Tuesday, September 30, 2014

Creator of StealthGenie arrested by FBI for marketing an "illegal" app used for stalking

The creator of the StealthGenie app, which can be used to spy on someone when installed on his or her smartphone, was arrested by the FBI Monday, as reported in a story on CNN by Doug Gross here. The creator was Hammad Akbar, of Lahore, Pakistan. The CNN story links to another by Erica Fink, “Stalker: A creepy look at you online”. The capabilities to track someone in real time are legal only for law enforcement.

Surveillance by parents of minor children would be legal, as would surveillance of employees in some cases. 

The website for “StealthGenie” was not available Tuesday morning. But YouTube videos advertising it (even from the company) were still working. They might well get taken down soon.
A person would need access to the phone to install it to stalk, so usually this could come about when someone is being stalked by someone they “trust” (like someone dating the person) who has access to their stuff.

Sunday, September 28, 2014

Is bloatware ever actually malware?

When I got my HP Envy All-in-One back from Geeksquad (IT blog, Sept. 28), the technician reported that he had “removed threats” without specifying which, and that now there were no viruses and no hardware issues. He also said that he had removed “bloatware”, which was “Cozi” and “Pinger” according to the Microsoft Reliability Report in the Action Center.
In the past, GeekSquad has used A-Squared to find and remove viruses not found by nearly all major anti-virus vendors.  That may have been the case this time.  Since getting the machine back, there have been no freeze-ups or SmartDrive “false positive” hard disk errors.  The suggestion is that there might have been some sort of malware on the original machine. 
Once in a while, the display screen does go blank, and comes back when touching the mouse, as if the time counter for deciding when to go to sleep didn’t quite function properly.
The “Farmville” pop-up still sometimes appears and disappears quickly. It appears to be installed on 8.1.  

Thursday, September 25, 2014

"Bash" bug in Linux-based environments (including Mac) explained; most users probably not affected


Tim Lee of Vox has a detailed discussion of The Bash Bug in Linux-based systems, which include Mac personal computers. "Bash" stands for "Bourne-Again-SHell". If you go to Terminal on your Mac (Tim explains how to navigate to it, and I just did it on my own), you'll see if you have Bash (I do, in 10.6.8 -- my test is above). His main story is here, and there is a "proof of concept" simulation at "trusted security" here.

The main problem is a "recursion" in the shell that, if not properly implemented, hackers can exploit to inject malware or make machines into botnet zombies.

It looks like MacOS versions in MacBooks are probably OK, but security professionals at Apple are burning the midnight oil on this one anyway.  There should be more definitive news in a few days. Right now, there would not be much of a defense, although anti-virus software should be able to detect malicious activity soon.

This can't be good for Apple stock, which already suffered from a "bent wrist" iPhone (enough to please Tiny Tim).

US-CERT has a bulletin on the GNU Bourne-Again Shell vulnerability here.

I'm contemplating going to 10.9 (maybe a new machine) and Sibelius 7.5 soon to finish a music project.

The latest, Friday morning, is that Apple says that "Shellshock" isn't a problem for its users, Yahoo! Finance link here. But if it were, we would wonder if other third party apps, like Avid Sibelius, for music composers, could be affected by an operating system fix and update.

Unix servers can have vulnerabilities, as when "Site commands" are left open (as with a 2002 incident that affected me).

Update: Sept. 29 

Webroot has a statement on Bash or Shellshock here.

Wednesday, September 24, 2014

More new tips to avoid hackers (mostly with smartphones and home routers, and appliances)

Here's the latest set of "seven tips" to fend off hackers, by Jose Pagliery on CNN, link here.

Generally, I follow most of these, with a major caveat. I don't do any banking on my smartphone. I suppose that as time goes by I'll come under more pressure to use my phone to pay for things by phone rather than using credit card stations, will-calls, or print-at-homes. Getting a taxi is sometimes easier if you have the taxi software and can pay with it -- but that's also an exposure. (It's also a security plus -- if anything happens to you physically, police could find you.)

Web sites on cell phones are always asking for location.  That could lead a stalker to know where you are, if you think you could be a mark.

I don't think you need https if you're not going to do any business -- if you don't have to log on to the site to see the content. I NEVER have required users to do this (log on) for my sites, because I don't want the risk -- but I can see how there could be a point -- if there is new content only for some people to see. But then, you can set up private Vimeo instead (if it's a video).

It is true that even if you don't log on to see a site, your visit is recorded on server logs.  There was a case in 2005, when I was substitute teaching, when I needed to know which views of a controversial screenplay of mine had been made from school servers, and I was able to determine that easily.

But MOST people probably aren't in a situation where anyone cares where they logged on, if from home.  From work (where an employer cares), that's a different matter.

No, I really don't need Internet-smart appliances.  But I can see that as home security systems (and security cameras) get more sophisticated, and controlled from smart phones (like what Comcast XFinity sells now), there could be new issues with hackers -- when you're on vacation.

Practically everyone has a home router, as cable companies promote them, and many modern laptops don't have Ethernet ports (you can buy one with a USB adapter).  The biggest concern would be misuse for copyright infringement or child pornography, and the murky liability and maybe police work.  Yet EFF has written before that all WiFi connections should be public.  No, when I see a neighbor's unprotected connection, I don't use it-- just my own.  But I can see that families could be leaving themselves exposed.

