Google to Dim Flash Player in Chrome Browser

Google announced that it would minimize use of Adobe's Flash Player in its Chrome Web browser by the end of the year by turning off its default status.
When Chrome encounters a Web page, it will report the presence of Flash Player only if a user has indicated that the domain should execute Flash or if the site is in one of the top 10 domains using Flash, said Anthony LaForge, technical program manager for Google Chrome.
When a Web surfer using Chrome encounters a site offering HTML5, the change in Google's browser will make that the primary experience, he said.
"We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site," LaForge said.
"While Flash historically has been critical for rich media on the Web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption," he added. "This change reflects the maturity of HTML5 and its ability to deliver an excellent user experience."

The Whitelist Hedge

"This is part of a 10-year effort by the industry to get rid of Flash," said Patrick Moorhead, principal analyst at Moor Insights & Strategy.
"This is the next step in that process as people move to HTML5 and H.265 video," he told TechNewsWorld.
After the proposed change, "if you're not a top 10 website and you use Flash, you're going to have trouble with people who visit you and are running Chrome," Moorhead noted.
Google's change in Chrome creates a "whitelist" of 10 domains where Flash will be turned on by default. They are YouTube.com, Facebook.com, Yahoo.com, VK.com, Live.com, Yandex.ru, OK.ru, Twitch.tv, Amazon.com and Mail.ru. However, Google intends to get rid of even that whitelist after a year.
The company's support of a whitelist may be an indication of just how tough it's going to be to purge Flash from the Web. "Getting rid of Flash is going to be an onerous task due to its pervasive influence on the Internet," said Rahul Kashyap, chief security architect with Bromium.
"Already Google is resorting to poking holes in their strategy by whitelisting popular websites to minimize user impact," he told TechNewsWorld. "This is going to be a long and slow process, and Google's timeline is definitely aggressive."

Dead by 2018

Google's move could give competing browsers a helping hand. "Potentially, there's an opportunity for people to move to other browsers if they're not happy with Google's move," Moorhead said.
Nevertheless, "I don't see why Flash would be in existence in 2018, unless you didn't care about people coming to your website and watching your videos," he added.
Even Adobe is resigned to Flash's phase-out. "Google's initiative is part of an industry-wide transition to open Web standards," said Adobe spokesperson Russell Brady.
"At Adobe we are working closely with Google, Microsoft, Facebook and others to facilitate the adoption of these standards, including HTML5. At the same time, given that Flash continues to be used in areas such as education, Web gaming and premium video, the responsible thing for Adobe to do is to continue to support Flash with updates and fixes, as we help the industry transition," he told TechNewsWorld. "Looking ahead, we encourage content creators to build with new Web standards."

Security Woes

Among the advantages of the standards supplanting Flash is better security.
"The industry is moving to new technologies, which provides higher security," said Jim McGregor, principal analyst at Tirias Research.
Google's move is more forgiving than the way others have treated Flash, he told TechNewsWorld. The technology still will be supported in Chrome, although it will have to be turned on manually for many sites.
"While this may be a bit of discomfort to some users, all users are better off using the latest software to minimize security threats," McGregor said.

Eye to Eye on Flash

Vulnerabilities can appear in almost any type of software, but Flash has become a popular target of hackers. According to Symantec's latest "Internet Security Threat Report," four of the five most exploited zero-day vulnerabilities in 2015 were found in Adobe Flash.
"Once discovered, the zero days are quickly added to cybercriminal toolkits and exploited," noted Kevin Haley, director of security response at Symantec.
"At that point," he told TechNewsWorld, "millions will be attacked and hundreds of thousands infected if a patch is not available, or if people have not moved quickly enough to apply the patch."
In 2010, Steve Jobs defended Apple's decision not to support Flash on the iPhone. "Flash was created during the PC era -- for PCs and mice. Flash is a successful business for Adobe, and we can understand why they want to push it beyond PCs. But the mobile era is about low-power devices, touch interfaces and open Web standards -- all areas where Flash falls short."

Billion Wireless Mice at Risk

Wireless mice and keyboards are the perfect accessories for a world in which devices increasingly are shuffling off their connection coils, but those accessories -- especially untethered rodents -- also can create new threats for those who use them.
One such threat is Mousejack. The attack exploits a vulnerability found in 80 percent of wireless mice. With US$15 worth of off-the-shelf hardware and a few lines of simple code, a wireless mouse can be turned into a hacker's portal for all kinds of mischief.
Mousejack -- the name Bastille, which discovered the flaw last year, gave to the vulnerability -- impacts more than a billion wireless mice worldwide, the company's chief revenue officer, Ivan O'Sullivan, said.
One of Bastille's engineers, Marc Newlin, discovered the vulnerability in non-Bluetooth wireless mice. The flaw in the mice is related to how the devices handle encryption.
"When evaluating these devices, it became apparent that they do not implement encryption in a correct way and make it possible to bypass encryption in certain situations," he told TechNewsWorld.

Speed Typing

That allows an attacker to forge and transmit wireless packets to the USB dongle of a target's mouse and use that to inject keystrokes into that target's computer.
"Taking advantage of that, an attacker from 225 meters away [246 yards] can type on a target's computer," Newlin said.
Typing is a relative term here. The keystrokes sent to the dongle could be automated, which means a hacker could type as fast as 1,000 words a minute.
"You could very quickly execute an attack," Newlin said. "You could bring up a command window, type some commands, download some malware, and close the window all in a matter of seconds."
"If a victim's attention is elsewhere for a short period of time, an attack can be executed without their knowledge," he added.
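One defensive use of the speed figure above, as an added example that is not Bastille's code: a keystroke-rate heuristic that converts bursts of key events into an equivalent words-per-minute figure and flags bursts no human could type. The timestamps, the 5-characters-per-word convention and the 200 WPM human ceiling are assumptions constructed for the example.

```python
"""Flag keystroke bursts that arrive faster than a human could type.

Added example, not Bastille's code. Injected keystrokes from a scripted
dongle arrive at machine speed (the article cites 1,000 words a minute),
so a sliding-window rate check is a cheap host-side tell.
"""
from dataclasses import dataclass

CHARS_PER_WORD = 5        # standard typing-speed convention (assumption)
HUMAN_MAX_WPM = 200.0     # generous ceiling for a human typist (assumption)
WINDOW = 20               # keystrokes examined per sliding window


@dataclass
class Verdict:
    suspicious: bool
    peak_wpm: float
    window_start: int     # index of the first key in the fastest window


def words_per_minute(timestamps: list[float]) -> float:
    """Equivalent WPM for keystroke times given in seconds."""
    if len(timestamps) < 2:
        return 0.0
    elapsed = timestamps[-1] - timestamps[0]
    if elapsed <= 0:
        return float("inf")
    intervals = len(timestamps) - 1
    return (intervals / elapsed) * 60.0 / CHARS_PER_WORD


def analyze(timestamps: list[float], window: int = WINDOW,
            threshold: float = HUMAN_MAX_WPM) -> Verdict:
    """Slide a window over the stream and report the fastest burst."""
    peak, start = 0.0, 0
    for i in range(max(1, len(timestamps) - window + 1)):
        wpm = words_per_minute(timestamps[i:i + window])
        if wpm > peak:
            peak, start = wpm, i
    return Verdict(peak > threshold, peak, start)


def _series(start: float, intervals: list[float]) -> list[float]:
    """Build constructed timestamps from a list of inter-key gaps."""
    out, t = [], start
    for gap in intervals:
        out.append(t)
        t += gap
    return out


# Constructed sample streams: a human at ~80 WPM, an injector at 1,000 WPM,
# and a human session followed two seconds later by an injected burst.
HUMAN = _series(0.0, [0.12, 0.18] * 30)
INJECTED = _series(0.0, [0.012] * 60)
MIXED = HUMAN + _series(HUMAN[-1] + 2.0, [0.012] * 40)
```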

160 Million Weak Links

Although Bastille has demonstrated the feasibility of Mousejack, no attacks have been seen in the wild yet, Newlin noted.
Still, the vulnerability does pose a large threat not only to consumers but to businesses too. Eighty-two percent of businesses allow their employees to use wireless mice at work, according to a survey of 900 organizations Bastille released last month.
Most of the respondents were concerned about the mousejacking problem, but 21 percent said they were unconcerned about it, and 16 percent said they'd continue to use their wireless mouse even if it had the vulnerability.
"Sixteen percent of a billion devices is 160 million weak links in an organization's security chain," O'Sullivan told TechNewsWorld.

EMV Working

While merchants remain slow to add the hardware necessary for processing EMV transactions, card issuers are starting to see benefits from the payment cards with a computer chip, according to a report released this month by the Aite Group and sponsored by Iovation.
Card issuers with at least 50 percent of their portfolios reissued as EMV cards averaged a 25 percent year-over-year decline in net counterfeit fraud, Aite reported.
The results can be even better for issuers that have replaced their portfolio. One such issuer said its year-over-year decline in fraud losses was 65 percent, and it expects losses to be down by 80 percent in 2016, the report said.
Those declines can be a bit of a shell game, though. That's because with the introduction of EMV cards, the liability for picking up the tab for card fraud shifted from card issuers to merchants. Still, it's expected that much of the card-present fraud will shift from the physical world to the online world.
Unlike brick-and-mortar merchants, online retailers have been eating the losses from payment card misuse for years. Nevertheless, that doesn't mean they're ready to cope with more fraud.
"The question is if a significant portion of attempted fraud shifts to online, all of a sudden the numbers shift and you may not be able to absorb the uptick," Michael Thelander, product marketing manager of Iovation, told TechNewsWorld.
Card issuers continue to absorb some losses, the Aite report noted. Fraud at the gas pump, for example, is absorbed by issuers because the chargeback-to-merchant provisions don't take effect there until 2017.
In addition, card issuers are eating fraud losses on transactions of less than $25 because it costs more to process the chargeback than to eat the fraud loss.

Breach Diary

  • May 9. The Federal Deposit Insurance Corp. retroactively reports to Congress that since Oct. 30, five major data breaches have occurred involving taxpayers' personally identifiable information.
  • May 9. Google begins notifying employees their personal information is at risk after it was sent by a third-party provider to the benefits manager of another company. The manager destroyed the data when he realized it was sent to him by mistake.
  • May 9. Chelsea and Westminster Hospital NHS Foundation Trust in the UK is fined $258,570 for accidentally emailing the email addresses and names of HIV-positive patients with an electronic newsletter last fall.
  • May 10. The Ohio Department of Mental Health and Addiction Services discloses it has put at risk the personal information of as many as 59,000 people by mailing them postcards about participating in a survey for people with mental health or addiction problems.
  • May 10. Kiddicare reveals sensitive information about as many as 794,000 customers was stolen from a test site operated by the company.
  • May 10. Motherboard reports information on more than 100,000 user accounts from an adult site called Rosebuttboard was being posted to the "Have I Been Pwned?" site by security researcher Troy Hunt.
  • May 11. Wendy's reports a data breach in January affected fewer than 300 of its 5,500 restaurants.
  • May 12. Ponemon Institute releases annual benchmark study on privacy and security of healthcare data with a finding that the average cost of a healthcare breach was $2.2 million.
  • May 12. UnityPoint Health-Allen Hospital starts notifying 1,620 patients that their personal information was at risk after an employee accessed it without proper authorization over a seven-year period.
  • May 12. TalkTalk, which suffered a major data breach last year, reports pre-tax profits plunged more than 50 percent -- to Pounds 14 million from Pounds 32 million -- for the fiscal year that ended in March.
  • May 12. Kern County Superintendent of Schools in California alerts more than 2,500 employees paid by KCSOS in 2015 that some sensitive information about them was at risk after it was sent to an unauthorized party as the result of a phishing scam.
  • May 12. Kmart files papers with a federal court in Illinois announcing it has reached a settlement with financial institutions that filed a class-action lawsuit over a 2014 data breach. Details of the deal were not disclosed.
  • May 12. The New York Times reports a second bank has been infected with malware believed to be connected to an $81 million electronic robbery of the central bank of Bangladesh.

Upcoming Security Events

  • May 20-21. B-Sides Boston. Microsoft NERD, 1 Memorial Drive, Cambridge, Massachusetts. Tickets: $20.
  • May 21. B-Sides Cincinnati. University of Cincinnati, Tangeman University Center, Cincinnati. Tickets: $10.
  • May 21. B-Sides San Antonio. St. Mary's University, One Camino Santa Maria, San Antonio. Tickets: $10.
  • May 24. PCI DSS: Preventing Costly Cases of Non Compliance. 1 p.m. ET. Webinar by VigiTrust, HPE Data Security, Aberdeen Group and Coalfire. Free with registration.
  • June 1-2. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), Atlanta. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 6-9. Cloud Identity Summit. New Orleans Marriott, 555 Canal St., New Orleans. Registration: $1,695.
  • June 8. B-Sides London. ILEC Conference Center, 47 Lillie Rd., London SW6 1UD, UK. Free.
  • June 9. SecureWorld Portland. Oregon Convention Center. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 10. B-Sides Pittsburgh. Spirit Pittsburgh, 242 51st St., Pittsburgh. Free.
  • June 11-12. B-Sides Latin America. PUC-SP (Consolação), São Paulo. Free.
  • June 15. Federal Trade Commission's Start With Security -- Chicago. Northwestern Pritzker School of Law, 375 E. Chicago Ave. (corner of Lake Shore Drive), Chicago. Free.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 20. Center for New American Security Annual Conference. 9:30 a.m. to 5:30 p.m. J.W. Marriott, 1331 Pennsylvania Ave., Washington, D.C. Free with registration.
  • June 22. Combatting Targeted Attacks to Protect Payment Data and Identify Threats. 1 p.m. ET. Webinar by TBC. Free.
  • June 27-29. Fourth annual Cyber Security for Oil & Gas. DoubleTree by Hilton, 6 Greenway Plaza East, Houston. Registration: main conference, $2,295; conference and workshops, $3,895; single workshop, $549.
  • June 27-July 1. Appsec Europe. Rome Marriott Park Hotel, Colonnello Tommaso Masala, 54 Rome, Italy. Registration: members, 599 euros; nonmember, 610 euros; student, 91.50 euros.
  • June 27-July 1. Hack in Paris. Maison de la Chimie, 28 Rue Saint-Dominique, 75007 Paris. Tickets: before April 5, 288 euros; student or unemployed, 72 euros. Before June 9, 384 euros; student or unemployed, 108 euros. After June 8, 460.80 euros.
  • June 29. UK Cyber View Summit 2016 -- SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Virginia. Registration: $250.
  • Aug. 25. Chicago Cyber Security Summit. Hyatt Regency Chicago, 151 E. Wacker Drive, Chicago. Registration: $250.
  • Oct. 11-14. OWASP AppSec USA. Renaissance Marriott, 999 9th St. NW, Washington, D.C. Registration: Nonmember, $750; student, $80.
  • Oct. 17-19. CSX North America. The Cosmopolitan, 3708 Las Vegas Blvd. South, Las Vegas. Registration: before Aug. 11, ISACA member, $1,550; nonmember, $1,750. Before Oct. 13, member, $1,750; nonmember, $1,950. Onsite, member, $1,950; nonmember, $2,150. 
