Silensec Newsletter

Category: News
Top News

Google makes it official: Chrome will freeze Flash ads on sight from Sept 1

Google is making good on its promise to strangle Adobe Flash's ability to auto-play in Chrome. The web giant has set September 1, 2015 as the date from which non-important Flash files will be click-to-play in the browser by default – effectively freezing out "many" Flash ads in the process.

Netizens can right-click over the security-challenged plugin and select "Run this" if they want to unfreeze an ad. Otherwise, the Flash files will remain suspended in a grey box, unable to cause any harm nor any annoyance. Back in June, Google warned that, in cooperation with Adobe, it would change the way Flash material is shown on websites. Read more...


Ashley Madison: 'Suicides' over website hack

 Two individuals associated with the leak of Ashley Madison customer details are reported to have taken their lives, according to police in Canada. The police in Toronto gave no further information about the deaths. Ashley Madison's Canadian parent company Avid Life Media is offering a C$500,000 (£240,000) reward for information on the hackers, they added.

Details of more than 33m accounts were stolen from the website, which offers users the chance to have an affair.




Major Hacks of the Week

GitHub wobbles under DDOS attack

GitHub is under a distributed-denial-of-service attack being perpetrated by unknown actors. The service's status page reported “a brief capacity overload” early on Tuesday. The site's assessment of the incident was later upgraded to a a DDOS and at the time of writing the site is at code yellow. This is the second significant DDOS GitHub has endured in 2015 after a March incident saw the site attacked by entities apparently lurking behind China's Great Firewall. On that occasion the attackers hammered the site for four days. In 2013, the site copped twin attacks within weeks of each other. Read more...

Hacker slaps Dolphin, Mercury browsers, squirts zero day 

Mobile security guy Rotologix has popped two popular not-Chrome not-Firefox Android browsers, gaining the power to commit remote code execution using zero-day flaws. The holes affect Dolphin Browser and Mercury Browser which have something in the realm of 100 million and one million installs respectively. The Dolphin Browser was last updated in July meaning that all users are vulnerable to the zero day vulnerability. Read more...

Major Vulnerabilities Disclosed

Password 'XXXXairocon' pops Wi-Fi routers from ASUS, ZTE and others

A bunch of home gateway vendors, presumably sourcing their firmware from the same place, can be hijacked using depressingly common hard-coded logins. As the Carnegie-Mellon CERT states, the vendors involved are ASUS and ZTE in Asia, European vendors Digicom and Observa Telecom, and carrier Philippine Long Distance Telephone (PLDT), which was presumably house-branding the kit.
All the affected devices have “XXXXairocon” as the telnet password, where the “XXXX” is the device's MAC address. For all but the PLDT device, the username is admin, while the PLDT username is adminpldt.

Have a Samsung smart fridge? Your Gmail credentials might be at risk!

Security researchers from Pen Test Partners recently uncovered a security flaw in a Samsung smart fridge which can compromise a user’s Gmail credentials. Their hack revealed that Samsung’s RF28HMELBSR smart fridge is vulnerable to ‘man in the middle’ attacks because it doesn’t validate SSL certificates. This does serve as an important reminder to be vigilant about where you upload sensitive data. This is especially important because connected devices (IoT) seemingly have less robust security than our smartphones, which themselves are not impervious to any number of exploits. Read more... 

Legal, Regulatory and Corporate

Court Says the FTC Can Slap Companies for Getting Hacked

For companies like the dating site Ashley Madison or the health insurer Anthem, financial loss, customer anger and professional embarrassment aren’t the only consequences of getting massively gutted by hackers. Now a court has confirmed that there’s a three-letter agency that can dish out punishment, too.  In a decision published Monday, a U.S. appellate court ruled that the Federal Trade Commission has the authority to sue Wyndham Hotels for allowing hackers to steal more than 600,000 customers’ data from its computer systems in 2008 and 2009, leading to more than $10 million in fraudulent charges. The ruling more widely cements the agency’s power to regulate and fine firms that lose consumer data to hackers, if the companies engaged in what the FTC deems “unfair” or “deceptive” business practices. Read more...  

