Wednesday, November 30, 2011

"Forward Secrecy" will enhance https


Parker Higgins at Electronic Frontier Foundation has an important discussion of a new security enhancement to “https” or encrypted sign-on, and that’s called “Forward Secrecy”.  The link is here. Apparently, Google is introducing it with its accounts (to augment remote 2-step verification).    With Forward Secrecy, some information needed to decrypt messages in the future is “ephemeral” and is never stored.  It’s a kind of “reverse pay-if-forward”. 

Monday, November 28, 2011

More on web sites "yellow-rated" by Webroot

Since I have (somewhat consistently, recently) gotten yellow warnings from a number of sites from Webroot that McAfee and MyWOT accept, I looked up a review on PCMag, from 2011, here. The sites particularly include movie reviews, retail, and some foreign blogs.

The reviewer talks about McAfee and Norton flashing red-colored (blacklisted) pages that Webroot missed.  I haven’t experienced this; on a few rare occasions, I’ve seen red pages from all, including MyWOT.  Google and Bing (as well as Yahoo! safe search) seem less likely to include these sites these days from search results. 

The yellow page is supposed to indicate suspicious behaviors sometimes associated with malware distribution or keylogging or other infectious behaviors, on sites that have not been "blacklisted".  Webroot does not seem to say exactly what behaviors are suspicious; is it what we call “unsafe code”?  One could wonder how the passage of SOPA might affect the way site-security ratings work (and the other way around).

It would be helpful if all site rating services could distinguish between hazards of computer infection (upon visitation or use) compared to a reputation for other bad business practices (such as was the case with Righthaven and MyWOT). 

In some cases, I don’t give a link to a Webroot-yellow site; for example, I may be able to find a Facebook page for the company and use that instead. 

Monday, November 21, 2011

Cyber attacks on utility infrastructure through public Internet are happening, according to Privacy Clearninghouse; bundling of land line phone can lead to home security holes

A story by Selena  Frye in Tech Republic, “Warning: this privacy website might depress you”, link here  was link-tweeted today by Webroot.

The story is about a database in the Privacy Rights Clearinghouse that has come up with some incidents where the operation of a public utilities in the United States was compromise by cyber attack. One story concerned a water pump in Illinois.  In 2002, some critics started warning that utilities could be vulnerable to terrorists with cyberattacks, but most people wondered why they were even accessible through the public Internet. 

One could peruse the Privacy Clearinghouse Chronology of Data Breaches, link here.  

There’s a least another reason for your power to go out.

Here’s something else: cable and FIOS companies are bundling land-line phone service with television and Internet. Home security systems are dependent on land-line connections, and a bundled service may be much less robust against both natural disasters and possibly deliberate attacks.  The cable and home security industries need to start working together on this.
Update: Nov. 26

There are later reports that the water pump failure was caused by a foreign contractor but not by malware or hacking itself. Ellen Nakashima has the story Nov. 25 here.



Saturday, November 12, 2011

Webroot scan shows a Kelogger for Chrome; not sure if false positive yet

Today, Webroot Spysweeper quarantined a “commercial system monitor” that it called “Gumshoe Keylogger  for Chrome,” with Sophos research report here  (code AF770ECL). A commercial system monitor installed by an attacked on a home computer could steal passwords and personal or banking information.

In April, 2011, Google wrote an answer to a similar question about this (and another warning just called “Keylogger for Chrome” which it says are Webroot false positives.  It’s not clear from the answer if this refers to the “Gumshoe”. McAfee is also discussed as having flagged warnings.   The link is here.

A legitimate keylogger will exist in any browser that supports Search Auto Complete in Google.  This topic requires more research. I'll have to notice whether future Webroot scans find the same item.

Update: Nov. 26

Webroot, under the latest release of Mozilla (but not Chrome) continues to warn about sites that all other site safety services accept, particularly some movie official sites and some overseas blogs about protests and detentions. 




Wednesday, November 09, 2011

FBI, Estonian police bust huge botnet causing DNS contamination

Trend Micro reports the takedown of a massive botnet Tuesday Nov. 8 of over 4 million nodes by the FBI and Estonian police, with the detailed technical story here. The takedown of Esthost is being called the biggest cybercrime bust in history!

The botnet comprised computers with DNS settings pointing to foreign IP addresses.

This story may be related to a report Monday of DNS “cache poisoning” in Brazil. 

Ordinary home users in the US may not have been much affected. Cases of what may look like DNS contamination may result from misspelling of domain names to synonyms that are taken over by distributors of malware and fake anti-virus software or ransomware.

However, in July 2008, major security companies held emergency meetings at Microsoft over predictions of how DNS contamination could occur.

Update: Nov. 10

Shaun Waterman reports on the incident in the Washington Times, "Six Estonians arrested in 'cyber-infestation'" which he says affected about a half million personal computers in the US, and 4 million around the world, link here.

Tuesday, November 08, 2011

Cloud email and other Internet services start to offer 2-step verification processes, using cell phone; Gmail (Google account users) encouraged to switch to it now

First, I want to recommend that everyone read the detailed article in the November 2011 Atlantic, p. 100, “Hacked”, link here. The TOC subtitle is "An inside look at the unsettling perils of cloud computing, and how to avoid them". 

