OAIC examines Census attack; Oracle MICROS breach; Linux TCP weakness

Australian Privacy Commissioner Timothy Pilgrim has issued a comment on the attack that interrupted the 2016 Australian Census last Tuesday, saying he is satisfied that personal information was not inappropriately accessed, lost or mishandled during the attack.

Last Wednesday, Pilgrim released a statement saying he was aware of denial of service attacks on the Census 2016 website the previous night and that he was “commencing an investigation of the Australian Bureau of Statistics (ABS) in regards to these cyber attacks, under the Australian Privacy Act 1988”.

In that statement he said his first priority was to ensure that no personal information had been compromised as a result of those denial of service attacks.

On Thursday, Pilgrim released a second statement, saying he and his staff had been in regular contact with the ABS, and that he had received a briefing directly from the Australian Signals Directorate (ASD).

“ASD advised me that the incident was a denial of service (DoS) attack and did not result in any unauthorised access to, or extraction of, any personal information and, on the information provided to me by ASD, I am satisfied that personal information was not inappropriately accessed, lost or mishandled,” he said.

Pilgrim said the incident will now be the subject of a review led by the Prime Minister’s Cyber-Security Adviser, Alastair MacGibbon.

“I have discussed with Mr MacGibbon how our offices will work together as part that review,” Pilgrim said. “My office will also continue to work with the ABS to ensure they are continuing to take appropriate steps to protect the personal information collected through the Census.”

Linux weakness found

Researchers at the University of California, Riverside say they have identified a Linux TCP weakness that could be used to hijack users’ internet communications.

The university said the weakness could be used to launch targeted attacks that track users’ online activity, forcibly terminate a communication, hijack a conversation between hosts or degrade the privacy offered by anonymity networks like Tor.

The weakness lies in the TCP (Transmission Control Protocol) of all Linux operating systems since late 2012, the university said.

The research was led by Yue Cao, a computer science graduate student in UC Riverside’s Bourns College of Engineering. The research team also included Zhiyun Qian, Zhongjie Wang, Tuan Dao and Srikanth V Krishnamurthy. Lisa M Marvel, from the United States Army Research Laboratory, also contributed to the work.

According to UC Riverside, the researchers “identified a subtle flaw (in the form of ‘side channels’) in the Linux software that enables attackers to infer the TCP sequence numbers associated with a particular connection with no more information than the IP address of the communicating parties”.

“This means that given any two arbitrary machines on the internet, a remote blind attacker, without being able to eavesdrop on the communication, can track users’ online activity, terminate connections with others and inject false material into their communications. Encrypted connections (eg, HTTPS) are immune to data injection, but they are still subject to being forcefully terminated by the attacker,” the university said.

The paper detailing the weakness is titled ‘Off-Path TCP Exploits: Global Rate Limit Considered Dangerous’, and is available (in PDF form) on Qian’s lab website.

Oracle MICROS breach

A Russian cybercrime group appears to have breached hundreds of computer systems at Oracle and has compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems, according to security reporter Brian Krebs.

Krebs said that the size and scope of the break-in is still being investigated. He wrote that two sources with knowledge of the breach investigation had said that Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang.

“Carbanak is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years,” Krebs wrote.

Krebs said that his sources indicated that the attackers placed malicious code on a MICROS support portal, and that the malware allowed them to steal MICROS customer usernames and passwords.

Krebs’ analysis spans multiple articles and draws on input from multiple anonymous sources that are purportedly highly informed on the topic.

Image courtesy of Ruben Schade under CC