This Week in Security: Flash, Fireball, IoT Carwash

Gone in a Flash

Earlier this week, Adobe announced Flash will be end-of-life (EOL) at the end of 2020. Thankfully, the announcement doesn’t require Flash to view. The move comes as other open web standards like HTML5, WebAssembly, and WebGL gain widespread adoption by developers while Flash usage has decreased dramatically over the last 3 years, according to the Chromium project.

China Extinguishes Fireball Team

Chinese authorities turned up the heat on the criminals responsible for Fireball malware by arresting at least 9 of the developers at RafoTech, a digital marketing company in Beijing. Fireball spread like wildfire, allegedly infecting over 250 million machines across the globe, by bundling itself with other software distributed by RafoTech.

We recommend protecting yourself from other threats like Fireball by keeping your operating system, browser, and antivirus up to date, and by avoiding software downloads from third-party websites.

Putting the Brakes on an IoT Carwash

If that previous story got you heated, you can cool off by taking a drive through your nearest carwash, where hackers have figured out how to hijack Internet-connected drive-through carwash stations and gain control over the doors and washing arm. With just these two primitive capabilities, an attacker could trap a vehicle inside the washing bay, douse the occupants with water, or even strike the vehicle with the washing arm or exit doors.

The automated washing machines rely on software-based safety mechanisms to prevent the doors and arm from hitting a vehicle, but hackers can override these safety controls. Apparently, the developers didn’t learn the lessons from the Therac-25 incident, where a software safety interlock failed silently, resulting in at least six cases where patients received excessive radiation treatments.

Perhaps we should stop connecting things to the Internet that don’t need to be connected. At (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Research and Intelligence Team. Read the original post at: https://threatmatrix.cylance.com/en_us/home/this-week-in-security-7-28-2017.html