Issue 36

Adobe announcing EOL for Flash

Cue the collective sigh of relief. Adobe will stop supporting Flash at the end of 2020. Nostalgic comments on Hackernews here; end of an era indeed.

adobe.com

 

Chrome Extension CopyFish hacked and turned into adware

The team behind Copyfish, an extension that extracts text from images, videos or PDFs, was tricked into clicking a clever phishing e-mail. Their developer account was hijacked, and the extension was briefly turned into adware.

sophos.com

 

Sweden leaks the personal information of millions of its own citizens

I missed this last week, but it's still worth sharing. Sweden screwed up badly by leaking citizens' data several times, including the information of thousands of people with protected identities. Worth digging into if you want a couple of angry face-palm moments.

gizmodo.com

 

HBO hacked, attackers leak GoT script and some episodes

About 1.5 TB of data was reportedly exfiltrated. There doesn't seem to be a monetary incentive, so it was done either just for kicks or to hurt HBO.

helpnetsecurity.com

 

Defcon attendees hacking US voting machines with ease

Fun game: the Defcon organisers had set up a range of voting machines (some decommissioned, some still in use) and challenged attendees to 'go nuts'.

hackread.com

 

Hackers take over Tesla Model X; control brakes and doors

They found critical vulnerabilities in the 'holiday show' Easter egg that Tesla had pushed to the car. Tesla fixed the problem within two weeks and invited other researchers to find and report such issues.

hackread.com

 

Lipizzan: newly discovered Android malware targeting specific individuals

It tracks a phone's communication and location. It seems to have been created by a private company called Equus Technologies. Google's own announcement can be found here.

zdnet.com

 

Legislation proposed to secure connected IoT devices

U.S. senators introduced a bill that would require a set of security measures from IoT manufacturers and would allow white-hat researchers to look for vulnerabilities.

threatpost.com

 

How Google shrank the Android attack surface

Interesting article in which Nick Kralevich, head of Android platform security at Google, explains how they shifted focus from exploit mitigation to decreasing the attack surface, mostly by redesigning the underlying architecture and removing unused functionality.

threatpost.com

 

Shorting-for-profit a viable business model for the security community

Quite controversial, obviously, but not surprising. Justine Bone argued that one might make a good amount of money by shorting a stock before disclosing a severe vulnerability, as she did last year in the St. Jude Medical pacemaker debacle.

threatpost.com

 

North Korea tries to make hacking a profit center

Where it originally started as an espionage method, they now increasingly use state-sponsored hacking groups to get their hands on foreign currency by stealing from financial institutions. Reportedly they have 1,700 active hackers, plus over 5,000 people as support staff and trainers.

nytimes.com

 

Passwords evolved: authentication guide for the modern era

Fantastic article by Troy Hunt on what your login mechanism should and shouldn't do. For example: don't mandate special characters, allow pasting of passwords, embrace password managers, and check against commonly used passwords. To facilitate that last one he wrote a second article in which he releases 306 million pwned passwords as hashes to check against. Kudos, sir.

troyhunt.com
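As an added example (not code from Troy Hunt's articles or his service), here is a Python password-acceptance check that applies the guidance above: no mandatory special characters, and a lookup against a pwned-passwords file in its one-SHA-1-per-line format. The minimum length and the two-line sample file are this example's own assumptions; the sample hashes were computed locally for the strings "password" and "123456".

```python
import hashlib

# Constructed sample in the download format: one upper-case SHA-1 hex digest
# per line. Two entries, computed here for "password" and "123456"; this is
# not an excerpt of the real list.
SAMPLE_PWNED_FILE = """
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
7C4A8D09CA3762AF61E59520943DC26494F8941B
"""

# Assumption for this example: a length floor, and nothing else. No character
# classes are mandated, so long passphrases from a password manager pass.
MIN_LENGTH = 8


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the lookup key format of the hashed list.

    SHA-1 is used only to match entries in the breach list; it is not a
    suitable way to store the user's password.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned_hashes(text: str) -> frozenset:
    """Parse the one-hash-per-line format into a set for O(1) membership tests.

    Lines carrying a trailing ':count' (a later format of the same list) are
    tolerated by keeping only the hash before the colon.
    """
    hashes = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            hashes.add(line.split(":", 1)[0].upper())
    return frozenset(hashes)


def check_password(password: str, pwned: frozenset) -> list:
    """Return the reasons a candidate password is rejected; empty means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sha1_hex(password) in pwned:
        problems.append("appears in the pwned-passwords list")
    return problems


if __name__ == "__main__":
    pwned_set = load_pwned_hashes(SAMPLE_PWNED_FILE)
    for candidate in ("password", "123456", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, pwned_set) or "accepted")
```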