• Our Vision

    To be the trusted guardian of
    New Zealand's
    Information Assets


NCSC Cyber Security Advisory CSA-002-17

Date 30 January 2017

DNS server configuration may result in excessive resource use and potential malicious application

Summary

  • The NCSC notes that there are DNS servers currently configured to resolve arbitrary internet domains requested from external hosts. 
  • A DNS server configured in this manner may result in excessive resource use and may have potential malicious application.

Details

1. The NCSC has become aware of DNS servers currently configured to resolve internet domains when requested by external hosts. This appears to occur when a DNS server is configured to search for answers in attempt to resolve the requests.

2. The observed DNS servers either resolve these requests, or request upstream (e.g. Google DNS servers), and finally send the response back to the requester. A DNS server configured in this manner will likely result in excessive resource use, as well as have the potential for malicious application.

Recommendations

3. The NCSC recommends DNS servers are configured to allow recursive lookup from internal hosts and remote offices only.

4. The NCSC further recommends DNS servers are configured to only supply public domains hosted within their network to external hosts.

5. Further open source information can be found by searching for ‘open resolver’.

read more

NCSC Cyber Security Advisory NCSC-C-2016-620

2 November 2016
Disclosure of New Zealand  Health Sector membership details

Background:

On 2 November 2016, the NCSC was made aware that a targeted spearphishing campaign against a New Zealand Health Sector organisation had been successful. This has resulted in the membership information of the organisation being released to a likely malicious actor. The information included first and last names, email addresses, an indication of current member status, and an anonymised identifier about place of employment.
At this point, it is unclear who the actors involved are, and no information is known about their intentions or motivations. Based on previous experience, the NCSC assess that the most likely motivation for this compromise is financial; however this is only one of several possible explanations. The NCSC considers it likely that these email addresses could be used for a range of malicious or criminal purposes. 

Mitigation Steps:

At this stage there has been no successful compromise leveraging the disclosed credentials reported to the NCSC. Even though it is unclear exactly what purpose the disclosed credentials will be used for, there are actions that your organisation can take to reduce exposure to their malicious usage. The NCSC recommends the following:

Ensure that all affected entities and the organisations that they work for are made aware of the data disclosure.

Ensure staff remain vigilant in dealing with emails that contain links, attachments, or that attempt to solicit information. Users should verify any unexpected request for information with a phone call to the sender before replying. The NCSC recommends referring staff to the ConnectSmart resources on phishing, which are available at:
https://www.connectsmart.govt.nz/assets/Uploads/Tip-Sheet-4-Phishing.pdf

Ensure that backups are regularly taken and secured offline.
Given this release, it is prudent to make an immediate backup of critical data. This will mitigate the effects of any potential compromise, particularly ransomware, by allowing critical data to be restored in a timely manner. Further information on ransomware can be found on the ConnectSmart resource at https://www.connectsmart.govt.nz/assets/Uploads/Tip-Sheet-5-Ransomware.pdf 
Implement appropriate controls around remote access.
This includes implementing the use of two factor authentication, and considering limiting remote access to only New Zealand IP addresses where practicable. This will reduce the risk of leaked credentials being used to carry out brute force attacks.

Ensure that a strong password policy is enforced.

This should include complexity, length and maximum password age requirements. Once again this will significantly reduce the risk of a brute force attempt succeeding.

 

Conclusion:

The NCSC assesses that completion of the above steps will help to mitigate against likely attack vectors. The NCSC recommends that affected entities and organisations remain vigilant for any indication of suspicious emails and activity. The New Zealand Ministry of Health is the lead agency on this incident, and the NCSC urges any affected entities to contact the Ministry should they have any further information about this incident, or their IT provider for assistance and support.

read more

Dropbox account details compromised and available online

Credentials from a 2012 Dropbox data breach are now available online. While credential details associated with these accounts were available for purchase on the “Darknet” earlier this year, they are now freely available for download.

Media reports have recently emerged that indicate email addresses (and hashed passwords) for 68,680,741 Dropbox accounts are now publicly available. Of this number, approximately 120,000 are “.nz” domains.

Dropbox have confirmed that credentials were compromised in 2012 when actors used stolen employee login details to access a database containing the email addresses, passwords and other details of users.

The NCSC assesses that the threat to New Zealand entities is low. Since the 2012 breach, the affected accounts have had an enforced password change. Additionally due to the passwords being hashed and salted, it is very difficult for the passwords to be cracked.

While the risk is low, as with all passwords, the NCSC recommends:

  • Using complex passwords;
  • Using two-factor authentication where possible;
  • Consider using a password manager tool; and
  • Making sure your devices and/or accounts are secured with different passwords.

 

The NCSC can be contacted by email via incidents@ncsc.govt.nz or by phone on:04 498 7654.
We encourage you to contact us at any time if you require any further assistance or advice.

read more

July 2016 New Zealand Information Security Manual

New Zealand Information Security Manual

The July 2016 NZISM has now been published.

Changes include new sections in Chapter 11; Radio Frequency Identification (RFID) and Access Control Systems, new content in section 11.2 on printer cartridge memory chips, new paragraphs on Access control in section 16.1 and new rationale and controls for section 19.5 Incident Handling and Management along with other minor and editorial updates.

In addition some new definitions of terms commonly used in the NZISM have been added as points of clarification and to aid policy interpretation as well as minor wording changes for the purposes of clarification.

The document remains in two parts for this release. 

You can view the July 2016 NZISM parts 1 & 2 and the July 2016 Change Register here.

As always, comments and suggestions for improvements are welcome.  Please direct these to ism@gcsb.govt.nz

read more

Reporting an Incident


If your organisation has encountered or suspects a cyber-security incident, please complete and return the Cyber Security Incident - Report Form. If you require assistance in dealing with the incident, please complete the Cyber Security Incident – Request for Assistance Form. If required, you can speak with us directly on (04) 498-7654.

Some Interesting Stats


338 cyber security incidents were recorded by the National Cyber Security Centre in the 12 months to 30 June 2016. This is an average of 28 incidents per month and represents a significant increase on the previous 12 months when there were 190 cyber security incidents. GCSB Director Andrew Hampton reviews the nature of the cyber threats to New Zealand in his address to the New Zealand Institute of International Affairs.

The Australian Signals Directorate (ASD) has updated its ‘Strategies to Mitigate Cyber Security Incidents’ guidance on prioritised security controls, expanding the ‘top four’ strategies to produce a new ‘essential eight’. The strategies are a list of practical actions that organisations can take to make their systems more secure. The eight essential strategies can be implemented as a baseline and the guidance can be tailored based on an organisation’s risk profile and the threats they face.

Security researchers believe the number of companies around the world experiencing ransomware events tripled between the first and third quarters of 2016. The American National Institute of Standards and Technology (NIST) has now published a “Guide for Cybersecurity Event Recovery” (NIST Special Publication 800-184) which offers guidance for developing, testing and improving recovery plans so organisations are ready when a cyber security event occurs.