Monday, September 23, 2013

A few security companies report grave variation of ransomware trojan that actually puts "illegal content" on users' computers, possibly legally compromising them

Webroot is advising users that there is now a ransomware Trojan that not only demands payment for a supposed child pornography infection, but actually moves the illegal content to your computer and displays it.  A YouTube video in a “VlogThreat” blog entry at Webroot’s site by Marcus Moreno and Richard Melick explains how the “shakedown” works here.


The link for the Webroot entry is here.
  
There are a few other stories on the web about this. For example Avira has a report dated in May 2013 here
  
A company called Hitman Security has another report from May, 2013, here.  The Trojan, called a “BKA Trojan” apparently was widely reported in Germany. 
  
I have not seen a lot of discussion of this problem yet among other major anti-virus vendors.  
  
Generally, these sites are saying that the problem is difficult to fix at home with a virus scanner, even in safe mode, and require a technician to fix.  But there seems to be a Catch-22 in this.  In many states, technicians are required to report CP infected computers, and most stores (like Best Buy Geek Squad) report them as policy.  Most states (like the U.S. at a federal level) have laws that make it a crime to “knowingly” possess or view an illegal image, so the first time, accidental view would not itself be a crime.  But a few years ago, some journalists were writing that possession in some states could be an “absolute liability” offense, suggesting that someone whose computer who got infected was in, a legal sense, an accomplice, at least through negligence.   I don’t know if that’s true now.  
  
I see that I posed this question with a July 23 posting on this blog, and noted that Florida law apparently requires consumers to contact police themselves if this happens and then seems to give them an affirmative defense.   Florida’s link is there.  But conceivably, a consumer could be required to destroy the computer in some states.  Possibly even his own cloud accounts and social media could be destroyed out of a legal requirement for caution, as well as his own work. This needs more legal attention, and unfortunately, some politicians, in the guise of protecting children, may not be sympathetic to consumers caught in the middle. 
   
The FBI does not seem to have specific information on this problem yet.  The best that I could find is here.
  

This issue does need immediate attention from state attorneys general.  Unfortunately, their behavior on the Section 230 issue doesn’t bode well.  

Friday, September 13, 2013

Webroot blocks a high profile Hollywood media site -- why?

A little strange glitch today.  I tied to go to a site called Nylon Magaznie.  Internet Explorer 10 (windows 8) told me it couldn’t display the page because of a programming error.  I’ve never seen that before.  I went to the main site, but Webroot said it was blocked for possible malicious content, although it did display most of the page.  But McAfee site advisor showed the site (in Firefox) as OK.
  
Webroot Secure Anywhere rarely tells me that it has to block a site, at least from a more or less mainstream media company. 
  

Maybe this is just a matter “unsafe code” (running out of memory) in java or C#.  

Wednesday, September 11, 2013

Microsoft Action center warns on manufacturer startup items, like Toshiba flash cards; they use resources and might be emulated by malware

The Microsoft Windows 8 Action Center this morning warned me of three items that take more time in Startup and could reduce battery life, or possibly introduce security issues.  One was Logitech, my keyboard and mouse.  The other was  Tcrd Main, which is Toshiba’s own Flash Card app.  An advisory warns that is possible for Trojans to mimic legitimate Toshiba Satellite software, on this link
  
The Toshiba Flash Cards utility replaces the conventional Microsoft Hot keys. 
  
I am not a fan of manufacturer-supplied operating system enhancement, because it requires additional updating from the manufacturer, and could complicate Windows security updates.
  
Recently Toshiba did two major security updates of its own, including one to the video player, and they took longer than most Microsoft updates do.  


Webroot Secure Anywhere does not flag this tcrdmain.exe as suspicious.  

Friday, September 06, 2013

NSA has developed ways to get around almost any corporate or user encryption systems

The New York Times is reporting Friday morning that the NSA, working in conjunction with the British counterpart the GCHQ, has undermined “basic safeguards of privacy on (the) Web”, in a story by Nicole Periroth, Jeff Larson, and Scott Shane.  The print subheadline is “Supercomputers and guile subvert much encryption, documents reveal”, link here (paywall applies).  
  
The New York Times also says that it (along with ProPublica) was asked not to publish this story.  I’ve tweeted this fact, and I’m surprised I don’t see more about this from parties whom I follow yet, but I think I soon will. ProPublica gives its rationale for publishing here, and mentions "Minority Report" rationale where it imagines some day that the government could read people's minds or dreams or telepathic communications ("Dreamscape" or "Inception").  
   
The articles give long detailed technical discussions with illustrations of how the NSA “methods” (a java pun) work. 
    
Could the NSA (or FBI, etc) have read the “diary” on my own PC, where I log my dreams and fantasies, which I never post anywhere?  Probably.  I don’t think they would find it particularly interesting.  But there’s a hidden danger.  If someone ever tried to frame me for a crime, then the government’s ability to see such data could complicate matters.  More likely, it could spy on backup copies of the diary in the cloud (Carbonite).  No, I don’t think this has happened.  But you can see how it just might.
    

