Wednesday, May 27, 2015

Glitches (involving non-standard characters in text messages) and WiFi hacks can disable iPhones


Recently, some Reddit users discovered a major bug in the iPhone iOS that causes it to crash and reboot (accounts are varied) if it receives a specific sequence of non-Latin and Arabic characters in a text message.  Since this is so unlikely by chance, it’s apparent that pranskters could target specific users. CNN money link is here. The Guardian has a similar story here.   Some experts recommend disabling the preview of text messages (which appear on your film when you hear a bing). Some say the iMessage is wiped out, but messages can be sent with the iPhoto app.  Temporarily, iPhone owners can disable notifications of messages (not too convenient in a disco, and maybe not when waiting for a cab or for flight status).  

  
Another report says that a WiFi hack can disable all iPhones and iPads in a particular area, link here
   
Apple is working on fixes for these problems and updates should be expected soon.  Another problem with iMessage was already fixed.


Update: May 29

Apple has announced a temporary fix here.  You need to read its linked explanation of Siri, which I have never used.  Don't know it this works on iPad, too. 

Tuesday, May 26, 2015

Latest phishing attack: jobseekers (and "volunteers")


Here’s another little spammy phishing scam to watch for.  Emails that send resumes to individuals that don’t actually operate a company that employs people.  The pattern is that they offer to “volunteer” or “intern”.  In the cases I have seen, the email address shown doesn’t match what the mouse drag shows, and there is usually a Word attachment, which probably delivers malware.

I have to say, too, that the tone of a lot of these emails is rather childish and patronizing.

There's another scam trying to get sites to join Ebay.  
  

Wednesday, May 20, 2015

Upcoming browser fixes for TLS LogJam vulnerability could make some websites inaccessible


The Wall Street Journal is reporting, in a Business and Tech article by Jennifer Valentino-DeFries, that a planned fix to a bug in the Transport Layer Security  called LogJam (previously known as Freak) could make some websites (up to 20000 of them) inaccessible.  The link is here.

Firefox and Google Chrome (and presumably Internet Explorer and Safari) will implement the fixes soon. Firefox may have the fix even this week, and will update when you open it.  It is believed that only sites with certain kind of security would be affected, but this is not yet entirely clear. 
  
Recently, on two separate episodes where I got “connection refused” or “reset” for about twelve hours, one of my sites (on Windows Server only) was inaccessible on two occasions earlier this Spring.  I don’t know if a problem like this could have been involved, because the ISP has not told me what the problem was other than “server issues”. 

 

Monday, May 18, 2015

Newsweek reports on Russian malware, and the danger of "air gaps" to critical infrastructure otherwise off the web


Newsweek seem to be staying in print, with some startling issues, including May 15, 2015, with a big color story by Owen Matthews, “From Russia with Malware”, illustrations by Oliver Munday, link .
  
The most startling concept discussed in the article is the idea of an “air gap”.  This would allow a hacker to access a facility (like the control of an electric utility, even a nuclear reactor) otherwise totally isolated topologically from the public Internet, through wireless routers in the facility.  It would seem that workspaces around critical infrastructures need to be hard-wired and not depend on wireless.  It’s not clear whether employee cell phones could even provide some kind of point of entry.
Concerns like this come up in protecting the power grid, as well as transportation systems (like aircraft, and even remote controls on trains becoming more critical, as in relation to the recent Amtrak accident).
  
However, “amateur” or “lone wolf” ideologically inspired hackers are unlikely to have these kinds of skills.  They are more likely to be hired out by states, like Russia, China, and particularly North Korea.  But ISIL might be able to acquire this capability.

Sunday, May 17, 2015

Hacker claims to be able to access airplane's control system from his laptop


CNN, in a story by Evan Perez, is reporting that a hacker, Chris Roberts, claims he could hack into a plane’s flight control system, from a laptop with a USB cord into the airliner’s entertainment system. The CNN story is here. The FBI has a search warrant on Roberts in New York State here  regarding items seized from Roberts in Syracuse in April.
    
The story could be significant because some administration officials have hinted that at some point passengers might be prohibited from bringing all electronics onboard.  That could force passengers to ship their electronics ahead by UPS. Could the same thing be possible from an Amtrak train?  

 

Friday, May 15, 2015

Fake survey pop-ups appear designed to load bloadware, adware


This evening, when I went to a somewhat shaky news site, there was a popup (in Chrome) inviting me to take a Comcast survey.  This sounded fishy.  
  
I noted in the Chrome history that “homepage-web.com” had been accessed, and found in the literature mention of a “homepage-web.com” hijack, here.  This appears to be “bloatware” or unwanted adware, which replaces default search engines when certain free apps are loaded. 
  
I am checking with Webroot on the issue.  However a scan (after a complete Restart) showed no threats.  It is possible for a zero-day threat to exist, which means another scan should be run some hours after Webroot has had time to examine my question. 
  
