Thursday last week saw the fourth emergency security update to Adobe Flash in as many months. Combined, these updates have plugged what is now a total of 107 holes, with last week’s update responsible for 36 of those all on its own, one of which is known to be usable to crash or even take complete control of an infected computer.
This is nothing new. Flash has frequently been exploited by online criminals to infect innocent internet users (including infection by the Locky Ransomware virus), and its already tarnished reputation is showing no signs of improving any time soon. It’s therefore no surprise that this has led many to doubt whether or not they really need Adobe Flash at all. So therein lies the question: should we update Flash now or uninstall it altogether?
Should I uninstall Flash altogether?
Ideally, yes. However, as I suspect is the case with most people, you’re probably using it more than you realise. For example, certain videos published to both Facebook and YouTube still utilise Flash, not to mention those online Flash games popular with kids and even with those looking for a little mind-numbing fun during their lunch break.
If you think you can do without it then there are no two ways about it: get rid of it now. After all, having Flash installed does nothing more than increase the risk of you getting infected. Instructions on how to uninstall Flash altogether can be found here for PC and here for Mac.
If, as is most likely, you do still need it, or if you’re unsure, then read on.
OK. So how do I update Flash?
So, as I thought, you do still have a need for Flash. While that’s OK, it is absolutely imperative that you update it now and continue to do so on a regular basis.
If you’re fortunate enough to have your computer covered by one of our ByteSafe Silver, Gold or Platinum packages then the good news is you needn’t do anything, as we’ve got it covered. As of approximately one month ago we added functionality to ensure that any commonly used third-party application (Flash, Java, Chrome etc.) suffering a zero-day vulnerability would be updated ASAP.
A zero-day vulnerability is a security hole in an application that is unknown to its vendor. This security hole is then exploited by hackers before the vendor is even aware of it. Once made aware, the vendor then hurries to fix it.
With our ears always firmly to the ground, the moment we catch wind of a zero-day and an update has been released, all systems covered by ByteSafe Silver, Gold or Platinum are patched at best the same day, if not the following morning (or the next time the system is switched on).
If you’re not covered (feel free to get in touch to discuss our packages in more detail) then you’re going to need to apply these updates yourself. It’s worth noting that Google Chrome includes its own version of Flash Player, so you’ll need to update Chrome itself to ensure you’re patched. Alternatively, if you use a browser other than Chrome, click here for instructions on updating.
What does the future hold for Flash?
The writing is already on the wall, and with Google having already started the ball rolling I expect to see others do the same within the coming months. To a hacker, Flash has proven to be the gift that just keeps on giving, and as we already have viable alternatives to Flash there is little excuse for us to continue using it for much longer.
Do you use online services such as LinkedIn, Twitter, Myspace or Tumblr? Are you re-using passwords with more than one online account? If so, the time has come for a re-think. The password you’re re-using may be suitably complex (this is still important – a post for some other time). However, the fact that you’re using it more than once puts you at risk. Here’s why.
So why is re-using passwords a bad idea?
You have a password for each online account, whether that be Facebook, Amazon or LinkedIn, in the same way that you have a key to your home, the office and even your car. So while I’m sure you’d agree that it would be completely stupid to have a single key for all three (home, work and your car), why is it OK to re-use the same password for your Facebook account, Amazon account and LinkedIn account?
Let’s just say, for example, you go out for a meal in town and decide to drive there. You enjoy a lovely evening with your partner, but little did you know that when the waiter took your jacket he took your key and got a copy cut. Now he has easy access to not just your car but also your home and even the office. Obviously, in real life this is very unlikely, but imagine for a moment it could happen. A pretty frightening thought, right?
But my password hasn’t been stolen. Has it?
The answer is I don’t know for sure, but it’s certainly possible. Reports surfaced last month that the login names and passwords of more than 100 million LinkedIn users were being sold online. While the data being sold is thought to have originated from a breach occurring around 4 years prior, it’s probable that a large proportion of those users haven’t changed their password in this time. I personally use LinkedIn and did so back in 2012. Did you too?
That’s not all, though. Only a week or so later, details began to emerge that a similar number of users’ credentials were also being sold online, this time in relation to separate breaches of both Myspace and Tumblr. It didn’t stop there: as I sat down on Friday evening to begin writing this very article, I got news that Twitter had also suffered at the hands of hackers. While we’re still waiting for further details to surface, it certainly illustrates just how much of an issue this really is right now.
Why is this happening?
It was never much of a surprise that as time went on we were going to see a steady increase in the number of internet-related data breaches. After all, the more we rely on computers and the internet, the more data there is online. The more data there is online, the more data there is to be stolen. The more data there is to be stolen, the more data will be stolen, and so on and so forth. What’s more, there is also significantly more of a financial motive for a hacker than there ever used to be, with data collected from such breaches being sold online for thousands of pounds.
Last year such breaches got a fair bit of media coverage (most notably in the case of TalkTalk back in October) and 2016 hasn’t shown any sign of this letting up. And if you take into consideration how little the authorities are doing or are able to do (lack of funding and expertise being arguable excuses), then it’s up to us to ensure we do all we can to keep our own information safe.
What can I do?
Well, it goes without saying that the really obvious solution is to simply stop re-using passwords for multiple accounts. I know, I know, having so many passwords is difficult to manage. I completely understand this, and if we’re going to be realistic the chances are you have dozens of online accounts and remembering a different password for each is no easy task for anyone. But wait, all is not lost and you do have some options here.
Have you ever heard of two-factor authentication? Two-factor authentication, put simply, is a two-step process requiring the user to provide something they know (i.e. a password) along with something they have (i.e. a unique code sent to their mobile phone) before they’re granted the access being requested. As a result, this method will almost certainly stop anyone attempting to log in to an account using stolen credentials, because they’ll only have one piece of what is now a two-part puzzle.
As I type, a large number of online services provide this facility and do so free of charge. The list of those offering it includes but is not limited to Apple, Google, Dropbox, Twitter, Facebook and Tumblr, and with all of them providing instructions on how to get started there really isn’t any excuse not to enable this where possible.
Password Management Apps
When it comes to keeping ourselves safe online there is often a trade-off between security and convenience. But what if you could have the best of both worlds? Interested? If you want to go that one step further, then my advice would be to look into a password manager. While not affiliated with them in any way, I am personally currently using LastPass but have also used Keeper in the past. Both offer almost identical services, with the former providing a free option for individual use and both offering paid solutions for teams or entire companies.
Password managers are great in that they keep a record of all your passwords, ensuring each one is strong and never re-used. This means that, generally speaking, the only password you need to remember is the one to the password manager itself. What’s more, they also support two-factor authentication, so access to the manager platform is pretty damn secure.
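To make "strong and never re-used" concrete, here is a small Python example added for illustration; it is not from the original post and is not how LastPass or Keeper work internally. It audits a list of logins for shared passwords and swaps each shared one for a unique random password. The list layout and the function names are assumptions made up for this example, and the sample entries are constructed, not real credentials.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample data in an assumed (site, username, password) layout.
SAMPLE_VAULT = [
    ("linkedin.com", "jo@example.com", "Summer2012!"),
    ("tumblr.com", "jo@example.com", "Summer2012!"),
    ("amazon.co.uk", "jo@example.com", "Summer2012!"),
    ("twitter.com", "jo_b", "k9#Vt!q2Lw8z"),
    ("facebook.com", "jo@example.com", "correct-horse-7"),
]

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def find_reuse(vault):
    """Return groups of sites that share one password (site names only)."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[password].append(site)
    # The password itself is never returned, so a report cannot leak it.
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def new_password(length=20):
    """Random password from the OS CSPRNG containing every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


def rotate_reused(vault):
    """Replace every shared password with a fresh unique one; keep the rest."""
    reused = {site for group in find_reuse(vault) for site in group}
    return [(site, user, new_password() if site in reused else pw)
            for site, user, pw in vault]


if __name__ == "__main__":
    for group in find_reuse(SAMPLE_VAULT):
        print("same password on:", ", ".join(group))
    print("groups left after rotation:", find_reuse(rotate_reused(SAMPLE_VAULT)))
```

In the sample, one leaked LinkedIn password would also open the Tumblr and Amazon accounts; after rotation no two sites share a password, so a breach at one site exposes only that site.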
At the end of the day I’m realistic enough to know that most users probably won’t heed such advice, and because of this I strongly expect and hope that the security guys behind such online services put in place systems to help protect users from themselves. That is all very well and good, but until this becomes general practice we need to do more to look after ourselves, because this problem isn’t going to go away any time soon. Cyber security is very much a moving target, and so the defenses that keep us safe today won’t necessarily be half as effective come tomorrow.