Weekly Cyber Security News 19/02/2016

For well over a decade our focus at ionCube has been on PHP security but recently with the release of ionCube24 we have been looking into different kinds of vulnerabilities. This post has a few of the interesting issues we have found this week.

A selection of this week’s more interesting vulnerability disclosures and cyber security news.

General

• 519070 or blank: The PINs that can pwn 80k online security cams (The Register)

• 9 days: Black-hat hackers’ threshold in untargeted attacks (TechRepublic)

• Alibaba security FAIL as brute-force bonaza yields 21 MILLION logins (The Register)

• Amazon’s new cloud engine has a zombie apocalypse clause (ZDNet)

• Apple mulling iMessage port to Android, sending encrypted messaging mainstream (ZDNet)

• Bitcoin Lending Platform Loanbase Breached

• Bitcoiners are just like everybody else: They use rubbish passwords (The Register)

• Brits best French in Euro securo pwn party (The Register)

• Bugtraq: phpMyBackupPro v.2.5 Arbitrary File Upload phpMyBackupPro v.2.5 Arbitrary File Upload

• Bugtraq: Safebreach adsivory: Node.js HTTP Response Splitting (CVE-2016-2216) Safebreach adsivory: Node.js HTTP Response Splitting (CVE-2016-2216)

• Bugtraq: SSO Authentication Bypass and Website Takeover in DOKEOS SSO Authentication Bypass and Website Takeover in DOKEOS

• Cisco customers on alert over new vulns (The Register)

• Cross-Platform Backdoor Adwind Hit 443,000 Users: Kaspersky (SecurityWeek)

• Crypto connoisseurs: Curl up with Princeton’s 300-page ode to Bitcoin (The Register)

• CVE-2016-2230 OpenELEC and RasPlex devices have a hardcoded password for the root account, which makes it easier for remote attackers to obtain access via an SSH session.

• Don’t touch that PDF or webpage until your Windows PC is patched (The Register)

• Exposing ‘Smart’ Security: I Hacked Someone’s Alarm From 5,000 Miles Away (Forbes)

• Extremely severe bug leaves dizzying number of apps and devices vulnerable (ArsTechnica)

• Flash flushed as Google orders almost all ads to adopt HTML5 (The Register)

• Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux (SecurityWeek)

• GitHub Paid $100,000 Since Launch of Bug Bounty Program

• Go full SHA-256 by June or get locked out, say payments bods Bacs (The Register)

• Hundreds Access Fake Bank Account Data quot;Leakedquot; to Dark Web (SecurityWeek)

• Hundreds Of Spotify Premium Accounts Exposed Online (Again) (Forbes)

• Idiot e-tailers falling for fake patch that exploits year-old Magento hole (The Register)

• Instagram rolls out two factor authentication (The Register)

• It’s 2016 and a font can own your computer (The Register)

• Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months (The Register)

• Microsoft careers data exposed by MongoDB flaw (ZDNet)

• Misconfigured Database Exposed Microsoft Site to Attacks (SecurityWeek)

• Moscow raids could signal end of global Dyre bank trojan menace (The Register)

• Most Bitcoin Brain Wallets Drained by Attackers (SecurityWeek)

• Mozilla Updates Firefox to Patch Critical Flaws (SecurityWeek)

• Nuclear EK Gate Uses Decoy CloudFlare DDoS Check Page

• Oracle posts security patch for bug that could result in ‘complete compromise’ of Windows machines (ZDNet)

• Password cracking attacks on Bitcoin wallets net $103,000 (ArsTechnica)

• Patch ASAP: Tons of Linux apps can be hijacked by evil DNS servers, man-in-the-middle miscreants (The Register)

• Patch Linux now, Google, Red Hat warn, over critical glibc bug (ZDNet)

• Quotemehappy? No, I’m furious: Insurance site loses customer details (The Register)

• Remote Code Execution Flaw Patched in glibc Library

• Safebreach adsivory: Node.js HTTP Response Splitting (CVE-2016-2216)

• SerVision HVG Hardcoded password

• Shopify doles out free SSL encyrption certificates to merchants (ZDNet)

• TalkTalk Took a Big Bath Over Breach (InfoRiskToday)

• This is what it looks like when your website is hit by nasty ransomware (The Register)

• Trane thermostat is a hot spot for viruses on home networks (The Register)

• Twitter admits to password recovery bug affecting thousands of users (ArsTechnica)

• Virgin Media spoof email mystery: Customers take to Facebook (The Register)

• Warning: Bug in Adobe Creative Cloud deletes Mac user data without warning (ArsTechnica)

• What happens when you leak stolen bank data to the Dark Web? (ZDNet)

• When phone verification and recycled numbers collide, Lyft leaks user data (ArsTechnica)

Infrastructure

• D-Link router DSL-2750B firmware 1.01 to 1.03 remote command execution no auth required

• Poor UX in Asus routers can leave the web UI unintentionally exposed to the Internet

Malware

• Attackers Use Fake Patch to Hack Magento Sites

• Dridex malware exploit distributes antivirus installerhack suspected (ArsTechnica)

• Roll up, roll up to the Malware Museum! Run classic DOS viruses in your web browser (The Register)

• Want the full MS-DOS virus experience? Time for a night at the Malware Museum (ZDNet)

User Space

• Adobe pulls Creative Cloud update that deleted Apple Mac data (ZDNet)

• This Android Trojan steals banking creds and wipes your phone (The Register)