Firefox Dropping NPAPI Plugin Support EXCEPT FLASH (Wait, What?)

Firefox is dropping NPAPI plugins by the end of 2016 — except for Flash. “Microsoft dropped NPAPI support in Internet Explorer 5.5, and its Edge browser in Windows 10 also drops support for ActiveX plugins. Google’s Chrome started phasing out NPAPI support in April this year and dropped it entirely in September. Now it’s Firefox’s turn. Netscape’s open source descendent will be removing NPAPI plugin support by the end of 2016. Some variants of the browser, such as 64-bit Firefox for Windows, already lack this plugin support.”

Latest on the Hack List: The Wall Street Journal

The Wall Street Journal was apparently hacked. “It seems the attack was mostly targeted at accessing contact information like names, addresses, email addresses and other similar data. However, Lewis also noted that credit card information for about 3,500 customers ‘could have been accessed’ — though again, he says there’s no direct evidence yet that the data was actually stolen.”

Adobe Prepping a Pile of Patches

Get your computer ready – Adobe is releasing a pile of patches next week – and several of them are for Acrobat. “The advanced notification of the fixes does not elaborate on the vulnerabilities given that doing so will help attackers brew exploits ahead of patch time, but it does award a ‘critical’ severity rating of two that indicates each bug is likely to be exploited when those details drop.”

Personal Data and Online Advertising

An expanded tool tracks the way personal information is used in online advertising. “With computer scientists, Augustin Chaintreau and Daniel Hsu, and graduate students Mathias Lecuyer, Riley Spahn and Yannis Spiliopoulos, [Roxana] Geambasu has designed a second-generation tool for bringing transparency to the Web. It’s called Sunlight and builds on its predecessor, XRay, which linked ads shown to Gmail users with text in their emails, and recommendations on Amazon and YouTube with their shopping and viewing patterns. The researchers will present the new tool and a related study on Oct. 14 in Denver, at the Association for Computing Machinery’s annual conference on security.”

Russia Gives Google A Deadline

Russia is giving Google until November 18th to adjust its Android deployments. From (a translated version of) Russia’s announcement: “These include mandatory preset with the Google Play a number of other applications of the company, their placement in the priority areas on the screen, the mandatory installation of the search engine Google ‘default’ as well as a ban on the preset applications of other companies.”

LinkedIn Has to Pay Out After Annoying Users

LinkedIn has to pay out after spamming the crap out of people. “LinkedIn’s Add Connections program allowed users to import their personal contacts into the company’s system and then have invitations to connect on LinkedIn sent out on their behalf. However, if a recipient of the invitation email didn’t accept the invitation within a certain amount of time, LinkedIn would then send two follow up emails repeating the invitation.” Okay, so technically it’s not spamming people, because LinkedIn did have permission to communicate with people. So I guess technically I should write “LinkedIn has to pay out after horribly abusing the trust and permission of its users by metaphorically beating them over the head with an e-mail stick.” Right?

Google Pushes Back Against Android Auto Data Claims

Google is pushing back against claims that Android Auto collects a lot of car information. “Android Auto does not phone key automotive data back home, Google says. This comes after Motor Trend stated Porsche opted to not include Android Auto in the new 991/2 as Google’s system collects and transmits back to Google information such as vehicle speed, throttle position, coolant and oil temp, engine revs.”

Patreon Hacked; User Information Put Online

It looks like the Patreon crowdfunding site has been hacked, and user information has already been put online. “Security researcher Troy Hunt has since downloaded the archive file, inspected its contents, and concluded that they almost certainly came from Patreon servers. He said the amount and type of data posted by the hackers suggest the breach was more extensive and potentially damaging to users than he previously assumed.”

Argentina Looking at Serious Copyright Extension

Argentina wants to do some big-time copyright extension. “As a post on the Wikimedia Argentina blog explains (original in Spanish), a proposed law would extend the copyright in photos from 25 years after an image was taken (or 20 years from first publication) to life plus 70 years — a vast extension that would mean that most photos taken in the 20th century would still be in copyright. That’s a big problem for Wikipedia in Argentina, since it is using photographs that have passed into the public domain under existing legislation. If the new law is passed in its current form, large numbers of photos would have to be removed…”

TrueCrypt Has Critical Security Flaws

You may remember last year, the developers of TrueCrypt abandoned it, saying it wasn’t secure and suggesting no one use it. There wasn’t a lot of explanation at the time. Well now we have more details: TrueCrypt has critical security flaws. “Google Project Zero researcher James Forshaw found two ‘privilege elevation’ holes in the popular software that would give attackers full access to your data. Worse yet, TrueCrypt was audited earlier this year by a crowdfunded team of iSec security researchers and found to be error-free.”

Scottrade Hacked?

Apparently Scottrade has been hit with a hack. (Based on the number of things I’ve got in my Pocket queue, you’re going to see several such stories in ResearchBuzz shortly.) “Welcome to Day 2 of Cybersecurity (Breach) Awareness Month! Today’s awareness lesson is brought to you by retail brokerage firm Scottrade Inc., which just disclosed a breach involving contact information and possibly Social Security numbers on 4.6 million customers.” And guess what? It looks like the actual hack was over 18 months ago.

Blogspot to Go HTTPS

Google is beginning HTTPS support for Blogspot. (Does anybody use Blogspot anymore?) “…today we’re expanding on the HTTPS Everywhere mission and beginning an initial rollout of HTTPS support for Blogspot. HTTPS is a cornerstone of internet security as it provides several important benefits: it makes it harder for bad actors to steal information or track the activities of blog authors and visitors, it helps check that visitors open the correct website and aren’t being redirected to a malicious location, and it helps detect if a bad actor tries to change any data sent from Blogger to a blog visitor.”