Weekly Cyber Security News 15/03/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Biometrics again. Here’s the thing, you get the consumer all fired up and (as the article says) actually put in some good kit saying this is reliable, and then further down the line substitute it for something that is not so great; will the consumer be aware of the down grade? Most likely not. As with all authentications, biometrics included, don’t rely on just one key…

• The Galaxy S10’s face unlock fooled by pictures, siblings

All the best tech in the world for securing transatlantic communications fails if you don’t cover basic physical security. There may be loads of automated bots constantly scanning for a way in, however, us meat-bags will always be the weakest link in any security chain:

• Hapless engineers leave UK cable landing station gate open, couple of journos waltz right in

Low hanging fruit are the mainstay of cyber criminals, and focusing on places where a lot of possible marks could be, and where they might have their guard down is a literal gold mine. Unfortunately gamers are one such group. How do you protect yourself from rouge game servers when a server list is presented which is hard to verify in-game?

• Malicious Counter-Strike 1.6 servers used zero-days to infect users with malware

 

Other mad news…

• JavaScript infinite alert prank lands 13-year-old Japanese girl in hot water

• Creepy Database Lists “BreedReady” Status for 1.8 Million Women

• Pre-GDPR UK Breach Reporting Was a Mess

• That marketing email database that exposed 809 million contact records? Maybe make that two-plus BILLION

• “Yelp for conservatives” MAGA app leaks users data

• A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates

• Ad Network Sizmek Probes Account Breach

• Cookie Walls Do Not Comply with the GDPR According to Dutch Watchdog

• Cybersecurity: Why bosses are confident, and tech workers are scared (ZDNet)

• Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

• Elasticsearch Crypto-Miner Sinkholes the Competition

• F5 Networks to Acquire NGINX for $670 Million

• Facebook Faces Criminal Probe of Data Deals: Report

• Facebook Messenger bug made it possible for hackers to see who you have been chatting with

• Freelance devs: Oh, you wanted the app to be secure – The job spec didn”t mention that (The Register)

• Game Development Companies Backdoored in Supply-Chain Attacks

• Google Chrome to block automatic downloads initiated from ad slot iframes (ZDNet)

• Google Hardware makes cuts to laptop and tablet development, cancels products

• Hackers cop a FILA thousands of UK card deets after slinking onto clothing brand”s servers (The Register)

• Hundreds of immigrant recruits risk ‘death sentence’ after Army bungles data, lawmaker says

• Man arrested for selling one million Netflix, Spotify, Hulu passwords

• Marriott CEO shares post-mortem on last year”s hack

• Microsoft changes DHCP to “Dammit, Hacked, Compromised, Pwned” Big bunch of security fixes land for Windows (The Register)

• Microsoft Edge Insider Addons Store Discovered, 84 Extensions

• Microsoft proves the critics right: We’re heading toward a Chrome-only Web

• MyEquifax.com Bypasses Credit Freeze PIN

• Nah, National Cyber Security Centre doesn”t need its own minister, UK.gov tells Parliament (The Register)

• New BitLocker attack puts laptops storing sensitive data at risk

• Raiding party! UK”s ICO drops in unannounced on couple of dodgy-dialling dirtbag outfits

• Threatlist: IMAP-Based Attacks Compromising Accounts at ‘Unprecedented Scale’ Attackers are increasingly targeting insecure legacy protocols, like IMAP, to avoid running into multi-factor authentication in password-spraying campaigns.

• Triton is the world’s most murderous malware, and it’s spreading

• UK: Gateshead Council data breaches share health and debt details

• Vulnerabilities Discovered in Swiss E-Voting System

• Vulnerabilities in Two Smart Car Alarm Systems Affected 3M Vehicles

• Women in Tech: How Are We Doing? How Should We Be Doing? (InfoRiskToday)

• A brief history of Wi-Fi security protocols from “oh my, that’s bad” to WPA3

• GlitchPOS Malware Appears to Steal Credit-Card Numbers A new malware targeting point of sale systems, GlitchPOS, has been spotted on a crimeware forum.

• Slack, GitHub Abused by New SLUB Backdoor in Targeted Attacks

• This banking malware just returned with new sneaky tricks to steal you data (ZDNet)

• 3 Million New Users for Telegram While Facebook Was Down

• Almost 150 million users impacted by new SimBad Android adware

• Windows Zero-Day Exploited by FruityArmor, SandCat Threat Groups