Saturday, January 19, 2019
The Register

DDoS sueball, felonious fonts, leaky Android file manager, blundering building security, etc etc

Plus, Safari security foiled by… a finger swipe? Roundup  This week we wrangled with alleged Russian election meddling, hundreds of millions of username-password combos spilled online, Oracle mega-patches, and cliams of RICO swap-gangs.…
The Register

The Iceman cometh, his smartwatch told the cops: Hitman jailed after gizmo links him to Brit gangland slayings

Killer jailed for life after fitness kit data tips off plod Avid runner and hitman Mark Fellows was this week found guilty of murder after being grassed up by his Garmin watch.…
The Register

US midterms barely over when Russians came knocking on our servers (again), Democrats claim

Лучшая защита – нападение? Russian hackers attempted to infiltrate the Democratic National Committee (DNC) just after the US midterm elections last year, according to a new court filing.…
The Register

Microsoft partner portal ‘exposes ‘every’ support request filed worldwide’ today

No customer data visible but hell's bells, Redmond, what have you borked now? Exclusive  Alarmed Microsoft support partners can currently view support tickets submitted from all over the world, in what appears to be a very wide-ranging blunder by...
The Register

I used to be a dull John Doe. Thanks to Huawei, I’m now James Bond!

We'll know for sure when Huawei reveals a shoe-shaped smartphone Something for the Weekend, Sir?  The name's McLeod. Alessandro McLeod. I am a spy for the secret services.…
The Register

Microsoft blue biz bug bounty bonanza beckons

Azure DevOps Services invites hackers to test its limits There's more money to be made from bug hunting in Microsoft code after Redmond announced its 10th active bug hunting reward scheme, the Azure DevOps Bounty Program.…
The Register

Old bugs, new bugs, red bugs … yes, it’s Oracle mega-update day again

Out of 284 flaws, 33 are rated critical. Big Red admins have big patches ahead Oracle admins, here's your first critical patch advisory for 2019, and it's a doozy: a total of 284 vulnerabilities patched across Big Red's product...
The Register

Got a Drupal-powered website? You may want to get patching now…

Open-source CMS gets a pair of critical fixes Drupal has issued a pair of updates to address two security vulnerabilities in its online publishing platform. The vulns are a little esoteric, and will not affect most sites, but it's...
The Register

Twitter. Android. Private tweets. Pick two… Account bug unlocked padlocked accounts

Cock-up went unnoticed for two Olympics, one World Cup, an EU referendum, and a US presidential election Twitter has fessed up to a flaw in its Android app that, for more than four years, was making twits' private tweets...
The Register

Top GP: Medical app Your.MD’s data security wasn’t my remit

Prof Maureen Baker told tribunal info security and clinical safety are two separate things The founders of medical symptom-checker app Your.MD knew that a number of key medical information databases were "open to anyone who knows the URL", emails...
The Register

Happy Thursday! 770 MEEELLLION email addresses and passwords found in yuge data breach

Now is a good time to get a password manager app Infosec researcher Troy Hunt has revealed that more than 700 million email addresses have been floating around “a popular hacker forum” - along with a very large number...
The Register

South Korea says mystery hackers cracked advanced weapons servers

No idea who could have been behind this one... The South Korea Ministry of National Defense says 10 of its internal PCs have been compromised by North Korea unknown hackers .…
The Register

$24m in fun bux stolen from crypto-mogul. Now he fires off huge fraud charge. Like, RICO, say?

Lawsuit claims coin thief was part of a gang targeting crypto whales The victim of a $24m cryptocurrency heist is suing his assailants in what is believed to be the first ever RICO claim involving digital currency.…
The Register

Lowjax city: Researchers crack open notorious Fancy Bear rootkit

UEFI malware has been in the wild for more than two years The Fancy Bear hacking group's Lojax rootkit is far from a one-off tool, and may have been active in the wild for years before it was first...
The Register

Epic’s Fortnite fail: Ancient UT2004 server used for login-stealing proof-of-concept

A tale of XSS, SQL injection and OAuth implementation Crafty infosec bods exploited XSS vulns on dusty corners of Epic Games’ web infrastructure to steal Fortnite gamers’ login tokens and compromise their accounts – using a genuine Epic Games...
The Register

Microsoft sends a raft of Windows 10 patches out into the Windows Update ocean

Whoa - is that an Access 97 iceberg dead ahead? Microsoft has released a second raft of fixes for Windows 10 following the monthly Patch Tuesday excitement last week. It has also issued some fixes for its latest Windows...
The Register

EDGAR Wrong: Ukrainians hacked SEC, stole docs for inside trading, says Uncle Sam

Crooks banked $270,000 in just one move, it is claimed A pair of Ukranian hackers broke into America's financial watchdog to swipe insider info for stock traders, it is claimed.…
The Register

‘It’s like they took a rug and covered it up’: Flight booking web app used by scores of airlines still vuln to attack – claim

Security hole can still be exploited to tamper with journeys, warn infosec bods Exclusive  A security hole in a widely used airline reservation system remains open to exploit, allowing miscreants to edit strangers' travel details online, The Register has...
The Register

Yes, you can remotely hack … building site cranes. Wait, what?

Authentication is simply AWOL for remote RF construction plant, says Trend Micro Did you know that the construction industry uses radio-frequency remote controllers to operate cranes, drilling rigs and other heavy machinery? Doesn't matter: they're alarmingly vulnerable to being...
The Register

Want to get rich from bug bounties? You’re better off exterminating roaches for a living

Before you outsource security to strangers, try boosting internal cybersecurity skills Security researchers looking to earn a living as bug bounty hunters would to do better to pursue actual insects.…
ZDNet

Websites can steal browser data via extensions APIs

Researcher finds nearly 200 Chrome, Firefox, and Opera extensions vulnerable to attacks from malicious sites.
Security Affairs

6 Reasons We Need to Boost Cybersecurity Focus in 2019

Paying attention to cybersecurity is more important than ever in 2019. But, some companies are still unwilling to devote the necessary resources to securing their infrastructures against cyberattacks, and naive individuals think they’re immune to the tactics of cybercriminals,...
isBuzz

Fortnite Vulnerabilities Allow Hackers To Take Over Gamers’ Accounts, Data And In-Game Currency

Cybersecurity researchers today shared details of vulnerabilities that could have affected any player of the hugely popular online battle game, Fortnite. If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information  as well...

DNC Accuses Russia, ACLU Sues ICE, and More Security News This Week

Trump dominated security headlines this week, but there's plenty of other news to catch up on.
SecurityWeek

Bulgaria Extradites Russian Hacker to US: Embassy

Bulgaria has extradited a Russian indicted by a US court for mounting a complex hacking scheme to the United States, the Russian embassy in Washington said Saturday. read more