Weekly Cyber Security News 23/09/2016

A selection of this week’s more interesting vulnerability disclosures and cyber security news.

Again this week I’m going to side-step the usual trove of breaches that seem common place, and yes, including the massive Yahoo one. Instead lets look at the perils of not understanding where the boundaries are that need protecting. The obvious one is wifi, and often we moan that the signal drops in the next room, however, it can also leak. It can also leak some distance away given the right conditions which can also reveal way too much information even if you are not authenticated. A few articles below show some recent examples of this.

The article that caught my attention the most is the last one. Although I don’t use voice activated services, it did lead me to ponder this as yet another ‘leaking’ of sorts outside the expected boundary and could pose many risks beyond the unlocking of doors.

 

• BT’s Wi-Fi Extender works great at extending your password to hackers (The Register)

• Researchers wirelessly hit the brakes in a Model S, Tesla patches quickly (ArsTechnica)

• Tesla Patches Cars Against Wi-Fi ‘Braking’ Attack (InfoRiskToday)

• How A Few Words To Siri Unlocked A Man’s Front Door And Exposed A Major Security Flaw In Apple’s HomeKit (Forbes)

 

And with the rest of the breaches and some critical patches we have list merry lot:

 

• 500 million Yahoo accounts breached; biggest breach ever publicly disclosed Kim Hjelmgaard and Elizabeth Weise report

• Massive data breach hit 500 million users, Yahoo confirms (Yahoo Security)

• Yahoo Admits 500 Million Hit In 2014 Breach- Blames Foreign Spies (Forbes)

• Yahoo confirms 500M accounts leaked in massive data breach (TechRepublic)

• Yahoo Confirms Massive Data Breach of 500 Million Accounts

• Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users

• Yahoo says half a billion accounts breached by nation-sponsored hackers (ArsTechnica)

• How You Can Support InfoSec Diversity, Starting With The Colleagues You Already Have GitHub’s Jamesha Fisher discusses

• Beyond the Yahoo hack: Other major data breaches (Yahoo Security)

• Big email hack doesn’t exactly send the message Yahoo needed (Yahoo Security)

• Brian Krebs’ Blog Hit by 665 Gbps DDoS Attack

• Bug that hit Firefox and Tor browsers was hard to spotnow we know why (ArsTechnica)

• Dropbox ‘Hacks’ Macs, Developer Warns (InfoRiskToday)

• Greybeards beware: Hair dye for blokes outfit Just For Men served trojan (The Register)

• Hackers steal data from 500 million Yahoo accounts (Yahoo Security)

• Hand-delivered hacking: malicious USBs left in mailboxes (Yahoo Security)

• iPhone passcode bypassed with NAND mirroring attack (ArsTechnica)

• Let’s Encrypt won its Comodo trademark battle but now fan tools must rename (The Register)

• Nearly 800,000 FTP Servers Accessible Online Without Authentication Catalin Cimpanu reports

• Online scammers speed up: Hit gold every 15 seconds (The Register)

• OpenSSL Update Released, (Thu, Sep 22nd)

• Over a Dozen Vulnerabilities Patched in OpenSSL (SecurityWeek)

• Version 3 of Qadars Trojan Targets UK Banks

• Watch Chinese Hackers Control Tesla’s Brakes From 12 Miles Away (Forbes)

• Yahoo says hackers stole info in 500 million user accounts (Yahoo Security)

• Smartphone Infections Rise 96% In H1-2016: Malware Study Nokia report reveals April 2016 saw new all-time high in mobile infections with one out of every 120 smartphone affected.

• China hackers swipe millions in data breach Jon Marino reports

• 10-second hijack hole could kill any Facebook profile (The Register)
  

• Over 840,000 Cisco Devices Affected by NSA-Linked Flaw

• Safe browsing checks fail as 16,000 WordPress sites hacked this year (The Register)

• XSS WordPress W3 Total Cache <= 0.9.4.1