Tuesday, June 27, 2017

Major ransomware attack spreads from Ukraine, related to Petya/eternal blue, locks up boot drive rather than individual files, Microsoft may have patch already


Here is the New York Times story on the latest ransomware attack, called “Petya”, which seemed to spread quickly from Ukraine this morning.  It is also related to the “EternalBlue” exploit.

So far, a few American companies, including pharmaceuticals and one law firm, and smaller hospitals have been affected.

Trend Micro has a detailed writeup as of 12:30 PM today.

Heavy.com has a detailed story.

It is not clear if users who had installed previous Microsoft vulnerability patches are protected.



It is not clear if the latest Microsoft systems are less vulnerable.  It also spreads through port 445 (Microsoft SMB file sharing).  This virus seems to attack the master boot record rather than encrypting individual files.

The Microsoft page published today, June 27, says that Windows Defender Antivirus removes the threat, so it should not be hard for all antivirus companies to do this.

Malware Tech has a good explanation that novices can understand, here.


Thursday, June 22, 2017

Curious phishing email from "Apple-ID" imposter when I walk into an Apple store for a Genius Bar consultation


Just as I checked in at an Apple store for Genius Bar support for an issue I have with my passwords, I got a phishing email from “Apple ID” claiming I had just purchased “Clash of Clans”, “Box of Gems”.

There were no credit card transactions in my accounts matching this purchase.

Apple was perplexed, said this was a phishing email, and is checking into the security issue.

Saturday, June 17, 2017

Phishing trojan in Microsoft documents has mouseover vulnerability


Trend Micro reports malware delivered in Microsoft Office documents (specifically PowerPoint) that can infect a machine merely by hovering the cursor over a link in the document, without clicking it.

It’s called OTLARD/Gootkit.  It seems to be spread mainly by phishing attacks against companies where employees are likely to be fooled by official-looking emails.

Friday, June 16, 2017

iPhone popup malvertising adware claims I have "4 Virus", tries to sell fake removal software


Today, while visiting a Guardian article on anti-gay attitudes in Indonesia on my iPhone 6, I kept getting a popup urging me to download anti-virus software and claiming my phone was “28.1% infected” by the “4 Virus”.  It claimed I had visited adult web sites (I hadn’t).  That’s a dangerous claim. That could be related to other malware claiming you have child pornography.



Note the misuse of the Google trademark, also.



It’s a little concerning because I had popups turned off.  It happened only on this site, and I deleted the cache and cookies afterward.

An interesting article is here.  Here’s something more directly related.

Friday, June 09, 2017

Facebook scam claims the service is no longer free, demands a Ponzi payment


I had an incident Thursday where a Facebook “Friend” who seemed to live in a violence-prone area of the southern Philippines messaged me claiming that Facebook would no longer be free and that I had to pay into some Ponzi scheme.  The message was in poor English.
 
This is another obvious scam to be aware of.  I did report it, but Facebook has not responded directly.

Wednesday, June 07, 2017

WannaCry now has a chain-letter Ponzi scheme implementation


Now, there is a version of ransomware in the “WannaCry” family that aims at creating a Ponzi scheme.  The target can get her data back and avoid paying the ransom if she infects at least two other computers.  It really sounds like the ultimate chain letter, or multi-level marketing scheme.  Always Be Closing, indeed.

Or, to get your data back, become a criminal, "like us".  Break the law.  Resist???
 
Sheera Frenkel has the Business Day story in the New York Times today, link here.

Tuesday, June 06, 2017

CERT warns of SNMP vulnerability for workplaces


DHS US-CERT in Pittsburgh is warning of a vulnerability in SNMP, the Simple Network Management Protocol, which can be exploited to gain unauthorized access to network devices.

This is less likely to affect individuals or very small businesses than larger organizations.  It would be possible to target a particular employee, for example, for blame.  So this advisory sounds more like a workplace issue.
 


That reminds me of the warning back in the early 1980s at a credit reporting company that associates must always sign off when not at the terminals and keep passwords secret, and could be terminated for misuse of their accounts by others.
 
Workplaces also have a problem in that spammers may imitate the employer’s trademarks and visual style in phishing attacks that would not work against home users.

Tuesday, May 30, 2017

Mortgage company sites get hacked, siphoning payments from homeowners with phishing schemes


The FBI office in Minneapolis is warning consumers about “mortgage phishing”.  Before closing, a mortgage company’s database is hacked and the criminals send phishing emails directing the consumer to a fake website to make the payment, fooling her into believing she is paying the mortgage company.

NBC News has the story here.

Back in 2000, I was paid a settlement from Texas that was stolen this way, but I got repaid anyway.

Sunday, May 21, 2017

Be wary of Facebook friend requests from existing friends


Be wary of Facebook friend requests from people who are already friends.

Kim Komando has a page on the problem here, and WJLA-TV will have a story about it Monday night, May 22.

There have been cases of people creating duplicate fake profiles to divert friend requests. 
Fake requests could also solicit personal information.

A fake profile of someone could be used as a ploy to ask for money, claiming a need for bail after an arrest in a foreign country.  That’s a common scam.  In my case, my friends would probably be very suspicious.

I had one fake profile of mine a few months ago (with no posts) which a friend (who knows my books well) reported, and it was deleted by Facebook before I found out about it.  She said it had happened to her once and that it is a fairly common scam, probably from overseas hackers.



Update:  May 24

Sinclair Broadcasting's ABC affiliate WJLA 7-on-your-side has a video on the problem, aired May 22, here.

Friday, May 19, 2017

Property insurance companies start to cover ransomware, sometimes bundled with home and auto; is this always a good idea?


NBC News is reporting that several insurance companies, including AIG (since 2008), are offering new cyberinsurance against identity theft and specifically ransomware losses. The story and video are here.

Homeowners’ policies today often cover identity theft, but coverage of ransomware payments and recovery seems to be new.   Usually this coverage has to be requested as an add-on endorsement for about $100 a year.

Bundling cyberinsurance with property insurance (auto and home) in umbrella (“rain shield”) insurance may not always be in the best interest of consumers.  It could lead to companies’ being nosy about consumers’ online reputation and habits.  This does not need to complicate covering your home from a tornado or your car from a drunk driver.

The report mentioned threats against consumer cloud accounts (maybe bogus, by phishing). Consumers should always watch their bank and investment accounts online diligently. And don't click on attachments or links from sources you don't know.  Verify that the mail really came from (or would come from) the company in the header.  There is such a thing as safe computing. 

Thursday, May 18, 2017

New covert malware attempts to mine for bitcoin on your computer


There are reports of a new “invisible” malware.  It’s called “Adylkuzz” and it seems to be designed to mine bitcoin covertly on the infected computer. CNN has a story here.

It apparently offers the dubious “benefit” of blocking other malware (maybe even ransomware) while it runs.  Of course, ransomware usually demands payment in bitcoin.

Friday, May 12, 2017

Massive "WannaCry" malware hits Europe, Russia; Edward Snowden had found it


There are plenty of news accounts of the “Shadow Brokers” attack on many systems around the world, revealed today, hitting Spain, Russia, and the British NHS pretty hard.  Here is a New York Times story.

And here is the Washington Post story. The NSA had known about the vulnerability, which was apparently exposed by Edward Snowden.

Microsoft updated its systems in March, but another patch is said to have been released this week. It is unclear if the latest updates Tuesday (to Windows 10, including the 1703 Creators Update) have all the fixes. My systems updated this week and show up-to-date.

The UK NHS (single payer healthcare) infection apparently occurred with zip file attachments.  But the media reports that the WannaCry  malware could be spread by infected ODF files.

Webroot, in a tweet, directed me to read this Microsoft bulletin about SMB, MS17-010, here.  UK Computing has a story here. Infection seems much more likely through servers and network shares, and less likely at home.

Timothy B. Lee of Vox has a detailed explanation here.



Update: May 13 

US-CERT's analysis of the problem.

This worm can spread from computer to computer within a network with a different user clicking on a phishing link or dangerous site.  It's not clear it can get through a firewall.

A 22-year-old programmer in Britain (or was it Indiana) disabled the current malware by registering a previously unregistered domain that the worm checked before running, in effect a kill switch.



Microsoft has a new update.   Windows 10 computers are not affected. However, earlier computers still running Windows 8 or earlier may be vulnerable if not updated after May 13, particularly if connected to network shares.  Here is the latest I can find. I find their advice problematic; older computers do not run Windows 10 very well.

Ars Technica discusses port 445 exposure (not requiring user interaction) here.
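Both the Petya entry above and this WannaCry entry come down to the same thing for a defender: one machine suddenly opening SMB (port 445) connections to many neighbours. As an added illustration (my own code, not from any vendor or from the original post), here is a small detector that scans firewall-style connection records and flags any source host that touches many distinct destinations on 445 inside a short window; the log format, thresholds, and addresses are all assumed and the sample log is constructed.

```python
"""Flag worm-like SMB fan-out (port 445) in constructed connection logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(minutes=5)      # assumed: look for bursts within 5 minutes
FANOUT_THRESHOLD = 10              # assumed: >= 10 distinct hosts on 445 is suspicious


def parse_line(line):
    """Parse an assumed log format: '<ISO time> <src> -> <dst>:<port> <ALLOW|DENY>'."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct 445-destinations in any window} for flagged hosts.

    DENY lines count too: a worm sweeping a subnet still reveals itself
    through the connections the firewall blocked.
    """
    per_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port, _action = parse_line(line)
        if port == SMB_PORT:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations currently inside the window
        start, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the window start forward until all events are within `window`
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def constructed_log():
    """Constructed sample records (no real network): two benign hosts, one worm-like host."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Benign: workstation 10.0.1.7 reconnects to the same file server all morning.
    for i in range(40):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 10.0.1.7 -> 10.0.1.5:445 ALLOW")
    # Benign: admin host 10.0.1.9 touches three servers, spread over an hour.
    for i, dst in enumerate(["10.0.1.5", "10.0.1.6", "10.0.1.8"]):
        lines.append(f"{(base + timedelta(minutes=20 * i)).isoformat()} 10.0.1.9 -> {dst}:445 ALLOW")
    # Worm-like: 10.0.1.15 sweeps 10.0.1.20 .. 10.0.1.49 in about 90 seconds, some blocked.
    for i in range(30):
        action = "DENY" if i % 4 == 0 else "ALLOW"
        ts = base + timedelta(minutes=30, seconds=3 * i)
        lines.append(f"{ts.isoformat()} 10.0.1.15 -> 10.0.1.{20 + i}:445 {action}")
    return lines


if __name__ == "__main__":
    for host, peak in smb_fanout(constructed_log()).items():
        print(f"suspicious SMB fan-out: {host} reached {peak} hosts on 445 within {WINDOW}")
```

The busy-but-legitimate file-server client is not flagged because it keeps hitting one destination; only the host sweeping the subnet trips the distinct-destination threshold.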



Update: May 16

Here's a blog post from Kaspersky about the Lazarus Group and possible ties to North Korea.

Update: May 17

Trend Micro offers a Folder Shield, in the Data section, which provides one more layer of protection for a designated folder.  It also lets users of earlier Windows versions check whether they have all the necessary patches against WannaCry.

Tuesday, May 09, 2017

Chrome browser said to be enforcing https standards


A site called “Nestify” is advising web users that Google Chrome will apparently mark all non-“https” sites as unsafe, and also mark certain https sites as unsafe if they don’t pass certain standards. The article, shared today on Twitter, is here.

It’s obvious that sites that require you to log in need encryption (SSL/TLS).  It’s less clear if you’re only browsing and the website owner doesn’t require you to log in.  But the business climate of most webmasters today is that most of them need to sell something (however rarely) to some visitors, so an all-https environment seems more credible.

Generally, newspapers having a paywall (as more do all the time) are starting to use https for all access (now the New York Times does). Vox does not require login but has installed SSL (maybe because Timothy B. Lee works there and influenced the company to do so).  But some news broadcast networks don’t yet, as they all have totally “free” content.

The article mentions WordPress sites.  Right now I have four WordPress blogs on Bluehost, under one account with three add-ons.  Bluehost allows one site per account to have SSL right now.  Since Bluehost has a subdomain naming structure internally, it would sound plausible that they could offer it to all add-ons on a hosting account at some point with more “programming” or re-engineering of how some routing works.  But that could be hard to install without interfering with access.

My native WordPress blog (URL) (I’m putting some old archived material there) is SSL, as are 13 of the 16 Blogger blogs.  The three that are mapped to domain names are not https because SSL is based on the domain name (“blogspot.com”).

Wednesday, May 03, 2017

Unusual phishing scam targets Google Docs


There is a bizarre phishing attack involving sharing of Google Docs.  It will lead you to a real Google account page but then to a fake documents page, as Timothy B. Lee explains on Vox here.

Fixing the hack involves removing an instance of “Google Docs” from the Google app permission page. Changing your own password doesn’t do any good.


 
But apparently this scam has circulated before, given YouTube videos about it.

Monday, May 01, 2017

Facebook memes could pose security hazards


Some security experts are warning Facebook users about memes on favorite activities, like asking users to identify a fake concert among others they have attended, as in this New York Times story here.
 
It’s possible for some criminals to guess security questions for other accounts from these, or to use social engineering to target users for future scams, according to some security experts.

I’ve never played on such a meme.

But one time I was greeted with a survey when logging on to Facebook, only to find later I had indeed misspelled the domain name.  Fortunately for me, nothing came of it.

Thursday, April 27, 2017

US Cert warns on state-sponsored malware that could hurt ISP's offering shared hosting


US-CERT in Pittsburgh (DHS) has sent out a detailed bulletin (TA17-117A) about foreign malware, apparently aimed mainly at Unix or Apache servers, that could steal information from customer accounts, particularly in shared hosting environments.

The report is very detailed and technical, and requires a lot of knowledge of PHP and other scripting to understand.

But it suggests that all service providers insist on longer passwords, changed more frequently, and require 2-step verification from consumers.
 
The greatest danger, though, would seem to be to customers who hold major consumer data.  And this seems to be a tool that may be of value to state actors in special situations (like North Korea’s Sony hack).  There could develop some political sensitivities about who could become a target in a shared environment, making such environments harder to secure in general.

Sunday, April 23, 2017

Facebook wants you to recognize your Friends by face for security verification -- a likely story


Facebook is trying a controversial new security tactic: when people use Facebook from computers far away from home, they may be asked to verify names of friends by profile faces.

John Costine has a typical news story on Ad Week here.

Most of us have “Friends”, especially overseas, whose names we do not remember or whom we don’t recognize.  That is particularly the case for users whose posts are public and are often about news stories or rather impersonal.  Possibly the algorithm would ask you to identify Friends upon whose news feeds you frequently give Likes or make comments.  But the policy seems to be self-contradictory, or be predicated on an internally conflicted idea of social media “friendship”.

It's possible that users could mitigate the problem by continually using Facebook while en route by phone.  But this may not work with long plane flights (where cell service is not allowed) to distant destinations.  If driving, of course, you could use it frequently, at rest stops (if you have good nationwide coverage).  It’s also possible that the policy will apply more to overseas travel.

Monday, April 17, 2017

Consumers can be on the hook for fraudulent use of their phone accounts (land or cell)


Consumers, both business and home, can be held responsible for fraudulent calls made on their account by overseas hackers.

Look at this story in the Los Angeles Times about a customer of Spectrum (formerly Time Warner).  The particular customer owns a public relations firm in Brentwood, CA.   She wound up with a $6,400 bill for calls to Cuba.  The news story was on WJLA in DC tonight.

Practically all telecom companies put these provisions in their fine print.  However, in practice, most companies have been willing to forgive calls that were obviously fraudulent.

The problems can occur with either landlines (usually digital now with cable providers) or cell.  There is a logical question whether such a hack could occur anywhere other than inside the telecom company, which ought to be relevant to any litigation of charges like this.  But consumers may be threatened with termination of service in the meantime.

In the summer of 1995, just as hacking was getting started, one of my Visa cards was suddenly rejected at a supermarket, and I quickly got a call from the bank about $3,000 of calls from Canada placed on the card through AT&T.  The charges were all reversed and the card replaced.  The cause of the hack was never explained.

I have not had significant charges for robocalls.



And back in Texas, around 1999, a $4,000 payment made to me to settle an old problem over an assumed mortgage was stolen electronically.  But it was refunded to me properly.

Hacking has been around longer than people think, even on older mainframes; companies have countered it generally by tightening application elevation procedures, a security topic that was all the rage in the 1990s, before Y2K.   There were actually some security mishaps in my workplace in the early 1990s: a contractor one time stole a server, and another time an operator was arrested for embezzlement, scary stuff if it happens where you work.

Saturday, April 01, 2017

Gaming scams; Federal Reserve phishing attack


Local station WJLA in Washington DC reports on recent phishing scams involving gamers wanting to move to the next “level” in the community operated by a game.  Since I don’t “game”, I’m not sure how it could work.  But people whose accounts have been fraudulently manipulated will find them canceled by game manufacturers.  Symantec has an article here.  I wonder if this applies to Second Life.

It would be like having a USCF chess rating fraudulently raised.

There is also a new phishing scam of “embargoed news” from the Federal Reserve.

Friday, March 10, 2017

Can my iPhone have viruses?


Yesterday, while browsing a supposedly mainstream news site on my iPhone 6, a popup claimed I had six viruses on my phone.  It took a little trouble to make it go away, but it finally did.

This does appear to be the old “fake anti-virus software” problem well known to Windows users from a decade ago.   I don’t see any evidence of tampering with any financial sites accessed from the phone (as I check them in varied environments frequently), and I don’t see any evidence of infection in any images or videos I moved to a Windows machine for use (I did a full Trend Micro scan).



Nevertheless, I did a little check on the latest advice on iPhone and Mac malware, and here is a good article (although from 2012).   The article has some interesting discussion of past security problems in the Java language and virtual machine, which was all the rage fifteen years ago.

You may be able to get rid of an “adware” message from Safari by going to airplane mode and closing and reopening Safari (video above).  This is similar to getting rid of a fake “system message” scareware browser hijack on a Windows machine.

Wednesday, March 08, 2017

CIA's Vault 7 does sound like a Roadside Attraction, to me at least


There’s a lot on the Internet now about the CIA’s Vault 7 “scandal”.  Milo Yiannopoulos carried the most bombastic story on his own beefed-up conservative news site (since he left Breitbart, but he presents very similar stories to Breitbart), here.

CNN has answered Milo by finally putting up a detailed story on how Wikileaks got the scoop, here.

This probably doesn’t matter to Internet users in the US much (except maybe those doing illegitimate stuff overseas on the Dark Web -- the CIA "normally" cannot "legally" spy on people at home).  But it does show that hackers could likewise compromise “the Internet of Things” and conceivably spy on people through smart TVs (even when off but plugged in).  In the very worst circumstances, voyeurs could spy on women or children.  It also shows that in extreme circumstances, foreign hackers (like in Russia), maybe state supported, could spy on high-profile Americans at home.

Young OAN correspondent Trey Yingst, 23, asked Sean Spicer about Vault 7 in a White House briefing Tuesday, and Spicer refused to comment.  I was watching (at home on CNN -- I don't have WH access, at least not yet).

This is almost the stuff you would need if you thought aliens from other planets could masquerade as Clark Kent clones among us. What would Donald Trump do about real aliens?  You can't deport somebody 40 light years away.

Saturday, March 04, 2017

Webroot warns of new IRS, Paypal phishing attacks


Webroot is warning users about fraudulent IRS W-2 emails, in this article.    The IRS won’t send you emails (except to verify that returns have been accepted, through H&R Block).  State tax departments (like Virginia) often send business customers legitimate emails (like when sales tax reports are due).

And PayPal users are often targeted in phishing attacks (lately through Gmail), as in this Webroot story.   Since some small non-profits take PayPal but not credit cards (to help “unbanked” clients), most people need PayPal (which can be connected to a credit card for replenishment).

Tuesday, February 28, 2017

Fair use may help Internet and smart device users protect themselves from hackers


Kerry Sheehan has an interesting essay at Electronic Frontier Foundation, “Fair Use as Consumer Protection”, link.
 
As you read through the examples, it’s apparent that most of the uses given would help consumers protect their devices from hackers, even perhaps protect home routers from illegal use by others.  It’s possible to imagine that Airbnb would find some of this interesting.

Tuesday, February 07, 2017

Spam comments try to lead to fake Internet security links


I have become aware of the practice of some spammers of sending spam comments to blog postings about various Internet security companies, with links to fake sites pretending to be the security company.   This is a variation of the usual email phishing, where the spammer tries to put spam comments on blogs with fake links.

Comment moderation (or use of services like Akismet) should stop this.

In one case, Google comment moderation warned me on a comment with a hidden link to “webrootsupportphone dot com”.  I have reported this to the company but it appears not to be legitimate.
 
This probably happens with all major security companies.

Tuesday, January 31, 2017

Trump postpones cybersecurity EO, but has specifically mentioned power grid security, which is unusual


President Trump postponed signing an executive order related to cybersecurity today, with no reason specified, according to NBC News, story here.

The president talked to some tech security companies today, and made a brief statement.  It is interesting that President Trump mentioned the power grid as a possible target, as so well documented in Ted Koppel’s book “Lights Out”.   I have actually tweeted "RealDonaldTrump" directly on this issue.

The president could tighten rules about network topology that makes it possible at all to reach power grids or other infrastructure over the network, or that makes components (like transformers) vulnerable to sabotage.

Sunday, January 01, 2017

"True Key" from Intel, providing facial recognition sign-on, seems to come with a recent Windows 10 update


I recently had problems with an install of a Microsoft update KB3206332 of Windows 10 after the cumulative upgrade last August, on a Toshiba Satellite that had been converted from Windows 8.1.

I kept getting repeated errors "0x80070564" after very slow installs ("preparing to install", 1%, then 20%).  Also, when booting up, Trend Micro would take a long time to start, prompting warnings.

Geek Squad got it installed, but said it found malware (with Webroot) that Trend Micro had missed. It thought the errors were due to the malware.

But Adobe Flash, which had updated before, now offers a "True Key" option rather than a password for log on.  (It has not done this on my HP Envy with the same update.) I tried to use it, and I could not get it to take my picture properly.  Maybe my Comcast Internet wasn't strong enough (it has been shaky recently).  Eventually I had to opt out and go back to regular log on.  True Key will tell you to use your Microsoft password, but actually you have to use the password for that computer, which can be different.

Here's the link for True Key. But curiously that site (which displays the Intel trademark) has a gray rating from Trend Micro, while there is another, green link on Intel's site here.  Bleeping Computer says the original link is OK (answer to question here).