Weekly Cyber Security News 26/04/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Should we be surprised that there are weaknesses in a car app that lets you locate and remotely control them? We’ve been here before – too many times before. Again, possibly bad management, specification and design failures all round, and no one seems to learn:

• Hacker could locate thousands of cars and kill their engines remotely via poorly-secured GPS tracking apps

Another failure where design and QA should have took there time to get things right. With high risk project did they even consider and use the right people? Was it a rush to glue all the bits together and hope it works? We may never know:

• French government releases in-house IM app to replace WhatsApp and Telegram use

• Bug in French government’s WhatsApp replacement let anyone join Élysée chats

I admit I’m paranoid about backups and what remains on storage devices. Whenever I’m had to decommission and dispose of kit during a refresh I would normally extract the HDDs and personally wipe with highly rated software for the job before trusting with an external waste management firm to have ago. What about the general consumer? Personal experience shows, like this report, that most think simply deleting does the job. They might strike lucky – that time. But what if someone is out for long hanging fruit?

• Report: 42% of Used Drives Sold on eBay Hold Sensitive Data

 

Other stuff going on:

• Wi-Fi Hotspot Finder Spills 2 Million Passwords China-based app maker ignored repeated warnings by researchers that its password database stored in plain text was accessible to anyone online.

• #CYBERUK19: GCHQ Ramps Up Intelligence Sharing with UK Firms

• Carbanak Source Code Discovered on VirusTotal

• Congress sends letter to Google for details on Sensorvault location tracking database

• Cybersecurity: UK could build an automatic national defence system, says GCHQ chief (ZDNet)

• EU votes to create gigantic biometrics database

• Evil TeamViewer Attacks Under the Guise of the U.S. State Department The attack is targeting financial regulators and embassy staff– but probably isn’t the work of an APT.

• Excellent Analysis of the Boeing 737 MAX Software Problems

• Facebook admits to storing plaintext passwords for millions of Instagram users

• Facebook harvested 1.5 million user email contacts without permission

• Facebook is working on an AI voice assistant similar to Alexa, Google Assistant

• G7 Comes Out in Favor of Encryption Backdoors

• Greek DPA Issues EUR 30,000 Fine For Data Protection Violation by Hellenic Petroleum S.A.

• India expected to surpass the UK for second place in payment card fraud

• LinkedIn Data Found in Unsecured Databases

• Microsoft buys Express Logic, adds a third operating system to its IoT range

• Millimeter-wave 5G will never scale beyond dense urban areas, T-Mobile says

• Online Thief Cracks Private Keys to Steal $54m in ETH

• Oops. 228K Danish Passports Have Swapped Fingerprint Data

• UK’s NCSC Suggests Automatic Blocking of Common Passwords

• Weather Channel Knocked Off-Air in Dangerous Precedent The incident was the work of malicious cyberattackers.

• DNSpionage campaign releases new Karkoff malware into the wild (ZDNet)

• IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target?

• Security researcher creates new backdoor inspired by leaked NSA malware (ZDNet)

• The Weather Channel goes off the air for 90 minutes after ransomware infection

• GitHub Service Abused by Attackers to Host Phishing Kits

• Google to Block Logins From Embedded Browsers to Prevent Phishing

• Easter Attack Affects Half a Billion Apple iOS Users via Chrome Bug The U.S-focused eGobbler malvertising attacks are exploiting an unpatched Google Chrome bug.

• Popular jQuery JavaScript library impacted by prototype pollution flaw (ZDNet)

• Security flaw lets attackers recover private keys from Qualcomm chips (ZDNet)

• Shopify API flaw offered access to revenue data of thousands of stores