Tuesday, December 28, 2010

Man in Michigan prosecuted for reading wife's email without permission; prosecutor calls it "hacking"

Leon Walker, of Rochester Hills, MI, is being prosecuted for reading his wife’s emails without permission, after he looked up her password in a book on the desk and read her email before divorce litigation (apparently after she had filed for divorce, though).

The Oakland County, MI prosecutor calls this “hacking” and is prosecuting Walker under Michigan’s anti-hacking law.

This gets interesting. If you read another adult family member’s email without permission, is that “hacking”? What if you do it at work? Maybe you should be fired, but should you be prosecuted?

Walker could face five years in prison. He is an IT professional and says he bought and set up the home computer.

I think some people in bad marriages would quote "The Social Network" and say "Let the hacking begin."

Fox Channel 2 in Detroit has the story.


Thursday, December 23, 2010

McAfee Security Scan Plus now offers Site Advisor

Last night, on my Vista laptop which uses Webroot Spysweeper as the main security software, McAfee Security Scan Plus (a free addon) invited me to download and install McAfee Site Advisor. I did so, and now on Internet Explorer and Mozilla the ratings banner shows, as well as on search results from Bing and Google.

Then, when I went to Internet Explorer, Site Advisor encouraged me to switch from Bing to Yahoo Secure Search as the default search engine. When I clicked OK, IE hung and crashed. When I restarted IE, Bing remained the default search engine, so I left well enough alone.

Except that I now notice a "secure search" box on the upper right, on the IE Toolbar, that goes to Yahoo!

On Mozilla, I see MYWOT (Web of Trust) on the URL line, and McAfee Site Advisor on the lower right. I’ll watch for differing ratings. The "Secure Search" icon (like Sherlock) is also on the lower right.

Also, now I get the "not secured items" display warning box from IE a lot more often (unnecessarily).


Update: Dec. 25

McAfee is now telling me that the encrypted Google page on Firefox has unencrypted content. Don't know if this is an artefact.  And on Mozilla MyWOT is objecting to some advertisers on accuweather.com, even though they are marketers I have seen repeatedly for years. 

Wednesday, December 15, 2010

McAfee Security Scan Plus warns on parked domains mimicking more popular sites

Today, the free McAfee Security Scan Plus add-on on my Vista XPS laptop warned me of “one issue” when it ran its quick scan: a yellow warning on finding a cache entry for “twiiter.com”, a misspelling of twitter, among links. The wording of the warning was dire, so I tried the site on another machine, an older XP laptop with McAfee Site Advisor. It told me that it’s a yellow site, with suspicious behavior. The one suspicious behavior reported was phishing scams; it was linked to green sites otherwise.

Many popular sites have domain name clones on the web, which nearly always consist of parked-domain-style links. McAfee and WOT will flag some, but not all, of these as fake domains. Webroot does not care about them unless it finds specific malware on the sites (but Webroot does have its own internal “reputational screening” within its active shield).

Commercial website owners would be able to litigate against the “fake names” for trademark dilution, especially after the 2006 trademark dilution law strengthening to allow prospective suits.

Monday, December 13, 2010

Gawker commenting account passwords compromised

The Associated Press is reporting today that Gawker has admitted that its user database has been compromised. Users should change “commenting account” passwords, and also passwords on other sites that match those used on Gawker. The link is here.

Gawker’s own version of the recommendation is here.
Gawker owns some other sites such as Gizmodo which could be affected.

The incident is different from the recent attacks on MasterCard and Visa, which were denial-of-service attacks. The Gawker attack actually was against user accounts.

Thursday, December 09, 2010

Wikileaks minions may represent an "uncontrollable" security threat to ordinary businesses that make "enemies"

The ease with which Visa, MasterCard, and PayPal were disrupted yesterday after they pulled the plug on Assange and Wikileaks is leading to calls of alarm even if all the sites were back in operation quickly.

The breaches seem to have been distributed denial-of-service attacks, which may be very hard for even sophisticated sites to stop (by measuring the flow of, and rebounding, packets that try to "attack your machine").

The Washington Post, however, ran an alarming story by Joby Warrick and Rob Pegoraro, “Wikileaks; resilience shows strength of Internet-age lifelines; Supporters go on offensive to keep site afloat amid enemies’ fusillade”, link here. We either live in a “transparent world or shut down the Internet”, the article ended, quoting journalism professor Jeff Jarvis, who said that legitimate MasterCard and Visa customers, including the major newspapers that published the “illegally” leaked documents, all use these major credit card companies.

In the New York Times, John F. Burns and Ravi Somaiya ran a story “Hackers attack those seen as Wikileaks enemies”, link here. Webroot conveyed this story on Twitter.

We understand the latest Wikileaks “victims” are PayPal and Sarah Palin. John Sutter, a tech writer on CNN, discusses this here, as a kind of enlarged pranksterism. It’s possible that small businesses or websites on hosted services that make “enemies” could become DOS targets because presumably they couldn’t afford the overages, unless their ISP’s could detect the DOS quickly, and then there is the nuisance issue. That’s why, for the community as a whole, it’s important that home computer users practice good security at home.

Late Thursday, Netherlands police arrested a 16-year-old in connection with the DOS attacks on MasterCard and Visa.


Monday, December 06, 2010

Webroot finds Java bytecode virus "Mal/JavaHeL-C" aka "Trojan.ByteVerify"

Today, a sweep of my Vista laptop by Webroot Spysweeper found, in a file toward the end of the sweep (not in the Registry) a new virus “Mal/JavaHeL-C”, for which Sophos Security has a recent entry (webroot url) here.

The virus has two alias names, including “Trojan.ByteVerify”, for which Symantec (Norton) has an entry here.

It appears that the virus can change the Internet Explorer home page, or add entries to favorites. It apparently exploits an IE byte code vulnerability. I have not seen any symptoms on my computer. It seems to have no effect on other browsers, including Mozilla.

A techguy forum gives a detailed log of detection, here.

Sunday, December 05, 2010

Big NYTimes story slams enormous problems controlling cyberbullying

Here’s a big front-page story in the New York Times on Sunday, December 5, “As bullies go digital, parents play catch-up”, by Jan Hoffman, link here.

The story gives a horrific account of a teen’s impersonation of someone else on Facebook in order to besmirch his reputation. The parent who tried to get it stopped herself became a target of cyber bullying.

Parents face challenges in not being savvy enough to intercept the threats even if they do monitor their kids online, and schools in many states seem legally challenged to deal with behavior that takes place “off campus.”

The article also depicted kids’ cell phones as “mobile computers” rather than as communications devices for reaching parents when needed.

Many of the incidents in this article are appalling, and some kids have no business on the Web. Many teens are unable to grasp the long-term consequences of behavior or have no real understanding of acceptable forms of social competition. As Dr. Phil says, “they don’t see around corners.”

Yet, when I was substitute teaching, I heard of few or no instances of cyber bullying myself in northern Virginia schools.

Generally, kids of a certain level of maturity (the kind able to get on “It’s Academic”) understand appropriate Internet use. Even so, there are tragic incidents. The college kid who webcammed Tyler Clementi had been an AP student in high school.

The tone of the long article suggests that adults, for their own communications purposes, have let kids in on a technical infrastructure that they may be incapable of using without unacceptable risk to everyone.

Saturday, December 04, 2010

Watch out for phish offering to "get you back on Facebook"

This morning I got a “getting back onto Facebook” email spammed to me. Since my Facebook was working normally I knew it was spam. Fortunately, AOL had hidden the links so nothing in the email could “execute”. But it appears to be another kind of phishing, an attempt to get personal information or perhaps access to your Facebook account so that it can be abused.

By the way, I get a phishing attempt regarding Bank of America almost every other day.

Wednesday, December 01, 2010

Facebook scam spams your friends, pretending to show you who viewed your Profile

Here’s another Facebook scam, as described by Amar Toor on Switched. You see a message on your Wall inviting you to use an application that lets you see who viewed your Profile (rather like knowing who bought your book or went to your movie), and if you use the app, it spams all of your “Friends”. I guess that’s a way to lose them. The Switched link is here.

Sophos (which works with Webroot) has a version of the story here.

Monday, November 29, 2010

Bizarre worm in Facebook "random applications" leads to more discussion of site's security; checking Friend requests

So here’s a story by British criminology graduate student Zack Whittaker on ZDNet about a new worm whose bizarre links seem to be showing up in a lot of Facebook friends’ lists these days. The story is (website url) here, in an "iGeneration" piece. Note the use of the word "infested" instead of "infected". The worm has various random names such as “S22BZ5”. There follows an existential discussion, especially in the comments, as to whether Facebook is “secure.”

I know that I started getting a run of Friends’ requests, from people who probably wouldn’t have a legitimate interest in me. At least one stated his birthdate, and it seemed that some were underage, which sounds dangerous. Maybe a worm masquerading as a police sting. Someone who doesn’t have a lot of “Friends” (pun) should probably look at the profile of every request. My own policy is not to accept any Friend whom I believe to be under 18 (unless I know him or her from a legitimate source).

Saturday, November 27, 2010

Webroot quarantines "Rogue Security Products" from active Shield

This morning, while surfing blogs that displayed ads, I suddenly got a warning from Webroot that it had quarantined “Rogue Security Products”. All previous quarantine incidents have occurred when running the sweep (which gets longer all the time). Webroot says that it is an adware program. Apparently it would try to prompt the user to purchase a fake anti-virus product. No such ad appeared in my browser or on my screen.

Webroot’s blog entry for the problem, dated Nov 22, is here.

There follows a discussion of Karagany, a fake “security” product that hides in Adobe applications.


Video: “Trojan Mimics Adobe Updater”, from Webroot Threat Research on Vimeo.

About three years ago, my blogs sometimes attracted comments attempting to sell fake anti-virus software. Since I have monitored comments, spam comments have disappeared. But one time when I tried clicking on a link, an application icon came up (on an older XP computer), and McAfee did not detect it. (All such comments have been removed.)

Picture: Sartor Resartus, and a cluttered closet.

Wednesday, November 24, 2010

Webroot/Sophos detect mysterious malware "Mal/JSIfrLd-A"

Today, Webroot made me run the biweekly sweep (now up to 3 hours and 600,000 files across 2.5 million definitions -- it doesn't let me work until I run this), and in the files (not registry) it spotted “Mal/JSIfrLd-A”, which it called a “virus” (not a spy cookie) and quarantined at the end.

The only definition I could find on the web is a generic listing from Sophos (Webroot’s antivirus engine), here, dated Nov. 22, 2010. I found a similar listing from 2008 by surfing, but this appears to be a new variation of a previously low-prevalence threat. Since the date is recent, the Shield may not have detected the virus during surfing before Nov. 22. You can look at the Sophos “malicious behavior” link and find a general description of how it looks for “malicious behavior” with what it calls “genotype protection”, as here.

Apparently it found an executable with markers known to be associated with spyware or malicious activity and not considered part of legitimate application code. It’s possible that it found accidental “unsafe code” in a legitimate module, but there is a risk that it could have found the “virus” in an executable placed there by a website and inserted originally on a legitimate corporate site by a hacker, for later use in identity theft or perhaps DOS attacks.

Search engines find numerous lists of new threats including this and similarly spelled "Mal/" threats, but they always point back to a Sophos link, which gives little information other than "suspected malicious behavior". This may be spyware or keylogging or attempts to sell fake anti-virus products.

Webroot has been sending me advisories of a new Security Essentials upgrade, which I can only do by working with Geek Squad to remove a duplicate record on their files; I may get this done when I go to Windows 7. 

Both Webroot and Kaspersky have a "street" reputation of being much stricter with suspected malware than McAfee and Norton. Webroot has a very active Twitter feed.

(Note: the spelling of the virus name seems to have an "l" (lower case "L") and only then an "I" (upper case "i"), according to search engines, when looking it up.)

Saturday, November 20, 2010

Reprise on the Stuxnet worm: Q&A from Yahoo!, Webroot

Yahoo posted a Q&A on the Stuxnet Worm back in August which Webroot has reminded us of with a tweet. The link is here.

The worm seems to relate to the way Microsoft shows some shortcuts on the desktop. It may relate to the fact that touchpads on some laptops will try to create new shortcuts by mistake.

But Stuxnet appears to have been released with the idea that some people will take devices like USB flash drives from home to work. The main harm could be in process control at power plants or manufacturing. There are some reports that Stuxnet is related to centrifuges in processing nuclear ores and was targeted at Iran’s controversial nuclear industry.

Major infrastructures like power grids are not supposed to be reachable from the public Internet. But as far back as 2002 there have been scattered reports of access points, and grids could be vulnerable to devices brought from other sites or from home and connected to work computers. Even military computers have been known to be infected this way.

Tuesday, November 16, 2010

Much of US government and military and ordinary home traffic was mistakenly routed through China; more on Stuxnet

Shaun Waterman has a story in The Washington Times on Tuesday, Nov. 16, reporting that about 15% of American Internet traffic was routed through China for an 18-minute period in April, owing to some rogue networking optimization algorithms. Some of this traffic came from US government and military computers. Obviously, hackers could have enjoyed an opportunity to corrupt the traffic.

The story appears on the front page of the Tuesday, Nov. 16 Washington Times and has this link.

There are also media reports that the Stuxnet worm was designed to disrupt Iran centrifuges associated with nuclear materials, but the worm has the potential to affect process control in various industrial operations and electric power grids, and it might circulate as an apparently harmless Trojan in home systems.

I had to chuckle today at NBC’s “Days of our Lives” when a character gets a computer virus from a video and didn’t bother to use anti-virus software and is so naïve!

Thursday, November 11, 2010

Twitter offers picture chart comparing anti-virus software

Twitter has a chart (“Twitpic”) that compares the results of tests by various anti-virus vendors. Webroot scored well, and, yes, Webroot sent out the Tweet. Here’s the link. You might have to refresh it once.

I thought that Titanium was the cloud product, but it scored lower.

By the way, I’m getting advisories from Webroot to upgrade to new Essentials (that includes a new firewall, replacing Windows), but because of a duplicate license issue going back to Best Buy, it won’t work. I’ll probably have to take care of this if I go to Windows 7 and do a big upgrade of everything.

I also have Kaspersky and McAfee on two other Windows machines (and stripped down McAfee on all machines).

By the way, security experts recommend putting "tiny url" preview tools on your machine before clicking on shortened links from Twitter, unless you know the entities you follow well.

Wednesday, November 10, 2010

FBI probes DOS attacks against antipiracy sites

A hacker group called “4chan” has launched anonymous denial of service attacks on websites of organizations heavily involved in copyright litigation, according to a CNET story by Greg Sandoval, link here.  The FBI is investigating attacks that took down a number of these sites, including that of the US Copyright Office.  The group apparently takes the “extremist” position that copyright protection is a kind of censorship.

Friday, November 05, 2010

Could home router owners be responsible for illegal downloads by wardrivers?

The whopping judgment against a Minnesota woman for illegal downloading that she says she didn’t do raises a question. True, RIAA says it is not suing now but is working with ISP’s. But if you have a home router, and a wardriver gets too close and does illegal downloading with your router, are you responsible? I wonder.

The server logs will identify the computer as well as router, so you would be able to prove it wasn’t your own computer. (See IT Jobs blog, June 10, 2010). But could you be responsible anyway? A hotel would not be responsible for illegal downloading done through its wireless network, I would think.

Many ISP's provision home routers for use without logon, but from a security viewpoint, that may not be a good idea.

Tuesday, November 02, 2010

Application fingerprinting may become more important than virus signature files

Webroot, a Denver based security company, has bought UK security vendor Prevx in order to establish a foothold in cloud-based security.

Prevx is a leading player in “application fingerprinting technology” which is likely to become critical in the future. It is getting increasingly difficult to maintain adequate security with regular updates of virus signature files and probably anti-virus engines on individual PC’s.

Tech World has a story on the acquisition by John E Dunn, with the title “Antivirus scanning becoming inadequate, says Webroot CEO”, link (website url) here.

Webroot sent this out as a tweet today with a condensed URL, which did not convert when I pulled it up. That hasn’t happened before. That tiny link was this.

Friday, October 29, 2010

Firesheep (from Firefox) refines our understanding of "HTTPS Everywhere" and what sites should do

Electronic Frontier Foundation has an important piece by Seth Schoen, “The Message of Firesheep: Implement Sitewide HTTPS Now”, link here, dated Oct. 29.

According to the story, Firefox’s Firesheep extension demonstrates that an attacker can sniff packets from a target’s network and copy cookies, sometimes stealing logon information. The https logon might not be effective if the site does not properly encrypt user-related information. (This isn’t an issue for a flat website or blog that does not accept visitors; it probably isn’t an issue for interacting with blogs hosted by reputable service providers including Blogger, Wordpress, and most well-established shared hosting ISP’s; I’m a little bemused by the observation that others on a network could sniff Facebook or Twitter logons, unless they are talking about Facebook and Twitter plugins on other sites, and I would wonder about “wardriving” and wireless issues.) One of the features of https is that, when implemented properly, it allows a site to verify that you are who you say you are; but some sites don’t use https for all phases of this verification. Recent hardware and software advances show that this would not slow down processing. EFF says that “https everywhere” may not fully protect the visitor on websites that haven’t implemented encryption for all phases of their logon verification.
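As an added example (not from the original post or from EFF's article), here is a small audit of HTTP response headers for the weakness Firesheep relies on: a session cookie that a site sets, or a browser will replay, over plain HTTP. The header samples and cookie values are constructed.

```python
# Added example: audit a login response for cookies that could be sniffed
# on an unencrypted network, the way Firesheep copies them.
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]                 # (header name, header value)
CookieAttrs = Dict[str, Optional[str]]   # lower-cased attribute -> value, None for bare flags


def parse_set_cookie(value: str) -> Tuple[str, str, CookieAttrs]:
    """Split a Set-Cookie header value into (name, value, attributes).

    Flag attributes such as Secure and HttpOnly map to None; valued ones
    such as Path or SameSite keep their value with surrounding spaces stripped.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: CookieAttrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), cookie_value.strip(), attrs


def audit_response(headers: List[Header], over_https: bool) -> List[str]:
    """Return one finding per way a cookie in this response could leak.

    over_https says whether the response itself arrived on an https:// URL;
    a cookie set on a plain http:// response is already visible on the wire,
    and a cookie without the Secure flag will be sent again on any later
    http:// request (for example to a plugin embedded on another site).
    """
    findings: List[str] = []
    has_hsts = False
    for hname, hvalue in headers:
        key = hname.lower()
        if key == "strict-transport-security":
            has_hsts = True
        elif key == "set-cookie":
            name, _, attrs = parse_set_cookie(hvalue)
            if not over_https:
                findings.append(f"{name}: set over plain HTTP, visible to anyone on the network")
            if "secure" not in attrs:
                findings.append(f"{name}: no Secure flag, browser will also send it over http://")
            if "httponly" not in attrs:
                findings.append(f"{name}: no HttpOnly flag, readable by scripts on the page")
    if over_https and not has_hsts:
        findings.append("no Strict-Transport-Security header, later http:// visits are not upgraded")
    return findings


# Constructed sample responses for a login page; the session id is made up.
INSECURE_LOGIN: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_LOGIN: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs, tls in (("insecure login over https", INSECURE_LOGIN, True),
                             ("insecure login over http", INSECURE_LOGIN, False),
                             ("hardened login over https", HARDENED_LOGIN, True)):
        print(label)
        for line in audit_response(hdrs, tls) or ["(no findings)"]:
            print("  " + line)
```

The hardened response is what "sitewide HTTPS" means in practice: the cookie is never sent in the clear, and the browser keeps using https:// for later visits.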

Wednesday, October 27, 2010

Conservative DC paper reports that Iran-associated hackers have exploited a WordPress flaw on some sites

The “conservative” newspaper “The Washington Times”, in a front page story by Shaun Waterman Thursday, warned that hackers in Iran seem to have exploited some reported vulnerabilities in Wordpress, and planted botnet Trojans that can sometimes take control of computers of visitors to these sites. The hackers may be playing pranks or trying to attack enemies of Shiite Islam, but there is no evidence that they are connected to the government in Tehran.

It was not reported here whether standard anti-virus software actively protects visitors to infected sites and prevents their computers from becoming compromised or commandeered. Presumably major antivirus companies would detect them readily. Since WordPress is so popular with "amateur" bloggers (even in comparison to Blogger), especially sites mapped to separate domains, the report could be alarming, although the number or frequency of such sites is not known. WordPress is considered superior in some ways by many bloggers. 

Some connected vulnerabilities appear in Adobe PDF, Java, and Microsoft Internet Explorer. (The safety of Java and applets would deserve a discussion some other day; in the late 1990s the relative safety of it was touted in Java training classes.)

The link to the Washington Times (“TWT”) story is here.

Possibly in response to the stories about WordPress (and there have been earlier reports of vulnerabilities), competitor Google tweeted and published a "Blogger Buzz" story about "Safe Browsing on Blogger" here (Blogger is "its" product).

Thursday, October 21, 2010

More advice on password changes; how Cloud security is a group experience

The latest on password security has been floating around on Twitter, with a lot of it referring to an Oct. 15 New York Times article by Robert McMillan of IDG News Service, “Google: Change Your Password Twice a Year to Stay Safe”, link here.

One problem is that scammers often save passwords, and so another technique is to never use the same or closely related passwords on different accounts that you consider critical. I would think at least 4 to 6 times a year would be more appropriate. At work back in 2001, in a Unix environment, we had to change it once a month and go through a password cracker.

Google has an article by Priya Nayak on Oct. 15 on its own corporate blog, “Protecting your data in the Cloud”, link here. The company points out that since your account is considered trustworthy, scammers might be tempted to sift from other people you know, supposedly to “help you out”. Such schemes, to be sure, generally do not fool tech-savvy people or people who must know how to network online properly to generate legitimate business for themselves (including, for example, filmmakers and musicians).

Wednesday, October 20, 2010

Internet cafe displays spyware warnings on the fly, but in IE only, not Mozilla

Yesterday (Oct. 19) I went into a full service Internet café in Greenwich Village and noticed while testing a few of my blogs that “Real Threat” would identify a few spy cookies with a popup square at the lower right side of the web page, in Internet Explorer only. The same blog would not bring up the warning consistently, and it appeared at least once on Yahoo! too. The warning did not appear with Mozilla. I also sometimes got C++ runtime errors with an invitation to debug from a few sites that displayed this warning, but in Internet Explorer only.

Webroot does not show these to me on any site or browser, and neither does McAfee or Kaspersky. However, batch screens with Webroot usually do identify and (upon request) quarantine a number of common cookies, including realmedia, tripod, doubleclick, overture, adbureau. Many of these sound familiar. They are identified by repeated scans so they appear to be commonly used, and probably harmless.

Monday, October 18, 2010

Australia will start program where ISP's notify, cut off users with infected PC's; US studying plan

Lolita C. Baldor has an Associated Press story Monday Oct. 17, “U.S. Studying Australian Internet Security Program”, link here. In Australia, starting in December 2010, ISP’s will notify users whose computers are infected (particularly when taken over by botnets) and may disconnect them until fixed.

Microsoft has been urging such a measure worldwide. The Obama Administration is looking at the program for the US, but there is a general impression that in the US ISP’s won’t be encouraged to cut off consumers immediately. But Comcast will soon start a pilot program in December of alerting infected consumers. Probably security companies will offer for-fee services to clean up computers and bring them to ISP standards.

Saturday, October 16, 2010

Search engines ponder encrypting results, and looking for encrypted versions of sites

Electronic Frontier Foundation has an important analysis by Seth Schoen, “Search Engines Protect Privacy with Outbound HTTPS links”, link here.

The main point is that while searching itself can be encrypted, an engine can still return an unencrypted version of a site, even when an encrypted one is available. (The article discusses Wikipedia, and I wasn’t aware it could be encrypted.) It also proposes that all browsers offer automatic encryption, which now only Firefox can do. (Some wireless servers, as at universities, may be starting to do this.)

I wonder if this could become an issue for webmasters who offer information only (as with my doaskdotell.com site) and don’t offer logons or expose visitors to revealing PII at all.   Would search engines stop indexing us?  What about simple blogs?  Will we all be expected to encrypt our sites, no matter what?

Friday, October 15, 2010

Firefox offers bloggers a tool to block litigious sources

Here’s an odd topic for a blog on Internet safety. If you blog and don’t want to use content from sources known to be litigious, you can install a plugin tool into Firefox to block access to those sources. Then you won’t inadvertently use it and possibly face a copyright lawsuit, a topic I have covered on my “BillBoushka” blog (esp. the Sept. 8 posting).

Clayton Cramer has a blunt blogger entry titled “How to make sure you don’t accidentally visit organizations that don’t want you”, on a posting Aug. 18, 2010, about the Righthaven mass litigation, here.

A blog devoted to “Righthaven victims” offers detailed instructions on how to use the Firefox tool here.

Both list and show how to block sites from Stephens Media. WEHCO Media could probably be added to the list.

One could use this technique with sources known to file SLAPP lawsuits, too.

Tuesday, October 12, 2010

Trend Micro uses "cloud computing" rather than data file downloads to keep its security protection up-to-date

Time Magazine carried (on p. 64) a full-page paid advertisement in the Oct. 18, 2010 issue for Trend Micro Titanium Security Suite, with the website here. Trend’s tagline is “Internet Security that won’t slow you down”, and the printed ad reads “Securing your PC from cybercrime; Protect PC’s against insidious attacks without the endless security file downloads that cripple productivity”. The technique? Cloud computing. You have to have a high quality high speed Internet connection where their server will continually check your PC. One would have to be sure not to run into those notorious ISP broadband limits.
"Titanium" happens to be the name of one of my screenplays (UFO's land).

Saturday, October 09, 2010

Firefox trojan sets up automatic password saving and keylogging without user's knowledge

Webroot and InfoSecurity are reporting a Trojan that can inject a keylogger and also cause Firefox to store passwords automatically without the user’s direction. On some computers, this could also cause passwords accessed through IE or Chrome to be compromised, too.

The InfoSecurity story is here.  Andrew Brandt, of the Denver security company, has a blog posting in which he says that Firefox will “forego forgetting passwords”, as here.

He recommends downloading the latest Firefox installer from here. It’s interesting that this trojan targeted Firefox first, since Firefox has been considered safer than IE.

Webroot tracked the virus hacker to Iran, and it is not clear that any use has been made of any stolen passwords. However, conceivably an enemy could use a device like this against an institution’s critical systems. It may be a good idea for home users with Firefox to run a scan against the latest definition file soon, before reloading Firefox.

Wednesday, October 06, 2010

Microsoft wants to quarantine infected PC's from web, require PC health certificates

Microsoft has published a position paper calling for a mechanism to identify infected computers and having ISP’s disconnect them from the Internet until they get “health certificates”. The paper is titled “Collective Defense: Applying Public Health Models to the Internet”, by Scott Charney, Corporate Vice President, Trustworthy Computing.

A certificate would require freedom from malware and properly configured security software. I suppose Geek Squad and similar companies would have a business model bringing home computers up to standard. Questions could occur with home networks and routers, as to proper configurations if different computers had different vendors, or whether a given computer could or should have more than one vendor, or whether Microsoft Windows Firewall is sufficient (or whether Microsoft can beef it up). Another important issue would be the application of automated security updates. Computers or laptops that had not been used in a long time could also present issues.

Emma Woollacott has the story on TGDaily, here (it includes a download of the Microsoft paper, which is a dynamic PDF that will need to be saved on your computer). The title is "Microsoft wants 'sick' PC's banned from the Internet".

Saturday, October 02, 2010

Stuxnet worm reminds us of the need to keep work computers quarantined from home computers

Ellen Nakashima has a major article on the Stuxnet worm in the Washington Post on Saturday, Oct. 2, especially about the danger to U.S. power plants and other infrastructure. The link is here.

Apparently the worm can live on home computers with Windows systems, probably without symptoms (rather like hidden "bedbugs"), but it could make home computers into “Typhoid Marys”. If someone uses a flash drive at home and then at work on certain machines in a power plant, the possibility of infection could exist, even though the power plant should not normally be accessible through the Internet. Government agencies and companies will have to be even stricter about keeping work and personal computers separate than in the past.

Because so many people use home routers and may bring wireless laptops home from work, there might also exist other ways of “cross contamination”. This is sounding like health department regulations for commercial kitchens.

I expect that Webroot and McAfee will be publishing blog articles about Stuxnet soon, as will companies in the process control software business.

Wednesday, September 29, 2010

Should website safety ratings take into account litigiousness?

A blogger site dealing with the Righthaven mass copyright litigation has informed visitors about a Firefox plugin that will block access to newspaper websites known to be participating in the litigation. The instructions are here.

What strikes me is that WOT (also a Firefox plugin) could develop the ability to warn users about sites known to be litigious. Then bloggers could be increasingly careful about any “copying” of material from these sites (or, in cases of sites known to sue frivolously for libel, when writing about the entities).

Friday, September 24, 2010

McAfee loads new Security Center; questions about routers, ISP provisioning, and work-from-home

McAfee yesterday replaced its Security Center on one of my machines, and it has a "new look". There appears to be an improved spyware detection module (like Spysweeper), but the most important feature appears to be the "My Home Network" feature, which appears to monitor the home router (Netgear for me) as well as the PC. It appears that it is intended for a home where the same McAfee product is installed on all machines. Because retailers (Best Buy) recommend or pre-install different vendors' products (Webroot/Sophos/Spysweeper, Kaspersky), I would have to make a decision on this. McAfee also offers a new Parental Controls module (for COPA-like filtering) and PC Optimization. The Security Center also loads much faster from the tray icon.

Also, because of a possible employment matter, I might have to look into having Comcast let me provision my router so that one has to sign in to the router as well as the computer (Comcast does not seem to allow this now). That would add more security.

Some employers for work-at-home jobs (like Alpine, Live Ops, etc.) would require dedicated PCs for work, separately. It could be that the way network routing is set up with Comcast and other vendors (provisioned at the ISP, not at home) could present a security issue for some employers in some work-at-home situations. I'm not sure how Verizon FIOS works. This all bears investigation.

The first time the new Security Center updated the DAT file, it kept saying it could not connect to the Internet (when the connection was working) until the computer was rebooted, the Security Center re-opened, and two cycles of "checking for updates" were done; then it worked.

Wednesday, September 22, 2010

Malware dropper "spills" other spam-generators on testbed PC

Eric Brandt has an important warning on the Webroot blog, "Epic malware dropper makes no attempt to hide". The discussion is about yogetheadshot.php.exe (VT), which "spills" other malware on your PC, making it a node for sending out pornographic spam, potentially a legal risk for the computer owner. It also involves exploiting the Windows System Backup Dumper (winbudump.exe). Webroot announced this story on Twitter this morning.

There is a WordPress blog entry (July 11) that tracks this back to an Adobe Acrobat vulnerability, link here. But that vulnerability is supposed to have been patched, so an up-to-date Reader or Acrobat should not be exposed by that route.

I got a bizarre email to “undisclosed recipients” today on gmail trying to have a “relationship”. This was some of the strangest spam I’ve seen. No links, just an email address. No html. The AOL spam filter didn’t catch it. But the nature of the “relationship” was not something mature adults (gay or straight) would want.

Tuesday, September 21, 2010

MSN reports on Twitter "onmouseover" hack, since fixed

Today, MSN reported (with a YouTube video by Sophos/Webroot) on an attack on Twitter: a cross-site scripting flaw let a crafted tweet carry an "onmouseover" attribute inside its link, so a user who merely passed the mouse over the URL had the attacker's script run, which could send them to a spammer's porn site. It's been fixed now. The MSN story ("Twitter counters onmouseover security flaw") is by Athima Chansanchai with link here.

The writer says she escaped the problem by going right to TweetDeck before going onto normal Twitter (third-party clients render tweets themselves, so the flaw in Twitter's own web page did not reach them).
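The Twitter bug was an HTML-attribute injection, and the fix is escaping for the attribute context. The following is an added example, not Twitter's code or code from the original post: it shows the unsafe concatenation beside the escaped version, with a constructed payload in the shape of the attack (the host t.invalid and the link format are made up).

```python
"""Attribute-context escaping for a link rendered from user-supplied text.

Added example, not Twitter's code. The payload and link format are constructed."""
import html
import re
from typing import Optional


def render_link_unsafe(url: str) -> str:
    """The mistake: raw concatenation into an attribute value. A double quote in
    the "URL" closes href and whatever follows becomes new attributes."""
    return '<a href="' + url + '">' + url + '</a>'


def render_link_safe(url: str) -> Optional[str]:
    """Escape for the attribute context (quote=True turns " and ' into entities)
    and allow only http(s) so a javascript: link is refused rather than rendered."""
    if not re.match(r"^https?://", url, re.IGNORECASE):
        return None
    escaped = html.escape(url, quote=True)
    return '<a href="' + escaped + '">' + escaped + '</a>'


# An on* attribute may follow whitespace or, as in the Twitter payload, sit
# directly after the closing quote of the previous attribute.
EVENT_ATTR = re.compile(r'["\'\s]on[a-z]+\s*=', re.IGNORECASE)


def has_event_handler(markup: str) -> bool:
    """True if the opening <a ...> tag carries an on* event-handler attribute."""
    open_tag = markup.split(">", 1)[0]
    return bool(EVENT_ATTR.search(open_tag))


# Constructed payload: the quote breaks out of href and adds a handler.
PAYLOAD = 'http://t.invalid/@"onmouseover="alert(document.cookie)"/'

if __name__ == "__main__":
    print(render_link_unsafe(PAYLOAD))  # handler lands inside the <a> tag
    print(render_link_safe(PAYLOAD))    # the quote is rendered as &quot;
```

The scheme check matters as much as the escaping: escaping alone would still render a `javascript:` URL as a clickable link.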

Monday, September 20, 2010

Webroot offers upgrade, but says call tech support

I got an Alert from Webroot today that it had a new version to download (for Webroot Antivirus with Spysweeper). When I went to answer it and download, it said that it detected that I save photos and videos online (which I indeed do, in Google Picasa), and that I should call the tech support to be talked through the installation.

I did not go through with it, as I do not have time to stop and wait to reach tech support on the phone for a complicated procedure on Vista. I’ve never seen an anti-virus package do this before.

I do see a new product "Webroot Internet Security Complete" (link) and it mentions file and photo sharing, but this may be for a P2P environment. It does appear to offer an improvement over Windows Firewall for outgoing wireless communications where there could be concern over wardriving. Maybe that's what is offered. But it will take time to track down and install, it appears, if you're an existing customer.

Thursday, September 09, 2010

New mass-mailing email worm attacks today

Sophos reports a mass-mailing email worm affecting many companies and government agencies, filling employee inboxes with spam on Sept. 9. The unsolicited email purports to link to a PDF, but the link actually points to an executable (a Visual Basic program) disguised as the document; running it installs the worm, which then mails itself onward. The Sophos blog article on the problem is here. The worm reportedly spoofs an email address from an infected computer as the sender.

Most antivirus companies have updated their DAT files by now, and web protection (including Sophos or Webroot) will block access to that URL.
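The lure depends on a file that looks like a document but runs as a program. The following is an added example, not code from Sophos or from the original post: a gateway check that flags a double extension in a name or link and a content/extension mismatch from the file's magic bytes. The file names and byte strings are constructed for illustration.

```python
"""Flag a link or attachment that claims to be a PDF but is a Windows executable.

Added example, not code from Sophos or the original post. Names and bytes are constructed."""
from urllib.parse import unquote, urlparse

# Extensions Windows runs when double-clicked (not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi"}
# Extensions a lure typically pretends to be.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png", "gif"}
# Magic bytes -> extensions the content may legitimately carry.
MAGIC = [
    (b"MZ", {"exe", "scr", "com", "pif", "dll", "sys", "cpl"}),  # DOS/PE header
    (b"%PDF-", {"pdf"}),
]


def name_is_disguised(name: str) -> bool:
    """True for names like 'invoice.pdf.scr' or 'invoice.pdf .exe': the final
    extension runs as a program and an inner one looks like a document."""
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and any(p in DOCUMENT_EXTS for p in parts[1:-1])


def url_is_disguised(url: str) -> bool:
    """Apply the same test to the last path segment of a link, after URL decoding."""
    path = unquote(urlparse(url).path)
    return name_is_disguised(path.rsplit("/", 1)[-1])


def content_mismatch(name: str, data: bytes) -> bool:
    """True when the magic bytes identify a type the name's extension does not admit.
    Unknown magic returns False: this check only catches known disguises."""
    claimed = name.rsplit(".", 1)[-1].strip().lower() if "." in name else ""
    for magic, allowed in MAGIC:
        if data.startswith(magic):
            return claimed not in allowed
    return False


def assess(name: str, data: bytes = b"") -> str:
    """Gateway decision: 'block' if either the name or the content gives it away."""
    if name_is_disguised(name) or content_mismatch(name, data):
        return "block"
    return "allow"


if __name__ == "__main__":
    fake_pdf = b"MZ\x90\x00\x03\x00" + b"\x00" * 58   # constructed PE stub
    real_pdf = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"        # constructed PDF start
    print(assess("invoice.pdf.scr", fake_pdf))  # block: double extension
    print(assess("statement.pdf", fake_pdf))    # block: PE bytes under a .pdf name
    print(assess("statement.pdf", real_pdf))    # allow
```

Both checks are needed: a sender can pick a clean single extension, or a name the magic table does not cover, so the mail gateway should apply the content check to the fetched file as well as the name check to the link.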

Diane Sawyer gives the story from ABC World News Tonight (the email virus did hit ABC) here.


Back in September 2001 (two weeks after 9/11), my own workplace was hit by a "virus attack" and for a few hours I was afraid that I could have infected my home computer.

Sunday, September 05, 2010

Password security is getting a new look: sometimes less is more

Randall Stross has an interesting piece on p 3 of Business Day of the Sunday New York Times, “A strong password isn’t the strongest security”, link here.

Indeed, the requirements to have so much randomness in passwords (as with companies that run password crackers, as did mine back in 2001) do lead people to write them down and save them, undermining security.

In fact, password strength becomes irrelevant once a machine is infected with "real" spyware or a keylogger, since the password is captured as it is typed, however complex it is.

At the other end of the security spectrum, Stross points out that even weak passwords can't easily be guessed in just a few online tries. However, most companies (and indeed, particularly, most school campuses) do not lock accounts out for long after a few unsuccessful logon attempts, because enemies (or students with bad grades) could deliberately trigger the lockout and disrupt legitimate use of people's accounts; slowing down repeated attempts is safer than a hard lockout.

A good compromise on password strength policy is to allow shorter passwords but reject any password that too many other users have already chosen: popularity rather than complexity is the criterion, so that no single guess succeeds against more than a tiny fraction of accounts.
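The two policies just described, as an added example (not code from the Times article or its sources): a popularity filter that refuses a password once a set number of accounts already use it, and a per-account throttle that grows with consecutive failures and resets after a quiet period instead of locking the account. The limit, the delays and the server secret are assumptions; a real deployment would also throttle by source address.

```python
"""Popularity-based password acceptance and a per-account guess throttle.

Added example, not from the Times article or its sources. Thresholds, timings
and the secret are assumptions."""
import hashlib
import hmac
import time
from collections import Counter


class PopularityPolicy:
    """Accept a password only while fewer than `limit` accounts use it.

    If no password is shared by more than `limit` accounts, one guess tried
    against every account succeeds on at most `limit` of them, whatever the
    password's length. Passwords are keyed by an HMAC under a server secret
    so the counter table is not a plaintext password list."""

    def __init__(self, limit: int, secret: bytes):
        self.limit = limit
        self.secret = secret
        self.counts: Counter = Counter()  # HMAC(password) -> accounts using it

    def _key(self, password: str) -> str:
        return hmac.new(self.secret, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def allowed(self, password: str) -> bool:
        return self.counts[self._key(password)] < self.limit

    def register(self, password: str) -> None:
        """Call when an account adopts `password`; raises if it is too popular."""
        if not self.allowed(password):
            raise ValueError("password is used by too many accounts")
        self.counts[self._key(password)] += 1

    def retire(self, password: str) -> None:
        """Call when an account stops using `password`."""
        k = self._key(password)
        if self.counts[k] > 0:
            self.counts[k] -= 1


class GuessThrottle:
    """Per-account delay that doubles with each consecutive failure and resets
    after `reset_after` seconds of quiet. Unlike a hard lockout, an attacker
    cannot use it to lock the legitimate user out. `clock` is injectable."""

    def __init__(self, base_delay=1.0, max_delay=300.0, reset_after=900.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self.clock = clock
        self.failures = {}  # account -> (consecutive failures, time of last failure)

    def delay_for(self, account: str) -> float:
        """Seconds the next attempt on `account` must wait."""
        count, last = self.failures.get(account, (0, 0.0))
        if count == 0 or self.clock() - last > self.reset_after:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (count - 1))

    def record(self, account: str, success: bool) -> None:
        """Update the counter after an authentication attempt."""
        if success:
            self.failures.pop(account, None)
            return
        count, last = self.failures.get(account, (0, 0.0))
        now = self.clock()
        if now - last > self.reset_after:
            count = 0
        self.failures[account] = (count + 1, now)
```

The popularity table is a target in itself, which is why it stores keyed hashes; a large site would replace the Counter with a sketch so that it does not reveal which exact passwords are in use.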

Wednesday, September 01, 2010

Australian site recommends second opinions on virus scans, firewalls; keep experimenting

The Australian site Arnet has an interesting article by Lincoln Spector dealing with how a "protected PC" gets infected, here.

Spector recommends "second opinions" from second anti-virus vendors (although some cause conflicts; I find that McAfee and Kaspersky don't interfere on an XP machine). He also recommends not depending on Windows Firewall, which has been criticized for not monitoring outgoing packets (XP's firewall has no outbound filtering, and Vista's is off by default), a concern on a wireless home network if you think there is any practical risk of wardriving.

He even recommends not using the same vendor for anti-virus and firewall, as the recommendations for the “best buy” of each keep changing every few months.

Monday, August 30, 2010

Virtual browser from Invincea could deflect web malware attacks

If you want to protect your computer when web browsing with the "canary in the coal mine" technique, there is a virtual browser from a small northern Virginia company called Invincea: the browser runs inside a virtual machine, so a malicious page compromises the disposable virtual environment rather than the real system. Invincea's own account of the opportunity is here, as extracted from the Washington Post on June 7, 2010.

If the virtual browser encounters scareware or other malware, only the dummy browser is attacked. This would help against drive-by downloads and browser exploits delivered by web pages; it would not help against server-side attacks such as SQL injection, which target the website's database rather than the visitor's machine.

The question remains how effective this screening is when compared to browser ratings (McAfee Site Advisor or Mozilla Web of Trust) or anti-virus company intervention (as with Webroot or Sophos).

Saturday, August 21, 2010

McAfee announces its most dangerous celebrities (starting with Cameron Diaz), with respect to fake fan sites.

Internet security company McAfee has a report indicating that fake "unauthorized" fan websites based on celebrities create security hazards, particularly with proffered downloads and especially screensavers, any of which may introduce spyware. The report is at this link and has the title "CAMERON DIAZ NAMED MOST DANGEROUS CELEBRITY IN CYBERSPACE: Justin Timberlake's Ex Knocks Current Girlfriend Biel to #3 Spot; Fourth Annual Report by McAfee Reveals Searching for the Stars is Safer This Year". McAfee has trademarked its "McAfee Most Dangerous Celebrities".

Generally, only very well known celebrities attract these fake sites. But often very young celebrities generate "unauthorized" fan sites.

Switched.com also had a report on this here.

Some (mostly younger and tech-savvy) celebrities, like Ashton Kutcher, are very aggressive in managing their own web presence (partly because Kutcher part-owns a media studio) on social networking sites, personal blogs, and Twitter. It's probably less likely that "crooks" could impersonate them on the web and get away with it.

Friday, August 20, 2010

New York Times has major column on thwarting cyberbullying

Riva Richmond has a major report under the “Personal Tech” column of the “Business Day” Section of the The New York Times, on Thursday, Aug. 19, “Some ways to thwart an online bully,” here.

A major part of the report is an explanation of how to block someone on Facebook, but it notes that a Facebook report and block will not affect that person's access to you outside Facebook. Cyberbullying is listed as one of the legitimate reasons for a Facebook block, as are nudity, a fake profile, and racism or hate speech. But you can "divorce" somebody on Facebook, just as you can tell them never to call you again in real life.

The article mentions two other services, Safety Web (link) and Social Shield  (link) . These services could also help parents of kids who are doing the bullying.

Remember, bullying sometimes is a kind of retaliation. Kids who were bullied physically might be drawn into cyberbullying as a way to “fight with your fingernails”.

Thursday, August 19, 2010

Microsoft "zero-day" vulnerability could affect most third-party apps

Gregg Keizer has reported, on Computerworld, a "zero-day" class of Windows vulnerability: the researcher he quotes noticed that it affected over 40 applications (while investigating the recent shortcut problem) and now says it could be many more.


Each affected application would have to be patched separately, or else guidance could be issued to developers, rather than a massive Windows update for home users that could break some applications. Apparently the vulnerability applies to XP, Vista and 7.

The link for the story is here.

The problem was reported by Mitja Kolsek, CEO of Acros Security in Slovenia.

Users might be able to reduce exposure by blocking some ports at the firewall: the known attack paths deliver the malicious library from a remote share or WebDAV server, so blocking outbound SMB and WebDAV traffic cuts them off.

The problem has to do with how applications locate the libraries (DLLs) they load at run time: Windows searches a sequence of directories, including the current working directory, which is typically the directory the opened document came from, so an attacker who gets a user to open a document from a location that also holds a malicious DLL with the expected name gets that DLL loaded. It is comparable to the "controversy" in mainframe IBM programming between dynamic and static link decks.

Saturday, August 14, 2010

Proliferation of encryption certification authorities seen as a new security hazard

Miguel Helft has an important story in the New York Times Aug. 13, "A Warning in the Weak Link in the Security of Web Sites". Browser vendors (Microsoft, Mozilla for Firefox, Google for Chrome) decide which certificate authorities their browsers trust, and the number of trusted authorities has proliferated; since any one of them can issue a certificate for any site, the least careful authority sets the security level for every HTTPS site. The link for the story is here.

These authorities vouch that the public key in a site's certificate really belongs to that site's owner; a browser that accepts the certificate displays a closed lock icon somewhere around the toolbar. The lock means the connection is encrypted to whoever holds that certificate, not that the issuing authority was trustworthy.

In at least one case, a certificate authority was found to have installed spyware on some Blackberry handsets.

The story seems important also because Firefox has been promoting “universal encryption” of all web traffic.

(See International Issues blog posting today, also, for more on the problem in UAE.)

Tuesday, August 10, 2010

Cisco published top ten Malware attacks in 2Q of 2010

Lisa Phifer has an important article in eSecurity Planet, "The Ten Top Malware Threats", here; she notes that many of them are now spread through ordinary browsing of websites. The list came from Cisco for the second quarter of 2010 and was based on malware data from McAfee and Webroot (Sophos).

She notes, in tenth place, "Backdoor.TDSSConf.A", which belongs to the TDSS family of kernel-mode rootkits; these can disable antivirus programs and, once a page has actually been browsed, are difficult to stop unless the download was blocked first by browser-level controls. There is also "Mal/frame-F", which uses hidden "iframe" tags to send the browser to other websites without the user's knowledge.

"JS.Redirector-AT" can redirect users to other sites with porn, phishing, or scareware implants. Here the article notes that some home users may want to disable JavaScript execution, at least inside Adobe documents.

"PSW.Win32.Infostealer.bnkb" may log keystrokes associated with online banking.

Number 1, representing 5% of infections, is "Exploit.JS.Gumblar": obfuscated JavaScript injected into compromised legitimate websites that silently sends visitors to an exploit page, so that the infection happens during subsequent routine browsing with no consent or action from the user.
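Several of the threats above share the same footprint on a compromised page: an iframe hidden by size or style that points off-site, or a script that redirects the visitor. The following is an added example, not code from the article or from Cisco's report: a scanner that walks a page and reports those two patterns. The sample page and the hidden-style heuristics are constructed assumptions, and the regexes are heuristics that will miss heavily obfuscated script.

```python
"""Report hidden off-site iframes and script redirects in an HTML page.

Added example, not from the article or Cisco's report. The sample page is
constructed; the style and script patterns are heuristics."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)
REDIRECT_JS = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=|location\.replace\s*\(|window\.open\s*\(",
    re.I)


def _pixels(value) -> int:
    """Parse width/height like '1' or '0px'; missing or odd values count as large."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10_000


class InjectionScanner(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # (kind, detail) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            host = (urlparse(src).hostname or "").lower()
            tiny = _pixels(a.get("width")) <= 1 or _pixels(a.get("height")) <= 1
            hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            # Same-host and visible frames are normal; off-site plus hidden is the injection shape.
            if host and host != self.page_host and hidden:
                self.findings.append(("hidden-iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here while inside <script>.
        if self._in_script and REDIRECT_JS.search(data):
            self.findings.append(("script-redirect", " ".join(data.split())[:80]))


def scan(page: str, page_host: str):
    """Return the list of (kind, detail) findings for `page` served from `page_host`."""
    s = InjectionScanner(page_host)
    s.feed(page)
    s.close()
    return s.findings


SAMPLE = """<html><body>
<p>Welcome to example.invalid</p>
<iframe src="http://evil.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://example.invalid/widget" width="300" height="200"></iframe>
<script>window.location.replace("http://evil.invalid/redir");</script>
</body></html>"""  # constructed sample page

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE, "example.invalid"):
        print(kind, detail)
```

Run against a site's own pages on a schedule, the scanner catches the injected-iframe and redirect pattern the list describes before visitors do; obfuscated injections need a JavaScript-aware tool.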

The author of the article owns Core Competence (link), a security consultancy whose site links to this and other important articles.

Monday, August 09, 2010

Microsoft vulnerability and bitmaps; more on application fingerprinting

Vupen Security has reported a vulnerability in most Microsoft systems, caused by a “buffer overflow error in the "CreateDIBPalette()" function within the kernel-mode device driver "Win32k.sys" when using the "biClrUsed" member value of a "BITMAPINFOHEADER" structure as a counter while retrieving Bitmap data from the clipboard”, as reported at this link.

The data involved is device-independent bitmap (DIB) data, the format used when an image is placed on the Windows clipboard; an image copied from a web page or document is the kind of input that reaches this code path, though a JPEG file as such is not a bitmap in this sense.

Help Net Security carried the story with the title "new Windows 0-day flaw allows malware installation", here.
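The quoted advisory describes a count taken from a header field and used to drive a copy into a fixed buffer. The following is an added example, not Vupen's or Microsoft's code: it parses a BITMAPINFOHEADER and bounds biClrUsed by the bit depth and by the buffer before any copy. The header bytes are constructed, and the 256-entry palette buffer is an assumption that mirrors the largest palette an 8-bit DIB can have.

```python
"""Validate biClrUsed before using it as a copy count for a DIB colour table.

Added example, not Vupen's or Microsoft's code. Header bytes are constructed."""
import struct

# BITMAPINFOHEADER, 40 bytes, little-endian: biSize, biWidth, biHeight, biPlanes,
# biBitCount, biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter,
# biClrUsed, biClrImportant
_FMT = "<IiiHHIIiiII"
HEADER_LEN = struct.calcsize(_FMT)   # 40
MAX_PALETTE_ENTRIES = 256            # 2**8: the most colours an indexed DIB can have
RGBQUAD = 4                          # bytes per colour-table entry


def palette_entry_count(header: bytes) -> int:
    """Number of RGBQUAD entries that legitimately follow the header.

    For 1/4/8-bit images, biClrUsed == 0 means the full 2**biBitCount table and
    anything larger than 2**biBitCount is rejected. For deeper images the table
    is optional and still capped at 256 so it can never exceed the buffer."""
    if len(header) < HEADER_LEN:
        raise ValueError("truncated BITMAPINFOHEADER")
    (bi_size, _w, _h, planes, bit_count, _comp, _size, _xppm, _yppm,
     clr_used, _clr_important) = struct.unpack_from(_FMT, header)
    if bi_size != HEADER_LEN or planes != 1:
        raise ValueError("bad biSize or biPlanes")
    if bit_count not in (1, 4, 8, 16, 24, 32):
        raise ValueError("bad biBitCount")
    if bit_count <= 8:
        full = 1 << bit_count
        n = clr_used or full
        if n > full:
            raise ValueError("biClrUsed %d exceeds 2**biBitCount (%d)" % (clr_used, full))
        return n
    if clr_used > MAX_PALETTE_ENTRIES:
        raise ValueError("biClrUsed %d exceeds palette buffer" % clr_used)
    return clr_used


def copy_palette(dib: bytes) -> bytes:
    """Copy the colour table into a fixed 256-entry buffer. Without the check in
    palette_entry_count, a crafted biClrUsed would drive the copy past the buffer."""
    n = palette_entry_count(dib)
    needed = n * RGBQUAD
    if len(dib) < HEADER_LEN + needed:
        raise ValueError("colour table truncated")
    buf = bytearray(MAX_PALETTE_ENTRIES * RGBQUAD)
    buf[:needed] = dib[HEADER_LEN:HEADER_LEN + needed]
    return bytes(buf)


def make_header(bit_count: int, clr_used: int, width: int = 2, height: int = 2) -> bytes:
    """Build a header for testing (constructed data)."""
    return struct.pack(_FMT, HEADER_LEN, width, height, 1, bit_count, 0, 0, 0, 0, clr_used, 0)


if __name__ == "__main__":
    good = make_header(8, 2) + b"\x00\x00\xff\x00" + b"\xff\x00\x00\x00"
    print(len(copy_palette(good)))             # 1024
    try:
        copy_palette(make_header(4, 0x10000))  # crafted count
    except ValueError as e:
        print("rejected:", e)
```

The two bounds are deliberately separate: the bit-depth rule rejects headers that are inconsistent with themselves, and the buffer cap guarantees the copy length even for formats where the table is optional.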

Patrick Thomas presented "Blind Elephant", an open-source web application fingerprinting engine, at Black Hat USA (link); this follows on the fingerprinting report here of Aug. 1.

Sunday, August 01, 2010

Webroot reports on how digital fingerprinting could track "anonymous" virus authors

The "Threat Research Group" at Webroot reported on a technology a company called HBGary has developed, as described by its CEO Greg Hoglund, for identifying malware and its possible sources by a "digital fingerprint" technology that more or less follows the model of classical fingerprint technology in the real world. Webroot's blog entry is here and it contains a picture that, when linked, brings up much more detail than first shown in the blog entry. (I'm not sure why the jpg doesn't display in full in the Webroot blog posting directly.)

The technology should help international law enforcement agencies track down serious cyberthreats, including possibly acts of cyberwarfare, more quickly.

The FBI has a writeup on how its process for identifying hacker code worked back in 2006, with an incident in Turkey regarding the Zotob worm. The link is here. Surely the process has evolved more since then.

Monday, July 26, 2010

New Webroot SpySweeper stimulates reviewers to consider the general nature of today's threats

Neil J. Rubenking of PC Magazine has a review of Webroot AntiVirus with SpySweeper 2011 here.

He discusses the design (in terms of the stoplight green-yellow-red items) in terms of user friendliness, and then discusses performance in terms of time for sweeps on clean machines, and effectiveness in finding and cleaning threats.

But the most interesting part of his review is general : he discusses whether keyloggers are always malicious (employers and parents can install them), and talks about scareware and rogue antivirus stuff, as well as unwanted adware. The newer threats tend to be more subtle than in the past.

His article compares SpySweeper to Malwarebytes Anti-Malware and Ad-Aware Total Security.

What needs more attention is how to integrate Webroot's firewall, as the product is often sold without it, leaving the user to depend on Windows Firewall, which may not be sufficient in wireless environments where data is leaving the computer.

Monday, July 19, 2010

Trojan can infect webcams, invading privacy and maybe framing users

The Register has a report about a Trojan from Germany, spread by ICQ, which can control webcams and spy on people at their home computers, possibly for voyeuristic purposes. The story by John Leyden is here.

A webcam Trojan could be dangerous for another reason. Conceivably it could be used to implicate a home user in photographing and distributing “illegal content” himself.

Some family computing security authorities say that parents should not allow kids to have webcams, as they have little real legitimate use (a whole subplot of “Days of our Lives” a few years ago was based on one). New York Times reporter Kurt Eichenwald said that a few years ago after the case of Justin Berry. However, many modern laptops come equipped with webcams.

The report link was distributed today by a Webroot tweet.

Thursday, July 15, 2010

Mozilla pulls add-on that could steal logon passwords

In an article by Brian Prince, eWeek reports that Mozilla had to pull a password-stealing Firefox add-on called Mozilla Sniffer, which had been downloaded about 1800 times since June 6. It also pulled an add-on called CoolPreviews, in that case because of a security vulnerability in the add-on rather than malicious intent.

Sniffer could capture the user's logins to any website and send them to a remote server, possibly for use in manipulating financial accounts, identity theft, or impersonation.

Add-ons are scanned for known malware, but code like this can be caught only by someone reading it; add-ons listed as experimental had not gone through Mozilla's full code review, so detection depended on the user community.

Firefox users are advised to check their add-on lists for these add-ons and, if Mozilla Sniffer was installed, to change any passwords used while it was active, since those may have been sent to the attacker.

The story would seem to contradict conventional wisdom that Firefox is always safer than IE, though the lesson is narrower: an add-on runs with the browser's full privileges, so the add-on ecosystem is an attack surface separate from the browser itself. Microsoft has been saying that IE8 (under Windows 7) is three times safer than any competitor.

The link is here and was included in Webroot tweet today.