Tuesday, December 31, 2013

NSA can target individual computers with malware with TAO Program (report from German magazine)

The NSA can hack personal or business computers before they are delivered to customers, or sometimes when customers get operating system errors (particularly from Microsoft), which might be intentional. 
There was a report to this effect in the German magazine Speigel, for example here
The NSA has a “Tailored Access Program” or TAO, to hack specific targets, exploiting known operating system or browser vulnerabilities or cookies. 
It would appear that these efforts have been made only against Americans with certain kinds of overseas connections.  But the government has long feared that “steganography” could place hidden instructions for attacks on innocuous websites, including those run by amateurs.  This danger was widely discussed right after 9/11.
Despite the tremendous automation of snooping by the NSA, the compartmentalization of information (within the CIA, Pentagon, all sorts of agencies) probably still hinders the communication of "street level" observations that even amateur bloggers who "connect the dots" (like the character Jimmy in Smallville) by hand. 

In some cases TAO has taken some visitors to fake Facebook or LinkedIn pages in order to intercept “whitelisted” postings intended only for “Friends”.   I don’t think this is likely to involve many “average” Americans.  But social media sometimes has hidden clues to security-associated crimes and possible terror plans.  There was at least one murder of a security employee in 2008 where threats against her could be found on Myspace and in spam blogs.  It’s unclear how much information police got out of social media at the time, some related info here

Saturday, December 28, 2013

"Kill switch" for smart phones could provide massive consumer target for hackers, terrorists

I thought I would pass along an “opposing viewpoint” from USA Today on Friday, December 27, to the idea of a smart phone kill switch.
The counter-opinion warns that a kill-switch system could itself fall to hackers, or possibly terrorists or enemy rogue states, or even to our own government if it really got out of hand.  Millions of cell phones could suddenly be made inoperable in a geographical area by some sort of attack, rather like a “Son of EMP”. 
The link to the counter opinion is here which in turn links to USA Today/Gannett’s opinion, which really doesn’t address the terrorist risk. So the smart phone "kill switch" may go the way of the "Kill Bill" movies.  . 

Friday, December 27, 2013

Webroot URL classification downgrades many "reputable" smaller sites to orange

I have noticed that the Webroot URL Classification displayed by Firefox on search engine results often rates many sites that appear reputable as “orange” (caution) with a “confidence” of “0” and a score of “40”.  Some of these sites it will warn as more likely than normal to have malware if you go to them, but not all. 

The sites are often smaller sites of individuals or smaller organizations or political action groups. 

My own “billboushka.com”, on a Unix server, which supplements “doaskdotell.com”, on a Windows server, gets an orange (the “doaskdotell” gets a green and a check).  I don’t know what Webroot finds wrong.  But I do have Wordpress, in an older version, with a login screen that I think might benefit from more security.  I also have MySQL, were I have played with my “opposing viewpoints” idea (IT blog, Sept. 11, 2012), which I don’t attend to very often.  Maybe that is seen as a weakness (for injection attaks?)   My “doaskdotell” is misclassified as “real estate” it sells political commentary and books (mostly through third parties). 
Webroot explains its Classification intelligence system here.  It describes it as a “Content Classification Service” under “Webroot Security Intelligence Solutions”. 
The orange dot will give a complete score to a mouse browse-over, but not a complete report.  McAfee will give a complete report on SiteAdvisor, as will MyWOT.  I have found that MyWOT tends to downgrade “child safety” scores on blogs or sites that have subscription advertising or that have many embedded videos.  They may be saying that sites that allow third parties to display content are inherently riskier, at least for minors.
Some sites get downgraded (especially by McAfee) for bigoted or hateful content, even if there is no technical risk of malware.  And some get downgraded by all services if they have a poor business reputation according to media intelligence.

Webroot rates "healthcare.gov" as orange with a score of 40 because of technical instability and security flaws.  It rates the DC Health Exchange as Yellow with a score of 50 because of potential security holes.   

Target still has a green rating from Webroot despite the recent massive breach.  But the site itself did not have a breach; the machines in the stores did.  

Update: (Later Friday)

Now "billboushka.com" has gone to green with a score of 92 (after I contacted Webroot on Twitter), and many other smaller sites that I follow have gone to green at the same time.  

Thursday, December 26, 2013

Phishing scams try to do service of process or demand court appearances

Here's another phishing danger: emails claiming service of process, or saying that you must make a court appearance.  Process service can be done by mail, or can be left in person by an adult household member in most states (or at apartment complexes or mailbox stores), but it is not done by email.  
The scams I see by email, trying to collect bills for credit cards I don't have or payments for cars I don't own, are just getting plain obvious.
It's not that easy to copy me.  

