Wednesday, September 30, 2015

Watch for new Facebook hoax; more on mobile privacy


There is a hoax on Facebook telling users to post legal gibberish to protect their privacy, according to the Newsy site, story here. It's called the "pay for privacy" hoax, almost a kind of scareware.
  
Tuesday, the Today show reviewed location privacy recommendations for smartphone users. For some people with inherent security problems (corporate executives, persons in bad relationships with a stalking risk) these are serious. Apple’s own privacy recommendations are here.

There is a pertinent question as to whether international politics (and terror) could increase the possibility of targeting ordinary citizens who would have been off the radar in the past.

Sunday, September 27, 2015

Microsoft BSOD error in Windows 8 underscores a vulnerability that could lead users to unknowingly get unwanted content and malware from everyday apps


Last night, while returning from a trip, I happened to look at a tweet with attached images from a particular person, and I decided to save one of them “for my own use” on the hard drive on a Windows 8.1 machine that I use primarily when playing on the road. When I tried to enlarge it by clicking on it (as is normal in Windows Explorer) the machine (a 2014 Toshiba Satellite) displayed the Blue Screen, saying it had to restart because of a “Bad Pool Caller” (Microsoft link). The machine restarted OK (taking a while). Google Chrome said it had not been shut down, and brought up the tweet on restore, and this time the click worked all right. I saved the image.

Later I noticed, in Explorer, that Windows had saved a whole subdirectory of this Twitter user’s images, about 130 of them. The images were innocuous (a few were thumbnails of other users). But what catches my attention is that this is one way unknown content can be stored on an unsuspecting user’s PC, even without P2P.

This appears to have happened because of a coding issue, either in Twitter or Microsoft or both. Instead of loading just one object, it loaded an entire class of objects. It is rather like loading an entire array instead of a single member of the array, as indexed (like in a mainframe application in an older procedural language like COBOL).

Bugs like this do happen when a subscript or index is left out, or not properly initialized, or when they “run away”.   This appears to be the result of some “unsafe code” and not malware.

But this kind of vulnerability could allow an attacker to load undetected objects, like malware, onto a user’s machine, even through a well respected app like Twitter.  It could, at least theoretically, even load other illegal content (like child pornography) on an unsuspecting user.

I have noticed that other software packages sometimes create folders with miscellaneous objects when loaded. This is true with CDs from instant cameras (as in drug stores) or when Blogger content links are saved manually. Some of the embedded objects do get backed up into the Cloud by Carbonite, for example. This has never caused a direct problem, but it could expose users to security risks from unknown or unwanted content.
  
I did run a Trend Micro quick scan and it showed no threats. I tried to run a full scan before going to bed and found it would not run while the machine went to sleep, so I'll have to try it when I have time to monitor it for three or four hours.




Monday, September 21, 2015

Apple iPhone hack reported, many relatively obscure apps affected


iPhone users have suddenly learned that they could have been affected by a hack that allowed fake apps to be installed. BGR has a list of infected apps at the end of this article, link here. The app that caught my eye was WinZip, but I haven’t actually downloaded any apps on the shortlist. In the past, the iPhone has been viewed as more closed and more secure than Droid (which I had from 2011 to 2014).
   
CNN has a similar story reporting that over 225,000 iPhones have been hacked, and that iTunes products can be stolen from compromised phones, link here.
   
The story has a video showing some iPhone security tips, including expanding the character set for PIN codes, and ways to hinder advertisers from tracking you.
   
I have not really found it practical to do a lot of work on the phone.  I usually do banking from a laptop or PC with standard firewalls and security software in place.  Blogging from just a phone has not been practical (although Facebook and Twitter are OK).  Almost no product or service is as easy to use on a phone as on a well-equipped modern laptop with fast processor and connection.

 

Friday, September 18, 2015

Safe Internet access when playing on the road (and needing to get through the bottom of the ninth)


The site Newsy has a valuable resource on use of public Wifi spaces.

It advises using a private VPN if possible, and specifically disabling file sharing. (I’m not sure if that matters if you don’t have P2P software downloaded.)

It also recommends using 2-step identification whenever possible, and “forgetting” networks when signing out.

It also recommends using only networks that require signon.


The idea that someone will eavesdrop on a conversation in an ordinary hotel room seems improbable to me.  But you have to think about some factors; one hotel in NYC has given me the same room whenever I’ve been there.  I’ve found that Bluetooth connections (like on Ultrabooks) are less stable in hotels than at home because of signal distraction.
  
Maybe the simplest tip in the smartphone era is to use your smartphone as a hotspot.  It seems to work pretty well – but your carrier needs to have a strong signal in the location where you travel. Verizon seems to have the largest coverage area in the US.

 

Thursday, September 10, 2015

Russian state-sponsored malware hosted from servers in poor countries, hidden in satellites


This story, tweeted by Webroot today, may not seem too relevant to home users.  It seems as though the Kremlin is using satellites to store hidden methods in its cyberespionage, which could affect some American companies (such as computer vendors).  The cyberespionage is served from malware hosted mostly in Africa, especially in poor countries like Somalia or the CAR.  The story is here.

Tracking this activity should be something the NSA knows how to do, although not without spying again on American companies and sometimes users.

I guess we can ask, is Vladimir Putin a psychopath?

Wednesday, September 02, 2015

Another silly Chrome hijack scareware attack; also, Mac offers a big security update to OS 10.10


Late last night, on my HP Envy under Windows 8.1, I observed another Chrome hack, when I was on a troubleshooting site called Wikiguga, investigating a spurious error when I installed a new iMovie on my Macbook (for what it’s worth, the iMovie still works OK). All of this, by the way, came as a supplement to Mac OS 10.10.5, OS Yosemite, which included a new iTunes, and is supposed to have major security improvements, possibly to address issues covered last month; the whole process took about 30 minutes and did consume some of my time!
I suddenly got one of those red-and-white “System Error” web pages (on the Envy) with a female voice (sounding like a hooker) advising me to call the 800 number at the bottom to release the page lock (and pay on a credit card, to be sure).  The History trace shows that the Wikiguga got redirected to “adcash.com” (an apt name), and then to “jz1sf.internet-security-alert.com”.

The rest of the computer worked OK, just Chrome was locked. So I pressed the power button twice and “restarted” Windows 8.1. This time, when Chrome came up, Chrome, curiously, did NOT say it had not been properly shut down, and Chrome did not invite me to visit the fake site again.

Why doesn’t Google Chrome fix the browser so it can’t be hijacked by a malicious website redirect?

A Webroot Secure Anywhere scan (after a full “correct” restart) was clean and showed no executables had been loaded.

So this is a very transparent and silly kind of hack (probably from Russia or eastern Europe) that would work only on the most gullible. I don’t know if the FBI dedicates any resources to stopping these. Maybe it’s part of Vladimir Putin’s way of getting young Russian dads some income.