Cue the collective sigh of relief: Adobe will stop supporting Flash at the end of 2020. Nostalgic comments on Hacker News here; the end of an era indeed.
The team behind Copyfish, an extension that extracts text from images, videos or PDFs, was tricked by a clever phishing e-mail into clicking a malicious link. Their developer account was hijacked, and the extension was briefly turned into adware.
I missed this last week, but it's still worth sharing. Sweden screwed up badly by leaking citizens' data several times, including the information of thousands of people with protected identities. Worth digging into if you want a couple of angry face-palm moments.
About 1.5 TB of data was reportedly exfiltrated. There doesn't seem to be a monetary motive, which leaves doing it for kicks or to hurt HBO.
Fun game: the DEF CON organizers set up a range of voting machines (some decommissioned, some still in use) and challenged attendees to 'go nuts'.
They found critical vulnerabilities in the 'holiday show' Easter egg that Tesla had pushed to the car. Tesla fixed the problem within two weeks and invited other researchers to find and report such issues.
It tracks a phone's communication and location. It seems to have been created by a private company called Equus Technologies. Google's own announcement can be found here.
U.S. senators introduced a bill that would require a set of security measures from IoT manufacturers and would allow white hats to look for vulnerabilities in those devices.
Interesting article in which Nick Kralevich, head of Android platform security at Google, explains how they shifted focus from exploit mitigation to reducing the attack surface, mostly by redesigning the underlying architecture and removing unused functionality.
Quite controversial, obviously, but not surprising. Justine Bone argues that one could make a good amount of money by shorting a stock before disclosing a severe vulnerability, as she did last year in the St. Jude Medical pacemaker debacle.
What started as an espionage method is now increasingly used to get their hands on foreign currency: the state-sponsored hacking groups steal from financial institutions. Reportedly they have 1,700 active hackers, and over 5,000 people as support staff and trainers.
Fantastic article by Troy Hunt on what your login mechanism should and shouldn't do. For example: don't mandate special characters, allow pasting of passwords, embrace password managers, and check against commonly used passwords. To facilitate that last one he wrote a second article in which he releases 306 million pwned passwords as hashes to check against. Kudos, sir.
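As an added illustration (not code from the article or from Troy Hunt), here is a minimal signup check that follows the advice above: a length minimum, no composition rules, and a lookup of the candidate password's SHA-1 hash in the released list. The list is assumed to be one hex SHA-1 per line, as the published file is; the hashes below are constructed from a handful of well-known weak passwords to stand in for the 306-million-entry file.

```python
import hashlib

# Constructed stand-in for the released list: SHA-1 hashes of a few
# well-known weak passwords. In a real deployment you would load the
# published file with load_pwned_hashes() below instead.
PWNED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}


def load_pwned_hashes(path: str) -> set:
    """Read a file with one hex SHA-1 per line into a set of uppercase hashes."""
    with open(path, "r", encoding="utf-8") as fh:
        return {line.strip().upper() for line in fh if line.strip()}


def is_pwned(password: str, pwned: set = PWNED_SHA1) -> bool:
    """Hash the candidate the same way the list is hashed and look it up.

    Only the hash is compared; the plaintext is never stored or logged.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in pwned


def check_password(password: str, min_length: int = 8) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no 'must contain a special character' rule: a long
    passphrase is accepted, a short or breached password is not.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_pwned(password):
        problems.append("appears in a known breach list")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The lookup is a plain set membership test, so the full list fits the same code once loaded into a set or a database keyed on the hash.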