Weekly Cyber Security News 08/01/2016

For well over a decade our focus at ionCube has been on PHP security but recently with the release of ionCube24 we have been looking into different kinds of vulnerabilities. This post has a few of the interesting issues we have found this week.

A selection of this week’s more interesting vulnerbility disclosures and cyber security news.

Drupal

• ‘You’re updated!’ Drupal says, with fingers crossed behind back (The Register)

• Unpatched Drupal Flaws Expose Sites to Attacks (SecurityWeek)
• Drupal install process appears to be dripping (SC Magazine)

General

• Bash, smash, trash Flash earn $100k cash (The Register)

• BBC reports own websites hit by cyber attack (Yahoo Security)

• BBC says website knocked down due to apparent attack (Yahoo Security)

• BBC sites hit with possible DDoS attack (SC Magazine)

• Bugtraq: [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499) [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)

• Cloud host Linode resets user passwords after suspected hack (ZDNet)

• CVE-2015-8027 Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.

• Devs get malicious root app militia on Play Store, sell pumped up ratings (The Register)
• Fatally weak MD5 function torpedoes crypto protections in HTTPS and IPSEC (ArsTechnica)
• First known hacker-caused power outage signals troubling escalation (ArsTechnica)
• Good news, OAuth is lt;igt;almostlt;/igt; secure (The Register)

• Happy 2016, and here’s the year’s first ransomware story (The Register)

• HTTPS Bicycle Attack (Reddit)

• If you want a USB thumb drive wiped, try asking an arts student for help (The Register)

• Irked train hackers talk derailment flaws, drop SCADA password list (The Register)

• LastPass 4.0 gives others access to your password vault in emergencies (ZDNet)

• Latest tech support scam stokes concerns Dell customer data was breached (ArsTechnica)

• Linode Blog Security Notification and Linode Manager Password Reset (Reddit)

• Linode Resets User Passwords After Breach (SecurityWeek)

• Linode: back at last after ten days of hell (The Register)

• LogMeIn adds emergency break-in feature to LastPass (The Register)

• Novel JavaScript ransomware could be an equal opportunity infecter (SC Magazine)

• Plain cruelty: Boffins flay Linux ransomware for the third time (The Register)

• Researcher hacks her own pacemaker (The Register)

• Researchers uncover JavaScript-based ransomware-as-service (ArsTechnica)

• SSL Security of UK Finance Websites Dismal: Report (SecurityWeek)

• The Father of Online Anonymity Has a Plan to End the Crypto War (WIRED)

• The First Cyber Battle Of The Internet Of Things Era May Have Just Happened (Forbes)

• The sloth is coming! Quick, get MD5 out of our internet protocols (The Register)

• Ukraine Claims Hackers Caused Christmas Power Outage (Forbes)

• Ukraine utility cyber attack wider than reported: experts (Yahoo Security)

• Ukrainian Power Grid: Hacked (InfoRiskToday)

• Under-attack Linode resets passwords after logins leak onto web (The Register)

• University of Plymouth plans to exchange passwords for pictures (SC Magazine)

Malware

• Crafty booby-trapped invoice malware empties Japanese bank accounts (The Register)
• ANN-IE-LATION: Microsoft to axe support for older Internet Explorer next week (The Register)

User Space

• Google Patches Critical Flaw in Android Mediaserver (SecurityWeek)
• Firefox users should eliminate Mint Cast, ShellServices: Report (SC Magazine)
• Firefox ban on SHA-1 certs causing some security issues, Mozilla warns (ArsTechnica)
• Firefox ban on SHA-1 dropped after many locked out of HTTPS sites (ZDNet)
• Mozilla Re-Enables Support for SHA-1 in Firefox
• Mozilla warns Firefox fans that SHA-1 ban could bork their security (The Register)

WordPress

• WordPress 4.4.1 Patches XSS Vulnerability
• WordPress 4.4.1 patches 52 issues, adds new emojis (SC Magazine)