Weekly Cyber Security News 21/04/2017

A selection of this week’s more interesting vulnerability disclosures and cyber security news. Its been a while (or maybe not – ah, actually last week about the Aga oven!) that I’ve not moaned about IoT, but this week instead then, a gem of a company alleged to be collecting data on user habits without making it clear. This sort of thing does appear to pop up on a regular basis, though of course we do willing give so much to companies such as social media platforms, this kind of activity however goes below the radar:

• Bose Wireless Headphones Spy on Users, Lawsuit Claims (SecurityWeek) 

In the general IoT world this sort of thing doesn’t help:

• Flaws found in Linksys routers that could be used to create a botnet (The Register)

Then we have someone trying to stem such floods using highly debatable tactics:

• Vigilante botnet infects IoT devices before blackhats can hijack them (ArsTechnica)

 

The other non-IoT news…

• Flaws in Bosch Car Dongle Allow Hackers to Stop Engine (SecurityWeek)

• Fixing your oven can cook your computer (The Register)

• Miffed with Snapchat CEO, Indian hackers claim to have leaked data of 1.7 million app users Shashank Shekhar reports

• Montreal man gives HP failing grade after data breach And once again, we see why incident response is so important to reputation management. CBC reports

• ‘We should have done better’ the feeble words of a CEO caught using real hospital IT in infosec product demos (The Register)

• 30,000 London gun owners hit by Met Police ‘data breach’ (The Register)

• 6 Times Hollywood Got Security Right Hollywood has struggled to portray cybersecurity in a realistic and engaging way. Here are films and TV shows where it succeeded.

• All ready for that Easter holiday? Here’s a mild MySQL security bug (The Register)

• Ambient light sensors can steal data, says security researcher (The Register)

• Chrome Addresses Threat of Unicode Domain Spoofing (SecurityWeek)

• Chrome, Firefox, and Opera users beware: This isnt the apple.com you want (ArsTechnica)

• Data Privacy After Brexit: Keep Calm and GDPR On (InfoRiskToday)

• Personal details of thousands of UK drivers ‘are exposed in huge data breach’ as car parking app used by councils across Britain shows users other motorist’s information Rebecca Taylor reports

• Facebook Disrupts Suspected Spam Operation

• Feds seek 30-year sentence for Russian master hacker convicted in Seattle Mike Carter reports

• Former Employee Kept Accessing Engineering Firm’s Servers (InfoRiskToday)

• Hack Of 1.7M Snapchat Accounts Didn’t Actually Happen (Forbes)

• ICS-CERT Warns of BrickerBot’s IoT Device Damaging Capabilities (SecurityWeek)

• Mastercard launches card that replaces PIN with fingerprint sensor (The Register)

• Microsoft turns two-factor authentication into one-factor by ditching password (ArsTechnica)

• Microsoft: Latest ‘Shadow Brokers’ Exploits Already Patched (SecurityWeek)

• New Breed of DDoS Attack On the Rise

• New processors are now blocked from receiving updates on old Windows (ArsTechnica)

• No Coincidence: Microsoft’s Timely Equation Group Fixes (InfoRiskToday)

• NSA-leaking Shadow Brokers just dumped its most damaging release yet (ArsTechnica)

• Nuh-uh, Google, you WILL hand over emails stored on foreign servers, says US judge (The Register)

• Revealed: Scammers plaster Google Maps with pins to lure punters from honest traders (The Register)

• Scammers mine online recruiter for patsies in package reship scheme (ArsTechnica)

• Tanium CEO tacitly admits using hospital data in demos, sort of (ArsTechnica)

• That apple.com link you clicked on? Yeah, it’s actually Russian (The Register)

• Uber accused of using ‘Hell’ software program for industrial espionage against Lyft (TechRepublic)

• UK.gov survey shines light on cybersecurity threats to businesses (The Register)
  
• White Hat Hacker Created Mysterious IoT Worm, Symantec Says (SecurityWeek)
• Windows bug used to spread Stuxnet remains worlds most exploited (ArsTechnica)
• Mobile devices with Broadcom chipsets may be vulnerable to Wi-Fi hijacking (TechRepublic)
  
• Nearly 40% of Ransomware Victims Pay Attackers Ransomware is targeting more consumers, and many of them are paying hundreds to attackers.

• Profit with just one infection! Crook sells ransomware for $175 (The Register)

• Drupal Patches Critical Access Bypass Flaw (SecurityWeek)

• Experts Find 10 Flaws in Linksys Smart Wi-Fi Routers (SecurityWeek)

• Flaw in Drupal Module Exposes 120,000 Sites to Attacks

• Unpatched Magento Flaw Exposes Online Stores to Attacks