Weekly Cyber Security News 20/09/2019

A selection of this week’s more interesting vulnerability disclosures and cyber security news. After a long occasional rumble of consumer network devices failing the basics of security, a huge storm of failures were highlighted across a swath of devices this week. If you are thinking of going shopping for a network device you had better take a look at this first:

• SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices

Besides the local politics, this article should also have asked another question: Is a 15min infosec presentation enough? And is it a one-off?

• City Blocks Email Account of Alderman Who Refuses Cybersecurity Training

Following the news last week of two pen-testers being busted for breaking and entering, further articles have appear giving both sides of the story, as well as a really fascinating article revealing others who do this for a living. Sometimes we do forget the physical and assume others have that covered. Do they?

• These Hacks Require Literally Sneaking in the Backdoor An on premise hacker can cripple even the best cybersecurity defenses.

• Remember that security probe that ended with a sheriff cuffing the pen testers? The contract is now public so you can decide who screwed up
•  

Other news…

• Gootkit malware crew left their database exposed online without a password

• Smart TVs, Subscription Services Leak Data to Facebook, Google Researchers discovered that smart TVs from Samsung, LG and others are sending sensitive user data to partner tech firms even when devices are idle.

• 400 Million Medical Radiological Images Exposed on the Internet

• A vulnerability in Instagram exposes personal information of users

• Beware of Venmo Scams Targeting Users via Text Messages

• Data of 24.3 million Lumin PDF users shared on hacking forum

• Database leaks data on most of Ecuador’s citizens, including 6.7 million children

• Emotet, today”s most dangerous botnet, comes back to life

• Financial asset firm PCI ordered to pay $1.5 million for poor cybersecurity practices

• Google removes two Chrome ad blocker extensions caught ‘cookie stuffing’

• Hacker destroys Hungarian Development Center’s digital database

• How to break out of a hypervisor: Abuse Qemu-KVM on-Linux pre-5.3 – or VMware with an AMD driver

• If you”re using Harbor as your container registry, bear in mind it can be hijacked with has_admin_role = True

• In India, you don’t need a Google phone to have a Google Assistant

• iOS 13 Passcode Bypass Lets You View Contacts on Locked Devices

• LastPass bug leaks credentials from previous site

• Massive Gaming DDoS Exploits Widespread Technology The attack- the 4th-largest the company has ever encountered- leveraged WS-Discovery, which is found _everywhere._

• Medical images and details of 24.3 million patients left exposed on the internet

• Millions of Lion Air Passenger Records Exposed and Exchanged on Forums

• Misconfigured Google Calendars Share Events With the World

• Most Port Vulnerabilities Are Found in Three Ports

• MPs call for ‘immediate’ stop to facial recog in UK as report underlines bias risks in ‘pre-crime’ algos used by coppers

• Old Magecart web domains resurrected for fraudulent ad schemes

• Patch now: 1,300 Harbor cloud registries open to attack

• Scammer behind sextortion campaigns arrested in France

• Scotiabank slammed for ‘muppet-grade security’ after internal source code and credentials spill onto open internet

• Smominru Botnet Infects Thousands of Hosts Daily

• Suspected Hacker Arrested for Stealing and Selling Unreleased Music

• Symantec Axes Hundreds of US Jobs

• UK Home Office web form snafu allows you to both agree and disagree ‘strongly’ all at once

• Volkswagen’s bold plan to create a new car operating system

• WannaCry is still the smallpox of infosec. But the latest strain (sort of) immunises its victims

• Webcam Security Snafus Expose 15,000 Devices

• Your ugly mug may be scanned yet again – but at least you”ll be able to board faster at Gatwick

• InnfiRAT malware lurks in your machine to steal cryptocurrency wallet data

• Irish government admits ransomware breach

• New Threat Actor Fraudulently Buys Digital Certificates to Spread Malware ReversingLabs identified cybercriminals duping certificate authorities by impersonating legitimate entities and then selling the certificates on the black market.

• Skidmap malware buries into the kernel to hide illicit cryptocurrency mining

• TFlower Ransomware Targeting Businesses via Exposed RDS

• Windows Defender malware scans are failing after a few seconds

• GitHub security alerts now support PHP projects

• Microsoft Acquires Semmle, GitHub Now a CVE Numbering Authority