Wednesday, January 28, 2015

Can foreign elements (religious or conventionally totalitarian) silence ordinary criticism in the West with cyber-war?


I’ve started reading Flemming Rose’s book "The Tyranny of Silence", from the Cato Institute, motivated by the Jyllands-Posten Cartoon Controversy, before the recent attacks in France.  The artist and journalist discusses the attempts of some religious groups and authoritarian governments to stifle any discussion of their behavior, to the point of creating security problems, online and in the real world, for civilian companies and even individuals is the West.  The recent hack of Sony Pictures, putatively with the approval of North Korea, is the most glaring example (followed by horror in Paris).
   
So now, whenever there is some kind of disruption or an incident online, one “watches his back” and has to wonder if it could come from this kind of hostility.  Often disruptions occur for legitimate technical hiccoughs or hardware problems, but the individual journalist winds up playing detective and an adjunct to police and homeland security, ruling out something more sinister.  Jokes are not funny.
  
Earlier this week, my main “doaskdotell.com” site was down for about 18 hours, giving a “connection refused”.  Typically, when I site goes down it just hangs, but this time it was deliberately offline.  The site has shared hosting, and I was told there was emergency maintenance on the server.  I suppose it can sometimes take a whole day to rebuild a server (from various backups) if there is a major random hardware failure.  But this had been a very rare event.  And there were some coincidences.
  
Two days before, I had made some of my most provocative blog postings, although not on this domain.  Then, I got a bizarre email, saying that the “.info” domain name up for the site was due for renewal.  I wondered it this was a phish, because I had never ordered a “.info” domain.  I couldn’t find it on “WHOIS”.  The phone number in the email was different from the one on the hoting website.  But when spent twenty minutes on the phone, I found out it was legitimate. 

But you can see how hacking and phishing attacks are causing businesses and individuals to become suspicious of even legitimate offers or communications.  Remember, phishing attacks trying to take over domain names have indeed occurred. 
  
Then there was another little scare.  Back in 2002, two files on the precursor to this site (at the time, on an Unix server with the old “hppub.com” domain name) had been hacked.  The hack actually had started in the middle of a preview of an essay that discussed 9/11, that would become a chapter in my DADT-II book (2002).  The particular passage where the hack started dealt with “suitcase” nuclear weapons as possibly a weapon of future terror.  The hack had spilled onto one other file.  It turned out that the ISP had left a “Site command” backdoor open, a major security lapse that was plugged quickly.  The hack would never occur again to this day. (The overlaying material seemed to be bizarre jibberish about Russia and Finland.)

I found that while the site was down, I could view cached copies from Google through Chrome very easily.  But these two files, even in cache, could not be found.  (That was true of a few other larger files.)  I wondered if there was something sinister.  For a moment, I thought about calling the FBI. Then, I discovered that if you actually entered the title of the web page as a search argument first, the cache copy really would come up, so it did have something to do with the coding of Google’s caching algorithm, and no other sinister meaning.  Fortunately, about that time, the outage would get fixed.
   
We’ve heard a lot about hacks of social media accounts of celebrities, much more on Twitter than anywhere else (so apparently Twitter needs to do more work on its security, relatively speaking).  We’ve heard about hacks on individual accounts, where 2-step verification is seen as the major security improvement and prophylactic.  It remains to be seen if service providers and web hosts are still vulnerable directly, and the implications of any such security weakness have the potential to be quite chilling.
  
One thing to remember, coincidences do happen and can make an incident appear worse than it is.  That incident when I was substitute teaching back in 2005 gives a good example. 
    
I’ll review the book by Flemming Rose as soon as I finish it, on the books blog. It seems very important.  But religious extremists may not be the only enemies of global free speech and willing to go to any lengths to stop it.  

Friday, January 16, 2015

News site misspelled domains lead to drive-by malware


There is a Trojan activated apparently by mistyping the name of a legitimate news site, that is “nbcbews” for “nbcnews”.  It may well happen will most major companies that have sites ending in the word “news” (like fox, abc, cbs). 
  
