Weekly Cyber Security News 08/07/2016

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Always an interesting week, but from this week’s selection I think the most talk has been around upheaval in the AV business, first serious issues remain with Symantec and the sudden announcement that Avast are going to buy AVG. Remember that game of finding the pea under the cup? Replace the pea with AV…

• Attention, small biz using Symantec AV: Smash up your PCs, it’s the safest thing to do (The Register)

• Avast to acquire AVG in $1.3 billion internet security deal (Yahoo Security)

• Avast to Acquire Rival AVG for $1.3 Billion (SecurityWeek)

The other topic of the week is the growing risk to Android of malware and the compromise of the full disk encryption:

• Androids full-disk encryption just got much weaker heres why (ArsTechnica)

• Cafe killer remote code execution affects 140 million MIUI Androids (The Register)

• Virulent auto-rooting malware takes control of 10 million Android devices (ArsTechnica)

• Android Flaw Allows Full-Disk Crypto Bypass (InfoRiskToday)

• Critical Vulnerability Breaks Android Full Disk Encryption

• Huge double boxset of Android patches lands after Qualcomm disk encryption blown open (The Register)

 

And here is the remaining news of course:

• Apache Update: TLS Certificate Authentication Bypass with HTTP/2
• ‘Double speak’ squawk users as Silent Circle kills warrant canary (The Register)
• Heartbleed Update: America the Vulnerable (InfoRiskToday)
• How to set up Authy on multiple devices for more convenient two-factor authentication (TechRepublic)
• Lenovo scrambling to get a fix for BIOS vuln (The Register)
• Mozilla emits nightly builds of heir-to-Firefox browser engine Servo (The Register)
• Nasty BIOS bug slugs Gigabyte, hackers say (The Register)
• NATO Ambassador: How The Ukraine Crisis Fits Cyber War Narrative
• Outed China ad firm infects 10M Androids, makes $300k a month (The Register)
• Serious Vulnerability Affects Over 120 D-Link Products (SecurityWeek)
• SQLite developers need to push the patch (The Register)
• Sysadmins: Use these scripts to fully check out of your conference calls (The Register)
• TP-Link forgets to register domain name, leaves config pages open to hijack (ArsTechnica)
• UEFI Zero-Day Allows Hackers to Disable Security Features
• Ukraine?s Central Bank Issued Hacking Alert In April Country?s chief financial body told lenders to strengthen security in wake of cyberattack on bank via SWIFT.
• Bugtraq: Logic security flaw in TP-LINK tplinklogin.net Logic security flaw in TP-LINK tplinklogin.net
• CVE-2016-4979: HTTPD webserver X509 Client certificate based authentication can be bypassed when HTTP/2 is used