Weekly Cyber Security News 15/11/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news.  There’s leaving a few API keys in a GitHub repo, and there’s leaving everything on Pastebin. The question then is who did it? Staff, hacker or 3rd party? Perhaps we will never know. Do we however have a moral of the story here? Maybe just don’t write everything down in the clear (and give it to someone)…

• Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin

Staying undetected for maximum effect is a serious objective for an attacker, however, in this case they blew their cover eventually. For those of us defending, well, even the slightest irregular deviation from the normal should trigger something. But false positives becoming desensitising, so how do you define normal?

• Breach affecting 1 million was caught only after hacker maxed out target’s storage

A reliable attack vector on a major security component has now been demonstrated with viable time scales for this side channel attack. Where do we go from here?

• TPM-FAIL vulnerabilities impact TPM chips in desktops, laptops, servers

 

In other news:

• Magento Urges Users to Apply Security Update for RCE Bug

• 150 infosec bods now know who they’re up against thanks to BT Security cc/bcc snafu

• Apple Mail on macOS leaves parts of encrypted emails in plaintext

• Federal Court: Suspicionless Search of Traveler Devices by Border Agents Is Unconstitutional

• Google Chrome experiment crashes browser tabs, impacts companies worldwide

• Google has access to detailed health records on tens of millions of Americans

• How a turf war and a botched contract landed 2 pentesters in Iowa jail

• If it sounds too good to be true, it most likely is: Nobody can decrypt the Dharma ransomware

• Infosec boffins pour cold water on claims Home Office Brexit app can be easily hacked

• Intel Driver Vulnerability Can Give Attackers Deep Access to a Device

• Londoner accused of accessing National Lottery user accounts

• Magento Warns E-Commerce Sites to Upgrade ASAP to Prevent Attacks

• Major ASP.NET hosting provider infected by ransomware

• Mexican Petrol Giant Pemex Hit by Ransomware

• Microsoft Patches IE Zero-Day Bug

• Newer Intel CPUs Vulnerable to Variant 2 of ZombieLoad Attack

• Over 230 UK Police Disciplined for Computer Misuse

• Tech Support Scammers Exploiting Unpatched Firefox Bug

• Visa Warns of New JavaScript Skimmer ‘Pipka’

• Vulnerability in McAfee Antivirus Products Allows DLL Hijacking

• Microsoft Patches RCE Bug Actively Under Attack Microsoft tackles 74 bugs as part of its November Patch Tuesday security bulletin.

• Amazon Fixes Ring Video Doorbell Flaw That Leaked Wi-Fi Credentials