A selection of this week’s more interesting vulnerability disclosures and cyber security news. This week’s news is dominated by another revelation at Yahoo, yet another reminder of the risk of password reuse, which I mentioned last week. In this case, I suspect that, given the lack of any serious financial data, the objective is to gather more information on password creation patterns which can feed into other attacks.
I’m certain that, like most people out there, there must be services I have signed up for with reused passwords, but for the life of me I can’t remember which ones. I do track them these days, but the older ones? With so many services out there that require their own logins, it’s a nightmare to deal with the increasing number of credentials, even with a password keeper.
What solutions do we have then? Single sign-on is a marvellous idea but provides a single point of failure. Perhaps we could use multiple single sign-ons, some sites with Facebook, others with Google; that would spread the risk maybe? Certainly 2FA helps a lot, and I would imagine that unless you have someone determined to get you, any attacker will move on to easier pickings if you make it hard enough.
- UK: KFC warns 1.2 million Colonel’s Club loyalty scheme members of data breach after website hacked (Richard Wheatstone reports)
- ‘I found a bug that let anyone read anyone’s Yahoo! Mail and all I got was this $10k check’ (The Register)
- Bangladesh Police Say Some Bank Officials Involved In Cyberheist: mid-ranking officials of Bangladesh Bank deliberately exposed the bank’s network to allow the theft of $81 million, says the top investigator.
- CVE-2015-3271: Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header.
- Dear hackers, Ubuntu’s app crash reporter will happily execute your evil code on a victim’s box (The Register)
- Joan Jett’s BlackHeart Records leaks thousands of files online (MacKeeper Security Research Center)
- Macbook seized or stolen? But you’ve set a FileVault password, right? Ha, it’s useless (The Register)
- Microsoft Patches Dangerous Backdoor In Skype For Mac OS X: the vulnerability would have let attackers record calls, intercept and read messages, and siphon out all kinds of data, Trustwave says.
- New World Hackers group revealed as college students: sources (some great reporting by Zack Whittaker)
- Vuln: Multiple Netgear Routers VU#582384 Remote Command Injection Vulnerability
- T-Mobile’s Digits sign-up page temporarily pulled after some subscriber info was exposed (Jacob Siegal reports)
- Nearly Half Of The Top 1 Million Websites Deemed Risky: forty-six percent of the top million websites, as ranked by Alexa, pose potential malware risks to businesses.