Friday, December 02, 2016

Wordpress wants all bloggers on https by the end of 2017


Wordpress (Automattic) has announced that it will step up work on implementing SSL, with the hope that all blogs will eventually use it (https) by the end of 2017, post here.

Since SSL works by domain name, that means accounts with multiple domains, with an owner and subdomains that actually have their own URLs, would have to be set up in single domains as subdirectories.  This would be a lot of work for a hosting provider like Bluehost and its customers to implement smoothly.

That's also the reason why Google can offer https now on blogs addressable only under "blogspot" but not to custom domains equated to blogs.  People tell me the latter can be done, but it will be a lot of work.

With Trump coming to the White House, many service providers are on edge now about "national security".

I wonder why Trend Micro has Automattic's rating as gray.  

Thursday, December 01, 2016

FBI gets authority to hack into citizens' computers and phones with much simpler warrant procedures


As of midnight this morning, the FBI gained authority to hack into computers, networks, and phones with simple blanket federal warrants, as explained this morning in a typical story in New York magazine here.

The Senate did not stop this authority.  Previously, multiple local warrants would have been necessary.


 
It’s not likely that this could affect most users (“if you aren’t doing something you shouldn’t be doing”).   It’s unclear if major computer security firewall products will prevent the hacking.  The FBI may want this capability particularly to counter terrorism and recruitment by foreign enemies (ISIS) which Trump is likely to continue.

Friday, November 25, 2016

Fake apps are likely to pester companies that don't create their own; stolen identities can use fake social media accounts (esp. less popular ones)


Tonight, on Black Friday, several media sources noted that companies (selling in major box stores) that don't have their own smart phone apps are likely to find that crooks will create phony apps in their name.

The advice is to download the app from the vendor or possibly the retailer but not from an app store.

Another risk is that individuals who do not sign up for a particular service may learn that others have created accounts in their name.  This could happen with Snapchat and Instagram.  When I signed up for Instagram, I found a bogus account in my name with nothing in it, but it had to be removed first.  

Thursday, November 24, 2016

2-step verifications can now use thumb drives as security keys


Google is recommending that users of Google accounts on true laptops or desktops with USB ports now consider getting security key thumb drives for use in 2-step verification of their Google accounts, rather than use PIN codes by smartphone or pre-print.  They also recommend financial institutions offer similar products, which can work with Google Chrome.  The writeup is here.
   
Although the 2-step process now available pretty much stops password cracking, it’s possible for a hacker to entice a user with a duplicate built to look exactly like the original (and presumably use phishing to entice clicks, or misspellings, that today lock up browsers with scareware).

Thursday, November 10, 2016

Beware of scams in new shopping apps for smartphones


Now the latest warning is to be careful of scamming “shopping apps” from your smartphone.



Be wary of apps that don’t have any or many reviews, or that link to other apps.  Most of the rogue apps seem to come from China.

(To view the NBC News embed, turn off the https and use http.  To have to say that seems ironic on a blog about Internet security.)

Wednesday, November 02, 2016

Microsoft to patch "Fancy Bear" vulnerability on Election Day, but Adobe seems to have done all necessary patches to Flash


Microsoft plans to patch a vulnerability in its Windows operating systems from 7 to 10 on Nov. 8 (Election Day, ironically), a bug known as “Strontium” or “Fancy Bear”.  The “Strontium” name seems to refer to loose nuclear waste in former Soviet republics (especially Georgia).  A British security site Itpro has a good explanation here.

The zero-day vulnerability seems to be spread by phishing attacks, especially those appealing to the “It’s free” mentality, and seems to affect Adobe.  There is some suggestion that the vulnerability originated in Russia and is intended to sabotage political campaigns.

Adobe also is warning users about the vulnerability “CVE-2016-7855” (story).

An attacker could gain control of a user’s system when viewing an infected Flash file.  Almost any operating system could be affected, but Adobe says its fixes will work on all systems.

Adobe has a blog posting on the matter here.

When I visited the download center in Windows 10 it told me that Chrome will automatically download any new versions when needed.

Recently I did get a warning from one site that I actually thought looked suspicious.

Google has a security blog entry describing the problem here.

Some sources say that Microsoft’s Malicious Software Removal Tool (which takes a long time to update, always) already protects users.
 


Some older YouTube videos (including some embedded by me) invoke Adobe Flash, and Mac systems seem to block these by default.

Trend Micro says that its latest builds protect Windows users from malicious exploits possible from the vulnerability, here.

Thursday, October 27, 2016

Fed Ex spoofed in a phishing scam; other reputable sites have malvertising issues; Windows 10 update today causes a temporary crash in Trend Micro


Tonight, for the second time in two weeks, I got a phishing email on a failed delivery of a FedEx package.  The other one had come when I was expecting a package.  The giveaway is that it had a zip file attachment.

It's a good idea if you have a UPS store address to have it email or text you when it receives a package, so you know what is legitimate.

DHL has had similar issues.



Tonight, when going to a non-existent blog posting on a reputable site (tech republic), an ad (for a "for-profit university") was served, as well as a bizarre xyz domain registration page.  The trace showed loading of an ad service platform tnctrx (located in Loudoun County VA).  No harm was done, but the site seems to have a little "malvertising" resulting in adware that went bad when loading.  Trend Micro did not find any problems (processes or files) or flag anything.

Also, today, a Trend component coreServiceShell.exe was found to have crashed after finishing a routine full scan successfully (Windows 10).  Trend worked normally upon restart of Windows 10, which had just done a scheduled update cycle today.