Thursday, December 17, 2015

I get a false tagging in someone's pornographic image on Facebook (for the first time)

There’s a first time for everything, and I guess that includes getting “tagged” on Facebook.

Today, after someone had been confirmed as a Friend, I got a bizarre email warning me that I had been tagged on a particular pornographic (adult, heterosexual) image.  Indeed, the image and post were in my timeline.  I wrote a comment “That’s not me, not even close.”  The item disappeared from my Timeline in about ten minutes, as well as from my Activity Log.

This was a case of tagging an image that was not one of me.  People are sometimes sensitive to the idea that real images can be tagged when they are photographed in certain places, like bars.

Here is Facebook’s Help Center entry that covers the issue.

Monday, December 14, 2015

Search engines can report possibility that a site is hacked

Lately Google search results have been reporting sites that may have been hacked or that might contain drive-by downloads.  Underneath the search result you see a little “This site may be hacked” or “This site may harm your computer.”

Google’s support page for webmasters whose sites show this message is quite detailed and demands a lot of technical expertise to follow (especially in shell scripting).  Webmasters using shared hosting would normally expect their hosting companies to assist with this.  There is a possibility that all the sites on a particular shared hosting server could be affected.

I saw this on a popular site yesterday (will not identify), and visited the site on a device I don’t use for critical purposes.  The site looked normal.  It was a blog, and it could have been that the somewhat unusual verbiage and site organization fooled the engine.  I don’t see the result with Bing on that site, only Google.

A few months ago, one of my two Wordpress sites had an issue when a spam comment loaded on top of the web page.  I have Akismet but somehow the service missed this one.  The problem went away when I, as administrator, merely deleted and marked the comment as spam. The site did not get flagged by Google.
Sites that are not frequently updated might be more vulnerable.  The possibility of illegal content could be a legal risk for some webmasters.  But around the country, news media show scattered reports of sites hacked with radical religious propaganda.

In 2002 two flat files on an old Apache legacy site (one file discussing nuclear terror) were hacked.

Monday, December 07, 2015

Social media companies have to assess how to identify violent or terror-promoting content

Social networking sites, especially Facebook, Twitter and Instagram, are coming under increased pressure to screen material for terror-inciting content, according to a Wall Street Journal article Monday by Deepa Seetharaman, Alistair Barr and Yoree Koh.

Until recently, companies have allowed posts that depicted past terror acts on the theory that they are important news.  Now, the companies have to consider whether they were posted just for enticement. Computerized algorithms have a hard time doing this.
It's easier to identify child pornography, since there is a database with NCMEC of known images with digital footprints.  But no such system exists for terrorism.  Screening for these issues could extend eventually to private cloud storage.
The service most under pressure seems to be Twitter.  (Facebook removed a post by Tashfeen Malik quickly after the attacks.)  Twitter also has to deal with the way users interpret the dynamics of its service, as some people now consider certain reply behavior by unrequited followers as “stalking” or at least rude, while others don’t.  I discussed this on my main blog Friday (Dec. 4).

Thursday, December 03, 2015

US CERT issues advisory about "Dorkbot"

US-CERT (United States Computer Emergency Readiness Team) has issued a major bulletin about “Dorkbot”, a botnet that is used for several illegal purposes, including stealing online payment information and participating in DDOS (denial of service) attacks, link here. The alert is called “TA15-337A”.  It affects Windows systems.

CERT believes modern anti-virus companies are keeping up with this particular item.
One of the best defenses against payment fraud or bank attacks is regular inspection of all one’s financial accounts online.  It may be easier to have fewer of these so it is easier to check them frequently. Accounts should be checked every week during normal business hours (as some systems might have weekend maintenance, and it is possible to call immediately and get attention when catching a problem in a business day).
Private or small-business websites could be jeopardized by DDOS. But better hosting companies can detect attempts and blacklist or block access (even for public sites without logon) from specific IP addresses or ranges (via .htaccess) automatically.  Some hosts (like FourSquare) send warnings to website owners, or may even post incidents on WHOIS.   Some website owners (hosting their own servers) might learn the server-side programming to do this themselves.

Thursday, November 26, 2015

EFF compares digital security encryption to home security systems, in opposing government calls for back-door decryption to combat terrorism

Cindy Cohn, of Electronic Frontier Foundation, left a compelling essay for Thanksgiving Day, "Stronger Locks, Better Security”, link here.

The piece is motivated by the idea that tech companies should provide a “back door” decryption for the federal government to use in anti-terror investigations, albeit under court supervision.  This would be accomplished by Apple and other companies keeping “highly secured” copies of decryption keys put on mobile devices somewhere in an Iron Mountain (or Cheyenne Mountain) facility, maybe to be secured in a manner comparable to NORAD.

Cohn offers an analogy to homeowners installing sophisticated home security systems and installing pick-resistant deadbolt locks.  The latter, made mainly by Medeco, became popular in the 1970s, first with apartment dwellers in New York City.  If the government required homeowners to install less secure physical perimeter security, homeowners, especially those who live alone or where both spouses work or travel heavily, would be unacceptably vulnerable to crime and even become uninsurable.  So the same analogy holds for security of one’s computing environment and one’s own social media accounts, websites, and particularly mobile communications.  If one is forced to deal with weaker mobile security, inevitably (especially for women) stalkers and criminals would present an unacceptable risk even if police could more easily intercept major plots.

So the overview is that security is really morally a matter of personal responsibility.  That sounds fine for libertarians, and suits the 2nd Amendment lobby.  But sometimes the whole is more than the sum of its parts.

Tuesday, November 24, 2015

Norton Firewall squawks on an older MacBook

I got out an older MacBook this morning (from 2011), with the Mac OS 6.8, and tried to give it some maintenance use and found the Norton Firewall blocking access to updating Adobe Flash, and for a while to Blogger postings.  It had never done that before.

Not sure that it means anything, may have something to do with an outdated operating system.

It is getting difficult to keep computers more than four years old up to date and running properly.

Monday, November 23, 2015

ABC sponsored story from Norton raises an iceberg: drive-by website infection, maybe steganography

Monday, ABC News offered a sponsored story from Norton, about the risk of getting malware from “drive-by” sites, where merely opening the page can load malware (or “scareware”).  Some of these may be misspellings of well-known commercial sites, especially news sites (like when “news” is mistyped as “bews”).  Commercial anti-virus vendors don’t always catch all of them (especially the “scareware” which doesn’t load an executable).

One possibility is for sites to be hacked, as has happened even with news sites.  Recently, a major church had its site hacked and replaced by Viagra ads, with the attacker traced to Russia.

Unfortunately, the church had not backed up everything off-line, and apparently was running its own server rather than using a professional hosting company.  It has changed that practice, and now will use FourSquare (which is pretty good about warning about unusual volume or possible DDOS).  Webroot has written about this possibility, mostly in the area of SQL injection attacks.  There is the imagined possibility that illegal content could be loaded this way, posing legal risks to owners perhaps.

Shortly after 9/11, security experts expressed a concern that enemies might hack sites (even small amateur sites) to send “steganographic” instructions to other operatives.  Discussion of that possibility in the media pretty much had stopped by the end of 2002.  But in April 2002, two pages on an older legacy site of mine were hacked with material related oddly to nuclear terror and Finland.  This was reported to the FBI.  But the incident has not recurred, and no real-world attack related to the contents of the hack has ever happened.

The possibility of steganographic attacks could lead to the idea that websites with low volumes or infrequent updates by the owner should not be allowed to stay up.  On the other hand, such an attacker risks being discovered if the owner regularly and randomly checks the site even if it isn’t updated a lot (including checking directories for unlinked files).  It’s at least conceivable that an attack could be detected in advance any time a public web page is involved.  So that’s a natural deterrent.
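One way for an owner to do the regular check described above (added example code, not from this post or any hosting product): it records a SHA-256 manifest of a site directory, reports files added, changed or removed since that baseline, and lists files that no HTML page links to. The sample site is constructed in a temporary directory; the href/src link regex and the assumption that index.html is the entry page are mine.

```python
"""Baseline-and-compare integrity check for a static site directory, plus a
search for files no page links to.  Added example; the sample site below is
constructed in a temporary directory, not a real site."""
import hashlib
import json
import posixpath
import re
import tempfile
from pathlib import Path

# Pull the target of href="..." / src="..." attributes, dropping any #fragment or ?query.
LINK_RE = re.compile(r'''(?:href|src)\s*=\s*["']([^"'#?]+)''', re.IGNORECASE)


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifest(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished or changed since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def unlinked_files(root: Path, entry: str = "index.html") -> list:
    """Files under root that no HTML page references via href/src (entry page excluded)."""
    manifest = build_manifest(root)
    referenced = set()
    for rel in manifest:
        if not rel.endswith((".html", ".htm")):
            continue
        text = (root / rel).read_text(errors="replace")
        for link in LINK_RE.findall(text):
            if "://" in link or link.startswith("mailto:"):
                continue  # external link, not a file on this site
            if link.startswith("/"):
                target = posixpath.normpath(link.lstrip("/"))  # site-root relative
            else:  # relative to the directory of the page that links it
                target = posixpath.normpath(posixpath.join(posixpath.dirname(rel), link))
            referenced.add(target)
    return sorted(p for p in manifest if p != entry and p not in referenced)


def build_sample_site() -> Path:
    """Constructed three-page site in a fresh temporary directory (not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    (root / "docs").mkdir()
    (root / "index.html").write_text('<a href="about.html">About</a> <a href="/docs/faq.html">FAQ</a>')
    (root / "about.html").write_text('<img src="logo.png">')
    (root / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
    (root / "docs" / "faq.html").write_text("<p>Questions</p>")
    return root


def tamper_sample_site(root: Path) -> None:
    """Simulate what an intrusion might leave behind: a new unlinked page and an edited page."""
    (root / "docs" / "extra.html").write_text("<p>not placed by the owner</p>")
    (root / "about.html").write_text('<img src="logo.png"> <p>edited</p>')


def run_demo() -> dict:
    """Build the sample site, take a baseline, tamper with it, and return what the check reports."""
    site = build_sample_site()
    baseline = build_manifest(site)
    report = {"unlinked_before": unlinked_files(site)}
    tamper_sample_site(site)
    report.update(compare_manifest(baseline, build_manifest(site)))
    report["unlinked_after"] = unlinked_files(site)
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the baseline manifest is saved (for example as JSON) somewhere the web server cannot write, and the comparison is run on a schedule.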

The recent events in Europe seem to have been coordinated with off-the-shelf encryption products installed on the mobile devices themselves – private conversation that is pretty much the cultural opposite of publishing and steganography. The main debate now seems to be whether tech companies should be required to keep copies of encryption keys (the “back door”) so that law enforcement could intercept terror attack plans, with court supervision and proper warrants or subpoenas.
Still, there’s a chance that the old 2002 debate will return.

Thursday, November 19, 2015

Kaspersky squawks about new routers from Xfinity; has Microsoft turned the corner on security with Windows 10?

I did install the new Comcast-Xfinity Arris modem-router for higher 5G speed yesterday.

I note that Kaspersky gives me a warning on it in Windows 10, but other packages (Webroot and Trend) do not.

The MacBook says it does meet WPA2 standards, so I don’t know why Kaspersky flags this (it flags a lot of things, and Windows 10 sometimes encrypts images I want to see).

Nick Wingfield has a detailed article in the New York Times on Wednesday, “Microsoft sheds reputation as an easy mark for hackers.”  It does seem that Windows 10 has gone to some lengths for security.

However, YouTube shows some detractors.

On the router, I "redacted" the evidence just the way the CIA would.  And this is what the Mac says.

Wednesday, November 18, 2015

Anonymous helps Internet companies infiltrate ISIS misuse

NBC News has republished a major Reuters story this morning (and put it on Facebook’s news feed) about Anonymous and its own attempt to snarl ISIS with “ethical hacking”, rather like the character “Q” in recent James Bond movies.  The story is here.  The story also links to another account of new cybersecurity in Britain.

The group says it has helped close down ISIS-related Twitter accounts (could it get some of this wrong and close down a legitimate user?) and has posed as possible recruits to gain access to Dark Web sites and encrypted messaging apps, which are becoming controversial.

As noted yesterday, it appears that terrorists use off-the-shelf messaging apps (like Telegram) and “go dark” before an operation starts.  There is controversy over whether a mandated back-door (for NSA or other law enforcement access) would open ordinary users to more crime, or to government intrusion not related to terror (for example, taxes).  A major issue seems to be that Apple has placed the encryption tools on the phones themselves but does not keep copies of them for subpoenas.

Saturday, November 14, 2015

"See Something, Say Something" can result in bizarre findings on the Internet (like supposed Muslim body-shaving); maybe a bizarre DDOS side-effect?

I’ve encountered a very bizarre issue in Windows 10, that may or may not be content-related.

Following up on the news stories about the horrible events in France, I was looking at some old material on 9/11 late last night, and was curious about stories that the 9/11 hijackers had shaved their bodies in their motel rooms the night before.  (This may have been just in Boston.)  I found a Slate article that gave me a “forbidden” error 403.  Then Windows 10 hung, and I had to restart it with the power button.  When Windows came back up, I entered just “” and got the story and link.

Today, I got the error 403 again and the system seemed to slow down.  So I restarted it, this time “legally”.  I tried the link on an older Windows 7 machine and it worked fine.  But in the past, Slate (and a few other big news sites, especially Major League Baseball) could cause Windows to hesitate momentarily on Windows 7 (it doesn’t now).

It’s possible that the error happens because of Kaspersky, too.

It is possible for an Apache server to deny public access from a specific IP address, which is a tool used to control DDOS attacks.  Possibly the server thinks my address is compromised (if it has experienced a DDOS recently), but only in the Windows 10, Kaspersky environment.  This is rarely done with ordinary users.
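The per-address blocking mentioned here, and in the Dorkbot post above (hosts that automatically blacklist addresses via .htaccess), can be scripted by a site owner. The following is an added example, not code from any hosting company or from this post: it parses Apache combined-format access log lines, flags clients whose request count inside a sliding window exceeds a threshold, and emits the Apache 2.4 Require directives that refuse only those addresses. The log lines are constructed with documentation-range IPs; the window and threshold values are assumptions to be tuned per site.

```python
"""Flag clients that flood an Apache access log and emit .htaccess deny rules.
Added example; the log lines below are constructed, not from any real server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [timestamp] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_rate(timestamps, window: timedelta) -> int:
    """Largest number of requests from one client that fall inside any sliding window."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:  # drop requests that fell out of the window
            start += 1
        best = max(best, end - start + 1)
    return best


def flooding_ips(lines, window_seconds: int = 60, threshold: int = 20) -> list:
    """Addresses that sent more than `threshold` requests within `window_seconds` (assumed defaults)."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_ip[parsed[0]].append(parsed[1])
    window = timedelta(seconds=window_seconds)
    return sorted(ip for ip, ts in per_ip.items() if peak_rate(ts, window) > threshold)


def htaccess_block(ips) -> str:
    """Apache 2.4 directives that keep the site public but refuse the listed addresses."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in ips)
    return f"<RequireAll>\n    Require all granted\n{rules}\n</RequireAll>\n"


def sample_log() -> list:
    """Constructed log: one client hammering a page, one ordinary visitor (documentation IPs)."""
    base = datetime(2015, 11, 14, 3, 15, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):  # 25 hits in 25 seconds from 203.0.113.7
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{t}] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.40"')
    for i in range(3):  # 3 hits spread over 20 minutes from 198.51.100.5
        t = (base + timedelta(minutes=10 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.5 - - [{t}] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(htaccess_block(flooding_ips(sample_log())))
```

The emitted block is what a host would append to the site's .htaccess (or a server-level config); a legitimate user behind a shared address can be caught the same way, which is the false-positive risk the post describes.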

Of course, the content of the article is provocative.  It is conceivable that another passenger (particularly a gay male) might have noticed this about the men who would turn out to be the hijackers while in the airport terminal.  Should he have said something?  Apparently the ritual has some religious significance, and could indicate that the practitioner expects to end his life.  That definitely fits into the “see something, say something” idea.

It is possible for “ordinary bloggers” to get tips on the Internet.  I got a few in the first few years after 9/11.  In fact, some people got a bizarre email on Sept. 1, 2001 that was thought to be spam or malware (I remember seeing it on my old Compaq laptop computer in a motel, as I was away in Canada Labor Day weekend that year, living in Minneapolis.)  I believe I got what looked like a warning about another Indonesia bar attack in the fall of 2002, and called authorities (and indeed there was a bust three days after I called).  The most recent such message came in 2005, concerning the history of OBL, and I did spend about 20 minutes talking (by cell phone) to an FBI agent in Philadelphia about the email.  These have become less common as social media has taken over, while emails like this are more likely to be just spam (or malware) than they used to be.

Friday, November 06, 2015

Washington Post examines growing concern for security of Linux kernel

The Washington Post has a huge front page story about the Linux kernel by Craig Timberg today (Friday, November 6, 2015), along with the strange history of its creation and author, Finnish software engineer Linus Torvalds, link here.
The unusual business model (or lack of model) for the way this product evolved as open source is quite remarkable.

There is a long discussion of the relative security of various operating systems, how Windows has been viewed as less secure and less stable even though it is the most versatile on personal computers.  (Some Apple fans will question my assessment of  “versatile”).  The Linux server (as opposed to Unix) has become rather standard for industrial and commercial servers.

So there is concern whether this introduces a strategic vulnerability to our entire infrastructure, especially the power grid.  Torvalds says, simply don’t connect the power grid directly to the Internet (which seems to be part of his answer to Ted Koppel’s book “Lights Out”, which I’ll review soon).  He also indicates that his creation of the system was personal in nature and motive. Torvalds also says that if he had to worry about the theoretical possibility that someone will be mean enough to circumvent any possible security strategy, he could never get anything done.  I echo that sentiment.

I recall that a co-worker from the 1990s, Tom Oehser, created a version of Linux that fit on one floppy (popular at the time, in the days before USB drives).  It’s still available here.

I tried it once when living in Minneapolis, maybe in 1999, with an old Everex laptop.  Tom believes in self-teaching, and once told me he ran an early Internet server back in 1994 from a 386 machine in his own home.

Tuesday, November 03, 2015

Kaspersky is very quick to block advertisers on mainstream news sites

Here’s something interesting about Kaspersky.  It blocks pop-ups from some advertisers on major established news sites (like CNN) as “phishing” sites.  But it does seem to cast a very wide net, not giving any advertiser the benefit of the doubt.

With most major corporate sites, Kaspersky still sometimes seems to expect “https” to be offered, and will flash a warning about security certificate even if I simply key in the domain name (with no http).  This does not happen with sites that have converted to all https (Washington Post, Electronic Frontier Foundation).

Kaspersky seems to have the strictest environment for Windows that I have ever encountered.  Wikipedia says that the company is headquartered in Moscow, with holding company in the UK.   I wonder how it survives in Vladimir Putin’s country, whose whole economy seems to be predicated on worldwide Internet crime.
I’ll note here today that I am reading Ted Koppel’s “Lights Out” about the way weaknesses in corporate security for power companies could bring down major parts of the US grid (especially vulnerable to rogue state enemies), and will discuss in a book review soon.

Friday, October 23, 2015

On a Wordpress site, comment spam related to gaming "digital currency" gets past security controls

Last night, when I navigated to my (Wordpress) “Do Ask, Do Tell Notes” site  it seemed that I got redirected to “”.  It may actually have been a pop-up (I haven’t turned on the blocker yet) from passing my cursor over the most recent comment, on the left side of the page (which shows up on a computer but not on mobile)  

That comment had gotten past Akismet’s spam comment control, somehow, and been entered earlier that evening.  Apparently it had html code that would cause the Blogger posting to pop up.  (One of my “subsponsors” on did this one time, and I removed the auto-pop code html manually from the embed.)  

I marked the comment as spam on my control panel, and the behavior went away.  But I don’t know how it got there in the first place.  Had it gotten past the spam comment control, it would have generated a comment moderation email. 

The scheme seems to be aimed at getting as many clicks and links as possible (“link farming”) and seemed oddly connected to a gamer’s earning “gems”, a kind of digital currency (like bitcoin, or like Second Life Linden Dollar) by generating links.  

The actual game is quite legitimate and Wikipedia describes the currency here.  The actual game board is interesting, and even looks a bit like the fantasy world in my own screenplay (on a space station), except that the levels within any one station in my world are vertical.   But the blog posting that I saw pop up looked like a typical “spam blog” post with many run-on lines of repeated content and no paragraphs.  That has been a controversy on Blogger for years, particularly around 2008 (less of an issue these days).  In at least one case in 2008, clues to a major (still) unsolved crime were left in one of these blogs.
I ran the usual Kaspersky checks and everything was clean. 

Wednesday, October 21, 2015

Kaspersky seems less likely to rate amateur sites for reputation; more on Wordpress and security

I have noticed, since starting to use Kaspersky on the HP Envy, that Kaspersky seems to have rated fewer sites for reputation than had Webroot or McAfee.  In particular, Kaspersky has rated about half of my Blogspot blogs as green, but not rated the others, and it doesn’t seem to have rated any of my Wordpress domains or my legacy sites.  Kaspersky may generally be paying less attention to rating “amateur” sites than some other security vendors.  But it does seem to rate Google’s hosted blogs fairly quickly.
Most blogging consultants (like “Blogtyrant” Ramsay on Twitter) consider Wordpress to be superior to Blogger, and I would generally agree.  Wordpress is set up to be hosted by other companies with formal contracts with customer users, which tends to mean support is likely to be more forthcoming (and can be obtained by phone as well as help forums).  Under BlueHost, I have 4.3.1, and Bluehost normally updates automatically.
However, Wordpress (especially older versions) is known to have some vulnerabilities, as listed here.  A quick Google search does show a few scattered reports a few years back of some Blogger vulnerabilities, too. And the same holds for Tumblr.  
One idea that could improve security would be to make it easier to update blog content (on any major service platforms) on modern mobile devices.  People who run broadcast content should be able to maintain the content and respond to problems at all times, which makes going off the grid difficult. 

Sunday, October 18, 2015

Bizarre abuse of shortened URL's on Twitter

I had a bizarre Twitter-life experience late Saturday night on an HP Envy (oh, why was I home?)  There was a tweet about the use of vintage subway cars on the IRT to the Mets game. It somehow mentioned the New York Daily News.  But when I clicked on a shortened URL link, I got redirected to a domain called “” or “” with the description “Make short links and make the biggest money” with further links.  I could not get the proper Daily News story to appear. I was on Google Chrome.

I don’t think it takes much common sense to be suspicious of unsolicited ads having to do with currency exchange rates.

Twitter says it carefully monitors the short-link or tiny-url use on its site. It is hard to say whether there could have been a hack on Twitter or instead on the New York Daily News.
Something like this has happened with other adware on my cell phone when trying to look at the “At Bat” feature of a “game in progress” on during the playoffs.  Adware comes up and won’t go away until closing Safari and then opening it again.

I restarted the machine, and ran a full Kaspersky scan (takes about 80 minutes) during overnight sleep.

The scan revealed one item of “adware” which I quarantined (I could not tell if it had come from this incident), and two unwanted programs or “bloatware” not considered malware but possible targets for hacking, which I also quarantined.

I sent tweets to both Kaspersky and Webroot and asked them to check with Twitter and NYDN about the incident.

There is a revealing story in the New York Times Sunday by Nicole Perlroth, “Hackers prove they can ‘pwn’ the lives of those not hyperconnected”, here. There was an example of a simple use of phishing and Facebook.

Thursday, October 15, 2015

Does cyber warfare threaten average users?

Robert Samuelson has an op-ed in the Washington Post today, “The coming cyber-wars”, link here.    Samuelson questions whether in the end the Internet will turn out to have been a good thing, if we could lose our power grid and wind up living out the scenario of NBC’s “Revolution”.

Now I’ve written repeatedly that there is something wrong if our power grid even had a topological connection to an Internet that enemy hackers can reach. But another way to attack is to get employees to connect infected thumb drives to their networks, and enemies are turning special attention to spying on off-Internet networks.

Samuelson refers to a WSJ story by Damian Paletta, Danny Yadron and Jennifer Valentino-Devries, here.

But it would be more likely that “average users” could be affected if whole networks (whether power grids or financial, or even telecommunications or social media services) were attacked and went down.

Tuesday, October 13, 2015

CERT warns on new botnet aimed at attacking bank accounts

US Cert is warning users (alert TA15-286A) about Dridex P2P-Malware botnet, which is designed to steal financial site credentials and possibly drain bank accounts.
The link from CERT is here  and was broadcast by email Tuesday morning.
The title of the malware mentions P2P, but it appears that the virus is also spread through ordinary phishing attacks.  The malware can apparently also hijack a machine to send DDOS attacks.


Sunday, October 11, 2015

Obama won't interfere with Silicon Valley encryption to protect users; more false warnings from Kaspersky on non-encrypted web pages; warning that hackers sell fake ID's to minors

The New York Times, in a story by Nicole Perlroth and David E. Sanger, is reporting that the Obama administration has promised not to seek routine access to encrypted user data, at least without valid warrants, link here.  Doing so could expose all the major US tech companies to foreign hackers (especially state sponsored) and could endanger the security of some individual users in sensitive situations. 

In a bizarre twist, Kaspersky gave me a security certificate warning in Windows 10 for this New York Times story, when the NYTimes does not seem to have implemented https for all its content yet (at least not for this story).

In another matter, Fox News in Washington DC this evening warned that foreign hackers had become involved in the printing of fake ID cards and driver’s licenses (to get around age limits, as for bars). 

Saturday, October 10, 2015

Kaspersky, in Windows 10, blocks Fandango

A strange little experience today.

Kaspersky, in a Windows 10 environment, wouldn’t let me use Fandango to buy movie tickets on a credit card, at least in guest mode.  It claimed a propensity for phishing and based its conclusion on “heuristic analysis”.

It allowed an override, but then the Fandango site came up in what appeared to be an unusable format.

Fortunately, the movie wasn’t close to selling out.  The theater (Angelika) said it would look into this.

Wednesday, October 07, 2015

Https now allowed by Blogger; Kaspersky gets quite strict on security certificates

A couple more issues that have come up with my conversion to Windows 10 and Kaspersky on one machine (HP Envy).

I’ve noticed that Google now offers "https" for Blogger, for blogs with the blogspot domain without (for right now) a custom domain name.  I have just enabled that for this blog, so you can key in https if you like.  I’ll look at this soon for my other blogs. Google’s page on the capability is here.  You have to enter the “https”;  it does not automatically convert for you.

I’ve noticed also that Kaspersky, in Windows 10, warns the user every time she inserts a drive through USB to scan.  Also, it warns on the security certificates of many sites, even some of Google.

Another feature I’ve noticed with Windows 10:  on some sites, you cannot click on embedded pictures in webpages to enlarge them; you get disconnected from the site.  Same site, it’s permissible.

Update: Oct. 8

I've noticed that when some images are imported by Blogger in a Windows 10 environment, and then fixed manually in html with respect to height and width, they view OK in ordinary browsers but may not be viewable in blogs enabled by https.  Also, the images are not viewable on the Blogger panel which is already under https.  It appears that Windows 10 is encrypting some images that algorithms tell it contain text and conceivably some PII.

Monday, October 05, 2015

Vigilante hacker attacks over 10000 routers to give benevolent warnings

A vigilante “ethical hacker” has apparently been hacking unprotected WiFi routers and warning owners.  His blog is here.
The news story appeared in “The Hacker News” here.  The exploit is written in Perl.
Most of the affected routers seem to be used to control appliances, home security, and “the Internet of Things”.
Again, a security encryption standard below WPA2 is considered inadequate.


Thursday, October 01, 2015

With Windows 10, confusion over use of Webroot, and facts are in dispute right now

I did pick up my HP Envy with Windows 10 (replacing Windows 8.1) yesterday from Geek Squad.
I was told that Webroot has an issue with Windows 10, and that freezes have been reported.  So Geek Squad loaded Kaspersky.  I must admit that I found a "missed call" and voicemail on this matter on my iPhone (and was slow checking it), so GS went ahead and decided to use Kaspersky. 
I sent a Twitter message to Webroot, which denies that there is a problem, and says it is investigating the source of the “rumor”.  When I get more details from Webroot or GS, I’ll report the facts here as they come in.

I had used Kaspersky on an older Toshiba travel laptop purchased at the beginning of 2011.  It is much easier to use now, with fast automatic updating.  It appears to be load-based rather than cloud-based (but I could be missing something).
Kaspersky flashes warnings when I go to a website whose security certificate doesn’t check out.  One of these sites was accuweather (which I am monitoring because Hurricane Joaquin is menacing the East Coast in a few days). Kaspersky also enables “secure keyboard input” when entering passwords. 

Kaspersky also rates websites found on search engines.  It grays out more sites than does Webroot (saying it has no information on the site).  My "doaskdotell" is grayed out on Kaspersky but green on Webroot.
Kaspersky says I need to enable "data protection" (which I will investigate) when I log on to a bank site.  It also offers "safe browser mode" and "Safe Money", which I will look into. 

Wednesday, September 30, 2015

Watch for new Facebook hoax; more on mobile privacy

There is a hoax on Facebook, telling users to post legal gibberish to protect their privacy, according to the Newsy site, story here.  It's called the "pay for privacy" hoax, almost a kind of scareware.
Tuesday, the Today show reviewed location privacy recommendations for smartphone users.  For some people with inherent security problems (corporate executives, persons in bad relationships with a stalking risk) these are serious.  Apple’s own privacy recommendations are here.

There is a pertinent question as to whether international politics (and terror) could increase the possibility of targeting ordinary citizens who would have been off the radar in the past.

Sunday, September 27, 2015

Microsoft BSOD error in Windows 8 underscores a vulnerability that could lead users to unknowingly get unwanted content and malware from everyday apps

Last night, while returning from a trip, I happened to look at a tweet with attached images from a particular person, and I decided to save one of them “for my own use” on the hard drive on a Windows 8.1 machine that I use primarily when playing on the road.  When I tried to enlarge it by clicking on it (as is normal in Windows Explorer) the machine (a 2014 Toshiba Satellite) displayed the Blue Screen, saying it had to restart because of a “Bad Pool Caller” (Microsoft link).  The machine restarted OK (taking a while).  Google Chrome said it had not been shut down, and brought up the tweet on restore, and this time the click worked all right.  I saved the image.

Later I noticed, in Explorer, that Windows had saved a whole subdirectory of this Twitter user’s images, about 130 of them.  The images were innocuous (a few were thumbnails of other users).  But what catches my attention is that this is one way unknown content can be stored on an unsuspecting user’s PC, even without P2P.

This appears to have happened because of a coding issue, either in Twitter or Microsoft or both.  Instead of loading just one object, it loaded an entire class of objects.   It is rather like loading an entire array instead of a single member of the array, as indexed (as in a mainframe application in an older procedural language like COBOL).

Bugs like this do happen when a subscript or index is left out, or not properly initialized, or when they “run away”.   This appears to be the result of some “unsafe code” and not malware.

But this kind of vulnerability could allow an attacker to load undetected objects, like malware, onto a user’s machine, even through a well respected app like Twitter.  It could, at least theoretically, even load other illegal content (like child pornography) on an unsuspecting user.

I have noticed that other software packages sometimes create folders with miscellaneous objects when loaded.  This is true with CD’s from instant cameras (as in drug stores) or when Blogger content links are saved manually.  Some of the embedded objects do get backed up into the Cloud by Carbonite, for example.  This has never caused a direct problem, but it could expose users to security risks from unknown or unwanted content. 
I did run a Trend Micro quick scan and it showed no threats. I tried a full scan before going to bed and found it would not run while the machine went to sleep, so I'll have to try it when I have time to monitor it for three or four hours.

Monday, September 21, 2015

Apple iPhone hack reported, many relatively obscure apps affected

iPhone users have suddenly learned that they could have been affected by a compromise that got malicious code into legitimate apps: the developers had built them with a tampered copy of Apple's Xcode toolchain (the XcodeGhost incident), so the apps passed App Store review.  BGR has a list of infected apps at the end of this article, link here.  The app that caught my eye was WinZip, but I haven't actually downloaded any apps on the shortlist. In the past, the iPhone has been viewed as more closed and more secure than Droid (which I had from 2011 to 2014).
CNN has a similar story reporting that over 225,000 iPhone accounts have been compromised, and that iTunes purchases can be stolen from affected phones, link here.  That incident involved malware on jailbroken phones rather than App Store apps, so the two stories describe different attacks.
The story has a video showing some iPhone security tips, including expanding the character set for pin codes, and ways to hinder advertisers from tracking you.
I have not really found it practical to do a lot of work on the phone.  I usually do banking from a laptop or PC with standard firewalls and security software in place.  Blogging from just a phone has not been practical (although Facebook and Twitter are OK).  Almost no product or service is as easy to use on a phone as on a well-equipped modern laptop with fast processor and connection.


Friday, September 18, 2015

Safe Internet access when playing on the road (and needing to get through the bottom of the ninth)

The site Newsy has a valuable resource on the use of public Wi-Fi hotspots.

The advice includes using a VPN if possible, and specifically disabling file sharing.  (I'm not sure if that matters if you don't have P2P software downloaded.)  Note that "file sharing" here is the operating system's own network sharing (Windows file and printer sharing, the macOS sharing services), which is on or off independently of any P2P software; on Windows, marking a hotspot as a "Public" network turns it off for that network.

It also recommends using two-step verification wherever possible, and "forgetting" networks when signing out.

It also recommends using only networks that require a sign-on.

The idea that someone will eavesdrop on a conversation in an ordinary hotel room seems improbable to me.  But you have to think about some factors; one hotel in NYC has given me the same room whenever I've been there.  I've found that Bluetooth connections (like on Ultrabooks) are less stable in hotels than at home because of signal interference.
Maybe the simplest tip in the smartphone era is to use your smartphone as a hotspot.  It seems to work pretty well – but your carrier needs to have a strong signal in the location where you travel. Verizon seems to have the largest coverage area in the US.


Thursday, September 10, 2015

Russian state-sponsored malware hides its command traffic behind satellite Internet links serving poor countries

This story, tweeted by Webroot today, may not seem too relevant to home users.  A Kremlin-linked cyberespionage group has been hiding its command-and-control traffic behind satellite Internet links.  The downlink from such satellites is broadcast unencrypted over a huge footprint, so the attackers can receive replies addressed to a legitimate subscriber's IP address without owning that connection, and the malware's servers appear to be hosted by ordinary satellite users, mostly in Africa, especially in poor countries like Somalia or the Central African Republic.  Some American companies (such as computer vendors) could be affected.  The story is here.

Tracking this activity should be something the NSA knows how to do, though perhaps not without again spying on American companies and sometimes users.
I guess we can ask: is Vladimir Putin a psychopath?

Wednesday, September 02, 2015

Another silly Chrome hijack scareware attack; also, Mac offers a big security update to OS 10.10

Late last night, on my HP Envy under Windows 8.1, I observed another Chrome hack while I was on a troubleshooting site called Wikiguga, investigating a spurious error when I installed a new iMovie on my MacBook (for what it's worth, the iMovie still works OK).  All of this, by the way, came as a supplement to OS X 10.10.5 Yosemite, which included a new iTunes and is supposed to have major security improvements, possibly addressing issues covered last month; the whole process took about 30 minutes and did consume some of my time!
I suddenly got one of those red-and-white "System Error" web pages (on the Envy) with a female voice (sounding like a hooker) advising me to call the 800 number at the bottom to release the page lock (and pay on a credit card, to be sure).  The History trace shows that the Wikiguga page was redirected to "" (an apt name), and then to "".

The rest of the computer worked OK; just Chrome was locked.  So I pressed the power button twice and "restarted" Windows 8.1.  This time, when Chrome came up, Chrome, curiously, did NOT say it had not been properly shut down, and Chrome did not invite me to visit the fake site again.
Why doesn't Google Chrome fix the browser so it can't be hijacked by a malicious website redirect?  (The redirect itself is ordinary web behaviour that the browser cannot distinguish from a legitimate one; what the scam page adds is a loop of dialogs.  Chrome does offer to suppress a page's further dialogs once it has thrown more than one, and the less disruptive escape from a locked tab is to end the browser process from Task Manager rather than power-cycle the machine.)

A Webroot Secure Anywhere scan (after a full “correct” restart) was clean and showed no executables had been loaded.

So this is a very transparent and silly kind of hack (probably from Russia or eastern Europe) that would work only on the most gullible. I don’t know if the FBI dedicates any resources to stopping these. Maybe it’s part of Vladimir Putin’s way of getting young Russian dads some income.

Wednesday, August 26, 2015

Is wireless WiFi (compared to Ethernet) harmful to kids?

Can the switch from hardwired Internet to wireless expose people, especially children, to harmful "radiation"?  That's the focus of a lawsuit in Massachusetts, which claims a school's change from Ethernet to WiFi made the plaintiffs' son sick; ABC News story here.
Arguably, children's skulls are thinner, or their brains more vulnerable?
What about most homes and hotels with wireless routers, and children in them?  We’ve heard this question before with cell phones.  

Sunday, August 23, 2015

Is that cheesy "leave this page" pop-up harmful?

Some websites, especially those that sell financial planning or health-related services and introduce themselves with long-winded, leading videos or multi-page articles, throw up a JavaScript "leave this page" pop-up.  That may be appropriate when you are closing a page on which a transaction is already in progress, but as a sales technique it seems cheesy, manipulative, even intimidating.  Is it harmful to your PC?
Apparently not.  The prompt comes from the page's onbeforeunload handler; the browser draws the dialog itself, and once you confirm that you want to leave, the page is unloaded and gets no further chance to run.  Here are a few write-ups, on UK PC Advisor, Microsoft, and Super User.
Picture: Real-life "traffic jam" at the Sagamore Bridge to Cape Cod, weekend, early Aug. 2015.


Thursday, August 20, 2015

"Reflective Denial of Service Attacks" explained by CERT

US-CERT has released a new warning about "UDP-Based Amplification Attacks", a form of Distributed Reflective Denial of Service (DRDoS).  These attacks rely on connectionless UDP services that answer whatever source address a request carries: the attacker sends small requests with the victim's address forged as the source, and the servers (the "reflectors") send their much larger replies to the victim, multiplying the attacker's bandwidth many times over.

CERT's recommendations are aimed mainly at network operators: drop packets with spoofed source addresses at the network edge (BCP 38 ingress filtering), and find and harden or disable publicly reachable services that give large answers to small queries, such as open DNS resolvers and NTP servers.  Such reflectors may have become more common as ISPs started offering almost limitless bandwidth and disk space to small customers.

These attacks could be a problem for smaller ISPs (less common today than in the late 90s) or for those who run their own connections.
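The two halves of the CERT advice, as an added example that is not part of US-CERT's alert or the original post: the source-address check an ISP applies at a customer port so that forged-source requests never leave its network, and a detection pass over constructed inbound-flow records that spots a host being hit by large UDP replies from many reflectors at once. All addresses, ports and byte counts are constructed for the example.

```python
"""Added example (editor's illustration, not code from US-CERT or the original post).

  * bcp38_allowed(): ingress filtering (BCP 38) at the ISP edge.
  * amplification_factor(): what the attacker gains per byte of forged request.
  * find_reflection_victims(): detection over constructed inbound UDP flow records.
"""
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors: CharGEN, DNS, NTP, SNMP, SSDP.
REFLECTOR_PORTS = {19, 53, 123, 161, 1900}


def bcp38_allowed(src_ip, customer_prefixes):
    """Source-address validation at a customer-facing port.

    The port may only emit packets whose source address lies inside a prefix
    assigned to that customer; anything else is spoofed and must be dropped.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in customer_prefixes)


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte of forged request sent."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_sources=3, min_bytes=10_000):
    """Flag hosts receiving UDP replies on reflector ports from many distinct servers.

    flows: iterable of (src_ip, src_port, dst_ip, dst_port, nbytes) for inbound
    UDP traffic seen at a network edge.  One reply from one server is normal;
    many reflectors converging on one host with a lot of bytes is the DRDoS pattern.
    """
    seen = defaultdict(lambda: {"sources": set(), "bytes": 0, "ports": set()})
    for src_ip, src_port, dst_ip, _dst_port, nbytes in flows:
        if src_port not in REFLECTOR_PORTS:
            continue
        entry = seen[dst_ip]
        entry["sources"].add(src_ip)
        entry["bytes"] += nbytes
        entry["ports"].add(src_port)
    return {
        dst: {"sources": len(e["sources"]), "bytes": e["bytes"], "ports": sorted(e["ports"])}
        for dst, e in seen.items()
        if len(e["sources"]) >= min_sources and e["bytes"] >= min_bytes
    }


# Constructed inbound flows: three NTP servers and one DNS server all replying
# to 203.0.113.5 (which never asked), plus ordinary traffic to other hosts.
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 40000, 4820),
    ("198.51.100.11", 123, "203.0.113.5", 40000, 4820),
    ("198.51.100.12", 123, "203.0.113.5", 40000, 4820),
    ("198.51.100.20", 53, "203.0.113.5", 40000, 3000),
    ("198.51.100.20", 53, "203.0.113.9", 51515, 120),     # a normal DNS reply
    ("198.51.100.30", 8080, "203.0.113.5", 40000, 9000),  # not a reflector port
]

if __name__ == "__main__":
    # A customer assigned 192.0.2.0/24 must not be able to send as 203.0.113.5.
    print(bcp38_allowed("203.0.113.5", ["192.0.2.0/24"]))  # False -> drop
    print(amplification_factor(64, 4820))                  # 75.3125
    print(find_reflection_victims(SAMPLE_FLOWS))
```

The thresholds in `find_reflection_victims` are deliberately low so the constructed sample trips them; in a real deployment they would be tuned to the link's normal traffic, and the same grouping works on NetFlow or firewall logs once they are parsed into the tuple form used here.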

Update: March 29, 2016

Any casual perusal of YouTube shows many videos on how to conduct DDoS attacks.  Many of them require some scripting or command-language knowledge.  I'm a little surprised that their presence doesn't violate YouTube TOS, or maybe I'm not surprised.  There is mention of Anonymous and of trying to attack ISIS on the Dark Web, too.

Monday, August 17, 2015

EZPass phishing scam exposed; some customers can get legitimate emails from EZPass.

Security companies are warning of a phishing scam involving EZPass, claiming that you owe money and have allowed unpaid charges to accumulate on your transponder.

Consumer Reports has a story on the scam here

EZPass has an explanation of its own phishing policy here. EZPass can take legal action, including prosecution and civil action (trademark) if scammers are caught. 

However, EZPass will send a legitimate email when a credit card on file expires and it has trouble adding the next incremental credit (usually $35, after a balance falls below $7).  This happened with me in early July, and the email arrived early on a Sunday morning when I was going to drive to Philadelphia on toll roads.  The website did not work, but the transponder did OK.  On Monday I called to solve the problem, but had to call twice and wait through holds to get through to customer service to fix the problem.
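Since legitimate and fraudulent toll-bill emails look alike at a glance, here are the two checks a mail filter (or a careful reader) applies, as an added example that is neither EZPass's nor the original post's code: is the sender's address, not just the display name, on a domain the agency actually uses, and does each link's real destination match both the trusted domains and the host its visible text shows? The trusted domain "ezpass.example" and the sample message are constructed.

```python
"""Added example (editor's illustration, not EZPass's or the original post's code).

  * sender_domain_ok(): the From address must be on a trusted domain.
  * suspicious_links(): each <a> href must point at a trusted domain and must
    agree with any host name the link text displays.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"ezpass.example"}  # assumption: the agency's real domains go here
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def sender_domain_ok(from_header, trusted=TRUSTED_DOMAINS):
    """True if the From address itself (not the display name) is on a trusted domain."""
    _display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return bool(domain) and any(in_domain(domain, d) for d in trusted)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, [reasons])] for links that leave the trusted domains
    or whose visible text names a different host than the href really targets."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not any(in_domain(host, d) for d in trusted):
            reasons.append("destination host is not a trusted domain")
        shown = HOST_RE.search(text)
        if shown:
            shown_host = shown.group(1).lower()
            if not (in_domain(shown_host, host) or in_domain(host, shown_host)):
                reasons.append("visible text names a different host than the href")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed phishing message in the style described above.
SAMPLE_FROM = "E-ZPass Billing <noreply@ezpass-billing.example.net>"
SAMPLE_HTML = """
<p>Dear customer, your E-ZPass account has an unpaid balance.</p>
<p>Pay now: <a href="http://ezpass-billing.example.net/pay">www.ezpass.example/pay</a></p>
<p><a href="https://www.ezpass.example/help">Contact customer service</a></p>
"""

if __name__ == "__main__":
    print("sender trusted:", sender_domain_ok(SAMPLE_FROM))
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(href, "|", text, "|", reasons)
```

Neither check proves a message is genuine (a compromised mailbox on the real domain would pass both), but either one failing is reason enough to ignore the email's links and go to the account through a bookmark or the card on the transponder instead.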

It is true that unpaid tolls can cause fines.  This happened to me once with a rental in 2002 on the horrible Delaware turnpike.  More recently, car rental companies (in Florida, around Orlando) just generate another bill to the credit card on file when the bill comes in, so the system has gotten better.


Thursday, August 13, 2015

Enemies use crude techniques to build on-line target lists, but corporate and government database (and commercial software) vulnerabilities add to the problem

The media (especially CNN) today discussed a new “target list” of about 1400 people in the US (and probably including the UK and Australia), compiled by a well-known enemy (ISIS) determined to use social media to launch asymmetric and psychological warfare. (CNN has yet to post the news story, as of early Thursday evening; late in the evening it did, here.)  Troy Hunt has an interesting analysis of how these names and other identifiers could have been compiled from multiple sources, many of them government or corporate databases with employee or military personnel information, link here.

Hunt believes that the “hackers” paid very little attention to who the people are or what their jobs are.  Much of the data could come from publicly available sources (and there are numerous websites that sell culled public record information to subscribers).
But several techniques were used, including "pastes" and scrapes of data exposed through known Adobe compromises.  Hunt also refers to HIBP, his "Have I Been Pwned" service, which lets anyone check whether an email address appears in known breaches.
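The aggregation step Hunt describes, as an added example that is neither Hunt's code nor part of the original post: no single source holds a complete record, but joining a public directory, a breach dump and a paste on a normalised email address produces one. The email normalisation matters because aggregators treat Gmail's dot and plus-tag variants as one address, which Gmail itself does. All records, names and addresses are constructed.

```python
"""Added example (editor's illustration, not Troy Hunt's code or the original post's).

  * normalize_email(): one join key per person despite case and Gmail alias tricks.
  * aggregate(): merge records from several sources into a profile per address.
  * complete_profiles(): the profiles that now carry every field a target list wants.
"""
from collections import defaultdict


def normalize_email(address):
    """Canonical join key: lower-case, and collapse Gmail's dot/plus-tag variants
    (Gmail ignores dots in the local part and anything after '+')."""
    local, _, domain = address.strip().lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def aggregate(sources):
    """Merge records from several sources into one profile per email address.

    sources: {source_name: [record dicts, each with an 'email' field]}
    returns: {normalised_email: {field: value, ..., "sources": [names]}}
    The first source to supply a field wins; later sources only fill gaps.
    """
    profiles = defaultdict(lambda: {"sources": []})
    for source_name, records in sources.items():
        for record in records:
            profile = profiles[normalize_email(record["email"])]
            profile["sources"].append(source_name)
            for field, value in record.items():
                if field != "email" and value:
                    profile.setdefault(field, value)
    return dict(profiles)


def complete_profiles(profiles, required=("name", "employer", "phone")):
    """Profiles that carry every field in `required`."""
    return {email: p for email, p in profiles.items() if all(f in p for f in required)}


# Constructed inputs: a public staff directory, an old breach dump and a paste.
# Each alone is incomplete; together they yield one full profile.
SAMPLE_SOURCES = {
    "public_directory": [
        {"email": "j.doe@example.org", "name": "Jane Doe", "employer": "Example Corp"},
    ],
    "breach_dump": [
        {"email": "J.Doe@example.org", "name": "Jane Doe", "password_hash": "hash-redacted"},
        {"email": "a.smith@example.net", "name": "Al Smith"},
    ],
    "paste": [
        {"email": "j.doe@example.org", "phone": "555-0101"},
        {"email": "a.smith@example.net", "phone": "555-0102"},
    ],
}

if __name__ == "__main__":
    merged = aggregate(SAMPLE_SOURCES)
    for email, profile in complete_profiles(merged).items():
        print(email, profile)
```

The defensive reading is the mirror image: a breach-notification lookup tells you which of these sources already hold your address, and an employer that publishes a staff directory with email addresses is supplying the join key that makes the rest of the data usable.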

Another newspaper, the Epoch Times, in a story by Joshua Phillipp, reports that much of the technical expertise for ISIS Internet activity is in the former Soviet bloc, some of it in Russia, link here.  This would seem consistent with what Troy Hunt presents in his article. 

Thursday, August 06, 2015

"Bitflipping" attacks on memory chips; are "telepathy" attacks next?

An article by Dan Goodin in Ars Technica on Aug. 4, 2015 describes an unusual hardware attack called "bitflipping", better known as Rowhammer.  Rather than overloading a chip, the attacker reads the same DDR3 memory rows over and over, millions of times a second; the electrical disturbance can flip bits in physically adjacent rows the attacker has no permission to touch, and a well-placed flip can corrupt page tables or other security-critical data.  Researchers had by then shown that the access pattern can be driven from JavaScript, so delivery through the usual malware channels (phishing or drive-by sites) is plausible.  You could almost imagine this in a sci-fi context as a "telepathy attack".  Maybe Clive Barker was right about the role of magic when he wrote "Imajica" all the way back in 1991.
You wonder about the wisdom of allowing modules to run with voice commands, maybe even thoughts.