
Another Chrome zero-day, this time on Android – check your version!

Two weeks ago, the big “zero-day” news concerned a bug in Chrome.

We advised everyone to look for a Chrome or Chromium version number ending in .111, given that the previous mainstream version turned out to include a buffer overflow bug that was already known to cybercriminals.

Loosely speaking, if the crooks get there first and start exploiting a bug before a patch is available, that’s known as a zero-day hole.

The name comes from the early days of software piracy, when game hackers took brand new product releases and competed to see who could “crack” them first.

As you can imagine, in the days before widespread internet access made free games with a subscription-based online component viable, games vendors often resorted to abstruse and complex technical tricks to inhibit unlawful duplication of their software.

Nevertheless, top crackers would often unravel even the most ornery software protection code in a few days, and the lower the number of days before the crack came out, the bigger the bragging rights in underground forums.

The ultimate sort of crack – the gold-medal-with-a-laurel-wreath version – was one that came out with a zero-day delay (more coolly called an 0-day, with 0 pronounced as “oh”, not “zero”), where the game and its revenue-busting crack appeared on the very same day.

And “zero-day” is a term that has stuck, with the word now denoting a period of zero days during which even the most scrupulous sysadmin could have patched proactively – whether the crooks have known about the bug for years, months, weeks or days.

Well, the bad news is that there’s another vital update to Chrome, which means that users on Windows, Linux and Mac should now be looking for a version number of 86.0.4240.183, not for 86.0.4240.111.

Worse on Android

On Android, things are worse, and the version you need is 86.0.4240.185, because the Android patches include a bug dubbed CVE-2020-16010, which is apparently unique to the Android version of Chrome…

…and as Google once again drily notes, without any detail or explanation, “[we are] aware of reports that an exploit for CVE-2020-16010 exists in the wild.”

In short: Chrome for Android has a zero-day hole that crooks are already abusing, so you need to patch.

We don’t know how the crooks are abusing this bug, and we don’t know where it’s happening – if Google knows, it isn’t saying – so all we can advise is, “Get the update as soon as you can.”

As usual, given the fragmented state of the Android ecosystem, updates arrive at different times and in different ways depending on what device you bought, from which manufacturer, with which vendor’s name on it, and possibly even which mobile network it’s connected to.

So, as usual, despite what sounds like a serious problem in the standard Android browser, Google can offer little more by way of consolation than its usual disclaimer that the new version will “become available on Google Play over the next few weeks.”

Check early, check often – and get the patch as early as possible.

What to do?

  • On Windows, Linux and Mac, look for version 86.0.4240.183. (Or later, depending on when you are reading this.)
  • On Android, look for version 86.0.4240.185.
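As an added example (not code from the original article), here is a small Python check that compares an installed Chrome build against the minimum fixed versions quoted above. The trap it avoids is comparing version strings as text: “86.0.4240.99” sorts after “86.0.4240.183” alphabetically, which is exactly the wrong answer. The dumpsys output in the script is a constructed, abridged sample of what “adb shell dumpsys package com.android.chrome” prints on a real Android device; the platform names and minimum versions are taken from the article.

```python
"""Compare an installed Chrome build against the minimum fixed release per platform.

Added example, not code from the original article. The fixed versions are the
ones quoted in the article for Chrome 86; the dumpsys output below is a
constructed, abridged sample of what 'adb shell dumpsys package com.android.chrome'
prints on a real device.
"""
import re
from typing import Tuple

# Lowest build that carries the fix, per platform (Android alone gets the
# CVE-2020-16010 fix, hence the higher number).
MIN_FIXED = {
    "windows": "86.0.4240.183",
    "linux": "86.0.4240.183",
    "mac": "86.0.4240.183",
    "android": "86.0.4240.185",
}

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Tuples of ints compare component by component, which is what we want:
    a plain string comparison ranks '86.0.4240.99' above '86.0.4240.183'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the fixed build for the platform."""
    try:
        minimum = MIN_FIXED[platform.lower()]
    except KeyError:
        raise ValueError(f"unknown platform: {platform!r}") from None
    return parse_version(installed) >= parse_version(minimum)


# Constructed sample of 'adb shell dumpsys package com.android.chrome' output
# (the real command prints far more; only the versionName line matters here).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (4b1d2e3):
    userId=10118
    versionCode=424011133 minSdk=24 targetSdk=30
    versionName=86.0.4240.111
    splits=[base, config.arm64_v8a]
"""


def version_from_dumpsys(dump: str) -> str:
    """Pull the versionName value out of dumpsys package output."""
    match = re.search(r"^\s*versionName=(\S+)", dump, re.MULTILINE)
    if not match:
        raise ValueError("no versionName line found in dumpsys output")
    return match.group(1)


if __name__ == "__main__":
    installed = version_from_dumpsys(SAMPLE_DUMPSYS)
    state = "patched" if is_patched(installed, "android") else "UPDATE NEEDED"
    print(f"Chrome for Android {installed}: {state}")
```

On the desktop, the same is_patched() check works on the number shown at chrome://version; on Android, feed it the versionName from dumpsys (or from Settings > Apps > Chrome) and remember that the Android minimum is the higher .185 build.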

The burning question, of course, if Google Play is still showing an earlier version than the latest one available for your device, is “What then?”

As we noted above, Google has implied that this update may take weeks to reach all devices, and some old devices may not be getting updates anyway, in which case there isn’t a lot you can do but to live without the update until it arrives, or get a new phone that gets prompt patches.

If you are stuck without a Chrome update, you could consider switching to an alternative Android browser, albeit temporarily.

Look either for one that’s based on different software underpinnings, such as Firefox, or for one based on the Chromium codebase that is sufficiently different to Chrome that (so far as you can tell) the CVE-2020-16010 bug is not replicated in it.

You can switch your default browser using Settings > Set as default browser (Firefox, perhaps unsurprisingly, has detailed instructions on how to switch for various Android versions).

Note that on Google Android builds, Chrome is supplied with the operating system, in much the same way that Safari is part of iOS on Apple iPhones, and therefore can’t be uninstalled.

You can disable Chrome temporarily – or “turn it off so that it won’t show on the list of apps on your device”, in Google’s words – via the Settings > Apps & notifications option.


Naked Security Live – Ransomware: what to do?

Did you know you can join us for a live cybersecurity lecture every Friday?

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be on air – it’s usually somewhere between 18:00 and 19:00 UK time, which is late morning/early afternoon on the West/East coast of North America.

(Note that you don’t need a Facebook account to watch our live streams, but you will need to log in if you want to ask questions or post comments.)

We also upload the videos to our YouTube channel – here’s our latest video on mobile privacy:

[embedded content]

(Watch directly on YouTube if the video won’t play here.)

Thanks for watching… hope to see you online later this week!


Adobe Flash – it’s the end of the end of the end of the road at last

There are some cybersecurity issues that just never seem to go away.

As a result, we have written about them, on and off, for years – at first with ever-increasing quizzicality, but ultimately, once we could raise our eyebrows no further, with a sort of saggingly steady fatalism.

Examples include: the fact that Windows still doesn’t show file extensions by default; the prevalence of elementary security blunders in IoT devices; and Apple’s obstinate refusal to say anything at all about security fixes – even whether widely-known bugs are being worked on – until after they’re out.

And Flash. Adobe Flash.

Adobe’s technology for fancy interactive graphics, mostly used to spice up your browser, has drifted towards its demise for so many years that it has almost single-handedly made a cliche out of Mark Twain’s famous remark that “the report of my death was an exaggeration.”

Back in the day, Flash was a popular tool for writing online games and publishing browser-based software that worked more like a native app than was possible with the HTML features of the time.

However, given that Flash ran right inside your browser and required a complex, powerful plugin to implement what were essentially fancy, turbo-charged, proprietary browser extensions…

…Flash brought with it a regular supply of exploitable bugs, over and above any bugs in your browser or your operating system.

Cybercriminals could abuse these bugs not only to plague you with fake or misleading content, but also to escape from the strictures of your browser, spy on other browser tabs, read files off your hard disk that they weren’t even supposed to know about, and implant malware on your computer.

Worse still, Flash bugs seemed to show up very frequently as zero-days, the jargon term for exploitable security holes that are found by attackers before a patch is available, thus leaving even the most disciplined and swift-acting system administrators with zero days during which they could have been ahead of the crooks.

In one memorable (or perhaps best-forgotten) article back in 2016, we bemoaned three successive months in which Adobe pushed out updates to close off zero-day bugs in Flash.

Cybercriminals didn’t just love Flash, they adored it.

Who needs it, anyway?

Of course, most of us, even back in 2016, already either didn’t need Flash at all, or needed it so sparingly that we could get away with uninstalling it completely after each use, downloading and reinstalling it as a one-off every time we were genuinely forced to rely on it.

If anything showed that Adobe’s heart hasn’t really been in Flash for many years, it was the story of how Apple banned Flash from the iPhone in 2010.

Steve Jobs, then CEO at Apple, unilaterally ejected Flash from the iOS ecosystem in that year, saying that apps that tried to include it would be denied access to the App Store.

Ironically, even though opinion went against Apple for what was seen as anti-competitive behaviour and Apple relented on its ban, Adobe didn’t show any enthusiasm for the reprieve.

In fact, Adobe itself announced in 2011 that it was giving up on Flash for mobile devices altogether.

Not dead yet

Probably more because of pressure from users than from any burning desire to keep Flash alive, Adobe soldiered on with Flash updates and security patches for desktop computers for a few years more.

But in July 2017, the company finally and formally admitted that it had had enough, and that the technology was entering a phase known by the rather doom-laden jargon term EOL, short for End Of Life:

Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to […] new open formats.

Three years may sound like a long EOL period, but it’s a surprisingly common duration, given how long it takes some companies to implement technology changes throughout the entire organisation. Some reports suggest that Windows XP still has a market share above 1%, even though it’s now more than 12 years after XP’s final release and six years after it exited even from extended support.

The end of the end of the end?

So, where do we stand on the Final Demise of Flash?

Will it really abdicate forever on the last day of 2020, given that it’s had so many encores already, despite being redundant in browsers since HTML5 came out in 2014?

Is someone finally going to take us on a one-way trip to a world without Flash, a trip from which there really is no turning back this time?

Yes! It seems that the programmers at Microsoft, bless their hearts, have set out to do exactly that!

Update KB4577586, entitled Update for the removal of Adobe Flash Player: October 27, 2020, “will remove Adobe Flash Player from your Windows device.”

But there’s more.

“After this update has been applied,” the KB article goes on to say, “this update cannot be uninstalled.” (Microsoft’s boldface emphasis.)

The only way to get Flash back is by rolling back to an earlier restore point, or reinstalling Windows from scratch.

Wow! It really is the end of the end for Flash, at least on Windows.

PS. Do you have any Flash-related memories you want to share/unburden/lament? Let us know in the comments below…

(Guess what? It’s not truly the end, because this only removes the version of Flash that Windows itself controls. If you’re really desperate to carry on, like those cigarette smokers who huddle together miserably in the bike shed even on the blusteriest of winter days, you can always Bring Your Own Flash. But please don’t. Give Adobe the chance, at last, to give Flash the final sendoff it has been trying to achieve for years.)


S3 Ep4: Now THAT’S what I call a fire alarm! [Podcast]

This week: Facebook scammers trick you with fake copyright notices, voice scammers automate their attacks on the vulnerable, how to tune up your mobile privacy, and (oh! no!) the best/worst IT helpdesk call ever.

Presenters: Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

FBI “ransomware warning” for healthcare is a warning for everyone!

You’ve probably heard or seen the news that the US CISA issued an alert this week with the unassuming identifier AA20-302A.

CISA is short for Cybersecurity and Infrastructure Security Agency, and the AA20-302A report was a joint alert from CISA, the FBI and the HHS (US Department of Health and Human Services).

Of course, you won’t have heard the news by its codename.

Like software bugs, which might officially be denoted by a harmless sounding tag like CVE-2014-0160 but known in real life as Heartbleed, the headline title of AA20-302A is much more worrying:

Ransomware Activity Targeting the Healthcare and Public Health Sector

The bulk of the report is well worth studying if you haven’t been keeping up with recent history of ransomware, because it describes a common malware attack combination in useful detail.

You can also bone up on how ransomware attacks commonly unfold these days by consulting these recent articles:

Is this all about healthcare?

Yes. And no.

CISA’s warning was put out specifically because:

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

What’s vital to bear in mind, however, is that this report is not a sign that you are suddenly less likely to get hit if you are in any other industry sector.

It’s not a judgment on, or an indictment of, cybersecurity in the healthcare industry, and it definitely doesn’t imply that the rest of us are in fine cybersecurity shape simply because we’re in a different business.

It’s a warning that’s tailored for the healthcare sector, but that applies to all of us, and from which we can all learn.

Sure, some of the items in the AA20-302A report are specific to healthcare, such as contact details for cybersecurity bodies in the healthcare sector, and specific advice about security “hardening” on medical devices, which operate under a special regulatory mechanism.

(Flashing your own firmware tweaks on your home router or your Android phone is one thing; altering the firmware on regulated equipment such as ventilators or anaesthetic monitors is quite another.)

But we think you should read the CISA’s report even if you aren’t in healthcare: wherever you see the word “healthcare”, imagine your own business sector written there instead, whether that’s retail, hospitality, marketing, civil engineering, legal services, financial advice, real estate, aerospace…

…heck, read the report even (perhaps especially!) if your own industry sector is IT or cybersecurity itself.

What to remember

Ransomware attacks in their modern form – where your files get scrambled and the crooks blackmail you to pay a “fee” for the decryption key, of which they have the one and only copy – have evolved dramatically in recent years.

At first, starting in about 2013, ransomware criminals did massive spam runs that aimed to infect thousands or tens of thousands of individuals at a time and to demand an affordable yet painful sum from every individual victim, typically $300 to $2000.

By about 2017, the ransomware game began to shift to human-led attacks where the criminals would attack hundreds or thousands of computers at a time, but where all of them belonged to the same company.

This meant the crooks only needed to negotiate with one victim at a time (or a handful at most), but had much more leverage, assuming that many or all of the victim’s computers – including servers – were at a simultaneous standstill.

Ransom demands quickly rocketed up to five digits, with the infamous SamSam ransomware gang apparently picking $50,000, or just below it, as a sweet spot.

We don’t know why they chose $50k – they may have felt that many companies would be able to pay up that sort of money without consulting the board or going through a complex approval process.

Those five-figure demands didn’t last long, however, with today’s ransomware crews commonly demanding sums as high as eight digits. (Yes, you read that correctly.)

In a recent attack on travel company CWT, for example, the company was blackmailed for $10,000,000, though it ended up negotiating the amount down to $4,500,000.

Double whammy

One reason the crooks are making such outrageous demands these days is that they aren’t just scrambling files and leaving you stuck if you have no backups.

(By the way, the crooks go out of their way to find any online backups you’ve got so they can obliterate them first to make self-recovery harder.)

Sadly, the criminals are now taking the time to riffle through your files first, locating your so-called trophy data – business plans, financial accounts, internal emails, personal information about customers and employees, data covered by regulations such as GDPR, HIPAA and so on; anything that could damage your business deeply if it were to leak out.

The attackers then steal your data before scrambling it, and threaten to reveal it to the world – to your customers, your shareholders, the media, your competitors, the relevant regulators – if you don’t pay.

Double whammy.

The crooks are not only extorting you to get your business moving again in the short term, but also blackmailing you to save yourself from potential data breach doom in the long run.

What to do?

Don’t take this latest FBI warning as an indication that things have cooled off for everyone else, just because the heat has been turned up for the healthcare sector.

Ransomware is very often just the end of a lengthy attack chain, and the criminals who unleash it may have spent days or weeks in your network first.

During this time they will very likely spend time:

  1. Mapping out your network so they can attack as much of it as possible.
  2. Finding your trophy data and stealing it.
  3. Making themselves into sysadmins so they have as much power as your own IT department.
  4. Creating new accounts as backdoors to get back in tomorrow if they get kicked out today.
  5. Installing “grey hat” penetration testing tools that they use for attack, not for defence.
  6. Turning off key components of your own security software.
  7. Carrying out small “dry runs” with various malware samples to test attack techniques.
  8. Wiping your backups.
  9. Scrambling all your computers at the worst time of day for you.
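Several of the steps in that list leave footprints in ordinary Windows event logs long before any files get scrambled. As an added example (not code from the original article or from the CISA alert), here is a small Python detector that maps five of them – the backdoor account (step 4), the self-promotion to admin (step 3), the “grey hat” tooling (step 5), the security software being switched off (step 6) and the backup wipe (step 8) – onto standard Windows event IDs and runs over a handful of constructed JSON log records. Hosts on which several distinct steps fire within the sample are escalated, because one such event is noise but three or four together are an intrusion in progress. The event records, host names and account names are made up for the example; the event IDs and command lines are the real ones a practitioner would look for.

```python
"""Flag the pre-ransomware steps listed above in a stream of Windows event records.

Added example, not code from the original article or from the CISA alert. The
event lines are constructed for this example, one JSON object per line as a log
shipper might emit them; the event IDs are the standard Windows ones:
4720 user account created, 4732 member added to a local group, 4688 process
created, and Defender operational event 5001 (real-time protection disabled).
"""
import json
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
{"ts":"2020-10-28T02:11:03Z","host":"FS01","channel":"Security","id":4720,"subject":"CORP\\jsmith","target":"CORP\\svc_backup2"}
{"ts":"2020-10-28T02:11:09Z","host":"FS01","channel":"Security","id":4732,"subject":"CORP\\jsmith","target":"CORP\\svc_backup2","group":"Administrators"}
{"ts":"2020-10-28T02:14:41Z","host":"FS01","channel":"Security","id":4688,"subject":"CORP\\svc_backup2","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2020-10-28T02:15:02Z","host":"FS01","channel":"Microsoft-Windows-Windows Defender/Operational","id":5001,"subject":"CORP\\svc_backup2"}
{"ts":"2020-10-28T02:16:30Z","host":"FS01","channel":"Security","id":4688,"subject":"CORP\\svc_backup2","cmdline":"C:\\Users\\Public\\mimikatz.exe privilege::debug sekurlsa::logonpasswords"}
{"ts":"2020-10-28T09:00:00Z","host":"WS22","channel":"Security","id":4688,"subject":"CORP\\alee","cmdline":"C:\\Windows\\explorer.exe"}
"""

# Command lines that wipe local recovery points (step 8) and well-known
# "grey hat" tooling (step 5). Extend both patterns for your own environment.
BACKUP_WIPE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)
ATTACK_TOOLS = re.compile(r"mimikatz|psexec|cobalt|adfind|procdump", re.I)

# One rule per observable step of the chain: (label, predicate over one event).
RULES = [
    ("backdoor account created",   lambda e: e["id"] == 4720),
    ("account made local admin",   lambda e: e["id"] == 4732 and e.get("group") == "Administrators"),
    ("attack tooling executed",    lambda e: e["id"] == 4688 and bool(ATTACK_TOOLS.search(e.get("cmdline", "")))),
    ("security software disabled", lambda e: e["id"] == 5001 and "Defender" in e["channel"]),
    ("backups wiped",              lambda e: e["id"] == 4688 and bool(BACKUP_WIPE.search(e.get("cmdline", "")))),
]


def parse_events(text):
    """One JSON record per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Map host -> [(timestamp, step label, acting account)] for every rule hit."""
    hits = defaultdict(list)
    for event in events:
        for label, predicate in RULES:
            if predicate(event):
                hits[event["host"]].append((event["ts"], label, event["subject"]))
    return dict(hits)


def escalate(hits, min_steps=3):
    """Hosts on which several distinct chain steps fired: an intrusion in progress, not noise."""
    return sorted(host for host, rows in hits.items()
                  if len({label for _, label, _ in rows}) >= min_steps)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for host, rows in found.items():
        for ts, label, who in rows:
            print(f"{ts} {host}: {label} (by {who})")
    print("escalate:", escalate(found))
```

The point of escalate() is the correlation, not any single rule: a new account or a vssadmin call can each be legitimate, but an account that is created, made an administrator, and then used to wipe shadow copies and switch off Defender inside a few minutes on one host is the “dry run” phase described above, and that is the moment to investigate rather than tomorrow.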

So here is our advice on what to look for and how to prepare:

Never put off until tomorrow those curious malware reports you could investigate today!

