Thursday, April 27, 2017

US Cert warns on state-sponsored malware that could hurt ISP's offering shared hosting

US-Cert in Pittsburgh (DHS) has sent out a detailed bulletin (TA17-117A) about foreign malware, apparently aimed mainly at Unix or Apache servers, that could steal information from customer accounts, particularly in shared hosting environments.

The report is very detailed and technical  and requires a lot of knowledge of PHP and other scripting to understand.

But it suggests that all service providers insist on longer passwords, more frequently hanged, and use 2-step verification from consumers.
The greatest danger, though, would seem to customers who have major consumer data.  And this seems to be a tool that may be of value to state actors in special situations (like North Korea’s Sony hack).  There could develop some political sensitivities about who could become a target in a shared environment, making them harder to secure in general.

Sunday, April 23, 2017

Facebook wants you to recognize your Friends by face for security verification -- a likely story

Facebook is trying a controversial new security tactic: when people use Facebook from computers far away from home, they may be asked to verify names of friends by profile faces.

John Costine has a typical news story on Ad Week here.

Most of us have “Friends”, especially overseas, whose names we do not remember or whom we don’t recognize.  That is particularly the case for users whose posts are public and are often about news stories or rather impersonal.  Possibly the algorithm would ask you to identify Friends upon whose news feeds you frequently give Likes or make comments.  But the policy seems to be self-contradictory, or be predicated on an internally conflicted idea of social media “friendship”.

It's possible that users could mitigate the problem by continually using Facebook while in route by phone.  But this may not work with long plane flights (where cell service is not allowed) to distant destinations.  If driving, of course, you could use it frequently, at rest stops (if you have good nationwide coverage).  It’s also possible that the policy will apply more to overseas travel.

Monday, April 17, 2017

Consumers can be on the hook for fraudulent use their phone accounts (land or cell)

Consumers, both business and home, can be held responsible for fraudulent calls made with their account by hackers, overseas.

Look at this story in the Los Angeles Times about a customer of Spectrum (formerly Time Warner)  The particular customer owns a public relations firm in Brentwood, CA.   She wound up with a $6400 bill for calls to Cuba.  The news story was on WJLA in DC tonight.

Practically all telecom companies put these provisions in their fine print.  However, in practice, most companies have been willing to forgive calls that were obviously fraudulent.

The problems can occur with either landlines (usually digital now with cable providers) or cell.  There would be a logical question if a hack could occur anywhere else but inside the telecom company, which ought to be relevant to any litigation of charges like this.  But consumers may be threatened with termination of service in the meantime.

In the summer of 1995, just was hacking was getting started, one of my Visa cards was suddenly rejected at a supermarket, and I quickly got a call from the bank, about $3000 of calls from Canada placed on the card through ATT.  The charges were all reversed and the card replaced.  The cause of the hack was never explained.

I have not had significant charges for robocalls.

And back in Texas, around 1999, a $4000 payment made to me to settle an old problem over an assumed mortgage was stolen electronically.  But it was refunded to me properly.

Hacking has been around longer than people think, even on older mainframes;  companies have countered them generally by tightening application elevation procedures, a security topic that was all the rage in the 1990s, before Y2K.   There were actually some security mishaps in my workplace in the early 1990s:  a contractor one time stole a server, and another time an operator was arrested for embezzlement, scary stuff if it happens where you work.

Saturday, April 01, 2017

Gaming scams; Federal Reserve phishing attack

Local station WJLA in Washington DC reports on recent phishing scams involving gamers wanting to move to a next “level” in the community operated by a game.  Since I don’t “game” I’m not sure how it could work.  But people whose accounts have been fraudulently manipulated will find them canceled by gaming manufacturers.  Symantec has an article here.    I wonder if this applies to Second Life.

It would be like having a USCF chess rating fraudulently raised.

There is also a new phishing scam of “embargoed news” from the Federal Reserve.