Tag Archives: Flash

News Bites for the Week Ending December 7, 2018

Australian Parliament Passes Crypto Back Door Law Overnight

Politics always wins.  After the Prime Minister said that the opposition party was supporting terrorism, the opposition completely folded after claiming that Parliament would implement amendments after the first of the year.

Since politicians lie about 99.99% of the time, the party in power is now saying that they only might, possibly, consider some amendments.

It is not clear what software companies will do if asked to insert back doors.  One thing that is likely true is that they won’t tell you that they have inserted back doors into your software.  Source: The Register.

 

Sotheby’s Home is the Latest Victim of Magecart Malware

Magecart is the very active malware that has been found in hundreds of web sites and which steals credit card details from those sites before they are encrypted.

Sotheby’s, the big auction house, says that if you shopped on the site since, well, they are not sure, your credit card details were likely stolen.

They became aware of the breach in October and think that the bad guys had been stealing card data since at least March 2017.

Eventually governments will increase the fines enough (Uber just got fined $148 million – we are talking REALLY large fines) that companies will make the decision that it is cheaper to deal with security than pay the fines.  GDPR will definitely help in that department with worst case fines of up to 4% of a company’s global annual REVENUE (not profit).

Sotheby’s acquired the “Home” division about 8 months ago, so, like the Marriott breach, the malware was there when they acquired the company and their due diligence was inadequate to detect it. Source: The Register.

 

Sky Brazil Exposes Info on 32 Million Customers Due to User Error

I continue to be amazed at the number of companies that can’t seem to do the simple things right.

Today it is Sky Brazil, the telecom and Pay-TV company in Brazil.

They were running the open source (which is OK) search tool Elasticsearch, exposed it to the Internet and didn’t bother to put a password on it. Is password protecting your data really that hard? Apparently!

What was taken – customer names, addresses, email, passwords (it doesn’t say, so I guess they were not encrypted), credit card or bank account info, street address and phone number, along with a host of other information.

After the researcher told them about their boo-boo, they put a password on it quickly. We are not talking brain surgery, folks. How hard is it really to make sure that you put a password on your publicly exposed data?

Apparently the data was exposed for a while, so the thought is that the bad guys have already stolen it.  Nice.  Source: Bleeping Computer.

 

Yet Another Elasticsearch Exposure – Belonging to UNKNOWN

Maybe this is Elasticsearch week. Another group of researchers found a data trove of Elasticsearch data, again with no password. Information on 50 million Americans and over 100 million records.

Information in this case is less sensitive and probably used to target ads.  The info includes name, employer, job title,  email, phone, address, IP etc.  There were also millions of records on businesses.

In this case, the researchers have no idea who the data belongs to, so it is still exposed and now that they advertised the fact that it is there, it probably has been downloaded by a number of folks.

That kind of info is good for social engineers to build up dossiers on tens of millions of people for nefarious purposes to be defined later. Source: Hackenproof.

 

Microsoft Giving Up on Edge?  Replacing it with Chrome?

If this story turns out to be true – and that is unknown right now – that would be a bit of a kick in the teeth to Microsoft and a huge win for Google.

Rumor is that the Edge browser on Windows 10, which is a disaster, along with Microsoft’s Edge HTML rendering engine are dead.  Rumor is that Microsoft is creating a new browser, code named Anaheim,  based on the open source version of Chrome (called Chromium) which also powers the Opera and Vivaldi browsers.

If this is true, Google will effectively own the browser market or at least the browser engine market.  That could make them even more of a monopoly and a target for the anti-trust police.  Source: The Hacker News.

 

Turnabout is Fair Play

While the Democratic party seems to have escaped major hacks in this election cycle, apparently, the Republicans didn’t fare as well.

Several National Republican Congressional Committee senior aides fell to hackers for months prior to the election.  The NRCC managed, somehow, to keep it quiet until after the election, even though they had known about it for months.

One way they kept it quiet is by not telling Speaker Paul Ryan, Majority Leader Kevin McCarthy or other leaders about it.

In fact, those guys found out when the media contacted them about the breach.  I bet they are really happy about being blindsided.

Anyway, the cat is out of the bag now and the NRCC has hired expensive Washington law firm Covington and Burling as well as Mercury Public Affairs to deal with the fall out.  I suspect that donors are thrilled that hundreds of thousands of dollars of their donations are going to controlling the spin on a breach.

