The Week in Cyber Security News, Nov 4-10
01. Researchers have discovered a new way to hack Alexa and Siri smart speakers merely by using a laser light beam. No physical access to the victim's device, or owner interaction, is needed to launch the hack, which allows attackers to send voice assistants inaudible commands such as unlocking doors.
02. Two critical vulnerabilities have been found in the network configuration utility rConfig, the free open-source configuration management utility which is used by more than 7,300 network engineers across 3.3 million devices.
03. Microsoft Office 365 ProPlus is getting a new feature called Application Guard that will allow users to open attachments in a virtualized container to protect Windows from malicious macros and exploits.
04. Facebook says it has made "significant changes" to how it aims to protect the integrity of elections and fight misinformation as the United Kingdom prepares for its December 12 General Election.
05. A compression library included by default in Debian, Ubuntu, Gentoo, Arch Linux, FreeBSD, and NetBSD distros, contains a vulnerability that can allow hackers to execute code on user machines. However, the macOS and Windows operating systems, where this library is also included and used as a default decompression utility, are not affected.
06. Mozilla is urging Congress to take the broadband industry’s lobbying against encrypted DNS within Firefox and Chrome with a grain of salt, stating that they are dropping "factual inaccuracies" about "a plan that doesn’t exist."
07. A new version of the MegaCortex Ransomware has been discovered that not only encrypts files, but changes the logged-in user's password and threatens to publish the victim's files if they do not pay the ransom.
08. The Department of Justice has charged two former Twitter employees for spying on users at the behest of the Saudi Arabian government. Three individuals have been charged in all after they allegedly accessed the personal information of Saudi dissidents, including email addresses, phone numbers, and IP addresses that could reveal user location.
09. The successor to 8chan, 8kun, appeared briefly on the public Internet thanks to an attack on the Internet's routing infrastructure. The site's domain name server gave an Internet address for the site that was from an unallocated set of addresses belonging to the RIPE Network Coordinating Centre, the regional Internet registry authority for Europe and the Middle East. And the host for the new site advertised a route to that address, allowing visitors to reach the site for a short time.
10. Crowdsourced security company Bugcrowd announced it paid over $500K to 237 whitehat hackers in a single week for the first time since launching its bug bounty platform more than seven years ago.
11. Uber will allow passengers and drivers to record audio of their trips in Brazil and Mexico using a new feature in the app, as the ride-hailing company copes with recurring safety concerns during its trips.
12. An Apple IT specialist has discovered that some of the text from encrypted Apple Mail emails is being stored in readable, unencrypted, plaintext form.
13. Amazon has patched a vulnerability in its Ring Video Doorbell Pro devices which allowed attackers to gain unauthorised access to the user's Wi-Fi network credentials and other devices using the network.
14. Facebook says it is deleting the name of the person who has been identified in conservative circles as the whistleblower who triggered a congressional impeachment inquiry into President Donald Trump’s actions.
15. The BlueKeep exploit gets a fix for its Blue Screen of Death (BSOD) problem, after it was discovered that the root cause of the BSOD errors was Microsoft's patch for the Meltdown Intel CPU vulnerability.
. . .
If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.