I see a more subtle danger with this.  If the NSA can ultimately undermine the security of the most restricted communications, such as those that run a nuclear power plant, then enemies of the US and the West or of specific entities in the West might be able to figure out how to do so.  That makes a scenario of a novel like Byron Dorgan’s “Gridlock” (reviewed on my Books blog yesterday) more plausible than I would normally think it could be.  It could also mean that it could be very difficult for a small business or person or organization to protect itself against a very determined attacker.  

Wednesday, September 04, 2013

Phishing pretending to be from Apple is more convincing than most

Although spam threatening account suspensions is very common (particularly pretending to be AOL), there is a spam entry claiming to be from "helpdesk @ apple.com" saying that your Apple account will be suspended unless you click and apply the update.

AOL marked one of these messages as spam but not the second.

Most phishing emails don't really spoof the sender (you can see a different address by moving the cursor over it; it's often in China).  But this one actually has managed to make AOL think it really came from Apple.  I'm not sure how it did that.

So don't fall for this one, either. This is not "free phish" (or "free fish").  

Monday, September 02, 2013

Past is prologue: September is a month to be very careful; were some of us warned before 9/11 by a phishing email Labor Day weekend 2001?

In September 2001, during my last four months at ING-ReliaStar in Minneapolis, there were a few little incidents that sound today oddly prescient of today’s warnings about cybewarfare and even power grid security.

September 1, 2001 was a sunny Saturday, and I had just moved into a larger unit in a convenient modern downtown highrise apartment building, the Churchill.   I guess this started a sequence that confirms the adage, “You never know what is going to happen in the future.”  I went up to Duluth and then onto Thunder Bay, Ontario, for the Labor Day weekend.  On Saturday night, I wasn’t able to get AOL up on my laptop in the motel with its connection.  Sunday night, in Thunder Bay, I did, although AOL charged something like $1.95 or an out-of-country connection session.  I recall an odd email with attachment with a subject line including the characters “911” in it.   It had come in during the middle of the day Saturday.   I figured it was spam and would deliver a virus and simply deleted or marked it as spam and never looked at it.  A few friends reported getting a similar email.  I wonder what I would have “known” had I read it.
  
On Tuesday, September 4, during lunch at work, I walked over to a Walgreens downtown (Minneapolis) and happened to see a “Popular Science” magazine with a flashy cover communicating the idea that terrorists could destroy the power grid and all personal electronic with nearby EMP explosions.  I’ve discussed that particularly on the Books blog (April 13, 2013 and July 20, 2012).  That possibility actually inspires a scene in the film “Oceans 11”, which I would see on December 7, the last film I would see before learning of my layoff.  Again, others in the office saw the Popular Science story, one techie in particular (he alone had a server under his desk in his cubicle).
  
On Thursday, September 6, the company was hit with the worst virus attack ever, from a critter called the “Magister” virus.  It could steal clients’ personal information.  Tech support went through the entire company and had to clean about a quarter of the desktop computers.  Mine was not infected, but the woman whom I worked with “fixing bugs” was, and she had a day without access to her own desktop. They said, “this is the real thing”.  They got everything cleaned up by Sunday, September 9.
Some of this is more a story for the “IT Jobs” blog, but Monday night, September 10, I saw the only “water volleyball” game in the 33rd floor pool of the apartment building, with the glitter of downtown Minneapolis at night just outside.  It’s quite spectacular.  Tuesday morning, I did not find out about the 9/11 attacks until a woman came to my cubicle about 8:25 AM CDT just as I had closed a couple of production support tickets for user problems.
  
We actually went on a “team building” event, a cruise on the St. Croix river, 30 miles away that day.  
   
We didn’t hear any of the horrible unfolding news until we got back about 4:30 PM. 
Two weeks later there was another virus incident, but much less widespread.  But the quirky circumstances were such that I feared my own home computing environment, from which I maintained my own websites supporting my books, could be compromised.  I spent some time talking to the “server” guy (who had seen the PS report and gotten the same bizarre 911 email earlier in the month) about it.
  
The next morning I looked at my personal appointment calendar, and saw that I had a scheduled meeting with my project leader and his manager, to “discuss issues”.  I quickly found out that they were concerned that  I had taken another team’s concern when the intricacies of this second “virus attack” weren’t my business.   I can certainly believe they were wrong.  This was, of course, during those crazy weeks right after 9/11 in which nobody knew what to expect.  The news media contained speculation that ordinary computer users or “newbie” websites would be contaminated with “steganography” planted by terrorists.  Web use could become much more regulated.  As for work,  I expected layoffs and a downturn later, and suddenly I felt it might personally be for the best.  That would come in December, and maybe it was the best thing for me, given the huge severance.
  
What to take away from all this?  Seemingly unrelated, random events seem to occur, and then you find out they weren’t quite so random after all.  This is a time for everyone to be very careful, and, yes, perhaps that starts with the president.