• Our Vision

    To be the trusted guardian of
    New Zealand's
    Information Assets

NCSC Cyber Security Advisory NCSC-C-2016-620

2 November 2016
Disclosure of New Zealand  Health Sector membership details


On 2 November 2016, the NCSC was made aware that a targeted spearphishing campaign against a New Zealand Health Sector organisation had been successful. This has resulted in the membership information of the organisation being released to a likely malicious actor. The information included first and last names, email addresses, an indication of current member status, and an anonymised identifier about place of employment.
At this point, it is unclear who the actors involved are, and no information is known about their intentions or motivations. Based on previous experience, the NCSC assess that the most likely motivation for this compromise is financial; however this is only one of several possible explanations. The NCSC considers it likely that these email addresses could be used for a range of malicious or criminal purposes. 

Mitigation Steps:

At this stage there has been no successful compromise leveraging the disclosed credentials reported to the NCSC. Even though it is unclear exactly what purpose the disclosed credentials will be used for, there are actions that your organisation can take to reduce exposure to their malicious usage. The NCSC recommends the following:

Ensure that all affected entities and the organisations that they work for are made aware of the data disclosure.

Ensure staff remain vigilant in dealing with emails that contain links, attachments, or that attempt to solicit information. Users should verify any unexpected request for information with a phone call to the sender before replying. The NCSC recommends referring staff to the ConnectSmart resources on phishing, which are available at:

Ensure that backups are regularly taken and secured offline.
Given this release, it is prudent to make an immediate backup of critical data. This will mitigate the effects of any potential compromise, particularly ransomware, by allowing critical data to be restored in a timely manner. Further information on ransomware can be found on the ConnectSmart resource at https://www.connectsmart.govt.nz/assets/Uploads/Tip-Sheet-5-Ransomware.pdf 
Implement appropriate controls around remote access.
This includes implementing the use of two factor authentication, and considering limiting remote access to only New Zealand IP addresses where practicable. This will reduce the risk of leaked credentials being used to carry out brute force attacks.

Ensure that a strong password policy is enforced.

This should include complexity, length and maximum password age requirements. Once again this will significantly reduce the risk of a brute force attempt succeeding.



The NCSC assesses that completion of the above steps will help to mitigate against likely attack vectors. The NCSC recommends that affected entities and organisations remain vigilant for any indication of suspicious emails and activity. The New Zealand Ministry of Health is the lead agency on this incident, and the NCSC urges any affected entities to contact the Ministry should they have any further information about this incident, or their IT provider for assistance and support.

read more

Dropbox account details compromised and available online

Credentials from a 2012 Dropbox data breach are now available online. While credential details associated with these accounts were available for purchase on the “Darknet” earlier this year, they are now freely available for download.

Media reports have recently emerged that indicate email addresses (and hashed passwords) for 68,680,741 Dropbox accounts are now publicly available. Of this number, approximately 120,000 are “.nz” domains.

Dropbox have confirmed that credentials were compromised in 2012 when actors used stolen employee login details to access a database containing the email addresses, passwords and other details of users.

The NCSC assesses that the threat to New Zealand entities is low. Since the 2012 breach, the affected accounts have had an enforced password change. Additionally due to the passwords being hashed and salted, it is very difficult for the passwords to be cracked.

While the risk is low, as with all passwords, the NCSC recommends:

  • Using complex passwords;
  • Using two-factor authentication where possible;
  • Consider using a password manager tool; and
  • Making sure your devices and/or accounts are secured with different passwords.


The NCSC can be contacted by email via incidents@ncsc.govt.nz or by phone on:04 498 7654.
We encourage you to contact us at any time if you require any further assistance or advice.

read more

July 2016 New Zealand Information Security Manual

New Zealand Information Security Manual

The July 2016 NZISM has now been published.

Changes include new sections in Chapter 11; Radio Frequency Identification (RFID) and Access Control Systems, new content in section 11.2 on printer cartridge memory chips, new paragraphs on Access control in section 16.1 and new rationale and controls for section 19.5 Incident Handling and Management along with other minor and editorial updates.

In addition some new definitions of terms commonly used in the NZISM have been added as points of clarification and to aid policy interpretation as well as minor wording changes for the purposes of clarification.

The document remains in two parts for this release. 

You can view the July 2016 NZISM parts 1 & 2 and the July 2016 Change Register here.

As always, comments and suggestions for improvements are welcome.  Please direct these to ism@gcsb.govt.nz

read more

Cyber Security Advisory CSA-007-16

Distributed Denial of Service Extortion Campaign Targeting New Zealand Organisations

The NCSC is aware of an extortion campaign currently targeting New Zealand organisations. Several organisations have received extortion emails threatening a Distributed Denial of Service attack (DDoS) unless a payment in Bitcoins is made to the email sender.

The NCSC is not currently aware of any instances where the threat to carry out an attack has been realised.

Any organisation receiving an extortion email should report the threat to their local police http://www.police.govt.nz/contact-us/stations

We also recommend speaking with your Internet Service Provider (ISP) regarding advice and any specific DDoS mitigations that may be needed. 

Preparation is the most effective method of withstanding a DDoS attack. However, if your organisation is currently being targeted, there are a number of measures you can consider taking to reduce the impact of the attack. 

  • Contact your Internet Service Provider to discuss their ability to help you manage or mitigate the attack.
  • Where applicable, temporarily transfer online services to cloud-based hosting providers that have the ability to withstand DDoS attacks.
  • Use a denial of service mitigation service for the duration of the DDoS attack.
  • Disable website functionality or remove content that is being specifically targeted by the DDoS attack. For example, search functionality, dynamic content or large files.

The full Cyber Security Advisory CSA-007-16 is available here.

read more

Reporting an Incident

If your organisation has encountered or suspects a cyber-security incident, please complete and return the Cyber Security Incident - Report Form. If you require assistance in dealing with the incident, please complete the Cyber Security Incident – Request for Assistance Form. If required, you can speak with us directly on (04) 498-7654.

Some Interesting Stats

In the 12 months to 30 June 2015 the NCSC recorded a total of 190 incidents. Of those 114 were identified as targeting government systems, 56 targeting private sector – with a further 20 where the sector targeting was not identified in the reporting. Of total recorded incidents for the 2014/15 period spear phishing made up 30.5 percent, with 58 incidents, followed by network intrusion/compromise with 21.5 percent (41 incidents) and botnets, 9.5 percent (18 incidents). For the full article, see Cyber incidents for year to 30 June 2015.

According to Intel Security, New Zealand songstress Lorde ranks in the Top 10 of the "World’s Most Dangerous Celebrities" to search for online. Cybercriminals take advantage of interest in celebrities by filling search results with links to sites that may host malware and other online threats that can steal personal data and harm our devices. Intel Security conducted a study to determine the number of risky sites that would be generated in search results including a celebrity name and commonly searched terms.  Lorde ranged number nine in Intel’s 2015 list.  For the full article, see The 2015 Most Dangerous Celebrity.

The median number of days a cyber threat was present in victims system before being detected was 205 according to Mandiant’s 2015 MTrends report.  The report says 69 percent of victims were notified of the threat by an external entity.