Whether the hack had anything to do with the NRCC’s losses in the past election is unknown as is the purpose of hacking the NRCC.  It is certainly possible that the hackers will spill the dirt at a time that is politically advantageous to them.  I don’t think this was a random attack.  Source: Fox News.

 

Another Adobe Flash Zero-Day is Being Exploited in the Wild

Hey!  You will never guess.

Yes, another Adobe Flash zero-day (previously unknown) bug is being exploited in the wild. The good news is that it appears, for the moment, to be a Russia-Ukraine fight. The sample malware was submitted from a Ukraine IP address and was targeting a Russian health care organization. Now that it is known, that won’t last long.

The malware was hidden inside an Office document and was triggered when the user opened the document and the page was rendered.

Adobe has released a patch.  Source: The Hacker News.

News Bites for the Week Ending November 23, 2018

Japan’s Cybersecurity Minister has Never Used a Computer

Yoshitaka Sakurada, the deputy chief of Japan’s cybersecurity strategy office and the minister in charge of the 2020 Olympic Games in Tokyo, says that he doesn’t use computers – basically, he has secretaries and employees to do that. He also acted confused about whether Japan’s nuke plants use USB drives.

While a few people joked that he has mastered cybersecurity (which of course is not true unless he plans to shut down all of Japan’s computers), most people were amazed that the government put someone with absolutely no understanding of cybersecurity, never mind no expertise, in charge. Source: The Guardian.

Suspect Remotely Wipes iPhone that Police Seized as Evidence

Juelle Grant is a suspect in a shooting in New York in October.  Police think she was the driver and hid the shooter’s identity and hid the gun.

Apparently Grant tried to out-think the police and used Apple’s find my phone feature to do a remote wipe of the phone.

The cops were not amused and charged her with tampering with evidence and hindering prosecution.  The police could have foiled her by putting the phone in a $1.00 foil bag.

That she was able to successfully do this is indicative of the uphill battle that police face shifting from a world of cops walking a beat to a world of cyber experts. Source: Apple Insider.

China’s Response to Tariffs – Increase Hacking

According to a U.S. government report released recently, China’s response to U.S. tariffs is to increase, not decrease, hacking. The tariffs, which were put in place due to unfair business practices, including hacking, were supposed to get China to reduce hacking our intellectual property, but according to the report, they have in fact had the opposite effect.

The report says that Chinese hacking efforts aimed at stealing American technology and trade secrets have “increased in frequency and sophistication” this year.

The Chinese appear to be interested in stealing information on artificial intelligence and other technologies, and the report describes a “sharp rise” in hacking against manufacturers.

What this means is that the U.S. needs to make an effort to protect itself. Source: Real Clear Defense.

 

Adobe Releases Yet Another Emergency Fix For Flash

In the “gee, what a surprise” category, the pile of Band-Aids (R) that some people call Adobe Flash released yet another emergency patch for a bug that would allow an attacker to run arbitrary malicious code on a user’s device by getting them to visit a web page that had, for example, a malicious ad on it.

Adobe has announced that they will discontinue support by the end of 2020, which means that we still have years of emergency patches in the wings, followed by hacks for new bugs that are never going to be patched.  Source: CyberScoop.

 

Just Visiting a Website Could Have Hacked Your Mac

A bug in Safari allowed an attacker to take over your Mac simply by getting you to visit some web page.  The bug, now patched, would have allowed an attacker to own any Mac.  The researchers released a video and proof of concept code now that the hole has been closed.  That, of course, does not mean that other hackers didn’t know about it already.

Attacks are getting more sophisticated as vendors try to lock down their systems.  This exploit used three different Mac bugs to take over your computer.

No user involvement was required after the user opened a web page in Safari.  Source: The Hacker News.

Kill Flash Now or Patch These 36 New Vulnerabilities

I don’t normally publish posts on individual software updates, but Flash is such a mess and such a security swamp that I feel compelled to do that.  Microsoft’s attempt to copy Flash – Silverlight – is even worse.  It is so bad that Google doesn’t support it inside Chrome.

My recommendation is that you uninstall Flash and Silverlight if you can do that and still operate your business.  Some web sites that businesses use still require Flash so you may need to keep it around.  More and more web developers are moving away from Flash due to the swamp that it is.

OK, so let’s look at this particular patch.

