A selection of this week’s more interesting vulnerability disclosures and cyber security news. First up this week is a bit of déjà vu. I’m sure we’ve been here before, right? MongoDB exposure? Thought so. Come on guys, when you stick something on the internet make sure you check its access, and don’t just do it from friendly IPs either!
- Telemedicine company exposed data of more than 2 million patients in Mexico – Another day, another exposed database due to misconfiguration of a MongoDB installation.
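To show what that misconfiguration usually looks like, here is an added example (not from the post or the linked report) of a `mongod.conf` that exposes the database, beside the corrected settings. The option names are MongoDB’s own YAML keys; the private address is an assumption.

```yaml
# --- mongod.conf, exposed (assumed example) ---
# Listens on every interface and accepts clients without credentials:
# anyone who can reach TCP 27017 can list, dump and modify every database.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled

# --- mongod.conf, corrected (assumed example) ---
# Bind only to loopback and the private application-subnet address
# (10.0.1.5 is a constructed value), and require authentication.
# Create an administrative user first: MongoDB's localhost exception
# lets you add the initial user from the server itself before this
# setting locks out unauthenticated clients.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5
security:
  authorization: enabled
```

The bind address is not a substitute for a firewall rule limiting 27017 to the application hosts, and the result should be verified from a host outside those networks, not from the application subnet.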
The next one may relate to cars, but it also relates to a previous post I did a few weeks back about IoT and driving your ex-partner mad remotely. Hanging on to authentication or other hooks into tech you once owned is not new, although before, it was most likely stuff you couldn’t reconnect with – unlike now, with the ever-present IoT:
- Connected Car Apps Open Privacy Hole For Used Car Owners – In a resale scenario, a previous owner could continue to have access to the online account with all the new owner’s information stored within.
And continuing my theme of IoT fail, we’ve a good one here (or not, if you happen to have the tech):
- EXCLUSIVE: Creditmate.in developer’s goof left 19,000 consumers’ credit reports unsecured – by Dissent Doe and Lee Johnstone
- Facebook Launches Fizz Library for Dev Speed, Security – New open source TLS library aims to help developers incorporate speed and security into apps and services.
- Jailhouse Tablets Allow Inmates to Steal Thousands of Dollars in Credits – After inmates hacked tablets with security vulnerabilities, a CenturyLink spokesperson told Threatpost the _vulnerability issue has been resolved._
- Salesforce.com Warns Marketing Customers of Data Leakage SNAFU – Potentially impacted customers include organizations like Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, News Corp Australia and Sony.
- Spot the Bot: Researchers Open-Source Tools to Hunt Twitter Bots – Duo Security researchers compiled a massive dataset of public Twitter profiles and built a tool to scour profiles and detect the fakes.
- ThreatList: Business Email Compromises Way Up for Q2 – Hardest hit were organizations using Office 365, with incidents costing more than $2 million each.
- US-CERT Warns of New Linux Kernel Vulnerability – Patches now available to prevent DoS attack on Linux systems.
- Fresh Approach to Wi-Fi Cracking Uses Packet-Sniffing – The new strategy allows an attacker to instead lift ID information directly from the router, within minutes.
- After Singapore medical data hack, Hong Kong’s Department of Health becomes latest cyberattack victim – Clifford Lo reports
- Steam Bans Developer After Outcry Over Cryptomining, Scam Items – A simple, 2D game raised eyebrows after it was found to be consuming big amounts of processing power.
- Fortnite Skips Google Play For Android Apps, Irking Security Experts – Security experts aren’t happy after Fortnite’s creator, Epic Games, announced it would not go through Google Play.
- Chip Giant TSMC Says WannaCry Behind Production Halt
- ‘SegmentSmack’ Flaw in Linux Kernel Allows Remote DoS Attacks
- Consumer DNA Testing Takes a Step Towards Privacy, Transparency – Ancestry, MyHeritage and others have committed to a policy framework for the collection, protection, sharing and use of consumer genetic data.
- Update Mechanism Flaws Allow Remote Attacks on UEFI Firmware – The glitch stems from a functionality intended to allow updates to the UEFI firmware.