Weekly Cyber Security News 24/02/2017

A selection of this week’s more interesting vulnerability disclosures and cyber security news. While allowing free reign so that people can do their job like in these below, there does come a risk for all staff whether they have admin privileges or not. Staff may intentionally leak information even for innocent reasons such as emailing something to home so they can work on it over a weekend, though once such files are outside an area of control, all hope is lost. There are of course methods to prevent this like the use of VPNs but people being people will find ways around it. Of course the worst (as far as any IT department knows) comes from ‘above’ with requests that break the rules for everyone else ‘for this special situation’.

How do we as any member of staff, let alone as IT professionals, deal with intentional and unintentional leaks? At least education, and better still tools to allow any kind of company document freedom of movement within a flexible infrastructure that’s not going to stop people doing their jobs. It’s not easy I know, I’ve had to deal with a number of incidents in my career that have even surprised me at the ingenuity people have come up with to get around fail-safes! This is really not going to go away I think.

• Logic Bombs Pose Threat to ICS: Researchers

• I was authorized to trash my employer’s system, sysadmin tells court (The Register)

• Paper factory fired its sysadmin. He returned via VPN and caused $1m in damage. Now jailed (The Register)

 

And the rest of the news….

 

• Millions of IGN and PCMag user records sit exposed, online Chris Bing reports

• Serious Breach Linked to Chinese APTs Comes to Light

• Amazon Argues Alexa Has Free Speech Rights In Murder Trial Fight (Forbes)

• At deaths door for years, widely used SHA1 function is now dead (ArsTechnica)

• AU: Privacy commissioner apologises for accidentally releasing email addresses

• Boffins exfiltrate data by blinking hard drives’ LEDs (The Register)

• British Cops Bust Suspected German ISP Mirai Botnet Hacker (InfoRiskToday)

• Bug Allowed Theft of Over $400,000 in Zcoins (SecurityWeek)

• Cloudbleed: Big web brands leaked crypto keys, personal secrets thanks to Cloudflare bug (The Register)

• Connected car in the second-hand lot? Don’t buy it if you’re not hack-savvy (The Register)

• Deutsche Telekom hack suspect arrested at London airport (The Register)

• DomainMonster mash: Hundreds of websites vandalized after Brit web host server hacked (The Register)

• Firefox certificate cache leaks user information (The Register)

• Firefox Users Fingerprinted via Cached Intermediate CA Certificates

• Florida Man jailed for 4 years after raking in a million bucks from spam (The Register)

• Ford Engineers Are Falling Asleep While Monitoring Self-Driving Cars (Yahoo Security)

• Google Researchers ‘Shatter’ SHA-1 Hash ‘Collision’ attack by researchers at CWI Institute and Google underscores need to retire SHA-1.

• Google Shares Data on Corporate Email Attacks (SecurityWeek)

• Hackers who took control of PC microphones siphon >600 GB from 70 targets (ArsTechnica)

• Hard Drive LED Allows Data Theft From Air-Gapped PCs

• Is your child a hacker? Liverpudlian parents get warning signs checklist (The Register)

• Java and Python have unpatched firewall-crossing FTP SNAFU (The Register)

• Linux kernel gets patch for 11-year-old local-root-hole security bug (The Register)

• Malware That Eavesdrops Via Computer Microphones Is Stealing Hundreds Of Gigs Of Data (Forbes)

• Poison Ivy RAT Campaign Leverages New Delivery Techniques

• Police Have Arrested a Suspect in a Massive ‘Internet of Things’ Attack Lorenzo Franceschi-Bicchierai reports

• Practical collision attack against SHA-1 , (Thu, Feb 23rd)

• Privacy concerns over gaps in eBay crypto (The Register)

• Researchers discover security problems under the hood of automobile apps (ArsTechnica)

• Serious Cloudflare bug exposed a potpourri of secret customer data (ArsTechnica)

• SMTP Strict Transport Security Coming Soon to Gmail, Other Webmail Providers SMTP Strict Transport Security is coming to major webmail providers this year, a Google engineer said at RSA Conference

• This Black Box Lets You Know When People Are Partying At Your House (Forbes)

• USB Killer now lets you fry most Lightning and USB-C devices for $55 (ArsTechnica)

• Android Ransomware Demands Victims Speak Unlock Code (SecurityWeek)

• I infected my Windows computer with ransomware to test RansomFree’s protection (TechRepublic)

• Beeps, roots and leaves: Car-controlling Android apps create theft risk (The Register)

• Code Execution Flaw Affected Linux Kernel Since 2005 (SecurityWeek)

• Microsoft catches up to Valentine’s Day Flash flaw massacre (The Register)