Saturday, December 27, 2014

Will Wordpress soon enforce https for content? Also, ransomware masquerading as emails from FedEx

The Electronic Frontier Foundation has a summary of the initiative for worldwide encryption of all web traffic, in an article by Bill Budington, link.

Of particular interest is an announcement by Automattic that it would be serving all pages in https for its subdomains in Wordpress by the end of 2014 (or is that 2015)?

I have not seen this happen yet on either of my two Bluehost domains, and I haven’t gotten any emails or notifications about it or seen it on the dashboard.  I’ve tried them with https and get an invalid security certificate.

Should ordinary web content, not requiring logon and not involving collecting data of users, be encrypted?  Maybe, especially if you have a lot of visits from authoritarian countries (and it seems like I do).

In another warning (from AOL), there is a phishing attack using emails designed to look like FedEx shipment notices (probably UPS, too).  If you click on the link, your computer freezes and you’re greeted with ransomware.

Indeed, a properly working anti-virus program should warn you not to go to the site, or stop any such script from running.  But why hasn’t Microsoft fixed any vulnerability that allows such a website to upload and execute such a script at all?  This shouldn’t be possible. 
Maybe CERT will have an advisory soon.  Sounds like we need another W7 or W8 update right away.   
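The FedEx-style phishing described above can often be caught before anyone clicks, because the sender's display name claims a brand while the actual address and the links point elsewhere. The following is an added example, not code from the post or from any vendor it mentions: it parses two constructed messages with Python's standard library and flags a message whose "From" domain or embedded link hosts do not belong to the brand it names. The brand-to-domain table is an assumption for illustration.

```python
"""Flag shipping-notice e-mails whose sender or links do not match the brand they claim.

Added example (not from the blog post). The messages below are constructed,
and BRAND_DOMAINS is an assumed allowlist of domains that may legitimately
send on a brand's behalf.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: brand name -> registrable domains allowed to send for it.
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}


def _registrable(host: str) -> str:
    """Reduce 'notify.mail.fedex.com' to 'fedex.com'.

    Simplification: keeps the last two labels, so it is wrong for suffixes
    such as 'co.uk'; a real gateway would use the public suffix list.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _claimed_brands(text: str) -> set:
    """Brands named as whole words in the display name or subject."""
    return {b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", text, re.IGNORECASE)}


def _links(msg) -> list:
    """Collect http(s) URLs from every text part of the message."""
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True)
            if payload:
                body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    return re.findall(r"https?://[^\s\"'<>]+", body)


def suspicious_reasons(raw_message: str) -> list:
    """Return a list of reasons the message looks like brand impersonation (empty if none)."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _registrable(addr.split("@")[-1]) if "@" in addr else ""
    brands = _claimed_brands(display_name + " " + msg.get("Subject", ""))
    reasons = []
    for brand in brands:
        if sender_domain not in BRAND_DOMAINS[brand]:
            reasons.append(f"claims {brand} but From domain is {sender_domain or 'missing'}")
    for url in _links(msg):
        host = _registrable(urlparse(url).hostname or "")
        for brand in brands:
            if host not in BRAND_DOMAINS[brand]:
                reasons.append(f"link to {host} in a message claiming {brand}")
    return reasons


# Constructed sample: display name says FedEx, but address and link do not.
PHISHING_NOTICE = """From: "FedEx Shipment Notice" <tracking@fedex-delivery-update.invalid>
Subject: Your package could not be delivered
Content-Type: text/plain; charset=utf-8

We attempted delivery today. Print your label: http://fedex-delivery-update.invalid/label
"""

# Constructed sample of a notice whose sender and link agree with the brand.
LEGIT_NOTICE = """From: "FedEx" <noreply@notify.fedex.com>
Subject: Shipment delivered
Content-Type: text/plain; charset=utf-8

Track your delivery at https://www.fedex.com/tracking
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_NOTICE), ("legit", LEGIT_NOTICE)):
        print(label, suspicious_reasons(raw) or "no findings")
```

The same two checks generalize to any brand by extending the allowlist; what they do not cover is a message sent from a compromised account at the real domain, which is why a link-host check alone is never a complete defense.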

Saturday, December 20, 2014

US CERT releases technical details of "SMB Worm" used in attack on Sony; more on cell phone vulnerabilities

US-CERT (that is, NCCIC) in Pittsburgh has issued a detailed technical description of Targeted Destructive Malware, Alert (TA14-33A), a discussion of the “SMB Worm Tool”, link here.  This is the package that was apparently used by “Bureau 121” from North Korea in its attack on Sony.
Webroot, and other security companies, have written that it’s relatively easy for criminals overseas to sell these tools on the “dark web” in the black market.  Tools like this could be deployed against utilities, financial institutions, Internet providers, and the like; so all of these companies need to be particularly vigilant against these kinds of attacks and configure their systems to make them less likely.
Small business users can make themselves more resilient by keeping physical backups offline and by keeping some computers off of networks.  Apparently MacOS systems or Linux are not as vulnerable, at least now.  Maybe there is more of a case for generalized use of Mac in business. 
In another development, Craig Timberg, on the Switch Blog of the Washington Post, reports that German security researchers have found a flaw that lets anyone listen in on your cell calls, link here.

Update: Dec. 21

Michael Hiltzik of the Los Angeles Times gives a lot of detail as to why the FBI's conclusion that North Korea started the attack is questionable, and why Sony's problems may be more serious than at other companies, here.

Friday, December 19, 2014

ICANN apparently hacked, but apparently no harm to ordinary domain owners; check your WHOIS

ICANN, the Internet Corporation for Assigned Names and Numbers, announced Tuesday, December 17, 2014, that it had been hacked, according to a story in Slate by Lily Hay Newman here.

Apparently the hack occurred out of an archaic “spear phishing” attack in emails to employees.
The actual content in the CZDS is encrypted and supposed to be OK.  It seems unlikely that the hack exposes any ordinary webmasters to risk of redirection.  Nevertheless, webmasters should remain alert, check all their domains, and particularly review their WHOIS information (even if privately registered) once a month.  ICANN requires that domain owners review the information yearly (and sends emails) but more often is wise.
Webmasters may find that some domains (like Wordpress blogs) are hosted on shared IP addresses.  This is OK. 
The ultimate nightmare could be something like finding your domain name redirected to a porn site.
This reminds me of a problem in 2008 where Microsoft held an emergency security summit after Finnish security researchers found a serious security hole in the domain system (ID theft blog, Aug. 9, 2008).
It's also worth noting that people with older home routers should regularly reboot them (turn off, wait, and turn back on, which may cause a firmware update taking five minutes or so) to get rid of any malware.  This does seem to fix the "Moon virus" in some routers, which could cause random redirection of some sites.
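The monthly WHOIS review recommended above is easier to keep up if the check is mechanical: save the record you trust once, then compare each later lookup against it and only read the differences. The following is an added example, not code from the post or from ICANN or any registrar: it parses two constructed WHOIS-style records (the "Key: Value" layout is common, but real registrar output varies) and reports changes in registrar, status, registrant contact, expiry and name servers, the fields a silent takeover or redirection would alter.

```python
"""Compare a domain's current WHOIS record against a saved baseline and report changes.

Added example (not from the post). Both records below are constructed; a real
baseline would be the output of a lookup the owner trusts, saved to disk.
"""

# Fields whose change usually means registrar, ownership or lock status moved.
WATCHED_FIELDS = ("Registrar", "Registrant Email", "Domain Status", "Registry Expiry Date")


def parse_whois(text: str) -> dict:
    """Reduce WHOIS 'Key: Value' lines to a dict.

    Repeated 'Name Server' lines collect into a sorted, lower-cased list so
    ordering and letter case in registrar output do not produce false alarms.
    """
    record = {"Name Server": []}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith(">>>"):
            continue  # skip blank lines, comments and the trailing timestamp banner
        key, _, value = line.partition(":")  # first colon only; dates contain colons
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key == "Name Server":
            record["Name Server"].append(value.lower())
        else:
            record[key] = value
    record["Name Server"] = sorted(record["Name Server"])
    return record


def whois_changes(baseline: dict, current: dict) -> list:
    """Return human-readable descriptions of every watched difference (empty if none)."""
    changes = []
    for field in WATCHED_FIELDS:
        if baseline.get(field) != current.get(field):
            changes.append(f"{field}: {baseline.get(field)!r} -> {current.get(field)!r}")
    added = set(current["Name Server"]) - set(baseline["Name Server"])
    removed = set(baseline["Name Server"]) - set(current["Name Server"])
    if added or removed:
        changes.append(f"Name Server: added {sorted(added)}, removed {sorted(removed)}")
    return changes


# Constructed baseline record, as saved after a lookup the owner trusts.
BASELINE_WHOIS = """Domain Name: EXAMPLE-BLOG-SITE.INVALID
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited
Registrant Email: owner@example-blog-site.invalid
Name Server: NS1.EXAMPLEHOST.INVALID
Name Server: NS2.EXAMPLEHOST.INVALID
Registry Expiry Date: 2015-12-01T00:00:00Z
>>> Last update of WHOIS database: 2014-11-19T10:00:00Z <<<
"""

# Constructed later lookup: the transfer lock is gone and one name server changed.
CURRENT_WHOIS = """Domain Name: EXAMPLE-BLOG-SITE.INVALID
Registrar: Example Registrar, Inc.
Domain Status: ok
Registrant Email: owner@example-blog-site.invalid
Name Server: ns1.changed-dns.invalid
Name Server: NS2.EXAMPLEHOST.INVALID
Registry Expiry Date: 2015-12-01T00:00:00Z
>>> Last update of WHOIS database: 2014-12-19T10:00:00Z <<<
"""

if __name__ == "__main__":
    for change in whois_changes(parse_whois(BASELINE_WHOIS), parse_whois(CURRENT_WHOIS)):
        print("CHANGED", change)
```

A removed transfer lock or an unfamiliar name server is exactly the kind of change worth raising with the registrar the same day; a shared hosting IP address, which the next paragraph notes is normal, does not appear in WHOIS and is not something this check flags.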

Thursday, December 18, 2014

How the Sony attack really happened has not yet been explained in detail, and we need to know now (Later: admin leak discovered)

News reports are still sketchy on why large corporations and governments are not able to protect themselves against determined hacking attacks.
Webroot has an interesting story, from Dec. 2, of how Sony’s own backup and restore was taken over, and the hacker owner shows up in Google Play, story here

The Independent (UK) has a detailed timeline of the Sony hack here
The New York Times has some details here.  But the Daily Mail has a bigger story on the way the hyper-Communist country recruits cyber soldiers ("Bureau 121"), here.  And Slate gives Sony a real tongue-lashing here.
Still, can a properly defined security system ward off any conceivable attack?  Experts haven’t explained exactly how "they" got in.  Was it ordinary malware from email attachments or thumb drives?  It sounds more likely that it was direct connection to IP addresses.  But properly designed firewalls should have prevented intrusion.
There’s also a question of what operating systems were being used.  Was it Windows Server?  More likely it was Unix or Linux.  IBM Mainframe OS’s are very difficult to hack, and I know from a previous job application that Warner Brothers has a lot of mainframe – but I don’t know about Sony.
Again, "you" can't tell content providers not to talk about North Korea or radical Islam -- otherwise no content would have integrity.  Large corporations, especially, and governments need to make their networks impenetrable.  I don't know why they can't do it, but a lot is at stake.  Do ISP's, cable providers, and social media sites have better security than Sony?  I believe so.  But no one has explained even how a company like Sony was so vulnerable -- outside of possibly a disaffected insider. 
Back in the 1998-2001 era, small ISP’s would get “attacked” by DDOS’s directed to their servers.  There are techniques for repelling such attacks by making the packets “bounce”, like robocalls.  In April 2002, two HTML files on my old “” site (now were hacked.  The hack started in a passage discussing suitcase nukes, in an essay posted shortly after 9/11.  A Unix Site Command had been left open at the ISP.  It has never happened again.  The idea that a particular passage was hacked is disturbing, but it hasn’t happened again, and no major terror attack (like what I was hypothesizing in that passage) has happened.  I simply reloaded (by WS-FTP) the clean file from a separate floppy backup when I discovered the problem and fixed it in one minute.  I'll add that I do not have anyone's personal information; people don't log on to my own sites.
Home and small business users can consider not linking all of their computers with one router, and keeping physical backups on their own as well as using the cloud.  It’s also safer to turn a machine off when it isn’t in use for a long period.  Some basic security is old school.  

Update: Later Dec. 18

CNN reports that apparently hackers stole Sony systems administrator credentials, to "fake" an inside job.  And, contrary to earlier reports, there is more evidence that some of the actual hacking may have originated inside North Korea, and been routed to other countries.  Still, it seems that Sony did a rather unprofessional job of managing its security, and didn't take symptoms seriously.  Why didn't it hire a professional security company? 

There is also a question of why the crudely written hacker message or email (with language sometimes similar to what you see in overseas spam) was reported in the press, and not immediately sent to law enforcement in secret, so that Sony wouldn't be in a public "Catch 22" position.  Sony carelessly let itself get "outplayed" just as in a chess game.
Every major corporation (power utilities, banks, Internet service providers) should be reviewing how it protects its administrator security right now -- tonight -- and tighten the ship. 

Wednesday, December 10, 2014

How effective are the Microsoft Malicious Software Removal Tool and Windows Defender? Why do they take so long to update?

I’ve noticed during Microsoft automatic updates on both Windows 7 and 8.1 that the Microsoft Malicious Software Removal Tool takes a very long time to install, typically about ten minutes, whereas most other updates are quick.  Windows Defender can also take time.
The MSRT is not a substitute for anti-virus software; it is a “second opinion” that can remove malware only after the fact, and it’s only updated once a month.  Here’s a story about it on Computerworld by Michael Horowitz from 2009, link.
There is also a module called Windows Defender, which Microsoft explains here
But Windows Defender seems to score poorly in “real world protection” compared to third-party products, according to Tablet PC review, here.

Sunday, December 07, 2014

Odd request from a YouTube ad to update a driver; ignored; more on Moon router virus

Today, when I went to play some classical music on YouTube, I got an ad in the corner to the right of the YouTube display area, saying “you need another driver” with an invitation to download.  I X-ed out (did not download), and the web page then asked me to check a reason for canceling the ad.  I checked “inappropriate”.  Of course, I feared that this could be malware.  The video worked normally with no update. 

Persons should not click on ads inviting them to download drivers.  When one needs a particular driver, one should go to the site for the company that provides the driver.  This should not have been an acceptable ad on YouTube.

I didn’t think to snap a picture of the ad.  I snapped a different one when I tried it again.  It’s normal for YouTube to display an ad on the upper right side of the page. 

Also, last week, one time when I brought up my HP Envy on Windows 8, the system said it was re-arranging the startup (I really didn’t notice anything) and then invited me to download and install Skype.  I checked the publisher name when Windows Firewall intervened, and it appeared to be the correct site and executable from Microsoft.  It loaded OK and works, and Webroot accepts it.

But, again, the user should not be invited to try new software at startup.  It’s OK to display a “legitimate” ad,  but one should always go to the site for the company. 

On another matter, I have rebooted the Netgear router.  It took about five minutes, so it probably did a firmware update, and I’m told that this should fix the “Moon” virus.  I haven’t seen any more fake Adobe requests.  Today, once when I went to, I got redirected to an nbcnews subsite of Yahoo, but this appears to be an NBC problem; no warnings from Webroot.

Tuesday, December 02, 2014

How did the Sony Pictures hack happen? Why can't a large corporation protect itself? Same malware a home threat?

The hack of Sony Pictures, with the destruction of data on its corporate networks, seems to be the largest ever on a US company. 

But five films, including the upcoming “Annie”, were leaked, and available on piracy servers through P2P. 
There is a lot of suspicion of North Korea over the upcoming release of the comedy “The Interview”, with Seth Rogen and James Franco, where the US CIA recruits two journalists to assassinate the president of North Korea, which seems to take the film as a “threat” (almost like in the Elonis case, discussed on my main blog yesterday).  This is a little bit like my situation as a substitute teacher, where a fiction screenplay was interpreted by some as suggesting that I could be a “threat”.
But it’s also unclear why Sony’s own security systems were not able to prevent the hack, and how they got in, or how North Korea had the expertise to do this. 
The Wall Street Journal has a detailed and typical news story here
Webroot is characterizing this as a “ransomware” attack.  It is possible that the company was using a “malware infected host”.  It’s not clear from news reports whether there is a specific worm or virus related to this attack that home security software should scan for.  Webroot’s brief story is here.
CNET has a story about the FBI warning to businesses here. The FBI has sent out a “flash warning”.