Weekly Cyber Security News 23/11/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. As this article coincides with the all out sales fest of Black Friday, I thought I would highlight a number of articles along this theme to remind everyone that while shopping online can be fun, it can also contain traps for the unwary…

I’ve already had loads of pre-Black Friday email offers through, but are they real? Most likely yes, but as usual, my practice is never to follow any links in emails. Stay sharp with some of these warnings:

• Black Friday 2018 – Scams You Should Expect

Going directly to the retailer’s website is a good thing, sometimes though you might hit a search engine first to find other similar offers. Be careful if you happen to hit Google Maps. A new possible wider threat might be out there to redirect you to replica sites out to get your cash:

• Bank Scam Using Google Maps loophole

And as usual, I end with an IoT item. A good checklist if you are considering adding to your tech at home:

• IoT Purchasing Checklist

Happy shopping!

 

If you’re not off shopping right now, here some other news:

• Stopping the Infiltration of Things If a network-connected smoke detector starts communicating with the mail server, you know you have a problem.

• This UK pub chain left 17,000 customer details exposed online

• Technical foul: Amazon suffers data breach days before Black Friday, emails world+dog

• Instagram glitch exposed some user passwords

• Amazon Exposes Customer Names, Email Addresses

• AWS Adds New Feature for Preventing Data Leaks

• BlackBerry to Acquire Cylance for $1.4 Billion in Cash

• Critical Adobe Flash Bug Impacts Windows, macOS, Linux and Chrome OS Adobe issues patch for a Flash Player vulnerability that could lead to an arbitrary code execution on targeted systems.

• Emoji Attack Can Kill Skype for Business Chat The _Kitten of Doom_ denial-of-service attack is easy to carry out.

• Ford Eyes Use of Customer’s Personal Data to Boost Profits Ford’s CEO sees the tech company model as key to the company’s next chapter.

• Here”s Why Account Authentication Shouldn”t Use SMS (InfoRiskToday)

• Hidden Cameras in Streetlights

• Instagram Download Tool Exposes User Passwords

• LastPass; More like lost pass. Or where the fsck has it gone pass. Five-hour outage drives netizens bonkers (The Register)

• Linus Torvalds: After big Linux performance hit, Spectre v2 patch needs curbs (ZDNet)

• Magecart group hilariously sabotages competitor (ZDNet)

• MageCart Group Sabotages Rival to Ruin Data and Reputation

• Million password resets and 2FA codes exposed in unsecured Vovox DB

• Popular Dark Web hosting provider got hacked, 6,500 sites down (ZDNet)

• Potentially disastrous Rowhammer bitflips can bypass ECC protections

• Safety Tips for Black Friday & Cyber Monday Online Shopping

• Scumbags cram Make-A-Wish website with coin-mining malware

• Security warning: UK critical infrastructure still at risk from devastating cyber attack

• Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you”re visiting

• Vision Direct Notifies Customers of Data Compromise

• Washington Post offers invalid cookie consent under EU rules  – ICO

• What the #!/%* is that rogue Raspberry Pi doing plugged into my company”s server room, sysadmin despairs

• What Your Password Says About You

• When selling security awareness training by email, probably a good shout not to hit “reply all”

• Workers unaware of travel-related cybersecurity threats, survey finds

• Germany pushes router security rules, OpenWRT and CCC push back

• New Vehicle Hack Exposes User’s Private Data Via Bluetooth

• Gmail Glitch Enables Anonymous Messages in Phishing Attacks A glitch in the UX in Gmail allows the ‘from’ field to be forged so there is no sender listed in the email’s header.

• Gmail Glitch Offers Stealthy Trick for Phishing Attacks The issue comes from how Gmail automatically files messages into the _Sent_ folder.

• Protonmail hacked : a very strange scam attempt

• For Apple users without latest security updates, the letter “d” is not always the letter “d” (ZDNet)

• Massive Crackdown Against Fake Accounts: Facebook Deleted 1.5 Billion Accounts

• Windows 10 1809 big iCloud problem: We”re working on fix, say Microsoft, Apple (ZDNet)

• A flaw in US Postal Service website exposed data on 60 Million Users

• Attackers Exploit Recently Patched Popular WordPress Plugin

• TP-Link Patches Remote Code Execution Flaws in SOHO Router