Wednesday, March 26, 2014

Webroot subscription renewal seems to have a deadly-embrace trap, possibly related to original Geek Squad setup at Best Buy stores; Microsoft applies urgent KB to startup vulnerability

I am experiencing some misadventures with my Webroot renewal.  About a month ago, the control panel turned amber and warned me that the subscription would soon expire.  I updated the account, and it turned green.
  
About ten days ago, a little icon in the lower right corner (Windows 8) showed up, warning me again.  I tried the link, and this time it sent me to the Best Buy site to renew.  I did so.  The icon did not go away. 
I tried it a second time.   I don’t see any charges on any credit cards (I used American Express Optima), but the printout says that the card will be charged on a particular date in April 2014. 

  
I tried to go into the “My Account” link on the Control Panel.  Normally I would expect it to tell me the subscription date.  It invites me to log on.  But I had to create a logon account.  This seemed to work normally, until it asked me if it wanted me to add this “console” to an existing account.  That makes sense because I also have Secure Anywhere on an older Windows 7 Dell machine downstairs.  I said yes. 

  
But now I can’t log into it with the strong password I just created, or get the security question right.
  
Geek Squad does the support, so I suppose I will have to go to Best Buy near Falls Church VA and talk to Geek Squad about this.  Here is what I think happened.  When I bought the computer, Geek Squad set up the account and security questions and passwords.  Somehow I lost that sheet.  The system seems caught in a deadlock (or logical deadly embrace) between information entered by the Best Buy store and information I am trying to re-enter.  I don’t want it to be impossible to renew in April.

  
I would much prefer that credit card renewals be processed immediately so that we know that the renewal worked, rather than have to wait until the renewal date to see the charge and see proof that it worked.  Otherwise, the machine might suddenly not be protected for a time, and it takes very little time for hackers to get in otherwise. 


Update: March 27, 2014

GeekSquad says that the credit card charge does not happen until the due date, and therefore the repeated appearance of the Webroot renewal notification icon is normal.  This seems a bit sloppy.

GeekSquad used a Java applet to look at the signon problems.  You sign on to GeekSquad, they give you a six-digit temporary pin, which lets them push an applet.  Windows will ask for permission for it to run.  You need Java on your machine, but I do seem to have it as part of W8.  I suppose I can see how Java could make a machine more vulnerable to hackers, who could mass attack by generating pins.  I'm not sure what the safest strategy to deal with this idea would be right now.  We'd have to look at what the Webroot Threat Blog has written about Java recently.

They weren't able to resolve the logon issue, so I'll have to call Webroot directly soon.  It seems to have to do with the way it was originally set up at Best Buy and the fact there is more than one machine.  That is supposed to work.

The Webroot Secure Anywhere does run;  it's just that I can't get on to my account on their webserver because of this deadly embrace.


Update: April 4, 2014

As I logged on this morning, Webroot would not start until I updated again.  But then the Best Buy Script told me my credit card wouldn't be charged until 2015!  My American Express still doesn't show the charge due today, but maybe it is too early in the day.  I can activate it when I boot up with doing the card transaction over again.  Obviously, if they don't catch this and fix it today, I will have to call again.  This seems to be a problem on Best Buy's servers.  It seems that Webroot is going through Best Buy to guarantee that the fee is paid, which is another possible point of application failure.

Update: April 9, 2014

I talked to Geek Squad a couple times.  One representative said that my machine should have been up and connected when the charge was applied. I'm not sure this makes sense, because you need a Java applet to connect to the machine, or do you?

But this morning, Microsoft suddenly informed me that I needed to do an urgent update to Windows 8 with KB2922229.  I did the restart, and this time Webroot started normally without the warning.  But it may have been a startup problem.
Microsoft's link is here.  The vulnerability seems urgent.


Monday, March 24, 2014

Could smartphones become desired by thieves or street muggers just because of the bank and personal account access set up on them?

Just got my iPhone, as my Droid contract ran out, and this one is actually a little cheaper, but there is a 6G data limit.

The real point is that this phone is obviously faster and it will be easier to load apps and do more stuff in mobile mode.  That sounds good for travel.  But is it a good idea to do too much from phones?

