Weekly Cyber Security News 05/10/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Development frameworks are wonderful, can’t disagree there, they do make life easier by taking away tedious process. Obviously their increased complexity in hiding this tedium from the dev means debugging can be tricky at times. So they often included some quite revealing debug modes that can help…. Only that they really are for the eyes of the dev and not the public. Switching them off when in production is a good idea don’t you think?

• After two decades of PHP, sites still expose sensitive details via debug mode

Biometrics again, something I’m not entirely comfortable with as a sole means of authentication. One’s body is not easy to change should some vulnerability be found in how that data can be faked. I would advocate that as the second aspect of 2FA along with existing passwords or pins it is handy, but what about something that occurred to me while reading this article, how with an automatic biometric auth/payment would we be able to have multiple accounts on a system, perhaps for business and leisure?

• Fujitsu develops palm vein and facial data authentication technology (ZDNet)

This week in the office we were chatting about the changes to Chrome in the way it lets you know what level of protection a site is at. Well, these two articles then appear which make use of valid certificated sites to garner trust in who you are talking to. I think the lesson to be learned is no matter what site you are on, the moment you begin to part with any PII, ensure you are where you think you are:

• Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft

• Phishing Attacks Distributed Through CloudFlare”s IPFS Gateway

 

In other news:

• Adobe Patches 85 Vulnerabilities in Acrobat Products

• Burgerville customer credit card info stolen in data breach laid at Fin7″s feet

• Facebook Can”t Reset All Breach Victims” Access Tokens (InfoRiskToday)

• Sales engagement startup Apollo says its massive contacts database was stolen in a data breach

• Telegram fixes IP address leak in desktop client

• Apple forgot to lock Intel Management Engine in laptops, so get patching (The Register)

• BlackVue dashcams share cars’ mapped GPS locations, stream video feeds and audio

• CEO who sold phones with ‘totally unbreakable encryption’ takes plea deal

• China accused of sabotaging thousands of servers at major US companies with tiny microchips hidden on motherboards

• Cops told suspect he had to open iPhone X with his face, so he did

• Criminals Holding Hijacked Instagram Influencer’s Accounts for Ransom

• Facebook Breach: Single Sign-On of Doom (InfoRiskToday)

• Facebook may face $1.63 billion EU fine for breach

• Facebook: No evidence attackers accessed third-party apps (ZDNet)

• Facebook: No evidence attackers used stolen access tokens on third-party sites

• French police officer caught selling confidential police data on the dark web (ZDNet)

• Gigantic 100,000-strong botnet used to hijack traffic meant for Brazilian banks

• Hacker wastes entire day hacking Pigeoncoin cryptocurrency only to make $15,000 (ZDNet)

• Keyloggers Turn to Zoho Office Suite in Droves for Data Exfiltration The free online office suite software is used by more than 30 million people and is a ripe target for criminals.

• Mac OS Bug Allows Hackers to Hijack Installed Software

• NZ customs can now demand phone or laptop passwords (ZDNet)

• Police to Seattle’s techies, streamers: Sign up for our anti-swatting service [Updated]

• Researchers Call for a Shared Dark Web Taxonomy

• Sendgrid blurts out OWN customers” email addresses with no help from hackers (The Register)

• Telegram Leaks IP Addresses by Default When Initiating Calls

• Tesco Bank Hit With 16 Million Fine Over Debit Card Fraud (InfoRiskToday)

• The 6 most popular cyberattack methods hackers use to attack your business

• The dark web is not actually selling your data, report says

• ThreatList: Password Hygiene Remains Lackluster in Global Businesses Password-sharing persists, but at least multifactor authentication usage is up.

• Toyota notifies employees and health plan participants of data breach

• Web inventor Berners-Lee creates a new privacy first way of dealing with the internet (ZDNet)

• CVE-2018-15702: TP-LINK TL-WR841N Router Vulnerability Found

• Two-Factor Authentication Controversy Facing Facebook, User Mobile Numbers Used for Ads

• Canadian restaurant chain suffers country-wide outage after malware outbreak

• Cryptomining Malware Grows by 86% in Q2: McAfee Report

• Instagram Users Terrorized by Phishing and Ransomware

• Irish Data Regulator Likely to Fine Facebook for Data Breach

• Virus Bulletin 2018: macOS Flaw Allows Attackers to Hijack Installed Apps This code-signing issue represents a new attack vector, according to the researcher.

• Website flaw exposed a Canadian ISP’s entire customer database