Weekly Cyber Security News 08/03/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. In the new GDPR age we are in, exploration of data at rest has been high on the agenda for many, and this item perked my interest – and some concern. Well worth a read:

• Data Leakage from Encrypted Databases

Further mystifying progress from an item a few weeks back. How weirder can this get?

• Find QuadrigaCX’s missing $190 million, and you could win a $100,000 bounty

Been a while since I’ve hit the slopes (family life and all), and while I was laughed at with my walkie-talkie, at least I wasn’t able to be pwned to this extent!

• That”s a nice ski speaker you”ve got there. Shame if it got pwned (The Register)

 

In other news…

• Armor Games admits all its users” deets slurped in mega breach as site moves to repair chink

• Why ‘ji32k7au4a83’ Is a Remarkably Common Password

• 19-year-old makes millions from ethical hacking

• An Email Marketing Company Left 809 Million Records Exposed Online

• Coinbase CEO confirms that Ex-Hacking Team members will ‘Transition Out’ of Neutrino

• Container Escape Hack Targets Vulnerable Linux Kernel A proof-of-concept hack allows adversaries to tweak old exploits, have code jump containers and attack underlying infrastructure.

• Dark Web Markets Host Thriving Trade in Weaponized TLS Certs

• Did you hear the one about Cisco routers using codestrcpy/code insecurely for login authentication –  Makes you go AAAAA-AAAAAAArrg; (The Register)

• Did you know?! Ghidra, the NSA”s open-sourced decompiler toolkit, is ancient Norse for “No backdoors, we swear!”

• Digital Signatures in PDFs Are Broken

• Facebook”s Cryptocoin: A Disguised PayPal on a Blockchain? (InfoRiskToday)

• German police storing bodycam footage on Amazon servers

• Google Advises Upgrade to Windows 10 to Fix Windows 7 Zero-Day Bug

• Google reveals Chrome zero-day under active attacks

• How to make people sit up and use 2-factor auth: Show “em a vid reusing a toothbrush to scrub a toilet then compare it to password reuse (The Register)

• Ireland’s Data Protection Commission Reports Multiple GDPR Investigations on Tech Giants

• Linux servers targeted by new Chinese crypto-mining group (ZDNet)

• Magecart Hackers Change Tactics Following Public Exposure

• New study suggests women may be getting less money to start labs

• Quarter of Firms Suffer Breaches via Open Source Components

• Report – Dalil Data Breach: 5+ Million User’s Data Exposed by Unsecured App

• Researchers uncover ring of GitHub accounts promoting 300+ backdoored apps

• RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope New look at server data behind a previously-identified espionage campaign shows that it has exceeded researchers’ expectations in complexity, scope and breadth.

• TalkTalk kept my email account active for 8 years after I left – now it”s spamming my mates

• Tech security at Equifax was so diabolical, senators want to pass US laws making its incompetence illegal (The Register)

• Termite and EarthWorm testing tool weaponized to create multi-platform botnet (TechRepublic)

• The Latest in Creepy Spyware

• UK says prison facial recognition tech, iris scanners deter smugglers

• UK: Former council officer fined for emailing CVs of rival job applicants to his partner

• Unpatched UPnP-Enabled Devices Left Exposed to Attacks

• Update ColdFusion Now, Critical Zero-Day Bug Exploited in the Wild

• W3C finalizes Web Authentication (WebAuthn) standard (ZDNet)

• Women’s Day Special: Women in Cybersecurity

• Comcast set mobile pins to 0000, helping attackers steal phone numbers

• Android users: Popular apps still send data to Facebook without your consent (ZDNet)

• Hackers Revive Microsoft Office Equation Editor Exploit

• RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes Researchers say that Microsoft won’t issue a patch for the issue.

• When 2FA means sweet FA privacy: Facebook admits it slurps mobe numbers for more than just profile security

• Bad news: Google drops macOS zero-day after Apple misses bug deadline. Good news: It’s fiddly to exploit (The Register)

• New exploit lets attackers take control of Windows IoT Core devices (ZDNet)

• NSA”s Ghidra Reverse Engineering Framework Stirs Up Malware Researchers