Saturday, December 27, 2014

Will Wordpress soon enforce https for content? Also, ransomware masquerading as emails from FedEx

Electronic Frontier Foundation has a summary of the initiative for worldwide encryption of all web traffic, article here by Bill Budington, link

Of particular interest is an announcement by Automattic that it would be serving all pages over https for its Wordpress.com subdomains by the end of 2014 (or is that 2015?).

I have not seen this happen yet on either of my two Bluehost domains, and I haven’t gotten any emails or notifications about it or seen it on the dashboard.  I’ve tried them with https and get an invalid security certificate.

Should ordinary web content, not requiring logon and not involving collecting data of users, be encrypted?  Maybe, especially if you have a lot of visits from authoritarian countries (and it seems like I do).  Even read-only pages benefit: TLS keeps a network observer from seeing which pages a visitor reads, and keeps an intermediary from altering or injecting content into them.
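An added example (not from the original post or from Automattic) of why a blog on a shared host can still show an invalid certificate after the provider turns on https: a certificate is only valid for the names listed in it, and a wildcard such as *.wordpress.com covers myblog.wordpress.com but not a custom domain pointed at the same server. The matching rules below follow RFC 6125; the SAN list and hostnames are constructed, and fetch_san_dns_names is a helper for inspecting a live server that needs network access and is not exercised here.

```python
import socket
import ssl


def hostname_matches(pattern, hostname):
    """RFC 6125-style check of one certificate DNS name against a hostname.

    Exact match (case-insensitive), or a wildcard that replaces the whole
    leftmost label only: "*.wordpress.com" covers "myblog.wordpress.com" but
    not "myblog.com" and not "a.b.wordpress.com"; "*.com" is never accepted.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial ("f*.example.com") or multiple wildcards are rejected
    if len(p_labels) < 3:
        return False  # refuse to match a bare public suffix such as *.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(san_dns_names, hostname):
    """True if any DNS entry in the certificate's Subject Alternative Name covers the host."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def fetch_san_dns_names(host, port=443, timeout=5.0):
    """Fetch the DNS names from the certificate a live server presents for `host`.

    Chain verification stays on; hostname verification is turned off so that a
    valid certificate issued for a *different* name (the shared-hosting case)
    can be inspected instead of aborting the handshake. Needs network access.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def explain(host, san_dns_names):
    """One-line verdict a site owner can read."""
    if cert_covers(san_dns_names, host):
        return f"{host}: certificate covers this name"
    return f"{host}: certificate is for {', '.join(san_dns_names)}; browsers will reject it"


if __name__ == "__main__":
    # Constructed SAN list standing in for a wildcard certificate; not a real fetch.
    wildcard_cert = ["*.wordpress.com", "wordpress.com"]
    print(explain("myblog.wordpress.com", wildcard_cert))
    print(explain("myblog-custom-domain.com", wildcard_cert))
```

If the custom domain is yours, the fix is a certificate that lists that name, not a browser exception: the warning is the browser doing its job.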

In another warning (from AOL), there is a phishing campaign of emails designed to look like FedEx shipment notices (probably UPS, too).  If you click on the link, your computer freezes and you’re greeted with ransomware.

Indeed, a properly working anti-virus program should warn you not to go to the site, or stop any such script from running.  But why hasn’t Microsoft fixed any vulnerability that allows such a website to upload and execute such a script at all?  This shouldn’t be possible. 
Maybe CERT will have an advisory soon.  Sounds like we need another W7 or W8 update right away.   

Saturday, December 20, 2014

US CERT releases technical details of "SMB Worm" used in attack on Sony; more on cell phone vulnerabilities

US-CERT (part of the DHS NCCIC) has issued a detailed technical description, Alert TA14-353A, "Targeted Destructive Malware", which discusses the “SMB Worm Tool”, link here.  This is the package that was reportedly used by “Bureau 121” of North Korea in its attack on Sony.
Webroot, and other security companies, have written that it’s relatively easy for criminals overseas to sell these tools on the “dark web” in the black market.  Tools like this could be deployed against utilities, financial institutions, Internet providers, and the like; so all of these companies need to be particularly vigilant against these kinds of attacks and configure their systems to make them less likely.
Small business users can make themselves more resilient by keeping physical backups offline and by keeping some computers off of networks.  The tool described in the alert targets Windows, so MacOS and Linux systems are not exposed to it, at least for now.  Maybe there is more of a case for generalized use of Mac in business. 
In another development, Craig Timberg, on the Switch blog of the Washington Post, reports that German security researchers have found flaws in the SS7 signaling network used by carriers that let anyone listen in on your cell calls, link here

Update: Dec. 21

Michael Hiltzik of the Los Angeles Times gives a lot of detail as to why the FBI's conclusion that North Korea started the attack is questionable, and why Sony's problems may be more serious than at other companies, here. 

Friday, December 19, 2014

ICANN apparently hacked, but apparently no harm to ordinary domain owners; check your WHOIS

ICANN, the Internet Corporation for Assigned Names and Numbers, announced Tuesday, December 16, 2014, that it had been hacked, according to a story in Slate by Lily Hay Newman here.

Apparently the intrusion began with an old-fashioned “spear phishing” attack by email against ICANN staff.
The Centralized Zone Data System (CZDS) was among the systems reached; ICANN said the stored account passwords were salted hashes, and it deactivated them anyway.  It seems unlikely that the hack exposes any ordinary webmasters to risk of redirection.  Nevertheless, webmasters should remain alert, check all their domains, and particularly review their WHOIS information (even if privately registered) once a month.  ICANN requires registrars to send domain owners a yearly reminder to review the information, but checking more often is wise.
Webmasters may find that some domains (like Wordpress blogs) are hosted on shared IP addresses.  This is OK. 
The ultimate nightmare could be something like finding your domain name redirected to a porn site.
This reminds me of a problem in 2008 where Microsoft held an emergency security summit after Finnish security researchers found a serious security hole in the domain system (ID theft blog, Aug. 9, 2008). 
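To make the monthly WHOIS review above a check rather than a glance, here is an added example (not part of the original post) that parses a WHOIS record and compares it with a baseline recorded at the last review. Both WHOIS records and the baseline are constructed; the domain, registrar, name servers and addresses are placeholders. A registrar or name-server change you did not make is the precursor of the redirection scenario described above.

```python
import re
from datetime import datetime, timezone

# Constructed baseline, recorded at the last review; not a real registration.
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "name_servers": {"ns1.example-host.net", "ns2.example-host.net"},
    "registrant_email": "owner@example-blog.com",
    "last_reviewed": datetime(2014, 11, 15, tzinfo=timezone.utc),
}

# Constructed WHOIS output in the common "Key: Value" layout.
CLEAN_RECORD = """\
Domain Name: EXAMPLE-BLOG.COM
Registrar: Example Registrar, Inc.
Updated Date: 2014-10-02T09:31:00Z
Registry Expiry Date: 2015-09-30T04:00:00Z
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
Registrant Email: owner@example-blog.com
"""

# Constructed record after a hypothetical hijack: new name servers and contact.
HIJACKED_RECORD = """\
Domain Name: EXAMPLE-BLOG.COM
Registrar: Example Registrar, Inc.
Updated Date: 2014-12-18T03:12:00Z
Registry Expiry Date: 2015-09-30T04:00:00Z
Name Server: NS1.ATTACKER-DNS.EXAMPLE
Name Server: NS2.ATTACKER-DNS.EXAMPLE
Registrant Email: reseller@free-mail.example
"""


def parse_whois(text):
    """Collect 'Key: Value' lines; repeated keys (Name Server) become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        fields.setdefault(key, []).append(value)
    return fields


def parse_whois_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_whois(text, baseline):
    """Return a list of alerts for anything that differs from the recorded baseline."""
    f = parse_whois(text)
    alerts = []
    servers = {s.lower() for s in f.get("name server", [])}
    if servers != baseline["name_servers"]:
        alerts.append(f"name servers changed: {sorted(servers)}")
    registrar = (f.get("registrar") or [""])[0]
    if registrar != baseline["registrar"]:
        alerts.append(f"registrar changed: {registrar!r}")
    email = (f.get("registrant email") or [""])[0].lower()
    if email != baseline["registrant_email"]:
        alerts.append(f"registrant email changed: {email!r}")
    updated = f.get("updated date")
    if updated and parse_whois_time(updated[0]) > baseline["last_reviewed"]:
        alerts.append(f"record updated after last review: {updated[0]}")
    expiry = f.get("registry expiry date")
    if expiry and (parse_whois_time(expiry[0]) - baseline["last_reviewed"]).days < 60:
        alerts.append(f"expires within 60 days of last review: {expiry[0]}")
    return alerts


if __name__ == "__main__":
    print("clean:", review_whois(CLEAN_RECORD, BASELINE))
    print("hijacked:", review_whois(HIJACKED_RECORD, BASELINE))
```

Paste the output of your registrar's WHOIS lookup into CLEAN_RECORD's place and keep the baseline under version control; an unexplained "updated date" is worth a call to the registrar even when nothing else moved.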
It's also worth noting that people with older home routers should reboot them regularly (turn the router off, wait, and turn it back on; the restart may take five minutes or so) to clear memory-resident malware.  A reboot does not by itself update the firmware, which should be checked and updated separately from the vendor's site.  Rebooting does seem to clear the "Moon" worm from some routers (it could cause random redirection of some sites), but a router whose firmware has not been patched can simply be reinfected. 

Thursday, December 18, 2014

How the Sony attack really happened has not yet been explained in detail, and we need to know now (Later: admin leak discovered)

News reports are still sketchy on why large corporations and governments are not able to protect themselves against determined hacking attacks.
Webroot has an interesting story, from Dec. 2, of how Sony’s own backup and restore was taken over, and the hacker owner shows up in Google Play, story here

The Independent (UK) has a detailed timeline of the Sony hack here
The New York Times has some details here.  But the Daily Mail has a bigger story on the way the hyper-Communist country recruits cyber soldiers ("Bureau 121"), here.  And Slate gives Sony a real tongue-lashing here
Still, can a properly defined security system ward off any conceivable attack?  Experts haven’t explained exactly how "they" got in.  Was it ordinary malware from email attachments or thumb drives?  It sounds more likely that it was a direct connection to IP addresses.  But properly designed firewalls should have prevented intrusion.
There’s also a question of what operating systems were being used.  Was it Windows Server?  More likely it was Unix or Linux.  IBM Mainframe OS’s are very difficult to hack, and I know from a previous job application that Warner Brothers has a lot of mainframe – but I don’t know about Sony.
Again, "you" can't tell content providers not to talk about North Korea or radical Islam -- otherwise no content would have integrity.  Large corporations, especially, and governments need to make their networks impenetrable.  I don't know why they can't do it, but a lot is at stake.  Do ISP's, cable providers, and social media sites have better security than Sony?  I believe so.  But no one has explained even how a company like Sony was so vulnerable -- outside of possibly a disaffected insider. 
Back in the 1998-2001 era, small ISP’s would get “attacked” by DDoS attacks directed at their servers.  There are techniques for repelling such attacks by making the packets “bounce”, like robocalls.  In April 2002, two HTML files on my old “” site (now were hacked.  The hack started in a passage discussing suitcase nukes, in an essay posted shortly after 9/11.  A Unix Site Command had been left open at the ISP.  It has never happened again.  The idea that a particular passage was hacked is disturbing, but it hasn’t happened again, and no major terror attack (like what I was hypothesizing in that passage) has happened.  I simply reloaded (by WS-FTP) the clean file from a separate floppy backup when I discovered the problem and fixed it in one minute. I'll add that I do not have anyone's personal information;  people don't log on to my own sites.
Home and small business users can consider not linking all of their computers with one router, and keeping physical backups on their own as well as using the cloud.  It’s also safer to turn a machine off when it isn’t in use for a long period.  Some basic security is old school.  

Update: Later Dec. 18

CNN reports that apparently hackers stole Sony systems administrator credentials, to "fake" an inside job.  And, contrary to earlier reports, there is more evidence that some of the actual hacking may have originated inside North Korea, and been routed to other countries.  Still, it seems that Sony did a rather unprofessional job of managing its security, and didn't take symptoms seriously.  Why didn't it hire a professional security company? 

There is also a question of why the crudely written hacker note or email (with language sometimes similar to what you see in overseas spam) was reported in the press, and not immediately sent to law enforcement in secret, so that Sony wouldn't be in a public "Catch 22" position.  Sony carelessly let itself get "outplayed", just as in a chess game.  
Every major corporation (power utilities, banks, Internet service providers) should be reviewing how it protects its administrator security right now -- tonight -- and tighten the ship. 

Wednesday, December 10, 2014

How effective are the Microsoft Malicious Software Removal Tool and Windows Defender? Why do they take so long to update?

I’ve noticed during Microsoft automatic updates on both Windows 7 and 8.1 that the Microsoft Malicious Software Removal Tool takes a very long time to install, typically about ten minutes, whereas most other updates are quick.  Windows Defender can also take time.
The MSRT is not a substitute for anti-virus software;  it is a “second opinion” that can remove malware only after the fact, and it’s only updated once a month.  Here’s a story about it on Computerworld by Michael Horowitz from 2009, link
There is also a module called Windows Defender, which Microsoft explains here
But Windows Defender seems to score poorly in “real world protection” compared to third-party products, according to Tablet PC review, here.

Sunday, December 07, 2014

Odd request from a YouTube ad to update a driver; ignored; more on Moon router virus

Today, when I went to play some classical music on YouTube, I got an ad in the corner to the right of the YouTube display area, saying “you need another driver” with an invitation to download.  I X-ed out (did not download), and the web page then asked me to check a reason for canceling the ad.  I checked “inappropriate”.  Of course, I feared that this could be malware.  The video worked normally with no update. 

Users should not click on ads inviting them to download drivers.  When one needs a particular driver, one should go to the site of the company that provides the driver.  This should not have been an acceptable ad on YouTube.

I didn’t think to snap a picture of the ad.  I snapped a different one when I tried it again.  It’s normal for YouTube to display an ad on the upper right side of the page. 

Also, last week, one time when I brought up my HP Envy on Windows 8, the system said it was re-arranging the startup (I really didn’t notice anything) and then invited me to download and install Skype.  I checked the publisher name when Windows Firewall intervened, and it appeared to be the correct site and executable from Microsoft.  It loaded OK and works, and Webroot accepts it.

But, again, the user should not be invited to try new software at startup.  It’s OK to display a “legitimate” ad, but one should always go directly to the company's own site. 

On another matter, I have rebooted the Netgear router.  It took about five minutes, so it probably did a firmware update, and I’m told that this should fix the “Moon” virus. I haven’t seen any more fake Adobe requests.   Today, once when I went to, I got redirected to an nbcnews subsite of Yahoo, but this appears to be an NBC problem; no warnings from Webroot.  

Tuesday, December 02, 2014

How did the Sony Pictures hack happen? Why can't a large corporation protect itself? Same malware a home threat?

The hack of Sony Pictures, with the destruction of data on its corporate networks, seems to be the largest ever on a US company. 

Five films, including the upcoming “Annie”, were leaked and made available on piracy servers through P2P. 
There is a lot of suspicion of North Korea over the upcoming release of the comedy “The Interview”, with Seth Rogen and James Franco, where the US CIA recruits two journalists to assassinate the president of North Korea, which seems to take the film as a “threat” (almost like in the Elonis case, discussed on my main blog yesterday).  This is a little bit like my situation as a substitute teacher, where a fiction screenplay was interpreted by some as suggesting that I could be a “threat”.
But it’s also unclear why Sony’s own security systems were not able to prevent the hack, and how they got in, or how North Korea had the expertise to do this. 
The Wall Street Journal has a detailed and typical news story here
Webroot is characterizing this as a “ransomware” attack. It is possible that the company was using a “malware infected host”.  It’s not clear from news reports if there is a specific worm or virus related to this attack that home security software should scan for.  Webroot’s brief story is here
CNET has a story about the FBI warning to businesses here. The FBI has sent out a “flash warning”. 

Wednesday, November 26, 2014

CoinVault ransomware has appeared suddenly in November 2014

Bleeping Computer has a valuable information page and FAQ for the new CoinVault ransomware, link here

This new kind of ransomware contains its decryption interface within the executable, and offers the victim one file “free” as proof that it can be done.  Payment is accepted only in Bitcoin.

The malware is distributed through email zip attachments disguised as .PDF files. It might be more likely to affect people who routinely work with attachments from clients.  
Webroot seems to be one of the first companies to research it. 
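An added example, not from the original post, Bleeping Computer or Webroot, of a check a mail gateway or a cautious user could run on incoming zip attachments: it flags members that carry an executable extension behind a document extension (invoice.pdf.exe), names that use the Unicode right-to-left override to hide the real extension, and files whose content starts with a Windows PE header whatever they are called. The sample archive and its contents are constructed dummies, not CoinVault.

```python
import io
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RLO = "\u202e"  # Unicode right-to-left override: visually reverses the tail of a name


def classify_member(name, head):
    """Return the reasons (possibly none) one archive entry looks like a disguised executable.

    `head` is the first few bytes of the member's content, used to spot a Windows
    PE image ("MZ") regardless of what the file is called.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]
    exts = ["." + p.lower() for p in base.split(".")[1:]]
    if RLO in base:
        reasons.append("right-to-left override character in name")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(f"executable {exts[-1]} disguised as {exts[-2]}")
        else:
            reasons.append(f"executable extension {exts[-1]}")
    if head.startswith(b"MZ") and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("PE header under a non-executable name")
    return reasons


def scan_zip(zip_bytes):
    """Scan every entry of a zip held in memory; returns {member_name: [reasons]} for flagged entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed test archive: one genuine-looking PDF and three disguised payloads. Contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("statement_2014-11.pdf", b"%PDF-1.4 constructed sample\n")
        zf.writestr("invoice_2014-11.pdf.exe", b"MZ" + b"\x00" * 30)   # double extension
        zf.writestr("photo_" + RLO + "gpj.scr", b"MZ" + b"\x00" * 30)   # displays as photo_rcs.jpg
        zf.writestr("shipping-label.pdf", b"MZ" + b"\x00" * 30)         # PE content, innocent name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

Windows hides known extensions by default, which is why "invoice.pdf.exe" reads as "invoice.pdf" to most recipients; the content check catches the case where the name gives nothing away at all.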

Monday, November 24, 2014

"Regin": deep-rooted malware seems to be engineered by NSA and Britain's GCHQ, probably not significant for most "home users"

There are reports of a piece of modular espionage malware called “Regin” which appears to have been developed by US, British and other European governments, especially Britain’s GCHQ.  The Intercept gives a very detailed account of how it works here. It targets Windows systems and is intended for deep-level espionage.  It is unlikely to be noticed by a home user, although it is conceivable that in some cases it could cause Windows 8 to behave erratically or to freeze.  I wonder if it has anything to do with some instability on my Windows 8.1 HP Envy.
CNN has a simpler account here

A lot of the analysis work of the malware was done by Symantec (Norton anti-virus). 


Saturday, November 22, 2014

Router hack may cause unwanted Adobe download requests

There is a new explanation for the unwanted popup I sometimes see to install an Adobe Flash player.  It has occurred on one Windows 8.1 machine from and  

I have even communicated with the abuse departments of both MLB and Adobe about the popup, and Adobe recently emailed to me that it had acted (legally, probably with a trademark claim) to stop the particular popup.  

An Adobe forum suggests that it is a router that is infected, not the computer.  The link is here.  The malware is called the “Moon virus” or "Moon worm".   It’s hard to see how a Netgear router itself (firmware) would be hacked (it is password protected) but it’s possible that the hack could be on the ISP’s servers.  The implication is that as long as one doesn’t click on the link, nothing will happen.  But the unwanted exe (which Chrome now warns about as a threat but Webroot doesn’t yet) disappears from the notification bar when the browser is simply closed (all sessions). 
A hacker news bulletin (link) has an even more sinister warning that router hacking could lead to fake bank sites coming up.  Therefore, when a home user checks his or her financial statements, it’s a good idea to check them on more than one computer, or on more than one kind of device (try both mobile and PC), more than one operating system (try Mac if you have it), and more than one router.  If you have a hotspot with your cell phone, use that occasionally instead of your home router.  Or even check at a terminal inside your bank branch if it offers one (Wells Fargo is pretty good about this).  

Update: Nov. 26

Here's another writeup from the UK on the Moon virus, seeming to have something to do with Conduit, link here.

I got a fake Adobe update popup this evening on an older Dell Windows 7 laptop when I was on (trying to go to the Washington Nationals page).  In Windows 7, it started downloading, and Webroot SecureAnywhere stopped it immediately.   I closed the browser.  The Webroot scan ran for 20 minutes and verified the malware had not actually loaded or installed.  I tried the mlb site again and it worked normally.  I did go ahead and reboot the machine and nothing unusual happened.  

Friday, November 21, 2014

Webcam hack from Russia seems like an old trick

Home webcam cameras all over the world have been hacked, with some live feeds available from a website hosted in Russia. The Register (UK) has a typical news story here

Generally, most of the exposed feeds come from standalone network cameras installed at various locations around businesses and homes, not from laptop webcams.

The hacks can be prevented by merely changing the default passwords on these devices (and by not exposing their web interfaces directly to the Internet).   Such cameras are also common in some newer home security systems, but users of these probably would have known to protect them.

Some authorities say that these hacks have gone on for a long time.  They have been used as plot devices in films (like "Pornography, A Thriller", Movies blog June 18, 2012, and I think it's happened in soaps like "Revenge" (with likable bisexual techie guru Nolan Ross doing the hacking) and "Days of our Lives").  

The hackers say they did this as a “proof of concept”, and to demonstrate a major hole.  But criminals could use these devices for “peeping Tom” purposes, like to create child pornography, or even to know when people aren’t home.   

Thursday, November 06, 2014

Fugitive in PA used unprotected WiFi routers; password managers based on biometrics come onto the market

A couple of alarming or interesting stories came out today. One is that fugitive Eric Frein, who had hidden out in northeastern Pennsylvania for over a month, had used open WiFi routers in the area to get Internet access (as well as solar cells for power).  Apparently this refers to homes with routers without passwords, or with weak passwords, or without the usual encryption.  The AP story, in the UK Daily Mail, is here
And Molly Wood, in the Personal Tech column for the New York Times, “Machine Leaning”, p. B6 Thursday, writes about “augmenting your password protected world”, with new devices that you “log in to” with biometric identification. Hoyos Labs (link) will offer IU, a facial recognition app that will manage your passwords and log on to sites for you – but you have to use the app rather than your browser in a normal way. The article also describes EyeLock (link), an iris scanner that looks like a hockey puck, that you can’t afford to lose. The link for the story is here

The idea that facial recognition could be really reliable sounds amazing to me.  It seems so easy for appearance to change – with age for openers.  Or by weight loss, as with Jake Gyllenhaal in “Nightcrawler”. 

Tuesday, November 04, 2014

Webroot updates coverage on large corporate hacks; biggest danger to ordinary users still seems to come from phishing

Well, what’s my own security news?   Last week, a Metro machine cracked my Bank of America debit card as I tried to update my Smart card.   Sorry, I had to use cash.  I went into a branch in downtown Washington and the employees thought it was still OK, since it still worked.  I insisted on replacing it, and indeed the replacement came to my business box (which is a safer delivery option than a home address) in a few days (with a temporary).  No sign that the Bank has started the European chip technology to make debit cards harder to forge.  (I’ve had trouble with Metro machines twice now.) 
Then, on a day trip last week, I stop at a restaurant in Marshall, VA and notice this is a “cash only business” only when ready to pay.  Fortunately, I had the cash.  But more small businesses are obviously petrified of the security risks right now with cards.
Igor Piatniski has an update on all the big corporate hacks on the Webroot Threat blog, link here.  I still use my debit card at a local grocery store, drug store, and hardware store with no problems.  But I do watch all bank and financial statements online regularly.  Not everyone does this.  And I don’t bank with the cell phone.  I still use the laptop, because I need it for my “work” even when I travel anyway.  I still think security on a PC is a little easier to manage.   On credit card statements, yes, I look, but I admit there is a possibility for small charges to slip by.  I think a couple times, charges disguised as “annual fees” for something obscure might have been slipped onto a bill, for a card.  Oh, yes, Target got around to replacing my regular Visa  credit card, finally.  Maybe I was on the list after all. 
The anecdotal evidence is that very small fraudulent charges and debits may be much more common with compromised accounts than wholesale attempts to drain bank accounts.  I keep seeing a few small charges that I can't explain, randomly. 
One other item:  I've noticed some phishing emails recently offering to "restore your Facebook account". And I still laugh at the obvious "Nigerian" scams and very obvious fake charities that I see (as in the movie "Believe Me", reviewed Nov. 3 on the Movies blog).  

Wednesday, October 29, 2014

Sites using Drupal content management could be compromised by SQL injection vulnerability unless they applied patch immediately

The Drupal project disclosed a critical SQL injection vulnerability in Drupal 7 on Oct. 15 (advisory SA-CORE-2014-005), and later warned site owners that any site not patched within about seven hours of the announcement should be assumed compromised, because automated attacks began that quickly. Restoration would require going back to database backups made before Oct. 15.  This would be very costly for some operations, perhaps news sites. 
The content management system is Drupal.  I’m not aware that any of my stuff uses it.  Also, I don’t keep ANY consumer or user personal information on any sites.  I hope there are no ties to Blogger or Wordpress;  I don’t think there is.  (Wordpress uses simply MySQL, I think.) 
The detailed news story is on zdnet, link here.   Drupal’s own announcement is here
Webroot tweeted this story today a short time ago.  This was the first I had heard of it.
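As an added illustration of the bug class behind the Drupal advisory (this is not Drupal's code, which lives in its database abstraction layer, but a generic example written for this page), the following builds the same IN (...) query two ways against an in-memory SQLite table with constructed rows. The attacker's value closes the list and comments out the rest of the WHERE clause in the vulnerable version; the parameterized version never lets the value touch the SQL text.

```python
import sqlite3


def setup_db():
    """In-memory table with constructed rows; 'root' is the account an attacker wants to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "editor"), ("bob", "editor"), ("root", "admin")])
    return conn


def find_editors_vulnerable(conn, names):
    """Builds the IN list by splicing request values into the SQL text.

    Expanding a variable-length list is exactly where developers abandon
    placeholders; the attacker's value closes the list and comments out the
    role restriction that was supposed to limit the result.
    """
    in_list = ", ".join("'" + n + "'" for n in names)
    sql = f"SELECT name FROM users WHERE name IN ({in_list}) AND role = 'editor'"
    return [row[0] for row in conn.execute(sql)]


def find_editors_safe(conn, names):
    """Same query with one '?' placeholder per value; values are bound, not interpolated."""
    placeholders = ", ".join("?" for _ in names)
    sql = f"SELECT name FROM users WHERE name IN ({placeholders}) AND role = 'editor'"
    return [row[0] for row in conn.execute(sql, list(names))]


# Constructed payload, as it might arrive in a ?name[]= query parameter.
PAYLOAD = ["x') OR 1=1 --"]


def demo():
    """Run honest input and the payload through both versions; returns the rows each produced."""
    conn = setup_db()
    return {
        "honest": find_editors_safe(conn, ["alice", "bob"]),
        "vulnerable": find_editors_vulnerable(conn, PAYLOAD),
        "safe": find_editors_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

The vulnerable query text becomes `... WHERE name IN ('x') OR 1=1 --') AND role = 'editor'`, so every row comes back, including the admin account; the bound version returns nothing because it looks for a user literally named `x') OR 1=1 --`.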

Monday, October 20, 2014

Phone dial (900-number) scammers hitting small businesses with Internet land lines

The New York Times has a major front page story Monday by Nicole Perlroth, “Dial and Redial: Phone Hackers Stealing Billions”, link here. Around the country, hackers are breaking into the Internet-connected phone systems of small businesses on weekends and running up calls to premium-rate “900” numbers (or their international equivalents), often to sex businesses overseas, and taking a cut of the charges.   In at least one case, the hackers were associated with Islamist terror groups (related to Mumbai), so it is possible that ISIS has used this technique. 
Telecom carriers have nonetheless sued the businesses for bills in the hundreds of thousands of dollars, as there is no fraud protection like that in the credit card industry, and carriers insist that customers are responsible for securing their own systems.  This may be impossible for a small business, and state lawmakers are noticing.

I think there was an idea like this in the 1997 novel “The Trojan Project” by Minnesota author Edmund Contoski. 


ABC News has a story about the practice (hitting a Missouri realtor), and it sounds like it could happen at home, especially to a home-based business.  The realtor says that her phones actually started ringing incessantly.  On a weekend, or when someone is away from home for a period, it could happen unnoticed.  

Monday, October 13, 2014

Shodan, the "other" search engine to find "things"

Here’s something to know about: “Shodan” (inspired by the game “System Shock”), the “search engine for the Internet of things” – somehow connected to a housecat in a popular TV ad.  Rather than websites, it searches for Internet connected devices – routers, televisions, refrigerators, home thermostats, security systems, especially those with weak passwords.  The basic domain is here. Yes, it can find power plants, which really should be walled off from the public Internet, but we’ve known since 2002 how exposed they are.  It does NOT find ordinary websites, so I don’t know if it is part of the “deeper Internet” in reputation management. (The "io" TLD refers to British Indian Ocean Territory.) 
CNN Money calls Shodan “the scariest search engine on the Internet”, link here. No, I don't have any appliances hooked up to the Internet.  Obviously, it makes it easy for the NSA to monitor anyone's TV viewing habits -- for anyone with Internet TV. 

The site was launched in 2009 by John Matherly.   Despite the hype, law enforcement and the US military and homeland security use it for investigation all the time.  

(For major story on Snapchat, see Oct. 11 on COPA blog; more to come.) 

Thursday, October 09, 2014

Washington Post offers major insert on cybersecurity, says we are at a critical turning point

The Washington Post offered a major insert Wednesday, Oct. 8, 2014,  “Cybersecurity: A Special Report”, link here
The editor, Mary Jordan, starts out with an op-ed, “Cyber attackers have the upper hand.” She mentions DARPA (Defense Advanced Research Projects Agency) and a prize associated with its “Cyber Grand Challenge”. The agency director, Arati Prabhakar, has a piece, “Building the unhackable system.”
Ellen Nakashima and Ashkan Soltani have a piece, “The ethics of Hacking 101”, describing university courses in hacking at the University of Tulsa and Carnegie Mellon.  In some cases, only students who will go to work for law enforcement or go into the military are accepted.

There is a “call to action” from Alejandro Mayorkas, Deputy Secretary of Homeland Security. 

Tuesday, October 07, 2014

Popup from Major League Baseball wants to install new Adobe Flash Player and new java engine, looks suspicious to me.

Occasionally, I get a pop-up prompting me to install a new Adobe Flash Player and Java engine from Major League Baseball (, especially when trying to play one of the videos.  It claims to be required and a security update (suspicious) and comes from a URL for an "easy update" company.  This certainly sounds suspicious.  I always just click out of the pop-up (in Chrome) and everything plays normally.

If this is malware somehow placed on the mlb site by hackers, MLB should investigate and remove it.  I've seen it before, but it might become more common during the playoffs and World Series if not stopped.

Webroot does not flag anything, although it might if I actually tried to go to the site that does the update.

It seems to happen only in Windows 8, not in Windows 7 or lower, or on the Mac.

Reputable, well known sites for sports and news do get hacked sometimes.  That seems to be following on the attacks on the payment systems of retailers.  This might be the next trend.

Does anyone have any info?

Update: Nov. 13, 2014

I got the popup today in Chrome when I went to the Washington Nationals' site to learn about trades.  The site seems to be "".   I doubt that it is legitimate.  The Adobe trademark appears to be reproduced exactly, as are all the scripts.  I'm surprised and Adobe haven't put a stop to this.  

Monday, October 06, 2014

Examiner reports on self-destruct option for hard drives, and on Mac botnet (unclear if part of Bash)

There is now a hard drive that you can set up to self-destruct, with a text message, as explained in a story on The Examiner, link with video here.  It is a 128 GB drive.

The Examiner is also reporting a Mac malware botnet called “Mac.BackDoor.iWorm”, which uses posts on Reddit to locate the addresses of its command-and-control servers, story here. It is not completely clear right now whether this is related to the “Bash Bug” (Sept. 25).   

Tuesday, September 30, 2014

Creator of StealthGenie arrested by FBI for marketing an "illegal" app used for stalking

The creator of the StealthGenie app, which can be used to spy on someone when installed on his or her smartphone, was arrested by the FBI Monday, as reported in a story on CNN by Doug Gross here. The creator is Hammad Akbar, of Lahore, Pakistan.  The CNN story links to another by Erica Fink, “Stalker: A creepy look at you online”.  The capabilities to track someone in real time are legal only for law enforcement.

Surveillance by parents of minor children would be legal, as would surveillance of employees in some cases. 

The website for “StealthGenie” was not available Tuesday morning.  But YouTube videos advertising it (even from the company) were still working.  They might well get taken down soon.
A person would need access to the phone to install it, so usually this could come about when someone is being stalked by someone they “trust” (like someone dating the person) who has access to their stuff.   

Sunday, September 28, 2014

Is bloatware ever actually malware?

When I got my HP Envy All-in-One back from Geeksquad (IT blog, Sept. 28), the technician reported that he had “removed threats” without specifying which, and that now there were no viruses and no hardware issues.  He also said that he had removed “bloatware”, which was “Cozi” and “Pinger” according to the Microsoft Reliability Report in the Action Center.
In the past, GeekSquad has used A-Squared to find and remove viruses not found by nearly all major anti-virus vendors.  That may have been the case this time.  Since getting the machine back, there have been no freeze-ups or SmartDrive “false positive” hard disk errors.  The suggestion is that there might have been some sort of malware on the original machine. 
Once in a while, the display screen does go blank, and comes back when touching the mouse, as if the time counter for deciding when to go to sleep didn’t quite function properly.
The “Farmville” pop-up still sometimes appears and disappears quickly. It appears to be installed on 8.1.  

Thursday, September 25, 2014

"Bash" bug in Unix-like environments (including Mac) explained; most users probably not affected


Tim Lee of Vox has a detailed discussion of the Bash bug in Unix-like systems, which include Mac personal computers.  "Bash" stands for "Bourne-Again SHell".  If you go to Terminal on your Mac (Tim explains how to navigate to it, and I just did it on my own), you'll see if you have Bash (I do, in 10.6.8 -- my test is above).  His main story is here, and there is a "proof of concept" simulation at "trusted security" here.

The main problem is in how bash imports its environment at startup: a variable whose value looks like a function definition is parsed as one, and vulnerable versions kept parsing past the end of the function body and executed whatever commands followed.  Any program that places attacker-controlled text in an environment variable and then runs bash (a web server handing HTTP headers to a CGI script is the classic case) lets a remote attacker run commands, inject malware, or turn the machine into a botnet zombie.
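An added example (not from Vox, US-CERT or the original post) of how the bug is checked and how it is reached remotely. shellshock_check runs the local bash under a crafted environment variable, the well-known probe for CVE-2014-6271, and reports whether the trailing command ran; cgi_environment models how a CGI web server exports request headers such as User-Agent into the handler's environment, which is the path that made the bug remotely exploitable. Header names and values are constructed.

```python
import os
import shutil
import subprocess

# The classic probe: a value that parses as a function definition, followed by a command.
SHELLSHOCK_PAYLOAD = "() { :;}; echo VULNERABLE"


def header_to_cgi_var(header_name):
    """Map an HTTP header name to the CGI environment variable a gateway exports it as."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def cgi_environment(headers):
    """Model how a CGI front end hands request headers to the handler's environment.

    This is the remote path: the attacker controls User-Agent or Cookie, the web
    server exports it, and an unpatched bash executes the trailing command while
    importing its environment, before the script itself even runs.
    """
    return {header_to_cgi_var(name): value for name, value in headers.items()}


def shellshock_check(env=None):
    """Run bash under a crafted environment and report 'vulnerable', 'patched' or 'no-bash'.

    `env` defaults to the local-probe form (a variable named x); pass
    cgi_environment(...) to reproduce the CGI path with the same payload.
    """
    bash = shutil.which("bash")
    if bash is None:
        return "no-bash"
    probe_env = dict(env) if env is not None else {"x": SHELLSHOCK_PAYLOAD}
    probe_env.setdefault("PATH", os.environ.get("PATH", "/usr/bin:/bin"))
    # The command bash is asked to run is harmless; only an unpatched import
    # step would also print VULNERABLE from the environment variable.
    result = subprocess.run([bash, "-c", "echo probe"], env=probe_env,
                            capture_output=True, text=True, timeout=10)
    return "vulnerable" if "VULNERABLE" in result.stdout else "patched"


if __name__ == "__main__":
    print("local probe:", shellshock_check())
    attacker_headers = {"User-Agent": SHELLSHOCK_PAYLOAD, "Cookie": "session=abc"}
    print("via CGI headers:", shellshock_check(cgi_environment(attacker_headers)))
```

A desktop that never runs bash on untrusted input is exposed only indirectly (through, for instance, DHCP clients or network services that shell out), which is why the advice for most home users was to patch and not to panic.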

It looks like MacOS versions in MacBooks are probably OK, but security professionals at Apple are burning the midnight oil on this one anyway.  There should be more definitive news in a few days. Right now, there would not be much of a defense, although anti-virus software should be able to detect malicious activity soon.

This can't be good for Apple stock, which already suffered from a "bent wrist" iPhone (enough to please Tiny Tim).

US Cert has a bulletin on the GNU Bourne-Again Shell vulnerability here.

I'm contemplating going to 10.9 (maybe a new machine) and Sibelius 7.5 soon to finish a music project.

The latest, Friday morning, is that Apple says that "Shellshock" isn't a problem for its users, Yahoo! Finance link here.  But if it were, we would wonder whether other third-party apps, like Avid Sibelius, for music composers, could be affected by an operating system fix and update.

Unix servers can have vulnerabilities of their own, such as when "SITE commands" are left open on an FTP server (as with a 2002 incident that affected me).

Update: Sept. 29 

Webroot has a statement on Bash or Shellshock here

Wednesday, September 24, 2014

More new tips to avoid hackers (mostly with smartphones and home routers, and appliances)

Here's the latest set of "seven tips" to fend off hackers, by Jose Pagliery on CNN, link here.

Generally, I follow most of these, with a major caveat.  I don't do any banking on my smartphone.   I suppose that as time goes by I'll come under more pressure to use my phone to pay for things rather than using credit card stations, will-calls, or print-at-homes.  Getting a taxi is sometimes easier if you have the taxi software and can pay with it -- but that's also an exposure.  (It's also a security plus -- if anything happens to you physically, police could find you.)

Web sites on cell phones are always asking for location.  That could lead a stalker to know where you are, if you think you could be a mark.

I don't think you need https if you're not going to do any business -- if you don't have to log on to the site to see the content.  I NEVER have required users to do this (log on) for my sites, because I don't want the risk -- but I can see how there could be a point -- if there is new content only for some people to see.  But then, you can set up private Vimeo instead (if it's a video).

It is true that even if you don't log on to see a site, your visit is recorded on server logs.  There was a case in 2005, when I was substitute teaching, when I needed to know which views of a controversial screenplay of mine had been made from school servers, and I was able to determine that easily.

But MOST people probably aren't in a situation where anyone cares where they logged on, if from home.  From work (where an employer cares), that's a different matter.

No, I really don't need Internet-smart appliances.  But I can see that as home security systems (and security cameras) get more sophisticated, and controlled from smart phones (like what Comcast XFinity sells now), there could be new issues with hackers -- when you're on vacation.

Practically everyone has a home router, as cable companies promote them, and many modern laptops don't have Ethernet ports (you can buy one with a USB adapter).  The biggest concern would be misuse for copyright infringement or child pornography, and the murky liability and maybe police work.  Yet EFF has written before that all WiFi connections should be public.  No, when I see a neighbor's unprotected connection, I don't use it -- just my own.  But I can see that families could be leaving themselves exposed.

Saturday, September 20, 2014

Trend Micro bawls me out on my "lack of privacy"

Well, I have Trend Micro on my replacement Toshiba Satellite Radius (which reminds me of the film company “Radius TWC” and “Snowpiercer”). 

Trend gave me a “tongue lashing” report on my lack of privacy after I re-installed Mozilla.  It is particularly concerned about visibility to advertisers and to the possibility of tagging photos.  Of course, the photo issue exploded recently with the iCloud hack, and that can have to do with what happens even when you aren’t online.

Google Chrome is also talking about “synching up encryption” on all the machines that access my account.  I’ve never seen this before.  I’m not sure how I’m supposed to do it yet.  It would probably matter mainly for work overseas in non-democratic countries.

I do watch financial accounts online regularly.  I have yet to discover fraud based on identity theft or hacks.  (It has happened with a stolen credit card before.)   I do wonder about getting spam emails for credit card bills for accounts I don’t have (mainly for overseas banks).  Maybe somebody has replicated my identity in eastern Europe or Russia, and used it over there.  Putin would put people up to this.

Tuesday, September 16, 2014

McAfee Security Scan warns me about my past incidental visit to 4chan

McAfee Security Scan is often offered free with Adobe products.  Today, on a Windows 7 machine, when it ran, it came back “code yellow” and gave me a warning that I had visited two suspicious sites, the “imageboards” “” and “4cha”.  “4Chan” has been controversial because it hosts questionable content like the nude photos (of female celebrities) stolen from the Cloud and posted by hackers.  But I’m not aware of any reports of malware.
There have been legal questions whether visitors who look at any underage explicit photos there are “possessing” child pornography. A person might not know that an image or thumbnail that appears on the board is underage. There are questions, apart from the underage material, as to whether the site could be forced to remove material posted without permission. 
Still, I was surprised by McAfee’s Security Scan finding that I had accessed it and flagging it.  

Wednesday, September 10, 2014

5 million gmail passwords hacked by Russians; Facebook and Twitter also have 2-step verification

Webroot is reporting that about 5 million gmail accounts were hacked (it’s happened before) by brute force, and gives information on 2-step verification on not only Google, but also Facebook, Twitter, and Microsoft Outlook, story by Richard Melick, link here.  We need to see banks adopt this technology. 
The Bitcoin Forum has a list of the names, but it is in Russian, in part. 
You can check if your gmail was compromised with the “Isleaked” site, here.

You can put in placeholders to avoid spelling out your entire email address.

A Fox station offered this and another link to check, and then had second thoughts, link here.

Saturday, September 06, 2014

My own difficulties renewing Norton anti-virus on the Mac

I noticed that on a 2011 MacBook laptop that I use for music, my Norton subscription has expired.

And furthermore, when I try to renew it, I can’t get the Norton website to direct me to an update that runs on Mac OS 10.6.8 (the lowest update available is for 10.7 and Apple is already up to 13).  In fact, most of the links on the website take me only to Windows-based products!

So soon I’ll visit an Apple store and see how to get this updated.  It seems as though vendors are into making you replace operating systems every two or three years or else everything goes obsolete.  They won’t leave you alone.  
Update: Sept. 10

I tried to chat with an agent at Norton to get a renewal code, and got caught in a loop on the Norton site.  I got the Norton site to update my account only from a Windows machine.  Maybe the problem was I hadn't verified the email yet, but it shouldn't loop and keep on refreshing the base page.

Update: Sept. 14

I did get the subscription date to advance to 2015 with a renewal code from a chat agent.  Norton replaced the module once with the same product and a restart. 

Monday, September 01, 2014

FBI to probe iCloud nude photo leak

The FBI has launched a probe of the hacking of the Apple iCloud and the leaking of nude photos of some female celebrities (like Jennifer Lawrence and Kate Upton) from their private cloud accounts (apparently deleted items) to “4chan”.  The Huffington Post has a headline story this evening by Anthony McCartney, “iViolated”, here.  Apparently the photos had been taken on iPhones and stored on the phones, not on personal computers.
I wrote a posting on my main blog this morning, exploring a much bigger context, that of Section 230 of the 1996 Telecommunications Act, which would preclude downstream liability for sites like 4chan and, for that matter, Blogger, YouTube and Wordpress.
Possibly photos could be watermarked as they are stored in private clouds, which would tell a service provider later that posting of them is illegal.  Google is already using such an automated system to identify images known already to be child pornography.  Possibly this technology could be expanded.  

Update: Sept 2

ABC News reports that Apple did not find any systemic compromise of its security, and encourages the use of two-step verification of cloud storage (with strong passwords), particularly if very private or personal materials are stored and if someone would actually make money by getting them (as with celebrities).  Hopefully, most "ordinary people" don't have images that would be compromising.   Again, the idea remains that the government could some day troll cloud accounts for child pornography with hash matching.

Update: Sept. 6

Apple is changing security to limit the number of wrong password attempts allowed in access to its Cloud.   It will also warn users when material from the Cloud is loaded to different devices.  Here is the ZDNet story.


Saturday, August 30, 2014

Sports sites seem to offer phony java, browser upgrades; have they been hacked?

Major League Baseball, and other big league sports licensing groups (like the NFL), probably need to watch their own websites – which are technically very elaborate – for possible (foreign) hacks.  Today I got an unnecessary invitation to download Java (with the Java teacup trademark, which may have been faked) before trying to watch a video about a Nationals win in Seattle.  I clicked out, renavigated to the video, and the six home runs played just fine.
A few weeks ago, I got a phony invitation to upgrade Google Chrome, which sounded flaky. 
MLB should re-examine security for its site and check it for any malware or adware that violates MLB policy.  I doubt that these kinds of software "upgrades" would be considered acceptable under their own TOS. 
I’ve noticed that a few other websites, like conservative websites with more radical or strident views (like the Washington Times), will offer popup ads that, when you exit, make you reaffirm that you really want to leave the page.  And they also offer sponsored videos that keep leading you on to watch without telling you the real point.  These don’t seem to harm anything or contain malware, but they are certainly tacky and unprofessional.

Wednesday, August 20, 2014

Could the government really scan cloud backups of home hard drives? Would it?

Recently there has been some press attention to Google’s turning over to law enforcement some images in an email from a man in Houston, where those images matched, by digital watermark, images known to be child pornography, most likely from a running database managed by the National Center for Missing and Exploited Children in Alexandria, VA.

Generally, the tech community has been supportive of Google’s action, which I discussed in detail on my COPA blog Aug. 10.  Google could argue that it was required to turn over the info, and it makes no secret of its rooting out child pornography on its systems. 

Legally, too, putting illegal images in an email is a form of distribution, even if intended for only one recipient.

The question remains, however, what if the same strategy were applied to images from a hard drive stored by a cloud service.   Legally, there might seem to be a difference because the government might have a hard time making a case for “intent to distribute”.
The idea is scary for another reason.   An attacker could plant images known to be illegal on someone’s computer with malware, with the intention of framing the person.  (We’ve seen this problem with WiFi routers, but to mess with a home user’s supposedly private content this way would sound even more sinister.)   The only systematic answer would be for all major antivirus companies to add scanning for watermarked images as part of their routine scans.  But then what legal position would that put the anti-virus company in?   

Thursday, August 14, 2014

What is the "Farmville Free Game" popup?

This morning, after booting up Windows 8.1, I noticed a popup in the upper right corner of the screen for the “Farmville Free” game.  I was browsing in Google Chrome.  I had looked at a few of my own blogs.  I looked up what this is, and it seems to be legitimate (and be marked green in Mozilla by Webroot).  A link to a forum on this matter is here.  I did a cold reboot, and it did not recur, when surfing in Chrome (my own blogs or anything else).  Webroot scan did not find any problems.
Does anyone know anything about this popup?  

Update: Sept. 15, 2014

It appears that Farmville2 is included with Windows 8.1 and that this popup comes from Windows.  Sometimes it happens right as I boot up.  It's harmless, but rather tacky.

Update: March 4, 2015

The Farmville icon persisted until I closed it.

Wednesday, August 13, 2014

New HP computer shows an unwanted dll member, a mystery

On my new HP ENVY “desktop” with Windows 8.1, I’ve noticed the presence of a bizarre Dynamic Link Library element, “_ocl_svml_e9.dll”.  It appears if I enter the letter “E” on the Windows 8 Tablet desktop as if I wanted to bring up “Excel”.

I noticed this after one apparent hard drive error, which I recovered from by simply turning off the machine and doing a cold boot, which took a little longer than usual.  After that incident, I signed up for the HP Support Assistant monitoring of firmware problems. I noticed that Windows 8.1 Action Center ran on bootup, possibly to mark a hard-drive sector as unusable.   

A little nosing around suggests that this is obscure malware whose purpose is unknown. But a site in Japanese, ExEdb, says, when translated, that this module is inessential and may be left on the machine. 

Webroot Secure Anywhere does not flag this module during routine scans.