Insightful & Helpful Articles

Here is what we're working on and thinking at Hedgehog Security.

This week we look at the end of an era for Adobe Flash: will we miss the never-ending updates? Has Google underestimated its cloud security, with flaws in its settings? And has the dark web now gone corporate?
Adobe has officially set a kill date for its love/hate Flash. The Photoshop giant said it plans to end support for the hacker-prone multimedia browser plugin by the end of 2020. There will be no more updates for Flash Player after that date, and support will end on many browsers, including Chrome, Internet Explorer and Edge, and Firefox. Facebook also says it will shut off Flash games by the end of 2020, and is advising developers to change their FB games over to a different format.
Programmers, designers and companies whose websites still rely on Flash (Google estimates that is about 17 per cent of all sites) are being encouraged to start planning now to transition to a more modern format, such as HTML5 and WebGL. This news gives me one less thing to think about, and it is welcome news for security professionals, as for us it is one less attack vector to worry about. In recent years, the notoriously insecure Flash Player plugin has been a favourite target for automated exploit kits due to both its dominance and the large number of serious flaws lingering in the code. 2020 may be the end of an era, but it is a welcome one.
Researchers at RedLock have discovered hundreds of organisations exposing sensitive data via Google Groups, and have pinned the cause on basic configuration issues. The exposure of sensitive data such as personally identifiable information, including employee salary and compensation details and customers' passwords, names, email addresses and home addresses, at hundreds of companies has all been down to "a customer-controlled configuration error in the Google Group sharing setting". The exposure was found when RedLock searched for publicly exposed groups belonging to the top 1,000 most visited sites on Alexa. Although some would like to blame Google, this is the companies themselves underestimating the power of making things public on the internet; it is the companies themselves that need to set their sharing groups to private. Is there really any need to make these types of groups public when they know how sensitive the information is?
Gone are the days when you were nervous to buy things online; maybe you bought things that you didn't want anyone to know about? It's unfortunate that the web has gone corporate and that it is now easy for people to buy hacking and shadowy technology services. Exploits and attack code can be extremely complex to discover or build from scratch. The dark web provides a marketplace that connects programmers with the needed skills and motivations to unleash them. Buyers of these exploits don't need to be master hackers themselves; they just need to find the right sites, and unfortunately nowadays it is very easy to do so. If anything, criminals are getting more efficient. It may be that the only thing worse than hacking services for sale online is hacking services for sale online in a frictionless marketplace that lets those with ill intent harness the skills of advanced programmers.