Wednesday, April 18, 2018

Russian router hacks could even target home and small business users


Dan Goodin, of Ars Technica, has a somewhat detailed account of the recent reports from DHS and FBI and the UK’s National Cyber Security Center, that the reports of Russian hacking of corporate routers may well include small business and even some home officer routers, link.
  
The story was released April 16 and was reported on WJLA (a Sinclair station) local news early Tuesday.
  
The Ars Technica story emphasizes homeowners having older firmware and not always maintaining routers properly.  Some security experts say that cable company routers should be restarted once a month to reinstall any firmware, but I find that cable companies usually force maintenance in the early AM hours (leading to brief outages).
  
  
But some observers see this report as sinister.  Compromised routers could facilitate “man in the middle” attacks, and could provide some of the push for all websites (even those without requiring login to sell anything) to use https.  They could provide ways for hackers to steal financial data or trade secrets or to stage novel new kinds of terror-like attacks targeting ordinary people, although this doesn’t seem to have happened.  But the North Korea attack on Sony in 2014 might be a paradigm to follow.

Tuesday, April 17, 2018

More on fixing legacy webpages for https everywhere



Here is some more information on the progress to enabling https, at least on my domains.

On Blogger, the three custom domains automatically convert to https if you enter http.  The thirteen other blogs as “blogspot” simply accept https.  I suspect that Google will force these to redirect before July for the Chrome68 implementation.

My four wordpress custom domains through Wordpress all accept https.  They can be accessed with http, but will work with “Let’s encrypt”.  Bluehost offers pingbacks when you make hyperlink referenes among these domains.  Pingbacks generated after the https certificates were implemented and propagated (as positive SSL) become https.  Older pingbacks right now are still http.  If you want to review the pinged site you have to enter https yourself in the browser, then you can see it under SSL (I just tested it).  This is not ideologically perfect, but I suspect this will be OK in July.

I haven’t gone through the Wordpress blogs and converted all the internals to https, although there really aren’t that many, fortunately.  Right now the user can insert the https on older links.
   
Google’s link (mentioned April 1) recommends that users deploy an Open Source tool called Lighthouse  to “clean up” their web pages.  This might take a long time for bloggers with a huge inventory of legacy pages, as I have.  Ramsay Tamplin (“Blogtyrant”) made similar recommendations with a different technique that I linked to here on November 13.

I have purchased a positive SSL certificate for my verio legacy doaskdotell.com domain.  So far it has not been propagated.  There is a massive number of hardcocded links within this very old site.  They could be changed by gang edits to relative links (as here).  I don’t think I will get to this right away, however.  I’ll keep everyone posted.

It is also worthy of note that Google Blogger no longer will publish posts with video embeds that include http (as opposed to https) code. 

Friday, April 13, 2018

All my blog custom domains (Wordpress and Blogger) now have https enabled



I have updated all four (the three remaining) Wordpress blog domains and the three Google custom domains.
  
The Google domains were easy. You just check a box in settings for each corresponding Blog, wait about an hour for propagation, and then check a second box to autoconvert all accesses to https.
   
For Bluehost Wordpress hosting, now you can do multiple domains within one cPanel.
  
One of the domains had minimal SiteLock protection, and that one took the free SSL certificate. Two others, that are newer, have SiteLock CDN (similar to Cloudflare). For these, you have pay for Positive SSL (about $5 a month) and assign a new IP address for the domain (or remember to ask the support technician to do so – not everyone knows this yet).  You then wait for the new IP to propagage. You can check the progress of the propagation on “whatsmydns.net”.  It helps to reload it a few times;  that seems to prompt progress.  The site will go to your BlueHost panel as a redirect or give database errors on https until the entire propagation all over the world is done.  During the propagation, it is possible for foreign servers, especially, to reject your IP address, but this will not prevent the rest of the locations from working.  There seems to be at least one server for every telecom company around the world.  There are many server sites in non-democratic countries.

I hope later that SiteLock will cause the automatic conversion to https to happen.  I am told it is supposed to.   
  
 China blocked one of my domains (the movie reviews).  Maybe that’s retaliation for Trump’s tariffs, or maybe that’s because I had reviewed some films about dissidents (Weiwei).  I don’t think I threaten Xi Jingping’s being god-king for life. 

I've noticed that Trend Micro, at least, does not automatically mark https versions of green http sites as green; it seems to view them as new domains.  This seems illogical. 

Sunday, April 01, 2018

Google Chrome orders publishers to get SSL on all their sites by July 2018, "or else"



Google is now advising web publishers that its browser Chrome will start marking sites as “unsafe” (so to speak) if they so not have security certificates accessed with https, in July 2018, as in this story.   Google's own link is here
  
The Search Engine Journal offers analysis on Chrome use compared to other browsers.  But it would sound reasonable to wonder if other browsers intend to do the same.

