A selection of this week’s more interesting vulnerability disclosures and cyber security news.
The week’s news is still awash with the devastating DDoS against Dyn, which appears to have been carried out by a surprisingly small number of IoT devices. Then, with further news of some other networks being hit too, I don’t think this is going to get any better. Anyway, you can pick up those articles below, as my main focus this week is the announcement of a practical application of Rowhammer.
This one really piqued my geeky interest last year. It seemed a fascinating bit of research, clever in the way it bit-flips neighbouring memory cells to induce a security hole, but something that would in practice be very difficult to achieve. How wrong was that? It looks like someone has actually achieved a compromise! It will be interesting to see if anyone actually gets this to apply to other devices.
- App proves Rowhammer can be exploited to root Android phones and there’s little Google can do to fully kill it (The Register)
And for all the other fun we’ve had this week…
- Australia’s biggest data breach sees 1.3m records leaked Allie Coyne reports
- Indian Banks Hit By Debit Card Security Breach. Around 3.25 million debit cards affected by breach of 90 ATMs, prompting card replacement and PIN change.
- Nets data breach puts 100,000 cards at risk Alex Hamilton reports
- ‘Root’ Of More IoT-Based DDoS Attacks. Last Friday’s massive DDoS that exploited online cameras and DVRs was simple to pull off, and a new chapter in online attacks.
- 3 inexpensive steps to secure IoT (TechRepublic)
- Adobe kicks out patch for fresh Flash zero-day (The Register)
- Ageing GSM crypto cracked on commodity graphics rig (The Register)
- Android phones rooted by most serious Linux escalation bug ever (ArsTechnica)
- Anonymous’s Most Notorious Hacker Is Back, and He’s Gone Legit Andy Greenberg reports
- Botnet Army of ‘Up to 100,000 IoT Devices’ Disrupted Dyn (InfoRiskToday)
- China electronics firm to recall some U.S. products after hacking attack (Yahoo Security)
- DDoS On Dyn Used Malicious TCP, UDP Traffic
- Every LTE call, text, can be intercepted, blacked out, hacker finds (The Register)
- Good luck securing ‘things’ when users assume ‘stuff just works’ (The Register)
- Graduate recruitment site exposed 50,000 CVs sent to Virgin Media UK (The Register)
- Hacker’s Icarus machine steals drones midflight (The Register)
- Hacktivist crew claims it launched last week’s DDoS mega-attack (The Register)
- Joomla! squashes critical privileged account creation holes (The Register)
- LinkedIn Hacker Tied to Major Bitcoin Heist (SecurityWeek)
- Mirai Botnet Pummels Internet DNS in Unprecedented Attack (InfoRiskToday)
- Mozilla plots TLS 1.3 future for Firefox (The Register)
- Password1? You’re so random. By which we mean not random at all UK.gov (The Register)
- PayPal patches bone-headed two factor authentication bypass (The Register)
- R3’s Corda Blockchain Platform Goes Open-Source (SecurityWeek)
- Script Kiddies Likely Behind Dyn DDoS Attacks (SecurityWeek)
- Singapore telco StarHub hit by cyber attacks, internet connections disrupted (Yahoo Security)
- There’s a new way to take down drones, and it doesn’t involve shotguns (ArsTechnica)
- Three LibTIFF bugs found, only two patched (The Register)
- U.S. web provider says probing East Coast cyber attack (Yahoo Security)
- ComoD’oh! Infosec duo exploits OCR flaw to nab a website’s HTTPS cert (The Register)
- Got Ancient exploit but nowhere to use it? Try the horrid GRX network (The Register)
- Slack Flaw Allowed Hackers to Hijack Any Account