Thursday, November 26, 2015

EFF compares digital security encryption to home security systems, in opposing government calls for back-door decryption to combat terrorism


Cindy Cohn, of Electronic Frontier Foundation, left a compelling essay for Thanksgiving Day, “Stronger Locks, Better Security”, link here.

The piece is motivated by the idea that tech companies should provide a “back door” decryption for the federal government to use in anti-terror investigations, albeit under court supervision.  This would be accomplished by Apple and other companies keeping “highly secured” copies of decryption keys put on mobile devices somewhere in an Iron Mountain (or Cheyenne Mountain) facility, maybe to be secured in a manner comparable to NORAD.

Cohn offers an analogy to homeowners installing sophisticated home security systems and installing pick-resistant deadbolt locks.  The latter, made mainly by Medeco, became popular in the 1970s, first with apartment dwellers in New York City.  If the government required homeowners to install less secure physical perimeter security, homeowners, especially those who live alone or where both spouses work or travel heavily, would be unacceptably vulnerable to crime and even become uninsurable.  So the same analogy holds for security of one’s computing environment and one’s own social media accounts, websites, and particularly mobile communications.  If one is forced to deal with weaker mobile security, inevitably (especially for women) stalkers and criminals would present an unacceptable risk even if police could more easily intercept major plots.

So the overview is that security is really morally a matter of personal responsibility.  That sounds fine for libertarians, and suits the 2nd Amendment lobby.  But sometimes the whole is more than the sum of its parts.

Tuesday, November 24, 2015

Norton Firewall squawks on an older MacBook


I got out an older MacBook this morning (from 2011), with the Mac OS 6.8, and tried to give it some maintenance use and found the Norton Firewall blocking access to updating Adobe Flash, and for a while to Blogger postings.  It had never done that before.

Not sure that it means anything, may have something to do with an outdated operating system.

It is getting difficult to keep computers more than four years old up to date and running properly.

Monday, November 23, 2015

ABC sponsored story from Norton raises an iceberg: drive-by website infection, maybe steganography


Monday, ABC News offered a sponsored story from Norton, about the risk of getting malware from “drive-by” sites, where merely opening the page can load malware (or “scareware”).  Some of these may be misspellings of well-known commercial sites, especially news sites (like when “news” is mistyped as “bews”).  Commercial anti-virus vendors don’t always catch all of them (especially the “scareware” which doesn’t load an executable).

One possibility is for sites to be hacked, as has happened even with news sites.  Recently, a major church had its site hacked and replaced by Viagra ads, with the attacker traced to Russia.

 Unfortunately, the church had not backed up everything off-line, and apparently was running its own server rather than using a professional hosting company.  It has changed that practice, and now will use FourSquare (which is pretty good about warning about unusual volume or possible DDOS).  Webroot has written about this possibility, mostly in the area of SQL injection attacks.  There is the imagined possibility that illegal content could be loaded this way, posing legal risks to owners perhaps.

Shortly after 9/11, security experts expressed a concern that enemies might hack sites (even small amateur sites) to send “steganographic” instructions to other operatives.  Discussion of that possibility in the media pretty much had stopped by the end of 2002.  But in April 2002, two pages on an older legacy site of mine were hacked with material related oddly to nuclear terror and Finland.  This was reported to the FBI.  But the incident has not recurred, and no real-world attack related to the contents of the hack has ever happened.

The possibility of steganographic attacks could lead to the idea that websites with low volumes or infrequent updates by the owner should not be allowed to stay up.  On the other hand, such an attacker risks being discovered if the owner regularly and randomly checks the site even if it isn’t updated a lot (including checking directories for unlinked files).  It’s at least conceivable that an attack could be detected in advance any time a public web page is involved.  So that’s a natural deterrent.

The recent events in Europe seem to have been coordinated with off-the-shelf encryption products installed on the mobile devices themselves – private conversation that is pretty much the cultural opposite of publishing and steganography. The main debate now seems to be whether tech companies should be required to keep copies of encryption keys (the “back door”) so that law enforcement could intercept terror attack plans, with court supervision and proper warrants or subpoenas.
Still, there’s a chance that the old 2002 debate will return.
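
The owner-side check mentioned above (comparing the site with a known-good copy and looking in directories for files no page links to) can be scripted. This is an added example, not part of the original post; the function names, the `index.html` entry point and the sample site built in `demo()` are assumptions constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

LINK_RE = re.compile(r'(?:href|src)\s*=\s*["\']([^"\'#?]+)', re.I)

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def linked_paths(root):
    """Collect local files referenced by href/src in the site's HTML pages."""
    root = Path(root).resolve()
    found = set()
    for page in root.rglob("*.html"):
        for target in LINK_RE.findall(page.read_text(errors="replace")):
            if "://" in target or target.startswith(("mailto:", "//")):
                continue  # external link, not a file on this server
            base = root if target.startswith("/") else page.parent
            dest = (base / target.lstrip("/")).resolve()
            if dest.is_file() and root in dest.parents:
                found.add(dest.relative_to(root).as_posix())
    return found

def audit(root, baseline, entry_points=("index.html",)):
    """Compare the live tree with the baseline and list files no page references."""
    current = snapshot(root)
    referenced = linked_paths(root) | set(entry_points)
    return {
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
        "unlinked": sorted(f for f in current if f not in referenced),
    }

def demo():
    """Constructed sample site: take a baseline, then make two unexpected changes."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "img").mkdir()
        (site / "index.html").write_text('<a href="about.html">About</a><img src="img/logo.png">')
        (site / "about.html").write_text("<p>About this site</p>")
        (site / "img" / "logo.png").write_bytes(b"constructed-image-bytes")
        baseline = snapshot(site)  # known-good state, kept off the server
        (site / "about.html").write_text("<p>About this site</p><!-- unexpected edit -->")
        (site / "img" / "notes.txt").write_text("file the owner never uploaded")
        return audit(site, baseline)
```

The baseline only helps if it is stored somewhere the web server cannot write to, since anyone who can alter the pages could otherwise alter the manifest as well.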

Thursday, November 19, 2015

Kaspersky squawks about new routers from Xfinity; has Microsoft turned the corner on security with Windows 10?


I did install the new Comcast-Xfinity Arris modem-router for higher 5G speed yesterday.

I note that Kaspersky gives me a warning on it in Windows 10, but other packages (Webroot and Trend) do not.

The MacBook says it does meet WPA2 standards, so I don’t know why Kaspersky flags this (it flags a lot of things, and Windows 10 sometimes encrypts images I want to see).

Nick Wingfield has a detailed article in the New York Times on Wednesday, “Microsoft sheds reputation as an easy mark for hackers”.  It does seem that Windows 10 has gone to some lengths for security.

However, YouTube shows some detractors.

On the router, I "redacted" the evidence just the way the CIA would.
and this is what the Mac says.


Wednesday, November 18, 2015

Anonymous helps Internet companies infiltrate ISIS misuse


NBC News has republished a major Reuters story this morning (and put it on Facebook’s news feed) about Anonymous and its own attempt to snarl ISIS with “ethical hacking”, rather like the character “Q” in recent James Bond movies.  The story is here.  The story also links to another account of new cybersecurity in Britain.

The group says it has helped close down ISIS-related Twitter accounts (could it get some of this wrong and close down a legitimate user?) and has posed as possible recruits to gain access to Dark Web sites and encrypted messaging apps, which are becoming controversial.

As noted yesterday, it appears that terrorists use off-the-shelf messaging apps (like Telegram) and “go dark” before an operation starts.  There is controversy over whether a mandated back-door (for NSA or other law enforcement access) would open ordinary users to more crime, or to government intrusion not related to terror (for example, taxes).  A major issue seems to be that Apple has placed the encryption tools on the phones themselves but does not keep copies of them for subpoenas.

Saturday, November 14, 2015

"See Something, Say Something" can result in bizarre findings on the Internet (like supposed Muslim body-shaving); maybe a bizarre DDOS side-effect?


I’ve encountered a very bizarre issue in Windows 10, that may or may not be content-related.

Following up on the news stories about the horrible events in France, I was looking at some old material on 9/11 late last night, and was curious about stories that the 9/11 hijackers had shaved their bodies in their motel rooms the night before.  (This may have been just in Boston.)  I found a Slate article that gave me a “forbidden” error 403.  Then Windows 10 hung, and I had to restart it with the power button.  When Windows came back up, I entered just “Slate.com” and got the story and link.

Today, I got the error 403 again and the system seemed to slow down.  So I restarted it, this time “legally”.  I tried the link on an older Windows 7 machine and it worked fine.  But in the past, Slate (and a few other big news sites, especially Major League Baseball) could cause Windows to hesitate momentarily on Windows 7 (it doesn’t now).

It’s possible that the error happens because of Kaspersky, too.

It is possible for an Apache server to deny public access from a specific IP address, which is a tool used to control DDOS attacks.  Possibly the server thinks my address is compromised (if it has experienced a DDOS recently), but only in the Windows 10, Kaspersky environment.  This is rarely done with ordinary users.

Of course, the content of the article is provocative.  It is conceivable that another passenger (particularly a gay male) might have noticed this about the men who would turn out to be the hijackers while in the airport terminal.  Should he have said something?  Apparently the ritual has some religious significance, and could indicate that the practitioner expects to end his life.  That definitely fits into the “see something, say something” idea.

It is possible for “ordinary bloggers” to get tips on the Internet.  I got a few in the first few years after 9/11.  In fact, some people got a bizarre email on Sept. 1, 2001 that was thought to be spam or malware (I remember seeing it on my old Compaq laptop computer in a motel, as I was away in Canada Labor Day weekend that year, living in Minneapolis.)  I believe I got what looked like a warning about another Indonesia bar attack in the fall of 2002, and called authorities (and indeed there was a bust three days after I called).  The most recent such message came in 2005, concerning the history of OBL, and I did spend about 20 minutes talking (by cell phone) to an FBI agent in Philadelphia about the email.  These have become less common as social media has taken over, while emails like this are more likely to be just spam (or malware) than they used to be.

Friday, November 06, 2015

Washington Post examines growing concern for security of Linux kernel


The Washington Post has a huge front page story about the Linux kernel by Craig Timberg today (Friday, November 6, 2015), along with the strange history of its creation and author, Finnish software engineer Linus Torvalds, link here.
 
The unusual business model (or lack of model) for the way this product evolved as open source is quite remarkable.

There is a long discussion of the relative security of various operating systems, how Windows has been viewed as less secure and less stable even though it is the most versatile on personal computers.  (Some Apple fans will question my assessment of  “versatile”).  The Linux server (as opposed to Unix) has become rather standard for industrial and commercial servers.

So there is concern whether this introduces a strategic vulnerability to our entire infrastructure, especially the power grid.  Torvalds says, simply don’t connect the power grid directly to the Internet (which seems to be part of his answer to Ted Koppel’s book “Lights Out” which I’ll review soon).  He also indicates that his creation of the system was personal in nature and motive. Torvalds also says that if he had to worry about the theoretical possibility that someone will be mean enough to circumvent any possible security strategy, he could never get anything done.  I echo that sentiment.

I recall that a co-worker from the 1990s, Tom Oehser, created a version of Linux that fit on one floppy (popular at the time, in the days before USB drives).  It’s still available here.

 I tried it once when living in Minneapolis, maybe in 1999, with an old Everex laptop.  Tom believes in self-teaching, and once told me he ran an early Internet server back in 1994 from a 386 machine in his own home.

Tuesday, November 03, 2015

Kaspersky is very quick to block advertisers on mainstream news sites


Here’s something interesting about Kaspersky.  It blocks pop-ups from some advertisers on major established news sites (like CNN) as “phishing” sites.  But it does seem to cast a very wide net, not giving any advertiser the benefit of the doubt.

With most major corporate sites, Kaspersky still sometimes seems to expect “https” to be offered, and will flash a warning about the security certificate even if I simply key in the domain name (with no http).  This does not happen with sites that have converted to all https (Washington Post, Electronic Frontier Foundation).

Kaspersky seems to have the strictest environment for Windows that I have ever encountered.  Wikipedia says that the company is headquartered in Moscow, with holding company in the UK.   I wonder how it survives in Vladimir Putin’s country, whose whole economy seems to be predicated on worldwide Internet crime.
 
I’ll note here today that I am reading Ted Koppel’s “Lights Out” about the way weaknesses in corporate security for power companies could bring down major parts of the US grid (especially vulnerable to rogue state enemies), and will discuss in a book review soon.