Saturday, August 30, 2014

Sports sites seem to offer phony Java, browser upgrades; have they been hacked?

Major League Baseball, and probably other big-league sports licensing groups (like the NFL), need to watch their own websites – which are technically very elaborate – for possible (foreign) hacks.  Today I got an unnecessary invitation to download Java (with the Java teacup trademark, which may have been faked) before trying to watch a video about a Nationals win in Seattle. I clicked out, renavigated to the video, and the six home runs played just fine.
A few weeks ago, I got a phony invitation to upgrade Google Chrome, which sounded flaky. 
MLB should re-examine security for its site and check it for any malware or adware that violates MLB policy.  I doubt that these kinds of software "upgrades" would be considered acceptable under their own TOS. 
I’ve noticed that a few other websites, like conservative websites with more radical or strident views (like the Washington Times), will offer popup ads that, when you exit, make you reaffirm that you really want to leave the page.  And they also offer sponsored videos that keep leading you on to watch without telling you the real point.  These don’t seem to harm anything or contain malware, but they are certainly tacky and unprofessional.  

Wednesday, August 20, 2014

Could the government really scan cloud backups of home hard drives? Would it?

Recently there has been some press attention to Google’s turning over to law enforcement some images in an email from a man in Houston, where those images matched, by digital watermark, images known to be child pornography, most likely from a running database managed by the National Center for Missing and Exploited Children in Alexandria, VA.

Generally, the tech community has been supportive of Google’s action, which I discussed in detail on my COPA blog Aug. 10.  Google could argue that it was required to turn over the info, and it makes no secret of its rooting out child pornography on its systems. 

Legally, too, putting illegal images in an email is a form of distribution, even if intended for only one recipient. 
The question remains, however, what if the same strategy were applied to images from a hard drive stored by a cloud service.  Legally, there might seem to be a difference because the government might have a hard time making a case for “intent to distribute”.
The idea is scary for another reason.   An attacker could plant images known to be illegal on someone’s computer with malware, with the intention of framing the person.  (We’ve seen this problem with WiFi routers, but to mess with a home user’s supposedly private content this way would sound even more sinister.)   The only systematic answer would be for all major antivirus companies to add scanning for watermarked images as part of their routine scans.  But then what legal position would that put the anti-virus company in?   
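The post speculates about antivirus products matching stored images against a database of known illegal files. As an added example (not from the post, and not any vendor's code), the following Python script shows the simplest form such a check takes: walking a backup directory and comparing each file's SHA-256 digest against a set of known digests. The "known-bad" hash list here is constructed from placeholder byte strings; a real clearinghouse would distribute the digests themselves, and the post's phrase "digital watermark" may refer to a perceptual hash rather than an exact hash, which is an assumption this example does not try to reproduce.

```python
import hashlib
import os
import tempfile

# Constructed sample "known-bad" list: SHA-256 digests of two placeholder byte
# strings standing in for the digests a clearinghouse would actually distribute.
KNOWN_BAD_CONTENT = [b"placeholder-known-file-A", b"placeholder-known-file-B"]
KNOWN_BAD_HASHES = {hashlib.sha256(c).hexdigest() for c in KNOWN_BAD_CONTENT}


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large images never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, known_hashes=KNOWN_BAD_HASHES):
    """Walk `root` and return sorted (path, digest) pairs for every file whose
    SHA-256 is in `known_hashes`. Unreadable files are skipped, never reported."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # locked or vanished file: not evidence of anything
            if digest in known_hashes:
                hits.append((path, digest))
    return sorted(hits)


def demo():
    """Build a constructed backup tree with one matching and one benign file,
    scan it, and return the matching paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "backup", "photos")
        os.makedirs(sub)
        with open(os.path.join(sub, "img001.bin"), "wb") as f:
            f.write(KNOWN_BAD_CONTENT[0])          # identical bytes: will match
        with open(os.path.join(sub, "img002.bin"), "wb") as f:
            f.write(b"unrelated holiday photo bytes")  # benign: will not match
        hits = scan_directory(tmp)
        return [os.path.relpath(p, tmp).replace(os.sep, "/") for p, _ in hits]


if __name__ == "__main__":
    print(demo())
```

Two points follow from the code rather than the prose. An exact digest only matches byte-identical files, so any re-encoding or resize defeats it, which is why production systems use perceptual hashes instead. And a hit says only that a file with that content exists at that path; it says nothing about how it got there, which is exactly the gap the post's "framing" concern lives in, so a scanner should report path and digest for review rather than act on its own.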

Thursday, August 14, 2014

What is the "Farmville Free Game" popup?

This morning, after booting up Windows 8.1, I noticed a popup in the upper right corner of the screen for the “Farmville Free” game.  I was browsing in Google Chrome.  I had looked at a few of my own blogs.  I looked up what this is, and it seems to be legitimate (and is marked green in Mozilla by Webroot).  A link to a forum on this matter is here.  I did a cold reboot, and it did not recur when surfing in Chrome (my own blogs or anything else).  A Webroot scan did not find any problems.  
Does anyone know anything about this popup?  

Update: Sept. 15, 2014

It appears that Farmville2 is included with Windows 8.1 and that this popup comes from Windows.  Sometimes it happens right as I boot up.  It's harmless, but rather tacky.

Update: March 4, 2015

The Farmville icon persisted until I closed it.

Wednesday, August 13, 2014

New HP computer shows an unwanted dll member, a mystery

On my new HP ENVY “desktop” with Windows 8.1, I’ve noticed the presence of a bizarre Dynamic-Link Library (DLL) element, “_ocl_svml_e9.dll”.  It appears if I enter the letter “E” on the Windows 8 Tablet desktop as if I wanted to bring up “Excel”.

I noticed this after one apparent hard drive error, which I recovered from by simply turning off the machine and doing a cold boot, which took a little longer than usual.  After that incident, I signed up for the HP Support Assistant monitoring of firmware problems. I noticed that Windows 8.1 Action Center ran on bootup, possibly to mark a hard-drive sector as unusable.   

A little nosing around suggests that this is obscure malware whose purpose is unknown. But a site in Japanese, ExEdb, says, when translated, that this module is inessential and may be left on the machine. 

Webroot Secure Anywhere does not flag this module during routine scans.  

Thursday, August 07, 2014

Going from Windows 8 to 8.1; Webroot, Defender, and vssvc issues

There is some controversy over whether you have to disable your anti-virus software to go to a new Microsoft operating system.

Today I updated a Toshiba Satellite from Windows 8.0 to 8.1.  I had gotten two contradictory tweets from Webroot as to whether it was necessary.  I did not disable it.  After the two-hour procedure, the Action Center told me that Webroot was turned off, as was Windows Defender.

I tried to turn them both on from the Action Center. Windows would intercept Webroot in the usual fashion, but the Action Center was unresponsive.  Nevertheless, when I checked the Webroot icon, Webroot said it was on.  I ran the scan, and it took longer than it had in 8.0.

Later, Windows defender also insisted on running its own scan.  Both scans were clean.  In time, the Action Center message went away.

Webroot told me that it found an occurrence of vssvc.exe and wanted to remove it from the startup menu.  It gave me 60 minutes to stop it from doing so.

I let it go ahead and do so.

But then the cold boot failed.  I'll provide more details soon.

I don't think this had anything to do with vssvc.exe, which is used for "shadow copy" (link).  


Wednesday, August 06, 2014

A "spam" comment gets past Blogger's usual notification and security procedures; a significant security hole?

Yesterday (Tuesday, August 5), I received an odd comment in my moderation queue on Blogger for my “BillBoushka” blog (see profile), on a posting having to do with revenge porn.  The posting also mentioned the recent Middle East (religious) conflict.  The comment was a long exposition about some Christian teachings, especially regarding St. Peter, and it didn’t seem relevant, except maybe in the respect that a good Christian would not post revenge porn.  I had not gotten the usual email notification on AOL, and it had come from a Blogger member with a Google account, and had not been marked as a spam comment.
Blogger comment moderation often will mark anonymous comments as spam comments.  In those cases, an email notification to AOL appears, but the comment does not appear in the moderation queue, and it is not possible to override the spam classification from the email.  (We can argue why I don’t use the gmail account;  I just think there is more security in using two separate companies for the process.)
I allowed the comment.  Almost immediately, I found an item in my spam folder on AOL called “message” saying “hello you have received a comment from your message on blogpost”.  I did NOT receive the usual notification from Blogger to my AOL inbox, which provides a dynamic link to the post so I can easily check the comment. 
I checked the spam message on an older (XP) computer on which I don’t do any essential work now.  I clicked on the embedded link, and McAfee Site Advisor (that older computer has Site Advisor and Kaspersky) blocked it, saying that the domain was known for phishing.  It’s hard to see what the point of the phishing attack might have been. 
I checked the person’s account on Blogger.  He had a legitimate blog on Christian materials, and, from comments that I could find from Google, has generated some controversy.  (I’ll let the reader gumshoe this on his or her own;  this posting isn’t to attack anyone or their beliefs.)    
I removed the comment (although the blog posting still shows that a comment had been removed by the Blog Administrator) and wrote a comment myself, explaining what had happened.  I did get a proper notification from Blogger through my AOL email account, and it behaved normally.   I also found a similar comment on this blog in May 2014, which I also “removed” for safety.  
One possible concern could be this:  Could an attacker pose as that person by signing on to his account and then get around Blogger security to send comment spam, to get that person in trouble or harm the person’s reputation?   I would think that the two-step verification for Google accounts would stop this.  (By the way, Microsoft accounts seem to use two-step verification now, too.) 
On another small site that I have, I sometimes get comments slipping by moderation on an old Wordpress blog. On my newer Wordpress blogs, I use Akismet to filter spam comments.  So far, no comments have gotten past moderation and most spam has been flagged.   

Tuesday, August 05, 2014

"SOHOpelessly Broken" router vulnerability detection contest sponsored by EFF, ISE

Electronic Frontier Foundation and Independent Security Evaluators are sponsoring a “SOHOpelessly Broken” hacker competition to unveil ordinary router vulnerabilities, with the main contest link here. Independent Security Evaluators has a report on the vulnerabilities it found in ordinary home and office routers here.  EFF also documents its Open Wireless Movement with its Open Wireless Router Firmware, link here.


Adrian Crenshaw posted the 50-minute video on the topic on YouTube “Derby Con 30 5202: The Implications of Pervasive Vulnerabilities in Soho Router”. 

Monday, August 04, 2014

"Free" video player gets flagged by Webroot as serving adware; not sure if this is an imitation of a legitimate player

Today, I received and posted a comment on my TV Reviews blog for an entry August 1 about an NBC report on Hannah Anderson’s kidnapping last year.  The report had been hard to find online.  I got an anonymous comment (which this time got past Blogger’s spam comment filter) giving a link to a Vodlocker video of the report.  I checked Vodlocker’s “reputation” on Webroot through Firefox on my older Windows 7 Dell computer, and it turned up green – OK.  So I posted the comment, which gave the name of the link to the video with the spelling of the video element name, but the link did not load a hyperlink in the comment stream.  I don’t know whether the video might have infringed on NBC’s copyright, but that would sound possible. 

So I tried it manually, in both Chrome and Firefox on two computers.  I always got invited to replace the video player.  I’ve gotten this invitation from reputable sites before – most of all Major League Baseball.  On MLB, you can ignore the invitation and just view the video with your present player (Windows Media in Windows 8 in my case).  But with vodlocker, at least on this element, the invitation persisted.
I tried clicking on it on my older Dell Windows computer (which is no longer used for critical applications like banking).  Webroot Secure Anywhere immediately intercepted it (before Windows 7 could ask me for permission to execute it), warning on “c:\users\owner\downloads\flvplayersetup.exe”, in group “Pua.Adware.Installer”.   The Webroot “W” notification icon had a red bar in it, and I noticed that the automated scan was 8 minutes into execution.  This may have been coincidental.  The scan completed without finding threats.  I rebooted, and ran the scan again (it takes 30 minutes).  No threats.   I also checked the directory with Windows Explorer (both machines) and did not find this “exe” element.  It’s possible that Webroot Secure Anywhere quarantined the element immediately.  But normally it asks for permission (when a “red line” shows up on the notification icon) before removing or quarantining a threat.
The product seems to be “Free Player Local”, which is supposed to be able to play BluRay.  There is a product called VLC Media Player.  I don’t know if it’s related to this issue.
It’s possible that the download is legitimate, but a false positive for adware, or that it might be an illegal copy of a legitimate media player.  Does someone know?  Maybe the invitations are for a legitimate product. 

Note: The Blogger label "Spysweeper" now refers to "Webroot Secure Anywhere."  A number of years ago the product was called Spysweeper.  Generally, Geek Squad, in my experience, has preferred Webroot, Kaspersky, and Trend Micro on Windows machines, and uses A-Square for researching difficult infections.  

Sunday, August 03, 2014

"Tutoring" and "piano teacher" email spam -- and I don't see how it can even work.

I honestly don't know how these "math tutor" and "piano teacher" scams work, but I sometimes get emails that look like this.  Note the Bcc.  They definitely sound "too good to be true".  Why would someone contact a  complete stranger by email this way to tutor his son?  So this has to be spam, and a scam, but I don't see how the perpetrator could collect anything at all from it.
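Two posts on this page describe mail that should have raised a flag before any link was clicked: the fake "you have received a comment" notice of August 6, whose link led to a domain flagged for phishing, and the "tutor" solicitations above, which arrive with the recipient hidden in Bcc. As an added example (not code from the blog or from Blogger, AOL, or any mail provider), the Python script below applies three checks that would have caught both: whether the sender's domain is one of the expected notifier domains, whether the reader's own address is visible in To or Cc at all, and whether every link in the body points at an expected host. The two messages, the address owner@example.net, and the domain allowlist are all constructed for the example.

```python
import email
import re
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample messages; the headers and links are invented for the example.
FAKE_NOTIFICATION = """\
From: "Blogger" <notify@mail-notice.example>
To: undisclosed-recipients:;
Subject: message

hello you have received a comment from your message on blogpost
http://login-verify.example/blogger/comment?id=42
"""

GENUINE_NOTIFICATION = """\
From: Blogger <no-reply@blogger.com>
To: owner@example.net
Subject: [My Blog] New comment on a post about revenge porn

A new comment was posted. Moderate it here:
https://www.blogger.com/comment-moderation?blogID=12345
"""

MY_ADDRESS = "owner@example.net"          # constructed: the reader's own address
# Assumed set of domains a genuine Blogger notification would use.
EXPECTED_DOMAINS = {"blogger.com", "blogspot.com", "google.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, domains):
    """True if `host` is one of `domains` or a subdomain of one of them."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_reasons(raw, my_address=MY_ADDRESS, expected=EXPECTED_DOMAINS):
    """Return a list of human-readable reasons the message looks suspicious.
    An empty list means none of the three heuristics fired."""
    msg = email.message_from_string(raw)
    reasons = []

    # 1. Sender domain is not one of the expected notifier domains.
    _name, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rpartition("@")[2]
    if not host_matches(from_host, expected):
        reasons.append(f"sender domain {from_host!r} is not an expected notifier")

    # 2. My address is absent from To/Cc: Bcc or "undisclosed-recipients" delivery.
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    visible = {addr.lower() for _n, addr in pairs}
    if my_address.lower() not in visible:
        reasons.append("my address is not in To/Cc (hidden-recipient delivery)")

    # 3. Any link whose host is outside the expected domains.
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body)
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not host_matches(host, expected):
            reasons.append(f"link to unexpected host {host!r}")

    return reasons


if __name__ == "__main__":
    for label, raw in (("fake", FAKE_NOTIFICATION), ("genuine", GENUINE_NOTIFICATION)):
        print(label, suspicious_reasons(raw) or "no flags")
```

The allowlist is deliberately narrow: a notification service sends from a small, stable set of domains, so anything else is worth a second look even when the display name says "Blogger". The hidden-recipient check is the weakest of the three on its own (legitimate mailing lists use Bcc too), which is why the script reports all reasons together instead of stopping at the first.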