Weekly Cyber Security News 11/01/19

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Another week in to 2019 and it’s just not getting better is it? Some more pretty big breaches and the worst; companies that should know better apparently missing the mark:

• Stormy times ahead for IBM-owned Weather Channel app: LA sues over location data slurp

Add to this our legacy digital footprint leaving more than behind than we would have hoped. Another reason to switch off everything on your phone that makes it ‘smart’:

• FYI: Twitter”s API still spews enough metadata to reveal exactly where you lived, worked

After a previous article I’ve seen on how dumbing down biometrics is done to actually make them work renders a good idea (somewhat) useless. I personally wouldn’t rely on biometrics entirely for authentication. If pushed, only with another factor that can be changed such as a password or pin, you know, as a form of mini-2FA:

• 6 reasons biometrics are bad authenticators (and 1 acceptable use)

• Biometrics in 2019: Increased Security or New Attack Vector? Should we pump the brakes on the roll out of biometric security to first consider whether we are creating new vulnerabilities?

 

Other fun this week:

• Google boasts 1 billion Assistant devices ’10x Amazon Alexa’s install base

• Emergency Warning Network confirms breach (ZDNet)

• German Police Identify Suspect Behind Massive Data Leak (InfoRiskToday)

• Industry Reactions to Massive Data Leak in Germany

• 5.25 Million Unencrypted Passport Numbers Accessed in Starwood Breach

• ACCC unsure how consumers will receive their data under impending mandate (ZDNet)

• Adobe Patches Important Bugs in Connect and Digital Edition The update comes on the heels of critical fixes in an unscheduled patch last week.

• Almost $500,000 in Ethereum Classic coin stolen by forking its blockchain

• Before you slink off to the pub, be sure to patch these 19 serious vulns in Juniper Networks kit

• BlackBerry Secure feature packs aspire to give trusted security to “all smart things” (ZDNet)

• Coinbase suspends Ethereum Classic (ETC) trading after double-spend attacks

• Contactless Fraud Losses Double but Remain Low

• Detroit Fire Department personal information compromised after fire at former training school

• EU Top Court Adviser: Google Can Limit Right to be Forgotten

• Fewer Affected in Marriott Hack, but Passports a Red Flag

• Gatwick drone disruption deemed ‘deliberate’, new powers given to police

• German Politicians Caught in Massive Data Leak

• Google Emails Users About Private Data Exposed by Google+ API Bug

• Government shutdown: TLS certificates not renewed, many websites are down (ZDNet)

• Hacktivist Gets 10-Year Prison Sentence for DDoS Attack on Hospitals

• How Cybercriminals Are Getting Initial Access into Your System

• IT Guy’s Help Snares Mexican Drugs Baron

• Japan makes visitors pay for their biometric info to be collected (ZDNet)

• Linus Torvalds opts for the scream test: Linux kernel syscall tweaked to shut data-leak hole � anyone upset, yell now

• Microsoft pulls buggy Office 2010 January updates (ZDNet)

• Most home routers don”t take advantage of Linux”s improved security features

• New side-channel leak: Boffins bash operating system page caches until they spill secrets (The Register)

• NHS Digital CISO Quits After Three Months

• OXO Discloses MageCart Attack That Targeted Customer Data on Oxo.com

• Real-time location data for over 11,000 Indian buses left exposed online (ZDNet)

• Reddit users locked out of accounts after ‘security concern’

• Reddit Users Locked Out of Their Accounts for Unusual Activity

• Software patents poised to make a comeback under new patent office rules

• The (Re-)Emergence of Zero Trust

• The D in SystemD stands for Dammmit… Security holes found in much-adored Linux toolkit

• Three-Quarters of Firms Hit by Container Security Incidents

• Unlimited private repositories now available to free GitHub users

• Unprotected MongoDB Exposes Over 200 Millions Resumes

• Ransomware Attack Against Hosting Provider Confirms MSPs Are Prime Targets

• Latest Phishing Technique Uses Fake Fonts to Evade Detection

• Modlishka Tool Can Bypass 2FA Authentication in Phishing Attacks

• Face unlock on many Android smartphones falls for a photo

• Microsoft Patches Critical Flaws in Edge, Hyper-V, DHCP

• ThreatList: WordPress Vulnerabilities Tripled in 2018 Despite fewer plugins being added to WordPress last year, the CMS saw an astounding tripling of vulnerabilities in its platform in 2018.