I’m simultaneously amazed and not surprised that Adobe Flash is still as widely used as it is currently. I was just working with a client who uses a website for a very large financial services company where certain key features rely on Flash. And this site was just launched. I know of several other clients who regularly rely on training websites to ensure employee compliance that require Flash be enabled to view their webinars. It’s as if all the major technology companies haven’t been warning for years that Adobe Flash was a dead-end technology riddled with security flaws. Heck, Google started hammering nails in Flash’s coffin five years ago, and yet, here it is, still required throughout the corporate workplace.
“I’m not dead yet!”
Unlike the famous Monty Python scene, there’s nothing humorous about Adobe’s stated plans to discontinue support for the stand-alone Flash Player at the end of this year. Not only will it no longer be supported, Adobe has stated that it will just stop working at that point, and should be uninstalled. I can see some of you scratching your head, “Hang on, isn’t Flash built into my browser?” And therein lies maybe a small amount of grace for tardy developers who are hoping to eke out a few more miles from their Flash content. Chrome, Firefox and Edge all have Flash built into the browser, but make you manually unblock each website that still requires Flash to operate, and there are, as of today, no definite dates for when those browsers kick Flash to the curb for good. You can bet that it won’t be too much past Adobe’s deadline. If you are relying on a website that still uses Flash, you know who you are: the hoops you have to jump through to use a Flash website are essentially impossible to avoid. Make sure you contact your content provider to find out what plans they have, if any, to upgrade their websites when Adobe Flash finally shuffles off this mortal coil.
Image by 00luvicecream from Pixabay
Though it’s been reported as being on death’s door for well over a year, Adobe Flash is still in wide use on the internet. Just as stubbornly, security problems continue to plague its undying existence, and the latest is already being exploited by an advanced persistent threat group dubbed ScarCruft by security firm Kaspersky. Details are sketchy at the moment – Adobe isn’t publicizing any details on the loophole, and it won’t be patched until June 16 at the earliest.
What this means for you:
According to Kaspersky, the exploit is definitely being used to attack what they call “high value” targets – primarily large companies or organizations with data that would be prized either for criminal or political value, but that doesn’t mean anyone can rest easy. The patch from Adobe will most likely solve this particular vulnerability, but you can count on other exploits being discovered, as they always have in the past, and, as always, the fix is entirely dependent on people actually updating their software on a regular basis. Until you can confirm Flash has been patched on your workstation, avoid clicking strange links (as always), and make sure you have updated malware protection in place.
Adobe Flash can’t seem to catch a break. Their most current black eye has arrived in the form of yet another zero-day exploit of a vulnerability in the latest versions (126.96.36.199 and 188.8.131.52) of the browser plug-in. According to Trend Micro’s blog, the hacking group Pawn Storm is targeting government workers via spear-phishing emails that contain links to news about current events. Instead of taking them to a legitimate news story, the links lead to compromised websites that can install malware onto the victim’s computer via the aforementioned exploit. Rather than the usual identity theft, this group seems to have a more politicized agenda and bears similarities to attacks on NATO from last year.
What this means for you:
If you are new to this blog, you may not have been briefed on the #1 Rule of Personal Technology Security: “Don’t click strange email links.” Even clients who have weathered years of me saying this sometimes let their guard down, so Rule #2 is “Be prepared for the worst,” which you should interpret as (1) having a strong firewall, (2) trusted anti-malware installed, and (3) a contingency strategy that includes backups and plans for operating without core infrastructure when things do go wrong. The sad matter of fact is that cyberattacks will get past anyone’s mental guard – we are only human after all – at which point properly installed and configured technology can act as a safety net. Note the emphasis – poorly implemented security is worse than nothing at all in some cases. When you have nothing, at least you aren’t lulled into a false sense of security. And don’t count on the (perhaps prematurely reported) death of Flash as a means to improve everyone’s overall security profile. We haven’t quite seen the end of Flash just yet, and there are plenty of other platforms (Java anyone?) that could easily take its place if and when Adobe finally puts this software out to pasture for good.
http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/
Last week’s breach of Italian security firm Hacking Team exposed documentation that detailed the firm’s use of previously unknown security weaknesses in Adobe’s pervasive Flash platform. Typically known as “zero-day” vulnerabilities, these types of holes are being exploited by cybercriminals from the moment they are discovered, and companies will scramble madly to patch the problems and distribute the fix to their customers. Apparently fed up with the ongoing security failures of the plugin and Adobe’s lackluster speed at fixing them, Mozilla has started blocking outdated Flash plugins from running in Firefox, and Facebook’s security czar has called for the troubled platform to be retired:
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
— Alex Stamos (@alexstamos) July 12, 2015
What this means for you:
If you are the owner of a website that uses Flash, you should review whether its use is optional or required, with the latter choice presenting numerous challenges, including alienating a large segment of your mobile browsers; both iOS and Android require special, third-party apps to run Flash that are typically not free. Add this to Google’s latest ranking algorithm, which disfavors sites that aren’t mobile friendly, and you could end up with a website that gets relegated to a dark corner of the internet.
As a website visitor, at minimum you should update your Flash plugin immediately, and only do so by getting the latest version from Adobe’s website. Do not follow links or popups that appear while visiting websites – 99% of the time they are not legitimate and will lead to a malware infection. If you’d prefer to stop using Flash altogether, you can follow these instructions to make Flash ask for permission every time it runs:
Researchers at Bluebox Security have published an unsettling discovery in the Android operating system that is the digital equivalent of a law enforcement official neglecting to verify if your driver’s license is actually real whenever you submit it as proof of your identity. Oh, and this little bug has been around since version 2.1 of the OS, which was released in January 2010. The real problem with this bug (aside from it being over 4 years old and still unpatched) is that it has the potential to grant malware written to take advantage of this bug an unprecedented level of access to your phone. While Google has acknowledged Bluebox’s finding, there is still no word on when this serious flaw will be fixed.
What this means for you:
Normally, Android apps installed on your phone are “sandboxed” into their own spaces, preventing them from interacting with other apps without permission. However, there is a certain set of apps that are allowed access to other apps, ostensibly to provide services to those apps. A well known example of a “super-privileged” app is Adobe’s Flash Player (before it was removed from the Play Store in Android 4.4), which was granted privileges to other apps primarily to provide rendering and playback services for Flash content. Each app comes with its own security certificate that is supposed to verify the app’s identity and authenticity. Except that, because of the above-mentioned bug, your Android phone doesn’t bother to verify that the certificate itself was actually issued by the authority it names. Oops.
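The following is an added illustration of the kind of check that is missing in the bug described above; it is not Bluebox’s or Google’s code and not a real PKI. A “signature” here is an HMAC keyed by a per-issuer secret (a constructed stand-in for an issuer’s private key), and the issuer name, subject name and secrets are all constructed sample values, so only the verification logic is meaningful: the flawed verifier believes whatever issuer a certificate names, while the correct one insists that the named issuer actually signed it.

```python
"""Added illustration: trusting a certificate's claimed issuer vs. verifying it.

Not Bluebox's or Google's code and not a real PKI. Signatures are HMACs keyed
by a per-issuer secret (constructed stand-in for a private key); names and
secrets are constructed sample values.
"""
import hashlib
import hmac
import json

# Constructed trust store: issuer name -> the secret only that issuer holds.
TRUSTED_ISSUERS = {"Adobe Systems CA": b"constructed-adobe-ca-secret"}

# Constructed secret an attacker might hold: it is not in the trust store.
ATTACKER_SECRET = b"constructed-attacker-secret"


def _sign(body: dict, issuer_secret: bytes) -> str:
    """Stand-in signature over a canonical encoding of the certificate body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(issuer_secret, payload, hashlib.sha256).hexdigest()


def make_cert(subject: str, issuer: str, issuer_secret: bytes) -> dict:
    """Build a certificate that names `issuer`, signed with whatever secret the caller has.
    Nothing stops a caller from naming an issuer whose secret it does not hold."""
    body = {"subject": subject, "issuer": issuer}
    return {**body, "signature": _sign(body, issuer_secret)}


def vulnerable_is_trusted(cert: dict) -> bool:
    """The flawed check: accepts the 'issuer' field at face value.
    Any certificate that merely claims a trusted issuer passes."""
    return cert["issuer"] in TRUSTED_ISSUERS


def correct_is_trusted(cert: dict) -> bool:
    """The proper check: the signature must validate under the named issuer's secret,
    so a certificate whose claimed issuer did not sign it is rejected."""
    issuer_secret = TRUSTED_ISSUERS.get(cert["issuer"])
    if issuer_secret is None:
        return False
    body = {"subject": cert["subject"], "issuer": cert["issuer"]}
    return hmac.compare_digest(cert["signature"], _sign(body, issuer_secret))


def grant_super_privileges(cert: dict, is_trusted) -> bool:
    """Model of the OS deciding whether an app gets cross-app (Flash-style) access:
    the app must present a trusted certificate for the privileged identity."""
    return cert["subject"] == "Adobe Flash Player" and is_trusted(cert)


if __name__ == "__main__":
    genuine = make_cert("Adobe Flash Player", "Adobe Systems CA",
                        TRUSTED_ISSUERS["Adobe Systems CA"])
    forged = make_cert("Adobe Flash Player", "Adobe Systems CA", ATTACKER_SECRET)
    for name, cert in (("genuine", genuine), ("forged", forged)):
        print(name,
              "vulnerable check grants:", grant_super_privileges(cert, vulnerable_is_trusted),
              "correct check grants:", grant_super_privileges(cert, correct_is_trusted))
```

Running it shows the genuine certificate passing both checks and the forged one passing only the vulnerable check, which is exactly the gap the post describes: the identity on the certificate is only meaningful if the verifier confirms who actually signed it.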
Until Google fixes this bug, be very careful installing new apps that appear on the Play Store, especially if you are directed to one via suspicious email or social media. Even though Google supposedly checks every single app made available on the Play Store, hackers and security researchers have been able to sneak malware into the store for a short period of time. And definitely do not side-load apps. Hopefully I don’t need to explain just how bad having malware on your phone could be, especially one that could interact with things like your contact list, banking apps and social media accounts.
Security holes in Adobe’s Flash and Oracle’s Java have become so commonplace, it’s actually helped to raise awareness about the necessity of keeping these platforms updated, but there’s a third platform that many of you probably use every day without ever realizing that it too needs to be patched. Would it surprise you to know that it’s a Microsoft product? Microsoft’s Silverlight technology was originally built to compete with Flash, but it’s probably best known as the platform that delivers Netflix’s streaming content to your computer. Hackers, unfortunately, are very much aware of how widespread Silverlight is, and are currently pressing their attacks on older versions of Silverlight, seeing as their usual punching bags, Java and Flash, are now firmly in the security spotlight.
What this means for you:
If you’ve ever watched Netflix streaming content on your computer, you have Silverlight installed. Even if you don’t use Netflix streaming, there is a high probability Silverlight is installed on your computer, even if it’s a Mac. Depending on how long ago it was initially installed, it might be out of date, especially if you disallowed automatic updates of the software. The latest version of Silverlight is 5, and to make sure you are up to date, you can use this link here. While you are at it, double check to make sure Java and Flash are both up to date as well, but be careful of the “optional software” both companies push when you update their platforms. Oracle variously pushes the Ask toolbar or McAfee Security Scan, the former a very annoying adware-spawning toolbar, and the latter may be redundant if you already have a decent antimalware app installed. Adobe is a little less obnoxious, but it does offer to automatically install Google Chrome (and the Google Toolbar), which may be redundant if you already have it installed, or possibly very confusing to a less savvy computer user who thinks Internet Explorer is the web browser.
The first Tuesday of every month is commonly known as “Patch Tuesday” in the IT industry, and is called thus because Microsoft issues its monthly batch of patches and security fixes to its operating systems and applications, most notably Internet Explorer. February’s selection features a whopping 31 CVEs (common vulnerabilities and exposures) that have been fixed in 4 “critical” updates and 3 “important” updates. Chief among the fixes are patches to all versions of Internet Explorer 6 through 11 to fill holes in the web browser that Microsoft anticipates being exploited in the next 30 days. Adobe also issued a fix for its Shockwave Media Player (a legacy multimedia player that may be installed on older PCs), not to be confused with Adobe Flash, which was also patched last week to combat a security hole that was actively being exploited on the internet.
What this means for you:
Depending on whether your technology is managed by an IT department, a 3rd-party provider like C2, or just by you, your Windows computers may update in the next day or two, or further out if your IT department tests MS updates before patching your company’s fleet. The ones that really need to pay attention are those that manage the software updates personally, as it’s easy to forget about or ignore the Windows Update process.
Not sure if your computer’s OS needs an update? Go to Control Panel -> Windows Update and read the information presented there. It will tell you if there are any updates waiting to be applied, when your computer was last updated, and you can even see a full history of what was updated previously. You can also double-check to see how your computer is set to check and apply updates. The best choice for most non-managed computers is the default setting for Windows Update, which is to download and apply all “important” and “critical” updates automatically on a regular schedule.
If you need to check whether Adobe Flash is properly patched, you can visit http://helpx.adobe.com/flash-player.html to check what version you have installed and whether it is working properly.
A new website entitled “HaveIBeenPwned.com” recently launched that indexes millions of accounts that have been exposed in some of the largest data breaches in the past 3 years, including the most recent data theft from Adobe, in which over 153 million accounts were dumped onto the internet. This website allows anyone to punch in their email address to see if their credentials were a part of the haul the data thieves looted in these attacks. Interestingly enough, I punched in my personal email address and discovered (as expected) my account was one of the 153 million exposed in the Adobe breach. Other breaches covered in this database include Yahoo, Sony, Stratfor and Gawker. If you happen to use any websites from those companies, it may be worth your while to check to see if you might have a password issue.
What this means for you:
If you happen to score one or more hits in the database on this website, and you know you’ve used the same password exposed in the above data breaches on other sites, you should stop using that password immediately and head out to change your other passwords ASAP. Even if you didn’t score a hit in the database, there are data breaches happening constantly, and computers have become strong enough to crack the encryption used to store and ostensibly protect those passwords. Where possible (and reasonable), you should be using unique, strong passwords for all your important web services, especially the ones that have access to your sensitive data and money. Programs like Passpack (what I use) and LastPass are indispensable tools to assist in making strong password use practical. Each has a bit of a learning curve and will take some getting used to, but the time spent will be a worthwhile investment in protecting yourself online.
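As an added example (not part of the original post, and not HaveIBeenPwned’s or any password manager’s code), here is an offline review of a password vault for the two problems the post warns about: the same password reused across sites, and a password that appears in a published breach dump. The breach dump and the vault are constructed sample data; the dump holds SHA-1 digests rather than plaintext, which is the common way such lists circulate, so the comparison is digest to digest and the vault’s passwords never leave the machine.

```python
"""Added example: offline review of a password vault for reuse and breach exposure.

Not part of the original post and not HaveIBeenPwned's code. The breach dump
and vault below are constructed sample data; the dump holds SHA-1 digests only.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form breach lists commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach dump: digests of passwords a fictional leak exposed.
BREACH_DUMP = {sha1_hex(p) for p in ("password1", "summer2013", "letmein")}

# Constructed vault: site -> password, as a password manager would hold them.
VAULT = {
    "bank.example": "Tq7!vL2#pX9wRz",
    "shop.example": "summer2013",
    "forum.example": "summer2013",
    "mail.example": "Kf4$mN8@dW1qYs",
    "news.example": "Kf4$mN8@dW1qYs",
}


def find_reused(vault: dict) -> dict:
    """Map each password used on more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def find_breached(vault: dict, breach_dump: set) -> list:
    """Sites whose password digest appears in the breach dump, sorted by site."""
    return sorted(site for site, pw in vault.items() if sha1_hex(pw) in breach_dump)


def review_vault(vault: dict, breach_dump: set) -> dict:
    """Site -> list of findings; sites with nothing to report are omitted."""
    findings = defaultdict(list)
    for sites in find_reused(vault).values():
        for site in sites:
            others = [s for s in sites if s != site]
            findings[site].append("reused on " + ", ".join(others))
    for site in find_breached(vault, breach_dump):
        findings[site].append("password appears in breach dump; change it everywhere")
    return dict(findings)


if __name__ == "__main__":
    for site, issues in sorted(review_vault(VAULT, BREACH_DUMP).items()):
        print(f"{site}: " + "; ".join(issues))
```

The output flags shop.example and forum.example twice (reused with each other and present in the dump) and mail.example and news.example once for reuse, while bank.example, with a unique password absent from the dump, is not mentioned; a real password manager performs much the same review when it audits a vault.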
Image courtesy of Salvatore Vuono / FreeDigitalPhotos.net.
While analyzing the data trail of the recent, highly-publicized Adobe security breach and data theft, researchers also discovered data that appears to have been stolen from a prominent online broker of limousine and towncar services. Among the some 850,000 customer records discovered were such illustrious names as Donald Trump, LeBron James and Tom Hanks, as well as numerous other wealthy and/or famous individuals. The data also included credit card information, pickup times and locations and even ID numbers of private airplanes used by this company’s customers. The records also included notes on customer behaviors and activities including a number of tidbits that could prove embarrassing or even potentially incriminating. Even if the data were to somehow avoid falling into the hands of police or tabloids, it’s highly likely that cybercriminals will have already cherry-picked many of the customer records for their potential use to fuel spear-phishing attacks and other focused cyber-espionage attempts on corporate and government targets.
What this means for you:
You may have enforced rigor and discipline in your own technology, to the point where you feel fairly confident that you can avoid most attempts to compromise your technology security, but the above points out an uncomfortable reality: you cannot control what information is being gathered about you whenever you interact with the rest of the world. You have two choices here: acceptance and vigilance – be watchful and cautious, and come to grips with the fact that 100% security is impossible, or move to a bunker in the wilderness, off the grid and completely isolated from society. However distasteful and infuriating the former may feel some days, the latter is just not a practical choice (or even possible) for most people.
Adobe dared what other software companies have only dabbled in doing: converting their entire, hugely popular software library into a rental-only commodity. Why do software companies aspire to this model? As you might suspect, users of expensive software packages like Adobe’s Creative Suite or Microsoft’s Office products are able to enjoy multiple years of use from the software before reluctantly upgrading, a consumer trend that bodes ill for any software manufacturer’s bottom line. The solution: make your highly desirable products only available for rent, or in software parlance: “subscription-based”, guaranteeing you a regular income that will make shareholders dance with glee. While this move has angered a large number of Adobe users, the software company was able to pull the plug on ownership because of the virtual stranglehold it has on this particular category of software, especially its flagship products Photoshop, Illustrator and Lightroom, for which there is virtually no competition its users are willing to consider.
What this means for you:
Adobe’s success (or failure) will determine how other companies proceed. Microsoft already has an extensive subscription-based offering of its productivity suite, which can be rented for what most in the business world consider to be a fair price, especially seeing as how critical Office is in daily business, but “rentals” are only a fraction of its overall sales, which still come through more traditional licensing channels. Annual licensing and maintenance has long been an accepted and expected revenue generator on the enterprise side, a means to bolster profits from an ownership model that came from lengthy software development cycles that are growing shorter and shorter every year. Adobe’s justification behind the subscription model maintains that subscribers will be able to enjoy continuous improvement to and expansion of their products. The question remains, however, whether business is ready for applications and platforms that continually change. While new features and improvements are always welcome, the constant change also presents bugs, security holes and training challenges that are definitely not covered by the subscription. Where before companies could control the rate at which their critical business software was changed, now they may have to join a race in which the finish line is constantly moved away from the participants.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net