Thursday, August 31, 2017

FDA issues warning about pacemaker vulnerability to hackers


Now, if a threat "From Russia without Love".
The FDA has issued an alert concerning 465,000 pacemakers because of a software vulnerability, which could endanger patients. WJLA has the story here.

The FDA's own firmware update page is here.

It takes a visit to a cardiologist's office to get the firmware updated.

Pacemakers can prevent sudden death from cardiac arrest in people with certain arhythmias.

Friday, August 25, 2017

Op-ed in WSJ argues expansion of the Safety Act of 2002 to expand ransomware defenses


Brian Finch has a disturbing op-ed in the Wall Street Journal, p. A15, Thursday, Aug. 22, 2017, link.  Finch writes “while a systematic cataclysm is possible, targeted hacks against businesses do more harm.”
  
The writer says that even poorly written ransomware attacks can damage whole businesses, even large ones.  He argues that the Safety Act of 2002, which provides liability protections to companies that take up defensive strategies, should be expanded. 

Businesses are more vulnerable to phishing than many individuals, because attackers can emulate the actual business trademarks in their headers. 

Wednesday, August 23, 2017

Cell phone numbers get stolen to empty virtual wallets


The New York Times reports on thefts of phone numbers by people calling major telecom providers and finding vulnerable agents. 

The usual targets are people with large virtual wallet accounts, often in digital currency, who have talked about it in social media. 

It seems as once virtual money is stolen this way, it cannot be recovered, as it usually can for a little while with a bank account.

There are proposals that virtual wallet transactions need more time delay.


The New York Times has a story Tuesday by Nathaniel Popper, here 

Tuesday, August 22, 2017

Most modern laptops, tablets, phones and storage now seem immune to magnetic disturbance


I’ve written on this blog before (July 28) that individuals and small businesses should consider making optical backups (CD’s) as well as Cloud and regular disk copies, but I may have “spake” too soon (even in a message to Webroot).  It looks like modern flash drives (which are now in the last laptops instead of ordinary harddrives) have very little vulnerability to magnetism.  Here’s the article by Simon Hill on Digital Trends.  This may be relevant to the debate on the damage that can be done by enemy electronmagnetic pulse (EMP).

I’ve wondered if living very close to electric utility transmission towers could affect electronics (because of induced magnetic fields) but it does not appear so.

But users really should buy only the Single Layer Cell drives, which are the fastest and the most expensive, but you get what you pay for here  (Datarecovery article).  They last much longer.  It’s like diamond needles vs/ Sapphire playing vinyl.
  
Companies and even homes should pay attention to the possibility that environmental hazards could affect defibrillators or life-saving equipment, or in some cases people with pacemakers (NIH).



Update: September 3

I've watched a video that does confirm the idea that the E1 stage of an electromagnetic pulse from a nuclear explosion could affect solid state electronics (as in  car or modern phone or computer) even though ordinary magnets do not.  I will have to check on this further (and talk to Geek Squad).  This is a developing story.  The E3 phase (which also happens with solar storms) will not normally harm home electronics. 

Tuesday, August 15, 2017

DOJ requests IP addresses of visitors to Innauguration Day protest site


A shared hosting provider DreamHost (which specialized in Wordpress) has resisted a federal DOJ demand for the IP addresses of over 1.3 million visitors to a website “DisrruptJ20.org” set up to coordinate violent protests against President Donald Trump on Inauguration Day in Washington DC.  Ellen Nakashima has the detailed story in Economy and Business in the Washington Post on Tuesday August 15, 2017 here. The company is resisting those demands. 

  

It’s not clear how much protection https would offer, although it would prevent investigators from seeing what had been viewed.  But this the sort of situation that has led the Electronic Frontier Foundation to suggest that users learn to use TOR, even in the U.S.  

It's possible for people to be implicated in crimes using evidence from browser visits.  I don't know whether this could go further, monitoring behavior of people who might be believed to present s future threat, like to minors.  Even visits to certain Facebook pages could be interesting to some investigators, even in civil situations.



Update: Aug. 24

A federal judge in Los Angeles has ordered DreamHost to provide email addresses (probably IP addresses) of visitors to Disruptj20.org, Washington Post story by Keith Alexander here.

Here is Disruptj20's appeal to the public.

Monday, August 14, 2017

Techie who stopped WannaCry arrested for earlier hacking activity, which may have been legitimate


Marcus Hutchins, the 23-year-old Brit who helped stop WannaCry with a  kill switch, has been arrested y the FBI for supposed participation in spreading Trojan Horse Kronos  malware (from 2014-2015) through phishing or Word documents that can compromise bank accounts, story    This earlier activity is unrelaed to WannaCry.


But activity researching malware could be confused with actually spreading it.  US hacking laws are set up in such a way that prosecution for legitimate research is possible.  This sounds a bit like the “downstream liability” debate.
  

Hutchins was arrested at a conference in Las Vegas. 

Thursday, August 10, 2017

2-step verification: there are controversies within


There is controversy over which sub-method for two-step verification is safer.  Is sending an SMS message, common with Google and banks, and simpler for many users, less safe that an authentication app which does not require another message over the Internet?


Security Stack Exchange provides a detailed discussion from 2016 here
  
Ars Technica also reports on a special app for 2-step verification for Whats App, and the user rules are quite strict.


Tuesday, August 08, 2017

Conventional wisdom on complicated passwords changes


Here’s an interesting piece challenging the conventional wisdom on password security in the Wall Street Journal , by Robert McMillan.

The piece does not recommend forcing people to use special characters and random combinations of numbers and letters, upper and lower case, and to change passwords often. The problem is that when people change them, they don’t change them enough.
  
The other idea is that you don’t need to change a password unless you have reason to believe it is compromised. 

Monday, August 07, 2017

Phishing emails appeal to job skills I've never said I have


Here's another interesting phishing scam.  Emails that say they are interested in my "selling background".  How many times have I said that I am nor a huckster?  I've never sold insurance or mortgages.  I've worked on the IT systems supporting them.

Oh, maybe I'm treating "sales" and trolling consumers (which is how you generate leads) beneath my dignity.

There are also reports of a phishing scam imitating the Better Business Bureau.

I've also gotten one phish claiming a "relative" is in jail overseas/ 

Saturday, August 05, 2017

Odd dns link seems to try to load with some Wordpress pages in Windows 10 Creators Update ("incapdns")


I’m noticing odd behavior of my Wordpress blogs in Windows 10 Creators Update environment.
When I go to a specific page, in Chrome or Firefox (so far), sometimes the page tries to load from “incapdns.net”, which seems to be some ad-serving network judging from Google searches. Yet the blog post right now does not serve ads. It is conceivable that it comes from am embedded YouTube video which does have ads.

I’ve messaged Trend Micro to ask if this is acceptable behavior. A full scan does not find malware.
The Trend security report shows no problems.

I’ve also noticed that in Windows 10 Creators Update the sound can fail and YouTube will not play, and the problem clears with a Restart.

Update:

Apparently I get the same result on another computer with an earlier version of Windows 10.  Will try Windows 7, MacOS tomorrow.

I'm wondering now if this has to do with BlueHost's  "add-on" structure for hosting accounts.  This may be the domain that converts the physical url's to logical one's with dns resolution.  This process could eventually prove useful in a strategy to implement "https everywhere".

But I had found some negative links about the site online and sites that claimed to remove it.