Consider, if you are mugged on the street and the phone is stolen, the whole point of two-step verification is defeated if you put your Google account or any other company using two steps on.  Although right now hardware resale seems to be the motive for crime, that could change the motives for robberies in the future, especially if a kill switch out on. Criminals could imagine stealing phones in order to empty bank accounts themselves.

Verizon does sell theft insurance, which is pretty inexpensive.

It seems that the whole issue of the safest practices when traveling constantly changes. (The Malaysian incident is far out, but maybe relevant eventually.)  Is it a good idea to make everything at home smart so you can monitor it from your phone, if it can be hacked?

Here's another thing.  It's safer to drive a cheaper, less flashy car, although the most fuel-efficient (and hybrids) may become more desired by thieves in the future.  And thieves, finding that cars are harder to start when stolen, are more violent when confronting drivers.   Car rental companies often offer upgrades for free (when you arrive at your destination airport) but that can make you more of a target when on the road than with what you drive at home.

All of this is serious.  Catching someone and putting him in prison does not eliminate the loss, which remains.  Ultimately, there are no victims.  

Friday, March 21, 2014

Microsoft "spies" on customer email to catch intellectual property theft

Microsoft seems to have been within its legal rights when it perused customer private email to track down a violation of its own security and intellectual property rights, by Russian Alex Kibkalo, who leaked proprietary Windows code to a French blogger (so far unidentified) in 2012.  But there is an outrage in the blogosphere anyway, according to a Business Day story by Nick Wingfield and Nick Bilton in the New York Times Friday, link here.

The Verge (Vox Media) has a story on the arrest of the Russian, written by Tom Warren, here

The Electronic Communications Privacy Act allows service providers to read customer material if necessary for security purposes.
    
One could make the point, “maybe you shouldn’t be doing it.”  True.  I don’t have any interest in leaking proprietary code or content.  The sensitive information passed to me has been more along the line of tips (particularly several years ago) which have Homeland Security implications.  Whether I republish them depends on the circumstances (not always), but I don’t claim any “journalist privilege” if something falls into my hands.  It can.  

Monday, March 17, 2014

Trend Micro changes behaviors on my little travel Gateway notebook

A bizarre little thing happened with Trend Micro this morning on my Windows 7 Gateway notebook that I use for air travel.

The notification panel said it had been turned off.  I don’t know why.  I simply clicked on the program in the menu and it went through the “starting your protection” (which takes a while).  I ran the scan, which is unusual in that it names specific worms and Trojans that it is looking for according to current intelligence.  No problems were found. 

I’m wondering if it is possible to get a supplementary security tool, like A-squared, that Geek Squad uses, to do further checks for problems at home myself.  
  

Trend has been applying updates more in recent months than it used to.   

Tuesday, March 11, 2014

When it comes to cybersafety, most upper middle class kids really are all right

Cecilia Kang has an article Sunday, “Don’t panic over your cyberkids” or “The kids are all right” as she reviews a book and interviews the author Danah Boyd, “It’s complicated: The Social Lives of Networked Teens”, link here.
  
Boyd’s answers sound general.  On cyberbullying, “we have no methodology that everyone can agree on”.  In most cases, she says, there were facts and perhaps coincidences that complicate the story; most bullying incidents were two way streets.
    
She also points out that kids don’t have the luxury of learning from past mistakes.
   
In general, in my own contact with younger emerging adults in my own circles, I have not encountered any reports of major online issues.  Generally, the kids have been all right.  But these are upper middle class kids.  They generally don't need the supervision of a "family computer".  

Thursday, March 06, 2014

Fibbies pounce on Russian hacker who created SpyEye after he stepped overseas; tales of the Dark Web

USA Today offers a detailed story Thursday about super hacker Sasha Panin, now in jail, not arrested until he left Russia because the US does not have an extradition treaty with Russia. 
  
Panin developed “SpyEye”, a tool kit used by criminals for major attacks against retailers and credit card operations.  It was deciphered by TrendMicro about two years ago.  The FBI had to wait until Panin left Russia to pounce.
  
Panin says he went into malware because he couldn’t get a job that paid decently, except in international crime, which Russians view as legitimate business. The whole story seems to show that this is part of Russian strategy, to encourage young people to pilfer from the West.
  
The USA Today story is here. 

Panin was reportedly interested in artificial intelligence and wanted to invent a way for people to live forever digitally, perhaps as nanites as in the show “Revolution”.  He grew up in a smaller city north of Moscow.