Thursday, July 30, 2015

Windows 10 may offer game-changing security features

Webroot tweeted a "Darkroom" story concerning three important security features with Windows 10.  It would appear that most enterprises will expect developers or business partners to be using W10 by the end of 2015.  These advantages look significant.

The most important may be a Device Guard to stop zero-day attacks, before security companies can block them. A second is Windows Hello, which offers a biometric sign-in for users.  This could actually work to an advantage for home security, too;  an intruder would not be able to log on to a properly equipped PC.  Use of these devices might require care;  would a fingerprint reader work with hands greasy from cooking? Another feature is Passport, which allows users to authenticate sites and apps without passwords.  This is two-step verification with a “plus”.  It would seem that major service providers like Google would jump on this pretty soon.

These features could give Windows an edge over Apple MacBooks. Apple employees still often say that their computers don't really need anti-virus, but that is questionable.  Apple is likely to implement the same capabilities in a future OS, and pressure computer owners to upgrade, which then runs some risk of interfering with existing media applications.  
Webroot also greets Windows 7 and 8 users with a panel and link explaining the compatibility with Windows 10.  I don't see such a notice from Trend Micro on another of my machines. 

Update: Aug 1

Windows 10 WiFi Sense is creating controversy, as CNN explains.  It isn't something that I personally would need. But the risk is said to be minimal. (Really?)

Update: Aug. 4

Tech Republic has a detailed article on how to undo the potential privacy invasions inherent in Windows 10, and it's pretty intricate, by Conner Forrest, link here. I'm going to wait for the initial heat to simmer down before installing it myself.  I don't know yet if the Geek Squad plan will do it for me if left with them.  Expect the download and install to take up to three hours, with many periods of blank screens, and many restarts.  It's like roasting a Thanksgiving turkey (and it's only August).

Tuesday, July 28, 2015

Disabling Flash in Chrome; new serious Droid vulnerability reported

Timothy B. Lee has an article July 27 on Vox Media recommending that users disable Adobe Flash in Google Chrome, with a plugin called “Flash control”.  The link is here.  I tried it, and then I found that YouTube videos that use it show a red dot, which will allow the video to play when clicked a second time. Fewer videos use it than in the past. 

Safari seems to default to not allowing Flash to start automatically (on MacBooks) and on my iPhone and iPad they don’t play at all when embedded in blog posts.
Security researchers are reporting a serious Android vulnerability called Stagefright, as in this article by First Post, link. This is a media library feature coded in C++, which is said to be more vulnerable than “memory safe languages like Java” although Java has been criticized for security exposures in more recent times.  The exploit reportedly can be triggered by an MMS message that requires no action on the part of a user, so it is more dangerous than phishing. 
I had a Droid phone until early 2014 (a Blackberry before that) when I switched to iPhone 5 on renewal.


Monday, July 27, 2015

Chrome gets "It's dead" crashes on an HP Envy after Microsoft's latest emergency security patch

Ever since installing the security patch for a Microsoft vulnerability last Wednesday (July 22), described as KB3079904 (disallowing some remote code execution) here, Chrome has behaved oddly in my Windows 8 HP Envy environment.  Occasionally, it crashes with an “It’s dead, Jim”, saying that the operating system forced the page to close. The page will load if you hit “reload” a second time.  It seems to happen going to a “New Tab”.  Also, sometimes the “most frequently visited” tabs no longer work, requiring keying in the URL.

This does not seem to happen on my Toshiba Satellite, which also did the same update. So there seems to be some problem in the way Windows 8.1, HP firmware, and Chrome communicate after this update, which disallows some unsafe code.  

It also seems that Kifi (another Chrome plugin) sometimes crashes, with this latest update. 
Chrome’s explanation is here.
It's possible that the way HP implements IAStorIcon from Intel complicates the issue. 
Webroot scans remain clean.

