Risk Radar Free Cyber Newsletter – Nov 22, 2016

Microsoft to Bid Farewell to SHA-1 in February
Microsoft will stop supporting SHA-1 for HTTPS early next year, and Google and Mozilla will do the same in early 2017. This will go a long way toward improving overall internet security. Users will still have the option of ignoring the warning and continuing to sites that use SHA-1. Hopefully, websites still on SHA-1 will transition to SHA-2, minimizing these warnings while providing a more secure internet.

BlackNurse DDoS Takes Just One Laptop to Nix a Network
BlackNurse is taking one of the D's out of DDoS. It uses a ping flood attack that leverages known exploits in firewalls and routers from Cisco, Palo Alto and others. The attack does not have to be distributed to be effective: it maxes out the CPU of the targeted device, which effectively shuts the device down. Mitigations for this attack are covered in the article.

WordPress Plugins Leave Black Friday Shoppers Vulnerable
Security firm Checkmarx is raising the alarm over WordPress e-commerce plugins used on commercial websites. The vulnerabilities in these plugins could lead to the loss of personal data, including credit card information. The report does not give specifics on the plugin vulnerabilities, nor does it say whether the vulnerabilities have been patched at this time.

iOS 10 Passcode Bypass Can Access Photos, Contacts
A vulnerability in iOS 8, 9, and 10 can allow the passcode to be bypassed. The attack uses Siri to bypass the passcode, and it requires physical access to a Siri-enabled iPhone. It can be mitigated by disabling Siri on the lock screen. At this time Apple has not said what it plans to do regarding this bypass attack.

Backdoor Found in Firmware of Some Android Devices
Up to 3 million low-end Android phones are vulnerable to an over-the-air (OTA) update compromise. The compromise enables remote execution with root privileges. Unencrypted communication used in the OTA process enables a man-in-the-middle attack. BLU has acknowledged the flaw and will be issuing a fix; other vendors have not made a statement at this time.

Great. Now Even Your Headphones Can Spy on You
Maybe you cover your laptop's camera and even physically disable its microphone to avoid eavesdropping. Researchers have figured out a way to get around this if you use headphones with your laptop. The attack uses a little-known feature of Realtek audio chips that allows headphones to be used as a microphone, and the audio they pick up can also be recorded.