Ex-Prez Bush, Cheney sued for email, phone spying during Olympics 

Ex-US president George W Bush, former Vice President Dick Cheney, and senior law enforcement officials have been named in a class-action lawsuit for authorizing blanket phone, email, and text message surveillance of Utah citizens during the 2002 Winter Olympics. In 2013 the Wall Street Journal reported that the FBI and NSA had done a deal with telco Qwest Communications for blanket surveillance coverage for Salt Lake City during the Winter Olympics. Then-mayor Ross "Rocky" Anderson has now taken up the case and has filed the class action suit. "This is the first time anyone knows of that a surveillance cone has been placed over a specific geographical area in the United States," he told The Register. Read more...

Security and Beyond

Highway to hack: why we’re just at the beginning of the auto-hacking era

In essence, the security posture of many modern automobiles is this—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world. The industry's insular culture and traditional approach to safety have kept most from collaborating with outside researchers, and their default response to disclosures of security threats has been to make it harder for researchers to work with them. Read more...

Biometrics: The password you cannot change

Biometrics Institute CEO Isabelle Moeller said increasingly biometric authentication is being used for the purpose of easing the burden of security when it comes to simplicity and usability. "Their use offers consumers great convenience and increased security at the same time. We are seeing a growing number of wearable devices and the use of fingerprint biometrics on mobile devices," she said.

On the flip side, recent research by FireEye Inc, outlined that hackers can remotely attack our smartphones and steal fingerprints on a "large scale", without anybody noticing. The research said the threat is mainly confined to Android devices, such as Samsung, Huawei, and HTC devices, that have fingerprint sensors. The research suggested the reason is because the device makers have not fully locked down the sensors, making it vulnerable to being attacked. "In this attack, victims' fingerprint data directly fall into attacker's hand. For the rest of the victim's life, the attacker can keep using the fingerprint data to do other malicious things," said FireEye researcher Yulong Zhang.

Security Awareness Tip

If it’s online, you can’t be certain it’s private.

In regard to the recent hack on Ashley Madison, it comes as no surprise.
Each piece of information you share, especially on the internet, via online platforms like social media, online dating sites or any other website which asks for information about you can be accessed by malicious users/attackers or by state governments.
If you don't want your private information to be online, take steps yourself to secure it & best of all, you could ensure that you don't put it there yourself!

Silensec Editorial Team

Editor: Dr. Almerindo Graziano
Dr. Graziano is the Silensec CEO. He holds an MSc in Electronic Engineering and a PhD in Mobile Computer Security, both from the University of Naples, Italy. Dr. Graziano has consulted in information security for private and government organisations across Europe, Africa and Middle East over the last 15 years. He is also a BSI-certified ISO27001 Lead Auditor trainer and auditor

Vice Editor: George Nicolaou (BSc, MSc)
George Nicolaou (BSc, MSc) leads the Silensec Malware Analysis Lab (MAL). He received his BSc in Computer Science and MSc in Advanced Computing Security from the University of Bath in UK, where he pursued research in malware and vulnerability analysis. For many years George has also been the Head of Research and Development department of the Astalavista Security Community. George is also a frequent speaker at security conferences around the world on advanced malware analysis, reverse engineering and exploit development techniques.

Associate Editor: Joseph Alulu (B.A)
Joseph Alulu leads the Silensec Marketing Department. He holds a Bachelors of Arts Degree from the University of Nairobi in Kenya. He publishes the weekly Silensec Newsletter, keeping you up to date on the latest information security news as well as creating information security awareness.

Please feel free to share this with interested parties via email, and social media. For a free subscription, please subscribe to our feed-image Feed.

For any questions please click on the following contact us link

Silensec Cyprus HQ

Silensec Africa

Feel free to contact us if you have any problems.

Silensec UK

Feel free to contact us if you have any problems.

News Feed