Wednesday, July 22, 2015

Trolls still populate old-fashioned forums; disturbing demos of auto electronics hacks

Online trolls sometimes use discussion forums to find people to target in the real world, according to a Metro Section Washington Post story by Justin Jouvenal, link here. The particular incidents seem to stem from the Fairfax Underground site in northern Virginia. 
Forums like these were common in the late 1990s, well before modern social media sites came into being.  Problems could also occur with listservers.  I remember one such person on a Libertarian Party of Minnesota server in 1999. 
AOL had a movie review forum called “Movie Grill” back around 2000.  Someone flamed me and sent pseudothreats because he mistook my review of “A Perfect Storm” as a justification for how the shipping company in the film actually treated the characters, rather than just a statement of what happens in the movie. Some people interpret everything they see online as having personal meaning.
In another matter, news services are reporting on “proof of concept” hacks of electronics on cars through entertainment systems (Wired story by Andy Greenberg).  There will be more coverage of this soon. It's called "the carjacking of the future".  If you were hacked and caused a (fatal) accident, would you be legally liable? 

Monday, July 20, 2015

Ashley Madison hackers threaten to release consumer PII unless site shuts down, a form of "criminal" vigilante moral activism?

A popular website, “Ashley Madison” (belonging to Avid Life Media), whose tagline is “Life is short, have an affair”, has reportedly been hacked (by “The Impact Team”), with attackers threatening to divulge the PII of up to 37 million users if the site is not shut down. Krebs Security has a story here.  The actual data for the site is supposedly on the "Dark Web" and requires special browsing tools like TOR. 

Information about the fantasies of subjects (which the hackers called "cheating dirtbags") was reported available for 90 minutes.  
This is the first hack that I can recall (other than Sony Pictures) directed at a site just because of political or moral disapproval of its content.  (Various random small businesses around the country have reported radical Islamic hacks.) 
There’s also controversy over the offer to remove a profile for $19.  Ars Technica questioned the credibility of this practice in an article by Megan Geuss in Aug. 2014, here.

Update: Aug. 19

Media outlets report that a lot of details were released today by hackers for vigilante "morality enforcement" motives.

Early notes from analysis of the release by John Herman, here.  Tim Lee on Vox has an explanation here.  One danger is that people could have been entered onto the site without their knowledge. 

Saturday, July 18, 2015

WSJ advises small businesses on fending off hackers, and on cyberinsurance

Lou Shipley has an article in the Wall Street Journal on p. A9 Friday, July 17, 2015, “How small businesses can fend off hackers”, link here.

The presumption is that, as a business, you keep your own consumer data rather than outsourcing all of it for credit card processing.   Or you may outsource to a company transparent to consumers who still think they are dealing with you (as compared, say, to using only big e-commerce retailers like Amazon and BN).  It may sometimes be necessary to do this to protect the use of a trademark. 
The author recommends buying cyberinsurance.  But this may be possible only if you have enough actual consumer volume to justify it and seem “legitimate”.


Thursday, July 16, 2015

Young technical researcher in FL wins a million miles from United for uncovering security flaw

A web security researcher, Jordan Wiens, from Florida, has won 1 million flier miles from United in a contest to find vulnerabilities in the airline’s security, Reuters story link here.
Jordan’s own account of the event, much of which must remain confidential in detail, is here. Wired has a story here.

Jordan apparently works in Melbourne FL, just south of the Kennedy Space Center, which I by chance visited Saturday.  I used USAir/American and was not aware that airlines had these kinds of “contests”.


Tuesday, July 07, 2015

Another browser hijack in Chrome based on a mistyped AOL domain name

Today, I experienced another “browser hijack”.  After changing a password to AOL, I tried to go to the main site.  I must have mistyped the domain name.  I got a “This is a system error” blinking message with an 800 number to call.  It was cleared by closing the browser and restarting the machine.
The browser was Google Chrome and operating system was Windows 8.1 on an HP Envy.
Webroot scan is clean, because the malware does not actually load an executable on the computer. 
By the way, I see that AOL has gone to 2-step verification, and that it seems that old passwords entered before going to it may not work.