The NCSC uses this site to share relevant security information and news produced by the NCSC and other organisations.
The NCSC has released an advisory for mitigating the risks associated with mobile electronic devices. You can access the full advisory below.
If you have any questions regarding this advisory, please contact the NCSC at firstname.lastname@example.org
Mozilla has released a Security Advisory which details a number of vulnerabilities in several versions of the Firefox Internet browser and Thunderbird email client. The advisory outlines multiple vulnerabilities in the following products:
• Firefox versions prior to 22.0
• Firefox Extended Support Release (ESR) versions prior to 17.0.7
• Thunderbird versions prior to 17.0.7
• Thunderbird Extended Support Release (ESR) versions prior to 17.0.7
These vulnerabilities could allow remote code execution, cause affected applications to crash, potentially leak sensitive information, and allow privilege escalation or unauthorized access in a number of different contexts.
Full details about the vulnerabilities can be found on Mozilla’s website.
NCSC recommends that administrators, where possible and in accordance with their organisational policies, update Firefox and Thunderbird to the latest available versions, 22.0 and 17.0.7 respectively.
A security researcher has released details of a significant zero-day vulnerability in some versions of the Plesk server management software. The code-execution vulnerability affects default versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems. Windows and other types of Unix have not currently been tested to see if those configurations are vulnerable as well.
Plesk is a control panel that is commonly used to manage servers through a graphical interface. Plesk environments running the versions identified above could be exploited to allow an attacker to compromise and control managed servers by gaining the privileges of authorised users and taking control of the affected system.
Trend Micro has published further information on the report which can be found here.
NCSC recommends that, where practical and with the appropriate due diligence, network operators upgrade to a version later than those vulnerable, as later releases are not currently being reported as vulnerable to this specific issue.
The purpose of this advisory is to provide guidance for securing government public-facing networks and systems.
Cyber Security Awareness Week (CSAW) begins on Monday, 27 May. CSAW is being run by NetSafe and a number of events are planned.
In support of NetSafe, the NCSC encourages home computer users to participate in these events and ensure that they are adopting the best possible security practices. A full list of events can be found here: http://www.securitycentral.org.nz/events-and-resources/cyber-security-aw...
3 May 2013
Cyber planning course for key NZ infrastructure orgs
The National Cyber Security Centre (NCSC), with the CERT Program of Carnegie Mellon University’s Software Engineering Institute (SEI), is offering spaces on a one-day course for Government departments and critical infrastructure operators on how to respond to cyber attacks.
The National Cyber Security Centre is part of the Government Communications Security Bureau (GCSB), which has a role to protect government systems and information, and to work with critical infrastructure operators to help them improve their computer and network security.
GCSB Director Ian Fletcher says, “We are pleased to be able to offer this training for government and the private sector in partnership with Carnegie Mellon University.
“The Carnegie Mellon Software Engineering Institute is regarded as the world leading training institute in this field. We have developed this Incident Management programme specifically for New Zealand to support our important organisations develop Computer Security Incident Response Teams (CSIRTs).
“The teams will have an agreed method and format for responding to suspected threats, as well as setting up trusted communication channels and collaboration across New Zealand. It also involves developing training and mentoring to ensure the expertise and skills base is grown.
“Cyber attacks are becoming more advanced and sophisticated, and increasingly are targeting intellectual property and other proprietary information held by businesses as well as individuals.
“There’s no reason to believe New Zealand is any different from the rest of the world. We are seeing more incidents reported in New Zealand, and we can benefit from having a standardised cyber security incident response method and format.”
The courses are being run in Auckland, Wellington and Christchurch in mid-June.
Organisations interested in taking part can contact email@example.com. There is no charge for attending the sessions.
Media contact: Antony Byers 04 463 1667 or 021 241 7449
A new cyber security and information assurance course has been launched by the Wellington Institute of Technology (WelTec) in collaboration with the Government Communications Security Bureau (GCSB).
Speech given by the GCSB Director Ian Fletcher at the Gallagher Security conference held in Hamilton on 11 March 2013
MEDIA RELEASE - 21 February 2013
Key NZ infrastructure operators take a lead in cyber security
A group of New Zealand critical infrastructure organisations have established the New Zealand Cyber Security Voluntary Standards for Industrial Control Systems with the support of the National Cyber Security Centre (NCSC).
The NCSC is part of the Government Communications Security Bureau, and supports government and critical infrastructure owners in efforts to protect themselves from cyber threats.
These critical infrastructure organisations operate industrial control systems, which allow centralised supervision and control of remote assets. The group has been working on voluntary standards with the NCSC.
Mike Judge from Genesis Energy says, “This work has allowed us to safely discuss cyber security issues, and work together with industry to develop best practice and share information.
“The participants in this group are well placed to provide or endorse security guidance to the New Zealand utility industry. Risks will vary, but this standard we have developed is a practical compilation of best practice and guidance for establishing a secure control system.
“The aim is to minimise the threat from unauthorised or inappropriate access, and also to maintain access and control during adverse conditions.
“These voluntary standards will be applicable for a range of NZ industries including electricity, oil and gas, water, transport, chemical, pharmaceutical, food and beverage, and manufacturing,” Mr Judge said.
The National Cyber Security Centre recently published its 2012 Incident Summary, which identified a significant increase in the number of attacks against New Zealand government agencies and critical national infrastructure in 2012.
If you or your organisation is part of the Industrial Control Systems infrastructure (SCADA) in New Zealand and is seeking further resources on current security issues, contact the NCSC ICS team by emailing: firstname.lastname@example.org
Media contact: Antony Byers 04 472 6881 or 021 241 7449
Adobe has released a Security Advisory which identifies critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in two Adobe products: Reader and Acrobat. The following versions are affected:
• Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
• Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
• Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
• Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
• Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
• Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh
According to Adobe, these vulnerabilities could allow the application to be exploited, causing it to crash, and potentially allow an attacker to take control of the affected system.
Adobe has also acknowledged other reports which have identified that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into opening a malicious PDF file delivered in an email message.
Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.01 and earlier) for Windows and Macintosh, X (10.1.5 and earlier) for Windows and Macintosh, 9.5.3 and earlier 9.x versions for Windows and Macintosh, and Adobe Reader 9.5.3 and earlier 9.x versions for Linux. These updates address the vulnerabilities detailed above.
The NCSC encourages administrators to review the full security bulletin from Adobe, available here, and apply these updates as soon as practicable.