Tuesday, December 31, 2013

NSA can target individual computers with malware through its TAO program (report from German magazine)

The NSA can implant malware on personal or business computers before they are delivered to customers (by intercepting the shipment), and can also make use of the error reports that Windows sends to Microsoft when something crashes, which tell the agency what software a target machine is running; whether some of those errors are themselves induced is an open question. 
There was a report to this effect in the German magazine Der Spiegel, for example here
The unit that does this is called "Tailored Access Operations", or TAO. It goes after specific targets by exploiting known operating system or browser vulnerabilities, or by using tracking cookies to recognize a particular machine. 
It would appear that these efforts have been made only against Americans with certain kinds of overseas connections.  But the government has long feared that “steganography” could place hidden instructions for attacks on innocuous websites, including those run by amateurs.  This danger was widely discussed right after 9/11.
Despite the tremendous automation of snooping by the NSA, the compartmentalization of information (within the CIA, the Pentagon, and all sorts of agencies) probably still hinders the communication of "street level" observations of the kind that even amateur bloggers make by hand when they "connect the dots" (like the character Jimmy in Smallville). 

In some cases TAO has taken some visitors to fake Facebook or LinkedIn pages in order to intercept “whitelisted” postings intended only for “Friends”.   I don’t think this is likely to involve many “average” Americans.  But social media sometimes has hidden clues to security-associated crimes and possible terror plans.  There was at least one murder of a security employee in 2008 where threats against her could be found on Myspace and in spam blogs.  It’s unclear how much information police got out of social media at the time, some related info here

Saturday, December 28, 2013

"Kill switch" for smart phones could provide massive consumer target for hackers, terrorists

I thought I would pass along an “opposing viewpoint” from USA Today on Friday, December 27, to the idea of a smart phone kill switch.
The counter-opinion warns that a kill-switch system could itself fall to hackers, or possibly terrorists or enemy rogue states, or even to our own government if it really got out of hand.  Millions of cell phones could suddenly be made inoperable in a geographical area by some sort of attack, rather like a “Son of EMP”. 
The link to the counter opinion is here; it in turn links to USA Today/Gannett's own editorial, which really doesn't address the terrorist risk. So the smart phone "kill switch" may go the way of the "Kill Bill" movies.

Friday, December 27, 2013

Webroot URL classification downgrades many "reputable" smaller sites to orange

I have noticed that the Webroot URL Classification displayed by Firefox on search engine results often rates many sites that appear reputable as “orange” (caution) with a “confidence” of “0” and a score of “40”.  Some of these sites it will warn as more likely than normal to have malware if you go to them, but not all. 

The sites are often smaller sites of individuals or smaller organizations or political action groups. 

My own "billboushka.com", on a Unix server, which supplements "doaskdotell.com", on a Windows server, gets an orange (the "doaskdotell" gets a green and a check).  I don't know what Webroot finds wrong.  But I do have WordPress, in an older version, with a login screen that I think might benefit from more security.  I also have MySQL, where I have played with my "opposing viewpoints" idea (IT blog, Sept. 11, 2012), which I don't attend to very often.  Maybe that is seen as a weakness (for injection attacks?).   My "doaskdotell" is misclassified as "real estate"; it sells political commentary and books (mostly through third parties). 
Webroot explains its Classification intelligence system here.  It describes it as a “Content Classification Service” under “Webroot Security Intelligence Solutions”. 
The orange dot will give a complete score to a mouse browse-over, but not a complete report.  McAfee will give a complete report on SiteAdvisor, as will MyWOT.  I have found that MyWOT tends to downgrade “child safety” scores on blogs or sites that have subscription advertising or that have many embedded videos.  They may be saying that sites that allow third parties to display content are inherently riskier, at least for minors.
Some sites get downgraded (especially by McAfee) for bigoted or hateful content, even if there is no technical risk of malware.  And some get downgraded by all services if they have a poor business reputation according to media intelligence.

Webroot rates "healthcare.gov" as orange with a score of 40 because of technical instability and security flaws.  It rates the DC Health Exchange as Yellow with a score of 50 because of potential security holes.   

Target still has a green rating from Webroot despite the recent massive breach.  But the website itself was not breached; the point-of-sale machines in the stores were, and a URL reputation score says nothing about that.  

Update: (Later Friday)

Now "billboushka.com" has gone to green with a score of 92 (after I contacted Webroot on Twitter), and many other smaller sites that I follow have gone to green at the same time.  

Thursday, December 26, 2013

Phishing scams try to do service of process or demand court appearances

Here's another phishing danger: emails claiming service of process, or saying that you must make a court appearance.  Process can be served by mail, or left in person with an adult member of the household in most states (or at apartment complexes or mailbox stores), but it is not served by email.  
The scams I see by email, trying to collect bills for credit cards I don't have or payments for cars I don't own, are just getting plain obvious.
It's not that easy to copy me.  

Monday, December 23, 2013

AC360, Webroot cover the bald-faced hosting of criminal hacking activities after Target attack

CNN, on the AC360 show this evening, described the extent to which amateurs can learn to hack from the Internet, and the plethora of sites hosting criminal activity. There's no link for this latest story yet, and this is no place to replicate where all the advice is, but Webroot has been following this development, as in this Threat Blog story here.  The discussion came out of the Target hack. 
With all this employable technical skill, why do people need to turn to crime?
In February, NBC's website was compromised so that a "drive-by" visitor could get infected merely by loading a page, if he or she had not updated the browser and operating system (Windows) with the very latest patches, here. http://money.cnn.com/2013/02/22/technology/security/nbc-com-hacked-malware.

Update: Dec. 24

ABC discussed Brian Krebs's investigation of "card dump" websites that sell stolen information, many of them hosted in Ukraine.  Krebs also now reports that criminals are posing as Target and sending phishing emails.  

Saturday, December 21, 2013

Amazon apparently the subject of a phishing scam

I don’t know whether this has any relation to the Target leak, but Friday afternoon I received an email in my AOL inbox purporting to be from Amazon, with details about an order Dec. 9 in an attachment, which was a zip file.
I examined the email on an old computer that I do not use for any other purposes now.  The sender address, when looked at by passing the cursor, really did appear to come from Amazon.  I went to my Amazon account and found the date of my most recent order to be Dec. 8.
I forwarded the email to “stop-spoofing” at amazon, and got back a response that “in all likelihood, this email did not come from us”.

Most phishing attacks show a real sender available to the mouse cursor.  This one did not.  It still pointed to Amazon. 
I also got a phishing email from a business associate of the eldercare lawyer I had worked with a few years ago.  It asked for a loan for a kidney transplant.  This was an obvious "emergency scam" and it showed a sender email address of a different email under the cover.  But this is the first time I have seen law firms targeted to be made to look like the sender in a phishing attack.  
Any explanations?

I also get phishing emails for credit cards I don't have, with attachments -- a bad sign?
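The "sender" that shows on a mouse-over is the From header, and a sender can write anything there; what a spoofed message cannot fake is what the receiving mail server recorded about it. The check below is an added example, not part of the original post and not Amazon's code. It compares the From domain with the bounce address (Return-Path), reads the SPF and DKIM verdicts the receiving server wrote into Authentication-Results, and flags attachments with risky extensions. Both messages are constructed (RFC 5737 test addresses), and the registrable-domain helper is a deliberate simplification that ignores the public suffix list.

```python
"""Spot a spoofed sender by comparing the display From with what the mail
system actually recorded.  Added example, not code from the post; the two
messages below are constructed, and registrable_domain() is a
simplification (last two labels, no public suffix list)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample 1: From claims amazon.com, but the bounce address,
# the relay and the receiving server's SPF verdict all say otherwise,
# and there is a zip attachment.
SPOOFED = b"""Return-Path: <bounce-77@mail-relay.example.net>
Received: from mail-relay.example.net (unknown [203.0.113.45]) by mx.isp.example with ESMTP id 1A2B3C
Authentication-Results: mx.isp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Amazon.com" <order-update@amazon.com>
To: victim@isp.example
Subject: Your order of December 9
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Details of your order are in the attached file.
--b1
Content-Type: application/zip; name="order_details.zip"
Content-Disposition: attachment; filename="order_details.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample 2: a message the receiving server could actually verify.
LEGIT = b"""Return-Path: <202312080001@bounces.amazon.com>
Authentication-Results: mx.isp.example; spf=pass smtp.mailfrom=bounces.amazon.com; dkim=pass header.d=amazon.com
From: "Amazon.com" <ship-confirm@amazon.com>
To: victim@isp.example
Subject: Your Amazon.com order has shipped
Content-Type: text/plain

Your order shipped.
"""

RISKY_EXTENSIONS = ('.zip', '.exe', '.scr', '.js')

def registrable_domain(header_value: str) -> str:
    """'"Amazon.com" <x@mail.amazon.com>' -> 'amazon.com' (last two labels)."""
    _, addr = parseaddr(header_value or '')
    domain = addr.rpartition('@')[2].lower()
    return '.'.join(domain.split('.')[-2:]) if domain else ''

def verdict(auth_results: str, mechanism: str) -> str:
    """Pull 'pass'/'fail'/'none' for spf= or dkim= out of Authentication-Results."""
    m = re.search(r'\b%s=(\w+)' % mechanism, auth_results)
    return m.group(1) if m else 'missing'

def analyze(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = registrable_domain(str(msg['From']))
    rp_dom = registrable_domain(str(msg['Return-Path'] or ''))
    if from_dom != rp_dom:
        findings.append('From domain %s differs from Return-Path domain %s'
                        % (from_dom, rp_dom or '(none)'))
    auth = str(msg['Authentication-Results'] or '')
    for mech in ('spf', 'dkim'):
        v = verdict(auth, mech)
        if v != 'pass':
            findings.append('%s=%s' % (mech, v))
    for part in msg.walk():
        name = part.get_filename() or ''
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append('risky attachment %s' % name)
    return findings

if __name__ == '__main__':
    for label, raw in (('spoofed', SPOOFED), ('legit', LEGIT)):
        print(label, analyze(raw) or ['clean'])
```

Authentication-Results is only trustworthy when it was written by your own receiving server (a spoofer can add a fake one further out), so in practice you would also confirm the header names your provider's hostname, as the constructed samples do.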

Friday, December 20, 2013

Target security lapse already affecting some consumers who had used debit cards with PINs

There are already some reports of consumers finding bank account withdrawals when they had used debit cards at a Target store since Nov. 27.  So it appears that the heist might have compromised PIN codes.  There was a report of a woman in Washington DC with checks bouncing already.

I used my Target Visa once early this month and did not see any irregularities on my Target or any other credit card or bank statements. 

However, if consumers are already reporting pilferage, the possibilities for massive withdrawals or invalid charges seem enormous.

All indications at this point suggest that the Target incident occurred inside its data center. 
There are various IT procedures which are supposed to guarantee the integrity of code promotion (elevation) procedures within an IT shop.  I’ve discussed them on my IT Jobs blog and will go into more detail soon on some particular issues I am aware of in mainframe environments.  It’s possible that this heist is based on a very old vulnerability.  

Update:  later

Target says that it has no evidence that debit card PINs were compromised.

Update: Dec. 21

The Washington Post reports that its former security columnist Brian Krebs actually broke the Target story on his security blog, and his latest report is here.  Target is offering discounts and some free credit monitoring and still denies that debit card PINs were compromised.

Debit cards can often be used as credit cards without PINs, and the charges are easier to reverse when fraudulent.  This happened to me once in March 2013.

Update: Dec. 28

Target is now admitting that encrypted debit card PIN data was taken, but says the encryption keys were not, because they are held outside the company, at its payment processor.  The remaining risk is guessing rather than decryption: an attacker holding the card data needs only a few tries at an ATM, so consumers with easily guessed PINs (like "1234") could certainly be at risk. 

Thursday, December 19, 2013

Apple MacBooks not necessarily safer than PCs from webcam spying through a "RAT".

Although conventional wisdom regards the Macintosh as safer than Windows, that may not be the case with webcam snooping.  Timothy B. Lee and Ashkan Soltani have a story Thursday morning in the Switch Blog of the Washington Post, “Your laptop: Is somebody watching without your knowing?” on the front page, titled “Research shows how MacBook webcams can spy on their users without warning”, link here.  There is a light which is supposed to come on whenever the webcam is in use, but the researchers found a way to keep it off by reprogramming the firmware of the camera's own microcontroller, so the sensor captures images while the LED stays dark. 
The case in point regarded a high school student arrested and prosecuted for extortion after capturing pictures of various women and sending them threatening emails. 
The article discusses the RAT, or “Remote Administration Tool”, which in this setting is a remote access Trojan installed without the owner's knowledge. 
The simplest way to stay off camera may be to tape something opaque in front of the camera peephole at the top of the laptop.

I've used the webcam on my Macbook once to make a trial iMovie, but I'll be getting back to this soon. 

The Post is also reporting that hackers gained access to employee passwords (apparently, again).  

Wednesday, December 18, 2013

Unused or unfamiliar shared hosting capacities could present a security trap for webmasters

Here’s another word to the wise, for webmasters who may use a variety of hosting companies and arrangements. 
Some hosting companies, including shared hosting, will offer a wide variety of services, such as a large number of potential email addresses, blogging platforms, or MySQL facilities.  It’s possible that a webmaster who simply wants to self-publish won’t learn how to use these, and that the unused services sit there with default settings and unpatched software, where hackers could hijack them for illegal purposes (mail relays, spam, hosting malware).  The webmaster will be unaware, because what he or she uses still works normally. It’s possible that he finds out from the proverbial police knock on the door in the middle of the night.  In practice, self-defense might not be easy, beyond disabling or removing what you don't use.
I see that this issue was discussed on Dec. 11 here, after a Webroot Threat Blog post.  

It’s important to pick webhosts who are proficient in the technologies offered.  For example, I’ve noticed that one host offers only “admin” as a username for a WordPress logon, and that doesn’t sound like a good idea for security, since it hands a password-guessing attacker half of the credential.  It’s a good idea to pay attention to using longer and more complex passwords.  Hosting companies should probably start considering two-step logons, even though they may not seem as attractive as they do on Google or Yahoo accounts.  

It's possible that Section 230 immunity might protect amateur webmasters from some downstream liability for unknown misuse of their domains by hackers.  That sounds like a good question.  When does the possibility of attracting trouble make a domain a potential "nuisance"?  I've wondered that. So far, policy has stayed away from this view, of holding people responsible for what others could be tempted to do.  But public pressure from many parents, especially, can change that. 
Blogs on shared hosts often do attract a lot of spam comments, although most of it is silly and harmless (a lot of it is in Chinese).  Always turn comment moderation on, and bulk moderate as necessary. 

Thursday, December 12, 2013

Shodan search engine said to pose a threat to infrastructure, home security

CNN Money has a detailed story about “Shodan, the scariest search engine on the Internet”, by David Goldman, here.  
The site, link here, has a broadcast headline, “Expose online devices: webcams, routers, power plants, iPhones, wind turbines, refrigerators, VoIP phones”.  That could be a home router, perhaps, or maybe smart thermostat or security system controls.  It could be any critical infrastructure component carelessly left connected to the Internet.  Shodan does not break into anything; it indexes the banners that Internet-facing services announce to anyone who connects, so whatever it lists was already reachable from anywhere.
CNN Money also has an illustrated story, “The Hackable House.”  Maybe we should go easy on putting everything in the home under smart controls.  How safe will Xfinity or ADT smart home security really be from hackers?  

Wednesday, December 11, 2013

Shared hosting services now get spoofed in dangerous phishing attacks at webmasters

Recently, I’ve noticed phishing emails that appear to simulate the recipient’s web hosting service, warning of “security updates” and lockouts.  This seems more insidious than the obvious imitations of AOL, because most shared hosting providers are not as well known as everyday trademarked brand names, but criminals are still trying to mine them.

Once the criminal has the webmaster’s logon credentials, he could send illegal content from the domain, very dangerous legally indeed for the website owner.  In April 2002, I had experienced a hack on an older Unix setting of one of my sites when the FTP "SITE command" was left open by the service provider. 

Wednesday, December 04, 2013

Trustwave reports massive password heist affecting at least 2 million users worldwide, and many popular sites

CNN Money is reporting a massive password heist of over 2 million username-password combinations for a large number of visible sites, including Facebook (the most affected), Twitter, LinkedIn, Google, Yahoo!, and payroll processor ADP.  Facebook and Twitter, at least, notified affected users (as far as they knew) to change their passwords. The breach was discovered by Trustwave.  The credentials were harvested from infected end-user machines by a credential-stealing Trojan (Trustwave identified the Pony botnet), not from breaches of the sites themselves, with the botnet controllers on servers in the Netherlands (as apparently identified by law enforcement now) and probably Russia and various other countries.  It’s not clear that much (or even any) harm has really occurred, but it’s clear that payrolls could be compromised, or illegal content could be distributed in a hacked user’s name.
Webroot has a discussion of the issue here
CNN has a full story here and reports that Trustwave discovered the hack on Sunday Nov. 24, 2013. 
Trustwave published its findings on December 3 and they are quite detailed, with analysis according to password strength, here.
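The strength breakdown in a write-up like Trustwave's comes from binning each leaked password by length and character mix, and the more worrying number, reuse of one password across several sites, comes from grouping the dump by user. The script below is an added example, not Trustwave's code; the dump is constructed, and the bucket thresholds (terrible, bad, medium, good, excellent) are my own assumption rather than the ones in their report.

```python
"""Bin a leaked credential list by password strength and look for reuse.
Added example, not Trustwave's code: SAMPLE_DUMP is constructed and the
strength buckets are assumed, not taken from the report."""
import string
from collections import Counter, defaultdict

# Constructed sample in the shape "site,username,password".
SAMPLE_DUMP = """facebook.com,alice,123456
twitter.com,alice,123456
linkedin.com,bob,password
adp.com,carol,Payroll2013
facebook.com,dave,qwerty123
facebook.com,erin,Tr0ub4dor&3
gmail.com,frank,123456
yahoo.com,grace,admin
facebook.com,heidi,Password1
linkedin.com,ivan,1234
"""

CLASSES = {
    'lower': set(string.ascii_lowercase),
    'upper': set(string.ascii_uppercase),
    'digit': set(string.digits),
    'symbol': set(string.punctuation),
}

def char_classes(pw: str) -> int:
    """How many of the four character classes the password draws from."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in pw))

def strength(pw: str) -> str:
    """Assumed buckets: length and class mix only, nothing about dictionary words."""
    n, k = len(pw), char_classes(pw)
    if n <= 4 or (n <= 6 and k == 1):
        return 'terrible'
    if n < 8 or k == 1:
        return 'bad'
    return {2: 'medium', 3: 'good'}.get(k, 'excellent')

def analyze_dump(text: str) -> dict:
    """Strength histogram, most common passwords, and users who reuse one
    password on more than one site (the payroll-to-Facebook problem)."""
    rows = [line.split(',', 2) for line in text.strip().splitlines()]
    sites = defaultdict(set)
    passwords = defaultdict(set)
    for site, user, pw in rows:
        sites[user].add(site)
        passwords[user].add(pw)
    reusing = sorted(u for u in sites if len(sites[u]) > 1 and len(passwords[u]) == 1)
    return {
        'total': len(rows),
        'strength': dict(Counter(strength(pw) for _, _, pw in rows)),
        'top': Counter(pw for _, _, pw in rows).most_common(3),
        'reusing_users': reusing,
    }

if __name__ == '__main__':
    for key, value in analyze_dump(SAMPLE_DUMP).items():
        print('%-14s %s' % (key, value))
```

Half of the constructed sample lands in the worst bucket, which is roughly the shape such dumps have in practice; the reuse list is the one a site operator should act on first, because a password stolen from a machine logging into Facebook unlocks the payroll account too.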
On a few occasions, when I’m on Blogger, Google has said that an account is logged on elsewhere.
The message quickly disappears.  I have changed passwords in response, and I have two-step logon.  That does not affect this problem.  It appears that it may be related to Windows 8 caching and not actually be a security problem.  It has happened when the server connection was weaker and sometimes generating other errors, which go away in time when connectivity improves.
I think that other services should provide two-step logon, but I do wonder how this affects cell phone security.  What happens if your cell phone is stolen in a street or subway robbery?

Saturday, November 30, 2013

Webroot now rates website safety on Firefox search engine results

I’ve noticed that Webroot Secure Anywhere has been rating sites that I search in Firefox, listing “Category, Confidence and Score”.  Sometimes there is more than one Category.  My own “doaskdotell.com” gets a Green but is misclassified as “real estate”; it should be “personal sites and blogging”.  (There is an obscure article about real estate prices on the site.)  The MyWOT (Web of Trust) score appears behind the domain on Firefox. 
For some reason, Webroot has downgraded as orange (and interrupts with warnings) some sites that sound legitimate.  One of these sites is “fwd.us” which is Mark Zuckerberg’s organization to support immigration reform, and another is “Kid Focused” which has information about raising children, including Internet safety (previous post yesterday). 

It’s possible that merely having an email sign-up list lowers a score with site-rating companies.  Maybe so does accepting ads. 

Friday, November 29, 2013

"The family computer" concept seems alive and well

Recommendations for parents on kid safety.  “Washington Family” Magazine (given out free at churches) for Nov. 2013 has an article on p. 38 by Mary Jo Rapini, “Monitoring your child’s behavior online”, which recommends just that, including having the “family computer” concept, in a public area of the house.  Maybe this is only for tweens.  Older kids will have a lot of homework online, and talented kids (prodigies in music, programming) may have legitimate reasons to spend more time in their own computing efforts. 
Yet, parents really do need to monitor what is going on, or there can be real consequences, as we know from a lot of news stories.
Rapini has an earlier article from Aug. 29, 2012, “Kid Focused” which says “’Monitoring your kids doesn’t mean ‘spying’”, link here

I couldn’t find the Family article on its own site, but Rapini has it on her own site, curiously in ready-to-print mode in PDF, here

Saturday, November 23, 2013

Spike Lee case shows how causing another person to be targeted wrongfully can lead to liability

Here’s another thing to ponder when on social media, or blogging.  Spike Lee was sued by an elderly couple in Florida when he incorrectly tweeted their home address as belonging to the social pariah George Zimmerman.  Hollywood Reporter has a story here

There was a $10,000 settlement, and the couple has repeatedly tried to get out of the “release of all claims”, which CNN’s “Legal Guys” say won’t happen.

But anyone who causes someone else to be targeted by criminal activity with a social media post can be held liable.  It’s a disturbing concept. 

I personally stay away from “personal outrage” at these kinds of cases.  

NSA infects computer networks deliberately with malware to perform surveillance, according to Dutch newspaper

A Dutch newspaper is reporting that the US NSA has deliberately infected 50,000 computer networks with malware in order to perform surveillance.  Most of the targets are overseas, but some could include organizations, small businesses or individuals in the US.  The NSA can turn on the “sleeper” malware at will.
There would be some question as to how much of a threat it could be.  An individual who works mostly on a laptop or modern tablet or even when mobile is likely to turn off the device often.  The malware typically has no symptoms and is carefully hidden from most anti-virus software.  However, random non-repeatable problems might be attributed to such malware.
The link for the report is here.  

Thursday, November 21, 2013

Law enforcement, intelligence paying more attention to spam

I have learned, in some private discussions lately, that law enforcement and intelligence are more concerned than they used to be about the possibility that “steganographic” instructions for crime or possibly terror attacks could be embedded in spam, as in emails, blogs, or particularly unmonitored comments.  Law enforcement has, of course, in recent years looked at social media for evidence of crime;  in a few cases it has been overzealous in interpreting hyperbole as “threats”, as in a recent case in Texas (July 3, 2013). 
I continue to receive a large volume of bank-related spam, and "Nigerian scams" that get through AOL.  Banks usually say, when the emails are sent to "abuse", that they've seen the emails before. 
Again, there are some specifics that I can't get into, but in general I'm surprised about the scams and counterfeit goods that people fall for, even people who don't live paycheck-to-paycheck.  The urge to want something for nothing ("it's free") seems too strong for some people. 

Monday, November 18, 2013

AOL makes members enter captcha to send email today

Today, an odd thing happened on my AOL mail account.  I was replying to an email from China about its wanting to use a duplicate of my domain name as a subdomain for an entirely different company (I talked about this on the Trademark blog Nov. 1) when I suddenly was forced to log on to a site to enter a captcha.  I first thought it came from the site in China and noticed that it came from AOL only when I sent an email to myself.  I did do the Turing test, and it worked, and wasn't repeated.  It seemed odd to do the test for someone signed on to AOL. It has never done this before.

AOL is not that good at filtering out a lot of spam, and I still get a lot of spam purporting to be from AOL itself. 

Friday, November 15, 2013

CryptoLocker virus tries to sell the user's own data back

The latest scourge being discussed widely is the CryptoLocker malware (sometimes called CryptoLock), usually spread by phishing emails and attachments. It encrypts the victim’s files and demands payment to get them back; the criminals are selling the person’s own data back.  There is a “groundhog day” countdown of about three days to pay up, after which the ransom goes up.  The “two-sided” encryption mentioned is public-key cryptography: the files are encrypted with keys that are themselves encrypted to a public key whose private half stays on the criminals’ server, so without an offline backup there is no way to recover the data locally.  The Extreme Tech article by Graham Templeton is here. 

To add "insult to injury", "victims" have to pay by Bitcoin or MoneyPak. Many people will not have accounts in these currencies and will not know how to pay.  I've never had a reason to use "hidden" digital currencies to hide them from surveillance. 
US-CERT, the United States Computer Emergency Readiness Team, reported on the problem by email today, with a lot of extra links with tips.  CERT says that mapped network shares and even cloud storage folders synced to the machine can be affected, which is why a backup that stays connected is not a backup against this.
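Because the ciphertext CryptoLocker writes has no structure left, the simplest after-the-fact check on a share or a synced folder is byte entropy: plain text and office files sit well below 8 bits per byte, encrypted output sits just under it. The scanner below is an added example, not from CERT or the article. The sample tree is constructed, the 4 KiB of "encrypted" data is deterministic pseudorandom bytes standing in for a real encrypted file, and the 7.5-bit threshold is my own assumption. Already-compressed formats (zip, jpeg, mp4) also score high, so a hit is something to inspect, not proof.

```python
"""Flag files that look encrypted by Shannon entropy.  Added example, not
CERT's tooling; the demo tree is constructed and the threshold is assumed."""
import hashlib
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5, min_size: int = 256) -> bool:
    """Tiny files give unreliable estimates, so ignore anything under min_size."""
    return len(data) >= min_size and shannon_entropy(data) > threshold

def scan_tree(root: str) -> list:
    """Relative paths (forward slashes) of files under root that look encrypted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                data = fh.read(1 << 20)   # the first 1 MiB is enough to judge
            if looks_encrypted(data):
                hits.append(os.path.relpath(path, root).replace(os.sep, '/'))
    return sorted(hits)

# Constructed samples: ordinary prose, and 4 KiB of pseudorandom bytes
# standing in for a file the malware has encrypted (deterministic so the
# example is reproducible; real ciphertext is statistically the same).
PLAIN = (b"Quarterly budget notes. Revenue was flat, expenses rose in travel "
         b"and hosting, and the reserve fund was not touched. Next review in "
         b"January. Please keep this file on the shared drive and do not "
         b"email copies around; the backup job picks it up nightly.\n") * 3
ENCRYPTED = b''.join(hashlib.sha256(b'block%d' % i).digest() for i in range(128))

def build_demo_tree() -> str:
    """Write the two samples into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix='ransom-demo-')
    os.makedirs(os.path.join(root, 'invoices'))
    with open(os.path.join(root, 'notes.txt'), 'wb') as fh:
        fh.write(PLAIN)
    with open(os.path.join(root, 'invoices', 'budget.xlsx'), 'wb') as fh:
        fh.write(ENCRYPTED)
    return root

if __name__ == '__main__':
    root = build_demo_tree()
    print('notes.txt   entropy %.2f' % shannon_entropy(PLAIN))
    print('budget.xlsx entropy %.2f' % shannon_entropy(ENCRYPTED))
    print('flagged:', scan_tree(root))
```

A spreadsheet that suddenly reads as random bytes is the signature to alert on; run over a share's recently modified files, a burst of such hits in a few minutes is the moment to pull the network cable.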

Thursday, November 14, 2013

Germany will try keeping local Internet traffic from being routed through servers out-of-country as a security measure

Here’s a new technique overseas for Internet safety:  keeping web accesses and email traffic to and from web addresses within the country from being routed outside the country.  Germany proposes trying this now, to protect the privacy of its own consumers from possible criminals overseas but moreover from possible NSA snooping (or snooping by British secret service, which may be even more aggressive), according to a Washington Post story by Michael Birnbaum on Nov. 1, 2013, link here
The story reports that the encryption and various routing mechanisms of Google and Yahoo! (especially through North Carolina and northern Virginia servers) have been “cracked” by the NSA.  Drive out along the Loudoun Parkway and see it going on.

Tuesday, November 12, 2013

Smaller sites have become more vulnerable to hackers because of DIY techniques

A blog posting by Dancho Danchev on the Webroot threat blog, Nov. 1, warns amateur webmasters that even their “small” sites with few users can become targets of cybercriminals and hackers in the “new world order” of DIY (do-it-yourself) hacking tools, despite the widespread reports of hacks of banks and government agencies.  He also discusses “Google dorks”: search queries crafted to surface sites running a known-vulnerable software version or exposing a configuration file, which is how attackers find small sites in bulk without ever targeting any one of them. 
The post is here.
Google recommends that webmasters routinely maintain industry-standard email addresses at their sites to see if anyone (like “Stop badware”) has reported the webmaster’s site to be infected.  Some of these usernames would be “info”, “webmaster”, “postmaster”, “abuse”, and the like.  The most important web page explaining all of this is here

One possible problem is that some web hosting services might not automatically provide these email addresses; the website owner may have to set them up.
Shared web hosting security does matter.   One problem common some years ago on Unix servers was leaving the FTP “SITE” command open to hackers. 

Wednesday, November 06, 2013

Facebook will strengthen protections of teens against cyberbullying

Facebook will strengthen anti-bullying protections, by making it easier for teens who feel cyberbullied to contact adults on their friends’ lists and to notify the company, according to a Washington Post story November 6 by Cecilia Kang, link here

Facebook calls the new facility a Bullying Prevention Hub, and also uses security capabilities already provided by Instagram. 
The Post includes a 15-minute video “On Background” by host Nia-Malika Henderson,   Justin Patchin comments on a slight decrease in cyberbullying reports since 2011. Dr. Gwenn O’Keefe talks about how it is difficult to walk away from online bullying because there is always a copy of it, and people can continue it when they are home, so it never “goes away” or gets forgotten.  72% of teens and adults 14-24 say that digital abuse is a big problem.
It is curious that schools have looked the other way on bullying when in the adult workplace it’s so easy to bring suit over “hostile workplace” conditions.

I do have a concern that cyberbullying will lead to further calls to weaken Section 230.  

Sunday, November 03, 2013

The first big Internet worm dates all the way back to 1988, and it could self-replicate

One of the first pieces of Internet malware ever, the Morris worm, was written in 1988 by a grad student named Robert Morris, as explained on The Switch blog by Timothy Lee today, “How a grad student trying to build the first botnet brought the Internet to its knees”, link here. 
In those days, I had an ATT 6300 computer running MS-DOS only, and would soon get an AST Research machine.  WordPerfect and Q&A were more popular than Word.  Not that many people went online from home, but CompuServe was becoming available at work.
Morris’s worm could spread from one Unix machine to another without any user intervention, which is what makes it a worm rather than a virus.  In the 1990s, most viruses were spread by floppies or by clicking on executables in emails.  The whole idea of an automatically self-replicating piece of malware would come back big time around 2001, just before 9/11, with resulting DDoS attacks.  My own ISP, at the time “virtualnetspeace”, run by a coworker using shared rack space, would have to fight off a DDoS attack in July of that year before getting out of hosting.  I do remember those days.  The real gurus in those days knew how to fend off deliberate packet attacks. They called it "attacking your machine". 

Tuesday, October 29, 2013

Safe browsing tweet from Google this morning

I thought I would pass along Google’s own statement on safe searching (which it says is built into Chrome, Firefox and Safari), which the company reminded followers about on Twitter this morning, with this link

My own recent experience is that Webroot is fairly aggressive in identifying suspicious sites when going to them.  My Toshiba Satellite P875 goes to a Toshiba news site by default when I open Internet Explorer 10, and once in a while Webroot flags an ad on that site.

Yahoo! Safe search and Firefox searches, with MyWOT and McAfee SiteAdvisor, are fairly effective in warning about sites that have been flagged.  But several times Webroot has flagged sites not identified as risky by any safe search.  

This morning, Webroot flashed one warning on a Blogger panel, but the warning disappeared. Not clear what happened.  The SecureAnywhere panel says no active threats have been detected. 

Monday, October 28, 2013

Phone scams offering tech support --- be wary

Local media are reporting telephone scams for personal computer technical support, as written up by Microsoft here
Some callers claim that they will shut off your computer remotely if you don’t work with them.

I got a phone call on a landline (which I don’t publish on my sites) purporting to be from AOL last spring.  The caller started talking about wanting me to change AOL settings, and curiously Comcast XFINITY didn’t screen and identify it.   I did hang up on it.  But it is true that my subscription had expired because a credit card had not been updated after it was lost.   

Thursday, October 17, 2013

Facebook stirs controversy by allowing minors to change settings to public

Facebook has made another change to its privacy policy, setting the default settings now to “friends” for all new minor users and letting anyone (including minors 13 and over) change the setting to everyone.
Previously, the setting for minors had been “friends of friends” (two degrees of separation). 
Apparently some people are concerned that minors should not be able to post publicly to everyone. They fear that minors do not grasp the permanence of digital postings and of online reputation, but even “whitelisted” postings often get passed around.
CNET has the story here

New users over 18 still default to “public”.
The “Inside Facebook” story is here.

There is a story on NOLA here

Blogger has a minimum age of 13 and I'm not aware of any requirement to mark a blog private.  Google+ originally had a minimum age of 18, but was changed to 13 and apparently restricts postings to friends.  

Wednesday, October 16, 2013

Teen social media tragedy highlights social media security problems as well as possible Section 230 issues

Section 230 concerns may well be raised again after the tragic self-inflicted death of Rebecca Sedwick near Winter Haven, FL after online bullying.

But the 14 year old girl arrested for cyberstalking denies that she made the Facebook post that led to the tragedy.  She claims her account was hacked.

It may be that someone else got her password, and there is certainly a case for Facebook’s initiating two-step sign on, as has Google.  Banks should do it, too.  But it’s more likely that she was on a public computer somewhere and left herself signed on.  Although her attorney says she claims she hadn’t been on Facebook at all.

The question as to whether service providers should share responsibility for harmful use of their sites is bound to come back again because of this case.  But here, it seems as though maybe site security was the issue, rather than censorship, as is usually the case when Section 230 gets discussed.
The CNN story is here.
CNN mentioned that there are many new sites which cater to teens besides Facebook, and that parents need to know what their kids do, but parents have a hard time keeping up.  Chris Cuomo on CNN suggested strengthening parental liability laws.  Many of these sites would have security issues.
Why do 12 and 13 year olds need to be on social media, anyway?  Why aren’t they learning to relate to one another in the real world first?  It’s dangerous if kids believe that their social standing depends on the count of social media “likes”. 
This case, however, needs to be followed, both from the viewpoint of security and possible changes in downstream liability laws in the future. 

Sunday, October 06, 2013

ABC discusses the "CP" ransomware problem, and warns on 5 links never to touch

ABC News has a story on “The 5 Deadly Clicks: Links you should never touch”.  The article starts by discussing the ransomware scam that puts child pornography images on your computer.   It is said to come from Russia. This was discussed here on Sept. 23. 

The five most dangerous links are (1) unfamiliar mobile apps; (2) remote-access requests from callers pretending to be ISP employees (I once got a suspicious call pretending to be from AOL); (3) links on porn sites, with a warning that intentionally clicking on sites known to host “illegal” content (or providing hyperlinks to them) can send you to prison; (4) authority scams supposedly from banks; and (5) pharmacy and drug spam.

ABC’s story (by Adam Levin) is here.
On tip 3, remember that Wikipedia reports that the FBI sometimes runs stings to see who will “knowingly” click on illegal content.
Remember, too, that accidental clicks are more likely on smartphones or touchpad laptops.


Friday, October 04, 2013

Federal indictment issued against some members of Anonymous for DDoS attacks against anti-piracy interests

The major media outlets are reporting on a big federal indictment, from the US District Court in Alexandria, VA, against thirteen members of the computer hacking group Anonymous, accused of engineering DDoS attacks against major parties who spoke out against piracy, especially piracy through file-sharing. 
NBC News has a story, with a link to a PDF of the indictment, here

Any federal trial would be held in Alexandria, VA, and people who live in northern Virginia would be eligible for jury summons.  It would be a good question whether personal or professional experience with intellectual property issues would disqualify jurors, as would the possibility that a US attorney on the case happens to know a juror personally.  These sorts of possibilities may be more likely in a case like this than usual.
Reuters has a story by David Ingram on the Chicago Tribune site, here
Most attacks discussed in the indictment seem to have been done with phishing and getting home and small business user computers infected. 

News Super World also reports that a Reuters journalist was indicted separately.  

Monday, September 23, 2013

A few security companies report a more serious variant of a ransomware Trojan that actually places "illegal content" on users' computers, possibly legally compromising them

Webroot is advising users that there is now a ransomware Trojan that not only demands payment for a supposed child pornography infection, but actually moves the illegal content to your computer and displays it.  A YouTube video in a “VlogThreat” blog entry at Webroot’s site by Marcus Moreno and Richard Melick explains how the “shakedown” works here.

The link for the Webroot entry is here.
There are a few other stories on the web about this. For example, Avira has a report dated May 2013 here.
A company called Hitman Security has another report from May 2013 here.  The Trojan, called the “BKA Trojan” (after the Bundeskriminalamt, Germany’s federal police, which its ransom screen impersonates), apparently was widely reported in Germany. 
I have not seen a lot of discussion of this problem yet among other major anti-virus vendors.  
Generally, these sites are saying that the problem is difficult to fix at home with a virus scanner, even in safe mode, and requires a technician.  But there seems to be a Catch-22 in this.  In many states, technicians are required to report CP-infected computers, and most stores (like Best Buy’s Geek Squad) report them as a matter of policy.  Most states, like federal law, make it a crime to “knowingly” possess or view an illegal image, so a first, accidental view would not itself be a crime.  But a few years ago, some journalists were writing that possession in some states could be an “absolute liability” offense, suggesting that someone whose computer got infected was, in a legal sense, an accomplice, at least through negligence.   I don’t know if that’s true now.  
I see that I posed this question with a July 23 posting on this blog, and noted that Florida law apparently requires consumers to contact police themselves if this happens and then seems to give them an affirmative defense.   Florida’s link is there.  But conceivably, a consumer could be required to destroy the computer in some states.  Possibly even his own cloud accounts and social media could be destroyed out of a legal requirement for caution, as well as his own work. This needs more legal attention, and unfortunately, some politicians, in the guise of protecting children, may not be sympathetic to consumers caught in the middle. 
The FBI does not seem to have specific information on this problem yet.  The best that I could find is here.

This issue does need immediate attention from state attorneys general.  Unfortunately, their behavior on the Section 230 issue doesn’t bode well.  

Friday, September 13, 2013

Webroot blocks a high profile Hollywood media site -- why?

A little strange glitch today.  I tried to go to a site called Nylon Magazine.  Internet Explorer 10 (Windows 8) told me it couldn’t display the page because of a programming error.  I’ve never seen that before.  I went to the main site, but Webroot said it was blocked for possible malicious content, although it did display most of the page.  But McAfee SiteAdvisor showed the site (in Firefox) as OK.
Webroot Secure Anywhere rarely tells me that it has to block a site, at least from a more or less mainstream media company. 

Maybe this is just a matter of “unsafe code” (running out of memory) in Java or C#.  

Wednesday, September 11, 2013

Microsoft Action center warns on manufacturer startup items, like Toshiba flash cards; they use resources and might be emulated by malware

The Microsoft Windows 8 Action Center this morning warned me of three items that take extra time at startup and could reduce battery life, or possibly introduce security issues.  One was Logitech, my keyboard and mouse.  Another was Tcrd Main (tcrdmain.exe), Toshiba’s own Flash Cards app.  An advisory warns that it is possible for Trojans to mimic legitimate Toshiba Satellite software, on this link.
The Toshiba Flash Cards utility replaces the conventional Microsoft Hot keys. 
I am not a fan of manufacturer-supplied operating system enhancements, because they require additional updating from the manufacturer and could complicate Windows security updates.
Recently Toshiba did two major security updates of its own, including one to the video player, and they took longer than most Microsoft updates do.  

Webroot Secure Anywhere does not flag this tcrdmain.exe as suspicious.  

Friday, September 06, 2013

NSA has developed ways to get around almost any corporate or user encryption systems

The New York Times is reporting Friday morning that the NSA, working in conjunction with its British counterpart, GCHQ, has undermined “basic safeguards of privacy on (the) Web”, in a story by Nicole Perlroth, Jeff Larson, and Scott Shane.  The print subheadline is “Supercomputers and guile subvert much encryption, documents reveal”, link here (paywall applies).  
The New York Times also says that it (along with ProPublica) was asked not to publish this story.  I’ve tweeted this fact, and I’m surprised I don’t see more about this yet from parties whom I follow, but I think I soon will. ProPublica gives its rationale for publishing here, and mentions a "Minority Report" scenario in which it imagines that some day the government could read people's minds, dreams or telepathic communications ("Dreamscape" or "Inception").  
The articles give long detailed technical discussions with illustrations of how the NSA “methods” (a java pun) work. 
Could the NSA (or FBI, etc) have read the “diary” on my own PC, where I log my dreams and fantasies, which I never post anywhere?  Probably.  I don’t think they would find it particularly interesting.  But there’s a hidden danger.  If someone ever tried to frame me for a crime, then the government’s ability to see such data could complicate matters.  More likely, it could spy on backup copies of the diary in the cloud (Carbonite).  No, I don’t think this has happened.  But you can see how it just might.

I see a more subtle danger with this.  If the NSA can ultimately undermine the security of the most restricted communications, such as those that run a nuclear power plant, then enemies of the US and the West or of specific entities in the West might be able to figure out how to do so.  That makes a scenario of a novel like Byron Dorgan’s “Gridlock” (reviewed on my Books blog yesterday) more plausible than I would normally think it could be.  It could also mean that it could be very difficult for a small business or person or organization to protect itself against a very determined attacker.  

Wednesday, September 04, 2013

Phishing pretending to be from Apple is more convincing than most

Although spam threatening account suspensions is very common (particularly pretending to be AOL), there is a spam entry claiming to be from "helpdesk @ apple.com" saying that your Apple account will be suspended unless you click and apply the update.

AOL marked one of these messages as spam but not the second.

Most phishing emails don't really spoof the sender's address (you can see a different address by moving the cursor over the sender's name; it's often in China).  But this one actually has managed to make AOL think it really came from Apple.  I'm not sure how it did that.

So don't fall for this one, either. This is not "free phish" (or "free fish").  
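Two of the clues mentioned above (the visible sender versus the address the mail actually came from, and a link whose text shows one site while its href points at another) can be checked mechanically. The following is an added example, not code from the post or from AOL or Apple; the message, addresses and URLs in it are constructed for illustration (example.net and example.com are reserved documentation domains), and the "registered domain" helper is a deliberate simplification that takes the last two labels of a hostname.

```python
"""Added example: flag a phishing message by comparing From, Return-Path and
Reply-To domains, and by comparing each link's visible text with its href.
The sample message below is constructed, not a real phishing mail."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name says Apple, envelope sender and Reply-To
# live elsewhere, and the link text shows apple.com while the href does not.
SAMPLE = b"""Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
From: "Apple Helpdesk" <helpdesk@apple.com>
Reply-To: account-verify@example.net
To: victim@example.com
Subject: Your Apple account will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p>Your Apple ID will be suspended unless you
<a href="http://apple.com.example.net/update">https://appleid.apple.com/update</a>
within 24 hours.</p></body></html>
"""


def addr_domain(header_value):
    """Lowercase domain of the first address in a header value ('' if none)."""
    text = str(header_value) if header_value is not None else ""
    _name, addr = email.utils.parseaddr(text)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registered_domain(host):
    """Simplified: last two labels of the host (assumption; real code needs a
    public-suffix list to handle e.g. co.uk correctly)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_bytes):
    """Return a list of human-readable findings; an empty list means no clue found."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    for header in ("Return-Path", "Reply-To"):
        dom = addr_domain(msg[header])
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} != From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            text_host = (urlparse(text).hostname or "") if "://" in text else ""
            if text_host and registered_domain(text_host) != registered_domain(href_host):
                findings.append(f"link text shows {text_host} but href goes to {href_host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("suspicious:", finding)
```

A message that passes this check can still be phishing (a sender who controls the envelope domain matches trivially), so the check is a triage aid, not proof of legitimacy; what it does catch is the common case where the display name and the link text are the only things that look like the brand.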

Monday, September 02, 2013

Past is prologue: September is a month to be very careful; were some of us warned before 9/11 by a phishing email Labor Day weekend 2001?

In September 2001, during my last four months at ING-ReliaStar in Minneapolis, there were a few little incidents that sound oddly prescient of today’s warnings about cyberwarfare and even power grid security.

September 1, 2001 was a sunny Saturday, and I had just moved into a larger unit in a convenient modern downtown highrise apartment building, the Churchill.   I guess this started a sequence that confirms the adage, “You never know what is going to happen in the future.”  I went up to Duluth and then on to Thunder Bay, Ontario, for the Labor Day weekend.  On Saturday night, I wasn’t able to get AOL up on my laptop in the motel with its connection.  Sunday night, in Thunder Bay, I did, although AOL charged something like $1.95 for an out-of-country connection session.  I recall an odd email with an attachment whose subject line included the characters “911”.   It had come in during the middle of the day Saturday.   I figured it was spam that would deliver a virus and simply deleted it or marked it as spam and never looked at it.  A few friends reported getting a similar email.  I wonder what I would have “known” had I read it.
On Tuesday, September 4, during lunch at work, I walked over to a Walgreens downtown (Minneapolis) and happened to see a “Popular Science” magazine with a flashy cover communicating the idea that terrorists could destroy the power grid and all personal electronics with nearby EMP explosions.  I’ve discussed that particularly on the Books blog (April 13, 2013 and July 20, 2012).  That possibility actually inspires a scene in the film “Ocean’s 11”, which I would see on December 7, the last film I would see before learning of my layoff.  Again, others in the office saw the Popular Science story, one techie in particular (he alone had a server under his desk in his cubicle).
On Thursday, September 6, the company was hit with its worst virus attack ever, from a critter called the “Magistr” virus.  It could steal clients’ personal information.  Tech support went through the entire company and had to clean about a quarter of the desktop computers.  Mine was not infected, but the woman I worked with “fixing bugs” was, and she had a day without access to her own desktop. They said, “this is the real thing”.  They got everything cleaned up by Sunday, September 9.
Some of this is more a story for the “IT Jobs” blog, but Monday night, September 10, I saw the only “water volleyball” game in the 33rd floor pool of the apartment building, with the glitter of downtown Minneapolis at night just outside.  It’s quite spectacular.  Tuesday morning, I did not find out about the 9/11 attacks until a woman came to my cubicle about 8:25 AM CDT just as I had closed a couple of production support tickets for user problems.
We actually went on a “team building” event, a cruise on the St. Croix river, 30 miles away that day.  
We didn’t hear any of the horrible unfolding news until we got back about 4:30 PM. 
Two weeks later there was another virus incident, but much less widespread.  But the quirky circumstances were such that I feared my own home computing environment, from which I maintained my own websites supporting my books, could be compromised.  I spent some time talking to the “server” guy (who had seen the PS report and gotten the same bizarre 911 email earlier in the month) about it.
The next morning I looked at my personal appointment calendar, and saw that I had a scheduled meeting with my project leader and his manager, to “discuss issues”.  I quickly found out that they were concerned that  I had taken another team’s concern when the intricacies of this second “virus attack” weren’t my business.   I can certainly believe they were wrong.  This was, of course, during those crazy weeks right after 9/11 in which nobody knew what to expect.  The news media contained speculation that ordinary computer users or “newbie” websites would be contaminated with “steganography” planted by terrorists.  Web use could become much more regulated.  As for work,  I expected layoffs and a downturn later, and suddenly I felt it might personally be for the best.  That would come in December, and maybe it was the best thing for me, given the huge severance.
What to take away from all this?  Seemingly unrelated, random events seem to occur, and then you find out they weren’t quite so random after all.  This is a time for everyone to be very careful, and, yes, perhaps that starts with the president. 

Saturday, August 31, 2013

More on private encryption keys; are fears of a cyberwar from Syria overblown?

Electronic Frontier Foundation has an important statement about service provider private encryption keys, link here.

An important subset of this discussion is Perfect Forward Secrecy (PFS). With PFS, each session’s keys are derived from ephemeral values rather than from the server’s long-term private key, so an attacker who records https traffic today and obtains the server’s private key later still cannot “retrospectively” decrypt what was captured.  EFF is mainly concerned about this possibility from government snooping itself, the NSA.
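To make the forward-secrecy point concrete, here is an added example (not from the EFF statement or from this post) in pure Python: a passive recorder keeps handshake transcripts, and later the server's long-term secrets leak. In "static" mode the server's long-term key is its Diffie-Hellman key, so every recorded session falls out; in "ephemeral" mode the long-term key only authenticates a fresh per-session DH value, and the transcript alone is useless. The parameters (p = 2**127 - 1, g = 3) are toy values chosen so the arithmetic runs instantly; they are not a secure group, and the HMAC "signature" is a stand-in for a real signature. Real code should use a standard group (RFC 7919) or X25519 with a proper signature scheme.

```python
"""Added example: why forward secrecy defeats retrospective decryption.
Toy DH parameters; NOT secure. Demonstration only."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime), assumption for illustration only
G = 3            # toy generator


def keygen():
    """Random private exponent and matching public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kdf(shared):
    """Derive a session key from the shared DH value (fits in 16 bytes since shared < 2**127)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


class Server:
    def __init__(self, ephemeral):
        self.ephemeral = ephemeral
        self.lt_priv, self.lt_pub = keygen()        # long-term DH key (used only in static mode)
        self.sign_key = secrets.token_bytes(32)      # long-term authentication key (toy HMAC stands in for a signature)

    def handshake(self, client_pub):
        """Return (server_pub, auth_tag, session_key). A recorder sees the first two."""
        if self.ephemeral:
            priv, pub = keygen()                     # fresh per session; `priv` is dropped when this returns
        else:
            priv, pub = self.lt_priv, self.lt_pub    # same key every session
        tag = hmac.new(self.sign_key, pub.to_bytes(16, "big"), "sha256").hexdigest()
        return pub, tag, kdf(pow(client_pub, priv, P))


def run_session(server):
    """One client/server exchange; returns what a wiretap records plus the real session key."""
    c_priv, c_pub = keygen()
    s_pub, tag, s_key = server.handshake(c_pub)
    c_key = kdf(pow(s_pub, c_priv, P))
    assert c_key == s_key                            # both sides agree on the key
    transcript = {"client_pub": c_pub, "server_pub": s_pub, "tag": tag}
    return transcript, s_key


def retrospective_attack(transcripts, leaked_lt_priv):
    """Attacker recorded the transcripts and later obtained the server's long-term DH private key.
    It can recompute a session key only where server_pub really was g^leaked_lt_priv."""
    recovered = []
    for t in transcripts:
        if pow(G, leaked_lt_priv, P) == t["server_pub"]:
            recovered.append(kdf(pow(t["client_pub"], leaked_lt_priv, P)))
    return recovered


def demo(ephemeral, sessions=3):
    """Run several sessions, then leak the long-term key. Returns (real keys, recovered keys)."""
    server = Server(ephemeral)
    transcripts, real_keys = [], []
    for _ in range(sessions):
        t, k = run_session(server)
        transcripts.append(t)
        real_keys.append(k)
    recovered = retrospective_attack(transcripts, server.lt_priv)
    return real_keys, recovered


if __name__ == "__main__":
    for mode in (False, True):
        real, rec = demo(mode)
        print("ephemeral" if mode else "static   ", "sessions:", len(real), "recovered after key leak:", len(rec))
```

Note that leaking the authentication key does let the attacker impersonate the server in future handshakes (an active attack), but it gives no way back into sessions that were already recorded, which is exactly the property the EFF statement is after.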

There is discussion today about whether the US infrastructure could come under cyberattack from the Syrian or Iranian forces, particularly if the Obama administration launches air strikes against chemical weapons sites. 
A deliberate attack could make financial processing as we know it now very difficult.

As for the power grid, military systems, or other critical infrastructure systems (like oil pipelines), I would wonder why it is even possible, from the point of view of topology or graph theory, to reach a power grid computer (especially at a nuclear power plant) from my own computer that I type on.  I don’t think it should be (nor should this be possible from a computer in Tehran, Damascus, or Moscow).   But if I can log on to Dominion Power during a storm when the power is out (through wireless cellphone) and look at the status of my outage, there may exist such a direct connection.  Nobody has explained this yet. 

I thought that the Stuxnet virus was implemented through a flash drive.  Of course, utilities and all other infrastructure have to use security with respect to other “objects” brought into the workplace to be loaded onto their systems.  To that end, telecommuting or use of employee owned laptops (I owned most of what I connected to work with from home during my career) becomes a security issue.  Two-step verification is predicated on a level of physical world security.

Jordan Robertson talks to Bloomberg News about what a cyber war could be like. 

Robertson also says that the domain name attack on the New York Times could have been prevented by a “registry lock”, which Twitter had.

Thursday, August 29, 2013

DNS redirection most recent hacking technique, at least by rogue states or regimes (New York Times and Twitter)

Is the most recent “hack” of the New York Times and Twitter an indication of a change in strategy by hackers?  Is this a risk to home users or small business or even newbie bloggers? Timothy B. Lee and Hayley Tsukayama have the story here

This time, it appears that the “Syrian Electronic Army” got access to the registrar records at Melbourne IT, an Australian domain registrar that the NY Times, Twitter and others apparently use, and changed the DNS entries from there.  “Ordinary” people are more likely to use one of the numerous domestic companies.  In fact, most large ISP hosting companies also offer domain name registration.  It used to be that the most important player in the US was Network Solutions, still a big player in the Loudoun County, VA technology corridor.
It seems bizarre that an autocratic regime would use such crude attacks against major news media.  This possibility wasn’t viable twenty years ago for Saddam Hussein.  Attacks against news media seem to have no effect on government policy, such as possible military intervention.

A practical risk for users would be a financial institution’s DNS being hacked and pointed at fake servers.  That is forestalled in part by https, since the impostor server would not hold a valid certificate for the bank’s hostname and the browser would warn (provided the user does not click through the warning), and in part by the secret images shown at sign-on which tell you that you reached the real site.  A hack could not go on for long without attracting enormous attention from the news media.
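The Aug. 31 post above mentions that a “registry lock” would have prevented the New York Times redirection, and the Melbourne IT compromise described here is the kind of registrar-side change it blocks. Whether a domain has those locks shows up in its whois output as EPP status codes: the client* statuses (registrar lock) are set by the registrar and are only as strong as the registrar account that controls them; the server* statuses (registry lock) are set at the registry and are changed only through an out-of-band procedure. The following is an added example, not from the post or from any registrar; the whois text in it is constructed, and real output will vary in layout from registrar to registrar.

```python
"""Added example: parse whois 'Domain Status' lines and report whether a
domain carries registrar lock (client*) and registry lock (server*) statuses.
Sample whois output below is constructed."""

# EPP status codes as they appear in whois (the trailing icann.org/epp URL is dropped when parsing)
CLIENT_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
SERVER_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}

# Constructed sample: a fully locked domain
LOCKED = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE.COM
"""

# Constructed sample: registrar lock only, no registry lock
REGISTRAR_ONLY = """Domain Name: EXAMPLE.ORG
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

# Constructed sample: nothing set at all
UNLOCKED = """Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE.NET
"""


def parse_statuses(whois_text):
    """Return the set of EPP status codes listed in 'Domain Status:' lines."""
    statuses = set()
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "domain status":
            parts = value.split()
            if parts:
                statuses.add(parts[0])
    return statuses


def assess(whois_text):
    """Summarise lock posture: registrar lock, registry lock, and which lock codes are missing.
    serverUpdateProhibited is the status that would block a nameserver change made through a
    compromised registrar account."""
    present = parse_statuses(whois_text)
    return {
        "registrar_lock": CLIENT_LOCKS <= present,
        "registry_lock": SERVER_LOCKS <= present,
        "blocks_ns_change_at_registry": "serverUpdateProhibited" in present,
        "missing": sorted((CLIENT_LOCKS | SERVER_LOCKS) - present),
    }


if __name__ == "__main__":
    for label, text in (("locked", LOCKED), ("registrar-only", REGISTRAR_ONLY), ("unlocked", UNLOCKED)):
        print(label, assess(text))
```

To use this on a real domain, feed it the output of `whois yourdomain` (or the registrar's RDAP response converted to the same key: value lines); if `registry_lock` comes back false, that is the conversation to have with the registrar, since the client* flags alone can be cleared by whoever holds the registrar login.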

I’ve experienced only one hack, in 2002, against an on-line copy of a chapter on terrorism from my “Do Ask Do Tell II: When Liberty Is Stressed” book (“pubbed” in 2002; the online essay had gone up first).  That defacement occurred starting with a passage that discussed possible terrorist use of nuclear weapons.  It contained some bizarre references to areas in NW Russia.   I’m not sure what anyone could make of it.  It was passed on to the FBI.  The corruption seemed to occur by leaving a Unix Site command open.  

So far, it has been large media, corporate and government sites that have been targeted for hacks.  Undermining of small business would have a different aim, a kind of psychological warfare of intimidation of the grass roots, which seems to be how things work within Putin’s Russia right now.  Or that may be how the legal bullies (copyright and patent trolls) work, but with nearly “fake” litigation.  We could say that about SLAPP lawsuits. 

It is taking up to 48 hours for the New York Times to become available again to all users, because the corrected DNS mapping has to propagate.  I can get it now through Comcast. I never did actually experience the outage.  Twitter worked normally for me yesterday. 

I did have about a 10-hour outage Sunday night and Monday morning on my own doaskdotell.com site, but this appears to have been the result of  weekend ISP shared hosting Windows Server maintenance, which became more complicated than had been expected. 

Wednesday, August 28, 2013

Fake AV will make escalating "offers you can't refuse", as if you owned a "Mafia bar".

Some rogue antivirus vendors make “escalating” demands and “offers” to owners of infected personal computers, according to Tony Bradley in a column on his CSO Security and Risk page.   The link is here.

Bradley compares it to a Mafia-controlled town, where organized crime requires families (particularly small business owners) to pay “protection” or extortion money after small acts of vandalism, which escalate. He calls this trick "The Offer You Can't Refuse".  
Microsoft’s Malicious Software Removal Tool can usually remove these products.  Microsoft provides a video of an example of a generic “Fake AV” product.

Such attacks are much less likely on pc’s with properly updated anti-virus software.
I used to find offers of fake AV software in spam blog comments until I started monitoring, and Blogger also started filtering them.  All such comments have been removed as far as I know 

Remember the "Mafia bars" of the 1970's?

Tuesday, August 20, 2013

Mobile scam claiming GMail is compromised reported today on local TV station

Liz Crenshaw of NBC Washington (NBC4) is reporting today about a mobile phone virus or worm that flashes to users a message (apparently an MMS or SMS text) that their Google GMail has been compromised, and which then attempts to solicit personal information.

This is a hoax or scam, and should not be responded to. Links in the text should not be followed.  Users can report incidents to their carriers or the FTC.

Off hand, it would sound as if such a scheme could compromise “2-step verification” on Google accounts, which depends on a cell phone.  But users can download an app to generate the verification codes and not depend on a text being sent; suddenly, that method sounds more secure.  Users can also generate backup codes that can be saved in a file and used when a cell phone is not available.

Other providers, such as banks and other social media (like Facebook), are likely to adopt such verification methods in the future.  There might need to be common vendors for the code generating apps.
Google accounts started offering 2-step verification about three years ago after password cracking attacks (for international scams trying to get money from relatives for people falsely reported as arrested overseas) made the news.   
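The reason an authenticator app does not depend on the text message is that the code is computed locally from a shared secret and the clock (RFC 6238 TOTP, itself built on RFC 4226 HOTP); the backup codes are simply one-time secrets the site stores as hashes and burns on use. The following is an added example, not code from Google, Facebook or the post, written in plain Python with the standard library; it covers both the app-generated codes mentioned in this post and the two-step sign-on the Oct. 16 post above argues Facebook and banks should adopt. The shared secret used in the usage section is the RFC 6238 test secret, and the backup codes are generated at random.

```python
"""Added example: RFC 6238 TOTP verification with a drift window, plus
one-time backup codes stored only as salted hashes."""
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) for an 8-byte big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current time step. No network, no SMS involved."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Accept the current step and +/- `window` neighbouring steps to absorb clock drift.
    Uses a constant-time comparison so timing does not leak which digits matched."""
    t = int(time.time() if at is None else at)
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, t // step + k, digits), code):
            return True
    return False


class BackupCodes:
    """Printable one-time codes: the user keeps the plaintext, the server keeps only
    salted PBKDF2 hashes, and each code is removed the first time it is redeemed."""

    def __init__(self, count=10):
        self.salt = secrets.token_bytes(16)
        # Shown to the user once at enrolment; not retained by a real server.
        self.plain = [f"{secrets.randbelow(10**8):08d}" for _ in range(count)]
        self._hashes = {self._digest(c) for c in self.plain}

    def _digest(self, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def remaining(self):
        return len(self._hashes)

    def redeem(self, code):
        """True exactly once per valid code; False for unknown or already-used codes."""
        h = self._digest(code)
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (SHA-1 variant); the RFC lists 8-digit vectors.
    rfc_secret = b"12345678901234567890"
    print("TOTP at T=59 (8 digits):", totp(rfc_secret, at=59, digits=8))
    codes = BackupCodes(5)
    print("backup codes:", codes.plain)
    print("first redeem:", codes.redeem(codes.plain[0]), "second redeem:", codes.redeem(codes.plain[0]))
```

A verifier should also remember the last accepted time step and refuse a replay of the same code within the window; that bookkeeping is left out here so the core computation stays visible.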

Sunday, August 18, 2013

Baby monitor hacked; home locks, security systems and other hardware controlled by networks could be vulnerable

The latest technology safety scandal seems to be the hacking of a baby monitor, which was apparently controllable by remote device or through a home network with a password.  CNET has a typical news story account here.

Similarly, the smart home, where electronic door locks (like those in hotels),  thermostats, and even the security system itself can be monitored by smart phone and wireless Internet (it might require that a PC be left on while the person is away) could leave the home itself vulnerable to hackers.  Maybe door locks should just be mechanical (and Medeco). 

When I was caring for my mother at home, with hired caregivers, there was a radio baby monitor in her room, so that the caregiver could hear her from the living room.  But it was not connected to the Internet or to my computer.