Weekly Cyber Security News 10/03/2017

A selection of this week’s more interesting vulnerability disclosures and cyber security news. The week appears to have been low on volume but not explosive news. We have WikiLeaks, this Spammer breach and now Apache Structs. In particular, the 1.37 billion spam database raises a point that has manifested a few times in the news over the last couple of weeks; namely remote backups being open to all. In fact Western Digitial put out an alert this week for one theirs.

I don’t understand how these remote backup systems (and all those Mongo/Elastic and MySQL) are so open. Surely when setting up things up someone actually checks access is denied from an outside location? Its not hard to do…

• 1.37bn records from somewherelt to leak on Monday (The Register)

• Backup Error Exposes 1.37 Billion-Record Spamming Database (InfoRiskToday)

• Spammers Leak 1.4 Billion User Records

• That big scary 1.4bn leak was basically nothing but email addresses (The Register)

• Apache needs patching, without delay. It’s under attack as you read this (The Register)

• Critical vulnerability under massive attack imperils high-impact sites (ArsTechnica)

• Researcher Discloses Google ReCaptcha v2 Bypass

• Scammers hired hundreds of ‘staff’ to defraud TalkTalk customers (The Register)

• Shellshock Attacks Still Cheap and Easy: IBM (SecurityWeek)

• Solarwinds sends customers each others’ complete client lists Alexander J. Martin reports

• Spammers expose their entire operation through bad backups

• Top tip: Unplug your WD My Cloud boxen now (The Register)

• Critical Apache Struts 2 Vulnerability (Patch Now!)

• Six Flaws Patched With Release of WordPress 4.7.3

• Twitter Flaw Allowed Access to Locked Accounts

• Put down the coffee, stop slacking your app chaps or whatever and patch WordPress (The Register)