Monday, December 23, 2013

AC360, Webroot cover the baldface hosting of criminal hacking activities after Target attack

CNN, on the AC360 show this evening, described the extent to which amateurs can learn to hack from the Internet, and the plethora of sites hosting criminal activity. There’s no link for this latest story yet, and this is no place to replicate where all the advice is, but Webroot has been following this development, as in this Threat Blog story here.  The discussion came out of the Target hack. 
With all this employable technical skill, why to people need to turn to crime?
In February, NBC experienced a hack in which a ‘drive by” user could get infected merely by surfing if he or she had not updated browsers and operating systems (Microsoft) with the very latest patches, here. http://money.cnn.com/2013/02/22/technology/security/nbc-com-hacked-malware.

Update: Dec. 24

ABC discussed Brian Krebs's investigation of "card dump" websites that sell stolen information, many of them hosted in the Ukraine.  Krebs also now reports that criminals are posing as Target and sending phishing emails.  

Saturday, December 21, 2013

Amazon apparently the subject of a phishing scam

I don’t know whether this has any relation to the Target leak, but Friday afternoon I received an email in my AOL inbox purporting to be from Amazon, with details about an order Dec. 9 in an attachment, which was a zip file.
I examined the email on an old computer that I do not use for any other purposes now.  The sender address, when looked at by passing the cursor, really did appear to come from Amazon.  I went to my Amazon account and found the date of my most recent order to be Dec. 8.
I forwarded the email to “stop-spoofing” at amazon, and got back a response that “in all likelihood, this email did not come from us”.

Most phishing attacks show a real sender available to the mouse cursor.  This one did not.  It still pointed to Amazon. 
I also got a phishing email from a business associate of the eldercare lawyer I had worked with a few years go.  It asked for a loan for a kidney transplant.  This was an obvious "emergency scam" and it showed a sender email address of a different email under the cover.  But this is the first time I have seen law firms targeted to be made to look like the sender in a phishing attack.  
Any explanations?

I also get phishing emails for credit cards I don't have, with attachments -- a bad sign?

Friday, December 20, 2013

Target security lapse already affecting some consumers who had used debit cards with pins

There are already some reports of consumers finding bank account withdrawals when they had used debit cards at a Target store since Nov. 27.  So it appears that the heist might have compromised pin codes.  There was a report of a woman in Washington DC with checks bouncing already.

I used my Target Visa once early this month and did not see any irregularities on my Target or any other credit card or bank statements. 

However, if consumers are already reporting pilferage, the possibilities for massive withdrawals or invalid charges seems enormous.

All indications suggest that the Target incident occur inside its data center. 
There are various IT procedures which are supposed to guarantee integrity of elevation procedures within an IT shop.  I’ve discussed them on my IT Jobs blog and will go into more detail soon on some particular issues I am aware of in mainframe environments.  It’s possible that this heist is based on a very old vulnerability.  

Update:  later

Target says that it has no evidence that debit card pins were compromised.

Update: Dec. 21

The Washington Post reports that its former security columnist Brian Krebs actually broke the Target story on his security blog, and his latest report is here.  Target is offering discounts and some free credit monitoring and still denies that debit card pins were compromised.

Debit cards can often be used as credit cards without pins, and the charges are easier to reverse when fraudiulent.  This happened to me once in March 2013.

Update: Dec. 28

Target is admitting that debit card pins were taken, but not the encryption keys with them, that are outside the company.  However consumers with easily guessed pins (like "1234") could certainly be at risk. 

Thursday, December 19, 2013

Apple Macbooks not necessarily safer than PC's from webcam spying through "RAT".

Although conventional wisdom regards MacIntosh as safer than Windows, that may not be the case with webcam camera snooping.  Timothy B. Lee and Ashkan Soltani have a story Thursday morning in the Switch Blog of the Washington Post, “Your laptop: Is somebody watching without your knowing?” on the front page, titled “Research shows how MacBook webcams can spy on their users without warning”, link here.  There is a light which is supposed to come on if the webcam camera is in use, but hackers have found a way around letting it come on, by programming on several different chips. 
The case in point regarded a high school student arrested and prosecuted for extortion after capturing pictures of various women and sending them threatening emails. 
The article discusses the RAT, or “Remote Administrator Tool”. 
The simplest way to stay off camera may be to tape something opaque in front of the camera peephole at the top of the laptop.

I've used the webacma on my Macbook once to make a trial iMovie, but I'll be getting back to this soon. 

