Current Activity

NCSC Cyber Security Advisory CSA-002-17

Date 30 January 2017

DNS server configuration may result in excessive resource use and potential malicious application


  • The NCSC notes that there are DNS servers currently configured to resolve arbitrary internet domains requested from external hosts. 
  • A DNS server configured in this manner may result in excessive resource use and may have potential malicious application.


1. The NCSC has become aware of DNS servers currently configured to resolve internet domains when requested by external hosts. This appears to occur when a DNS server is configured to search for answers in an attempt to resolve the requests.

2. The observed DNS servers either resolve these requests themselves or forward them upstream (e.g. to Google DNS servers), and then send the response back to the requester. A DNS server configured in this manner will likely result in excessive resource use and has the potential for malicious application.


3. The NCSC recommends DNS servers are configured to allow recursive lookup from internal hosts and remote offices only.

4. The NCSC further recommends DNS servers are configured to only supply public domains hosted within their network to external hosts.

5. Further open source information can be found by searching for ‘open resolver’.
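A check for the condition this advisory describes, added here as an example (it is not NCSC code): it builds a recursive query for a domain the server does not host and classifies the reply from its header. The sample replies are constructed, `probe` is a hypothetical helper meant for a server you administer, and `example.com` and `192.0.2.1` are placeholder values.

```python
import socket
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000  # DNS header flag bits

def build_query(name, qid=0x1234):
    """Build an A/IN query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(resp, qid=0x1234):
    """Classify the reply to a recursive query for a domain the server does not host."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:                      # REFUSED: the server declined the query
        return "refused"
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-resolver"          # resolved an arbitrary external name
    if flags & RA:
        return "recursion-offered"      # RA advertised, no answer returned
    return "no-recursion"               # e.g. referral or empty reply, RA clear

def probe(server, name, timeout=3.0):
    """Hypothetical helper: query a server you administer from an external host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return classify_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return "no-reply"

# Constructed sample replies to build_query("example.com"); not captured traffic.
_QUESTION = build_query("example.com")[12:]
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(classify_response(SAMPLE_OPEN))
    print(classify_response(SAMPLE_REFUSED))
```

Run `probe` from a host outside the network against a name the server is not authoritative for; an `open-resolver` result means the recommendation in point 3 is not yet in effect.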

NCSC Cyber Security Advisory NCSC-C-2016-620

2 November 2016
Disclosure of New Zealand Health Sector membership details


On 2 November 2016, the NCSC was made aware that a targeted spearphishing campaign against a New Zealand Health Sector organisation had been successful. This has resulted in the membership information of the organisation being released to a likely malicious actor. The information included first and last names, email addresses, an indication of current member status, and an anonymised identifier about place of employment.
At this point, it is unclear who the actors involved are, and no information is known about their intentions or motivations. Based on previous experience, the NCSC assesses that the most likely motivation for this compromise is financial; however, this is only one of several possible explanations. The NCSC considers it likely that these email addresses could be used for a range of malicious or criminal purposes.

Mitigation Steps:

At this stage there has been no successful compromise leveraging the disclosed credentials reported to the NCSC. Even though it is unclear exactly what purpose the disclosed credentials will be used for, there are actions that your organisation can take to reduce exposure to their malicious usage. The NCSC recommends the following:

Ensure that all affected entities and the organisations that they work for are made aware of the data disclosure.

Ensure staff remain vigilant in dealing with emails that contain links, attachments, or that attempt to solicit information. Users should verify any unexpected request for information with a phone call to the sender before replying. The NCSC recommends referring staff to the ConnectSmart resources on phishing, which are available at:

Ensure that backups are regularly taken and secured offline.

Given this release, it is prudent to make an immediate backup of critical data. This will mitigate the effects of any potential compromise, particularly ransomware, by allowing critical data to be restored in a timely manner. Further information on ransomware can be found on the ConnectSmart resource at

Implement appropriate controls around remote access.

This includes implementing the use of two-factor authentication, and considering limiting remote access to only New Zealand IP addresses where practicable. This will reduce the risk of leaked credentials being used to carry out brute force attacks.

Ensure that a strong password policy is enforced.

This should include complexity, length and maximum password age requirements. Once again this will significantly reduce the risk of a brute force attempt succeeding.



The NCSC assesses that completion of the above steps will help to mitigate against likely attack vectors. The NCSC recommends that affected entities and organisations remain vigilant for any indication of suspicious emails and activity. The New Zealand Ministry of Health is the lead agency on this incident, and the NCSC urges any affected entities to contact the Ministry should they have any further information about this incident, or their IT provider for assistance and support.

Dropbox account details compromised and available online

Credentials from a 2012 Dropbox data breach are now available online. While credential details associated with these accounts were available for purchase on the “Darknet” earlier this year, they are now freely available for download.

Media reports have recently emerged that indicate email addresses (and hashed passwords) for 68,680,741 Dropbox accounts are now publicly available. Of this number, approximately 120,000 are “.nz” domains.

Dropbox have confirmed that credentials were compromised in 2012 when actors used stolen employee login details to access a database containing the email addresses, passwords and other details of users.

The NCSC assesses that the threat to New Zealand entities is low. Since the 2012 breach, the affected accounts have had an enforced password change. Additionally, because the passwords are hashed and salted, it is very difficult for them to be cracked.

While the risk is low, as with all passwords, the NCSC recommends:

  • Using complex passwords;
  • Using two-factor authentication where possible;
  • Consider using a password manager tool; and
  • Making sure your devices and/or accounts are secured with different passwords.


The NCSC can be contacted by email via or by phone on: 04 498 7654.
We encourage you to contact us at any time if you require any further assistance or advice.

July 2016 New Zealand Information Security Manual

The July 2016 NZISM has now been published.

Changes include new sections in Chapter 11; Radio Frequency Identification (RFID) and Access Control Systems, new content in section 11.2 on printer cartridge memory chips, new paragraphs on Access control in section 16.1 and new rationale and controls for section 19.5 Incident Handling and Management along with other minor and editorial updates.

In addition some new definitions of terms commonly used in the NZISM have been added as points of clarification and to aid policy interpretation as well as minor wording changes for the purposes of clarification.

The document remains in two parts for this release. 

You can view the July 2016 NZISM parts 1 & 2 and the July 2016 Change Register here.

As always, comments and suggestions for improvements are welcome.  Please direct these to

Cyber Security Advisory CSA-007-16

Distributed Denial of Service Extortion Campaign Targeting New Zealand Organisations

The NCSC is aware of an extortion campaign currently targeting New Zealand organisations. Several organisations have received extortion emails threatening a Distributed Denial of Service attack (DDoS) unless a payment in Bitcoins is made to the email sender.

The NCSC is not currently aware of any instances where the threat to carry out an attack has been realised.

Any organisation receiving an extortion email should report the threat to their local police.

We also recommend speaking with your Internet Service Provider (ISP) regarding advice and any specific DDoS mitigations that may be needed. 

Preparation is the most effective method of withstanding a DDoS attack. However, if your organisation is currently being targeted, there are a number of measures you can consider taking to reduce the impact of the attack. 

  • Contact your Internet Service Provider to discuss their ability to help you manage or mitigate the attack.
  • Where applicable, temporarily transfer online services to cloud-based hosting providers that have the ability to withstand DDoS attacks.
  • Use a denial of service mitigation service for the duration of the DDoS attack.
  • Disable website functionality or remove content that is being specifically targeted by the DDoS attack. For example, search functionality, dynamic content or large files.

The full Cyber Security Advisory CSA-007-16 is available here.

NCSC Security Advisory - NCSC-EV-2015-126

NCSC is aware of a recent campaign involving credential harvesting attacks in the form of spear phishing emails targeting different government agencies.

Windows 10 upgrade scam

A new scam in relation to downloading the Microsoft Windows 10 operating system has been identified.

Notification of Bash Bug Advisory

A new vulnerability (CVE-2014-6271) in the Bash command-line interpreter poses a critical security risk to Unix and Linux systems including Apple OSX.

Connect Smart

Connect Smart week runs from Monday 16 June to Friday 20 June, and has been organised by the National Cyber Policy Office.

Cyber threats continue to rise

The number of cyber incidents recorded by the National Cyber Security Centre (NCSC) increased by more than 60% in 2013.

NCSC advisory - OpenSSL Vulnerability

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw allowing an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library.

Mobile Electronic Device

The NCSC has released an advisory for mitigating the risks associated with mobile electronic devices.

NCSC Plesk Advisory

A security researcher has released details of a significant zero day vulnerability in some versions of the Plesk server management software.

Cyber Security Awareness Week

Cyber Security Awareness Week (CSAW) begins on Monday, 27 May. CSAW is being run by NetSafe and a number of events are planned.

New Training to Address Cyber Security Risk

A new cyber security and information assurance course has been launched by the Wellington Institute of Technology (WelTec) in collaboration with the GCSB.

NCSC – 2012 Incident Report Summary

NCSC has reported a significant increase in reported attacks against NZ government agencies, critical national infrastructure, and private sector orgs in 2012.

NZ-UK joint statement on cyber security

NZ Foreign Minister and the visiting Foreign Secretary of the UK have committed the two countries to working more closely together to address cyber security.

Apple QuickTime 7.7.3 Released

Apple have released QuickTime 7.7.3 for Windows 7, Vista, XP SP2 or later, in order to address several critical security vulnerabilities.

Sophos Anti-Virus Vulnerabilities

A recent report has described multiple vulnerabilities that have been identified in Sophos Anti-Virus products, prompting Sophos to issue a security advisory.

Top 35 Mitigation Strategies Updated

The Defence Signals Directorate (DSD) have released an October 2012 update to their Top 35 Strategies to Mitigate Targeted Cyber Intrusions.

Revocation of Adobe Code Signing Certificate

Adobe has announced plans to revoke a code signing certificate that appears to have been misused. The attached advisory contains further information.

Java Vulnerability Patch Released

This advisory is to report that Oracle has now released a patch to address the recently reported Java vulnerability (CVE-2012-4681).

iOS Hardening Configuration Guide

The iOS Hardening Configuration Guide issued in March 2012 by DSD, for iPod Touch, iPhone and iPad devices running iOS 5.1, is available from the DSD website.

Product Support Advisory

The NCSC has released an advisory recommending the best practices for all New Zealand Government ICT systems in relation to product support.