Weekly Cyber Security News 25/05/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. A number of IoT issues cropped up this week that made me pause (and yes, pun intended this time) affecting a pet related device as well as the usual home/office arena. The Z-Wave attack while great headlines does in fact have a very narrow window of opportunity, but still could provide a pivot. The pet one however a little more concerning, and as usual concerns apps and/or Bluetooth:

• 100 Million IoT Devices Possibly Exposed to Z-Wave Attack

• Pet Tracker Flaws Expose Pets and Their Owners to Cybercrime Hackers can exploit vulnerabilities in popular pet trackers to intercept location coordinates and access owners’ personal data.

The third issue that surfaced many people (mostly home):

• Attackers Change DNS Settings of DrayTek Routers

 

The rest of it:

• ZipperDown Vulnerability Could Hit 10% of iOS Apps A newly discovered vulnerability could affect thousands of iOS apps- and Android users may not be spared.

• Bombas notifies consumers of breach going back to 2013 Bombas is sending out a breach notification to consumers

• Actor Advertises Japanese PII on Chinese Underground Kelly Sheridan reports

• Amazon Comes Under Fire for Facial Recognition Platform

• Chinese citizen tries to steal advanced robotic technology IP

• Chinese Researchers Find Vulnerabilities in BMW Cars

• Chrome to Issue Red ‘Not Secure’ Warning for HTTP

• Cloudflare Improves DDoS Mitigation Tool

• CVE-2017-18269 An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S in the GNU C Library

• Fitting Forward Secrecy into Today’s Security Architecture

• Intel’s ‘Virtual Fences’ Spectre Fix Won’t Protect Against Variant 4

• Las Vegas Most Insecure Cyber City in US

• Misconfigured Reverse Proxy Servers Spill Credentials Researchers created a proof-of-concept attack that allows remote attackers to access protected APIs to extract credentials.

• More Than Half of Users Reuse Passwords

• Pentagon’s project to verify identity via smartphones within two years

• Six Vulnerabilities Found in Dell EMC’s Disaster Recovery System

• The Good & Bad News about Blockchain Security

• Track naughty and nice binaries with Google Santa

• Comcast Patches Router Bug That Leaked Some Wi-Fi Passwords

• Comcast website bug leaks Xfinity customer data ZackWhittaker reports

• Teen phone monitoring app leaked thousands of user passwords Zack Whittaker reports

• TeenSafe Tracking App Exposes Thousands of Private Records Records for a mobile app

• Thousands of kids Apple IDs stored in plaintext on unprotected server

• Hackers Behind ‘Triton’ Malware Attack Expand Targets

• Macs Infected With New Monero-Mining Malware

• Agari Employs Active Defense to Probe Nigerian Email Scammers

• ‘Roaming Mantis’ Android Malware Evolves, Expands Targets Roaming Mantis has evolved rapidly, adding geographies, platforms, and capabilities to its original scope.

• Microsoft locks down Windows 10 with the S edition

• Critical Flaw Impacts Dell EMC RecoverPoint

• Intel Responds to Spectre-Like Flaw In CPUs Intel on Monday acknowledged that its processors are vulnerable to another Spectre-like speculative execution side channel flaw that could allow attackers to access information.

• Malicious PHP Script Infects 2,400 Websites in the Past Week A botnet called Brain Food is pushing diet pills via infected WordPress and Joomla websites.

• Researchers Say More Spectre-Related CPU Flaws On Horizon Yet another speculative execution side channel flaw has been disclosed in processors and security experts warn that more may be out there.

• Tech Firms Coordinate Disclosure of New Meltdown, Spectre Flaws

• Two Vulnerabilities Patched in BIND DNS Software