The writer describes an incident in 2011 when he and his wife returned from a trip to China, and one morning his wife found that her Gmail account was locked up. By logging on to his own Gmail, Fallows discovered that his wife’s account had been hijacked for a “Mugged in Madrid” scam.

What happens is similar to spam with sender spoofing, but it is more dangerous because the email owner’s account is logged into (by stealing the password) and used to send spam.  In this case, the spam tries to collect money from “friends” of the victim.  (It’s easy to imagine trying to do this with a Facebook Friend’s list.)   Of course, with well-educated populations, most people will recognize the scam and not respond.  But the scam is operated usually from a poor country, where the scammer needs only to collect from maybe 1% of the contacts to “make a living”.

It’s not clear how the password was compromised. The most likely explanation (multiple choice test question) is that his wife had used the same password (although strong) on less secure sites, including Gawker.  It’s possible to crack passwords today even when the server like Gmail limits attempts from an automated script.  (The same sort of issue has existed with using captcha’s to prevent spam, particularly spam blogs.)  Since the logon is encrypted (https), it shouldn’t have been sniffed, but perhaps overseas in China it could have been.

As to the extra dangers: In theory, it would sound as though the account owner could have legal liability. Unlike simple spoofing of his sender name, the actual account is used. I haven’t heard of litigation or prosecution from this. But what if an account were hijacked from the cloud and used to send child pornography? Some prosecutors still believe in a potential “absolute liability” doctrine for misuse of one’s own resources.  This would be a good question for Jeffrey Toobin or Richard Herman on CNN.

Fallows says that his wife's entire Gmail content spaces was deleted (usually this doesn't happen), and only because of recent changes in Gmail policy was the company able to restore it. Typically, companies are more concerned that they can permanently delete materials when told to by consumers (for privacy reasons). [Facebook may be the exception.]

Fallows describes the common transient attacks on Gmail, and recommends that users start taking advantage of Google’s two-step verification process, which has been in use for about a year.  I just signed up for it today.  The theory is that to log on a user must have not only a password, but also access to a physical cell phone.

The process applies to the entire account, not just Gmail.  When you sign up, the process tests your cell phone first with an SMS message.   (It does not force you to change the password if it is already strong enough.) You will get a second text (which you must use) for your first “live” logon.  You can use one pw per computer (and once for every browser on that computer, in my experience) every 30 days.  I presume that this means that if you have several laptops, you go through the process for each machine. (If your cable provider changes your IP address or you have more than one way to get on – by going to a hot spot, I’m not sure if you have to reverify I wonder if Webroot Spysweeper's prediliction for quarantining cookies will cause more frequent need for new verification codes.)  When you plan to travel, you should set up your travel laptop the day before.  

The process supplies backup codes and the opportunity to add a second phone should the cell phone not be working.

Owners of some devices (including Androids and recent Blackberries) can download a Google Authenticator, which generates codes not dependent on a cellular wireless connection.  After download on the Blackberry, it can be found under “Downloads” (an envelope icon) and the application icon looks like a G in heavy metal.   When I signed up, it did not give me the opportunity to use it.

Once you use the process, other applications (like Picasa for pictures) will require generation of one access code per app.  Save these in hard copy (and back up on a thumb drive or Carbonite).
Google’s main link for the 2-part process is here


Fallows’s Atlantic article discusses Gmail only, and doesn’t mention that the process applies to the whole Google account.  But Fallows passionately recommends that everyone use it, as do most other security experts who write about it on the Web.

This suggests that banks (and especially brokerages) might start using a similar process to protect customer accounts. Other email providers, like Yahoo! and AOL, would be well advised to follow suit. (I have been spoofed many times on AOL, with a particularly massive incident in 2006, but never had the account taken – particularly dreaded in early days when my publications were on Hometown AOL.)  Shared hosting ISP’s might also start using it; most have recently started to require strong passwords on everything.  Would it be practical for Facebook and Twitter?  Probably not – if mobile access is part of your strategy, how do you require the user to have a second device on hand?

(Second photo: from the DC Metro, Jan., 2012).


Update: Jan 27, 2012

Today, I couldn't physically grab my cell phone to open the text message from Google quickly enough, and it sent me a second text.  When I finally opened it, Google still took the first verification code, which continued to work on the same computer (and same browser, Chrome; different browser will generate another code request).  I'll have to make sure the code "stays down" today.

Feb. 2

Google's new privacy policy indirectly means that the 2-step process is even more important than before.


Monday, November 07, 2011

Site redirection to surveys occurs with wrong tld's on popular sites (as well as phonetic misspellings); Brazil reports DNS cache poisoning crisis, could spread to US?

Today, there was an odd incident trying to access the “Khan Academy” online school, which was reported on CNN last night by Fareed Zakaria.