In Windows 8.1, the computer beeps and tells you that you have a “Trojan detected”.  It seems to be trying to get you to download a fake antivirus.  Curiously, the beeping doesn’t stop if you turn off the machine and turn it back on in Windows 8.  But it does let you Restart the machine completely.  When the machine completely restarts (and resyncs the Windows register) it stops and the machine works normally.
  
A Webroot Secure Anywhere scan did not show any threats. 

Update:

I was using Google Chrome on an HP Envy when this happened.  I am told that the "freezeup" is likely to be a browser problem and not a true threat.  I will check further with Webroot, Google, and possibly CERT for more information on the problem.  I didn't try this on other browsers, but it may not be reproducible according to what I was told.  One interesting observation: after Restart, Chrome didn't say it was improperly shut down, as it often does.  But after Restart, and closing everything and reopneing. everything worked normally.

The "web page" may well have been associated with a "tech support" scam where the consumer is supposed to call an 800 number to unlock a computer (but paying in bitcoin sounds rather unlikely).  I've gotten repeated landline calls from one number in India known to be associated with a "tech support" scam.  I don't answer robocalls.  

Friday, January 09, 2015

Several major sites served ads with ransomware affecting users with older browsers (the Kovter trojan)


CNN Money, in a story also run by The Washington Times and the Webroot Threat Blog, is reporting malware in ads served on Huffington Post and AOL’s network, was well as the men’s magazine FHM, the Los Angeles Weekly and the Houston Press. 
  
Apparently the infections started in October and were detected by a computer security firm Cyphort around Jan. 3.  It seems that the affected sites had removed the ads by Jan. 5.  The malware is called Kovter.
  
Reports indicate that computers could be infected even if the ads were not visited, merely by the way they flash embedded images and videos (which are implicit “visits”), changing servers quickly and difficult for anti-virus software to detect.  However, it appears that only older browsers are affected (through Internet Explorer 8).  It appears that newer versions of Firefox and Chrome block the malware). 

The symptom is that the computer is locked, with mouse and keyboard not working, and a warning that the computer contains child pornography, and a demand to pay ransom in Moneypak or something similar like bitcoin. 


Anyone who visited AOL or the Huffington Post during the first week of January (as I do) would have been exposed to the virus, but would not be affected if using a modern browser.
   
It’s unclear if the newest Microsoft security updates would stop all such malware from working.  The CNN story by Joe Pagliery is here.  It includes a video about CoinVault or CryptoLocker-type malware.

Advertising forms the “business model” backbone for all the free content we get on the Web today, as well as for services that support user generated content – social media and blogging platforms.  
  
Theoretically, an ad on one of these could have caused an infection on an older computer or browser if not detected first by the service provider.  I haven’t seen any statements yet from Facebook, Google, or similar companies on new security measures they will have to take to screen ads for malware problems before offering them on their networks, but they surely must see this as a serious issue. 
  
I’m trying to find out how well modern security products (Webroot Secure Anywhere, Trend Micro, Kaspersky, etc) detect Kovter and all other ransomware products right now.  Again, it would seem that Microsoft should be able to stop scripts like these from running automatically from ads or embeds.  Microsoft has a page on Kovter here.  Damballas has an account here. Expect a bulletin from CERT on this soon.

Tuesday, January 06, 2015

Web hosting companies can warn website owners about possible DDOS attacks, but false positives can happen



Most modern web hosts now have tools in place to detect possible distributed denial-of-service attacks (DDOS attacks)in progress against a customer’s domain.  But some hosts may be overdoing it. 
    
There were questions on the “Squarespace.com” host about seeing the “unusual traffic detected” message on the “Domain Tools” WHOIS entry showing the site title (here).   I’ve noticed this on a couple sites myself, but the same message does NOT appear when the site is queried on “Network Solutions” WHOIS.   It would seem that a site that normally has very low traffic might generate this warning if one user, in a short time, generates even 20-30 page requests, which could hardly cause a DOS situation or result in a bandwidth overage charge.
  
