Tuesday, February 07, 2017

Spam comments try to lead to fake Internet security links

I have become aware of the practice of some spammers to send spam comments to blog postings about various Internet security companies with links to fake sites pretending to be the security company. This is a variation of the usual email phishing, where the spammer tries to put spam comments on blogs with fake links.

Comment moderation (or use of services like Akismet) should stop this.

In one case, Google comment moderation warned me on a comment with a hidden link to “webrootsupportphone dot com”.  I have reported this to the company but it appears not to be legitimate.
This probably happens with all major security companies.

Tuesday, January 31, 2017

Trump postpones cybersecurity EO, but has specifically mentioned power grid security, which is unusual

President Trump postponed signing an executive order related to cybersecurity today, with no reason specified, according to NBC News, story here.

The president talked to some tech security companies today, and made a brief statement.  It is interesting that President Trump mentioned the power grid as a possible target, as so well documented in Ted Koppel’s book “Lights Out”.   I have actually tweeted "RealDonaldTrump" directly on this issue.

The president could tighten rules about network topology that even makes it possible to access the power grids or other infrastructure, or that leaves components (like transformers) vulnerable to sabotage.

Sunday, January 01, 2017

"True Key" from Intel, provided facial recognition sign-on, seems to come with a recent Windows 10 update

I recently had problems with an install of a Microsoft update KB3206332 of Windows 10 after the cumulative upgrade last August, on a Toshiba Satellite that had been converted from Windows 8.1.

I kept getting repeated errors "0x80070564" after very slow installs ("preparing to install", 1%, then 20%). Also, when booting up, Trend Micro would take a long time to start, prompting warnings.

Geek Squad got it installed, but said it found malware (with Webroot) that Trend Micro had missed. It thought the errors were due to the malware.

But the Adobe Flash, which had updated before, now offers a "True Key" option rather than password for log on. (It has not done this on my HP Envy with the same update.) I tried to use it, and I could not get it to take my picture properly. Maybe my Comcast Internet wasn't strong enough (it has been shaky recently). Eventually I had to opt out and go back to regular log on. True Key will tell you to use your Microsoft password, but actually you have to use the password for that computer, which can be different.

Here's the link for True Key. But curiously that site (which displays the Intel trademark) has a gray rating from Trend, but there is another green link on Intel's site here. Bleeping Computer says the original link is OK (answer to question here).

Tuesday, December 27, 2016

Security odds and ends for Christmas week

Here are a few odds and ends during Christmas week.

Trend Micro has flashed that it now offers password encryption on all your major sites (which might include websites or blogs you own, as well as social media).  This is another feature besides two-factor identification, and I haven’t looked into it much. It also offers endpoint encryption for business, here.  It’s your own private “ransomware”.

Watch out for some new phishing scams. There’s a new one for rental houses and for putting homes on the market.

Webroot reports on a ransomware scam attracting victims with fake credit reports.  Webroot also reports on a new scheme for stealing cars with keyless ignition.  Car thieves also use radio signals to keep car doors from locking.

I had a situation where a garage door got stuck on open.  The garage contractor reprogrammed it.  I think it timed out because I didn’t close it in time, and that there is a firmware issue (in my specific case).  But this sounds like another possibility for hacking and a possible home security issue.

Friday, December 09, 2016

"12 Days of 2FA" from EFF (two-factor authentication)

Electronic Frontier Foundation has a valuable summary by Gennie Gebhart on “2FA” systems – “two factor authentication”, link.
The authentication is based on a password, where you are, and what you have.  (That's really three factors.) Sites that make you re-authenticate when on a different computer (even in your own home) are using this practice. 

EFF is sponsoring a “12 Days of 2FA” event.

EFF prefers the use of hardware tokens like YubiKey when possible, as it would be harder for a totally fake copy of a regular site to trick you, and as governments could not track your smartphone use into metadata.

Update: Dec. 23

Apple says it has turned on 2 factor identification with the iOS 10.2 release. But Forbes says there are other problems (especially with power shutoff issue at 30%, here).

Friday, December 02, 2016

WordPress wants all bloggers on https by the end of 2017

WordPress (Automattic) has announced that it will step up work on implementing SSL, with the hope that all blogs will eventually use it (https) by the end of 2017, post here.

Since SSL works by domain name, that means accounts with multiple domains, with an owner and subdomains that actually have their own URLs, would have to be set up in single domains as subdirectories.  This would be a lot of work for a hosting provider like Bluehost and its customers to implement smoothly.

That's also the reason why Google can offer https now on blogs addressable only under "blogspot" but not to custom domains equated to blogs.  People tell me the latter can be done, but it will be a lot of work.

With Trump coming to the White House, many service providers are on edge now about "national security".

I wonder why Trend Micro has Automattic's rating as gray.  

Thursday, December 01, 2016

FBI gets authority to hack into citizens' computers and phones with much simpler warrant procedures

As of midnight this morning, the FBI gained authority to hack into computers, networks, and phones with simple blanket federal warrants, as explained this morning in a typical story in New York magazine here.

The Senate did not stop this authority.  Previously, multiple local warrants would have been necessary.

It’s not likely that this could affect most users (“if you aren’t doing something you shouldn’t be doing”).   It’s unclear if major computer security firewall products will prevent the hacking.  The FBI may want this capability particularly to counter terrorism and recruitment by foreign enemies (ISIS) which Trump is likely to continue.