A selection of this week’s more interesting vulnerability disclosures and cyber security news.
The week’s news is still awash with the devastating DDoS against Dyn, which appears to have been carried out by a surprisingly low number of IoT devices. Then, with further news of some other networks being hit too, I don’t think this is going to get any better. Anyway, you can pick up those articles below, as my main focus this week is the announcement of a practical application of Rowhammer.
This one really piqued my geeky interest last year: it seemed a fascinating bit of research, clever in the way it flips bits in neighbouring memory cells to induce a security hole, but something that would in practice be very difficult to achieve. How wrong was that? Looks like someone has actually achieved a compromise! It will be interesting to see if anyone actually gets this to apply to other devices.
And for all the other fun we’ve had this week…
- Australia’s biggest data breach sees 1.3m records leaked (Allie Coyne reports)
- Indian Banks Hit By Debit Card Security Breach: around 3.25 million debit cards affected by breach of 90 ATMs, prompting card replacement and PIN change.
- Nets data breach puts 100,000 cards at risk (Alex Hamilton reports)
- ‘Root’ Of More IoT-Based DDoS Attacks: last Friday’s massive DDoS that exploited online cameras and DVRs was simple to pull off, and a new chapter in online attacks.
- 3 inexpensive steps to secure IoT (TechRepublic)
- Adobe kicks out patch for fresh Flash zero-day (The Register)
- Ageing GSM crypto cracked on commodity graphics rig (The Register)
- Android phones rooted by most serious Linux escalation bug ever (ArsTechnica)
- Anonymous’s Most Notorious Hacker Is Back, and He’s Gone Legit (Andy Greenberg reports)
- Botnet Army of ‘Up to 100,000 IoT Devices’ Disrupted Dyn (InfoRiskToday)
- China electronics firm to recall some U.S. products after hacking attack (Yahoo Security)
- DDoS On Dyn Used Malicious TCP, UDP Traffic
- Every LTE call, text, can be intercepted, blacked out, hacker finds (The Register)
- Good luck securing ‘things’ when users assume ‘stuff just works’ (The Register)
- Graduate recruitment site exposed 50,000 CVs sent to Virgin Media UK (The Register)
- Hacker’s Icarus machine steals drones midflight (The Register)
- Hacktivist crew claims it launched last week’s DDoS mega-attack (The Register)
- Joomla! squashes critical privileged account creation holes (The Register)
- LinkedIn Hacker Tied to Major Bitcoin Heist (SecurityWeek)
- Mirai Botnet Pummels Internet DNS in Unprecedented Attack (InfoRiskToday)
- Mozilla plots TLS 1.3 future for Firefox (The Register)
- Password1? You’re so random. By which we mean not random at all - UK.gov (The Register)
- PayPal patches bone-headed two factor authentication bypass (The Register)
- R3’s Corda Blockchain Platform Goes Open-Source (SecurityWeek)
- Script Kiddies Likely Behind Dyn DDoS Attacks (SecurityWeek)
- Singapore telco StarHub hit by cyber attacks, internet connections disrupted (Yahoo Security)
- There’s a new way to take down drones, and it doesn’t involve shotguns (ArsTechnica)
- Three LibTIFF bugs found, only two patched (The Register)
- U.S. web provider says probing East Coast cyber attack (Yahoo Security)
- ComoD’oh! Infosec duo exploits OCR flaw to nab a website’s HTTPS cert (The Register)
- Got an ancient exploit but nowhere to use it? Try the horrid GRX network (The Register)
- Slack Flaw Allowed Hackers to Hijack Any Account