Saturday, December 29, 2012

Microsoft W7 security fix appears to require more than one account on a personal computer

There is more to say about this most recent security fix to Microsoft W7 in the logon logic (Dec. 21, 2012 posting).

Twice today, on cold boot of my Dell XPS laptop with Windows 7, after getting to the “Welcome” step with the spinning circle, the machine just put up a blank light blue screen, no dump.  If I pressed the power button, and then told the boot BW screen to proceed normally, the boot finished normally. Checking around online indicated that to get around this, put up another admin account in Safe Mode. 

I went ahead and did this, not bothering with Safe Mode (it works in regular), creating another admin account and a regular user, with passwords and hints.  I found that neither user got all the programs (like Chrome) unless you add them again.  And I couldn’t get the regular user to give update access to Word documents.  If I’m the “owner” of the machine, it’s still much easier to work that way.

I did find that I don’t get the hang on a cold start (at least the first test).  We’ll see tomorrow.  I think that the software is counting logons and suddenly requiring another account or it goes into a loop looking for one.  One site said that when this loop happens it stops after about 15 minutes and says “logon failed”.  I didn’t wait that long.
Microsoft still seems a bit sloppy with these updates.  They can interfere with getting work done (even on Saturday night – why am I not clubbing?) 

Sunday morning (as with Benjamin Britten): fix still seems to hold. 

Friday, December 21, 2012

Can a Microsoft W7 security update require a cold restart?

I got a single Microsoft update for Windows 7 this morning for KB2753874, regarding a vulnerability that would allow an attacker to gain control of a personal computer and execute commands on it (like log on to your bank accounts, or copy keystrokes), if you visited certain malicious websites or opened a document with “True Type” or “Open Type” font files, with explanation here

This would be one of the scariest possible attacks. 

The single update took longer than usual to install.  Then, on restart, the computer would not completely reboot, but stayed on a blue screen.  Upon prompting with the power button (on a Dell XPS from 2009, a computer that originally had Vista), it went to the account locked screen.  Upon one more prompt with the power button, it turned off properly. On cold restart, it booted up normally.  On a subsequent restart, it took slightly longer than usual and executed the startup menu in a different sequence than usual. 

I haven’t before experienced a Microsoft update needing a cold restart to work properly.  The machine comes up and tells you it didn’t shut down normally the last time, but does restart as usual if you just press Enter once. 

I rarely get single updates like this (except for the Malicious Software Removal Tool).  Anyone else had this experience? 

(Yup, I've heard people say "Microslop".) 

Thursday, December 20, 2012

Scammers go to the gutter after tragedies with fake domains; more on Windows 7 stops

A word to the wise.  The media (especially Anderson Cooper, and Piers Morgan, who just tweeted an example) are reporting on a number of scams, domain names set up to help victims of the Newtown tragedy.  Similar scams exist also for Hurricane Sandy, but didn’t get much attention. (The Morgan tweet linked to a jewelry scam that, in Firefox, displays a "red circle" from MyWOT right on Twitter.) 

Here’s a typical news story, on NewsVine.  

There is a risk that scammers will create trademark-infringing domain names, deliberate misspellings (or different tld’s) to start fraudulent collection.

I really haven’t noticed that much phishing from either incident in my own inbox.

On another matter, a few of the conservative sites get really crazy with ads that hang Windows 7 for a minute or so, trying to load something like, “”.  Is “realtime” a Windows 7 service that needs to be in my Startup menu?  I actually allow pop-ups for “journalistic” reasons.  Webroot Secure Anywhere does not consider this to be malware.  The Washington Times and the Washington Examiner do a lot of this.  But then again, so does CNN and Major League Baseball.  

Saturday, December 15, 2012

PC Magazine now rates Webroot Secure Anywhere in the top three

PC Magazine has listed Webroot Secure Anywhere as one of the three most effective anti-virus software products in detecting and blocking malware threats.  The other two products scoring highest are Norton and BitDefender.  The story, by Neil J. Rubenking, is here.  

Webroot switched to a cloud-based product about eighteen months ago, and that means that users don’t have to let time-consuming data signature updates run.  The article also points out that antivirus companies are now getting away from annual releases of their products.
I have Kaspersky and Trend Micro on two other netbooks, and the Kaspersky is always asking for a data file update. 

I have Symantec Norton on my MacBook.  

The most effective anti-virus software tends to move from company to company as years go by.  What was best three years ago isn't necessarily so now.  

At one time, Webroot (I believe it's based in Colorado) called its anti-virus engine "Spysweeper" (the label I still use on the blog for it), which is how it was known in the industry (like with Geek Squad) and used Sophos as its engine.  

Wikipedia attribution link for second picture, Pikes Peak Summit. I drove it in a rental manual transmission car in 1994, and didn't use my brakes coming down (you use low gear). It was awesome. There is a restaurant on top and people work at 14000 feet.  

Tuesday, December 11, 2012

New "drive-by" ransomware impersonates the FBI, seems to have affected thousands in US already

Various media sources have reported a piece of malware that seems to take the form of a “drive-by” attack (upon visiting certain infected websites), called “Reveton” or “Moneypak” (these may be similar but different items).  They interrupt the user’s (Windows) experience with a warning purporting to be from the FBI (or IC3) that your computer is locked, with a demand to pay ransom through a credit card.  Of course, paying the ransom doesn’t free the computer. This is somewhat different from some previous malware in that it doesn’t appear to offer “fake” anti-virus software.  It may disable existing anti-virus software, particularly if it is out-of-date.

The FBI (in Tennessee) has a warning about the item here.

Of course, the FBI and other law enforcement agencies and police departments do not interrupt users with malware like this (although maybe the Stuxnet planted against Iran makes people wonder).  Law enforcement normally contacts or apprehends suspects directly. 
The IC3 version is described in SC Magazine here.

Station WJLA in Washington DC has a story today on the item.

Norton offers a removal tool for this item, which may not work in all environments, here. It may work if you use a different anti-virus product, but it is better to contact your own anti-virus company. 

Botcrawl has the most detailed discussion of “Moneypak” that I can find, with very detailed removal instructions (involving Windows commands and safe mode).  The user may want to print this out.  The link is here.

The virus seems to make use of the webcam on a PC or laptop.  Many users would have to take an infected computer to a service (like Geek Squad) to unlock the machine.  It’s a good idea to have a service contract (about $200 a year) if you have several computers and laptops.

Friday, December 07, 2012

Kennedy Center spelling and other sites; more on W7 hangs

I just noted an oddity this morning with a popular symphony orchestra site.  The correct spelling for the Kennedy Center in Washington DC is "".  Take out the hyphen, and you get to another site that appears to offer ways to buy tickets.  It gets a Green from McAfee Site Advisor, a 100 from Webutation (on Firefox), and "not enough data" from MYWOT.  If the site were not legitimately part of the Kennedy Center, it could also present a trademark infringement issue.
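Both this post and the December 20 one on fake charity domains turn on the same pattern: a registration that differs from a legitimate domain by a dropped hyphen, a misspelling, a swapped TLD, or a digit standing in for a letter. The following Python is an added example, not code from this page or from McAfee, Webutation or MyWOT; it screens a list of candidate domains against a short list of domains a brand owner wants to protect and reports why each one looks suspicious. The domain lists are constructed for the example, and the edit-distance threshold and homoglyph table are assumptions.

```python
import re

# Constructed list of domains a defender wants to protect (assumption for this example).
LEGIT_DOMAINS = ["kennedy-center.org", "example-charity.org"]

# Constructed candidate registrations to screen; none of these are real observations.
CANDIDATES = [
    "kennedycenter.org",      # hyphen dropped
    "kennedy-center.com",     # TLD swapped
    "kenedy-center.org",      # one letter missing
    "kennedy-centre.org",     # spelling variant, two substitutions
    "examp1e-charity.org",    # digit standing in for a letter
    "weather.example",        # unrelated, should pass
]

# Digits that read like letters at a glance (assumed table, extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def split_domain(domain):
    """Return (second-level label, tld) for a simple label.tld domain."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def normalize(label):
    """Collapse the tricks that keep a lookalike visually close: separators and digit homoglyphs."""
    return re.sub(r"[-.]", "", label).translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute), iterative single-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit_domains=LEGIT_DOMAINS, max_distance=2):
    """Return a reason string if candidate looks like one of legit_domains, else None."""
    c_label, c_tld = split_domain(candidate)
    for legit in legit_domains:
        l_label, l_tld = split_domain(legit)
        if candidate.lower() == legit.lower():
            return None  # the genuine domain itself
        if c_label == l_label and c_tld != l_tld:
            return f"tld-swap of {legit}"
        if normalize(c_label) == normalize(l_label):
            return f"separator/homoglyph variant of {legit}"
        distance = levenshtein(normalize(c_label), normalize(l_label))
        if distance <= max_distance:
            return f"edit distance {distance} from {legit}"
    return None


def screen(candidates, legit_domains=LEGIT_DOMAINS):
    """Map every candidate to its finding (None means it passed the screen)."""
    return {c: classify(c, legit_domains) for c in candidates}


if __name__ == "__main__":
    for domain, finding in screen(CANDIDATES).items():
        print(f"{domain:24s} {finding or 'ok'}")
```

A screen like this is only as good as the list it is fed: in practice the candidates come from newly observed registrations or certificate issuance, and the output is a queue for a human to review, since a two-edit match will also catch honest neighbours of a short name.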

I still get hangs from Windows 7 in embedded ads on a few sites (lately, CNN and some television stations) that start "realtime services".  The computer cursor wakes up when the service responds, which takes up to a minute, once since the last reboot.  Webroot and Trend Micro do not consider this undesirable behavior. (Haven't seen this on an older netbook with W7 and Kaspersky).

Here is another example of a popup or embed from CNN today that made W7 pause:

Wednesday, December 05, 2012

Mac users warned about new trojans; McAfee marks some sites as yellow in search engines when it has no report

Webroot Community Forum is warning users about a Mac Trojan associated falsely with the Dalai Lama, called “Gyalwarinpoche” and recommends not visiting it, at least on a Mac.  It installs itself in the user’s home directory under the name “Dockset” and does not show up in Finder.  It uses Java. 

The Webroot link, tweeted today, is here.

The Webroot story gives reference to a Cnet story about Mac Flashback Malware.  It can pretend to be an installer for Adobe Flash.  It grabs passwords and acts like a keylogger.  That story is here.
In another matter, I encountered an anomaly with McAfee Site Advisor in a Windows 7 environment this morning. A site for “Public Participation Project”, called “” gave a yellow warning through McAfee in search engines, but when I looked at the McAfee report it was gray and said it hadn’t been tested yet.  I don’t get the inconsistency. There are more details on the “BillBoushka” blog today.

Tuesday, December 04, 2012

Anderson Cooper presents some tips on protecting "private" photos on social media

On Monday, December 3, 2012, Anderson Cooper (and cohost Caroline Manzo) presented the issue of protecting photos that you post online when you intend them to remain within a specific circle of friends.  That’s not a practice I particularly recommend, but here is a (website url) link that gives some tips from Mashable. 

Note that you can turn off the GPS tagging in your smart phone, and can watermark your photos. 
You can also add McAfee protection to the contents of your Facebook account, here. You need to be logged on to Facebook to see it.

I tuned in late, but I didn’t see any discussion of a related problem (which has been presented before), other people taking pictures of you in possibly compromising places (maybe bars) and posting them (I took this up on my main “BillBoushka” blog on Nov. 26, 2012, as an “online reputation” problem).  Anderson has taken up that problem before, and I expect that he will again, maybe with attorney Parry Aftab or’s Michael Fertik.  The speaker and photographer has more rights in a public place than you might think.  But you can set up Facebook so photos can’t be tagged without your permission.
Caroline also talked about Internet threats, as here.

Monday, December 03, 2012

Washington DC sets up "bricking" to counter street cell phone thefts

Television station WJLA is reporting that Washington DC has put in a “bricking” plan to disable stolen cell and smart phones. 

The “bricking” means that once the phone is reported, the SIM card or phone can never be reused.  However, thieves are slow to realize that the stolen phones are quickly becoming worthless. 

There have been problems with theft in residential areas of the city and on the Metro, especially near exit doors of cars.  

The DC government and Metropolitan Police have set up a website for bricking, here.

Monday, November 26, 2012

McAfee Site Advisor displays different in browser than in reports; so does Webutation

Here’s another little oddity I’ve noticed about McAfee Site Advisor. 

Some of my blogs show up as untested (gray) on Site Advisor in search engine results and in Firefox, Internet Explorer and Chrome when I go to the sites.  If I navigate to the McAfee report, it shows up as green (illustration).

Other blogs of mine (about half) display properly in browsers. In the past, all of them did.

Webutation (on Firefox) also behaves this way.  On a couple of blogs, it gives a low score (about 70) in the browser, but shows 90 or 100 if I go to the report.  Sometimes, but not always, going to the report results in recalculation for the browser display.

Saturday, November 24, 2012

Banks need to be careful with scheduled maintenance

On Black Friday evening (November 23, 2012) I checked some bank balances online and found that when I went to a UBS account, the main website worked, but when I went to the client login, I got a DNS error.  The client logins all occur on subdomains with prefixes to the “ubs”. 

I searched through my emails and called the 888 tech support number.  I was surprised that they were unaware of the problem until they tried it themselves, and got a blank screen (I think the call center is in Ohio).  Explanation: they must have been doing maintenance.

The logon did work late Friday evening and everything was OK.  But the moral of the story is this:  when banks do maintenance they should inform their customers online as well as their phone support customer service employees.  They shouldn’t just let abends or DNS errors or internal server errors happen.  Customers have good reason to wonder if sites are being hacked.

It would be a good idea for financial institutions to consider implementing two-step logons similar to that available for Google accounts.  One possible problem: the need for the banks to all have their own custom smartphone apps for such purposes. 
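The two-step logon mentioned above works, in the Google Authenticator style, from a shared secret and the current time, so a bank does not strictly need its own phone app: any authenticator that implements the open standard will do. The following Python is an added example written for this post, not code from any bank, from Google or from the article; it implements HOTP (RFC 4226) and the time-based variant TOTP (RFC 6238) together with the server-side check, which tolerates one step of clock drift and refuses a code whose counter has already been accepted. The key used in the demonstration is the RFC reference test key, and the `last_used` bookkeeping is an assumption about how the server stores state.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time in `step`-second slices."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key, submitted, at=None, step=30, window=1, digits=6, last_used=None):
    """Server-side check. Returns the matched counter, or None if the code is rejected.

    - tolerates +-`window` steps of clock drift between phone and server
    - compares in constant time
    - rejects any counter <= `last_used`, so a code captured in transit cannot be
      replayed within the window (the caller persists the returned counter as last_used)
    """
    if at is None:
        at = int(time.time())
    current = at // step
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


def new_enrollment_secret(nbytes=20):
    """Random shared secret, base32 encoded the way authenticator apps expect it in a QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 reference key (ASCII "12345678901234567890"); a test vector, not a secret to reuse.
    rfc_key = b"12345678901234567890"
    print("code at t=59:", totp(rfc_key, at=59))   # 287082
    print("fresh enrollment secret:", new_enrollment_secret())
```

The security of the scheme rests entirely on the shared secret staying on the phone and the server, so the enrollment string should be shown once and never e-mailed; the replay check matters because a phishing page that relays a victim's six digits in real time still gets exactly one use of them.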

Thursday, November 22, 2012

NBC News covers password security

Tom Costello, on NBC Nightly News Wednesday Nov. 21, reports on password security, including another incident where hackers broke into her account to send 20000 emails around the world asking for money.


The article says that people can learn enough from your social media accounts to put together password guesses.   The more you link accounts, the greater the risk.  And use “Argo-fake” answers to security questions that no one can guess and that are not on the Internet.

It is also a good idea not to rely on the cloud completely, but to make backups of data (including creative manuscripts and web pages) and keep them in physically scattered locations (including a safe deposit box in a bank).  It may be a good idea to have hand copies of passwords and question answers not stored on the web (or even on your computer) anywhere.  It is also a good idea to check everything frequently.  That can be a problem for people who go out of the country or go to the hospital, for example.  For example, hospitals ought to allow patients who are well enough to purchase wireless service the way they pay for phone.  

There have been over one billion hack attempts this year, according to the report. 

Sunday, November 18, 2012

McAfee flags a few embedded YouTube videos; a note on Gstreamer; a note on Webroot Secure Anywhere

I have a couple of little anomalies to report.

I've noticed since Google Chrome picked up the McAfee Site Advisor plug-in, that once in a while McAfee blocks an embedded YouTube video as dangerous (red rating). I found this to be the case with my review on the Movies blog of "The Dark Knight Rises" on July 12, 2012.  The embedded video was the Warner Brothers official trailer and seemed to have been posted by WB.  I found that played manually with the "watch" subcommand it did not get the warning, but it did with "embed".  I went ahead and chose a different YouTube video, an interview-preview of the movie from ENTV, with no problems.

I don't know why a YouTube video would get marked red, no less one from Warner Brothers, the official studio trailer, unless it has something to do with the "notoriety" of the movie.

I've also noticed that in Windows 7 my user directory had a new folder called ".gstreamer-0.10" with a single bin member "registry-i686.bin".  It gets updated whenever I reboot.  Gstreamer is related to multi-media.  Webroot does not give any warning on a Secure Anywhere scan.

Also, about once a month, Windows 7 asks me permission for Webroot Secure Anywhere to make a change to the registry.  

Tuesday, November 13, 2012

Washington Post insert explains Metasploit; McAfee founder forced on the lam overseas

On Tuesday November 13, 2012 the Washington Post included a “special report”, “Cybersecurity”, as a Section AA. The main news story is “Zero Day: Under Attack: Trojan horses, malware and other tools for the heist just a click away”, by Robert O’Harrow, Jr.  The online version is titled “Hacking tool kits, available free online, fuel growing cyberspace arms race”, link here.  

The main focus of the article is a site named Metasploit, which brands itself as “Penetration testing software”, and has perfect scores from website safety rating services, link here, and is associated with a security firm called Rapid7 (link).  

Companies use this site to stress test their infrastructure against deliberate attacks, but the same “tools” are available free to anyone with an Internet connection, including hackers and script kiddies.

In another story, Bill McAfee, who founded McAfee, Inc. in 1989 as one of the first major anti-virus companies, is a person of interest for a slaying in Belize and is hiding out from police, whom he fears will slay him, according to media reports such as this story for Business Week by Adam Williams, link.

In the mid 1990s, Norton was perhaps the leading company, but I recall a coworker who ran the corporate LAN describing Bill McAfee as dedicating himself to eliminating computer viruses. In the good old days, most computer viruses were spread by floppy disks and email attachments.  Remember the Jerusalem virus?  The Microsoft Word “concept virus”?  By 2001, they had gotten much more serious.  I remember the “Magister” virus at work just before 9/11.  My machine didn’t get it, but many employees had their Windows 2000 or NT machines re-imaged.  “This is the real thing” people said.  It wasn’t.  

McAfee does not (as of my discussion five months ago) have a good reputation with the Geek Squad, which has favored Kaspersky, Webroot, and Trend Micro, and even uses some special removal tools like Asquared and Spyware Doctor (see June 15, 2012).  

Monday, November 12, 2012

Webroot Secure Anywhere changes system panel, some interesting running totals

Webroot has made some changes to its Secure Anywhere product. If you invoke the icon, it displays a system console which shows a running total of system events (now almost 300 million), and a note of the most recent automated system scan.  I’m not sure what it means by “2 secured sessions”, or by system cleaner. The firewall is monitoring about 27 processes with over 80 internet connections. 

Thursday, November 08, 2012

NYTimes offers strong password tips and security practices (including travel)

Today, the New York Times has some pretty useful tips in an article by Nicole Perlroth, “How to devise passwords that drive hackers away”, p. B8, Business Day, link here.

Some interesting observations are that a strong 14-character password (using special characters, all cases, letters and numbers randomly) should take 24 hours to crack. Others are to use nonsense answers to “security questions” and to use separate browsers for surfing and for critical business.

Use of password management systems can be double-edged, just as can using the “Cloud” for all your backups.  It’s a good idea to have physical copies of your data in more than one location, and to have printed or handwritten copies of your passwords.  Think carefully before traveling of how things can go wrong. 

There is even a recommendation to create passwords by “encrypted jamming” so that you don’t know it and could not be forced to turn it over to an intruder in case of a physical confrontation (as when carrying a laptop on the street or conceivably a home invasion).  That sounds like having a maximum daily withdrawal amount on an ATM debit card (good idea, unless...).  Hopefully these kinds of confrontations so far have been very rare in practice.  But some executives might need to consider them (at least in the movies).  

Wednesday, November 07, 2012

Bogus Facebook notification emails link to dangerous trojans

The Webroot Threat blog has a story on bogus Facebook notifications (from “friends”) serving malware, by Dancho Danchev, here.

The emails contain links to infected sites with Trojans that enable the attacker to control the subject’s machine, for DOS attacks or for access to normally protected accounts, like banks and Gmail.  Possible major hacks could occur this way. The Trojans include “Ransom.win32” and “Generic.KDV”.

You can secure your Facebook account if you think it has been compromised by going to the subdirectory “/hacked” after you log on.  You will be asked to supply your password again. 

I get bogus notifications all the time, one or two a day at least. 

Tuesday, October 30, 2012

Reader posts a comprehensive resource for internet safety

A reader provided me with this resource on Internet safety, called “Internet Safety Tips: A  Comprehensive Resource”, link here

I’ll underline a few of the tips.  One is to log off sites before shutting off a computer. That’s especially true with public computers.  Another is to delete cookies before getting off public computers.  I don’t have much occasion to use them now, but there is a case for saying that hotels could really help travelers by providing much more “business center” capacity with much better security.  That’s particularly relevant if people go to hotels to stay connected after residential power losses due to storms like Sandy.

Another tip has to do with using the best encryption for a home wireless router.  We could see more cases in the future where the idea of legal liability for misuse by wardrivers is explored.

There are good tips about online reputation, which I’ve discussed extensively on my main (“BillBoushka”) blog.   One important tip is not to forward private emails.  On the other hand, Twitter encourages retweeting of posts, so on Twitter (as everywhere else) think about what you post and make sure you want the world to see it.  Don’t be overly confident about privacy settings or “concentric rings”.

Picture: look at what a customer found at a well-known restaurant recently in Arlington. 

Thursday, October 18, 2012

Malware could impact implanted medical devices

Today, Webroot tweeted a story of a “proof of concept” experiment (from Australia) where a hacker could manipulate a heart pacemaker and electrocute someone, link here. 

This has happened in the movies before (I think it happens in one of the Bond 007 films), but I’ve never heard of murder being committed this way before in real life.

Apparently the medical device can receive a wireless signal that an attacker could generate.

Does this possibility explain why many hospitals say they don't allow cell phones or wireless devices in patient rooms?  Is there really a risk of hacking through them?
This could raise airline security questions, too.

Although my own mother died at 97 of congestive heart failure in late 2010, the idea of a pacemaker never came up.

Also, today, the Wall Street Journal is reporting on increased DOS attacks on US Banks from Iranian hackers, p. A11, link here

Friday, October 12, 2012

Shamoon virus outbreak in middle East prompts warnings to companies from Panetta; could it spread to home users?

A large number of computers in Saudi Arabia owned by Aramco, and in Qatar owned by Ras Gas, have been infected and rendered “inoperable” by a virus called Shamoon, as in this story of Sept. 25 by Summer Said of Dow Jones in the Gulf Times, link.  

Leon Panetta has warned that similar attacks could compromise railroads or power companies in the US, as in this story on p. A5 of the Oct. 12 Washington Post, link here.

It still is hard to believe that components of critical infrastructure would be accessible through the public Internet.  Some infections might have been introduced by flash drives.

Panetta has called Shamoon the most destructive virus yet for the private sector, Reuters story here

It’s not immediately apparent whether it could impact ordinary users, or how a home user could encounter it.   It appears capable of acting as spyware and of destroying data, both. 

But Kaspersky’s Dmitri Tarakanov has a detailed technical discussion on how Shamoon works, here

So it’s fair to say that data signature files from major vendors (including Kaspersky) have been updated for this threat, and that Cloud-based services (Webroot Secure Anywhere) would recognize it. 

The virus is reported to have major bugs and appears to have come from a hacktivist group rather than a state.  One of its payloads is a small piece of an image of flag-burning.  There is some mention of the idea that this virus or a similar one can affect both Windows and Unix based systems. 

There is some similarity between Shamoon and Wiper, which shut down some businesses in Iran last spring.
Effective cyberwarfare against the US and the west (not including the use of crude DOS attacks) assumes access to critical infrastructure from the public Internet in most cases, and this should be relatively easy to stop.  Much more grave threats could come from EMP weapons, which can be small and non-nuclear and can affect significant areas even from the ground.  The US Army has these weapons and uses them in Afghanistan now (and used them in Iraq), so conceivably they could fall into the wrong hands or be crudely duplicated.  

The New York Times is also reporting on Panetta's remarks big time Friday morning.

Thursday, October 11, 2012

EFF offers tips for travelers, particularly when crossing borders

Electronic Frontier Foundation has a detailed white paper, dated Dec. 2011, on safety for your digital life (Internet accounts and physical data on your computers, both work and personal) when you travel, particularly across the border, link here.

In some cases, international travelers could face delay, compromise of their data (if it is sensitive) or even damage if there are customs inspections of data as they cross borders.

EFF recommends that travelers consider carrying no data and retrieve data from the Cloud, if going to a country and location with good service.

The practical risk of misuse of much personal data, however, is often low, and many travelers may prefer to have backup copies of important files on their travel machines.

Users might consider using two-step verification and changing passwords on machines they will take with them.  But that strategy could backfire if a customs agent keeps the machine for a while.  I actually like the idea of handwritten sheets with critical information, as long as the traveler is very careful about what’s on his person.

I personally have not encountered any TSA-related problems yet with travel.  I have carried an iPad and small conventional laptop in a TSA-approved bag, along with accessories in a carry-on, without incident. 

Monday, October 08, 2012

Pete Townshend's story illustrates the risks of false accusations of c.p.

Pete Townshend appeared on ABC “The View” today (Oct. 8, 2012) and recounted his being accused of trying to access child pornography in Britain in 1999, and winding up on an offender’s registry for five years.

A posting on the UK Daily Mail by Peter Sears tells his story, here

Apparently, he paid seven pounds by credit card in 1999 to access a site with a conspicuous link to c.p.

The police also raided his home in 2003 after getting information from US authorities (customs or FBI) based on records of a site in the US hosting c.p.

But he says he never intentionally viewed any illegal content.

Townshend has an autobiography explaining the incident, “Who I Am, A Memoir” just published by Harper.
The incident shows how accusations of this crime can occur.  There has been concern that they can come about with virus infection. 

Friday, October 05, 2012

"MitB" malware can "misprocess" payments in real time

A news story by Kyle Wagner on Gizmodo reports that a new kind of malware can steal or modify payment info from an Internet browser in “real time”.  The item is called “Man in the Browser”, or “MitB” (not “Mitt”), which apparently got more sophisticated recently.   In the past, it had acted like a typical keylogger.  But now it can really process payments in real time to a fake institution.

The link for the story is here.

The story would tend to imply that it’s important to see the “verification” image when you log on to a bank’s website so you know that you really reached the bank’s true site.   Always log in directly with the URL yourself, not from a link.

The article (and particularly the comments) recommends some new encryption products.  

Thursday, October 04, 2012

FTC fines person over $100 million for selling fake anti-virus software

The FTC is getting aggressive – not just against telemarketers, endorsers, and collectors of minors’ information (other blogs).  Information Week reports that a woman has been assessed a $163 million civil judgment for her participation in running a “scareware” ring (in six countries) that duped consumers into purchasing fake antivirus software, sometimes apparently by locking their computers until they paid ransoms. 

About five years ago, it was common to find sites that, if linked from a Windows XP system (before I had Vista and W7) would bring up a Microsoft application box (like what is generated typically by .NET) telling you your machine was infected  and encourage you to navigate to the fake virus software link. In my experience, you could close the box and “nothing would happen”.  Eventually the machine that this happened on became unbootable, but that could have been because of hard drive aging. 

Comments advertising these products with links were often spammed onto blogs, until Blogger and Wordpress began filtering them out, and in the meantime I (as did many other bloggers) implemented mandatory comment moderation.  

The Information Week story by Matthew J. Schwartz (tweeted today by Webroot) is here.

Schwartz links there to another one of his valuable articles, about Malnets.  My own major ISP, Verio, at least used not to offer java on shared hosting because of what it said were security problems with server-side processing (it offered “only” php as a language).  I had another small site on another ISP which offered "java starter", for about four years, from 2002-2006, when it suddenly tanked on support.  I’ll tell that story later, because it’s important.  

Tuesday, October 02, 2012

Internet security companies discuss the "stolen accounts" business

Webroot is reporting (on its “Threat Blog”) on the increase in “do-it-yourself” (“DIY”) techniques that seem to encourage novice cybercriminals to try to enter the world of trafficking stolen Internet accounts (email, FTP, rootkits, shells).  There seems to be a “multi-level marketing” scheme which draws in novice cybercriminals, who are often deserted (as in legitimate MLM’s, the guy at the top makes most of the money and can often run). 

The latest post by Dancho Danchev is “A look inside a boutique cybercrime-friendly E shop”, in four parts, the last of which is here.  The link is here.

Another party in the AMR (adaptive multi-rate audio) business writes about having hosting accounts “stolen” and then shut down, here on “Black Hat”, link

This seems to be related to the activity that Webroot is discussing in its Threat Blog. 

Thursday, September 27, 2012

Employee personal social media accounts could attract dangerous phishers to workplaces

The Washington Post has a front page story on the indirect danger to workplace networks from social engineering of phishing attacks aimed at employees.  The story by Robert O’Harrow Jr. is titled “Zero Day: Cyberattacks hit targets with human touch”, online “investigations” link here

Cybercriminals troll the personal social media accounts of low-level workers in sensitive jobs and figure out how to send them emails, often with sender IDs spoofed to the names of other coworkers, that lead to infection of their employers’ networks with spyware, which in turn can lead to industrial espionage or to compromise of customer accounts.
It’s disturbing that personal social media accounts can lead to these risks for employers, and they could lead to more “conflict of interest” and blogging policies.  

Thursday, September 20, 2012

Hackers associated with Muslim outrage or with Assange claim credit for outages really caused by ordinary server programming bugs ("unsafe code")

Media sources report a slowdown at the Bank of America website and possibly other financial institutions this week (particularly Tuesday September 18), because of alleged cyber attacks motivated by the amateurish anti-Muslim film supposedly made by private right-wing elements within the US.

Michael Endler has a story on Information Week here

I have my own checking at BofA and have noticed no problems this week.  I have noticed slowdowns before in the past, and one or two outages.

Info Week links to another story reporting that GoDaddy had a recent outage that it says was caused by “corrupt router data tables”, but hacktivists claimed “credit” for the outage.

Companies could have outages because of ordinary internal bugs, and hackers might claim bragging rights when the problems are made public.

A few weeks ago,  on a normal weekday, I had a situation where I could not reach my own ISP through my Comcast Internet service, but could reach it through my Verizon hotspot.  Yet most other websites were working normally through Comcast.  The situation lasted about twelve hours. 

Update: Sept. 22

Later media reports suggest that Iran was involved in a DDoS attack against Bank of America, in retaliation for sanctions; the attack was not very "successful".  Ellen Nakashima has a story in the Washington Post here

Thursday, September 06, 2012

Major sports, news, banking sites serve complicated ads that can cause Windows 7 to stall briefly and then give unwanted popup link

I’ve noticed an annoying problem on all my Windows 7 laptops.  After rebooting, and only once before the next boot, the machine will hesitate about thirty seconds when it encounters certain kinds of ads on certain sites (especially newspaper sites and Major League Baseball and, curiously, Suntrust Bank).  The machine freezes, and the mouse pointer or trackpad will not operate. Finally, the machine “releases” (the Dell XPS laptop, which was converted from Vista, beeps a few times), and goes to a full link of the unwanted ad. 
Tapping the trackpad will get the machine to release (but using the wireless mouse, an attachment, will not), but causes a link to the ad, which then fills the screen as an unwanted visit.  The advertiser will be charged for the ad display by the site, which the user may not have intended to visit or have a legitimate interest in.
Perhaps there is a problem with the startup procedure in W7, and the ad is using an application (like some part of Shockwave) that requires additional memory allocation. Or perhaps it is “unsafe code” (in Java or C#) on the site.

This morning, I had the problem with Rosenthal Nissan Honda when visiting the Washington Post site.  I’ll give the link for the ad, which may cause a Windows 7 machine to hesitate.  This problem does not seem to happen on my MacBook, my iPad, or my smartphone, and it doesn’t happen in the older XP operating system.  Here’s the link

I suppose I could get rid of this by playing with the Popup blocker (in Chrome, Firefox, or Internet Explorer – it happens in all of them in Windows 7).

The problem does not seem to occur on any ads served by Google. 

Update: September 10, 2012

Today the hang occurred while the Washington Post was open to a complicated page when I went back into Word to copy the URL.  Once in Word, the computer would freeze if I tried to use Word.  On restart, it gave the usual warning and invitation to use Safe Mode, which can be skipped.

Microsoft Control Center tells me that I need a fix for a Dell memory driver that is used by some media applications.  I just installed it.  We'll see if this fixes it.

I fixed the Word file by hard-copying to another file with a different name.  

Tuesday, September 04, 2012

Major hack of unique Apple ID's from FBI reported

Media outlets are reporting that hackers connected to Anonymous and Lulzsec claim to have obtained unique Apple IDs (UDIDs) of the iPhones and iPads of over 12 million users, from an FBI computer, and have published a link to the IDs of 1,000,001 users or customers.

Apple customers who use Cloud services heavily (or who gave Apple a lot of personal information and who have heavily linked their online accounts) could theoretically be at further risk (maybe in the spirit of the “Wired” writer’s hack described here Aug. 17). 

So far no actual use of the data has been reported.  Will Apple have to offer free credit report monitoring to the million users affected?

It’s a little hard to believe that the data was so “easily” lifted from the FBI.

A typical news story by David Meyer is published by ZDNet here

Again, the advice: keep some backups yourself, and check your online accounts frequently.

Saturday, September 01, 2012

"The Economist" reports that future viruses may build on pre-installed apps

The Aug. 25, 2012 issue of “The Economist” offers a brief article “A thing of threads and patches: soon, computer viruses may assemble themselves from other bits of code”, link here

The article discusses a “Frankenstein” program designed by Vishwath Mohan and Kevin Hamlen, from the University of Texas at Dallas, and presented in Microsoft country in Washington state recently at a security conference. 

The theory is that viruses assembled from sequences of pre-installed code (like “Frankenstein” body parts or “pieces”, as in the notorious horror films from the 70s and 80s) would be harder for anti-virus software to detect, at least quickly, and could be useful in quick DOS attacks, or in industrial espionage. 

Monday, August 27, 2012

Facebook friends' names spoofed as spam sender fields, gives links to infected sites, maybe dangerous stuff

Recently, I’ve received spam with names of Facebook friends spoofed into the sender field.

All of the emails give a link to a site, which may be something like “Kliewer customs” or something that looks more legitimate, like “downtown Denver News”.  Some of them give a site based on the name of a person plus a two-letter number.  And some emails point to a Flickr album of a person.

I looked up one of the person’s names on Firefox and found sales links for old cars (OK) and, oddly, chemical and biological weapons.  Rather scary stuff. 

I presume that the sites linked in the emails (I even open them on a separate computer that I don’t use for critical stuff) are hacked or infected. 

It would be possible for someone to download child pornography accidentally this way, which could result in a legal liability. 

I don't know if there was a security breach at Facebook that allowed a script to be written to do this en masse. 
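As an added illustration (not code from this blog, from Facebook, or from the Washington Post story in the Sept. 27 post above), here is the kind of check a mail client or gateway can run against the sender-name spoofing described in both posts: the display name of a known friend or coworker is reused, but the address behind it is not the one that person actually uses. The contact directory, the sample messages, and the `mail-example.net` / `newsletter.example` domains are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of people the recipient knows, keyed by normalised display
# name, with the one address each of them legitimately mails from.  At work this
# would come from the corporate directory; for personal mail it is the address book.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@example.com",
    "sam smith": "sam.smith@example.com",
}


def sender_verdict(raw_message: str, known_contacts=KNOWN_CONTACTS) -> dict:
    """Classify the From: header of one RFC 822 message.

    display-name-spoof: the display name belongs to a known contact but the
                        address is not the one that contact uses
    ok:                 display name and address agree with the directory
    unknown-sender:     the display name is nobody we know (normal for newsletters)
    """
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    key = " ".join(display.split()).lower()   # normalise whitespace and case
    address = address.lower()
    expected = known_contacts.get(key)
    verdict = {"display": display, "address": address}
    if expected is None:
        verdict["verdict"] = "unknown-sender"
    elif address == expected:
        verdict["verdict"] = "ok"
    else:
        verdict["verdict"] = "display-name-spoof"
        verdict["expected"] = expected
        # Reply-To is where a reply would actually go; record it for the analyst.
        reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
        verdict["reply_to"] = reply_to or None
    return verdict


def triage(messages):
    """Return the verdict string for each raw message, in order."""
    return [sender_verdict(m)["verdict"] for m in messages]


# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe.4412@mail-example.net>
Reply-To: jane.doe.4412@mail-example.net
To: me@example.com
Subject: check out these photos

Thought you'd like these, see the album link.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: me@example.com
Subject: lunch

Still on for noon?
"""

NEWSLETTER = """From: Downtown News <news@newsletter.example>
To: me@example.com
Subject: weekly digest

This week's headlines.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, LEGIT, NEWSLETTER):
        print(sender_verdict(raw))
```

The check deliberately keys on the display name rather than the address, because the display name is the only thing the recipient usually sees; a name that is in the directory but arrives from a different address is the signal, while a completely unknown name is just ordinary unsolicited mail.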

Friday, August 17, 2012

Be careful how you use "The Cloud" and keep making your own backups; a Wired writer's story

Security pundits have been discussing the massive hack on Wired writer Matt Honan’s digital world, starting with Twitter but mainly focused on his life in Apple’s meso-thunderstorm clouds.

It’s pretty clear that there is a risk in “overdoing it” in linking all of one’s devices and being able to automatically repopulate them from the Cloud.

Actually, the whole situation reminds me of the old mainframe work environment in the 80s and early 90s.  You had your own Roscoe libraries, but there were secured procedures to promote source to various test, QA, and production libraries and these were controlled by TSO. Once companies started using client-server setups or LANs, PCs typically had their own local drives and then virtual network drives, with shared data, “clouds” with respect to the organization.

A home user of a “cloud” service would logically want only certain portions (like logical “drives”) of his or her PC repopulated automatically.  I can certainly understand the benefits of automatic synching.  For example, if you travel a lot and take a smaller airbook or netbook with you, all the data would be there with you on the plane – nice for cross-country or oceanic flights, especially if you frequent faraway places like China (and you’re editing a novel).  If your iPod gets synched, you can always play any of your music on a home stereo through the iPod dock on your receiver. 

A sensible security procedure would be for the Cloud service provider (Apple in this case) to require Google-style two-step verification before altering anything on your hard drive.

Honan discusses the holes in Apple’s procedure, requiring only credit-card-last-four, mobile phone number, a billing address, and an email address (and the last three are easy to get from most personal websites).  Certainly two-step ought to be there.

There’s one more hitch on the Cloud service Honan didn’t mention: you need OS Lion or later.  I have OS X 10.6.8 on my 2011 MacBook, which is already too “old”.  An upgrade would be a big project, and I’d have to check if it would affect my Sibelius (music composing) application.

I’ve been used to making and keeping physical floppies and now thumb drive backups of my stuff for decades.  I have more than one drive, and they are kept in various locations (at least one is kept in a safe deposit box at a bank and updated every few months -- rather like PM visits to the dentist!).  It’s getting easier as thumb drives get “bigger” in storage.  I do use Carbonite on two machines, although, as these are Cloud backups, they would need more beefing up (I would suggest that Carbonite implement a two-step system, too, as should other companies, like Mozy and Webroot, that offer backups). 

One would also recommend that users consider making optical media (CD) backups as well as thumb drives. I’ve never heard of data loss due to an electromagnetic pulse attack (EMP – which could conceivably be localized -- or maybe even a severe solar storm), but there is (as the popular song says) always “a first time”.

The Aug. 6 story on Wired (which has a follow-up on Aug. 13, where Honan explains how he rescued most of his data) is here

Thursday, August 16, 2012

Trend Micro Titanium 2012 upgrade takes a while to do, requires two restarts

Today, I installed Trend Micro Titanium 2012 on my travel Gateway Windows 7 computer.

It had been prompting me when starting the 2010 protection.  I found when I accepted the invitation, that it launched Firefox (default), downloaded the element (although the script stopped once, maybe because Windows updates were also downloading). It then slowly executed (when the download element was invoked), and required two restarts, one after removing the old Titanium, and then after the actual install, which took quite a long time.  The first time, when the box was closed, protection stopped and had to be started again in Windows 7 (along with Windows Defender).

Possibly the impending Windows 7 updates and downloads slowed this down further. 

Wednesday, August 15, 2012

Microsoft never sends updates as attachments (Webroot story)

Webroot is now sending out tweets advising customers of upcoming Microsoft security updates, and I indeed got one as I returned home from a trip last night. 
Microsoft also has warned customers that it never sends security updates as attachments.  In fact, I have not received emails advising of them; only the notification icon warning me that updates have been downloaded.  Updates will eventually install and force a restart if I don’t install them, so they can be disruptive, sometimes.  A typical update package takes about 15 minutes to install on a modern laptop.

Malicious software removal updates tend to take longer, as do “.NET” updates (necessitated by my use of Expression Web; I had about a month where a service pack update to Expression Web had failed and the product would not load.) 

The Webroot story on Microsoft updates is here.