March 14, 2018

Critical Flash update. Patch now!

By Mark Stockley

What’s that you say? A critical vulnerability in Flash?

Why yes.

In news that will surprise nobody, all versions of Flash prior to 28.0.0.161 are harbouring a critical vulnerability that crooks could use to sneak malware on to your computer. Adobe lists this as a priority 2 update, meaning that it hasn’t seen any attacks against this vulnerability in the wild.

Don’t let that assessment, or Flash vulnerability fatigue, be an excuse not to act – it’s not safe to use version 28.0.0.161 of Flash so update it now or, better yet, ditch it entirely.

To understand why urgency is important you need to understand how Flash vulnerabilities can be used against you.

Adobe warns that successful exploitation of the vulnerability could lead to “arbitrary code execution in the context of the current user”. Remote Code Execution (RCE) flaws like this allow hackers to force your computer into running malware.

In the case of a Flash vulnerability like this one, all you have to do is look at the wrong booby-trapped website. Looking at the site is as good as actually downloading a virus and double clicking on it to run it, as far as your computer is concerned.

And we aren’t talking about a danger posed by one or two sites. Cybercriminals are in the business of compromising as many websites as they can.

It’s a numbers game. The danger to you isn’t that you’ll be targeted specifically (unless you’re a high value target), it’s that you’ll be caught in a cybercriminal’s drift net.

Read more at https://nakedsecurity.sophos.com/2018/03/14/critical-flash-update-patch-now/

Don’t fall for Fortnite invite scams!

By Lisa Vaas

STOP.

Don’t click that link. Don’t fork over Amazon gift cards. Don’t send $5 or $1 or anything at all to anybody’s PayPal account. Don’t jump on any offer for a free invite to Fortnite mobile from somebody who says they’ve got invites to spare.

They’re all lying.

On Monday, there was a confusing storm of fake offers to get in on the release of the hot, hot, hot mobile game. There was confusion about what was official and what was smoke, and there wasn’t much communication from game maker Epic Games to clarify the mess, with the exception of a comment by a mod on the official Fortnite subreddit that stated that they were accepting signups only and that the servers weren’t even live yet.

Now, there is official word on the mess, and the word is that all these invite offers are from windbag fraudsters looking for profit or for a pumped-up Twitter following/likes/retweets/comments. On Tuesday morning, Fortnite said that it hadn’t yet sent out any invites, and it warned gamers against clicking on anything but official links.

Read more at https://nakedsecurity.sophos.com/2018/03/14/dont-fall-for-fortnite-invite-scams/

Flippy the burger-flipping robot too good, fired after one day

By Lisa Vaas

Meet Flippy: the burger-turning robot designed to take a job away from expensive, healthcare-dependent, unionizing-inclined, burger-flipping humans!

Oh boy, said the California-based burger chain CaliBurger: #FlippyIsHere!

…and then, within the span of a day, presto blinko automatic-fire-o! #FlippyWasCanned.

It wasn’t that Flippy was bad at flipping. The spatula-wielding robot, which relies on image-recognition and heat-sensing technology, can flip up to 2,000 burgers a day. It’s just that it was too fast, and its human co-workers were too slow.

As of last week, the chain had plans to install Flippy units in 50 locations. The Flippy units, sold by Miso Robotics and specifically designed for CaliBurger restaurants, cost around $60,000 each and another $12,000 a year to run. The plan is for them to appear exclusively in CaliBurger restaurants for the next six months. The company is hoping that the rest of the 50 locations, including Seattle and Annapolis, Maryland, will be Flippified by year’s end. However, all has not started as expected.

The first Flippy debuted in Pasadena, California. It did great. But when USA Today stopped by last Thursday, a day after it was plugged in, the robotic arm was still on display, but it was unplugged. The kitchen was being run entirely by human staff.

Read more at https://nakedsecurity.sophos.com/2018/03/14/flippy-the-burger-flipping-robot-too-good-fired-after-one-day/

Speakers can be used to jump air-gapped systems

By John E Dunn

Bad news for fans of air-gapped security – researchers have outlined how it could be defeated by converting speakers into ultra-sonic transceivers.

Air-gapping is based on the idea that two computers or networks can be viewed as isolated from one another if there is no physical or logical connection linking them.

The flaw is that computers come with interfaces not designed for communication which could, in principle, be covertly modified to bridge such a gap.

According to researchers based at Israel’s Ben-Gurion University of the Negev, this includes devices such as speakers and headphones.

Previous research by the same team showed how microphones (receivers) and speakers (transmitters) could be exploited in this way, primarily through laptops which come equipped with both.

However, doing the same for two devices of the same type – speakers and headphones both designed to transmit sound – should be much harder.

Overcoming this required exploiting two obscure techniques: speaker reversibility and jack re-tasking.

Reversibility is based on the observation that speakers and headphones can be thought of as microphones in reverse:

A loudspeaker converts electric signals into a sound waveform, while a microphone transforms sounds into electric signals.

The researchers found that it is possible to use electrical reversal to turn a speaker or headphone into a device that will behave like a crude microphone.

Read more at https://nakedsecurity.sophos.com/2018/03/14/speakers-can-be-used-to-jump-air-gapped-systems/

Firefox turns out the lights on two privacy-sucking features

By Mark Stockley

Did you know that the websites you browse can ask your phone how far away your face is from the screen, and that they can determine the ambient light levels of the room you’re in?

No, me neither, and I do this stuff for a living.

The fact is that the web browser you’re using now is stuffed full of exotic, esoteric, somebody-somewhere-will-use-them features of questionable utility.

These features, often APIs (Application Programming Interfaces) that allow websites to act more like native apps, give sites access to some of your device’s most sophisticated capabilities, exposing everything from your GPS, gyroscopes and accelerometers, to proximity and ambient light sensors.

Until recently that list also included access to your battery charge level. It doesn’t now, on Firefox at least, thanks to the work of Lukasz Olejnik and the boldness of the Firefox development team.

The Battery Status API was killed off in late 2016 because, while it had almost no legitimate uptake at all, it became quite popular as a browser fingerprinting technique for cookie-less tracking.

Mozilla’s decision to flense the Battery Status API from Firefox, a move described by Olejnik as “unprecedented”, was a welcome check on the trend to fold ever more complexity (and attack surface) into web browsers.

And now that trend is about to hit another bump.

We’ll soon be losing proximity and ambient data from the list too, on Firefox at least, thanks to… the work of Lukasz Olejnik and the boldness of the Firefox development team!
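As an added example that is not from the article or from Mozilla, here is a small page script that audits which of the sensor APIs named above a browser still exposes to websites; the names SENSOR_API_CHECKS and auditSensorApis are mine, and the event and constructor names probed are the ones Firefox (legacy deviceproximity, userproximity and devicelight events) and Chromium-family browsers (Generic Sensor API) have used for these sensors.

```javascript
// Added example, not code from the article or from Mozilla: report which
// device-sensor web APIs the current browser exposes to page scripts. The
// probes target the APIs the article names: battery, proximity, ambient
// light, geolocation and motion sensors. The globals used in the test are
// constructed for illustration.

const SENSOR_API_CHECKS = [
  // Battery Status API: navigator.getBattery(), removed from Firefox in 2016.
  { name: "Battery Status API",
    probe: g => !!g.navigator && typeof g.navigator.getBattery === "function" },
  // Legacy proximity events Firefox exposed on window.
  { name: "Proximity sensor events",
    probe: g => "ondeviceproximity" in g || "onuserproximity" in g },
  // Legacy ambient light event Firefox exposed on window.
  { name: "Ambient light events",
    probe: g => "ondevicelight" in g },
  // Generic Sensor API constructor for ambient light (Chromium-style).
  { name: "AmbientLightSensor constructor",
    probe: g => typeof g.AmbientLightSensor === "function" },
  // Geolocation (GPS) and motion/orientation (accelerometer, gyroscope).
  { name: "Geolocation",
    probe: g => !!g.navigator && !!g.navigator.geolocation },
  { name: "Device motion/orientation events",
    probe: g => "ondevicemotion" in g || "ondeviceorientation" in g },
];

// Run every probe against a global object (window in a browser) and split the
// results into APIs a site can reach and APIs this browser withholds. A probe
// that throws (for example, no global at all) counts as "withheld".
function auditSensorApis(global) {
  const exposed = [];
  const withheld = [];
  for (const check of SENSOR_API_CHECKS) {
    let present = false;
    try { present = Boolean(check.probe(global)); } catch (_) { present = false; }
    (present ? exposed : withheld).push(check.name);
  }
  return { exposed, withheld };
}

// In a browser, paste this file into the console to see that browser's report.
if (typeof window !== "undefined") {
  const report = auditSensorApis(window);
  console.log("Exposed to sites:", report.exposed);
  console.log("Withheld:", report.withheld);
}
```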

Read more at https://nakedsecurity.sophos.com/2018/03/13/firefox-turns-out-the-lights-on-two-privacy-sucking-features/

Tweet thieves suspended by Twitter

By Lisa Vaas

As BuzzFeed News so nicely put it, the Tweetdeckoning has come.

On Friday, the platform cleared house of a particular kind of leech, suspending several popular accounts known for ripping off other people’s tweets or jokes without crediting the original creator and for making money by retweeting the plagiarized content.

BuzzFeed reported in January that the so-called “tweetdeckers” are youngsters – typically in their teens and 20s – who have huge followings and who are making thousands every month by selling the retweets.

The practice, which violates Twitter’s spam policy, gets its name from groups called “decks.” To score an invitation to join a deck, accounts usually need a follower count in the tens of thousands.

From Twitter’s spam policy, which defines spam to be, among other things…

…duplicative or substantially similar content, replies, or mentions over multiple accounts or multiple duplicate updates on one account.

Customers – both individuals and brands – pay tweetdeckers for a specified number of retweets to go out across deck member accounts with the aim of ‘going viral’. A single retweet fetches payment in the range of $5-$10. Subscriptions that last a week or month can cost several hundreds of dollars, depending on a given deck’s popularity. Some decks even hand over temporary access to the whole deck, BuzzFeed reports, something like a subscription to unlimited deck retweets.

Read more at https://nakedsecurity.sophos.com/2018/03/13/tweet-thieves-suspended-by-twitter/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.


Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation