Weekly Cyber Security News 16/11/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Quite an interesting stream of news this week, however, my choices this week focus on threat management. The first one, and its quite alarming and not at all funny, shows an example of someone didn’t accept reasonable proof of account ownership for a password reset – something many of us face with public websites:

• Unable to remember his password, man sent letter bomb to Bitcoin exchange

Its extreme for sure, though this next article does remind us that the threats are still there, and not going away, and that they are likely going to be more forceful:

• Just because you”re paranoid doesn”t mean hackers aren”t going to nuke your employer into the ground tomorrow

And here is one that brings such fears home…

• Dutch Film Boss Sacked After €19m BEC Loss

Stay paranoid folks!

 

The rest of the news:

• A leaky database of SMS text messages exposed password resets and two-factor codes

• Cathay Says ‘Most Intense’ Period of Data Breach Lasted Months

• Google Services Inaccessible Due to BGP Leak

• BA data breach: 565,000 customers may have been affected

• Cathay Pacific hack: Airline admits techies fought off cyber-siege for months

• Deserialization issues also affect Ruby, not just Java, PHP, and .NET

• Employees Poor Security Habits Getting Worse, Survey Finds

• Experts Slam Employee Microchip Plans

• Facebook patches another bug that could have allowed mass-harvesting of user data (ZDNet)

• Firefox Monitor 2.0 gives you desktop notifications if a site suffers a data breach

• Gift ideas – Perhaps check Mozilla’s gadget security, creepiness ratings before you buy (ZDNet)

• Google traffic hijacked via tiny Nigerian ISP (ZDNet)

• HTTP-over-QUIC to be renamed HTTP/3

• I found a security hole in Steam that gave me every game”s license keys and all I got was this… oh nice: $20,000

• IoT security and Linux: Why IncludeOS thinks it has the edge (ZDNet)

• Microsoft Patches Zero-Day Bug in Win7, Server 2008 and 2008 R2 Microsoft’s November Patch Tuesday fixes include mitigation against a zero-day vulnerability leaving Windows 7, Server 2008 and Server 2008 R2 open to attack.

• Misconfiguration a Top Security Concern for Containers

• Misconfigured Docker Services Actively Exploited in Cryptojacking Operation

• Researchers discover seven new Meltdown and Spectre attacks

• Scumbag who called a Call of Duty “swatting” that ended in death pleads guilty to dozens of criminal charges (The Register)

• Steam Vulnerability Allowed Malicious Operators to Gain License Keys

• Stolen data from ‘almost all’ Pakistan banks goes on sale on dark web

• Super Micro chief bean counter: Bloomberg”s “unwarranted hardware hacking article” has slowed our server sales

• The next version of HTTP won’t be using TCP

• U.S. Chip Cards Are Being Compromised in the Millions A full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use mag stripes.

• UK: Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution

• Want to hack an ATM for free cash – It’s as easy as Windows XP (The Register)

• Sites Infected with Magecart Malware Reinfected Multiple Times

• Apple says nothing as Apple ID accounts mysteriously locked down

• Dutch government report says Microsoft Office telemetry collection breaks GDPR

• Finally, Facebook to Introduce Unsend Feature in Messenger