Generally, one should not respond to popup surveys that purport to come from major companies but may install malware or bloatware.  There is a survey that gets loaded if you misspell “Facebook” and loads bloatware; there is another one that loads if you mistype “bews” for “news” in several major news sites.  Some may try to sell “fake” anti-virus software.


Update: May 16

Today, I found that while Bing comes up as a default web page in Chrome, but the "homepage" at the top was "homepage-web.com".  It also showed up in Chrome history again.  I was able to get rid of this by following the instructions in Chrome help (go to Settings), and then doing one more Windows 8.1 Restart.  So this appears to be a minor "bloatware" infection that got past Webroot at first.  I'm checking to see if this should be flagged during screening.

Update: May 19 

Webroot says that it does not flag these as threat, but as PUA's, "potentially unwanted programs". 

Tuesday, May 12, 2015

Phishing still seems to be the biggest vector of malware; identify "cyberscum"


The Denver Post has a nicer primer on staying ahead of cyber “scum” here, tweeted yesterday by Webroot. 
  
Note the emphasis on not falling for simple phishing attacks, and the simple explanation of how phishing works.    This article makes phishing look like the main source of malware, still.
   
I’ve noticed that some phishing emails are better able to mimic a legitimate sending address, such as one yesterday claiming to be from Apple iTunes.
  
I’ve seen emails that are pretty silly.  No, you can’t get a (legitimate) service of process by email.
   
Since I have email spam filters and comment spam filters, I could miss messages that law enforcement sees as significant.  For example, a threat by email probably would be filtered out automatically and never be read by the recipient, and the same is true of comments on most blogs. 
  
   
Above is Trend Micro’s primer on phishing scams.



Sunday, May 03, 2015

Security experts more concerned that news and non-commercial sites face increasing hacking and snooping risk unless they start using encryption everywhere


Recently, there has been more attention to the idea that unencrypted web traffic can be dangerous to users in ways other than just the obvious risk inherent in sites that you have to log on to (for credit card or financial transactions or for conveying any PII). 
  
It is possible for ordinary video to be hijacked, with users redirected.  DNS redirection is possible, and of course viewing habits can be spied on by governments, as discussed in this Freedom Press blog article by Kevin Gallagher, here.
  
Tim Lee, on a story for Vox media, reports on a grim-sounding attack on Github, after posting materials supposedly censored by the Chinese government.  Code from Baidu was used without Baidu’s consent to insert malware, knocking the Github site offline, link here.  News media report random hacks (sometimes from religious radicals) on a few scattered small business sites around the country (but these seem to have been commercial and would normally have been encrypted).  A few small newspaper or television stations have experienced hacks.  But major corporations, retailers and governments have also experienced hacks (despite having encryption).  And of course the Sony data breach was huge, and involved non-commercial areas, but may have been an “inside job” of some sort involving administrator privileges leaking.   It’s possible that an attack could occur not on the site itself but through the PC used by the business owner to maintain the site. 
  
  
I experienced a bizarre attack on my old hppub.com site (now doaskdotell.com), when it was on a shared Apache server, in early April 2002.  The Unix “site command” had been left open, and I don’t think that the hack was similar to the Github one.  This hasn’t happened since, but the material is on a Windows server now, which could pose its own risks. 
  
After 9/11, security experts expressed a concern that foreign terrorists could hack amateur websites with “steganographic” messages to launch attacks. But this sort of event has not been reported as actually having happened.
  
Recently, my “doaskdotell” site has experienced two 12-hour-plus outages (within three months), in a shared hosting environment, when there had been none for years.  I have not gotten any feedback that security concerns were involved, however. 
  
The idea of requiring all of the web, even non-commercial sites, to be encrypted is being discussed now in some places, and the feasibility (for me at least) is something I will take up on my main blog very soon. But encrypted sites, even news and non-commercial sites not requiring log-on or even not carrying advertising, could be more resistant to foreign terrorist hacking or malice. 
   

This is surely a developing story.  

Saturday, May 02, 2015

Users should consider Chrome extension to protect Google password use on non-Google sites


Webroot is recommending that Google Chrome users download the new Chrome extension that warns them when their Google account passwords are used to sign on to non-Google sites, as in this story.  It's not clear whether 2-step logon would occur.  Google's own explanation is here. 
      
I’ve noticed that it is common for many sites (like ticket vendors) to allow users to sign on with their Facebook or Google accounts rather than specific accounts for those vendors.  Maybe that’s a little dangerous (first of all, it can announce when you won’t be home).  On the other hand, when you buy a ticket to a film festival showing, you always get directed to a ticket vendor, and sometimes you don’t even remember you have an account and have trouble getting the password back. 

Friday, May 01, 2015

Microsoft warns that Macro viruses are back


Microsoft is warning that macro viruses are back and constitute the “new future of malware”, according to a story in the UK register, here.

  
I recall the controversy over macro viruses back in the 1990s, even the so-called “Concept” virus in 1996 that did nothing but caused companies to clean their servers.  And I would get irritated when people kept sending Word attachments.  I though, put it on the web in html and send me a link.  That was safer then, not necessarily so now.