Weekly Cyber Security News 26/10/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. A plethora of choice this week to pick three items of interest… Where to start… OK, first is this very odd fiasco over the Bloomberg story about Super Micro. So much seems wrong, but why are they sticking to it?

• Forgotten that Chinese spy chip story? We haven’t – it’s still wrong, Super Micro tells SEC

At first a rather innocuous story, however thinking about it, it’s quite alarming:

• Audio recording is now disabled by default in OpenBSD (ZDNet)

And as regular readers know, I like a bit of hardware or IoT news, and this one is cunning:

• NFCdrip Attack Proves Long-Range Data Exfiltration via NFC

 

And for the other news of breaches and silly things….

• AWS FreeRTOS Bugs Allow Compromise of IoT Devices The bugs let hackers crash IoT devices, leak their information, and completely take them over.

• Boots cover up breach of confidentiality; over 400 lost ‘prescriptions’ from its Chaddesden store

• Cathay Pacific data breach hits 9.4 million people (ZDNet)

• Questions Mount Over Delay After Cathay Pacific Admits Huge Data Leak

• Two Critical RCE Bugs Patched in Drupal 7 and 8 Drupal’s advisory also included three patches for _moderately critical_ bugs.

• “The inmates have taken over the asylum”: DNS godfather blasts DNS over HTTPS adoption

• 0-Day in jQuery Plugin Impacts Thousands of Applications

• Access data for 70% of top US and EU websites is being sold on dark web

• British Airways: If you”re feeling left out of our 380,000 passenger hack, then you may be one of another 185,000 victims (The Register)

• Card Factory allowed customer photos to be exposed publicly

• Critical Infrastructure & Supply Chain Remain Highly Vulnerable to Attacks

• Discord quietly changed ToS, clock is ticking for US users to opt out of arbitration

• DJI website”s “Get the app on Google Play” directs users elsewhere

• EU Laws Could Spell Double Trouble for Firms

• Flaws in telepresence robots allow hackers access to pictures, video feeds

• FreeRTOS Vulnerabilities Expose Many Systems to Attacks

• Go With Passphrases

• Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See

• Hackers steal data of 75,000 users after Healthcare.gov FFE breach

• Half of enterprise machines run Windows 10, as Windows 7’s end of life looms

• How to use Ublock Origin and Privacy Badger to prevent browser tracking in Firefox

• Kaspersky says it detected infections with DarkPulsar, alleged NSA malware

• Magecart group leverages zero-days in 20 Magento extensions (ZDNet)

• Microsoft Windows zero-day disclosed on Twitter, again

• Mozilla announces ProtonVPN partnership in attempt to diversify revenue stream

• Mozilla Brings Encrypted SNI to Firefox Nightly

• New DemonBot Botnet Pulls the YARN in Hadoop Servers

• New Reconnaissance Tool Uses Code from Eight-Year-Old Comment Crew Implant

• Pocket iNet ISP exposed 73GB of data including secret keys, plain text passwords

• Presidential race in Brazil marred by WhatsApp scandal (ZDNet)

• Researcher Livestreams 51% Attack on Altcoin Blockchain

• Signal Desktop Leaves Message Decryption Key in Plain Sight

• Startup boasts unhackable email protection for the rest of us (ZDNet)

• Super Micro trashes Bloomberg chip hack story in recent customer letter (ZDNet)

• Tim Cook calls for Bloomberg to retract controversial chip story (ZDNet)

• Trade.io loses $7.5Mil worth of cryptocurrency in mysterious cold wallet hack

• Two new supply-chain attacks come to light in less than a week

• UK Cyberattack Investigations: An Analysis (InfoRiskToday)

• Vendors confirm products affected by libssh bug as PoC code pops up on GitHub

• Vulnerable Magento Extensions Exploited to Plant Skimmers

• We asked 100 people to name a backdoored router. You said “EE”s 4GEE HH70”. Our survey says… Top answer! (The Register)

• Windows 10 will banish Spectre slowdowns with Google”s Retpoline patch (ZDNet)

• WordPress team working on “wiping older versions from existence on the internet”

• You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone”s web privacy

• You patch my back(up) and I”ll patch yours… Arcserve bugs burrow remotely exploited holes in UDP storage systems (The Register)

• Apple blocks GrayKey police tech in iOS update

• Magecart Attackers Exploit Magento Zero-Days

• New security flaw impacts most Linux and BSD distros

• Remote Code Execution Flaws Patched in Drupal

• Thousands of applications affected by a zero-day issue in jQuery File Upload plugin

• Vuln: CakePHP CVE-2016-4793 Security Bypass Vulnerability CakePHP CVE-2016-4793 Security Bypass Vulnerability