Pittsburgh Tech Guy

Quickly patching vulnerable software is key to keeping computer systems secure. Yet, consumers are increasingly leaving their systems open to attack by failing to patch two ubiquitous third-party programs: Oracle's Java and Adobe's Flash.

Over the past five quarters, the portion of U.S. Java users with unpatched versions of the program on their systems increased to 50 percent at the end of 2014, up from 44 percent in Fall, 2013, according to data from vulnerability management firm Secunia. A similar, if slightly muted trend, affects U.S. users of Adobe Flash: The portion of users with older versions of the program reached 24 percent at the end of 2015, slightly up from five quarters earlier.

Programs like Java and Flash, which run on many different operating systems are "gifts to hackers," said Kasper Lindgaard, director of research and security for Secunia.

"They run on all different kinds of operating systems, so if there is a vulnerability, the attackers can use it on every target," he said.

No wonder, then, that the creators and users of key cybercriminal tools, known as exploit kits, regularly focus on both Java and Flash. While the number of attacks from exploit kits has declined since the 2013 arrest of the group suspected of being behind the popular Blackhole exploit kit, a number of other popular kits have popped up, and almost every one has included exploits for Adobe's Flash, Oracle's Java or both.

An update to the popular Styx exploit kit late last year included the ability to compromise systems through exploits for any of three Java flaws. While all the vulnerabilities had been patched by Oracle, cybercriminals know that users tend to be slow to patch. Another popular exploit kit, FlashPack, contains code capable of compromising systems using four different Adobe Flash vulnerabilities, two Java flaws, or three different bugs in Internet Explorer.

In 2013, Java was the most popular target of attackers, but in 2014, the number of attacks attempting to exploit the software declined by a third, according to Cisco's 2015 Annual Security Report. A survey of exploit kits by security software firm Trend Micro has found that flaws in Adobe Flash are the most popular vulnerabilities for attackers to target.

It is unclear why users have not patched. Both Oracle and Adobe have focused on security. Installing the latest version of Java should uninstall older, vulnerable versions of the program. Adobe regularly releases software updates. Both companies have added automatic update capabilities to their programs and have set the default setting to regularly check for and install updates.

Adobe recommends that all users update to the latest version of the software. Peleus Uhley, lead security strategist at Adobe, noted that the company has seen a drop-off in successful attacks.

"The majority of attacks we see are exploiting software not up-to-date on the latest security updates, therefore we strongly recommend that users install the latest security updates and enable the background updater as the best possible defense against those with malicious intent," Uhley said.

Other companies' data supports the strategy. Cisco found that consumers and companies that enable automatic updates are less vulnerable.

"The research clearly indicates that software that automatically installs its own updates seems to have an advantage in creating a safer security framework," Cisco stated in its 2015 Annual Security Report.

iTunes changed the way music was bought and sold. The revolution it brought around had a major impact but with the passage of time we’ve seen several large companies enter the fold, all aiming to make it easier for people to buy, and artists to sell their music online. Noteworthy among the new names are Google, Amazon, and Spotify. That said, we now not only have a simple way to buy cheap music, we also have choice when it comes to where or who we buy it from. Services compete for users now and if you’re in the market for some new music, Tunemiser is a little tool that you can use to see whether Amazon or iTunes has a better deal on an album or a track.

Open Tunemiser and type in the name of an artist, an album, or a track that you want to buy and hit ‘I’m feeling cheap’.  For some songs, you might see no difference in prices while for others you can see both a minor and a major difference. The service that offers the track or album at a better price is highlighted in the results. Click the play button next to a service to hear a snippet of the song.

When you search for an artist the results will include tracks and their prices on both Amazon and iTunes. It will also show a price comparison for albums available on iTunes and Amazon. In some cases, the album might only be available on one service and you obviously won’t see a comparative price for it. It’s not bad and can be improved by adding more services for users to compare prices across.

Got an old Android phone you want to trade in for an iPhone? Now you can do it at your local Apple retail store.

As expected, Cupertino has expanded its "Reuse and Recycling Program," which offers credit towards a new device in exchange for your old one, to non-Apple smartphones and PCs, according to a report from 9to5Mac. Previously limited to iPhone, iPad, and Mac, the program now lets you trade in select smartphones and PCs from other manufacturers as well.

That includes certain Android, Windows Phone, and BlackBerry phones as well as non-Mac computers. The newly expanded program is now available in the U.S. and U.K., France, and Italy.

Just bring your old device into an Apple Retail Store, and the company will give you immediate credit for its value toward the purchase of a new one. Trade-in prices, of course, will vary depending on the state of your current device.

Apple first started offering iPhone trade-ins at its U.S. stores in 2013, and expanded the program last year to include the iPad. The company also has an online recycling program that offers gift cards for salvageable iDevices via third-party partners, but users must mail in their devices rather than trade them in via an Apple Store.

Meanwhile, ahead of the April 24 Apple Watch launch, trade-in site Gazelle earlier this month announced that it wants your Apple timepieces.

Tidal, the Jay Z-owned streaming service built around high quality tracks, is relaunching in a move that could give consumers a new option when weighing competitors like Spotify or Pandora.

The revamped Tidal will go live on Monday at 5 p.m. U.S. Eastern time, as indicated by a large countdown timer that dominates its homepage. A company spokesman confirmed the relaunch plan but declined to comment further on how Tidal’s service might change. It’s reasonable to speculate that the new Tidal may feature lower pricing, new app functions, or an expansion of its existing database of 25 million “lossless” CD quality songs.

