Weekly Cyber Security News 18/01/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. There has been some amazing breach notifications this week, none of which I will comment on as there’s plenty of articles already.  First item of comment this week is an interesting article commenting on various hosting providers –  are they fair points? How far should our trust go in that any service provider of any kind is doing their best to look after both ours, and their, property?

• GoDaddy removes JavaScript injection which tracks website performance, but might break it too

In a way I’m glad the implications are beginning to dawn on those who slap IoT everywhere. As with any security a level of paranoia is healthy:

• As IoT Grows, Confidence in Security Remains Low

At last! More assistance for a healthy WordPress install, thought my preference would be that it should also automatically go into maintenance mode, or shut down the site should the version of WordPress be way too old because the owner hasn’t kept on top of updates. But perhaps I’m in the minority in thinking that?

• WordPress to Warn on Outdated PHP Versions

 

Continue on for the other manic news of the week:

• Finger pointed at real estate recruiter after Australian CV leak (ZDNet)

• Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations

• VOIPO database exposed millions of call and SMS logs, system data

• “Right to Be Forgotten” Should Be EU-Only, Adviser Says (InfoRiskToday)

• 51 percent Ethereum Classic hacker returns $100,000 in stolen cryptocurrency

• A security conference will let you hack a Tesla car and earn cash prizes

• Advertising network compromised to deliver credit card stealing code (ZDNet)

• Apple loses patent case appeal, owes VirnetX $440M in FaceTime dispute

• Attackers Leverage Open Source in New BYOB Attack

• Banks in West Africa Hit with Off-The-Shelf Malware, Free Tools

• Cops told: No, you can”t have a warrant to force a big bunch of people to unlock their phones by fingerprint, face scans

• EDGAR Wrong: Ukrainians hacked SEC, stole docs for inside trading, says Uncle Sam

• Eight months after discovery, unkillable LoJax rootkit campaign remains active

• Epic”s Fortnite fail: Ancient UT2004 server used for login-stealing proof-of-concept

• Flaws in a Card Access Control System May Allow Hackers to Bypass Security

• Germany’s cyber security authority criticised for failing to disclose data breach

• Goddamn the Pusher man: Nominet kicks out domain name hijack bid

• Got a Drupal-powered website? You may want to get patching now…

• Hack Allows Escape of Play-with-Docker Containers Researchers created a proof-of-concept escape of Docker test environment.

• Hope You”re Using Protection as Love Letter MalSpam has Nasty Surprises

• Huawei sacks employee arrested in Poland as Warsaw mulls EU ban (ZDNet)

• Intel”s Software Guard caught asleep at its post: Patch out now for SGX give-me-admin hole

• IT Teams Have One Year to Move Off Windows 7

• Microsoft sends a raft of Windows 10 patches out into the Windows Update ocean

• Mondelez sues Zurich over $100m cyberhack insurance claim

• More .gov Domains Hit by Government Shutdown

• Mozilla Announces It Will Disable Support for Flash Plugin in Firefox 69

• NASA internal app leaked employee emails, project names

• North Korean hackers infiltrate Chile”s ATM network after Skype job interview

• Over 87GB of email addresses and passwords exposed in Collection 1 dump (ZDNet)

• PoC for Windows VCF zero-day published online (ZDNet)

• Schneider Electric Vehicle Charging Stations Exposed to Hacker Attacks

• Stop and Shop grocery chain to begin offering �store on wheels� service

• UK Banks Finally Issue New Cards After Ticketmaster Breach

• UK facial verification firm iProov is working with Homeland Security

• Vulnerability in Amadeus Flight Booking System Affects 141 Airlines

• Yet Another Bypass: Is 2FA Broken? Authentication Experts Weigh In A penetration testing tool called Modlishka can defeat two-factor authentication in the latest 2FA security issue. We asked a roundtable of experts what it all means.

• Flaw in Telegram Reveals Awful OpSec from Malware Author

• Google Play malware used phone’s motion sensors to conceal itself

• Researchers Create PoC Malware for Hacking Smart Buildings

• Phishers Use Zero-Width Spaces to Bypass Office 365 Protections

• Twitter Fixes Four Year Old Bug in Android App Exposing Private Tweets

• Windows 7 KMS Activation Issues Caused by Microsoft Mistake, Not an Update

• New Ethereum version postponed after discovery of serious security flaw (ZDNet)

• Popular Web-Hosting Platform Bluehost Riddled with Flaws, Researcher Claims He said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.

• Two Code Execution Flaws Patched in Drupal

• Unpatched Flaws in Building Access System Allow Hackers to Create Fake Badges