For well over a decade our focus at ionCube has been on PHP security, but recently, with the release of ionCube24, we have been looking into different kinds of vulnerabilities. This post collects a few of the more interesting issues we have come across this week.
A selection of this week’s more interesting vulnerability disclosures and cyber security news.
General
- 6 Ex-Employees Questioned About Hacking Team Breach, Prior Leak (Dark Reading)
- Brand new Chrome 44 release added a bug (ZDNet)
- Computer Systems Security MIT OpenCourseWare (Reddit)
- Configuration Issue Exposes 30,000 MongoDB Instances: Researcher (SecurityWeek)
- Darkode Shuttered But Cybercrime Still Alive And Well (Dark Reading)
- Exclusive: Visa application portal closed following SC Magazine investigation (SC Magazine)
- Firm stops selling exploits after delivering Flash 0-day to Hacking Team (ArsTechnica)
- Four RCE Zero-Day Flaws Plague Internet Explorer: ZDI
- Fully patched Internet Explorer menaced by a whopping 4 code-execution bugs (ArsTechnica)
- Google Patches 43 Vulnerabilities With Release of Chrome 44 (SecurityWeek)
- Hacking Team Flash Player Exploit Used to Target Japanese Organizations (SecurityWeek)
- Hacking Team goes to war against former employees, suspects some helped hackers (ArsTechnica)
- Microsoft Issues Emergency Fix For Critical Flaw Affecting All Versions of Windows (SecurityWeek)
- Microsoft issues emergency patch for critical vulnerability in Windows (ArsTechnica)
- Morrisons employee receives eight years for leaking data of 100K workers (SC Magazine)
- OpenSSH keyboard-interactive authentication brute force vulnerability (MaxAuthTries bypass) (Reddit)
- OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability (Reddit)
- Photo Processing Vendor Exposes CVS, Wal-Mart, Costco (Dark Reading)
- PNI Digital Media investigates potential credit card ‘issue’ as more photo center websites go down (SC Magazine)
- Researcher Discloses Local Privilege Escalation Vulnerability in OS X (SecurityWeek)
- Researcher unveils new privilege vulnerability in Apple’s Mac OS X (ZDNet)
- Retailers Suspend Online Photo Centers Due to Possible Breach (SecurityWeek)
- South Korea Intelligence Official Dead in Hacking Scandal
- South Korea spy found dead with note denying agency targeted citizens (Yahoo Security)
- Spam Email Rate Falls Below 50% For First Time In 12 Years, Report Says (Forbes) – Really? Do all these malware ones replace them?
- The Case of Insecure MongoDB Defaults and 600TB of Data (Reddit)
- Time’s Running Out for the $76 Billion Detection Industry (Dark Reading)
- Twitter-Based System to Provide Alerts on BGP Hijacks, Outages (SecurityWeek)
- Unlimited free meals (courtesy BiteClub) Software anomalies (Reddit) – Oh dear, not a good example of programming
- We Never Broke Any Laws: Hacking Team
- You have no privacy (or security), so get over it (TechRepublic)
This is seriously scary stuff!
- Hackers can take over your Jeep, literally driving you off the road (ZDNet)
- Hackers Remotely Kill a Jeep on the Highway – With Me in It (WIRED)
- Jeep Owners Urged To Update Their Cars To Stop Hackers Taking Them Off The Road (Forbes)
- Terrifying: Hackers take over a Jeep driving down the highway at 70 mph (Yahoo Security)
- Zero-day in Fiat Chrysler feature allows remote control of vehicles (SC Magazine)
- Automaker Releases Software Update After Hackers Remotely Hijack Car
- Fiat Chrysler says it has a software fix to prevent hacking (Yahoo Security)
- Patch Your Chrysler Vehicle Now Against a Wireless Hacking Technique (WIRED)
- CVE-2015-5611 – Unspecified vulnerability in Uconnect 15.26.1, as used in certain Fiat Chrysler Automobiles (FCA), allows remote attackers in the same cellular network to control vehicle movement, cause human harm or physical damage, or modify dashboard settings via vectors related to modification of entertainment-system firmware and access of the CAN bus, due to insufficient "Radio security protection," as demonstrated on a 2014 Jeep Cherokee Limited FWD.
- Fiat Chrysler connected car bug lets hackers take over Jeep remotely (ArsTechnica)
Malware
WordPress
- All WordPress users urged to update after critical flaw found (ZDNet)
- WordPress 4.2.3 released, addresses critical XSS vulnerability (SC Magazine)
- WordPress 4.2.3 Fixes Vulnerabilities, Bugs (SecurityWeek)
Weekly Cyber Security News