Welcome to Dead Drop number 2, your weekly look at what's happening in the worlds of computer security, privacy, and internet freedom. All source links mentioned are below.
Over 300,000 financial records and credit card details have been stolen either from payment processor BlueSnap or it's customer Regpack. Neither company has admitted the breach, but a database of the records was posted online recently.
About a third of the associated email addresses have been added to the Have I Been Pwned site, so search that if you think you might be affected.
Adobe have issued another security bulletin for a critical vulnerability found in Flash player for Windows, Mac, Linux, and ChromeOS. This one can potentially take control of your system, so update now, or better still get rid of Flash player if you don't need it.
Signal, the private messaging app recently issued a patch for their Android app due to two new vulnerabilities found. The first allows attackers to add extra data onto the end of attachments, and the other can remotely crash the app.
A researcher in Holland has found that his Xiaomi smartphone has a vulnerability allowing attackers to silently install any app they wish. He found an app named Analytics.apk routinely sends data about the phone back to the Xiaomi servers, and more importantly checks for an update every 24 hours. This means if someone acts as a man in the middle and renames any malicious app as Analytics.apk, it will be downloaded and installed automatically, without the user knowing.
DENIAL OF SERVICE
Bruce Schneier wrote an interesting post about what looks to be a huge, and sustained operation to probe critical infrastructure on the internet. It seems like a nation state is testing capabilities and weak points, potentially to use in a cyber war scenario to take down the entire internet, using targetted DDoS attacks.
In other denial of service news, researchers from Ben-Gurion University have found that it would take only 6000 smartphones to take down a states emergency phone system, and around 200,000 for the entire system across the US. They theorized that malware infected phones could launch a distributed attack, overwhelming the system, and bringing it to its knees.
Steve Kemp found out that if web apps don't filter out URI inputs from standard URL forms, he could read files on the web apps server, including password files and other potentially damaging data. This one's worth a read if you're a developer.
Adblock Plus, the famous ad blocking browser extension, has announced that will now start selling and including ads on web pages. They say they aim to replace big and intrusive ads with their own preselected ones.
Four researchers from the Max-Planck Institute for Informatics wrote a paper titled ‘Faceless Person Recognition', and investigated whether it's possible for image-matching systems to correctly identify people in photos even if faces have been obscurred, pixelated or blurred.
To finish, we have a great article by Robert Epstein, about how Silicon Valley tricked us into giving up our freedom, privacy, data, and behavioral patterns, in return for “free” stuff. Definitely check this one out if you're into these sort of ideas.