Weekly Cyber Security News 17/02/2017

A selection of this week’s more interesting vulnerability disclosures and cyber security news. In addition to last week’s train system honey pot, a similar theme appeared in my feed this week. Having spent some years in manufacturing, and integration of SCADA systems into the rest of a company’s business infrastructure I often became horrified at the lack of authentication between critical control devices within these supposedly isolated networks. This then all comes crashing down when given comments of ‘just stick it behind a fire wall, it will be fine, oh and can you create a VPN tunnel through for our engineers’.

I understand that these systems operate often had high speed, especially when you have large robots and heavy automation that requires instant response especially in a human safety situations. Nevertheless, any rouge device that can breach it and at least poke at some known faults or even flood the network with junk causing erratic behaviour could still do serious damage.

Even outside industrial areas such as the standard office network, we often let our guard down and trust too much. Google have long been working on a new approach to boundaries which I’ve been following and though complex could be interesting in the long term:

• Meet LogicLocker: Boffin-built SCADA ransomware (The Register)

• No Firewalls, No Problem for Google Google secures its perimeter with explicit trust in what it knows about users and the devices connecting to its corporate services.

• Infected Vending Machines And Light Bulbs DDoS A University (Forbes)

 

And the rest:

• Hacker Breached Dozens of Universities and Government Agencies, Report Says Jeff John Roberts

• How IoT hackers turned a university’s network against itself Danny Palmer reports

• Shirebrook man arrested in connection to Sports Direct breach (The Register)

• Verizon Data Breach Digest Triangulates Humanity Inside Security

• Yahoo Notifies Users of Sophisticated Breach Methods

• Adobe Patches 13 Code Execution Vulnerabilities in Flash Adobe patched 13 code execution vulnerabilities in Flash Player today as part of its regular patch update cycle.

• Bruce Schneier: The US government is coming for YOUR code, techies (The Register)

• Crypto-curious? Wickr’s opened its kimono for code review (The Register)

• Forget quantum and AI security hype, just write bug-free code, dammit (The Register)

• Hackers Have Stolen Millions Of Dollars In Bitcoin Using Only Phone Numbers Laura Shin reports

• Haven’t deleted your Yahoo account yet? There’s a new forged cookie hack risk (The Register)

• Hong Kong police struggle to stop brokerage hacking spree (Yahoo Security)
  

• New ASLR-busting JavaScript is about to make drive-by exploits much nastier (ArsTechnica) 

• Open Databases a Juicy Extortion Target A sudden wave of attacks against insecure databases resulting in ransom demands points to wave of data hijacking attacks.

• Report: Data breaches growing more complex, causing more damage (TechRepublic)

• Researchers Break ASLR Protection via JavaScript Attack (SecurityWeek)

• Security analysts link arrested Russian computer expert to crime websites Tim Johnson reports

• This Fake Femme Fatale Is Stealing Google Accounts From Journalists And Human Rights Activists (Forbes)

• Turning Tables on Nigerian Business Email Scammers Researchers from Dell SecureWorks infiltrated a Nigerian business email spoofing and business email compromise operation, shutting down a number of money mule accounts in the process.

• Uber Rider Sues For $47M After Wife Caught Him Cheating In The App (Forbes)

• UK website data insecurity worries: Users in bits over car break-up emails (The Register)

• UK’s Proposed Espionage Act Treats Journalists As Foreign Spies (Forbes)

• Worldwide bank attack blitz linked to Sony Pictures hacking crew (The Register)

• Yahoo reveals more breachiness to users victimized by forged cookies (ArsTechnica)

• Yahoo tells users they were hit with cookie attack Laura Hautala reports

• Updated Firmware Due for Serious TP-Link Router Vulnerabilities A researcher disclosed vulnerabilities in TP-Link C2 and C20i routers that allow for remote code execution and denial-of-service attacks with authentication.

• Google whacked $20m over Chrome malware patent (The Register)
  

• RSA Conference: New ransomware could poison your town’s water supply if you don’t pay up (TechRepublic)

• Google claims massive Stagefright Android bug had ‘sod all effect’ (The Register)

• WordPress Flaw Exploited for Remote Code Execution (SecurityWeek)

• 1.5M Unpatched WordPress Sites Hacked Following Vulnerability Disclosure WordPress security experts said that 1.5M sites have been defaced following the disclosure of a silently fixed content injection vulnerability.

• Virally growing attacks on unpatched WordPress sites affects 2m pages (ArsTechnica)