Wednesday, May 29, 2013

AOL displays unwanted ads before returning to inbox, regardless of user's wishes

Just a little note -- today, when I went into AOL, something "happened".   When I sent a new email (not a response), instead of offering me a chance to return to the Inbox, an ad would flash, usually from a mortgage company claiming to offer refinancing and inviting the visitor to click on rates.

I don't know whether this could be due to malware or is just a marketing ploy for revenue.  But it's normally improper to display an advertisement on a user's screen (this happened on a PC in an XP environment and on a laptop in a Windows 7 environment) when the user did not navigate to it. But companies are probably finding it harder to earn revenue.

The browser was Chrome.  I don't know if setting "do not track" could suppress the display.

And it's pretty obvious that it's dangerous to enter into financial contracts online introduced in such a cavalier manner.

Oddly, I got one cell phone call where the caller thought I was responding to a Craigslist ad.  No.  I haven't. Hope something isn't going on.

Update: May 30

Late in the day, one day after this posting, I got a call from an 866 number in northern VA (identified by Xfinity on my TV) on my (Comcast digital) home phone.  The voice was broken, and the caller said he was from AOL.  He said I needed to change my account.  This sounded suspicious.  He gave me a number to call back as "1-855-763-3147", which does not match any of the contact numbers on AOL's site (1-800-827-6364).  I tried the 855 number and it said it was AOL, but I am going to check later with the number on the site to see if this is legit.  Does anyone else know what is going on?

Later, when in a Windows 8 environment but signed on to AOL, I was visiting Major League Baseball (MLB), and when going to a Wrap for a game, I got an ad from AOL.  The problem went away when I signed out of AOL (on Google Chrome).  Weird!

Tuesday, May 28, 2013

MPAA wants the right to infect computers with "pirated movies" with ransomware

Here is a shocking proposal that the MPAA (the Motion Picture Association of America) is floating among members of Congress and probably state legislators.  Make it legal for content owners (or their trade group – the MPAA) to infect computers holding pirated material with “ransomware” – which would keep computers unusable until owners “turned themselves in”. 

It’s obvious that this infection could occur based on flimsy or wrong evidence, or that real criminals would masquerade as content owners.
The story floated on a site called “Boing” and was tweeted by Webroot today, link here

Could a pirated YouTube video be infected?  What if a blogger embedded it before it got taken down; would anybody visiting the blog get infected with the ransomware?

Is this called "attack your customers"?
Just don't go through life thinking "It's free".  

Friday, May 24, 2013

Internet Explorer 10 security features and "do not track" explained with update

Today, my Windows 7 Dell XPS Machine greeted me with a replacement for Internet Explorer, with IE 10. The update comprised over 60 MB and took about 15 minutes to install and about 10 minutes to restart.

Microsoft says it copies preferences from earlier versions of IE that are replaced, and offers a detailed discussion of its "Do Not Track" policy, all on this statement, which is displayed the first time you bring up IE 10 after the update.

Note that turning on "do not track" does not guarantee that a website you visit will not track.  Microsoft merely asks it not to.  EFF has complained and written about this.
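To make the point concrete, here is an added example (not code from Microsoft, EFF or the original post) of what the DNT signal looks like from the server's side. The browser only sends a request header; whether a tracking cookie is set is decided entirely by server code such as this. The cookie name, the `honor_dnt` switch and the use of the W3C Tracking Preference Expression draft's `Tk` response header are assumptions made for illustration.

```python
"""Server-side handling of the Do Not Track (DNT) request header.

Added example: the browser expresses a preference ("DNT: 1"); nothing
stops a server that chooses to ignore it, as honor_dnt=False shows.
"""
from typing import Optional


def dnt_preference(headers: dict) -> Optional[str]:
    """Return 'optout', 'consent' or None (no preference expressed).

    The DNT header carries '1' (do not track me), '0' (tracking permitted)
    or is absent.  Header names are matched case-insensitively.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return "optout"
            if value == "0":
                return "consent"
            return None  # malformed value: treat as no preference
    return None


def build_response(headers: dict, honor_dnt: bool) -> dict:
    """Build a minimal response for a page view.

    honor_dnt=True models a site that respects the request and omits the
    tracking cookie; honor_dnt=False models a site that ignores it.
    The cookie name is illustrative.  'Tk' is the tracking-status response
    header of the W3C TPE draft (N = not tracking, T = tracking); assumed
    here as an illustration of how a site would state what it did.
    """
    pref = dnt_preference(headers)
    response = {"status": 200, "headers": {}}
    if honor_dnt and pref == "optout":
        response["headers"]["Tk"] = "N"
        return response
    # Either the user did not opt out, or the site chose to ignore the signal.
    response["headers"]["Set-Cookie"] = "trk_id=<assigned>; Path=/; HttpOnly"
    response["headers"]["Tk"] = "T"
    return response


if __name__ == "__main__":
    # Constructed request: a browser with "do not track" switched on.
    request_headers = {"Host": "example.com", "DNT": "1"}
    print("honoring site:", build_response(request_headers, honor_dnt=True))
    print("ignoring site:", build_response(request_headers, honor_dnt=False))
```

The second call in the usage section is the whole story of the feature: the same request, the same header, and a tracking cookie anyway, because honoring DNT is a policy decision on the server rather than a technical control in the browser.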

Thursday, May 23, 2013

Twitter to add two-step verification capability, to help visible users ward off hacks

Twitter is reportedly offering a two-step sign-in verification similar to Google’s.

The capability is motivated by the recent spate of hacking attacks on Twitter feeds of highly visible entities.

It does not appear to have as much flexibility as Google’s but requires a (cell) phone and email confirmation.
So far, the capability seems to be optional.

The Los Angeles Times has a story by Salvatore Rodriquez, here.

But two-step verification will become a trend.  Financial institutions are likely to use it.  It will be important for web users to keep smartphones working and maintain good connectivity in all locations (which still is a problem in some areas).

One tip is to be sure you are getting texts before you sign on to a new computer.  You can send a text to your phone number from email.  (Presumably re-signs on trusted computers don't require verification until a password is changed.  That's how Google accounts work now.)  
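The mechanics behind "a code sent to your phone" and "trusted computers that skip the code until the password changes" can be shown in a few dozen lines. This is an added example, not Google's or Twitter's code: the one-time code is standard RFC 6238 TOTP (what a verification app computes; a texted code is the same idea with the server choosing the number), and the trusted-device token design, an HMAC over the user name and a password version number kept on the server, is an assumption made for illustration.

```python
"""Two-step sign-in: password, then a time-based one-time code (RFC 6238),
with a 'trusted computer' token that skips step two until the password
changes.  Added example; the trusted-token scheme is assumed, not any
vendor's actual implementation.
"""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of 30-second steps."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/-window neighbours to absorb clock drift."""
    counter = now // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.pw_version = 1                          # bumped on every password change
        self.totp_secret = secrets.token_bytes(20)   # shared with the phone app
        self.device_key = secrets.token_bytes(32)    # server-side only, never sent

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def password_ok(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def change_password(self, new_password: str) -> None:
        self.pw_hash = self._hash(new_password)
        self.pw_version += 1     # every trusted-device token now fails its MAC

    def _device_mac(self, device_id: str) -> str:
        msg = f"{self.username}:{self.pw_version}:{device_id}".encode()
        return hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()

    def issue_trusted_token(self) -> str:
        """Token stored in the browser after a full two-step sign-in."""
        device_id = secrets.token_hex(16)
        return f"{device_id}.{self._device_mac(device_id)}"

    def trusted_token_ok(self, token: str) -> bool:
        device_id, _, mac = token.partition(".")
        return bool(mac) and hmac.compare_digest(self._device_mac(device_id), mac)


def sign_in(acct: Account, password: str, now: int,
            code: str = None, device_token: str = None):
    """Return (status, token); status is 'ok', 'need_code' or 'denied'."""
    if not acct.password_ok(password):
        return "denied", None
    if device_token and acct.trusted_token_ok(device_token):
        return "ok", device_token          # remembered computer: skip step two
    if code is None:
        return "need_code", None           # prompt for the texted / app code
    if not verify_totp(acct.totp_secret, code, now):
        return "denied", None
    return "ok", acct.issue_trusted_token()


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery")     # constructed account
    status, token = sign_in(acct, "correct horse battery", 1_370_000_000,
                            code=totp(acct.totp_secret, 1_370_000_000))
    print(status, "-> trusted token issued:", token is not None)
    acct.change_password("new passphrase")
    print(sign_in(acct, "new passphrase", 1_370_000_100, device_token=token)[0])
```

Two design points worth noticing: the token is bound to `pw_version`, so a password change silently revokes every remembered computer without the server having to keep a list of them; and the one-time code is compared with `hmac.compare_digest` within a one-step window, which is what lets a code typed a few seconds late still work.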

Twitter also offers the ability to limit who can receive your tweets, and the ability to mark content as sensitive.  

It’s common for celebrities or professionals to have personal and professional accounts, and make only the professional accounts totally public.

Monday, May 20, 2013

New Yorker: we're losing the cyberwar already; a computer's fan staying on could mean it's infected

The New Yorker magazine, the May 20, 2013 issue, p. 64, has a major essay by John Seabrook on the state of Internet security today, and it is not encouraging. It’s called “Network Insecurity: Are we losing the battle against cybercrime?” link here

No longer is it enough for PC users and companies to play “defense” against “known” threats.  Polymorphism has been warned about for years, anyway. 

Viruses and worms used to be more likely to have obvious symptoms.  Now, they seem to enlist computers, unbeknownst to their owners, into massive industrial and political spying and retaliation. Often there are few or no symptoms, just oddities.

And corporate networks are particularly vulnerable because of “spear-phishing” by employees, and the possibility of employees using their own computers for work.  (At home, I always used my own computer for support, and there were legal reasons for doing so that would not apply today.)

One symptom of infection can be that your computer’s fan is always on – because the hackers’ applications are using the machine’s spare power.

The article discusses two-step verification, and one could express surprise that more banks don’t insist on it.  But on a mobile device that doesn’t seem to apply.
The article doesn’t do much with downstream liability, or the possibility of framing an "enemy" with a cyberattack.  What if a virus did download child porn to your computer, and you never saw it, and didn’t find out until you took it in for repair?

Friday, May 17, 2013

Major phone hacking scam leads to $500,000 bill for Missouri realtor

There was a recent report on ABC of a realty business in Missouri that received phone bills one month of over $500,000 for accounts it didn’t have, even from companies it didn’t have accounts with.
Verizon has its own page of the major phone scams, and they are considerable.  Here is its link

ABC News story from Diane Sawyer is available only as a video (suggest using Chrome, Safari or Firefox, not IE):

Lindsey Janus reports. The incident started with incessant calls with no one on the line. Hackers opened accounts on her number overseas in countries including Somalia.  And Melissa, the realty owner, wasn’t able to get the charges reversed until ABC News intervened, even though the carriers admitted the hacking. 
It would seem as if the phone carriers should have security systems in place able to detect unusual spikes in activity.
In 1995, I had about $300 of phone calls from Canada appear on a credit card, which ATT reversed without argument, after the card (which had not been stolen) was canceled.  I actually found out the card was compromised at a grocery store and got a call at work the next day from Merrill Lynch, issuer of the card.

Update: May 19

CNN's Clark Howard also discussed how criminals are getting paid by third party companies for "cramming services" onto phone bills.    He also recommended that smart phone owners get apps that can cause their phones to be both trackable and inoperable if stolen. 

Monday, May 13, 2013

"Business model" pays for malware execution on hacked PC's (Webroot report)

Here’s a new “low” in the “Internet mafia” world, perhaps getting ready to appear in a soap opera plot soon (like with the character Nick Fallon in NBC’s “Days of our Lives” who, unlike “Nolan” in “Revenge”, has become a real but fictitious jerk).  The idea is to pay for hacked PC malware executions, most particularly, in all likelihood, for DDOS (denial of service) attacks on politically incorrect government agencies and financial institutions.  Another use might be to get fake advertising revenue – all from the world of “Argo”. 
Dancho Danchev describes it all on the Webroot threat blog today (it’s well worth looking at in entirety occasionally), tweeted a while ago by the company.  The link is here

Danchev plays devil’s advocate with the “business model” here, which has its own internal contradictions, starting with TOS violations (which probably can’t in themselves be crimes anymore).
One wonders why the world has become so cynical that cybercrime needs to become a regular employer, able to offer a stable income based on a “business model”.  Do kids not have enough constructive things to do?  I don’t think kids see that much soap opera.

Webroot has a complete channel on YouTube to illustrate issues from its Threat Blog, including mobile issues.  

Wednesday, May 08, 2013

WTOP, Federal News Radio hacked with Trojan that might infect some visitors using Internet Explorer; both sites offer press releases; detailed investigation ongoing

The Washington Post is reporting that two mainstream news sites, WTOP and Federal News Radio, were hacked recently. Some users using some versions of Internet Explorer (probably older unpatched versions) may have been infected by visiting the sites earlier this week.
The infections would have included pop-ups that offer “fake anti-virus software” and a botnet program that tries to commandeer PC’s to simulate clicks on ad networks.
The Washington Post story by Hayley Tsukayama appears on p. A11, link here.
As of early Wednesday afternoon, both sites were blocking access through Internet Explorer.  Both sites say that access through other browsers is OK.  It is unclear if the latest IE version with the latest security patches would be immune, or if Microsoft plans more security patches soon (which seems likely, meaning users should be using automated update). 
WTOP has an explanation (recommend Chrome or Firefox or Safari) here

Federal News Radio has its press release here. Again, the site right now isn't accessible through IE.
Sophos (the anti-virus partner for Webroot) has an explanation of the Trojan called “Troj-FakeAV-GOJ” here
The site Invincea plans a webinar and announcement about “watering hole attacks” here.  There are more reports that the attack involved Java and Adobe vulnerabilities as well as Microsoft.
The John Dvorak blog site is mentioned as affected, and McAfee SiteAdvisor has it marked red.  However, John C. Dvorak has a detailed discussion in PC Mag that is more technical than I can follow in detail right now, but here it is.  He thinks that the “Don’t Be Evil” company has blacklisted it; May 6 article here.

A few years ago, I received comments on blogs that offered fake software.  I do not get these anymore since they get automatically marked as spam, but I also moderate comments now.  On two or three occasions around 2008 or so, my older Dell 8300 desktop offered the fake anti-virus software on one or two sites, even in Chrome.  This probably caused infection.  But the hard drive for that computer failed and had to be replaced at the end of 2009.  (I have never tried to purchase fake software, but the mere execution of the pop-up block probably installs the trojan.)

It was not yet clear how far law enforcement, particularly the FBI, has delved into this, or what kind of prosecution would be likely.

Watch for CERT at Carnegie Mellon in Pittsburgh to make an announcement on this IE/Oracle/Adobe vulnerability, to determine if it is fully patched.

Tuesday, May 07, 2013

Websites create honeypot accounts and multiple pw's to bemuse hackers

Dan Goodin, of Ars Technica, is reporting on a new proposal for how websites storing user passwords can increase security.  This would apply to both social media and financial institutions.  The link is here
The idea is twofold.  One is to create dummy “honeypot” users to attract and trap hackers.  The other is to store more than one password on a user’s account.  A hacker would not know which password could actually open an account even if he cracked one of them.

This might be more important for mobile devices.  When they are stolen, the thief would often have access to all accounts in use on the smartphone.  As noted, mobile banking and social networking limits the effectiveness of 2-step verification so useful with laptops and regular (especially work) computers. 
Banks could also improve security by limiting the size of possible withdrawals on any debit card within any 24-hour period.  
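Both halves of the proposal above, decoy accounts and several stored passwords per user, can be shown working together. This is an added example, not code from the Ars Technica article or any site; it assumes a two-component design in which the site's credential store holds several salted hashes per user (one real, the rest decoys) while a separate, much smaller "honeychecker" service holds only the index of the real one. A stolen credential database then does not reveal which hash matters, and a login with a cracked decoy is the signal that the database has leaked.

```python
"""Decoy passwords and honeypot accounts for a credential store.

Added example.  The CredentialStore stands for the website's password
database; the HoneyChecker stands for a separate service that knows only
which of each user's hashes is real.  All names and sample passwords are
constructed for illustration.
"""
import hashlib
import hmac
import random
import secrets

PBKDF2_ROUNDS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def sweeten(password: str, count: int, rng=None) -> list:
    """Make `count` decoys that resemble the real password (digit suffix swapped)."""
    rng = rng or random.SystemRandom()
    stem = password.rstrip("0123456789") or password
    decoys = set()
    while len(decoys) < count:
        cand = stem + str(rng.randint(10, 99))
        if cand != password:
            decoys.add(cand)
    return sorted(decoys)


class HoneyChecker:
    """Separate service: stores only user -> index of the real hash."""

    def __init__(self):
        self._index = {}
        self.alarms = []          # what an operator would page on

    def register(self, user: str, real_index: int) -> None:
        self._index[user] = real_index

    def check(self, user: str, index: int) -> bool:
        if self._index.get(user) == index:
            return True
        self.alarms.append(f"decoy password used for {user} (index {index})")
        return False


class CredentialStore:
    def __init__(self, checker: HoneyChecker):
        self.checker = checker
        self.users = {}
        self.honeypots = set()    # accounts nobody legitimately logs into

    def register(self, user, password, decoys, honeypot=False, rng=None):
        rng = rng or random.SystemRandom()
        salt = secrets.token_bytes(16)
        sweetwords = list(decoys) + [password]
        rng.shuffle(sweetwords)   # the real one sits at a random position
        self.users[user] = {"salt": salt,
                            "hashes": [_hash(w, salt) for w in sweetwords]}
        self.checker.register(user, sweetwords.index(password))
        if honeypot:
            self.honeypots.add(user)

    def login(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        candidate = _hash(password, rec["salt"])
        match = None
        for i, stored in enumerate(rec["hashes"]):
            if hmac.compare_digest(stored, candidate):
                match = i
                break
        if match is None:
            return False          # ordinary wrong password
        if user in self.honeypots:
            # Any correct password for a decoy account means the hash
            # database was stolen and cracked; never let the login succeed.
            self.checker.alarms.append(f"honeypot account {user} logged in")
            return False
        return self.checker.check(user, match)


if __name__ == "__main__":
    checker = HoneyChecker()
    store = CredentialStore(checker)
    store.register("bob", "hunter42", sweeten("hunter42", 4))
    store.register("backup_admin", "Backup2013", sweeten("Backup2013", 2),
                   honeypot=True)
    print("real login:", store.login("bob", "hunter42"))
    print("honeypot login:", store.login("backup_admin", "Backup2013"))
    print("alarms:", checker.alarms)
```

The split matters: if the honeychecker's one-integer-per-user table lives on the same box as the password hashes, an attacker who takes the database also learns which hash to crack, and the scheme degrades to ordinary salted hashing.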

Friday, May 03, 2013

Do you need to keep your cell phone signed out of social media and your Google account when out on the street or subway?

The other day, I tried to install a taxicab company app on my Droid smartphone, and it made me sign on to Google first.  I hadn’t been using the Google account or social media accounts on the Droid.

A security issue comes up.  If you leave yourself signed-on and use Google’s 2-step verification and you get mugged, or your cell phone is “snatched” in public -- a big problem these days -- couldn’t the thief get to your Google account anyway?  After all, the verification code gets sent to the same phone (you just switch to read text) or you can use the verification app.

Is it safer to keep your phone NOT signed on to any social media or to Google and to memorize all the passwords (strong) and use them when necessary?

It would seem so to me. Same would be true of financial sites, especially if they adopt 2-step sign-on. 

The most dangerous areas seem to be subways (Washington DC has more problems than New York City) and some street areas.  The DC area seems to have unusually severe problems with cell phone thefts.  There is a related post on the “Network Neutrality” blog yesterday.
I’ve been amazed at how good teenagers and young adults are at using smartphones and keying in text messages, even on dance floors.

Wednesday, May 01, 2013

Can circumventing an IP-address block be a crime under CFAA?

In an EFF article about Craigslist, linked this morning on my main (“BillBoushka”) blog, there was some discussion of IP address blocking.
Websites sometimes do block traffic coming from specific IP addresses or ranges, mainly to ward off spam or DDOS attacks.
EFF takes up the question as to whether it could be a crime for a blocked address to access the site from another address. Apparently, Craigslist had tried to maintain that doing so could be a criminal violation of the Computer Fraud and Abuse Act (CFAA).  But, in the wake of the Aaron Swartz tragedy, a lot of attention is being paid to ensuring that violations of a site's Terms of Service do not rise to the level of criminal complaints.
The possibility could exist that a particular party blocks another one because of a personal issue, or perhaps by suspicion of overuse, obsession, stalking and the like.  This can be done on Apache and other servers (by manipulating ".htaccess").  It might be done to prevent “vandalism”.  But it would not be illegal for the same party to use a different IP (like a different mobile device), an Internet café, a hotel, etc.
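What an address block actually tests is worth seeing in code. The following is an added example, not from the EFF article or from Apache; it models the address-matching that an `.htaccess` deny rule performs, using Python's standard `ipaddress` module, over a constructed block list drawn from the documentation address ranges. The point it makes is the one above: the rule matches the address a request arrives from, not the person behind it, which is why a blocked party on a different network simply is not matched.

```python
"""Address-based blocking, as an .htaccess deny rule does it, modelled in Python.

Added example.  SAMPLE_BLOCKLIST is constructed from RFC 5737 / RFC 3849
documentation ranges; the 'Deny from'-style format is assumed for the
illustration.
"""
import ipaddress
from typing import Iterable, List


def parse_blocklist(lines: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Accept one entry per line: a single IP or a CIDR range; '#' starts a comment."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        # strict=False lets '203.0.113.9/24' stand for the whole /24
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_blocked(client_ip: str, nets) -> bool:
    """True if the connecting address falls inside any listed network.

    ipaddress never matches an IPv4 address against an IPv6 network (or the
    reverse), so mixed lists are safe.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def decide(client_ip: str, nets) -> str:
    """The response an Apache deny rule would produce for this address."""
    return "403 Forbidden" if is_blocked(client_ip, nets) else "200 OK"


SAMPLE_BLOCKLIST = """
# constructed entries using documentation ranges
198.51.100.23          # one address
203.0.113.0/24         # a whole range
2001:db8:abcd::/48     # an IPv6 range
"""

if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST.splitlines())
    for ip in ("198.51.100.23", "198.51.100.24", "203.0.113.200",
               "2001:db8:abcd:1::5", "192.0.2.1"):
        print(f"{ip:20} -> {decide(ip, nets)}")
```

Nothing in `is_blocked` knows who is asking; the same visitor from a phone, a cafe or a hotel presents an address the list never mentions and gets `200 OK`, which is exactly why such a list is a nuisance filter against spam and floods and not an access control on a person.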