Thursday, April 27, 2017

US Cert warns on state-sponsored malware that could hurt ISP's offering shared hosting

US-Cert in Pittsburgh (DHS) has sent out a detailed bulletin (TA17-117A) about foreign malware, apparently aimed mainly at Unix or Apache servers, that could steal information from customer accounts, particularly in shared hosting environments.

The report is very detailed and technical  and requires a lot of knowledge of PHP and other scripting to understand.

But it suggests that all service providers insist on longer passwords, more frequently hanged, and use 2-step verification from consumers.
The greatest danger, though, would seem to customers who have major consumer data.  And this seems to be a tool that may be of value to state actors in special situations (like North Korea’s Sony hack).  There could develop some political sensitivities about who could become a target in a shared environment, making them harder to secure in general.

Sunday, April 23, 2017

Facebook wants you to recognize your Friends by face for security verification -- a likely story

Facebook is trying a controversial new security tactic: when people use Facebook from computers far away from home, they may be asked to verify names of friends by profile faces.

John Costine has a typical news story on Ad Week here.

Most of us have “Friends”, especially overseas, whose names we do not remember or whom we don’t recognize.  That is particularly the case for users whose posts are public and are often about news stories or rather impersonal.  Possibly the algorithm would ask you to identify Friends upon whose news feeds you frequently give Likes or make comments.  But the policy seems to be self-contradictory, or be predicated on an internally conflicted idea of social media “friendship”.

It's possible that users could mitigate the problem by continually using Facebook while in route by phone.  But this may not work with long plane flights (where cell service is not allowed) to distant destinations.  If driving, of course, you could use it frequently, at rest stops (if you have good nationwide coverage).  It’s also possible that the policy will apply more to overseas travel.

Monday, April 17, 2017

Consumers can be on the hook for fraudulent use their phone accounts (land or cell)

Consumers, both business and home, can be held responsible for fraudulent calls made with their account by hackers, overseas.

Look at this story in the Los Angeles Times about a customer of Spectrum (formerly Time Warner)  The particular customer owns a public relations firm in Brentwood, CA.   She wound up with a $6400 bill for calls to Cuba.  The news story was on WJLA in DC tonight.

Practically all telecom companies put these provisions in their fine print.  However, in practice, most companies have been willing to forgive calls that were obviously fraudulent.

The problems can occur with either landlines (usually digital now with cable providers) or cell.  There would be a logical question if a hack could occur anywhere else but inside the telecom company, which ought to be relevant to any litigation of charges like this.  But consumers may be threatened with termination of service in the meantime.

In the summer of 1995, just was hacking was getting started, one of my Visa cards was suddenly rejected at a supermarket, and I quickly got a call from the bank, about $3000 of calls from Canada placed on the card through ATT.  The charges were all reversed and the card replaced.  The cause of the hack was never explained.

I have not had significant charges for robocalls.

And back in Texas, around 1999, a $4000 payment made to me to settle an old problem over an assumed mortgage was stolen electronically.  But it was refunded to me properly.

Hacking has been around longer than people think, even on older mainframes;  companies have countered them generally by tightening application elevation procedures, a security topic that was all the rage in the 1990s, before Y2K.   There were actually some security mishaps in my workplace in the early 1990s:  a contractor one time stole a server, and another time an operator was arrested for embezzlement, scary stuff if it happens where you work.

Saturday, April 01, 2017

Gaming scams; Federal Reserve phishing attack

Local station WJLA in Washington DC reports on recent phishing scams involving gamers wanting to move to a next “level” in the community operated by a game.  Since I don’t “game” I’m not sure how it could work.  But people whose accounts have been fraudulently manipulated will find them canceled by gaming manufacturers.  Symantec has an article here.    I wonder if this applies to Second Life.

It would be like having a USCF chess rating fraudulently raised.

There is also a new phishing scam of “embargoed news” from the Federal Reserve.

Friday, March 10, 2017

Can my iPhone have viruses?

Yesterday, while browsing a supposedly mainstream news site on my iPhone 6, a popup claimed I had six viruses on my phone.  It took a little trouble to make it go away, but it finally did.
This does appear to be the old “fake anti-virus software” problem well known to Windows users from a decade ago.   I don’t see any evidence of tampering with any financial sites accessed from the phone (as I check them on varied environments frequently), and I don’t see any evidence of infection in any images or videos I moved to a windows machine for use (I did a full Trend Micro scan).

Nevertheless, I did a little check on the latest advice on iPhone and Mac malware, and here is a good article (although from 2012).   The article has some interesting discussion of past security problems in the java language and virtual machine, which was all the rage fifteen years ago.

You may be able to get rid of an “adware” message from Safari by going to airplane mode and closing and reopening Safari (video above).  This is similar to getting rid of a fake “system message” scareware browser hijack on a Windows machine.

Wednesday, March 08, 2017

CIA's Vault 7 does sound like a Roadside Attraction, to me at least

There’s a lot on the Internet now about the CIA’s Vault 7 “scandal”.  Milo Yiannopoulos carried the most bombastic story on his own beefed-up conservative news site (since he left Breitbart, but he presents very similar stories to Breitbart), here.

CNN has answered Milo by finally putting up a detailed story on how Wikileaks got the scoop, here.

This probably doesn’t matter to Internet users in the US much (except maybe those doing illegitimate stuff overseas on the Dark Web -- the CIA "normally" cannot "legally" spy on people at home).  But it does show that hackers could likewise compromise “the Internet of Things” and conceivably spy on people through smart TV’s (even when off but plugged in).  In the very worst circumstances, voyeurs could spy on women or children.  It also shows that in extreme circumstances, foreign hackers (like in Russia), maybe state supported, could spy on high profile Americans at home.

Young OAN correspondent Trey Yingst, 23, asked Sean Spicer about Vault 7 in a White House briefing Tuesday, and Spicer refused to comment.  I was watching (at home on CNN -- I don't have WH access, at least not yet).

This is almost the stuff you would need if you thought aliens from other planets could masquerade as Clark Kent clones among us. What would Donald Trump do about real aliens?  You can't deport somebody 40 light years away.

Saturday, March 04, 2017

Webroot warns of new IRS, Paypal phishing attacks

Webroot is warning users about fraudulent IRS W-2 emails, in this article.    The IRS won’t send you emails (except to verify that returns have been accepted – thru HRBlock).  State tax departments (like Virginia) often send business customers legitimate emails (like when sales tax reports are due).

And PayPal users are often targeted in phishing attacks (lately through Gmail), as in this Webroot story.   Since some small non-profits take Paypal but not credit cards (to help “unbanked” clients), most people need Paypal (which can be connected to a credit card for replenishment).