Thursday, June 28, 2012

Conservative news sources warn of retaliation for govt involvement in Stuxnet, Flame

The multiple news stories about the reported role of the US government (NSA) in the Stuxnet worm's propagation against Iran are raising fears of "payback" against US infrastructure, according to a front page story in The Washington Times Thursday, by Shaun Waterman, link here
The main issue is why so many industrial control systems (ICS) are reachable through the public Internet. What is reported to be exposed is the control software itself (the remote management or operator interface), not the physical facility (such as a power plant or a pipeline pumping station) that runs it in a distributed fashion; but that interface is what an attacker would use to reach the process behind it.
One of the more immediate concerns relates to the Keystone Pipeline components.  

Wednesday, June 20, 2012

Theater, bookstore, retail perks cards now used in phishing scams?

Recently, I received an email purporting to be from AMC Stubs, saying that my AMC Stubs perks card for AMC Theaters had expired, and that I had "zero days" to renew it.

Tonight, I went to an AMC theater (the Shirlington in Arlington VA), and the manager found my card active, with no evidence of impending expiration.  He did say that cards last for one year until renewal is necessary.

Is this another subject for phishing: theater chain or bookstore, or retail chain (CVS, Rite Aid), maybe even Costco renewal? Advice -- take the card in person to a store.

As for Stubs, it sounds like the name of a movie.

Anderson Cooper did a show on scams and id theft today  (see TV blog).

Update: June 25

I got an email from Geek Squad to "renew" a tech support contract I had just signed a month ago.  Now I have to wonder if this could be spam and will have to contact them directly. 

Tuesday, June 19, 2012

Amazon, PayPal reported to have malware problems

The Webroot Threat Blog is reporting exploits, detected by Secure Anywhere, from ordinary use of Amazon for purchases, and more recently from PayPal. I have not encountered any warnings from Amazon (I just used it again to make a chess book purchase). I don't use PayPal, since all of my e-commerce is outsourced right now.

Webroot describes the items as "client-side exploits and malware". Secure Anywhere has detected unwanted ".exe" files with long strings of numbers as names, which it calls MDS files. They appear to be related to more adware and spyware tracking.

The link for the story is here.

PC Online (Netherlands edition) is reporting new Mac OS exploits here (Google can translate the page), link

Monday, June 18, 2012

Email sender spoofing is "alive and well", sometimes as part of a DoS attack

Today I got an AOL email from a “real world” friend with no subject.  First, I wish email programs would require a subject. 

I was suspicious, so I opened it on an old computer that I use for background testing of Internet stuff, and on which I never do any work requiring passwords or personal information. (I don't network my own computers directly or use P2P.)

It gave a link to "" and Firefox MyWOT and McAfee said this host is OK. I followed the link on the old computer, and the website tried to take me to an obscure social networking site that Chrome would not connect with (either URL or security issues). This appeared to be a badly coded attempt to earn quick money (probably Russian) through malware by getting users to generate page requests and perhaps take a survey (a well-known scam based on Facebook misspellings, leading to cell phone spam from sites like "guessology").

I couldn't tell easily from the header detail on AOL whether the email had really been sent from the person's computer (by hijacking it, logging on to make the computer a zombie, as with a DoS attack, or by P2P), or if the email sender address had simply been spoofed. The email came from Yahoo!, and didn't appear to be a Microsoft Outlook exploit (as was common about twelve years ago).

Either way, sender spoofing (directly or indirectly) still seems to happen a lot. 
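As an added example (not from the original post), here is a small Python check of the kind of header detail the post says was hard to read on AOL: it compares the visible From: domain with the envelope sender (Return-Path), reads the receiving server's SPF/DKIM verdict from Authentication-Results, and looks at the earliest Received: hop. The two messages are constructed for the example, with documentation-range IPs and made-up hostnames; they are not the message the post describes.

```python
import email
import re
from email.utils import parseaddr

# Both messages below are constructed for this example (documentation-range
# IPs, made-up hostnames); they are not the message described in the post.
# Received: lines are prepended by each server, so the bottom-most one is
# the earliest hop the receiving side can see.
SAMPLE_SPOOFED = """\
Return-Path: <bulk-sender@yahoo.com>
Received: from mail.example-receiver.net (mail.example-receiver.net [198.51.100.7])
\tby mx.example-receiver.net with ESMTP id abc123; Mon, 18 Jun 2012 09:00:00 -0400
Received: from unknown (HELO nm12.bullet.mail.yahoo.com) (203.0.113.45)
\tby mail.example-receiver.net with SMTP; Mon, 18 Jun 2012 08:59:58 -0400
Authentication-Results: mx.example-receiver.net; spf=fail smtp.mailfrom=yahoo.com; dkim=none
From: Friend Name <friend@aol.com>
To: me@example.org
Message-ID: <1@nm12.bullet.mail.yahoo.com>

click here: http://bad.example/
"""

SAMPLE_LEGIT = """\
Return-Path: <friend@aol.com>
Received: from omp1020.mail.aol.com (omp1020.mail.aol.com [192.0.2.20])
\tby mx.example-receiver.net with ESMTP id def456; Mon, 18 Jun 2012 10:00:00 -0400
Authentication-Results: mx.example-receiver.net; spf=pass smtp.mailfrom=aol.com; dkim=pass header.d=aol.com
From: Friend Name <friend@aol.com>
To: me@example.org
Subject: lunch Thursday?

see you there
"""


def domain_of(addr) -> str:
    """Lowercased domain part of an RFC 5322 address, or '' if there is none."""
    _, a = parseaddr(addr or "")
    return a.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull method=result pairs (spf=fail, dkim=pass, ...) out of Authentication-Results."""
    out = {}
    for h in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", h, re.I):
            out[m.group(1).lower()] = m.group(2).lower()
    return out


def originating_hop(msg) -> str:
    """The bottom-most Received: header, i.e. the first hop we can see."""
    recs = msg.get_all("Received", [])
    return recs[-1] if recs else ""


def analyze(raw: str) -> list:
    """Return a list of spoofing indicators; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    findings = []
    hdr_from = domain_of(msg.get("From"))
    env_from = domain_of(msg.get("Return-Path"))
    if env_from and hdr_from != env_from:
        findings.append(f"header From ({hdr_from}) differs from envelope sender ({env_from})")
    auth = auth_results(msg)
    if auth.get("spf") in ("fail", "softfail"):
        findings.append(f"SPF {auth['spf']} for the envelope domain")
    if auth.get("dkim") != "pass":
        findings.append(f"no valid DKIM signature (dkim={auth.get('dkim', 'absent')})")
    hop = originating_hop(msg)
    if hdr_from not in hop.lower():
        findings.append(f"earliest Received hop does not name {hdr_from}: {' '.join(hop.split()[:4])}")
    if not (msg.get("Subject") or "").strip():
        findings.append("empty Subject")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw) or "no findings")
```

A mismatch between From: and Return-Path is a signal, not proof: mailing lists and forwarders produce it legitimately, which is why the receiving server's SPF result (checked against the envelope domain) and a DKIM signature from the From: domain carry more weight. A Yahoo! first hop under an AOL From: address with no DKIM signature, as in the constructed message, shows up as several findings at once.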

Friday, June 15, 2012

Asquared, Spyware Doctor find many viruses missed by better-known vendors

I took in a Toshiba Netbook to Geek Squad on June 7, 2012, with symptoms of very slow bootup, which sometimes fails (sometimes in the black screen), and slow startup of processes.  The initial expectation was that a hard drive might need to be replaced (only 18 months old but shaken to the floor once on an Amtrak train).

The netbook (which runs under Windows 7 Starter and had all updates, and has Kaspersky anti-virus and firewall) passed all the hardware tests, including the hard drive.

Geek Squad scanned it with Kaspersky, Norton, Trend, and its own Analyzer, and found no viruses. But "Spyware Doctor" (CNET website review here) found 25 items and was able to remove 9. And ASquared (apparently now called Emsisoft, link) found a whopping 126 items and removed 109.

Geek Squad also removed four unnecessary group processes. 

Here’s a 2009 review of Asquared by Nevyan on blogger, link

From what I can tell, Emsisoft (the word sounds like “emesis”) is designed to supplement other products and not conflict with them.

At the end of 2008, a Best Buy Geek-Squad consultant told me that the “best” company changes every year.  In 2009 it was Webroot/Spysweeper, then it was Kaspersky.  Now it seems that Spyware Doctor and Emsisoft/ASquared catch huge numbers of problems that better known packages miss.  There is also a change from data files to cloud-based security, as with Webroot and Secure Anywhere.

It took eight days to get the netbook back, rather than three, partly because of the tedium of so many scans and fixes (under the Tech Support plan), and maybe partly because of short staff.

Thorough scanning is potentially a serious issue. Undetected malware could lead to disclosure of important accounts (such as banking, or even self-publishing) and compromise by thieves, or even mischief. Even though reports of "downstream liability" lawsuits and prosecutions against ordinary home or small business users are rare (for child pornography loaded by a virus, or for abuse of a computer to facilitate piracy or DoS attacks), they still represent a threat that could happen to anyone, however remote or unlikely statistically (see Nov. 11, 2009 posting on this).

It’s also disturbing that less familiar security vendors are finding so many problems that major brand vendors miss.

The machine, when I got it home and brought it up, was slow on the first boot, as it had to reconfigure many updates and 11000 registry cleanup changes. After shut down and one more cold restart, the performance was much better (than before the virus removal), although the other Gateway netbook, similar in design, is still faster. Both have 1G memory.

Geek Squad recommends 2G memory upgrades for netbooks.

I also got a warning from Toshiba, an “HDD/SSD Alert, unable to get disk information, unable to use the alert feature”. This makes me wonder if some of the malware was specific to Toshiba marketing.  Maybe all or most of the 126 items found by Asquared were variations of some kind of adware, maybe related to Toshiba specifically.

Thursday, June 14, 2012

Scribd and Comodo Backup used in site redirection scam

Dancho Danchev has an important story on the Webroot Threat Blog about the abuse of Scribd, a site that I have often linked to show PDFs of opinions on court cases. Cybercriminals are monetizing their activity by redirecting Scribd requests to affiliate networks that pay for clicks, usually for "adult" ads, possibly outright illegal (as with minors). Some of the malware is hosted on Comodo Backup.

The link for the story is here.  Webroot tweeted the story Thursday.

Comodo Backup is reviewed by CNET here. Comodo is another major security vendor. In music, "Comodo" means "comfortable". 

Wednesday, June 13, 2012

Virus removal is becoming a much more nuanced professional service

Professional virus removal, by companies like Geek Squad, has become much more elaborate in the past three years or so. Just running a virus scan or two doesn't cut it. Technicians now scan from a customized safe mode and from special boot disks, so that the infected operating system is not running while it is examined; malware that hides from scanners on a live system (rootkits) often gets past many virus scans early in its life. That means virus cleanups take longer, and may make tech support packages (typically about $250 or so for two years for maybe three machines) worth it. It's easier with a laptop, since it's easier to take it in. Windows PCs are still a bigger issue than Macs.

Here's a Yahoo! answer

What may need more attention from legal commentators (as on CNN) is the issue of a computer owner's liability if their machine is hijacked.

Monday, June 11, 2012

Apparent airline ticket email scam

Recently, I received an email on my AOL account, marked as from American Airlines, offering a free airline ticket and boarding pass (attachment) that I had not bought. I marked it as spam, and can only assume that this is the latest scam to get personal information or turn your home PC into a zombie for DoS attacks.

I'll notice whether other airlines get spoofed.

I made a round trip to Dallas last November (from Baltimore) on American, and do have a legitimate account with American.  I don't know if it could have been hacked.  I also have accounts with Delta and USAir.

I would think that the TSA would be investigating this development.  Of course, the fake tickets would not scan at an airport.

Picture: Great Salt Lake Desert, Utah

Wednesday, June 06, 2012

LinkedIn, eHarmony have passwords "disclosed"; seems to involve cracking weak pw's

The Los Angeles Times is reporting that eHarmony also had over a million passwords stolen, mostly by cracking, following reports of massive breach of LinkedIn.

Salvador Rodriguez has the LAT story here

Ars Technica (Dan Goodin) has further details about the posting of the cryptographic hashes, story here, apparently after the "easier" pw's were posted on "insidepro".

This appears to have been a "proof of concept" hack. It's likely that the attacker doesn't plan to use any of the individual pw's. He or she ("Lisbeth" from Dragon Tattoo) wants to prove a point.

My own LinkedIn account was working normally.  I don’t use it a lot.

McAfee gives a red security warning on “insidepro” as “risky to visit”.  (I try “risky” sites on a separate computer not used for any sensitive access.) But MyWOT rates the site green. 
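As an added example (not from the original post or from the news stories it links), the block below shows in Python why a posted list of unsalted hashes cracks so quickly, and what the salted, iterated alternative costs an attacker. It assumes unsalted SHA-1 for the leaked list, as was widely reported for the LinkedIn dump at the time; the wordlist and user table are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist and user table for the example; not real data.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty", "Tr0ub4dor&3"]
USERS = {
    "alice": "linkedin",
    "bob": "123456",
    "carol": "123456",                       # same weak password as bob
    "dave": "correct horse battery staple",  # not in the wordlist
}


def sha1_unsalted(pw: str) -> str:
    """Unsalted SHA-1, assumed here to be the scheme behind the leaked list."""
    return hashlib.sha1(pw.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What a site storing plain SHA-1 would hold: user -> hex digest."""
    return {u: sha1_unsalted(p) for u, p in users.items()}


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes.

    One hash per candidate word builds a lookup table that covers every
    user at once, so the cost is len(wordlist) no matter how many users.
    Returns (user -> recovered password, number of hash evaluations).
    """
    table = {sha1_unsalted(w): w for w in wordlist}
    found = {u: table[h] for u, h in stored.items() if h in table}
    return found, len(wordlist)


def kdf(pw: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) as the contrasting scheme."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def store_salted(users: dict, iterations: int = 50_000) -> dict:
    """user -> (random per-user salt, iteration count, digest)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, iterations, kdf(p, salt, iterations))
    return out


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """Same dictionary against salted hashes.

    The salt defeats the shared lookup table: the attacker must rerun the
    wordlist for every user, and each guess costs `iterations` HMACs rather
    than one SHA-1. Returns (user -> recovered password, number of KDF calls).
    """
    found, evaluations = {}, 0
    for u, (salt, iters, digest) in stored.items():
        for w in wordlist:
            evaluations += 1
            if hmac.compare_digest(kdf(w, salt, iters), digest):
                found[u] = w
                break
    return found, evaluations


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    print("bob and carol share a hash:", unsalted["bob"] == unsalted["carol"])
    found, n = crack_unsalted(unsalted, WORDLIST)
    print(f"unsalted: cracked {found} with {n} SHA-1 evaluations")
    salted = store_salted(USERS)
    found, n = crack_salted(salted, WORDLIST)
    print(f"salted: cracked {found} with {n} PBKDF2 calls of {salted['bob'][1]} iterations each")
```

Two things fall out. Every user who chose "123456" gets the same unsalted hash, so the list itself reveals which accounts share a password, and one hash of each dictionary word cracks all of them in a single pass. With a per-user salt and an iterated KDF, the same attacker must redo the whole dictionary for each user, and each guess costs tens of thousands of HMAC computations instead of one SHA-1; a strong passphrase like dave's is not found either way, which is the point about weak passwords the headline makes.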

Monday, June 04, 2012

Flame, Shodan both raise questions about new risks to home users; how much machinery is connected to the public Internet?

CNN has a story Monday morning by Douglas Rushkoff, “The cyberwar may be headed to your computer”, about the huge malware suite called Flame, apparently directed by western governments against Iran, here

The article explains how the “product” was designed to make it difficult to emulate, but nevertheless claims that eventually this sort of malware can affect average home or small business users.  I’m not sure I follow the reasoning.

The Washington Post has been running a series “Zero Day: The Threat in Cyberspace”, with a long article Monday morning (front page in print) by Robert O’Harrow Jr., “Everyday machines vulnerable to hacking: Fledgling search engine exposes risks of being connected to Internet”, link here

The story discusses the evolution of the Shodan search engine, which indexes devices that answer on the public Internet, including industrial control panels that were never meant to be reachable from it. I wonder if my Briggs and Stratton generator is connected. The Shodan site boldly states "Expose Online Devices".

For years, since 9/11, there has been speculation about the vulnerability of cyber infrastructure to hackers. Most of it is supposed to be disconnected and topologically unreachable. But some pieces are monitored remotely by "smart grid" technology, which at a minimum should mean those remote links are encrypted and authenticated rather than left open. That may become even more the case in the future with, for example, home security and home monitoring systems.

Friday, June 01, 2012

AOL offers members Private WiFi, DataMask (stop keylogging), One Point (pw mgmt)

AOL is offering its subscribing members several security services.  One is reputation monitoring, which I discussed on my main blog May 31.

Another is Private WiFi, which requires downloading an executable. I could consider doing this with a small travel Gateway netbook that I carry on the road. However, I have found that both a Verizon MiFi card (3G speeds) and the new iPad, used as a hotspot (almost 4G speeds), work well and are secure as they assign or require strong passwords.

Another potential valuable tool is DataMask, which would scramble keystrokes when visiting potentially suspicious websites.  I’m not sure if it protects you from malware already on your machine doing keylogging.  

Again, it requires a download and install, which would probably be used on the main Windows PC at home.

Another product is AOL One Point, for managing strong passwords. Again, a download is required.

I always approach making downloads, and system changes, even from large and well-known companies, with caution.  I’ll report later on how these turn out.  The most applicable for me is probably DataMask.

Another tip: when you travel, you should change the passwords on your travel machine just before you leave, and not reuse those passwords at home. Still another concern with that tip is whether airport TSA security lets you stay with your own stuff while you're being screened. At LAX, it does; you and your carry-ons are always screened simultaneously so they can't become separated or stolen. I wish DC area airports would do the same.