Weekly Cyber Security News 16/12/2016

A selection of this week’s more interesting vulnerability disclosures and cyber security news. This week’s news is dominated by another revelation at Yahoo. Yet another reminder of the risk of password reuse which I mentioned last week. In this case, I suspect due to the lack of any serious financial data the objective is to provide more information in password creation patterns which can feed into other attacks.

I’m certain, and like most out there, there must be services I have signed up for that may have reused passwords, but for the life of me I can’t remember which ones. I do track in more recent times but older ones? With so many services out there that require their own logins its a nightmare to deal with the increasing number of credentials even with a password keeper.

What solutions do we have then? Single sign-on is a marvellous idea but provides a single point of failure. Could use multiple single sign-ons perhaps, use some sites with Facebook, others with Google, that would spread the risk maybe? Certainly 2FA helps a lot, and I would imagine unless you have someone determined to get you, any attacker will move on to more easy pickings if you make it hard enough.

 

• Stolen Yahoo Data Includes Government Employee Information Jordan Robertson reports

• UK: KFC warns 1.2 million Colonel’s Club loyalty scheme members of data breach after website hacked Richard Wheatstone reports

• Yahoo says 1 billion accounts exposed in newly discovered security breach (Yahoo Security)

• Yahoo Says Newly Discovered Hack Hit 1 Billion Accounts

• Yahoo Suffers History’s Biggest Known Data Breach (Yahoo Security)

• Yahoo’s big breach helps usher in an age of hacker anxiety (Yahoo Security)

• ‘I found a bug that let anyone read anyone’s Yahoo! Mail and all I got was this $10k check’ (The Register)

• 0-days hitting Fedora and Ubuntu open desktops to a world of hurt (ArsTechnica)

• Apple Patches 72 Vulnerabilities in macOS Sierra

• Bangladesh Police Say Some Bank Officials Involved In Cyberheist Mid-ranking officials of Bangladesh Bank deliberately exposed bank’s network to allow theft of $81 million, says top investigator.

• BlackEnergy power plant hackers target Ukrainian banks (The Register)

• Bluetooth-enabled safe lock popped after attackers win PINs (The Register)

• CVE-2015-3271 Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header.

• Dear hackers, Ubuntu’s app crash reporter will happily execute your evil code on a victim’s box (The Register)

• Exclusive: Some Bangladesh Bank officials involved in heist investigator (Yahoo Security)

• Infosec bods: This is a backdoor in Skype for Macs. Microsoft: No. (The Register)

• Joan Jett’s BlackHeart Records leaks thousands of files online From MacKeeper Security Research Center

• Kentucky pried chicken: Fried grease chain’s loyalty club hacked (The Register)

• Macbook seized or stolen? But you’ve set a FileVault password, right? Ha, it’s useless (The Register)

• Microsoft Edge to Block Flash by Default

• Microsoft Patches Dangerous Backdoor In Skype For Mac OS X Vulnerability would have let attackers record calls, intercept and read messages, and siphon out all kinds of data, Trustwave says.

• New World Hackers group revealed as college students: sources Some great reporting by Zack Whittaker

• Nymaim Trojan Fingerprints MAC Addresses to Bypass Virtualization (SecurityWeek)

• Ongoing Windows update bug woes affecting all ISPs (The Register)

• Op-ed: Im giving up on PGP (ArsTechnica)

• Ransomware Decrypts Your Files For Free If You Infect Your Friends (Forbes)

• Ransomware scum face unified white hat army (The Register)

• Ransomware scum offer free decryption if you infect two mates (The Register)

• Two APTs Used Same Zero-Day to Target Individuals in Europe (SecurityWeek)

• U.S. proposes requiring vehicles to ‘talk’ to each to avoid crashes (Yahoo Security)

• UK: TalkTalk hacker who blackmailed company chief during year-long cyber crime spree faces jail

• Unpatched bug allows hackers to seize control of Netgear routers (ArsTechnica)

• Users Warned of Zcash Miner Infections

• Vuln: Multiple Netgear Routers VU#582384 Remote Command Injection Vulnerability Multiple Netgear Routers VU#582384 Remote Command Injection Vulnerability

• Windows 10: Microsoft’s Edge browser the latest to disable Flash by default (TechRepublic)

• Worst Privacy Policy Evernote? Update Allows Employees To Read Your Notes (Forbes)

• Yahoo Admits Another Billion User Accounts Were Leaked In 2013 (Forbes)

• Yahoo admits its been hacked again, and 1 billion accounts were exposed (ArsTechnica)

• Yahoo Discloses 1 Billion User Accounts Were Hacked in 2013

• Yahoo hack serves as reminder to change passwords (Yahoo Security)

• Yahoo says hackers stole data from more than one billion user accounts (Yahoo Security)

• Yahoo says hackers stole information from over 1B accounts (Yahoo Security)

• T-Mobile’s Digits sign-up page temporarily pulled after some subscriber info was exposed Jacob Siegal reports

• US-CERT’s top tip: Hack your crap Netgear router before miscreants arrive (The Register)

• Microsoft Edge’s malware alerts can be faked, researcher says (The Register)

• Nearly Half Of The Top 1 Million Websites Deemed Risky Forty-six percent of the top million websites, as ranked by Alexa, pose potential malware risks to businesses.

• Office 365 Business Users Targeted in Punycode-based Phishing (SecurityWeek)

• Covert downloaders found preinstalled on dozens of low-cost Android phone models (ArsTechnica)

• Secunia Research: Microsoft Windows Type 1 Font Processing Vulnerability

• Microsoft Patches Several Publicly Disclosed Flaws

• Netgear Starts Patching Critical Router Flaw (SecurityWeek)

• Netgear working to fix flaw that left thousands of devices open to attack Steve Ragan reports

• Serious Vulnerabilities Found in McAfee Enterprise Product

• Unpatched Flaw Exposes Netgear Routers to Hacking (SecurityWeek)

• Yahoo Pays Out $10,000 Bounty for Critical Mail Flaw

• Over 8,800 WordPress Plugins Have Flaws: Study (SecurityWeek)