Weekly Cyber Security News 09/12/2016

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Yet more big breaches to look at this week, and thoughts often turn to concern for where our own information may be and if it is included in these breaches. As usual researchers are often quick to point out that military and government email addresses are present, but what about corporate accounts? Linking staff email accounts to some of the more salacious data breaches could give some PR departments a bad time.

For the rest of us, and more so those in IT where we might register with a service using weak or common passwords just to try things out only to forget later, and such details are now probably spread further afield than we would like. Using disposable email accounts are great for this but the down side is if there is the possibility that the use of email beyond a simple reset is required, something a little more permanent will be required and so often fall back to our usual habits. In these cases I would suggest using different account names on a domain you own, that way no obvious common email account is going to be reused across services. I do see others doing this from time too.  You then only have to focus on the passwords, and again, different passwords as we often hear are a good option.

 

• DailyMotion Allegedly Hacked, 85 Million User Accounts Stolen Catalin Cimpanu reports

• 1.4bn records from HaveIBeenPwned offered for your analytical pleasure (The Register)

• 10 Days of DDoS: an Actor’s Working Hours

• Arista CloudVision Portal bug revealed, plus evidence it’s been used (The Register)

• Chrome 55 Patches 36 Flaws, Blocks Flash by Default (SecurityWeek)

• Cryptography Expert to Audit OpenVPN

• Data Theft At ThyssenKrupp Highlights Industrial Espionage Threat

• Disgraced IT worker stole confidential Expedia e-mails even after he left (ArsTechnica)

• Exclusive: Bangladesh panel finds insiders negligent in central bank heist (Yahoo Security)

• Guessing valid credit card numbers in six seconds? Priceless (The Register)

• IoT Botnet Plague: Coming Soon to an ISP Near You (InfoRiskToday)

• Millions exposed to malvertising that hid attack code in banner pixels (ArsTechnica)

• Mirai variant turns TalkTalk routers into zombie botnet agents (The Register)

• Open source Roundcube webmail can be attacked … by sending it an e-mail (The Register)

• OpenVPN to get security audit (The Register)

• Playtime’s over: Internet-connected kids toys ‘fail miserably’ at privacy (The Register)

• Real deal: Hackers steal steelmaker trade secrets (The Register)

• The smart city security nightmare: How cities can stay awake (TechRepublic)

• Thieves can guess your secret Visa card details in just seconds (ArsTechnica)

• ThyssenKrupp Attackers Stole Trade Secrets In Massive Hack (Forbes)

• Visa Numbers Are Frighteningly Easy For Criminals To Guess (Forbes)

• WordPress to Require Hosts to Support HTTPS (SecurityWeek)

• Google Patches 74 Vulnerabilities in Android

• Is Ransomware Creeping Into Facebook and LinkedIn? (InfoRiskToday)

• Trend Micro AV nukes innocent Sharepoint code, admins despair (The Register)

• Hackers Can Exploit Roundcube Flaw by Sending an Email (SecurityWeek)

• Vuln: Joomla! Core CVE-2016-9836 Arbitrary File Upload Vulnerability Joomla! Core CVE-2016-9836 Arbitrary File Upload Vulnerability