Tuesday, January 29, 2013

Hack of government's USSC calls attention to outdated computer crime laws, but also to ordinary site safety

Reports continue to appear trying to explain the hack of the United States Sentencing Commission last week. A good account, with the statement from Anonymous, appears on ZDNet, here
As of Tuesday afternoon, the site “ussc.gov” was not reachable. As of Jan. 26, according to ZDNet, the original IP address still showed the defaced site’s contents.
Many people feel that the DOJ was bullying Internet activist Aaron Swartz with what amounts to a facetious prosecution.  The USSC recommends sentences, and apparently these can be used to force plea bargains.  In practice, it would take over a million dollars for a blogger to defend himself (herself) against even a frivolous or groundless formal indictment.  Hence, the government (as any government overseas) can maintain a chilling effect against dissent when it wants to, even when there are constitutional protections. 
I once faced a situation in 2005 where I did not pursue possible (First Amendment based) litigation against a school system (when I was a substitute teacher) because there were hints of a legal theory by which I could have been prosecuted under Virginia law, which can make it illegal to post material for an “illegal purpose” if no legitimate “purpose” is apparent (that’s the implicit content doctrine that I have discussed on other blogs). However, actual prosecution would require corroborating evidence of criminal intent from an independent source other than the website itself. That sort of technicality in interpretation also occurs with the Second Amendment in the gun control debate. One can see my main blog July 27, 2007 for more details.
Business Insider has another account (here) of the USSC hack. That article also links to a discussion of the 1986 Computer Fraud and Abuse Act (Wiki link), whose passage was motivated by the 1983 movie “War Games”. The act makes it illegal to “exceed authorized access” to an interstate computer network; it is badly outdated in the context of the Internet and obviously open to abuse.
Webmasters will want to review the tips at “Stop Badware”, which are laid out pretty well among several links here. Some of the suggestions include using encrypted file transfer procedures (I suppose the old Microsoft FrontPage wouldn't be well thought of now), making sure the computer you work from is clean, and being wary of ad or third-party networks you work with. It’s possible for a site to get “blacklisted” by Google or other companies, but some of the warnings from website rating services (like MyWOT) seem to be incorrect and can be triggered by certain ads or third-party add-ons.

It is always a good idea to use the site, do searches on it and monitor statistics (and sometimes log files) to see if activity is "normal".  It is also a good idea, if you use shared hosting, to know how often your provider backs up sites.  And it's a good idea to keep physical copies of the content of your site, backed up in more than one physical location (even in a bank vault), and on optical as well as magnetic media.  

I had a hack of two HTML text files on an old site in 2002, based on a discussion of nuclear weapons and Al Qaeda.  A friend investigated the ISP and found that the Unix server had left the SITE command open.  I had copies of the files and simply re-exported them, and the problem never recurred. 

Friday, January 25, 2013

New webcam "peeping Tom" virus spread by email greeting cards

On Thursday, January 24, 2013, NBC News reported on a computer virus that specifically allowed attackers to spy on users through webcam cameras, even when laptop computers are in sleep mode.

NBC set up an experiment with a suburban New Jersey family showing how an attacker could see the most intimate matters if they were in the sight line from a webcam.

The virus also apparently can track bank and other private account logons.

It is spread by a “greeting card” email attachment. 

A site called “Cybercops” has some more information here

Thursday, January 24, 2013

Gozi Virus had raided bank accounts; 3 prosecuted; Banks ask NSA for help

The Los Angeles Times has a major story by Andrew Tangel about the “Gozi Virus”, which could load argo-fake websites for banks and trick consumers into revealing their logons and giving away their balances, with story link here

The virus has infected 40,000 computers in the United States since 2005.

Federal prosecutors released news of charges against a Russian, Latvian and Romanian.  Many of the rogue servers were in Romania.

And today the Washington Post has an editorial “Rise of the ‘botnets’: Time for Congress to help against cyber attacks”, link here

Post reporter Ellen Nakashima has reported that major banks are now turning to the National Security Agency (NSA) for help. 

Users should frequently check all their online financial accounts, during normal banking hours.

Friday, January 11, 2013

Oracle leaves serious zero-day vulnerability in Java

Some computer security experts are encouraging users to disable Java if they don’t use or need it, because of an Oracle Java vulnerability left open since October 2012.

The report says that the Black Hole Exploit Kit and Cool Exploit Kit, for distributing ransomware, both take advantage of the unfixed Oracle vulnerability. The articles suggest that Oracle was negligent in the way it handled the problem in October.

There is a detailed technical story at TNW, “The Next Web”, here

Arstechnica has a detailed story by Dan Goodin here

CERT, the Software Engineering Institute at Carnegie Mellon, has a report, Vulnerability Note 625617, saying that Java 7 fails to restrict access to privileged code, in a bulletin here

CERT is advising users to disable Java.

Infection could occur by visiting a deliberately crafted HTML document.

Softpedia has a story that suggests that Windows users are warned if they are executing unsafe code, link here. There are reports that this problem is more serious in Mac and Unix environments. Be careful where you surf.

Update: Jan. 12

Jim Finkle of Reuters reports that Oracle will supply a fix to Java "shortly".

Update: Jan. 15

Oracle supposedly completed a patch Sunday Jan. 13. I have not yet seen any prompts or instructions to apply the fix myself.

Update: Feb 8

Oracle pushed a replacement Java engine on my main Windows 7 laptop as soon as I booted up after returning home.  It took about 5 min.  The next hard boot (Feb. 8) took a little longer than usual.

Thursday, January 03, 2013

Microsoft patches older versions of IE from state-sponsored malware; Twitter goes "mobile" for some IE users

Microsoft has issued a fast fix for Internet Explorer 6, 7, and 8, regarding how IE can access deleted objects, giving hackers an ability to plant “drive-by” malware on websites.  

Of particular concern is a malware element called Bifrose, which appears to be extremely sophisticated and outside the capability of most hackers.

There is a story by Jeremy Kirk for IDG on PC World, here

By the way, PC World generates a survey, which can be exited, that Webroot noted as potentially harmful this morning. So don’t do the survey.

Something else bizarre has happened. Twitter switched back to its mobile version on my Internet Explorer setting on my Dell XPS. It says it does this for IE 6 and 7 (which are vulnerable). But I’m supposed to have IE 9 already. So I’m not sure what is happening.

Wednesday, January 02, 2013

Facebook New Year's glitch exposes some personal greeting messages

There was a “minor” Facebook security glitch New Year's Eve that allowed “outside men” (a term from my Army days in the late 60s) to see users’ New Year's Eve messages. The NBC News story is here

I did not get any of these, but all of my settings are public (or everyone).   I don’t post overly “personal” content (as to specific people in a purely  social context) on Facebook or Twitter.  I do this only through email (and that can be risky).  Nope – as for social media – “who dates who”  (gay or straight) is off limits for me.  I do see that others sometimes post about “relationships”.

A friend tweeted that he was “touched” by all these “Happy New Year” messages from corporations.
The UK Mail online has a link giving some personal pictures of Mark Zuckerberg (and wife and dog) supposedly exposed through an earlier security glitch.  Who owns the copyright on these photos?  Some of them are “cute”.   The link is here