Weekly Cyber Security News 22/01/2016

For well over a decade our focus at ionCube has been on PHP security but recently with the release of ionCube24 we have been looking into different kinds of vulnerabilities. This post has a few of the interesting issues we have found this week.

A selection of this week’s more interesting vulnerbility disclosures and cyber security news.

General

• Asda slammed for letting vulns fester on its cyber shelves (The Register)

• Bitcoin Heist Steals Millions from Exchange (InfoRiskToday)

• Bitcoin Trader Cryptsy Robbed via IRC Backdoor (SecurityWeek)

• Details of 325K Earbits.com users available on public database (SC Magazine)

• Dridex Trojan targets UK banks, avoids two factor authentication checks (ZDNet)

• Dropbear SSH daemon doesn’t authenticate users (SC Magazine)

• iOS cookie theft bug allowed hackers to impersonate users (ArsTechnica)

• LastPass Attack Could Result in Full Account Compromise

• LastPass in 2FA lock down after ‘fessing up to phishing attack (The Register)

• LastPass phishing attack avoids two-factor authentication in data theft (ZDNet)

• LastPass’s password-shuffling rival Dashlane gets a makeover (The Register)

• Linux Trojan Takes Screenshots Every 30 Seconds

• New open-source ad-blocking web browser emerges from brain of ex-Mozilla boss Eich (The Register)

• PDF redaction is hard, NSW Medical Council finds out the hard way (The Register)

• Possible attack vector for LastPass (IT Toolbox Blogs)

• RSA asks for plaintext Twitter passwords on conference reg page (The Register)

• Security firm sued for filing woefully inadequate forensics report (ArsTechnica)
• Shop online at Asda? Website vuln created account hijack risk (The Register)
• Spamming Someone from PayPal (Schneier blog)
• Trend Micro password manager had remote command execution holes and dumped data to anyone: Project Zero (ZDNet)
• Trustwave failed to spot casino hackers right under its nose lawsuit (The Register)
• Ukraine energy utilities attacked again with open source Trojan backdoor (The Register)
• Google confirms new Linux hole not a big deal for Android (ZDNet)
• How to fix the latest Linux and Android zero day flaw (ZDNet)
• Linux Kernel Flaw Puts Millions of Devices at Risk
• Samsung sued over ‘lackadaisical’ Android security updates (The Register)
• Zero-Day Flaw Found in Linux (InfoRiskToday)

Malware

• Android.Bankosy malware targets ‘voice’ two-factor authorisation (SC Magazine)

• Dridex Trojan Borrows Redirection Attack Scheme from Dyre Malware (SecurityWeek)