Tidal’s ad-free flagship service currently costs $19.99 per month, and can be accessed on the desktop, iOS, Android and home audio players like Sonos. A version offering standard sound quality costs $9.99 per month. Ad-supported services from competitors like Spotify, Pandora, Rdio and Deezer are free, although premium versions without ads cost around $9.99 per month or less.

Tidal launched its high fidelity-oriented service last year, betting there’s a large enough audience of music fans willing to pay more for better sound quality. Musician Jay Z bought it as part of a $56 million acquisition of Swedish company Aspiro, announced earlier this month.

Tidal has sought to distinguish itself from competitors by claiming to be the only that combines high quality audio with high definition music videos and with editorial content around music interviews and features.

But there’s a crescendo of competition. Google now offers its own Google Play Music streaming service, and Apple is said to be developing a new version of the Beats streaming service it acquired from that company. There’s also Deezer, which offers its own high fidelity streaming service.

But as streaming has grown, so too have complaints from artists that it doesn’t generate enough revenue for them. Tidal, however, has the backing of some major artists like Taylor Swift, who pulled her music from Spotify late last year over royalty issues.

With the relaunch, Jay Z might be looking to position Tidal, above all, as the service with the strongest support of artists.

So how did I get that malware on my system is the question I get more than anything.  From the look of things, you probably installed it yourself.  It typically came from some legitimate software that you wanted to download.  

There was a time when we went to some good download sites and clicked on the Download button to download software. And what we got was – software. But times have changed now, and things have gotten a bit messy. Now you have to be very careful before you click on any Download button or link, because you never know what you may end up with! You may go visit a download site to download, say our 340KB Ultimate Windows Tweaker, and end up with a bunch of other crapware you did not ask for!

Why have things come to this stage?

Over a period of time, something somewhere changed. Reputed download sites started getting a lot of traffic. Search Engines rank these sites well, so many visit them to download software. People trusted them. Then came a day when such sites decided to encash that trust – and betrayed their users! It was all about money!

They started offering Installers!

CNET is one such site. So are BrotherSoft, Softonic, FreewareFiles and Tucows. The open-source download site Sourceforge is yet another example! I am sure there are many more. So what are these Installers or Downloaders? They are nothing but setup files that try and first push third-party offers, bundleware and potentially unwanted programs on to your computer before giving you access to the file you want. This is how the downloaders or installers look like.

The CNET website explains:

The Download.com Installer securely delivers software from Download.com’s servers to your computer. During this process, the Download.com Installer may offer other free applications provided by our partners.

Brothersoft states its Download Manager policy as:

The program you want to download will be downloaded through Brothersoft Downloader, making the download process much faster, showing a progress bar and ensuring the program is virus-free.

Says SourceForge about its Installer and third-party offers:

Our mission is to help open source communities to grow, and we understand some projects need funds to be sustainable. We have taken every effort to ensure that the offers that you’re presented with are trustworthy and legitimate, and not a conduit for malware, spyware, viruses, or otherwise malicious software. All offers presented via this installer are subjected to a rigorous verification process to ensure that you are safe. Furthermore, if you don’t choose to accept the offer, the installation will continue, and you’ll hear no more about it. Nothing is installed without your consent, and no personally identifiable information is sent anywhere without your consent.

Don’t press the green Download Now button blindly

When you go on to download some software, you may see a big Download Now button. Most people will typically click on this button, and end up downloading the download sites installer, which is ad-supported and may include third-party offers. Most don’t see them and keep clicking on Next > Next, and end-up with software they did not want on their computers. Fortunately, for those who are sharp enough, you can see a Direct Download Link too. Its very small, but its there on most sites, including CNET. All Download.com Installer enabled products now have this Direct Download Link that you can use instead of the Installer. So remember to click the small Direct Download text link instead of the large Download Now button or link.

If you can, try to find the direct site of the software.  Anytime you get it from a third party website, chances are it is coming with malware.  Whenever you do install, do a custom installation.  Do not do the recommended installation.  Do a custom and it typically will list what will be installed, UNCHECK everything other than what you wanted. 

Tech support scammers should probably just hang up the phone when a scam call goes wrong.

But one scammer took things to a new level by threatening to kill a man who pointed out that the scammer was trying to steal money.

As we've reported numerous times, scammers pretending to work for Microsoft tech support call potential victims, tell them their computers are infected, convince them to provide remote access, and then charge them hundreds of dollars to fix imaginary problems.

Jakob Dulisse of British Columbia was wise to the ruse and recorded such a call two weeks ago, CBC News reported today. After Dulisse accused the scammer of trying to install malware on his computer that would steal banking information, passwords, and PayPal credentials, things went very wrong.

"You do understand we have each and every information, your address, your phone number," the scammer said in the recorded call. (You can listen to excerpts at the CBC link.) "We have our group in Canada. I will call them, I will provide your information to them, they will come to you, they will kill you."

That wasn't the only disturbing thing the scammer said. CBC reports:

The caller became irritated, but it wasn't until Dulisse asked why the man would try to steal from unsuspecting people that the conversation took what Dulisse calls a "sinister turn."

"He started getting kind of nasty and angry.

"He admitted that he was in India... and then he said, 'If you come to India, you know what we do to Anglo people?' I said, 'No.'

"He said, 'We cut them up in little pieces and throw them in the river.'"

Dulisse found the threats "chilling, but hard to take seriously," CBC reported.

"He was still trying to get me to do what he was trying to do with my computer," Dulisse told CBC. "He was actually threatening me as a tactic."

In the US, federal officials have been shutting down Windows tech support scam operations for years, but new ones using the same tactics keep popping up.