Weekly Cyber Security News 31/01/2020

A selection of this week’s more interesting vulnerability disclosures and cyber security news. For a daily selection see our twitter feed at #ionCube24

So far this month we’ve had quite a lot of spectacular breach announcements and the month ends on a big one. With such a large organisation it would leak eventually, no matter how hard they worked to cover it up. What everyone I suppose is now asking is ‘will there be any penalty?’:

• UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it

Further embarrassment for the Ring product. If it was bad enough that hackers could view the video feed, it now appears the owner’s profiles are being slurped for sale:

• Ring Doorbell App for Android Caught Sharing User Data with Facebook, Data-Miners – The Amazon-owned video doorbell uses third-party trackers to serve up rich data to marketers without meaningfully notifying users.

• Ring Doorbell App for Android Sends Out Loads of User Data

I love reading research into automotive security. It is after all a new field of tech that has a direct impact on our lives and one that could go spectacularly wrong should we rely on it completely. This article throws another angle, and I will further add, what about naturally occurring reflections? I wonder if that could have the same effect:

• How a $300 projector can fool Tesla’s Autopilot

 

The rest of the news…

• Fortinet removes SSH and database backdoors from its SIEM product

• Wawa card breach may rank as one of the biggest of all times

• Anatomy of OpenBSD’s OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

• Avast winds down Jumpshot, cites user data sale privacy concerns

• CacheOut/L1DES: New Speculative Execution Attack Affecting Intel CPUs

• Cisco Webex bug allowed anyone to join a password-protected meeting

• DEF CON China Conference Postponed Amid Coronavirus Outbreak

• Engaging the Attacker Prior to Impact

• Facebook agrees to pay $550 million to end facial recognition tech lawsuit

• First MageCart Hackers Caught, Infected Hundreds of Web Stores

• Google Halts Publishing of Paid Chrome Extensions Due to Fraud

• If only 3 in 100,000 cyber-crimes are prosecuted, why not train cops to bring these crooks to justice once and for all, suggests think-tank veep

• IoT laws are coming: What to expect

• Iowa DHS data breach: Boxed for shredding, documents were dumped by janitor instead

• Linux Kernel 5.6 Source Tree Includes WireGuard VPN

• LoRaWAN Encryption Keys Easy to Crack, Jeopardizing Security of IoT Networks

• Microsoft Asked to Unshackle Windows 7 From Proprietary Tyranny

• Microsoft Launches Xbox Bounty Program With $20K Maximum Payout

• Microsoft’s IE Zero-day Fix is Breaking Windows Printing

• OurMine Hackers Are Back, Hijack NFL Team’s Social Accounts

• Owner of stolen data marketplace Cardplanet pleads guilty

• Privacy worries cited as possible reason for DNA test firm 23andMe’s sales downturn

• Royal Yachting Association Resets Passwords After Breach

• Staff Send 130+ Emails Per Week to Wrong Recipient

• The autofill email goof that exposed vulnerable students and cost the University of East Anglia ?140,000

• Trello exposed! Search turns up huge trove of private data

• UK Approves Restricted Huawei Role in 5G Network

• US Arrests Prominent Harvard Academic for China Ties

• US Downs Drone Fleet on China Security Fears

• Use of SCPI Protocol Exposes Measurement Instruments to Attacks

• Vulnerability Allowed Attackers to Join Zoom Meetings

• Whoops! LastPass accidentally deleted its browser extension from the Chrome store. But it’s back now

• Zoom Bug Potentially Allowed Attackers to Find and Join Active Meetings

• DOD contractor suffers ransomware infection

• Only 6 ransomware attacks on the UK’s NHS since WannaCry worm hit in 2017 – report

• U.S. Govt Agency Hit with New CARROTBALL Malware Dropper

• Critical Flaws in Magento e-Commerce Platform Allow Code-Execution

• Webex flaw allowed anyone to join private online meetings – no password required

• Zoom Fixes Flaw Opening Meetings to Hackers