Tuesday, December 26, 2017

Mapping out a tentative plan to make all my sites https (if realistic)

In early January 2018, I will look into the possibility of making my remaining sites https.
Bluehost now has a link on the issue.  What I don’t know yet is whether this can be applied to more than one domain on one account (with addons).  In the past only one account could be https.   Here is a clue to how it might work that I found.  It sounds like this would have to be planned carefully (dealing with possible internal server errors), and would take time and labor. 

Electronic Frontier Foundation has a link on this issue, but I have not yet looked into how it would apply in my situation. 
Electronic Frontier Foundation has a product with a trade name “https-everywhere” which you can install in some browsers, link. But I don’t know how this affects access to all sites.

Google would need to weigh in on the issue of https for “Blogger” blogs linked to domain names. 

Google however has weighed in on the desirability of making all sites (not just those requiring log-in or doing transactions and passing or storing PII) https.   So I would expect to see progress on this question soon. 
Search engines are starting to prefer https. I can tell that now by noticing results on searches I do often. 

I’ve had some issues on my old legacy flat-html site doaskdotell.com with IIS permissions leading to 503 errors.  I don’t see a direct connection to https but the errors could come as an automated way for IIS to shut down a DDoS attack within an application pool in a shared hosting provider (story). I will look into whether to get SSL for this in January.
Furthermore, in an era without net neutrality, we could face a day when telecom providers will screen out domains that don’t have https.  That would at least make economic sense, to me at least. 
One interesting issue for me is that my two providers (BlueHost and Verio) now belong to Esurance, the same owner (check Wikipedia).  Maybe there could be some savings by consolidating onto one of them. But again, could mean a lot of work. 

Monday, December 18, 2017

Be careful about the mechanics of how Twitter private messages work on your iPhone

I had an occasion tonight where someone sent me a direct message on Twitter.  I was in a McDonald’s and tried to reply on the iPhone.  Twitter converted it into a public tweet and chopped it at 140 characters.   I had to delete the tweet and send the message again when I could get to a regular laptop.
If you leave your normal tweets public, be wary of how it works on an iPhone (6 in my case) if you want to respond to a private message.  It may not remain private.  The Twitter direct message is supposed to be more like email than a public post (not quite like Snapchat).

At least my account survived the supposed “Twitter Purge” today.

Wednesday, December 13, 2017

Travelers need to beware leaks in RFID security

IBM has an article warning travelers to beware of their security at hotels with magnetic key locks using RFID technology (radio frequency ID). 

There are a number of dark web tools which can break them or hack components on mobile phones.
High-profile people are more likely to be targeted.

I sometimes simply put laptop computers away and out of sight in hotel rooms when traveling.  If I have a rental car for the day, I tend to take them with me.  I may want them to blog anyway.

The article mentions Faraday cage technology to protect access cards and credit cards (a microcosm of the EMP threat). 

Recently, my own car access key triggered the alarm of the next car in a garage.  While I’m at it, I’ll note how easy it is to get in the wrong car that looks like yours on the road.  One time I did this by accident in a sudden summer thunderstorm. The unlocked car had the same newspapers, road atlas, and clutter on the front seat, amazing coincidence.  I didn’t notice the apartment tag for a whole minute. 

You play on the road, you can't get a walk-off win.  You need your bullpen. 

Saturday, December 09, 2017

Will telecom providers (without net neutrality) buy their own anti-virus companies and enforce their own standards for sites that can connect?

I wanted to note that I’ve noticed that occasionally Trend Micro ratings of websites slip back from green to untested.  This has happened to one of my Wordpress sites, and to other reputable sites belonging to individuals whom I know.

Sometimes this may happen after sites undergo major restructuring, with elimination of old links and adding many new ones.

I also wanted to mention that I’ve been keeping an eye on the “https everywhere” issue.  On Nov. 13 I discussed Blog Tyrant’s long-winded advice on this issue, which appeared rather suddenly (I had prodded Ramsay on this matter several times).

In the short run, I don’t think that sites that don’t take personal information, do financial transactions, or require login present a risk without SSL.  But remember Ramsay encourages webmasters to seek out customers and offer email signon, which is going to require more confidence from subscribers.  

Other observers encourage SSL because in many parts of the world people cannot visit the web without being spied upon by governments.  That is one reason why Electronic Frontier Foundation has pushed “https everywhere”.

I bring this up again today a bit speculatively in conjunction with the ending of “net neutrality as we know it” after a Dec. 14 vote.  Actually, the issue will probably be litigated for a long time (as far as the most doomsday predictions of how telecom companies would milk small business, which I don't see a genuine economic incentive for them to do).  But one development that looks pretty likely (economically, even) to me is that telecom providers will buy their own web security companies and offer their own anti-virus, and courts will almost certainly say that this is OK.  They already offer their own home security (I use Cox) which probably sounds like a good thing for consumers, but requires a lighter touch from regulators to be available.

This sounds important to web publishers because telecom companies would then probably offer to block sites that don’t have green ratings from their own anti-virus providers.  As I noted before, these ratings are often fickle.  The companies might have to be more transparent on how they assign ratings (which in turn could invite subversion or compromise by overseas criminals).  They might have to review new sites sooner, but this could open up the idea of standards that a site needs to meet to be viewed as “legitimate”, a potential problem for small business.

The other requirement, of course, is that a telecom company could refuse connection (or offer to refuse it) to any site not “professional” enough to offer https.  (Although until relatively recently many newspapers didn’t offer https on ordinary stories:  it was paywalls that got them into doing this.)

That’s a problem for someone with multiple domains, if the hosting provider allows only one addon (per account) to do https.  This has been the case for BlueHost, but I see now that BlueHost has a link for activating it (even “free”).  I will check into whether this works for multiple addons (Bluehost has an internal A-record structure that links them to a master domain) and report soon (by early 2018 at the latest).

Sunday, December 03, 2017

Phishing emails now threaten Apple account suspension

I continue to get a lot of phishing emails claiming to be Apple claiming I purchased services and games in third world countries, never showing up on a credit card statement.  I don’t know if it hurts me if somebody impersonates me in Indonesia or Kazakhstan.

But today I got one claiming my Apple account was about to be suspended.   The domain had a .nl TLD.  Many of the emails come from “my.com”. 

I forwarded these to reportphishing@apple.com.

I do note that Apple now enforces two-step verification to sign on to iCloud on a laptop or desktop.  For some reason, my photos haven’t backed up since Oct. 1, even though I have separate WiFi from Cox on my phone when at home. 

Wednesday, November 22, 2017

Uber hack may need self-protection by consumers

Fortune Magazine has rather stern advice for consumers regarding the recent Uber hack, here

Uber hasn’t yet said how it will notify consumers or whether it will force a password reset.  The article says do it.  And don’t use the same password you use on other accounts.

Fortune disagrees with Uber's contention that consumers don't need to worry. But Fortune, despite the title of the article, really doesn't tell you how you can tell if you were affected. 


Of course, what’s so disturbing is that Uber apparently paid off the hackers and didn’t tell anybody for a long time. Presumably the hackers threatened to give the data to other hackers.  It’s like naming names. See something, say something. 

Tuesday, November 14, 2017

Has the NSA made us all targets of foreign enemies?

The New York Times has a long and detailed story of the breakdown at the NSA after its hacking tools were taken by the “Shadow Brokers”, and how those tools were used to build ransomware that hit consumers, less secure companies and hospitals last spring.

The booklet-length article by Scott Shane, Nicole Perlroth, and David E. Sanger appears here. 
You wonder how safe any computer or website or company will be against an enemy that is determined and combative enough, to infiltrate the NSA through employees or contractors.


And EFF has made so much of the surveillance issue over the years. 

Monday, November 13, 2017

Well-known blogging consultant urges everyone to go to https now -- but it's complicated

Ramsay Taplin, Australia’s “Blog Tyrant” has come up with a detailed post on how Bloggers can convert their sites to https, link
It’s important to remember that this applies only to specific domains, not to subsites of Blogger or Wordpress.

I wrote a detailed comment.  Since the comment period is time-sensitive, I’ll reproduce my own comment here:

How important is https for a page that does NOT require user logon or collect user info? That does NOT process funds, PII, etc.

I have four domains on BlueHost, which as of now will set up one as SSL (with an enhanced SiteLock passage). I did pick one of the addons (because it is possible to do transactions on it although I do them rarely in practice). In my case that is doaskdotellnotes.com (not the site I have shared most often). I am expecting BlueHost will change things so that all four can be https. Also, Google’s free Blogger will make all free domains https but does not with those that have their own domain names.  That is because SSL is by main domain name (e.g. blogger.com in the case of Google). That also seems true of Automattic (example) https://jboushka.wordpress.com/ (there’s not much there — that’s a copy of some old stuff). It would be helpful to know if Google, WordPress, BlueHost etc will do anything soon to make this “easier”.
You can navigate to my Blogger Profile.  “Movie Reviews” “Book Reviews” and “Bill Boushka” all resolve to specific domain names and right now do not have https.  The other thirteen are Blogger subdomains.  They can be viewed with or without https.  Some embedded videos from some news sources do not yet work when viewed in https.
Ramsay’s directions are very long and complicated, and I would wonder how many bloggers have the time to do this.  The blogging business paradigm that he advocates generally works with niche blogs aimed at very specific audiences, and often go along with small businesses that actually would use email lists.  This might be very hard for a lot of small businesses to do.
I suspect BlueHost and other providers will make this simpler in the future.  Business persons should also consider hacker security protection like SiteLock.
Electronic Frontier Foundation has long urged all websites to go to https, even those that don’t require logon or do transactions or collect PII.
I’ll come back to this in more detail in the near future (I don’t know how near) on my Wordpress news blog. 
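The question that runs through the Dec. 26, Dec. 9 and Nov. 13 posts above, whether one certificate on a shared-hosting account can cover several addon domains, is decided by the certificate's Subject Alternative Name list, which is what the browser matches the hostname against. The following is an added example of my own (not BlueHost's tooling and not from Blog Tyrant's post): it checks a list of domains against a SAN list in the dict shape that `ssl.SSLSocket.getpeercert()` returns, and checks whether the plain-http side of each domain redirects to https with an HSTS header. The certificate, the domain list and the HTTP responses are constructed for the example so it runs offline; only doaskdotell.com and doaskdotellnotes.com are domains named on this page.

```python
"""Does one TLS certificate cover every addon domain, and does http://
redirect to https:// with HSTS?  Added example: constructed SAN list and
constructed responses stand in for getpeercert() and an HTTP client."""
from urllib.parse import urlparse

REDIRECT_STATUSES = {301, 302, 307, 308}


def label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a wildcard is accepted only as the whole
    leftmost label, it matches exactly one label, and patterns with fewer
    than three labels ('*.com') are refused."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_names(peercert: dict) -> list:
    """DNS names from the shape ssl.SSLSocket.getpeercert() returns:
    {'subjectAltName': (('DNS', 'a.example'), ('DNS', '*.b.example'))}."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def uncovered(peercert: dict, domains: list) -> list:
    """Domains a browser would NOT accept this certificate for."""
    names = san_names(peercert)
    return [d for d in domains if not any(label_matches(n, d) for n in names)]


def https_redirect_ok(status: int, headers: dict, original_host: str) -> bool:
    """A plain-http request must be answered with a redirect to https://
    on the same host; a 200 over http, or a redirect to http://, fails."""
    if status not in REDIRECT_STATUSES:
        return False
    target = urlparse(headers.get("Location", ""))
    return target.scheme == "https" and (target.hostname or "").lower() == original_host.lower()


def hsts_max_age(header_value) -> int:
    """max-age from a Strict-Transport-Security header; 0 if absent or malformed."""
    if not header_value:
        return 0
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return 0
    return 0


# Constructed: a certificate issued for only one of the addon domains.
CERT = {"subjectAltName": (("DNS", "doaskdotellnotes.com"),
                           ("DNS", "www.doaskdotellnotes.com"))}
DOMAINS = ["doaskdotellnotes.com", "www.doaskdotellnotes.com",
           "doaskdotell.com", "www.doaskdotell.com"]

# Constructed http:// responses (status, headers) for two of the domains.
RESPONSES = {
    "doaskdotellnotes.com": (301, {"Location": "https://doaskdotellnotes.com/",
                                   "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "doaskdotell.com": (200, {"Content-Type": "text/html"}),
}


def report() -> dict:
    """Per-domain findings a webmaster would act on."""
    missing = set(uncovered(CERT, DOMAINS))
    out = {}
    for d in DOMAINS:
        status, headers = RESPONSES.get(d, (None, {}))
        out[d] = {
            "cert_covers": d not in missing,
            "redirects_to_https": https_redirect_ok(status, headers, d) if status else None,
            "hsts_max_age": hsts_max_age(headers.get("Strict-Transport-Security")),
        }
    return out


if __name__ == "__main__":
    for domain, result in report().items():
        print(domain, result)
```

The wildcard rule matters for the addon layout: a certificate for `*.doaskdotell.com` covers `www.doaskdotell.com` but not the bare `doaskdotell.com`, so a cert that is meant to cover all addons needs each bare name and each `www` name listed explicitly (which is what Let's Encrypt style issuance does when you request them together).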

Saturday, November 11, 2017

Criminals can make duplicate house keys from images created by apps

Recently local television stations warned consumers about the dangers to home security posed indirectly by apps that encourage you to photograph your house keys so that duplicates can be made.  Thieves have done this to go ahead and commit burglaries. 

Wired has a typical story by Andy Greenberg from 2014, here.    Some of the apps include KeyMe, KeysDuplicated and KeySave.

One risk is allowing parking valets to have access to house keys.

The reports don't say whether these apps would work with higher security locks like Medeco.

Thursday, November 09, 2017

School districts come under disturbing attacks from foreign hackers

School districts have come under attack from hackers, including ISIS-related, in a few different ways.  They seem vulnerable because of particular service providers and particular platforms that they use.

Here’s a report from northern New Jersey.

There were also disturbing attacks, some of them threatening, in Iowa and in the Flathead area of Montana (Post story).
I didn’t encounter any of this when working as a substitute teacher in northern Virginia 2004-2007, but times have changed. 

Tuesday, November 07, 2017

ABC reports fake Droid apps that can steal pw's to social media, bank accounts

ABC News is reporting an epidemic of fake apps, particularly on Android smartphones, that can steal passwords to social media and bank accounts, even when the phones are not in use.

The ABC News story is here. WJLA has been carrying the story locally in the DC area, with a demonstration where several volunteers get hacked. 

I do very little in the way of transactions on my own phones.  

Tuesday, October 31, 2017

Phishing attack targets iCloud

Here’s just a small report, on a rather transparent phishing attack.

It purports to come from “Support iCloud” and says that your Apple ID has been blocked.  But it’s easy to tell it didn’t come from Apple.

Curiously, I signed onto iCloud in the normal way on my Windows 10 and the site asked some extra security questions. 
There had been a week where I didn’t update the iPhoto cloud because I have new WiFi (from Cox) in the condo and I hadn’t connected the smartphone to it yet. 

Tuesday, October 17, 2017

"Krack" attack can compromise WPA2 wi-fi security

Rapid7 has reported on a serious flaw in the WPA2 protocol used by wi-fi routers and clients in homes and businesses; it can be exploited by an attacker in close radio proximity, such as in an adjacent apartment, a hotel, or on a public wi-fi connection.

Alyssa Newcomb on NBC News reports on it as the "Krack Attack".  It is a key reinstallation attack against the WPA2 handshake, and it lets an attacker within range decrypt traffic that WPA2 is supposed to protect.

Users should apply the forthcoming Windows and Mac fixes, and firmware updates from router vendors, as soon as possible.  Restarting a router does not by itself install new firmware; check the vendor's admin page for updates, or enable automatic updates where the router supports them. 

Thursday, October 05, 2017

Phishing attacks try to intercept real estate sales with wire fraud

Persons approaching purchase of property in real estate transactions should become wary of phishing attacks that submit wire transfer instructions which turn out not to be from the real title company.

People should only wire money to accounts that they can confirm separately really to belong to the title company. 

Monday, October 02, 2017

Bluetooth security vulnerabilities are reported

Webroot is warning users of the risks of Bluetooth devices as possibly attracting hackers, as in this article.  Webroot advises users to turn off devices when not in use.  This appears to apply to wearable devices, which could provide a portal for hacking personal information from phones.


I’ve noticed that the Microsoft Action Center, on at least one computer, recommends reinstalling a Bluetooth driver after the Creators’ Update of Windows 10.  But there don’t seem to be any symptoms.  I wonder if this relates to the same possible vulnerability. 

Saturday, September 16, 2017

Phishing scam tells you your Facebook account is suspended

Here's the most recent phishing scam.  You get repeated emails telling you to restore your Facebook account with one click.  It comes from "facebookmail dot com".

So just log in to Facebook yourself and check for yourself.  

Another scheme is to misspell Facebook and take you to a survey page.  

Monday, September 11, 2017

More sophisticated phishing scheme pretends to warn of invalid overseas iTunes purchases

There is a clever phishing scheme now where the attacker sends an email that purports to be from Apple advising you of an overseas purchase of a game from iTunes for about $50.  There is a PDF of the receipt and a link to challenge it.  Previously, there may have been another email without attachments advising of the purchase. If you run the cursor over the sender, it doesn't have Apple in the domain name.

This scheme is a little more complex than a lot of them.  You can forward it to "reportphishing" at apple.com  

Friday, September 08, 2017

More concerns about Kaspersky and Russia in NY Times

The New York Times has an article today, “The Cyber Insecurity Company”, or with online title, “The Russian company that is a threat to our security”.  That’s Kaspersky Lab.

Best Buy and Geek Squad today favor Trend Micro, but before that they bounced between Webroot and Kaspersky. But the article notes that companies that use Kaspersky will have their networks exposed to servers in Russia.

That probably doesn’t matter to home users, no matter how paranoid you are about Putin or Ukraine or Chechnya.  But it would matter to most international companies, or to anyone that keeps user PII on his servers. 

DOD is no longer allowed to use Kaspersky.   

Thursday, August 31, 2017

FDA issues warning about pacemaker vulnerability to hackers

Now, if a threat "From Russia without Love".
The FDA has issued an alert concerning 465,000 pacemakers because of a software vulnerability, which could endanger patients. WJLA has the story here.

The FDA's own firmware update page is here.

It takes a visit to a cardiologist's office to get the firmware updated.

Pacemakers can prevent sudden death from cardiac arrest in people with certain arrhythmias.

Friday, August 25, 2017

Op-ed in WSJ argues expansion of the Safety Act of 2002 to expand ransomware defenses

Brian Finch has a disturbing op-ed in the Wall Street Journal, p. A15, Thursday, Aug. 22, 2017, link.  Finch writes “while a systematic cataclysm is possible, targeted hacks against businesses do more harm.”
The writer says that even poorly written ransomware attacks can damage whole businesses, even large ones.  He argues that the Safety Act of 2002, which provides liability protections to companies that take up defensive strategies, should be expanded. 

Businesses are more vulnerable to phishing than many individuals, because attackers can emulate the actual business trademarks in their headers. 

Wednesday, August 23, 2017

Cell phone numbers get stolen to empty virtual wallets

The New York Times reports on thefts of phone numbers by people calling major telecom providers and finding vulnerable agents. 

The usual targets are people with large virtual wallet accounts, often in digital currency, who have talked about it in social media. 

It seems that once virtual money is stolen this way, it cannot be recovered, as it usually can for a little while with a bank account.

There are proposals that virtual wallet transactions need more time delay.

The New York Times has a story Tuesday by Nathaniel Popper, here 

Tuesday, August 22, 2017

Most modern laptops, tablets, phones and storage now seem immune to magnetic disturbance

I’ve written on this blog before (July 28) that individuals and small businesses should consider making optical backups (CD’s) as well as Cloud and regular disk copies, but I may have “spake” too soon (even in a message to Webroot).  It looks like modern flash drives (the SSDs that now ship in the latest laptops instead of ordinary hard drives) have very little vulnerability to magnetism.  Here’s the article by Simon Hill on Digital Trends.  This may be relevant to the debate on the damage that can be done by an enemy electromagnetic pulse (EMP).

I’ve wondered if living very close to electric utility transmission towers could affect electronics (because of induced magnetic fields) but it does not appear so.

But users really should buy only single-level cell (SLC) drives, which are the fastest and the most expensive, but you get what you pay for here (Datarecovery article).  They last much longer.  It’s like diamond vs. sapphire needles playing vinyl.
Companies and even homes should pay attention to the possibility that environmental hazards could affect defibrillators or life-saving equipment, or in some cases people with pacemakers (NIH).

Update: September 3

I've watched a video that does confirm the idea that the E1 stage of an electromagnetic pulse from a nuclear explosion could affect solid state electronics (as in  car or modern phone or computer) even though ordinary magnets do not.  I will have to check on this further (and talk to Geek Squad).  This is a developing story.  The E3 phase (which also happens with solar storms) will not normally harm home electronics. 

Tuesday, August 15, 2017

DOJ requests IP addresses of visitors to Inauguration Day protest site

A shared hosting provider, DreamHost (which specializes in Wordpress), has resisted a federal DOJ demand for the IP addresses of over 1.3 million visitors to a website “DisruptJ20.org” set up to coordinate violent protests against President Donald Trump on Inauguration Day in Washington DC.  Ellen Nakashima has the detailed story in Economy and Business in the Washington Post on Tuesday August 15, 2017 here.


It’s not clear how much protection https would offer here: it would keep a network observer from seeing which pages a visitor viewed, but it does nothing about the hosting provider’s own server logs, which are what the DOJ demanded.  But this is the sort of situation that has led the Electronic Frontier Foundation to suggest that users learn to use Tor, even in the U.S.  

It's possible for people to be implicated in crimes using evidence from browser visits.  I don't know whether this could go further, monitoring behavior of people who might be believed to present a future threat, like to minors.  Even visits to certain Facebook pages could be interesting to some investigators, even in civil situations.

Update: Aug. 24

A federal judge in Los Angeles has ordered DreamHost to provide email addresses (probably IP addresses) of visitors to Disruptj20.org, Washington Post story by Keith Alexander here.

Here is Disruptj20's appeal to the public.

Monday, August 14, 2017

Techie who stopped WannaCry arrested for earlier hacking activity, which may have been legitimate

Marcus Hutchins, the 23-year-old Brit who helped stop WannaCry with a kill switch, has been arrested by the FBI for supposed participation in spreading the Kronos banking Trojan (from 2014-2015) through phishing or Word documents that can compromise bank accounts, story.  This earlier activity is unrelated to WannaCry.

But activity researching malware could be confused with actually spreading it.  US hacking laws are set up in such a way that prosecution for legitimate research is possible.  This sounds a bit like the “downstream liability” debate.

Hutchins was arrested at a conference in Las Vegas. 

Thursday, August 10, 2017

2-step verification: there are controversies within

There is controversy over which sub-method for two-step verification is safer.  Is sending an SMS message, common with Google and banks, and simpler for many users, less safe than an authentication app which does not require another message over the Internet?

Security Stack Exchange provides a detailed discussion from 2016 here
Ars Technica also reports on a special app for 2-step verification for WhatsApp, and the user rules are quite strict.

Tuesday, August 08, 2017

Conventional wisdom on complicated passwords changes

Here’s an interesting piece challenging the conventional wisdom on password security in the Wall Street Journal , by Robert McMillan.

The piece does not recommend forcing people to use special characters and random combinations of numbers and letters, upper and lower case, and to change passwords often. The problem is that when people change them, they don’t change them enough.
The other idea is that you don’t need to change a password unless you have reason to believe it is compromised. 

Monday, August 07, 2017

Phishing emails appeal to job skills I've never said I have

Here's another interesting phishing scam.  Emails that say they are interested in my "selling background".  How many times have I said that I am not a huckster?  I've never sold insurance or mortgages.  I've worked on the IT systems supporting them.

Oh, maybe I'm treating "sales" and trolling consumers (which is how you generate leads) beneath my dignity.

There are also reports of a phishing scam imitating the Better Business Bureau.

I've also gotten one phish claiming a "relative" is in jail overseas.

Saturday, August 05, 2017

Odd dns link seems to try to load with some Wordpress pages in Windows 10 Creators Update ("incapdns")

I’m noticing odd behavior of my Wordpress blogs in Windows 10 Creators Update environment.
When I go to a specific page, in Chrome or Firefox (so far), sometimes the page tries to load from “incapdns.net”, which seems to be some ad-serving network judging from Google searches. Yet the blog post right now does not serve ads. It is conceivable that it comes from an embedded YouTube video which does have ads.

I’ve messaged Trend Micro to ask if this is acceptable behavior. A full scan does not find malware.
The Trend security report shows no problems.

I’ve also noticed that in Windows 10 Creators Update the sound can fail and YouTube will not play, and the problem clears with a Restart.


Apparently I get the same result on another computer with an earlier version of Windows 10.  Will try Windows 7, MacOS tomorrow.

I'm wondering now if this has to do with BlueHost's  "add-on" structure for hosting accounts.  This may be the domain that converts the physical url's to logical one's with dns resolution.  This process could eventually prove useful in a strategy to implement "https everywhere".

But I had found some negative links about the site online and sites that claimed to remove it.

Monday, July 31, 2017

Comcast Business gives another reason not to pay ransomware

Comcast Business is advising customers never to pay ransom for "ransomware" attacks, because often files are merely "deleted" but not encrypted, and can be recovered.  Here's the article from today.

Here is US Cert's latest on Petya, link.

Friday, July 28, 2017

Home users and small businesses may want to consider protecting their digital data storage from EMP attacks (which can be local)

I’ve mentioned this before, but I thought this is an opportune time to reinforce the idea that small business and home users need to rethink more their strategy in protecting their own data.
We’ve certainly heard a lot about novel ransomware attacks this spring, but for the most part home users and small businesses were not affected, because large businesses are more easily impersonated by attackers (especially overseas).  But another danger is physical attack which could include knocking out the power grids and electronics.

The recoverability of power is a controversial topic, but the US certainly is vulnerable in its inability to replace transformers quickly (or even transport them).  But another issue is that EMP electromagnetic pulses (which don’t require nuclear blasts – there are microwave flux weapons, not well known, that can do this in smaller areas) can destroy electronics, including modern auto ignition systems and data on hard drives and thumb drives.  Furthermore, cloud backup services could be compromised.  No one has written much on how well major data storage services (or publishing platforms or hosting companies) can secure their facilities from electronic damage from pulse-type weapons. 

Users could consider making optical CD backups of critical data as well as building or acquiring special “Faraday” cage devices. CD backups were more popular a decade ago than they are now. 
The military has these today, and I suspect major financial institutions have them.  But little has been written yet by mainstream media sources.  It needs attention.  

The 2009 novel "One Second After" depicts the pileups on an Interstate in North Carolina when most car ignitions fail suddenly.  Frankly, there is suddenly more attention to this idea because of North Korea's threat, which James Woolsey says can be launched from a satellite today.

As far as I know, coronal mass ejections from solar storms do not cause this threat to devices, even though they can short out power grid transformers.

Thursday, July 20, 2017

Cell phone "smishing"

Here's a warning from Fortune (also on NBC Nightly News tonight) about smart phone smishing scams.

I have yet to get one that I recall.  But you should not respond to unexpected SMS financial messages;  you should go into the financial institution's website yourself (just as with email phishing).

And a few of these scams can infect phones with malware. 

Wednesday, July 12, 2017

Verizon contractor leaves 14 million cellular customer records open to compromise, but no evidence of actual misuse so far

Media reports indicate a breach in the data records of up to 14 million international Verizon customers, including PIN data, because a company that facilitates customer service calls left certain intermediate data not properly secured.
The Verge has a news story here.

But there is no evidence that any data has actually been taken, but it is impossible to prove that it wasn’t.  That’s why strict audit trails and access control and elevation integrity are important to data centers.
These kinds of lapses were quite common in the mainframe world until the early 1990s.

Friday, July 07, 2017

Facebook phishing scam based on former Friend who is deceased

Be careful of a new Facebook scam. I just got an email Friend request from a former Facebook friend who is deceased. The FB email was spoofed but there was no request on my account. This seems like another kind of phishing scam, possibly on deceased persons.
Be aware also that misspellings of "Facebook" can take you to phony imitation sites that ask for surveys and then connect you to FB (or go into an endless loop, requiring restart).

I have found that I attract a number of people from poor countries as Friends.  This may be related to my blogging about immigration and asylum issues.  Sometimes there are requests for money, help with employment, medical expenses, or charities (or even coming to the U.S., which will not be legal right now -- immediate ICE detention).  Obviously it is normally very difficult to determine which if any of these requests are genuine.
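The checks the Sept. 11 post above does by hand (hover over the sender and look at the domain) and the warning in the Sept. 16 post and this one (misspelled "Facebook" domains) can be automated on a saved message. The following is an added example of my own, not code from any source cited on this page: it parses a raw e-mail with Python's standard library, works out which brand the message claims to come from (display name and subject), and flags the sender address and every link whose registrable domain is not one the brand actually uses, telling a one-character lookalike apart from an unrelated domain. The brand-domain table and the three messages are constructed for the example; `registrable()` is a crude last-two-labels rule that is fine for .com and .nl but would need the public suffix list for co.uk-style names.

```python
"""Flag mail whose sender or links do not belong to the brand it claims.
Added example, standard library only; BRAND_DOMAINS and the messages are
constructed for the example."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains each brand actually sends from or links to.
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}


def registrable(host: str) -> str:
    """'appleid.apple.com.verify-account.nl' -> 'verify-account.nl': the part
    the sender controls, however many brand-like labels are stacked in front.
    Crude last-two-labels rule (no public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch facebo0k.com-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collect href targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def classify_domain(domain: str, brands: set) -> str:
    """'legit', 'lookalike' (within 2 edits of a real brand domain) or 'unrelated'."""
    legit = set().union(*(BRAND_DOMAINS[b] for b in brands)) if brands else set()
    if domain in legit:
        return "legit"
    if any(edit_distance(domain, d) <= 2 for d in legit):
        return "lookalike"
    return "unrelated"


def analyze(raw: bytes) -> dict:
    """Sender domain, brands the message claims, and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    claimed_text = (display + " " + str(msg.get("Subject", ""))).lower()
    claimed = {b for b in BRAND_DOMAINS if b in claimed_text}
    findings = []
    if claimed:  # a mail claiming no brand has nothing to be inconsistent with
        verdict = classify_domain(sender_domain, claimed)
        if verdict != "legit":
            findings.append(f"sender {addr} ({verdict} domain) claims to be {', '.join(sorted(claimed))}")
        body = msg.get_body(preferencelist=("html", "plain"))
        collector = LinkCollector()
        collector.feed(body.get_content() if body else "")
        for href in collector.hrefs:
            host = urlparse(href).hostname or ""
            verdict = classify_domain(registrable(host), claimed)
            if verdict != "legit":
                findings.append(f"link to {host} ({verdict} domain)")
    return {"sender_domain": sender_domain, "claimed_brands": claimed, "findings": findings}


# Constructed messages modelled on the ones described in the posts above.
PHISH = b"""From: "Apple ID" <noreply@apple-id-verify.nl>
To: someone@example.com
Subject: Your Apple ID has been blocked
Content-Type: text/html; charset=utf-8

<p>You purchased Clash of Clans (Box of Gems) from Indonesia.</p>
<p><a href="http://appleid.apple.com.verify-account.nl/cancel">Cancel this order</a></p>
"""
LOOKALIKE = b"""From: Facebook <security@facebo0k.com>
To: someone@example.com
Subject: Restore your account with one click
Content-Type: text/html; charset=utf-8

<p><a href="http://facebo0k.com/restore">Restore my account</a></p>
"""
LEGIT = b"""From: Apple <no_reply@email.apple.com>
To: someone@example.com
Subject: Your receipt from Apple
Content-Type: text/html; charset=utf-8

<p><a href="https://reportaproblem.apple.com/">Report a problem</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(name, analyze(raw))
```

The `registrable()` step is what defeats the `appleid.apple.com.verify-account.nl` trick in the first message: the brand name sits in the subdomain, but the name the sender registered is `verify-account.nl`. It also means the check cannot tell a spoofed `From:` header from a real one; that is what SPF/DKIM/DMARC results in the received headers are for, and a production filter would read those too.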


Thursday, July 06, 2017

Milo's first printing sells out, already tempting "Dangerous" phishing scams. Always check your account on Amazon yourself.

Here's a word to the wise.  Milo Yiannopoulos's next book "Dangerous" sold out in its first printing (100,000) and my Amazon order wasn't soon enough to be in the first stock.  OK, I ordered Kindle as a stop-gap for $2.99.  But then I get a fake message saying it has shipped, and to click for directions.

So I go to the Amazon site, and see it still hasn't shipped.

So "Dangerous" may have invited some phishing scams already.  

Wednesday, June 28, 2017

Pentagon may be prohibited from doing business with Kaspersky, Moscow-based security software popular on home computers in the U.S.

The U.S. Senate is considering a bill prohibiting the Pentagon from doing business with Moscow-based Kaspersky labs, NBC News story.

Geek Squad has often sold Kaspersky, and I have used it on at least two Windows computers. Kaspersky seems to be one of the most pro-active companies in warning about possibly dangerous websites.  It also tends to give amateur sites lower safety ratings than do many other companies.

Update: July 23

The Washington Post reports on local governments using Kaspersky in an article July 23 by Jack Gillum and Aaron C. Davis, link here .

Tuesday, June 27, 2017

Major ransomware attack spreads from Ukraine, related to Petya/eternal blue, locks up boot drive rather than individual files, Microsoft may have patch already

Here is the New York Times story on the latest ransomware attack, called “Petya”, which seemed to spread quickly from Ukraine this morning.  It is also related to a malware scheme of hacking tools called “eternal blue”.

So far, a few American companies, including pharmaceuticals and one law firm, and smaller hospitals have been affected.

Trend Micro has a detailed writeup as of 12:30 PM today.

Heavy.com has a detailed story.

It is not clear if users who had installed previous Microsoft vulnerability patches are protected.

It is not clear if the latest Microsoft systems are less vulnerable.  It also spreads through Port 445 (for Microsoft shares).  This virus seems to affect master boot records rather than encrypting files.

 The Microsoft page published today June 27 says that Windows Defender Antivirus removes the threat so it should not be hard for all antivirus companies to do this.

Malware Tech has a good explanation that novices can understand, here.

Eweek has a self-inoculation idea of creating a file called perfc, with no extension and no content, in the Windows folder (story).
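The two defensive points in this entry (the worm spreads over TCP port 445, and an empty read-only file named perfc in the Windows folder acts as a vaccine) can be scripted. The following is an added example, not code from the blog or from the eweek story; it assumes that "the Windows folder" means %WINDIR% (normally C:\Windows) and that the file is made read-only so that the malware cannot overwrite it. It creates and verifies the marker file and reports whether SMB is reachable on the local host; it does nothing to remove an existing infection.

```python
"""Vaccine-file and SMB-exposure checks for the Petya-style worm described above.

Added example (not from the blog post or eweek).  Assumptions not on the page:
the "Windows folder" is %WINDIR%, and the marker is made read-only.
"""
import os
import socket
import stat
import tempfile
from pathlib import Path

VACCINE_NAME = "perfc"  # name from the eweek story: no extension, no content


def create_vaccine_file(windir: Path) -> Path:
    """Create an empty, read-only file named 'perfc' in *windir* and return its path.

    Idempotent: an existing file is kept but is still marked read-only.
    """
    target = windir / VACCINE_NAME
    if not target.exists():
        target.touch()
    # S_IREAD alone becomes the read-only attribute on Windows and mode 0400 on POSIX
    os.chmod(target, stat.S_IREAD)
    return target


def vaccine_present(windir: Path) -> bool:
    """True if the marker exists, is a regular file, is empty and has no write bits."""
    target = windir / VACCINE_NAME
    if not target.is_file():
        return False
    st = target.stat()
    return st.st_size == 0 and (st.st_mode & 0o222) == 0


def smb_port_open(host: str = "127.0.0.1", port: int = 445, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port succeeds, i.e. the SMB port is reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def self_check() -> bool:
    """Exercise create_vaccine_file() in a temporary directory; True if it verifies."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        create_vaccine_file(d)
        ok = vaccine_present(d)
        # restore write permission so the temporary directory can be removed on Windows
        os.chmod(d / VACCINE_NAME, stat.S_IREAD | stat.S_IWRITE)
        return ok


if __name__ == "__main__":
    # assumption: WINDIR is the "Windows folder" the story refers to
    windir = Path(os.environ.get("WINDIR", r"C:\Windows"))
    print(f"self-check passed: {self_check()}")
    if os.name == "nt":
        path = create_vaccine_file(windir)  # needs an elevated prompt
        print(f"{path}: present={vaccine_present(windir)}")
    print(f"TCP 445 reachable on localhost: {smb_port_open()}")
```

Creating the file under C:\Windows needs an administrator prompt; the self-check runs anywhere. A reachable port 445 on a home machine is worth a look at the firewall settings, since that is the path the entry says the worm uses.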

Thursday, June 22, 2017

Curious phishing email from "Apple-ID" imposter when I walk into an Apple store for a Genius Bar consultation

Just as I checked in at an Apple store for Genius Bar support for an issue I have with my passwords, I got a phishing email from “Apple ID” claiming I had just purchased “Clash of Clans”, “Box of Gems”.

There were no credit card transactions in my accounts matching this purchase.

Apple was perplexed, saying this was a phishing email and is checking into the security issue.

Saturday, June 17, 2017

Phishing trojan in Microsoft documents has mouseover vulnerability

Trend Micro reports a version of malware possible in Microsoft documents (specifically PowerPoint) where infection is possible merely by passing a cursor over a link in the document without clicking it.

It’s called OTLARD/Gootkit.  It seems to be spread mainly by phishing attacks on companies where employees are likely to be fooled by official-looking emails.
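A defender can look for this class of document before it reaches a user. The scanner below is an added example, not code from the blog or from Trend Micro; it assumes the structure PresentationML uses for such links: an <a:hlinkMouseOver> element whose action attribute is "ppaction://program", with the program to run recorded as the target of the slide's relationship file. It goes slightly beyond the entry by also flagging <a:hlinkClick> with the same action. The sample archive is constructed in memory with a placeholder target path and is not an openable presentation.

```python
"""Scan a .pptx for hyperlinks whose mouse-over or click action launches a program.

Added example; not from the blog post or Trend Micro.  Assumes the
PresentationML markup described in the lead-in.  The sample archive is
constructed and its target is a placeholder, not a payload.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

Finding = Tuple[str, str, str, str]  # (slide part, element, action, target)


def _slide_rels(zf: zipfile.ZipFile, slide_part: str) -> Dict[str, str]:
    """Map relationship Ids to Targets for one slide (ppt/slides/_rels/slideN.xml.rels)."""
    folder, _, fname = slide_part.rpartition("/")
    rels_part = f"{folder}/_rels/{fname}.rels"
    if rels_part not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_part))
    return {rel.get("Id", ""): rel.get("Target", "")
            for rel in root.iter(f"{{{PKG_NS}}}Relationship")}


def find_program_actions(pptx_bytes: bytes) -> List[Finding]:
    """Return every mouse-over or click hyperlink whose action would launch a program."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for part in sorted(zf.namelist()):
            if not (part.startswith("ppt/slides/slide") and part.endswith(".xml")):
                continue
            rels = _slide_rels(zf, part)
            root = ET.fromstring(zf.read(part))
            for element in ("hlinkMouseOver", "hlinkClick"):
                for node in root.iter(f"{{{A_NS}}}{element}"):
                    action = node.get("action", "")
                    if action.startswith("ppaction://program"):
                        rid = node.get(f"{{{R_NS}}}id", "")
                        findings.append((part, element, action, rels.get(rid, "")))
    return findings


def build_sample_pptx() -> bytes:
    """Constructed minimal archive: one slide with a mouse-over program action.

    Only the parts the scanner reads are present; it is not a PowerPoint-openable file.
    """
    slide = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
      <a:t>Hover here for details</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{R_NS}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{R_NS}/hyperlink" Target="C:\\placeholder\\example-program.exe" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, element, action, target in find_program_actions(build_sample_pptx()):
        print(f"{part}: <a:{element}> action={action} target={target!r}")
```

Any hit is a reason to quarantine the attachment: a legitimate presentation almost never needs a hyperlink that runs a program, and the target string is usually the most telling artefact for the analyst.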

Friday, June 16, 2017

iPhone popup malvertising adware claims I have "4 Virus", tries to sell fake removal software

Today, while visiting a Guardian article on anti-gay attitudes in Indonesia on my iPhone 6, I kept getting popups urging me to download anti-virus software and claiming my phone was “28.1% infected” by the “4 Virus”.  It claimed I had visited adult web sites (I hadn’t).  That’s a dangerous claim. That could be related to other malware claiming you have child pornography.

Note the misuse of the Google trademark, also.

It’s a little concerning because I had popups turned off.  It happened only on this site, and I deleted the cache and cookies afterward.

An interesting article is here.  Here’s something more directly related.

Friday, June 09, 2017

Facebook scam claims the service is no longer free, demands a Ponzi payment

I had an incident Thursday where a Facebook “Friend” who seemed to live in a violence-prone area of the southern Philippines messaged me claiming that Facebook would no longer be free and that I had to pay into some Ponzi scheme.  The message was in poor English.
This is another obvious scam to be aware of.  I did report it, but Facebook has not responded directly.

Wednesday, June 07, 2017

WannaCry now has a chain-letter Ponzi scheme implementation

Now, there is a version of ransomware in the “WannaCry” family that aims at creating a Ponzi scheme.  The target can get her data back and avoid paying the ransom if she infects at least two other computers.  It really sounds like the ultimate chain letter, or multi-level marketing scheme.  Always Be Closing, indeed.

Or, to get your data back, become a criminal, "like us".  Break the law.  Resist???
Sheera Frenkel has the Business Day story in the New York Times today, link here.

Tuesday, June 06, 2017

CERT warns of SNMP vulnerability for workplaces

DHS CERT in Pittsburgh is warning of a vulnerability in SNMP, Simple Network Management Protocol, which can be compromised to gain unauthorized access to network devices.

This is not as likely to affect individuals or very small businesses, as larger organizations.  It would be possible to target a particular employee, for example, for blame.  So this advisory sounds more like a workplace issue.

That reminds me of the warning back in the early 1980s at a credit reporting company that associates must always sign off when not at the terminals and keep passwords secret, and could be terminated for misuse of their accounts by others.
Workplaces also have a problem in that spammers may imitate the employer’s trademarks and look-and-feel in phishing attacks that would not work against home users.

Tuesday, May 30, 2017

Mortgage company sites get hacked, siphoning payments from homeowners with phishing schemes

The FBI Office in Minneapolis is warning consumers about “mortgage phishing”.  Before closing, a mortgage company’s database is hacked, and the criminals send phishing emails, backed by a fake website, to fool the consumer into believing she is paying the mortgage company.

NBC News has the story here.

Back in 2000, I was paid a settlement from Texas that was stolen this way, but I got repaid anyway.

Sunday, May 21, 2017

Be wary of Facebook friend requests from existing friends

Be wary of Facebook friend requests from people who are already friends.

Kim Komando has a page on the problem here, and WJLA-TV will have a story about it Monday night, May 22.

There have been cases of people creating duplicate fake profiles to divert friend requests. 
Fake requests could also solicit personal information.

A fake profile of someone could be used as a ploy to call for money, claiming a need for bail or arrest in a foreign country.  That’s a common scam.  In my case, my friends would probably be very suspicious.

I had one fake made of mine a few months ago (with no posts), which a friend (who knows my books well) reported, and it was deleted by Facebook before I found out about it.  She said it had happened to her once and that it is a fairly common scam, probably from overseas hackers.

Update:  May 24

Sinclair Broadcasting's ABC affiliate WJLA 7-on-your-side has a video on the problem, aired May 22, here.

Friday, May 19, 2017

Property insurance companies start to cover ransomware, sometimes bundled with home and auto; is this always a good idea?

NBC News is reporting that several insurance companies, including AIG (from 2008) are offering new cyberinsurance, against identity theft and specifically ransomware losses. The story and video are here.

Homeowners’ policies today often cover identity theft, but coverage of ransomware payments and recovery seems to be new.   Usually this coverage has to be requested as an add-on endorsement for about $100 a year.

Bundling cyberinsurance with property insurance (auto and home) in umbrella (“rain shield”) insurance may not always be in the best interest of consumers.  It could lead to companies being nosy about consumers’ online reputation and habits.  This does not need to complicate covering your home from a tornado or your car from a drunk driver.

The report mentioned threats against consumer cloud accounts (maybe bogus, by phishing). Consumers should always watch their bank and investment accounts online diligently. And don't click on attachments or links from sources you don't know.  Verify that the mail really came from (or would come from) the company in the header.  There is such a thing as safe computing.
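"Verify that the mail really came from the company in the header" can be made concrete. The following added example (not code from the blog) reads the headers a receiving mail server adds, Authentication-Results and Return-Path, and checks that the SPF and DKIM verdicts are passes and that the envelope sender and DKIM signing domain line up with the From: domain, the same alignment idea DMARC uses. Both messages are constructed; example.com and example.net are placeholder domains, and the "mortgage" wording only ties it to the phishing pattern described earlier on the page.

```python
"""Does this e-mail plausibly come from the company named in its From: header?

Added example, not from the blog post.  Assumes the receiving server records
its verdicts in an Authentication-Results header; both messages are
constructed and use placeholder domains.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample 1: authenticated by the receiving server.
GENUINE = """\
Return-Path: <bounces@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Mortgage Co" <payments@example.com>
To: homeowner@example.net
Subject: Your statement is ready

Log in at the usual address to view your statement.
"""

# Constructed sample 2: From: claims example.com, but the envelope sender and
# DKIM signature belong to another domain and SPF failed.
SPOOFED = """\
Return-Path: <x9f2@mailer.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.invalid; dkim=pass header.d=mailer.invalid; dmarc=fail header.from=example.com
From: "Example Mortgage Co" <payments@example.com>
To: homeowner@example.net
Subject: URGENT: closing payment instructions changed

Wire your closing funds to the new account below.
"""


def _domain(addr) -> str:
    """Lower-cased domain part of an e-mail address ("" if absent)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _aligned(domain: str, expected: str) -> bool:
    """True if domain equals expected or is a subdomain of it (relaxed alignment)."""
    return bool(domain) and (domain == expected or domain.endswith("." + expected))


def auth_results(msg: Message) -> dict:
    """Pull spf/dkim/dmarc verdicts and the DKIM signing domain from Authentication-Results."""
    ar = " ".join(msg.get_all("Authentication-Results", []))
    out = {}
    for key in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{key}=(\w+)", ar)
        out[key] = m.group(1).lower() if m else "none"
    m = re.search(r"header\.d=([\w.-]+)", ar)
    out["dkim_domain"] = m.group(1).lower() if m else ""
    return out


def plausibly_from(raw: str, expected_domain: str):
    """Return (ok, reasons); ok is True only when every check passes."""
    msg = message_from_string(raw)
    expected = expected_domain.lower()
    res = auth_results(msg)
    reasons = []
    if not _aligned(_domain(msg.get("From")), expected):
        reasons.append("From: domain is not " + expected)
    if not _aligned(_domain(msg.get("Return-Path")), expected):
        reasons.append("Return-Path (envelope sender) does not align with From:")
    if res["spf"] != "pass":
        reasons.append(f"SPF result is {res['spf']}, not pass")
    if res["dkim"] != "pass" or not _aligned(res["dkim_domain"], expected):
        reasons.append("no aligned DKIM signature from " + expected)
    if res["dmarc"] == "fail":
        reasons.append("DMARC result is fail")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        ok, reasons = plausibly_from(raw, "example.com")
        print(f"{label}: ok={ok}", *reasons, sep="\n  ")
```

Note what this does and does not prove: a pass means the message was sent with the consent of whoever controls the domain's DNS, which rules out a plain forgery of the From: line but not a compromised mailbox at the real company, which is the scenario in the mortgage-phishing entry above. A failure, on the other hand, is a strong reason to check the account through the company's own site rather than any link in the mail.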