Wednesday, August 26, 2015
Is wireless WiFi (compared to Ethernet) harmful to kids?
Can the switch from hardwired Internet to wireless expose
people, especially children, to harmful “radiation”? That’s the focus of a lawsuit in
Massachusetts, which claims a school’s change from Ethernet to WiFi made their
son sick; ABC News story here.
Arguably, children’s skulls are thinner or their brains more
vulnerable?
What about most homes and hotels with wireless routers, and
children in them? We’ve heard this
question before with cell phones.
Sunday, August 23, 2015
Is that cheesy "leave this page" pop-up harmful?
Some websites, especially those that try to sell financial
planning or health-related services by introducing themselves with long-winded
and leading videos or articles with many pages, come up with a JavaScript “leave
this page” pop-up. That may be
appropriate when closing a page on which you had to complete a transaction that
had already started, but it seems cheesy and manipulative, even intimidating,
as a sales technique. Is it harmful to
your PC?
Picture: Real-life "traffic jam" at the Sagamore Bridge to Cape Cod, weekend, early Aug. 2015.
Thursday, August 20, 2015
"Reflective Denial of Service Attacks" explained by CERT
US-CERT in Pittsburgh has released a new warning about “UDP-Based
Amplification Attacks”, also called “Distributed Reflective Denial of Service”
(DRDoS) attacks. These attacks are based
on connectionless protocols that don’t validate source IP addresses.
CERT recommends that ISPs not permit these kinds of
connections or offer them. But they may
have become more common as ISPs have started offering almost limitless
bandwidth and disk space to small customers.
These attacks could be a problem for smaller ISPs (less
common today than in the late 90s) or for those who run their own connections.
Update: March 29, 2016
Any casual perusal of YouTube shows many videos on how to conduct DDoS. Many of them require some scripting command language knowledge. I'm a little surprised that their presence doesn't violate YouTube TOS, or maybe I'm not surprised. There is mention of Anonymous and trying to attack ISIS on the Dark Web, too.
Monday, August 17, 2015
EZPass phishing scam exposed; some customers can get legitimate emails from EZPass.
Security companies are warning of a phishing scam involving
EZPass, in which the scam emails claim that you owe money and have allowed unpaid charges to
accumulate on your transponder.
Consumer Reports has a story on the scam here.
EZPass has an explanation of its own phishing policy here. EZPass can take legal action, including prosecution and civil action (trademark) if scammers are caught.
However, EZPass will send a legitimate email when a credit
card on file expires and it has trouble adding the next incremental credit
(usually $35, after a balance falls below $7).
This happened with me in early July, and the email arrived early on a
Sunday morning when I was going to drive to Philadelphia on toll roads. The website did not work, but the transponder
did OK. On Monday I called to solve the
problem, but had to call twice and wait through holds to get through to customer
service to fix the problem.
It is true that unpaid tolls can cause fines. This happened to me once with a rental in
2002 on the horrible Delaware turnpike.
More recently, car rental companies (in Florida, around Orlando) just
generate another bill to the credit card on file when the bill comes in, so the
system has gotten better.
Thursday, August 13, 2015
Enemies use crude techniques to build on-line target lists, but corporate and government database (and commercial software) vulnerabilities add to the problem
The media (especially CNN) today discussed a new “target
list” of about 1400 people in the US (and probably including the UK and
Australia), compiled by a well-known enemy (ISIS) determined to use social media to
launch asymmetric and psychological warfare. (CNN has yet to post the news story, as of early Thursday evening; late in the evening it did, here.) Troy Hunt has an interesting
analysis of how these names and other identifiers could have been compiled from
multiple sources, many of them government or corporate databases with employee
or military personnel information, link here.
Hunt believes that the “hackers” paid very little attention
to who the people are or what their jobs are.
Much of the data could come from publicly available sources (and there
are numerous websites that sell culled public record information to
subscribers).
Several techniques are presented, including “pastes” and
scrapes exploiting known Adobe vulnerabilities. There is also a new acronym, HIBP, “Have I
Been Pwned”.
Another newspaper, the Epoch Times, in a story by Joshua Philipp, reports that much of the technical expertise for ISIS Internet activity is in the former Soviet bloc, some of it in Russia, link here. This would seem consistent with what Troy Hunt presents in his article.
Thursday, August 06, 2015
"Bitflipping" attacks on memory chips; are "telepathy" attacks next?
An article by Dan Goodin in Ars Technica Aug. 4, 2015, describes an unusual hardware
attack called “bitflipping.” The idea is to overload memory chips (in DDR3 chip
modules) by deliberately attacking memory millions of times a second. This kind of attack might be possible with
usual malware distribution (by phishing or drive-by sites). You could almost imagine this in a sci-fi
context as a “telepathy attack”. Maybe Clive Barker was right about the role of magic when he wrote "Imajica" all the way back in 1991.
You wonder about the wisdom of allowing modules to run with
voice commands, maybe even thoughts.
Wednesday, August 05, 2015
Zero-day vulnerability in recent Mac OS 10 versions (to adware) getting attention of security researchers
OS 10.10 is now reported to have a “zero-day vulnerability”
that would allow hackers to install adware without needing the owner’s password
approval. Ars Technica has a story by Dan Goodin here. Some of this has to do with a “DYLD_PRINT_TO_FILE” exploit involving the
“sudoers” file, a hidden Unix or Linux file, as described in a blog post by Thomas Reed (and Adam Thomas).
It’s also unclear that existing security products could pick
up this exploit. The vulnerability is
said to live in 10.10.4 and in a beta version of 10.10.5.
It's interesting that more of these blog postings are showing snippets of deliberately "unsafe code".
Tuesday, August 04, 2015
Serious exploit possible on Linux servers doing DNS translation, could lead to DoS attacks
Dan Goodin of Ars Technica reports on a serious flaw in the
way DNS translation is practiced on Linux servers for many websites, in a
service called BIND, story link here.
The flaw would appear to leave websites vulnerable to DoS
attacks, or to redirection. This may
have happened sporadically in recent months with some small businesses.
The issue would seem to affect administrators at web hosting
companies the most, or those who run their own servers.
Sucuri has a blog post on “Bind9”, “denial of service
exploit in the wild” here.
In 2008, there was a major concern over the security of the
DNS conversion system, enough to cause emergency international meetings to be
hosted by Microsoft. These problems had
been detected by researchers in Finland.
I reported this on my “identity theft” blog on August 9, 2008 (probably not
the best place).
Monday, August 03, 2015
Researchers show firmware hack of MacBook is possible
Jack Varcarel of Wired reports on a “proof of concept”
firmware infection of the MacBook, in an article here. He also notes that Dell and Lenovo, at
least, have been more proactive in protecting firmware than Apple, so the idea
that Macs are automatically safer isn’t always true.
A firmware infection would happen in two steps. First, a phishing link or possibly infected
site would load some introductory malware (which a virus scanner should
detect). The malware could lead to firmware infection if a subsequent infected
device (like an Ethernet adapter) were inserted. Bad Ethernet adapters might be sold on
e-commerce sites. This sort of scenario
is more likely with industrial or political espionage (even state-sponsored)
than ordinary home users.
One particular vulnerability was called “Thunderstrike 2”. Normal antivirus software won’t find firmware
infections.
Darlene Storm has a similar story in "The Fix" in PCWorld here.