The story (with a sublink) offers a guide for migrating a Wordpress site.  This looks like a time consuming process, but many blog sites probably don’t use a lot of the features of concern. 
  
Google says that the conversion is important even for sites that don’t do ecommerce or require user login.  This seems debatable.  But one problem is that sometimes unencrypted sites allow actors to insert ads (or even scareware) or possibly illegal content into the stream sent by a user, and this may not be picked up by an antivirus product.  It would be a good question whether Microsoft Windows 10, for example, could come up with other ways to disallow man-in-the-middle attacks.
Google first started talking about this in 2014, but the concern has really picked up since about the end of 2016.
  

There is a product called the Unified Communications Certificate (UCC) which Godaddy, for example, explains here, for multiple domain names.  But Comodo systems explains other concepts such as Multi-Domain SSL and Wildcard SSL here.  It appears as of this writing that such a product on BlueHost would still require separate cPanel’s for each domain, but I will check further into this.
I usually announce my own plans on a secured Wordpress “doaskdotellnotes” blog (it has https).  I would anticipate trying to have my other three wordpress domains secured by the end of June, 2018. 

There is a lingering question on Blogger why Google custom domains (when equated to Blogspot blogs) cannot have these certificates.  Will Google change this before its new Chrome policy goes into effect?
  
See the notes at the end of the Jan. 8, 2018 post here

Friday, March 30, 2018

I'm getting random "scareware" attacks from MSN on Windows 10; Trend doesn't show them



On two occasions in late March, when I have gone to an MSN story displayed by Microsoft Edge, on a Windows 10 computer with the latest fixes (and Creator’s Update) I’ve gotten a red page and “Internet warning” which demands payment for tech support.

The screen goes away by merely closing the browser.  I have always restarted the machine. Trend Micro screens do not show malware, nor do they show a block of the page.  Edge history does not show the page.

Both stories appear to the with “http” (not https) so it is possible that this is an interception and a “man in the middle” attack.

I have Cox as the telecom provider now.  In a previous location I had comcast.  On a few occasions I got such screens from random sites on Google Chrome, which I believe were always http.  The problem always went away with closing the browser and restarting, on this same HP Envy machine.  But I believe that Trend reports in those cases noted a blocked site.  

Not all news or media sites use or enable https for ordinary browsing yet.  I just checked Time and it does not.  But I have not tried to see if MSN can enable “https everywhere”. 

One other interesting observations about the MSN stories:  they are always derived news stories from other sites.  It is usually possible to just go to the original news site, which may be “safer”.
Windows 10 should be able to intercept this sort of attack.
  
Tuesday, while on an Amtrak train, an ASUS laptop with Windows 10 updated Trend and required a restart.  But then it required a second restart when I got home.  I’m not sure if Trend was working properly during the “Crypto Party” in Philadelphia, but I didn’t notice anything.

If it happens again I'll have the presence of mind to take a photo of the screen.  But the natural reaction is to close the browser instantly.



Update:  March 31 (Major)

I find that if I key in "https://www,msn.com" first then all their news comes up https.  So far doing that the problem hasn't recurred. So far, I can't get abcnews and time to come up with https, but I'll keep experimenting.

There's more.  On another machine, an ASUS originally built with Windows 10 and not converted from 8.1, the MSN automatically comes up as https without having to be told do so.  Are there some security problems for older machines converted to W 10 with Edge added after the fact?  It looks like it.  

Wednesday, March 28, 2018

US Cert reports on password spray attacks



Here is a report on US=Cert advisory TA18-086A “Brute Force Attacks Conducted by Cyber Actors”  with what CERT calls “password spray attacks”.

The attacker will conduct algorithmic password cracking attacks against a long list of related customers of a particular site, returning to all the customers in cyclic fashion, rather than be rejected after repeated attempts on just one.

  
GitHub has a similar writeup here.

Monday, March 26, 2018

Facebook could have logged Android users' SMS messages from users who accidentally gave permission




Media sources are reporting that Android phone users may have unintentionally given Facebook permission to log their calls and messages “behind the scenes”.  This is not allowed on the iPhone.  Here is FB's own link

Qz has a critical story here.   NBCNews has a story here.
  
NBC News has a simpler tutorial on how to protect your Facebook data if you think you need to.
  
   
I had an android phone from late 2011 until, as I recall, early 2014.  When I got messages it would growl "Droid" in the night. I think I had the Facebook app, so it is conceivable that I could have been logged.