Weekly Cyber Security News 10/11/2017

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Like buses, don’t see one for ages and then suddenly loads turn up. Been like that with interesting news the last few weeks, yes we’ve had some pretty bid blows, but this week so so many to choose from.

My first is a glimpse into the underbelly of security research. The fine line. Fascinating back stories to situations we only hear the highlights (or lowlights) about at the time:

• Cracking the Code Jason Leopold reports

• He Perfected a Password-Hacking Tool – Then the Russians Came Andy Greenberg reports

After the dreadful exposure of S3 data, looks like Amazon has added something that might help those that really are either clueless or careless about their data. Let’s see if this is the end of it… Somehow I don’t think so:

• Amazon Adds New Encryption, Security Features to S3

Ah, the leaving keys in binaries problem. An oldie but still a simple mistake that could be pretty disastrous as it turns out:

• Twilio Credentials Hardcoded in Mobile Apps Expose Calls, Texts

 

Go on, read the rest over the weekend…

• 2nd Breach at Verticalscope Impacts Millions Brian Krebs reports

• Equifax Says Execs Unaware of Hack When They Sold Stock

• Update: 46.2 Million Malaysian Mobile Phone Numbers Leaked From 2014 Data Breach Vijandren writes

• AWS S3 Buckets at Risk of _GhostWriter_ MiTM Attack

• CVE-2017-16634 In Joomla! before 3.8.2, a bug allowed third parties to bypass a user’s 2-factor authentication method.

• DigiCert Addresses Mozilla’s Concerns on Symantec CA Acquisition

• Equifax: Hack Related Expenses Cost Company $87.5 Million in Q3

• Estonia Blocks Electronic ID Cards Over Identity-Theft Risk

• Firefox to Block Canvas-based Browser Fingerprinting

• Francisco Partners Acquires Comodo CA

• Google to Remove Support for PKP in Chrome

• Guy tracks down girlfriend via Snapchat Snap Map, stabs man she’s with

• Hackers Poison Google Search Results to Deliver Zeus Panda Threat actors leverage SEO to ensure malicious links rank highly in Google results to infect targets with Trojan.

• How Wireless Intruders Can Bypass NAC Controls

• Many Brother Printers Vulnerable to Remote DoS Attacks

• Many Vulnerabilities Found in Linux USB Subsystem

• Mozilla Raises Concerns Over DigiCert Acquiring Symantec CA

• Poisoned Google Search Results Lead to Banking Trojan

• Researchers Downplay Size of Reaper IoT Botnet

• Stack Ranking SSL Vulnerabilities: DUHK and ROCA

• Stealthy New PLC Hack Jumps the Air Gap

• T-Mobile Alerted �A Few Hundred Customers� Targeted By Hackers Lorenzo Franceschi-Bicchierai reports

• Twitter employee deleting POTUS account is a lesson for all companies

• ‘Eavesdropper’ Exposes Millions of Mobile Conversations

• Apple Patches Dangerous KRACK Wi-Fi Vulnerabilities

• 15 real-world phishing examples � and how to recognize them

• Office 365 Missed 34,000 Phishing Emails Last Month Nearly 10% of emails delivered to Office 365 inboxes were spam, phishing messages, and known or zero-day malware.

• Experts Find Faster Way to Exploit Infineon Chip Crypto Flaw

• OpenSSL Patches Flaws Found With Google Fuzzer

• Serious SQL Injection Flaw Patched in WordPress