Tuesday, April 29, 2014

Chrome said not to be detecting revoked security certificates for Heartbleed; Microsoft seems close on fixing IE


Dan Goodin reports in Ars Technica that the Google Chrome browser so far catches only about 3% of the security certificates revoked since the Heartbleed bug was exposed.  The link is here.
  
That observation could give a false sense of security.  If this is right and Google fixes it, browsing might start to get much slower.
    
Also, tonight, I got a big Windows 7 update from Microsoft on one machine, marked as “recommended”, requiring restart to take effect, but not requiring system reconfiguration. This fix might be related to or preparatory to fixing the recently discovered Internet Explorer bug.  I have yet to receive a Windows 8 fix. 

Monday, April 28, 2014

Internet Explorer finds a new vulnerability to honeypots


Technology media sources are reporting a vulnerability in Microsoft Internet Explorer, versions 6 to 11.  The problem lies in the way IE handles objects that have been deleted but are still in memory. Reports indicate that an attacker could get control of the victim’s Windows-based PC when the victim visits a “honeypot” website carrying a certain payload. 
   
Microsoft has not, as of this writing, released a fix.  Most likely, a new IE module (about a 40 MB download) will be released soon by itself as an automatic update, and it should be installed immediately. The fix would not be released to users of Windows XP, however, since their support has been discontinued. 

WONTFix has a detailed story here about vulnerability CVE-2014-1776; National Vulnerability Database link.

It seems that it’s safer right now for users to stay with Chrome or Firefox.  I have found, however, that on smaller notebooks, Wordpress and Shockwave do not work properly in combination in these two but do in Internet Explorer!  

Wednesday, April 23, 2014

Webroot Brightcloud site ratings: a closer look


I occasionally get warned on sites by Webroot Secure Anywhere. Some have an orange ball on search results and seem to be marked orange because they are new and little information is available.  Some sites that would seem reputable get blocked.
    
I find various discussion forums and threads, such as this one.
  
It seems that the site to look up is Webroot’s “Brightcloud” which has a URL lookup here.  It requires a captcha.
    
I consistently find with sites that get an orange rating (and even some that get blocked) that the sites have low popularity but do not show a history of any actual infections in the past twelve months. 
  
Brightcloud does allow URL owners to submit requests for review, here.

Thursday, April 17, 2014

"Kill switch" should make cell phones more secure in practice; strong password protection of phones works in conjunction with 2-step verification sites


Media reports indicate that a “Kill Switch” will be engineered into all mobile phones sold in the United States after summer of 2015. The major players in the deal include Apple, Samsung, Google and Microsoft.  Police departments want it, to reduce the incentive for thieves to snatch cell phones on the streets and in subways, with some encounters becoming increasingly violent.

George Gascon, from San Francisco, reports previous industry resistance based on loss of profits from theft insurance and replacement phones.  But cell phone thefts for the past twelve months in the US are up by almost 1 million. 
     

Moreover, some observers, such as Melissa Melton in “Activist Post”, note that the feature would give law enforcement or governments the ability to disable phones of people they just don’t like. Her post is here.  In the meantime, police and security experts advise owners to password protect their phones, even with strong passwords, although that advice wouldn’t seem related directly to Heartbleed. 
   
Password protection of hardware would be relevant to the issue of putting 2-step verification accounts, especially Google, on your smart phone. 



Tuesday, April 15, 2014

Heartbleed bug aftershocks could slow down Internet as many sites have to revoke their security certificates all at once


Brian Fung, Washington Post technology blogger, titles an article (on The Switch Blog) online quite bluntly “Heartbleed is about to get worse, and it will slow the Internet to a crawl,”  link here.  The front page print version Tuesday morning (April 15) is a little more reserved, “Heartbleed bug’s fixes threaten to disrupt Web; Newly revealed vulnerability forces sites to take action that could slow down Internet”.  Indeed, the whole encryption infrastructure has a case of Ebola virus.

The basic problem is that many sites, especially smaller businesses, will have to revoke the security certificates and install new ones.  Browsers will have to download long lists of revoked certificates to check because of a flood of cancellations in a short time.  The problem may be worse for mobile users, especially Android, than for desktop and more powerful laptop users with high speed connections.  Bandwidth capacity of some providers could be challenged, although telecommunications companies like Comcast and Verizon will probably be expecting the surge.

There would be a question as to whether browsers could make changes to make the search through long lists of previously encountered revocations more efficient.

Here’s how you can check certificate status:
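An added example, not part of the original post: a throwaway CA, one server certificate, and the CRL check a client performs before and after that certificate is revoked, along with the size of the revocation list the client has to download. It assumes only the openssl command-line tool; the CA name and the hostname are constructed.

```shell
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal configuration for `openssl req` and `openssl ca`; all names are constructed.
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = ./ca
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = ./ca.pem
private_key        = ./ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = demo_policy
x509_extensions    = leaf_ext
[ demo_policy ]
commonName         = supplied
[ leaf_ext ]
basicConstraints   = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints   = critical,CA:TRUE
keyUsage           = keyCertSign,cRLSign
EOF
# Self-signed CA, one server certificate (the "site" whose key may have leaked), and an empty CRL.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo CA" -days 365 -config ca.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=example.test" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in srv.csr -out srv.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
# crl_status: the client-side check. Chain srv.pem to the CA, consult the CRL,
# and echo "good" or "revoked" (anything else is a setup error).
crl_status() {
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem srv.pem 2>&1 || true)
  case "$out" in
    *revoked*) echo revoked ;;
    *OK*)      echo good ;;
    *)         echo "error: $out" ;;
  esac
}
# revoke_and_reissue_crl: the site-side step after rotating a possibly leaked key.
# Clients keep seeing "good" until they fetch this newer CRL.
revoke_and_reissue_crl() {
  openssl ca -config ca.cnf -revoke srv.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}
# crl_entries: serials listed in the CRL, i.e. the size of the list clients download.
crl_entries() {
  openssl crl -in crl.pem -noout -text | grep -c 'Serial Number:' || true
}
```

Run `crl_status`, then `revoke_and_reissue_crl`, then `crl_status` again to see the same certificate go from "good" to "revoked"; a client that still holds the old CRL would keep reporting "good".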

As of the middle of the day Tuesday, I haven’t noticed much effect yet on website speed, although I have to order some tickets online soon.  I did watch a long YouTube video yesterday with no effect. 
It appears that the big companies like Google and Facebook have done all their fixes.  As I noted yesterday, Wordpress seems to have some issues that may be related.  I’ve personally handled these fixes without difficulty.  Banks, by and large, weren’t using this facility.  The biggest users might be sites that sell tickets and travel.  They could have a hard time getting reprogramming done properly.
  
One idea that I think smaller sites must consider is separating content from commerce, and using more than one domain.  Although I know that Electronic Frontier Foundation has recommended that people use https everywhere, I don’t think that is necessary for ordinary news browsing in western countries.  No, I don’t see the NSA as an issue here, but I would be concerned overseas in places like Russia and China. 
   
It used to be common for book authors to set up sites offering some free content and then their own e-commerce to sell books.  Now, I simply outsource all my own credit card stuff to Amazon, Barnes and Noble, iUniverse and XLibris so I don’t have to offer secured encrypted access at all (although foreign visitors might have an issue – and my analytics show a lot of traffic from non-democratic countries, despite all the filters and censorship). 
  
In the meantime, the public is paying more attention to the way the world’s security infrastructure is maintained, often by amateurs and volunteers, sometimes in remote areas.  The Washington Post is now wisely writing that we should not be trusting control of the power grid and industrial processes to an infrastructure without more professional oversight.  

Monday, April 14, 2014

Jetpack on hosted Wordpress installations should be updated pronto for security flaw, similar in nature to Heartbleed, it seems

Bluehost and other hosting providers have notified Wordpress customers using Jetpack to update their installations to Jetpack 2.9.3, to fix a two-year-old bug that would allow an attacker to bypass the control panel and publish material.  Wordpress has also said that it may disable Jetpack on installations that don’t update.  Fortunately, the update is quick and can be done from the Plugins link on the control panel. The customer is updating his own hosted space, not his computer. 
   
CSO has a story on the problem here.  George Stephanis explained the fix on Wordpress here.
  
It wasn’t immediately clear if this problem was related to Heartbleed, but the coding issues described sound similar.  But the fix needs to be made even for users not using https encryption. 

  

Friday, April 11, 2014

Advice on Heartbleed-related password changes now; Security and Open Source infrastructure depends too much on volunteers, inadequately paid people


CNN Money has some guidance counseling on which passwords should be changed now because of the Heartbleed Bug, here. I’ve taken care of Google (2-step) and Facebook.  My Wordpress host sent emails recommending replacement of the Jetpack, but I don’t think in my setup it was using Open SSL.  I’ll have to look further or call them before replacing engines. 

   
Note that many major banks and financial institutions have not been found to be affected after all. Neither is Twitter, so far.

  
The Washington Post on Thursday, in an article (link) by Craig Timberg, discussed the way Open SSL and many other Internet security features (with emphasis on Open Source, especially with Firefox) are maintained by volunteers, small companies or other engineers not properly compensated, while real enemies (especially overseas, like in Putin’s Russia) get more savvy.  

   
The Post article indicated that much of OpenSSL was the responsibility of a single person who works out of a home office, with “industrial infrastructure”, in a rural area “on the shoulder of Sugarloaf Mountain”, near I-270, about ten miles from Frederick, Maryland and maybe 25-30 miles from the Washington DC line.  The article does not specify the individual or the address, of course.  But the “shoulder” of Sugarloaf is generally understood to be an extension of the ridge that extends north under the highest point along I-270 (where the road narrows to two lanes each way).  The mountain is about 1300 feet at the highest point, and usually the ridge is 600-900 feet in most places.  There is a similar ridge in northern Virginia west of Tyson’s Corner.  I drove around the area to see what living in the area looks like.  I found a road “Slate Quarry”, near I-270, that was basically one-lane, and ran back into the woods, sometimes by expensive homes.  It encountered another road that advertised an “artist’s colony” that I never found.  I wound up on Sugarloaf Road, and then Thurmont(?), seeing some places called “The Farm”, then “New Hope Farm”, and a Quaker settlement.  Some of these places may have been small “intentional communities” (see Issues blog, April 7, 2012).  I turned onto Route 80, went into Urbana for a moment (that was the name of a fictitious town in the Parker Brothers’ game “Star Reporter” in the 1950s), then went back west, and tried a few more country roads, again seeing many homes, especially big homes.  A lot of people in this area, who might appear to belong to the “Doomsday Prepper” crowd known for Second Amendment Rights and big 4-wheel drive vehicles, appear to live very well.  But they have to be able to deal with septic tanks, propane tanks for generators, and a lot of issues of physical self-sufficiency.  
I think that libertarian author Charles Murray (“Coming Apart”, Book review blog, March 14, 2012) lives in the general area and might be familiar with this issue.  I have relatives in Ohio who have this sort of lifestyle in a remote area, and live well, if privately.

There were other interesting sights today.  Along Route 80, there was a "Sheriff's Youth Ranch".  There was a sign advertising the idea that college students could avoid debt by buying and renting real estate.  There were estates called "Mountainside" and "Mountain view".  In Virginia, along Route 15, there was a sign "USA Skills".   


Update: April 13

Timothy B. Lee has a story updated on Vox late Saturday, "Here's why it took 2 years for anyone to notice the Heartbleed Bug," link here. There is a picture from a farm, and I don't know if it is the property of the unnamed person mentioned above, from the Washington Post story.  It looks familiar.  Did I pass it somewhere on Sugarloaf Road?  Memory is fading.

Additional pictures below, from the NW side, near the Route 28 intersection.



Wednesday, April 09, 2014

Https undermined by discovery of "Heartbleed" vulnerability in Open SSL; the web's equivalent to Ebola?

There’s a lot of hype in the news suddenly about the Heartbleed Bug, starting with this reference site.   The bug would allow an attacker to read memory areas of the OpenSSL software (where a “heartbeat” continues), which normally is expected to provide encryption with https.   The name of the vulnerability is metaphorical; it sounds like Open SSL is infected with Ebola virus (or at least Marburg).  CERT at Carnegie in Pittsburgh will have a lot to say about this one. (The name is "Heartbleed", not "Heartbeat".)  
   
There is a technical explanation, in terms of actual code, on the Cryptography Engineering blog here.  It’s clear that any company offering https encryption for consumers or stakeholders needs to fix the problem carefully.
  
Codenomicon, involved with Google in discovering the flaw, has a write-up here.

Media reports are saying that users should change all their passwords now.  But this probably wouldn’t help until companies have had time to fix the bug.  For many home users, a gradual change is probably what will be in order.  It’s not clear that this bug has led to actual losses, or whether there is any conceivable connection to the Target and other similar breaches.  It probably has exposed some people to NSA or foreign intelligence surveillance, but this may not be a practical concern for most average users or even small business owners.  It would be a problem for businesses that take credit cards online without outsourcing to much larger retail service vendors like Amazon.  Ticket vendor sites (which are difficult to keep track of anyway) are likely to experience issues. 
   
Timothy B. Lee explains the Heartbleed bug on Vox here.  It’s the “secret key” exposure that is serious for some users.  There’s no way to know for sure if a password of an institution not protected was changed.
Probably, most users will start getting notification soon from some of their financial institutions and perhaps social media sites and other vendors (like show tickets) that they should change passwords.  2-step verification could also be a valuable technique.   

Electronic Frontier Foundation calls this concept "perfect forward secrecy", story here.
  
For some reason, Facebook these days is not always staying logged on.  I don’t know if this is related to the problem.
    
Back in the 1990s, a co-worker called me “Ebola Bill”.  For good reason?  



Update: later April 9

Tim Lee wrote another article urging users to change passwords now.  Here it is.  I haven't seen any emails from any vendors yet urging password changes.  

Friday, April 04, 2014

Wordpress seems to be targeted by hacker toolkits on the underground market (Webroot Threat blog story)

Webroot’s Threat Blog has an article giving details about toolkits on the market aimed at attacking Wordpress platforms, which are often domains that offer blogs as entry, and then have other pages across the top banner.  The link to the article by Dancho Danchev is here.

It’s remarkable how varied the tools are, and that the “rootkit vendors” accept payment only from PayPal or BitCoin.
  
WordPress has an article called “Hardening WordPress”, which recommends measures that require some considerable technical knowledge of administrators (of scripting and Linux or Unix, usually).  If you pay for a service from a reputable hosting company, most of these services are probably being done (especially the WordPress version and plugin updates) automatically by the host on its servers.   I haven’t seen anybody put in two-step verification except Google (which still doesn’t work if your cell phone is snatched on the street).   If you notice really unusual volumes of page requests for your admin page, that could mean someone is trying to hack and crack the password.
   
It’s not so clear from the article whether the hack attacks and DDoS attacks are directed at the Wordpress sites, or are more about using the sites as zombies to attack higher-profile sites like governments and banks with DDoS. But Sucuri will check to see if your site is being used to attack others (detail here).   It’s not clear that a site would be taken down because it had been used this way, unbeknownst to the owner.  There may be language about this buried deep in the TOS of hosting agreements, but the danger is probably greater for parties that do all their own hosting. 


Thursday, April 03, 2014

"Man-in-the-browser" attacks can lead to draining bank accounts when online interfaces look normal

Silent Banker, SpyEye, Gozi, and Zeus are examples of malware that can cause “Man-in-the-Browser attacks” with “banking Trojans”.  SourceFire has a video from late 2013 with a chalk talk that shows the danger.


I first saw discussion of this from Checkpoint security after researching a Newsweek article on security by Kurt Eichenwald.

It’s possible for such an attack to intervene in a banking session, and ask for personal information. It’s possible for it to siphon money to an offshore enterprise masquerading as a bank, and then present the same information to the user. 

For protection, users could consider some additional strategies, most of all checking financial information in more than one browser and on more than one device, preferably in a different operating system.  Don’t just depend on one smart phone or one Windows computer to check balances.  Another is to look at the actual bank statements in PDF format at times. 

Employers with secure environments probably worry about these attacks and corporate espionage, especially from overseas companies (like in China).  But employers could be helpful if they allow employees to check their own balances at work as a cross check.  This could make sense in jobs with security clearances where employee creditworthiness and financial stability is important. 

One of the techniques used by Trojans is “html rewriting” – that’s how they change what the user sees in the browser.

This sort of malware seems to be sold widely in “toolkits” from overseas (especially Russian – read Putin) vendors of malware.  

Wednesday, April 02, 2014

Attempt to go to CNN page results in "Adult" web page loading from adware


Yesterday, when I tried to go to a link for CNN's new interview program with Michael Smerconish, my computer (Windows 8, Toshiba) suddenly displayed a page from "Adult Friendfinder".


A trace of Firefox history showed an ad script from "allextreme.com" searching for ads.  Maybe my cursor passed over an ad on a Google search page somehow.  When I repeated the link, it did not happen again.  I don't think CNN would sell an ad to this site.

Webroot shows the Friendfinder site to be OK, but MyWOT shows red warnings.

The site will show up on Google only on an Advanced search allowing explicit sites and images.  The page that appeared was explicit but appeared to be based on adults.

I don't know how this happened.  I sent a tweet to Webroot.   

Tuesday, April 01, 2014

Global Knowledge offers white paper on "Hackers, Hacking and CEHv8" (certified ethical hacking)

Tech Republic has offered a download to a 16-page whitepaper by “Global Knowledge” (link), titled “Hackers, Hacking and CEHv8”,  by Bob Withers, in the “Expert Reference Series of White Papers”.
  
The “CEH” acronym means “certified ethical hacker”.  Maybe that will be a question on Millionaire. Obviously, that’s an important concept in the paper.  There is actually an exam for “certified ethical hackers”, and we are now up to version 8. Courses are offered by the Virtual Training Company (link).  


Some of the main categories of hackers include “The Script Kiddie, the cyber-criminal, the cyber-spy, the cyber-terrorist, and the hacktivist”. 

Many attacks targeted at high-profile websites are distributed denial of service attacks, using botnets and zombie computers.  Some attempt to deface the sites, but this is less common.  I had such a defacement in April 2002 of an essay describing the 9/11 terror threat, in a section dealing specifically with suitcase nukes, taken from my second “Do Ask, Do Tell” book, later published at the end of 2002. The hack spilled over onto one other essay on the workplace, probably by accident.  Since I had my own backups, it was easy to restore, and the incident has not recurred.  But one wonders what the motive of such an attack could have been. 

Withers characterizes a lot of hacking as happening “because we can” or “just for the fun of it”, like compulsive or impulsive behavior known to forensic psychiatrists.  The attitude is that we live in a competitive, brutal world and that bullying is the only way to go, so get used to it.

One of the most dangerous ideas could be framing someone, by placing illegal content on their site, or by wardriving a router (the latter is getting better known now by law enforcement, finally).  Likewise, there are a few particularly malicious ransomware attacks that actually have been known to place child pornography on a home computer (Sept. 23, 2013).  Webmasters should always remain in touch with what is on their sites with random security and content checks, and home and small business users should do the same with their installations.