The Post is also reporting that hackers gained access to employee passwords (apparently, again).  

Wednesday, December 18, 2013

Unused or unfamiliar shared hosting capacities could present a security trap for webmasters

Here’s another word to the wise, for webmasters who may use a variety of hosting companies and arrangements. 
Some hosting companies, including shared hosting, will offer a wide variety of services, such as a large number of potential email addresses, or blogging platforms or MySQL facilities.  It’s possible that a webmaster who simply wants to self-publish won’t learn how to use these, and that they could become vulnerable to hackers, who conceivably could hijack some unused features of a domain for illegal purposes.  The webmaster will be unaware because what he or she uses still works normally. It’s possible that he finds out from the proverbial police knock on the door in the middle of the night.  In practice, self-defense might not be easy.
I see that this issue was discussed on Dec. 11 here, after a Webroot Threat Blog post.  

It’s important to pick webhosts who are proficient in the technologies offered.  For example, I’ve noticed that one host offers only “admin” as a username for a Wordpress logon, and that doesn’t sound like a good idea for security.  It’s a good idea to pay attention to using longer and more complex passwords.  Hosting companies should probably start consider offering two-step logons, even though they may not seem as attractive as do Google or Yahoo accounts.  

It's possible that Section 230 immunity might protect amateur webamsters from some downstream liability for unknown misuse of their domains by hackers.  That sounds like a good question.  When does the possibility of attracting trouble make a domain a potential "nuisance"?  I've wondered that. So far, policy has stayed away from this view, of holding people responsible for what others could be tempted to do.  But public pressure from many parents, especially, can change that. 
Blogs on shared hosts often do attract a lot of spam comments, although most of it is silly and harmless (a lot of it is in Chinese).  Always turn comment moderation on, and bulk moderate as necessary. 

Thursday, December 12, 2013

Shodan search engine said to pose a threat to infrastructure, home security

CNN Money has a detailed story about “Shodan, the scariest search engine on the Internet”, by David Goldman, here.  
The site, link here, has a broadcast headline, “Expose online devices: webcams, routers, power plants, iPhones, wind turbines refrigerators, vioP pones”.  That could be a home router, perhaps, or maybe smart thermostat or security system controls.  It could be any critical infrastructure component carelessly left connected to the Internet.
CNN Money also has an illustrated story, “The Hackable House. “ Maybe we should go easy on putting everything in the home under smart controls.  How safe will Xfinity or ADT smart home security really be from hackers?  

Wednesday, December 11, 2013

Shared hosting services now get spoofed in dangerous phishing attacks at webmasters

Recently, I’ve noticed phishing emails that appear to simulate the recipient’s web hosting service, warning of “security updates” and lockouts.  This seems more insidious that the obvious imitations of AOL, because most shared hosting providers are not as well known as everyday trademarked brand names, but criminals are still trying to mine them.

Once the criminal has the webmsaster’s logon credentials, he could send illegal content from the domain, very dangerous legally indeed for the website owner.  In April 2002, I had experienced a hack on an older Unix setting of one of my sites when the "Site command" was left open by the service provider. 

Wednesday, December 04, 2013

Trustwave reports massive password heist affecting at least 2 million users worldwide, and many popular sites

CNN Money is reporting a massive password heist of over 2 million user-pw combos from a large number of visible sites, including Facebook (the most affected), Twitter, LinkedIn, Google, Yahoo!, and payroll processor ADP.  Facebook and Twitter, at least, notified affected users (as far as they knew) to change the pw’s. The breach was discovered by Trustwave and seems to have originated from some servers overseas with a particular Trojan, with the botnets managed from servers in the Netherlands (as apparently identified by law enforcement now) and probably Russia and various other countries.  It’s not clear that much (or even any) harm has really occurred, but it’s clear that payrolls could be compromised, or illegal content could be distributed in a hacked user’s name.
Webroot has a discussion of the issue here
CNN has a full story here and reports that Trustwave discovered the hack on Sunday Nov. 24, 2013. 
Trustwave published its findings on December 3 and they are quite detailed, with analysis according to password strength, here.
On a few occasions, when I’m on Blogger, Google has said that an account is logged on elsewhere.
The message quickly disappears.  I have changed passwords in response, and I have two-step logon.  That does not affect this problem.  It appears that it may be related to Windows 8 caching and not actually be a security problem.  It has happened when the server connection was weaker and sometimes generating other errors, which go away in time when connectivity improves.
I think that other services should provide two-step logon, but I do wonder how this affects cell phone security.  What happens if your cell phone is stolen in a street or subway robbery?