There are tools to block or bounce traffic from specific IP's, to interrupt a detected DDOS, or sometimes to stop invalid clicks on sponsors.  
    
Note that domain name hosts often, for sites with private domain name registration, produce warnings to inquirers about abuse or excessive lookups.
  

Sunday, January 04, 2015

New York Times reports a typical home "ransomware attack"


Alina Simone has a detailed story in the Sunday “New York Times”, “How My Mom Got Hacked”, a real life account of a home infection with CryptoWall 2.0, link here.  The article describes a particular family that did not know safe computing (particularly about opening email phishing attachments), probably didn’t keep anti-virus software maintained well, and didn’t keep flash backups or cloud backups.

It also describes the psychology of criminals overseas, who brag about their shadowy world, but are forced into by economies (especially in Russia and former Soviet republics) that doesn’t give them jobs.  And combatting them would require the US to get Putin to extradite them!  It’s easy to imagine this as a form of “class warfare”.  Noam Chomsky is on to something.

The article also describes the practical difficulties for most people in making payments in volatile bitcoins.

So far this type of ransomware lives only in Windows environments, but it could be developed for the Mac or for mobile devices.  On the other hand, why is Microsoft Windows so vulnerable to this kind of hijacking?  Why can’t Microsoft fix this vulnerability?
  
Along with this observation about Microsoft, note that Windows Defender and Malicious Software Tool are not considered adequate substitutes for full-blown anti-virus software.  Do all the major companies (Webroot, MacAfee, Norton, Sophos, Trend Micro, Kaspersky) catch CyrptoWall 2.0 if it is on your machine or tries to run now?  

Saturday, January 03, 2015

Webroot warns of anti-viral product "storms" with pre-cloud services


Webroot has tweeted an advisory on the danger of “anti-viral” storms, where scheduled anti-virus updates and scans degrade server performance, especially in multiple workstation envrionments, article here.

Webroot’s solution, as is some other companies’, is now cloud based signature checking (in Secure Anywhere). 
  
Back in 2001, I can remember that weekly McAfee data signature updates could take hours to download (back the at 56 baud) and install.  The process remained a nuisance well throughout the 2000’s on older machines.
  
When I was working in a “conventional” environment at ING-ReliaStar, every workstation PC had its own security, I think through Norton.  In 2001, right before 9/11, there was an outbreak of the “Magister virus” which I did not get, but many people did.  

Thursday, January 01, 2015

"Dark Web" v. "Deep Web": a distinction with a difference


This is not the most specific post of all time, but it’s well, on New Year’s Day, to note Vox Media’s explanation of the “Dark Web”, which is something different from the “Deep Web”, link here, story by Timothy B. Lee.
  
Much of the Dark Web concerns mechanisms to shield users from surveillance.  These may be users with good motives, in authoritarian countries, or they could be drug traffickers or those selling counterfeit or pirated goods (the “Silk Road”), where enforcement operations often nab “innocent bystanders” and can bring down whole sites. An important component is TOR, the “onion router”, which EFF has been saying every sincere Internet user should learn to use and support – to help those in authoritarian regimes.  Facebook is now going to allow its use in some situations.
  
The Dark Web is also associated with Bitcoin, which is popular for those who want anonymity in their transactions, but which doesn’t provide the shielding from authorities some people expect. Nevertheless, most “ransomware” demands payment in bitcoins.  There is debate as to whether most people should have at least a small bitcoin account – just like most people may need PayPal occasionally for smaller sites that no longer want to deal with the security problems of taking credit cards.
  

The “Deep Web” is different, and is a concept that applies to “online reputation”.  It refers largely to content that doesn’t get indexed by search engines, including most social media postings.  acebook and twitter posts normally don’t get indexed, but blogs normally do; (and I think Myspace used to). Lee says that some regular sites don’t get indexed, but in practice it seems that most do.  In the earlier days, sites would have forms for submitting sites for indexing, but it turned out this was largely unnecessary.  (Oh, I just discovered now with a Bing search that someone is “pirating” and plagiarizing my movie reviews “for profit”.)