This Week In Security #5
Security is looking past what you know. With new threats and vulnerabilities found every day, we'll try to give you an organized weekly dose of security news. This is Koda Ops TWIS #5.
New zero-day found in Adobe Flash Player
A newly discovered zero-day vulnerability in Adobe Flash Player is being exploited by attackers in the wild. Adobe released a Security Bulletin (APSB16-36) yesterday, which patches the vulnerability (CVE-2016-7855). The critical vulnerability affects Adobe Flash Player 126.96.36.199 and earlier versions for the following operating systems: Windows, Mac, Linux, and Chrome OS. According to Adobe, an exploit for the vulnerability exists in the wild and is being used in limited, targeted attacks against users running Windows versions 7, 8.1, and 10.
Vulnerabilities in Telegram, WhatsApp, and Signal allow your voicemail to be used against you
Italian security researchers have discovered a vulnerability that can be easily exploited to break into messaging applications such as Telegram, WhatsApp, and Signal. According to the researchers, a rather old voicemail caller-ID spoofing flaw can be used to steal activation codes and compromise accounts. An estimated 32 million users are at risk from this attack. The obvious fix is to turn off your voicemail, but the companies should look into a fix for this security flaw, and hopefully soon. The attack works when calls get redirected to your voicemail because the user doesn't respond or isn't reachable at the time, allowing attackers to spoof your number, call your voicemail, and gain access to your account.
Weebly and Foursquare hacked
Weebly and Foursquare are the latest in a long line of tech companies under scrutiny for their security practices. On Thursday, a notification of the breach was posted on LeakedSource. More than 43.3 million accounts were stolen in this attack, and according to ZDNet the leaked information contains usernames, passwords, IP addresses, and emails. Luckily, all stolen passwords were stored in bcrypt, a relatively strong system for scrambling passwords. As of now, I'd still recommend changing passwords and grabbing a VPN as soon as you can.
3.2 million debit cards compromised
India is dealing with a major breach of 3.2 million debit cards. Of the cards, 2.6 million are said to be on the Visa and MasterCard platforms and 600,000 on the RuPay platform. The banks that saw most of the damage are State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank. Several victims of this breach have reported unauthorized usage from China, leading us to believe that this was a Chinese group of hackers.
Adding your number might not be as secure as you think it is
It seems like a common thing to be asked to add your phone number to your accounts so you can have a “secure” way of resetting your password or logging into them. Well, I'm sure that most of the information security community stayed away from placing this information on their accounts, and for good reason. Recent account takeovers, email hacking, and targeted phishing attacks on various YouTubers and politicians have proven that you don't always need a complex zero-day when you can just social engineer your victim into handing over their information.
This is This Week In Security. I hope you enjoyed reading; please comment below and stay tuned for more TWIS.