Weekly Cyber Security News 10/08/2018

A selection of this week’s more interesting vulnerability disclosures and cyber security news. First up this week is a bit of déjà vu. I’m sure we’ve been here before right? MongoDB exposure? Thought so. Come on guys, when you stick something on the internet make sure you check its access, and don’t just do it from friendly IP’s either!

• Telemedicine company exposed data of more than 2 millions patients in Mexico Another day, another exposed database due to misconfiguration of a MongoDB installation

The next one may relate to cars, but it also relates to a previous posting I did a few weeks back in regards to IoT and driving your ex-partner mad remotely. Hanging on to authentication or other hooks into tech you once owned is not new, although before, it was most likely stuff you can’t reconnect with – unlike now with the ever present IoT:

• Connected Car Apps Open Privacy Hole For Used Car Owners In a resale scenario, a previous owner could continue to have access to the online account  with all the new owner’s information stored within.

And continuing my theme of IoT fail. We’ve a good one here (or not if happen to have the tech):

• Samsung Patches Critical Vulnerabilities in SmartThings Hub

• Researchers reveal 20 vulnerabilities in Samsung SmartThings Hub

 

Other news:

• Attackers Circumvent Two Factor Authentication Protections to Hack Reddit

• EXCLUSIVE: Creditmate.in developer’s goof left 19,000 consumer’s credit reports unsecured By Dissent Doe and Lee Johnstone

• Forum post claims breach of 850k user’s information; leak from recruitmilitary.com

• Massive Singapore Healthcare Breach Possibly Involved Contractor

• Salesforce API error may have caused data leak Tom Allen reports

• Telstra customer stumbles across contact details of 66,000 fellow customers Elise Baker reports

• Addressing IoT Device Security Head-on

• BGP Hijacking Attacks Target US Payment Processors

• Bounty for hacking the ‘unhackable’ Bitfi wallet jumps from $100K to $250K

• Credit Card Issuer TCM Bank Leaked Applicant Data for 16 Months Brian Krebs reports

• Cryptojacker Campaign Hits MikroTik Routers

• Facebook Launches Fizz Library for Dev Speed, Security New open source TLS library aims to help developers incorporate speed and security into apps and services.

• Flaw in BIND Security Feature Allows DoS Attacks

• GitHub to Warn Users on Compromised Passwords

• Jailhouse Tablets Allow Inmates to Steal Thousands of Dollars in Credits After inmates hacked tablets with security vulnerabilities, a CenturyLink spokesperson told Threatpost the _vulnerability issue has been resolved._

• Let’s Encrypt Now Trusted by All Major Root Programs

• Microsoft Adds Direct Trust for Let’s Encrypt

• MikroTik Routers Exploited in Massive Crypto-Mining Campaign

• Mozilla Reinforces Commitment to Distrust Symantec Certificates

• OpenEMR patches serious vulnerabilities uncovered by Project Insecurity

• Salesforce warns of API error that exposed Marketing data

• Salesforce.com Warns Marketing Customers of Data Leakage SNAFU Potentially impacted customers include organizations like Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, News Corp Australia and Sony.

• Snapchat Source Code Leaked

• Spot the Bot: Researchers Open-Source Tools to Hunt Twitter Bots Duo security researchers compiled a massive dataset of public Twitter profiles and built a tool to scour profiles and detect the fakes.

• Student Charged in Elaborate Digital Money Theft Scheme

• TCM Bank: website misconfiguration exposed applicant data for 16 months

• The Secret to Securing Smart Buildings

• ThreatList: Business Email Compromises Way Up for Q2 Hardest hit were organizations using Office 365, with incidents costing more than $2 million each.

• US-CERT Warns of New Linux Kernel Vulnerability Patches now available to prevent DoS attack on Linux systems.

• Fresh Approach to Wi-Fi Cracking Uses Packet-Sniffing The new strategy allows an attacker to instead lift ID information directly from the router, within minutes.

• New Method Discovered for Cracking WPA2 Wi-Fi Passwords

• After Singapore medical data hack, Hong Kong’s Department of Health becomes latest cyberattack victim Clifford Lo  reports

• Malware Hits Plants of Chip Giant TSMC

• Microsoft Uncovers Multi-Tier Supply Chain Attack

• Ransomware attack against COSCO spread beyond its US network to Americas

• Weaponized AI and facial recognition enter the hacking world

• ZombieBoy, a new Monero miner that allows to earn?$1,000 on a monthly basis

• Steam Bans Developer After Outcry Over Cryptomining, Scam Items A simple, 2D game raised eyebrows after it was found to be consuming big amounts of processing power.

• Facebook Asks Big Banks to Share Customer Details

• Fortnite Skips Google Play For Android Apps, Irking Security Experts Security experts aren’t happy after Fortnite’s creator, Epic Games, announced it would not go through Google Play.

• Samsung Galaxy S7 smartphones vulnerable to Meltdown hacking: researchers Jack Stubbs reports

• Chip Giant TSMC Says WannaCry Behind Production Halt
• ‘SegmentSmack’ Flaw in Linux Kernel Allows Remote DoS Attacks

• Consumer DNA Testing Takes a Step Towards Privacy, Transparency Ancestry, MyHeritage and others have committed to a policy framework for the collection, protection, sharing and use of consumer genetic data.

• CVE-2018-14773 Symfony Flaw expose Drupal websites to hack

• Honeypot Highlights Danger to ICS Systems From Criminal Hackers

• Researchers Find Flaw in WhatsApp

• Update Mechanism Flaws Allow Remote Attacks on UEFI Firmware The glitch stems from a functionality intended to allow updates to the UEFI firmware.