Weekly Cyber and PHP Security News

For well over a decade our focus at ionCube has been on PHP security but recently with the release of ionCube24 we have been looking into different kinds of vulnerabilities. This post has a few of the interesting issues we have found this week.

A selection of this week’s more interesting vulnerability disclosures and cyber security news.

General

• Bitcoin exchange compromised through SendGrid account (SC Magazine) –

• Data breaches may cost less than the security to prevent them (TechRepublic) –

• Google sticks anti-SQL injection vaccine into MySQL MariaDB fork (The Register) –

• New York man gets seven-and-a-half years in prison for cyber crime scheme (Yahoo Security) –

 

Is the wonder of the IoT truly valid?

• Popular Home Automation System Backdoored Via Unpatched Flaw (Dark Reading) –
• The Internet of things is great until it blows up your house (The Register) –
• CVE-2015-2247 – Unspecified vulnerability in Boosted Boards skateboards allows physically proximate attackers to modify skateboard movement, cause human injury, or cause physical damage via vectors related to an _injection attack_ that blocks and hijacks a Bluetooth signal.
• CVE-2013-4866 – The LIXIL Corporation My SATIS Genius Toilet application for Android has a hardcoded Bluetooth PIN, which allows physically proximate attackers to trigger physical resource consumption (water or heat) or user discomfort.

An amazing bit of vulnerability analysis!

• Extracting the Private Key from a TREZOR with a $70 Oscilloscope (Reddit) –

Can’t believe the lax password security, in a school of all places where you expect the kids to try it

• Florida teen charged with felony after hacking teachers account to change desktop background – all teacher’s passwords were (are?) their last names (Reddit) –

That was unfortunate of them

• Hackers Make off With Data on 100,000 French State TV Contacts

Staggering that so many faults were not picked up on during commissioning

• Meet the e-voting machine so easy to hack, it will take your breath away (ArsTechnica) –

Such a well used embedded database makes you wonder how wide spread this will be

• several issues in SQLite (+ catching up on several other bugs)

Scary report on the the threats we are vulnerable to

• Verizon to world: STOP opening dodgy phishing emails, FOOLS (The Register) –

ionCube24

One we could catch using ionCube24

• Arbitrary File Upload Vulnerability in Virtocommerce Beta 2.0

Infrastructure

The issues with these routers never seem to go away

• D-Link router patch creates NEW SOHOpeless vuln (The Register) –

Point of sale systems are a quick way for the crims to score.

• FighterPOS malware strikes over 100 terminals in Brazil, captures info for 22K cards (SC Magazine) –

Such a popular platform has luckily been patched

• Hijacking any Weebly Website [Insecure Direct Object Reference Vulnerability]

Insider attacks are a huge risk many ignore as this shows

• Prosecutors suspect man hacked lottery computers to score winning ticket (ArsTechnica) –

This router hit again

• SEC Consult SA-20150410-0 :: Unauthenticated Local File Disclosure in multiple TP-LINK products (CVE-2015-3035)

Blogged last week about this one. Its going to be a game changer for many and then no excuse for it not to be in place.

• Securing the web once and for all: The Let’s Encrypt Project (ZDNet) –

Wondered at all the SSH traffic? This is the kind of thing which providers are looking at

• Single Threat Actor Producing 30% of SSH Bruteforce Traffic – SSHPsychos (Reddit) –

User Space

A (small) win against ransomware

• CoinVault ransomware decryption keys released (ZDNet) –

Here we are again with yet another round of issues with Flash. Should we not just abandon it and go with HTML5?

• CVE-2015-0346 – Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0359.

A week of large patching

• Google Fixes 45 Security Flaws With Release of Chrome 42

This maybe from the USA but I’ve seen something simliar here in the UK in the past week. Watch out!

• I.R.S. Tax Phone Scam Claims More Victims Than Ever as 2015 Tax Day Arrives (Forbes) –

A bit of disruption to the world of Minecraft? Here are a few views on this issue.

• Just-released Minecraft exploit makes it easy to crash game servers (ArsTechnica) –
• Public exploit crashes Minecraft servers (The Register) –
• Server-crashing Minecraft exploit published after game maker failed to act (ZDNet) –
• The Minecraft Server – a lesson on why to not roll out your own data formats and responsible disclosure (Reddit) –

Such a simple approach to bypass security

• New York Times columnist falls prey to signal repeater car burglary (ArsTechnica) –

A week of large patching

• Oracle Security Update Contains Critical Patches for MySQL, Java SE

 

Cant see this going wrong, can you? Nope. Not in any way….

• Report: Google adding voice unlock to Android devices (ZDNet) –

This is quite a nasty one

• WiFi hotspots can put iPhones into eternal super slow-mo (The Register) –

Will this really work?

• Windows Hello brings biometric security to Windows 10 (TechRepublic) –

Complete bypass! Ouch!

• [SYSS-2015-015] Panda Gold Protection 2015 – Authentication Bypass

WordPress

• Arbitrary File Download Vulnerability in Aspose DOC Exporter plugin for WordPress

• Multiple Vulnerabilities in WPML plugin before 3.1.9 for WordPress