Weekly Cyber Security News 22/11/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Leaky bucket time once again. With so much effort by the providers to make it as hard as possible to accidentally expose data, then for the devs to try really hard to undo all of that because they are too lazy (or lack understanding) to do a proper job, is utterly mystifying. Please, please try and make the effort:

• PayMyTab data leak exposes personal information belonging to mobile diners

• Video-editing upstart bares user’s raunchy flicks to world+dog via leaky AWS bucket

It also doesn’t help when there is a lax attitude to data handling in some sectors:

• UK public sector IT chiefs shrug off breach threats: The data we hold isn”t that important

OK, I have to admit that recently, while away on holiday I had plugged my phone into a wall USB recharge point in our holiday property because the family have pinched all the cables. The moment I done that I realised in horror my error. We do tend to let our guard down when on holiday, and I could have waited, or I could have used the charging brick in my bag. I’m sure I was lucky that time. What about next time?

• LA Warns Travelers of Juice Jacking Scams

 

The rest of the news:

 

• Hackers leak 2TB of Data From Cayman National Bank stolen by Phineas Fisher

• Americans Concerned, Confused Over Privacy, Survey Reveals

• Anonymous hacker gets a whopping six years in prison for some lame DDoS attacks

• Attackers using WhatsApp MP4 video files vulnerability can remotely execute code

• CAH Holdings issues notice after employee email accounts compromised

• Choice Cancer Care Treatment Center notifies patients of May data security incident

• Compromised by Connection: 5G Will Unite Cities and Also Put Them at Risk

• Cops put GPS tracker on man’s car, charge him with theft for removing it

• Cryptocurrency Stealer Delivered From Official Monero Website

• Denial of service kingpin hit with 13 months denial of freedom and a massive bill to pay

• Gamers Exposed After Wizards of the Coast Data Leak

• Google outlines plans for mainline Linux kernel support in Android

• Google patches ‘awesome’ XSS vulnerability in Gmail dynamic email feature

• Half of Oracle E-Business customers open to months-old bank fraud flaw

• Holiday Shoppers Beware: 100K Malicious Sites Found Posing as Well-Known Retailers

• Holiday Shopping on Company Devices a Worry for Executives

• Intel to remove old drivers and BIOS updates from its site by the end of the week

• Its the user’s fault if a Ring camera violates your privacy, Amazon says

• Linux Webmin Servers Being Attacked by New P2P Roboto Botnet

• Macy’s Customer Payment Info Stolen in Magecart Data Breach

• Microsoft Is Adding DNS-Over-HTTPS (DoH) to Windows 10

• New GitHub Security Lab Aims to Secure Open Source Software

• NSA Publishes Advisory Addressing Encrypted Traffic Inspection Risks

• Official Monero website is hacked to deliver currency-stealing malware

• Orange is the new green: Nigeria scammer bags $1m while operating behind bars

• Password data for ~2.2 million users of currency and gaming sites dumped online

• Pemex hit by ransomware, US Postal Service gets a copycat and new WhatsApp bugs

• ProtonMail blocked in Belarus following wave of bomb threats across the country

• Researchers Publish PoC for Docker Escape Bug

• Security of North American Energy Grid Tested in GridEx Exercise

• Thousands of hacked Disney+ accounts are already for sale on hacking forums

• uBlock Origin Now Blocks Sneaky First-Party Trackers in Firefox

• ‘Absolutely relentless’ ‘ad blocker’ plasters users with – you guessed it – ads

• D-Link Adds More Buggy Router Models to “Won’t Fix” List

• New NextCry Ransomware Encrypts Data on NextCloud Linux Servers

• Google Discloses Android Camera Hijack Hack

• Microsoft rebukes rumors that Microsoft Teams is being used in ransomware attacks

• Senators ask if Facebook really lets users opt out of location tracking

• Android flaw lets rogue apps take photos, record video even if your phone is locked