Saturday, September 20, 2014

Trend Micro bawls me out on my "lack of privacy"

Well, I have Trend Micro on my replacement Toshiba Satellite Radius (which reminds me of the film company “Radius TWC” and “Snowpiercer”). 

Trend gave me a “tongue lashing” report on my lack of privacy after I re-installed Mozilla.  It is particularly concerned about visibility to advertisers and to the possibility of tagging photos.  Of course, the photo issue exploded recently with the iCloud hack, and that can have to do with what happens even when you aren’t online. 
Google Chrome is also talking about “synching up encryption” on all the machines that access my account.  I’ve never seen this before.  I’m not sure how I’m supposed to do it yet.  It would probably matter mainly for work overseas in non-democratic countries. 
I do watch financial accounts online regularly.  I have yet to discover fraud based on identity theft or hacks.  (It has happened with a stolen credit card before.)   I do wonder about getting spam emails for credit card bills for accounts I  don’t have (mainly for overseas banks). Maybe somebody has replicated my identity in eastern Europe or Russia, and used it over there.  Putin would put people up to this.  

Tuesday, September 16, 2014

McAfee Security Scan warns me about my past incidental visit to 4chan

McAfee Security Scan is often offered free with Adobe products. Today, on a Windows 7 machine, when it ran, it came back “code yellow” and gave me a warning that I had visited two suspicious sites, the “imageboards” “4chan.org” and “4cha”. “4Chan” has been controversial because it hosts questionable content like the nude photos (of female celebrities) stolen from the Cloud and posted by hackers. But I’m not aware of any reports of malware.
There have been legal questions whether visitors who look at any underage explicit photos there are “possessing” child pornography. A person might not know that an image or thumbnail that appears on the board is underage. There are questions, apart from the underage material, as to whether the site could be forced to remove material posted without permission. 
Still, I was surprised by McAfee’s Security Scan finding that I had accessed it and flagging it.  

Wednesday, September 10, 2014

5 million gmail passwords hacked by Russians; Facebook and Twitter also have 2-step verification

Webroot is reporting that about 5 million gmail accounts were hacked (it’s happened before) by brute force, and gives information on 2-step verification on not only Google, but also Facebook, Twitter, and Microsoft Outlook, story by Richard Melick, link here.  We need to see banks adopt this technology. 
The Bitcoin Forum has a list of the names, but it is in Russian, in part. 
You can check if your gmail was compromised with the “Isleaked” site, here.

You can put in placeholders to avoid spelling out your entire email address.

A Fox station offered this and another link to check, and then had second thoughts, link here.

Saturday, September 06, 2014

My own difficulties renewing Norton anti-virus on the Mac

I noticed that on a 2011 MacBook laptop that I use for music, my Norton subscription has expired.

And furthermore, when I try to renew it, I can’t get the Norton website to direct me to an update that runs on Mac OS 10.6.8 (the lowest update available is for 10.7 and Apple is already up to 13).  In fact, most of the links on the website take me only to Windows-based products!

So soon I’ll visit an Apple store and see how to get this updated.  It seems as though vendors are into making you replace operating systems every two or three years or else everything goes obsolete.  They won’t leave you alone.  
Update: Sept. 10

I tried to chat with an agent at Norton to get a renewal code, and got caught in a loop on the Norton site. I got the Norton site to update my account only from a Windows machine. Maybe the problem was I hadn't verified the email yet, but it shouldn't loop and keep on refreshing the base page.

Update: Sept. 14

I did get the subscription date to advance to 2015 with a renewal code from a chat agent.  Norton replaced the module once with the same product and a restart. 

Monday, September 01, 2014

FBI to probe iCloud nude photo leak

The FBI has launched a probe of the hacking of the Apple iCloud and the leaking of nude photos of some female celebrities (like Jennifer Lawrence and Kate Upton) from their private cloud accounts (apparently deleted items) to “4chan”.  The Huffington Post has a headline story this evening by Anthony McCartney, “iViolated”, here.  Apparently the photos had been taken on iPhones and stored on the phones, not on personal computers.
I wrote a posting on my main blog this morning, exploring a much bigger context, that of Section 230 of the 1996 Telecommunications Act, which would preclude downstream liability for sites like 4chan and, for that matter, Blogger, YouTube and Wordpress.
Possibly photos could be watermarked as they are stored in private clouds, which would tell a service provider later that posting of them is illegal.  Google is already using such an automated system to identify images known already to be child pornography.  Possibly this technology could be expanded.  

Update: Sept 2

ABC News reports that Apple did not find any systemic compromise of its security, and encourages the use of two-step verification of cloud storage (with strong passwords) particularly if very private or personal materials are stored and if someone would actually make money by getting them (as with celebrities).  Hopefully, most "ordinary people" don't have images that would be compromising.   Again, the idea remains, the government could some day troll cloud accounts for child pornography with hashtag matching.

Update: Sept. 6

Apple is changing security to limit the number of wrong password attempts allowed in access to its Cloud. It will also warn users when material from the Cloud is loaded to different devices. Here is the ZDNet story.