I found an old link to this site which, on my on May 30 posting on the Bill Boushka blog which, when I clicked on it, apparently took me to an online survey site.  (This has been a problem when misspelling Facebook).  I checked again on firefox and found that today the correct name is khanacademy.org, (the misspelling with "kahn" and .org resolves to “rm.910587.kahnacademy.org” but sometimes won’t load and leads to a connection reset -- again, suspicious behavior which should lead a surfer to suspect misspelling). 

A Webroot scan subsequent to the accident found multiple spy cookies but no viruses.  
 
If you enter KhanAcademy .com in Mozilla, it resolves to org.  I also found fake entries for the .com version in Facebook.

It now looks like the wrong sites came from misspelling "Khan Academy" as  (incorrectly)   "Kahn".   I also found fake entries for the  misspelled .com version in Facebook.    (I also corrected the Khan spelling on a May 31 post on the my main blog.)  It's easy to scramble unpronounced letters in other languages. 


Again, it seems that hackers to usurp unused tld’s of popular sites, as well as likely misspellings.  "Social surveys" usually try to collect personal information and make money my gang-sending cell phone texts, as well as install spy cookies.

And now Net-Security is reporting that Brazilian ISP’s are encountering “DNS cache poisoning attacks” when visitors go to common sites like Google and Facebook, putting up fake pop-up windows with fake anti-virus software.  The report posted today is here.  Kaspersky has been reporting on the problem. 

Is there any chance that the cache poisoning is happening to popular sites in the US, in order to implement crude hacks to get personal information?

Check my posts on the DNS crisis in 2008 in August 2008 on my "id theft" blog. Some attorneys with a technical and security background have warned that the SOPA or Protect-IP legislation now proposed in Congress could encourage DNS cache poisoning.

Saturday, November 05, 2011

Android offers trojans that you have to pay for

Webroot has an important story by Armando Orozco and Nathan Collier (on Twitter today) about websites dedicated to selling only rogue Android applications with Trojans.  Not only that, the applications have legitimate versions often available for free.  And users are cajoled into sending at least three premium rate SMS text messages.  This sounds like a very bizarre scheme to be sure.  You get what you pay for, all right (and that wasn’t always the case in my early days of buying classical music records).

Here’s Webroot’s link.

I don't think any of this applies to my "Obama-owned" Verizon Blackberry -- yet. 

Thursday, November 03, 2011

Web publishing industry could face existential threat from "malvertisements" -- malicious adware the gets past screening by major sites, publishing services

Byron Acohido has a major front page story in USA Today on Thursday Nov. 3, “’Maldavertisements’ take their toll; tainted ads infect computers, send victims griping on Twitter”.

A security film “RiskIQ” (link) reports the spread of up to 15000 tainted ads from supposedly legitimate sites in May 2011.

It’s not absolutely clear from the story whether users were infected merely by the embedded display if the ad, or only when they intentionally or willingly visited the ad. The story seems to suggest that for a couple hours visitors could be infected merely by visiting a site called SpeedTest (link), which measures the effectiveness of broadband connections.  Fortunately, the company caught the problem quickly.  I just checked the site on Mozilla and found it has good trustworthiness ratings from everyone, including MyWOT.

Another firm reporting serious risks to home users is Stach & Liu,  (website url) link

The most common complaint seems to be “ransomware”, that locks up a user’s computer until the user pays a “ransom” by credit card for fake anti-virus “protection”, rather like an on-line Mafia protection racket.  These ads have also been common in “spam” comments on blogs, but they are easily avoided when webmasters monitor comments before allowing posting. 

USA Today also reports that users are complaining on Twitter (rightfully so), causing loss of readership and revenue for some sites.  MyWOT reviewers often downgrade sites merely for carrying ads. 

It’s pretty easy to see how this problem could become an existential threat to the whole website advertising industry, which supports “self-publishing” by newbies (apart from social networking).

Major companies do screen the ads, but criminals have been finding ways to get around screening procedures, as detailed in the USAToday video.   Some ads are sold through networks of “middlemen” (or maybe like novelist Thomas Costain’s “moneyman”).  Some find ways to mimic “legitimate” sources with a process that seems to resemble sender-spoofing in email, leading to spam.

The New York Times had a major incident in the fall of 2009 with a malware that pretended to come from Vonage.  It’s not clear if the malware was launched merely by visiting the NYT web page. Ashlee Vance has a story Sept. 14, 2009, here. I see that I have a blog posting on that incident Sept. 14, 2009 here.

It’s not clear if Mac users have been affected much.


The link for the USA Today story is here.

Tuesday, November 01, 2011

MyWOT, Mozilla, Webroot mark wel-lknown advertising service, on well-known sites, as unsafe

Today, when I went to RogerEbert.com  on Mozilla and looked up a review of the “4M’s” movie, I got an interruption warning from MyWOT about zedo, which is a company that delivers “advertising technology solutions” to publishers.  The way MyWOT seems to interact with Mozilla and Webroot, it left the impression that continuing was very dangerous.  I found this hard to believe from a well-respected site.  When I checked MyWOT on zero, I found merely yellow warnings from users, here.

I can only add that Webroot is very strict about certain kinds of advertising cookies being used, when other security software allows them. 

I find that some of my blogs get marked down for "vendor reliability" by MyWOT merely because of the ads that they accept.