Weekly Cyber Security News 09/09/2016

A selection of this week’s more interesting vulnerability disclosures and cyber security news.

If you want to just skip to the huge number of data breaches both recent and historical then scroll down, though if, as a normal personal internet user you feel confident in your security then hang on one moment. This week I want to draw attention to our daily use of consumer tech and the ease in which just one mistake can suddenly expose us to all sorts of nastiness. This was brought to light from a friend this week who had her PayPal charged with numerous £400 charges from Google Play for games she certainly didn’t buy and our subsequent discussion about the number of spam emails we see daily. Thankfully both of those parties sorted things out for her, but it did make me recall the near death experience last year when Stagefright came out. As soon as I saw the reports I disabled various bits on my phone, and that was lucky that I did, a few hours later I received an odd text from a friend with a link which looked like such an attack. I told him to ditch the phone as he was probably now compromised.

This week we have a few articles that highlight some of the simple attacks that could, in a moments lapse of concentration, open us up to loss. What perhaps we also forget is that our devices, especially mobile phones now pack a huge amount of technology and computing power, and once breached could be doing more than just going through your phone contact list. The lesson as always is pause to think before anything unexpected occurs.

 

• Ten year-old Windows Media Player hack is the new black, again (The Register)

• Just One Photo Can Silently Hack Millions Of Androids (Forbes)

• Researchers demonstrate half of people will click on any link theyre sent (ArsTechnica)

• Researchers Uncover Car Infotainment Vulnerability

• Researchers Use WiFi Signals to Read Keystrokes (SecurityWeek)

• Scientists’ sneaky smartphone software steals 3D printer designs (The Register)

• Brutally efficient phishing scam takes advantage of PayPals awfulness (Yahoo Security)

• DropboxCache Cross-Platform Backdoor Targets OS X

 

And here we have the hacks and other chaos of the week:

 

• 43 Million Last.fm Accounts Stolen in 2012 Breach (SecurityWeek)

• 98 million passwords from 2012 breach of Russias Yahoo Rambler.ru leaked (ArsTechnica)

• Dropbox’s Big, Bad, Belated Breach Notification (InfoRiskToday)

• Hitsniffer ceases trading because of a malicious-insider data leak Roi Perez reports

• Intruders Pilfered Over 68 Million Passwords In 2012 Dropbox Breach

• Lightspeed PoS vendor breached, sensitive database tapped (The Register)

• Mass download of Poles personal data sparks fears PAP reports

• Over 40 million usernames, passwords from 2012 breach of Last.fm surface (ArsTechnica)

• PoS Vendor Lightspeed Suffers Data Breach (SecurityWeek)

• Russian internet giant Rambler.ru hacked, leaking 98 million accounts Zack Whittaker reports on yet another 2012 hack where the data are first being leaked publicly

• 100 Million Accounts Stolen From Russian Web Portal Rambler (SecurityWeek)

• 162 million personal data items leaked over six years in Beijing ECNS reports

• 2012 Dropbox hack worse than realized, 68M passwords leaked (TechRepublic)

• 71,000 Minecraft World Map accounts leaked online after ‘hack’ (The Register)

• 98.1 million CLEARTEXT passwords pasted as Rambler.ru rumbled (The Register)

• Bitcoin Exchange BTC-E and BitcoinTalk Forum Breaches Two Bitcoin related websites were hacked, namely Btc-E.com (a Bitcoin exchange acting similar to a foreign currency exchange) and Bitcointalk.org (the largest Bitcoin discussion forum in the world

• Bloke accused of Linux kernel.org hack nabbed during traffic stop (The Register)

• Downfall of Software Startup Highlights Code Ownership Issues (SecurityWeek)

• Dropbox didnt tell anyone about a giant hack for four years (Yahoo Security)
  

• Dumps from Two More Bitcoin Breaches Disclosed by LeakedSource

• Feds pin brazen kernel.org intrusion on 27-year-old programmer (ArsTechnica)

• Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops (The Register)

• How much does your kid hate exams? This lad hacked his government to skip them (The Register)

• How to force users to create secure passwords on Linux (TechRepublic)

• Hypervisor security ero-Xen: How guest VMs can hijack host servers (The Register)

• Israeli Online Attack Service vDOS Earned $600,000 in Two Years Brian Krebs reports

• Kaspersky to 1337 haxors: take down our power grid. We dare you (The Register)

• Kernel.org Hacking Suspect Arrested in Florida (SecurityWeek)

• McAfee’s back in action: Intel flogs its security software for $3.1bn (The Register)

• Meet PocketBlock, the crypto engineering game for kids of all ages (ArsTechnica)

• Microsoft thought of the children and decided to ban some browsers (The Register)

• Over 18,000 Redis Instances Targeted in FairWare Attacks (SecurityWeek)

• Owen Smith Tweets Login Data to 16,000 Followers Slack Alice writes

• Pokmon-loving VXer targets Linux with ‘Umbreon’ rootkit (The Register)

• Sophos Windows users face black screens after false positive snafu (The Register)

• SWIFT Reveals New Hacking Attempts On Member Banks Banks being pushed to meet November 19 deadline for updated security features, including stronger password rules.

• UK Labour man Owen Smith: If you wanna be a leader, you gotta stop with that lens (The Register)

• Sophos Products Detect Legitimate Windows File as Malware

• Transmission hijacked to broadcast Mac malware (The Register)