Adobe Flash ZeroDay Exploit in the wild

I often tell people who are looking for a cheap computer that there are numerous costs beyond the purchase price to consider.

This week on 3 separate occasions this point has popped its head up.

Episode 1: A woman asked me for a recommendation for a new computer – she is an octogenarian who uses it only once or twice a year, when she can’t use her Kindle to make travel arrangements. She was unaware that she could go to websites on her Kindle Fire and make flight reservations there. Instead of showing her an array of computer options, I showed her how to navigate on her tablet. She breathed a sigh of relief that she would not have to learn a new computer operating system (her old computer was still running XP).

Episode 2: A gentleman whom I helped purchase a Mac mini about 3 years ago called with a problem that AppleCare had tried to help him fix but couldn’t. In the interest of saving money at purchase time, we had gotten an inexpensive monitor from CompUSA to pair with his Mac mini. On hearing him describe his symptoms, I knew the solution was to change the input on the monitor, but he had no idea where the button for that was, and I had no idea without being in front of it to hunt for it. He asked why he got that monitor and not an Apple one, and I reminded him that he (his daughter) didn’t want to spend as much as an Apple monitor would cost.

Episode 3: A coworker recently moved to an iMac and was wondering how she was going to be able to back up her computer. A matter of 3 clicks later, Time Machine was enabled, and she was impressed to learn that it would keep hourly backups, so in case she accidentally deleted or modified a file, she would have access to recent changes in a very intuitive interface.

It is vitally important to consider the value of your peace of mind when looking at the cost of your new machine.  How much is your aggravation worth?

You may have heard about the FREAK exploit that has been talked about lately, and you might think you are secure using the bank app, or medical records app that you downloaded directly from the Apple Store or Google Play.

A new study just released has shown that isn’t quite the case, as the FREAK exploit is based on the encryption keys that the server you connect to uses, not on the app on the phone alone.

Ars Technica has an article about the study, and points out that users of apps should contact the vendors to inquire whether they have corrected the app to prevent FREAK attacks.

WHAT SHOULD I DO?

1 – Upgrade your phone to the latest version of its operating system, as the latest versions try to prevent the vast majority of FREAK attacks. The study found that even after the update on iOS, there were still 7 apps that were vulnerable.

2 – Don’t trust public wifi for secure transactions – you never know when the guy or girl next to you at the library is actually trying to hack your bank account.

for a purchase that you never authorized?

Would you report it on the Transaction Cancellation form included in the email?

Fake Transaction Cancellation Form – by filling this out, you give your account information and credit card information to the bad guys

 

If you have an Apple ID and have made purchases in the past, you should know that there is no Transaction Cancellation Form on your receipts.

But it looks so real!

That is the point of phishing – it makes it hard to tell when it is fake.  You have to think twice before putting your credit card information in anything you have received without your request.

Source: Malwarebytes Blog

Experts are predicting that 2015 will be the worst year ever for credit card fraud, as the US begins transitioning to the EMV card standard.  The US accounts for over 47% of all fraudulent card transaction losses on 23% of all fraudulent transactions.  That is primarily because we haven’t moved to the chip card standard.

So look for your bank to be issuing you a new card with a chip in it soon.

If you are thinking that Apple Pay (the secure credit card transaction method in the new iPhones) will stop this... well, not so fast. Hackers have found a way to use iPhones as accomplices. They buy credit card numbers on the black market and load them into an iPhone, eliminating the need to create fake pieces of plastic.

If you are an iPhone owner who uses Apple Pay, the information in your phone is not being hacked, so don’t worry.

There is a new attempt to compromise your iPhone or iPad.  It attempts to load a rogue application onto your phone using a method used by developers to test their software before it is approved by the Apple App Store Process.

There may be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone after connecting it to a compromised or infected Windows laptop via a USB cable.

However, in order to do this, you have to help the hackers.  The attempt will pop a number of dialog boxes asking for your confirmation to install an app.

What should I do?

Make sure you are running the most recent version of the operating system for your device. If you have an older device that cannot run iOS 8, be sure not to just click Allow.

For more information see the Trend Micro Blog

Trend Micro has identified a new Flash ZeroDay exploit.

ZeroDay? Whatchootalkinaboutwillis?

A ZeroDay exploit takes advantage of a newly discovered bug in an application like Adobe Flash for which no protective or ameliorative patch is available yet. This means “YOU ARE AT HIGH RISK OF BEING COMPROMISED”. This one is a real problem, because the attack vector relies on infected ads on otherwise trusted sites.

What can you do?

Install the latest patch whenever Adobe releases it. Limit your web browsing, and don’t think you are impervious to being exploited.

You can read more about the exploit on Trend Micro’s blog.