Weekly Cyber Security News 14/09/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. A lot to get worked up about this week, and I will skip the majority of the noise about British Airways and yet more MongoDB related shenanigans, to highlight another kind of oversight: Deploying publicly accessible web content with Git and not cleaning up afterwards – or not doing it in the first place perhaps:

• Open .Git Directories Leave 390K Websites Vulnerable An exhaustive scan shows hundreds of thousands of websites potentially exposing sensitive data such as database passwords, API keys and so on.

Not sure how angry I would be, not being a Chrome user, but its easy to understand. Certainly confusion when we’re told to watch out for similar domains used by phishing scams. Unexpected changes really don’t inspire confidence… But then who really pays attention anyway?

• Chrome 69 kills off www in URLs: Here”s why Google”s move has made people angry (ZDNet)

Have to get one IoT in and this article title really sums up all that is wrong:

• Security Vulnerability in Smart Electric Outlets

 

Read on, and don’t get too worked up, its nearly the weekend…

• Fortnite’s Accidental Revelation of Android’s Security Weakness

• Safari, Edge fans: Is that really the website you think you”re visiting? URL spoof bug blabbed

• Attackers Made 9,000 Unauthorized Database Queries in Equifax Hack: Report

• British Airways breach caused by the same group that hit Ticketmaster

• 100 days of GDPR

• Abandoning a domain name can come back to bite you, research shows

• An EU copyright bill could force YouTube-style filtering across the Web

• Apple”s Safari Falls For New Address Bar Spoofing Trick

• Awful military and government LinkedIn passwords highlight need for 2FA, new policies

• British Airways Fell Victim To Card Scraping Attack

• Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS (The Register)

• Data Management Firm Exposes 445 Million Records

• Exploit vendor drops Tor Browser zero-day on Twitter (ZDNet)

• Feds Charge Lone North Korean With Devastating Cyberattacks (InfoRiskToday)

• Feel the shame: Email-scammed staffers aren”t telling bosses about it (The Register)

• Google and EU Fight France Over “Right to Be Forgotten” (InfoRiskToday)

• Hackers Can Clone Tesla Key Fobs in Seconds

• How to nab a HTTPS cert for a stranger”s website: Step one, shatter those DNS queries…

• How to steal a Tesla Model S in seconds

• Law firm launches £500 million group action over British Airways hack

• Microsoft Patches Windows Zero-Day Disclosed via Twitter

• Millions of Records Exposed in Veeam Misconfigured Server Exposed data included names, emails addresses and IP addresses.

• Mongo Lock Attack Ransoming Deleted MongoDB Databases

• New modification of the old cold boot attack leaves most systems vulnerable (ArsTechnica)

• One Year Later, Over 2 Billion Devices Still Exposed to BlueBorne Attacks

• OpenSSL 1.1.1 out with TLS 1.3 support and “complete rewrite” of RNG component

• Revealed: British Airways was in talks with IBM on outsourcing security just before hack

• Solid password practice on Capital One”s site? Don”t bank on it

• Trend Micro tools tossed from Apple”s Mac App Store after spewing fans” browser histories

• Worries arise about security of new WebAuthn protocol

• Fallout exploit kit appeared in the threat landscape in malvertising campaigns

• Zerodium disclose exploit for NoScript bug in version 7 of Tor Browser

• Publication of PoC in popular WordPress plugin leads to scans for vulnerable sites (ZDNet)