Weekly Cyber Security News 30/11/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Yet another instance of tainting a dev module repository surfaced this week. That’s quite a few this year alone, and a few too many really. With Python, Node and of course CMS platforms being targetted by malicious module admins, this really does little to provide confidence that we can trust what we pull in. Perhaps more needs to be done on the part of both repo contributors and admin, any thoughts?

• Backdoor in Popular JavaScript Library Set to Steal Cryptocurrency

While the above was a covert attempt to infiltrate, looks like some are about to make it far far worse with a ‘cool’ idea:

• Google, Mozilla working on letting web apps edit files despite warning it could be “abused in terrible ways” (TechRepublic)

As we know biometrics can be a problem if somehow there is a flaw because its not easy changing a physical attribute. Next in queue for difficulty fixing a vulnerability is in a method that is mass produced such as ID cards, passports and credit cards. One has popped up and as is the way, opportunity to abuse usually leads a long way ahead of any fix:

• Flaw allowing identity spoofing affects authentication based on German eID cards

 

Other items of interest:

• Bing is Warning that the VLC Media Player Site is Unsafe

• Another ‘decision makers’ database leaked

• Brazil”s largest professional association suffers massive data leak (ZDNet)

• Dell announces security breach (ZDNet)

• 3ve Offline: Countless Windows PCs using 1.7m IP addresses hacked to click on up to 12 billion adverts a day (The Register)

• Apache Hadoop spins cracking code injection vulnerability YARN

• Bedroom design outfit slapped with £160k fine for 1.6 million spam calls

• Big Blue shoos Db2 blues before rogue staff turn the screws in hijack ruse (translation: patch your IBM databases) (The Register)

• Did UK city council over-react to a vulnerability report in its recycling app or not?

• Dunkin” Donuts accounts may have been hacked in credential stuffing attack (ZDNet)

• ElasticSearch server exposed the personal data of over 57 million US citizens (ZDNet)

• German flirting network gets fined for leaking user information

• How I changed the law with a GitHub pull request

• Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers

• Microsoft Details Cause of Recent Multi-Factor Authentication Outage

• Microsoft warns about two apps that installed root certificates then leaked the private keys

• PageUp Breach: “No Specific Evidence” of Data Exfiltration (InfoRiskToday)

• US told to quit sharing data with human rights-violating surveillance regime. Which one, you ask? That”d be the UK

• User Confidence in Smartphone Security Abysmal Sixty-six of percent of phone users said they had suffered data-related harm: 11 percent suffered identity theft, 22 percent account hacking, 14 percent credit cards hacking and 12 percent financial fraud.?

• Widely used open source software contained bitcoin-stealing backdoor

• Researchers Use Smart Bulb for Data Exfiltration

• Potent Lucky Ransomware Hits Linux Servers in a Global Attack

• LinkedIn used 18M non-member emails to target Facebook ads. Were you a victim?
• UK gov”t seizes documents Facebook wanted to keep private in Cambridge Analytica battle

• Critical Zoom Flaw Lets Hackers Hijack Conference Meetings Hackers can spoof messages, hijack screen controls and kick others out of meetings.

• Hackers can exploit this bug in surveillance cameras to tamper with footage

• Siemens Warns of Linux, GNU Flaws in Controller Platform