Weekly Cyber Security News 03/03/2017

A selection of this week’s more interesting vulnerability disclosures and cyber security news. With demise of SHA-1 and it inevitable hits against active use, this article about Microsoft’s use of SHA-1 brings the thought; what do we know about the crypto used by any systems we purchase? Are we even aware that there could be something in there that might actually be broken or weak, if not now, but maybe in the future?

• SHA-1 crack just got real: System Centre uses it to talk to Linux (The Register)

In other news…

• 12.6 million cases of personal information leaked in Japan in 2016, survey shows Kyodo News reports

• Cloudflare Finds No Evidence of _Cloudbleed_ Exploitation

• Data from connected CloudPets teddy bears leaked due to misconfigured database

• Insecure CloudPets Database Exposed Credentials, Private Data

• Spiral Toys sends something to the California Attorney General, but what is it?

• WordPress photo plugin opens ‘a million sites’ to SQLi database feasting (The Register)

• ‘Kill Your Darlings’ for Better Disaster Recovery (InfoRiskToday)

• Apache Subversion System Affected by SHA-1 Collision

• Breaking Baxter: 50 Bugs Show Robots Might Be Super Vulnerable To Cyberattack Thomas Fox-Brewster reports

• Carders capitalize on Cloudflare problems, claim 150 million logins for sale Steve Ragan reports

• Cloudflare Leaked Web Customer Data For Months

• CloudPets’ woes worsen: teddy bears’ microphones pwned (The Register)

• Creepy IoT teddy bear leaks gt;2 million parents and kids voice messages (ArsTechnica)

• Forged Cookie Attack Affected 32 Million Yahoo Users

• Git lt;codegt;fscklt;/codegt;ed by SHA-1 collision? Not so fast, says Linus Torvalds (The Register)

• Google Chrome 56’s crypto tweak ‘borked thousands of computers’ using Blue Coat security (The Register)

• Google reports high-severity bug in Edge/IE, no patch available (ArsTechnica)

• Google’s Ease-of-Use Email Encryption Project Goes Open Source

• Researchers uncover PowerShell Trojan that uses DNS queries to get its orders (ArsTechnica)

• Security slip-ups in 1Password and other password managers ‘extremely worrying’ (The Register)

• The Latest Privacy Nightmare For Parents: Data Leaks From Smart Toys (Forbes)

• Three Years after Heartbleed, How Vulnerable Are You?

• Two million recordings of kids, parents leaked from cloud-connected toys’ crappy MongoDB (The Register)

• We found a hidden backdoor in Chinese Internet of Things devices researchers (The Register)

• Yahoo says 32m user accounts were accessed via cookie forging attack Asha McLean reports

• Cybercriminals Use Cracked Builder to Spawn Betabot Variants

• A Basic Design Feature Makes It Easy To Create Fake Advertisements On Facebook (Forbes)

• My Catch Of 4 Months In The Amazon IP Address Spaces

• Popular Android Password Managers Expose Credentials (SecurityWeek)

• CVE-2016-6485 The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.

• Researchers find severe flaw in WordPress plugin with 1 million installs (ArsTechnica)

• Slack Quickly Patches Account Hijacking Flaw (SecurityWeek)

• WordPress Plugin With 1 Million Installs Has Critical Flaw (SecurityWeek)