Weekly Cyber Security News 18/10/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. From time to time we hear stories of supply chain infections, and they tend to affect a low but still significant number of projects. A team though have gone a bit further in seeing how far they could take it. The results are sobering:

• Hacking 20 high-profile dev accounts could compromise half of the npm ecosystem

With references to the fiasco of the alleged Supermicro implant hardware, this little article posses some interesting ideas, though of course, large scale as a opposed to one-off hacks are a different thing:

• Planting tiny spy chips in hardware can cost as little as $200

Talking of implants, this next article throws a few surprises with how lax and unconcerned some are over crucial global supply routes:

• On-Board ‘Mystery Boxes’ Threaten Global Shipping Vessels

 

In other news:

• Canadian Students Are Sharing Passwords to Prove Friendships

• Zappos data breach settlement: users get 10% store discount, lawyers get $1.6m

• Click2Mail Informs Users of Data Breach

• Hundreds charged in internet’s biggest child-abuse swap-shop site bust: IP addy leak led cops to sys-op’s home

• A Quarter of Americans Want Cyber-flashers Jailed for 5 Years

• Adobe Fixes 45 Critical Vulnerabilities in Acrobat and Reader

• Alleged ‘Psycho’ hacker in court over EtherDelta cryptocurrency robbery

• Almost 50% of Company Network Traffic Comes From Bots, Report Says

• BAE Systems Pilots Tech to Support Child Protection Agencies

• EU orders Broadcom to halt exclusivity deals while investigation deepens

• Ex-TalkTalk Security Leader to Take on Firm in Unequal Pay Dispute

• Facebook Users Being Locked Out After Reporting Fake Accounts

• FBI urges businesses to use biometric factors to mitigate multi-factor authentication risk

• Feds arrest alleged members of international ATM skimmer ring

• Germany’s cyber-security agency recommends Firefox as most secure browser

• Google Pixel 4’s Face Unlock works even if you have your eyes closed

• Kaspersky honeypots find 105 million attacks on IoT devices in first half of 2019

• Linux SUDO Bug Lets You Run Commands as Root, Most Installs Unaffected

• M6, one of France’s biggest TV channels, hit by ransomware

• Man agrees to pay $25,000 for abusing YouTube’s takedown system

• Phorpiex botnet made $115,000 in five months just from mass-spamming sextortion emails

• Planes, gates, and bags: How hackers can hijack your local airport

• Researchers find bug in Python script may have affected hundreds of studies

• Sberbank says sensational data theft fully solved

• Scammers Using Hacked Servers, Bogus Links to Target LinkedIn Users

• Scottish Teens Charged With Met Police Hack

• Symantec Fixes Bad IPS Definitions That Cause a Windows BSOD

• Two cashback sites leaked data of 3.5 million users

• UK: Patient’s private answerphone message became Devon hospital’s voicemail

• Under New Ownership, DigiCert Expands into Verified Mark Certificates

• Unsecured Docker Hosts Attacked by New Graboid Cryptojacking Worm

• Vulnerability found and fixed in HP bloatware

• What if your refrigerator cooled your food by twisting wires?

• What Your Personal Information is Worth to Cybercriminals

• ‘BriansClub’ Hack Rescues 26M Stolen Cards

• Global Shipping Firm Pitney Bowes Affected by Ransomware Attack

• Pitney Bowes Says Disruptions Caused by Ryuk Ransomware

• Stripe Users Targeted in Phishing Attack That Steals Banking Info

• About that ‘Any fingerprint can unlock your Samsung Galaxy S10’ report

• Scammers Use Fake Checkra1n iOS Jailbreak in Click Fraud Campaign

• Security researcher publishes proof-of-concept code for recent Android zero-day

• Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS The flaws in the container technology, CVE-2019-16276 and CVE-2019-11253, are simple to exploit.