Weekly Cyber Security News 14/12/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. As many of us ramp up to some kind of party frenzy over coming weeks, this timely article on how the youngsters and trendy ones are perhaps organising parties in a bad way could be worth absorbing. While it goes over my head (as according to my kids I’m a ‘miserable caveman’), hopefully it might help those of you more popular to get it right:

• How To Help Your Teen Organise a Party Online Without It Becoming a Public Spectacle

You would think that even though I’m a ‘miserable caveman’ I would care about the demise of Google+. You would be wrong there, i’ve never understood it, and by the looks of it i’m not alone. Mind you, the fact that you have to have it as part of a Google account is a little concerning with yet another API issue:

• What the Google+ security flaw and expedited shutdown means for enterprise users

A bit of a nightmare for a significant website. Having 2FA might have helped so perhaps time for you to review your own?

• Linux.org Defaced via DNS Hijack

After last week’s moan about the new WP editor, I’m writing this with the Classic one and I am much happier. Unfortunately there are a few issues so patch away folks!

• WordPress plugs bug that led to Google indexing some user passwords (ZDNet)

 

The rest of the news:

• Marriott: Breach Victims Won”t Be Forced Into Arbitration (InfoRiskToday)

• Adobe Patches 87 Vulnerabilities in Acrobat Software

• After Mega-Breach, Marriott May Pay for New Passports (InfoRiskToday)

• Apache Misconfig Leaks Data on 120 Million Brazilians

• Australia”s encryption laws will fall foul of differing definitions (ZDNet)

• Europol Touts Dark Web Win After Counterfeit Crack Down

• Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked (The Register)

• Linux.org Redirected to NSFW Page Spewing Racial Epithets Administrators lost control of the domain for several hours in a DNS hijacking incident.

• Malicious sites abuse 11-year-old Firefox bug that Mozilla failed to fix

• Pressing F7 in the Command Prompt Lists Previously Entered Commands

• Privacy, security fears about ID cards? UK.gov”s digital bod has one simple solution: “Get over it”

• Quarter of NHS Trusts Have No Security Pros

• Researchers Find a Dozen Undocumented OpenSSH Backdoors

• Save the Children Foundation duped by hackers into paying out $1 million

• Super Micro says external security audit found no evidence of backdoor chips (ZDNet)

• Super Micro: No Malicious Hardware Found on Motherboards

• The Universal Plug & Play’s Unending Security Nightmare

• UK Supreme Court considers whether spy court should be immune to legal probes

• UK white hats blacklisted by Cisco Talos after smart security code stumbles

• Under Fire Huawei Agrees to UK Security Demands: Report

• Women in Cyber Take the Spotlight Women are key to solving the workforce shortage, which is expected to reach 3.5 million open jobs by 2022.

• Expert devised a new WiFi hack that works on WPA/WPA2

• Ticketmaster tells customer it”s not at fault for site”s Magecart malware pwnage

• ACCC goes after Google, Facebook in the name of fake news and data transparency (ZDNet)

• Australia Anti-Encryption Law Rushed to Passage

• Bug allowed full takeover of Samsung user accounts

• Windows 10 Activity History Sent to Microsoft Even When Disabled

• Windows Zero-Day Exploited by New ‘SandCat’ Group

• Zero-Day Bug Fixed by Microsoft in December Patch Tuesday Microsoft patches nine critical bugs as part of December Patch Tuesday roundup.

• Exploit Code for the Kubernetes Flaw Is Now Available

• New Exploit Kit Targets SOHO Routers

• Several Vulnerabilities Patched With Release of WordPress 5.0.1

• WordPress botnet composed of +20k installs targets other sites