Last week’s breach of Italian security firm Hacking Team exposed documentation that detailed the firm’s use of previously unknown security weaknesses in Adobe’s pervasive Flash platform. Typically known as “zero-day” vulnerabilities, these types of holes are being exploited by cybercriminals from the moment they are discovered, and companies will scramble madly to patch the problems and distribute the fix to their customers. Apparently fed up with the ongoing security failures of the plugin and Adobe’s lackluster speed at fixing them, Mozilla has started blocking outdated Flash plugins from running in Firefox, and Facebook’s security czar has called for the troubled platform to be retired:
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
— Alex Stamos (@alexstamos) July 12, 2015
What this means for you:
If you are the owner of a website that uses Flash, you should review whether its use is optional or required, with the latter choice presenting numerous challenges, including alienating a large segment of your mobile browsers; both iOS and Android require special, third-part apps to run Flash that are typically not free. Adding this to Google’s latest ranking algorithm which disfavors sites that aren’t mobile friendly, and you could end up with a website that gets relegated to a dark corner of the internet.
As a website visitor, at minimum you should update your Flash plugin immediately, and only do so by getting the latest version from Adobe’s website. Do not follow links or popups that appear while visiting websites – 99% of the time they are not legitimate and will lead to a malware infection. If you’d prefer to stop using Flash altogether, you can follow these instructions to make Flash ask for permission every time it runs:
The first Tuesday of every month is commonly known as “Patch Tuesday” in the IT industry, and is called thus because Microsoft issues its monthly batch of patches and security fixes to its operating systems and applications, most notably Internet Explorer. February’s selection features a whopping 31 CVEs (common vulnerabilities and exposures) that have been fixed in 4 “critical” updates and 3 “important” updates. Chief among the fixes are patches to all versions of Internet Explorer 6 through 11 to fill holes in the web browser that Microsoft anticipates being exploited in the next 30 days. Adobe also issued a fix for its Shockwave Media Player (a legacy multimedia player that may be installed on older PCs), not to be confused with Adobe Flash, which was also patched last week to combat a security hole that was actively being exploited on the internet.
What this means for you:
Depending on whether your technology is managed by an IT department, 3rd-part provider like C2, or just by you, your Windows computers may update in the next day or two, or further out if your IT department tests MS updates before patching your company’s fleet. The ones that really need to pay attention are those that manage the software updates personally, as it’s easy to forget about or ignore the Windows Update process.
Not sure if your computer’s OS needs an update? Go to Control Panels -> Windows Update and read the information presented there. It will tell you if there are any updates waiting to be applied, when your computer was last updated, and you can even see a full history of what was updated previously. You can also double-check to see how your computer is set to check and apply updates. The best choice for most non-managed computers is the default setting for Windows Update, which is to download and apply all “important” and “critical” updates automatically on a regular schedule.
If you need to check whether Adobe Flash is properly patched, you can visit http://helpx.adobe.com/flash-player.html to check what version you have installed and whether it is working properly.
You’ve seen it in movies and television probably dozens of times: video surveillance systems being hacked into by both heroes and villains and being fooled into showing looped footage allowing said hero/villain to proceed undetected. This time around, life is imitating art as a security researcher demonstrated at the Black Hat security conference held this past weekend. In his presentation, dubbed “Exploiting Surveillance Cameras Like a Hollywood Hacker”, former NSA worker Craig Heffner demonstrated how he was able to research and exploit readily available internet-enabled video cameras commonly used for security surveillance in homes and businesses around the world. Given the well-honed skeptical nature of Black Hat attendees, Mr. Heffner provided a live demonstration wherein he focused a compromised camera on a bottle placed on stage. While the audience watched via the security console, Heffner hacked the camera to display a spoofed image of the bottle (the “Hollywood” part), and then proceeded to “steal” the bottle while the security camera continued to display an unmolested bottle.
What this means for you:
Unfortunately, Heffner was able to exploit cameras from many manufacturers primarily because the device firmwares contained hard-wired passwords and other backdoor mechanisms. Thanks to the internet, Heffner was able to download copies of many camera firmwares and research the vulnerabilities without even owning the actual device. Heffner contends that he has yet to come across a model of internet security camera that he cannot hack, primarily because the manufacturers have been careless in removing the backdoors and weakness, and that the basic operating system varied in only minor ways from model to model. If you are actively using any of the cameras listed in Heffner’s presentation, you may want to consider disconnecting them from the network (which essentially defeats the “Internet-enabled” part), or disabling them completely until the manufacturers patch the obvious security weaknesses.
Image courtesy of Renjith Krishnan / FreeDigitalPhotos.net
Security tester Phil Purviance has gone public with his findings on a popular router that widely sold to consumers and small businesses. He sums it up succinctly:
…any network with an EA2700 router on it is an insecure network!
The router in question is commonly found at big box retailers like Fry’s Electronics, Best Buy and pretty much any retailer that sells consumer electronics. Purviance reported his findings to Cisco over a month ago, but the hardware giant has yet to comment or issue any fixes to the public.
What this means for you:
If you are using a Cisco Linksys EA2700 router for your internet connection, your device and any computer connected to the EA2700 is at risk. Seeing as most folks aren’t even aware that their routers have software/firmware that can be upgraded, it’s likely that even if Cisco were to fix all the vulnerabilities outlined by Purviance, those fixes are unlikely to be applied by most consumers and small businesses. At the moment, the only true fix for the EA2700 is to replace it with something else, but with what? Researchers are still playing catch-up in this space, as there are literally hundreds models of consumer-grade routers installed in the US alone.
As a business owner, you should consider upgrading to a business-class router from a major manufacturer like Dell, Cisco, Fortinet, etc. (Cisco’s business-class equipment, ironically, is typically considered a standard choice). At the very minimum, understand what you have installed, upgrade the firmware if possible, and check with your local IT professional (C2 is always there to answer your questions!) to determine if there are any widely known exploits published about your particular router model.
A 2013 whitepaper published by security firm Fortinet provides eye-opening details on the increasingly well-organized world of cybercrime that now features standardized pricing, polished branding, affiliate networks and zombie armies that can be rented for as little as $15/hour. Depending on the size of the botnet army, an incredible amount of damage can be done in an hour, making this one hell of a deal if your business is exploiting security flaws and stealing identities. Criminals have noticed the huge upside to cybercrime and, like they have always done, wasted no time investing big dollars and resources in this new “industry.”
What this means for you:
Overall, it’s unlikely criminals are outspending the big companies in the cyber arms race, but it’s almost a certainty that they are outspending and are better “armed” than most small and medium-sized businesses, especially ones that can’t (or won’t) afford the necessary investment in preparation and security. The most important thing you can do as a business owner that uses technology for any aspect of your business is ensure that you are taking the appropriate precautions and making the right security investments in your technology platforms. Keep in mind this doesn’t stop at buying hardware and software, but also includes training your employees as well as holding your vendors accountable for security as well.
Image courtesy of chanpipat / FreeDigitalPhotos.net