News in brief: Update Flash now; Heartbleed fine; the $1.9m email

Your daily round-up of some of the other stories in the news

Update Flash now

In a move that will surprise nobody, Adobe has released a patch for Flash Player that fixes two remotely exploitable vulnerabilities rated Critical.

If you’re a Flash user you should update your Flash Player immediately (if your browser bundles its own copy, as Chrome and Microsoft’s browsers on Windows 8 and later do, the fix arrives with the browser update instead) and then ask yourself how much longer you’re prepared to go on like this. How many more times are you prepared to read that there’s a Critical RCE in Flash and you need to update immediately?

Our advice? Uninstall it and never look back.

The plugin’s days are numbered and everybody knows it. iPad and iPhone users have survived without it since the beginning. The browser vendors are closing their eyes, covering their ears and trying to pretend it doesn’t exist, and its designated successor, HTML5, is nearly old enough to watch PG-13 films.

For all that, though, Flash is taking longer to die than the T-1000 in Terminator 2. We think it’s time to cut to the end scene and drop that bedevilled plugin into the molten metal. It’s the only kind thing to do.

Heartbleed fine

A municipality in the UK has been fined £100,000 (about $130,000) by the country’s privacy watchdog for not dealing quickly enough with the Heartbleed vulnerability back in 2014.

Heartbleed was a bug in the TLS heartbeat extension of the widely-used OpenSSL encryption library that allowed crooks to trick vulnerable web servers into sending back chunks of their own memory, including data left behind by other connections.

By hammering vulnerable servers with booby-trapped heartbeat requests, crooks could get a peek at up to 64KB of server memory each time: the request’s 16-bit length field told the server how many bytes to echo back, and the vulnerable code never checked that figure against the amount of data actually received. The returned fragments could include data from web forms, passwords, webmail messages and much more.
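To show the missing check concretely, here is a small, self-contained C model of a heartbeat echo handler in its vulnerable and its fixed form. It is an added illustration written for this page, not OpenSSL’s own code: the `process_mem` buffer, the 4-byte “ping” payload and the `pw=hunter2` string are constructed stand-ins for a server’s heap, a real request and a secret left behind by an earlier connection, and the message layout follows RFC 6520 (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_HDR 3
#define HB_PAD 16

/* Constructed stand-in for the server's heap: the received record sits at the
 * start, followed by data an earlier connection left behind. */
#define MEM_SIZE 64
static unsigned char process_mem[MEM_SIZE];
static const char secret[] = "pw=hunter2";   /* constructed sample secret, not real data */

/* Lay out a request whose real payload is 4 bytes ("ping") but whose length
 * field claims `claimed` bytes. Returns the record length actually received. */
static size_t setup_memory(uint16_t claimed) {
    size_t rec_len = HB_HDR + 4 + HB_PAD;             /* 23 bytes on the wire */
    memset(process_mem, 0, sizeof process_mem);
    process_mem[0] = 1;                               /* heartbeat_request */
    process_mem[1] = (unsigned char)(claimed >> 8);
    process_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(process_mem + HB_HDR, "ping", 4);
    memcpy(process_mem + rec_len, secret, sizeof secret);  /* "other connection" data */
    return rec_len;
}

/* Vulnerable handler: trusts the peer's length field and never looks at how
 * much data really arrived, which is what OpenSSL 1.0.1 through 1.0.1f did. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                    /* never consulted: that is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) payload_len = (uint16_t)out_cap;  /* keeps this demo inside process_mem */
    memcpy(out, rec + HB_HDR, payload_len);           /* copies far past the 4 real payload bytes */
    return payload_len;
}

/* Fixed handler: the claimed payload plus padding must fit inside the record
 * that was actually received (the shape of the check added in 1.0.1g);
 * anything else is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PAD > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HDR, payload_len);
    return payload_len;
}

/* Search a byte buffer that may contain NULs for an ASCII needle. */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler hands back the secret when the peer claims 40 bytes. */
int demo_vulnerable_leaks(void) {
    unsigned char out[MEM_SIZE] = {0};
    size_t rec_len = setup_memory(40);
    size_t n = heartbeat_vulnerable(process_mem, rec_len, out, MEM_SIZE - HB_HDR);
    return contains(out, n, secret);
}

/* Bytes the fixed handler echoes for the same over-long claim (expect 0). */
size_t demo_fixed_rejects(void) {
    unsigned char out[MEM_SIZE] = {0};
    size_t rec_len = setup_memory(40);
    return heartbeat_fixed(process_mem, rec_len, out, sizeof out);
}

/* Bytes the fixed handler echoes for an honest 4-byte request (expect 4). */
size_t demo_fixed_honest(void) {
    unsigned char out[MEM_SIZE] = {0};
    size_t rec_len = setup_memory(4);
    return heartbeat_fixed(process_mem, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler, over-long claim: %zu bytes echoed\n", demo_fixed_rejects());
    printf("fixed handler, honest request:  %zu bytes echoed\n", demo_fixed_honest());
    return 0;
}
```

The vulnerable copy stays inside the constructed buffer only because the demo caps it; on a real server the over-read walked into whatever heap memory happened to follow the record, which is why the leaked content was effectively random and why repeating the request was the attacker’s way to harvest more of it.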

According to the UK Information Commissioner’s Office (ICO), Gloucester City Council took more than three months to patch vulnerable systems after a patch became available.

Three months’ delay was simply not fast enough, said the ICO, especially considering that hackers were able to abuse the security hole during that period and access more than 30,000 emails, including personal information about 30 to 40 council staff.

As the ICO puts it:

The Commissioner’s underlying motive in imposing a monetary penalty is to promote compliance with [UK data protection laws] and […] to ensure that appropriate and effective security measures are applied to personal data.

The email that cost $1.9m

Southern Oregon University is the latest institution to fall for social engineering, after scammers conned the university into wiring funds to them.

The Mail Tribune reports that scammers purporting to be Andersen Construction, the firm carrying out building work on a student recreation center, emailed the university requesting that its spring payment be made to a new bank account.

The accounts department transferred $1.9 million, but a few days later the construction company confirmed that it hadn’t received the money.

Following the incident, the FBI issued a warning to universities to highlight the risks.

“We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities,” said SOU spokesperson Joe Mosley. “We’re not alone.”