36 separate bugs are patched.  Microsoft releases patches once a month and usually has around 10-15 patches covering 50 software products.  Adobe seems to patch just this one product several times a month – sometimes several times a week – and is still patching 36 bugs in a single patch.   They have been doing this for as long as I can remember.  What does that mean about the security quality of the product?

One of those bugs, named CVE-2016-4171, is being exploited in the wild right now.

Adobe says the bugs were found by Cisco Talos, Google, FireEye, Microsoft, Tencent, Kaspersky, Pangu Lab and Qihoo.  That, of course, does not include every intelligence agency in the world.

To add insult to injury, this patch comes days after Adobe’s regular monthly Flash (and other product) patch release.

Apple has announced that it will be disabling Flash by default in Safari, joining Google’s Chrome.

I use two browsers. One browser, the one I use every day, has Flash completely disabled. The other browser, a kind of ‘break glass in case of emergency’, has Flash enabled, but I only use it if my main browser complains.

A lot of malware is delivered silently by Flash based ads that contain malware in the ads.  Major sites like The New York Times, BBC and AOL, among a number of others were hit with malicious ads recently.  The ads delivered ransomware to users who happened to have particular unpatched vulnerabilities and it DID NOT require users to click on anything to become infected.  Disabling Flash protects you against these attacks.

If, after all this, you really do need Flash, then make sure that you install this patch as soon as possible.

Information for this post came from The Register.

Adobe Patches 23 Flash Flaws – Enough Is Enough

Adobe announced patches yesterday for 23 additional Flash vulnerabilities.  18 of these bugs can be used to run malicious code on the underlying computer.

To see what version you are running, go to:

WWW.Adobe.com/software/flash/about

That web page will give you the version that you are running, the current version that you should be running and a link to the download page.

On my computer, I run Firefox and Chrome.

On Chrome I have Flash disabled completely.  To do that, open Chrome and type

Chrome://plugins – you will get a screen that looks like this. You should look at what plugins you are running and decide which ones you want to run and which ones you want to disable.

[Screenshot: Chrome flash]

Chrome IMMEDIATELY disables Flash if you do this – if you have browser windows open with Flash objects in them, those objects will go away. On the other hand, if you enable it, you have to click on the page refresh to make the Flash object reappear.

In Firefox, you have to go to

About:addons

You will see a page that looks like this.  Find the SHOCKWAVE FLASH addon.  I set it to Ask to activate, but you can select Never activate.  If you set it to ask, Firefox displays a box where the Flash object should be with a link.  The link asks you if you want to activate it one time or always – Should you want to display a Flash object I recommend selecting One time.

[Screenshot: Firefox flash]

Curiously, the Flash installer requires you to activate Flash in order to run the installer.

It is surprising how many sites still use Flash, but the number is decreasing every day because a lot of businesses are blocking Flash as a security enhancement.

The biggest benefit is the number of ads that won’t run – reducing page load times.

Still, it is a personal decision – kind of like paper, plastic or your own grocery bag.  Some web sites will not work without Flash, so you have to decide.

Not A Great Week For Adobe

Researchers at FireEye have uncovered another zero day Flash exploit from within the ruins of the Hacking Team data dump.  Adobe says that they will patch it some time this week.  Adobe also says that the flaw could cause a crash and potentially allow an attacker to take control of the affected system.

Like the first Flash zero day that was revealed from the Hacking Team data dump, this one includes a well written proof of concept, so assume that the malware writers will jump right on this one like they did the first one.

According to Adobe, the new bug affects the Windows, Linux and Mac OS X versions of Flash.

In addition, there are reports of a third Flash zero day in the Hacking Team dump, so it may well be that Adobe gets to release 3 emergency patches in a week.  That would not be a good week for the Flash maker.

This comes at a time when there is a lot of pressure to move away from Flash to HTML 5.  Three emergency patches in a week will only strengthen the call for the move.

Information for this post came from Computerworld.

Adobe Releases Emergency Patch For Flash

Yet again Flash is the means of attack by a Chinese hacking group that FireEye has labelled APT3.

The attack IS in the wild, although limited in use.

The attack looks like a phishing email offering discounts on Apple computers.

You can find out what version of Flash you are running at http://www.adobe.com/software/flash/about/ and download the newest update at https://get.adobe.com/flashplayer/ .

Even though I have updates enabled on this computer, the version of Flash that I was running was 34 versions old.  Of course, Adobe may not have released any or all of those intermediate versions.

You may remember that Steve Jobs was not a big fan of Flash – to be very polite.  This is just one of the reasons why.