Tuesday, December 27, 2016

Security odds and ends for Christmas week


Here’s a few odds and ends during Christmas week.

Trend Micro has flashed that it now offers password encryption on all your major sites (which might include websites or blogs you own, as well as social media).  This is another feature besides two-factor identification, and I haven’t looked into it much. It also offers endpoint encryption for business, here.  It’s your own private “ransomware”.

Watch out for some new phishing scams.  There’s a new one for rental house and putting homes on the market.

Webroot reports on a ransomware scam attracting victims with fake credit reports.  Webroot also reports on a new scheme for stealing cars with keyless ignition.  Car thieves also use radio signals to keep car doors from locking.

I had a situation where a garage door got stuck on open.  The garage contractor reprogrammed it.  I think it timed out because I didn’t close it in time, and that there is a firmware issue (in my specific case).  But this sounds like another possibility for hacking and a possible home security issue.

Friday, December 09, 2016

"12 Days of 2FA" from EFF (two-factor authentication)


Electronic Frontier Foundation has a valuable summary by Gennie Gebhart on “2FA” systems – “two factor authentication”, link.
  
The authentication is based on a password, where you are, and what you have.  (That's really three factors.) Sites that make you re-authenticate when on a different computer (even in your own home) are using this practice. 

EFF is sponsoring a “12 Days of 2Fa” event.


  

EFF prefers the use of hardware tokens like Yubikey when possible, as it would be harder for a totally fake copy of a regular site to trick you, and as governments could not track your smartphone use into metadata. 



Update: Dec. 23

Apple says it has turned on 2 factor identification with the IOS 10.2 release.  But Forbes says there are other problems (especially with power shutoff issue at 30%, here). 

Friday, December 02, 2016

Wordpress wants all bloggers on https by the end of 2017


Wordpress (Automattic) has announced that it sill step up work on implementing SSL, with the hope that all blogs will eventually use it (https) by the end of 2017, post here.

Since SSL works by domain name, that means accounts with multiple domains, with an owner and subdomains that actually have their own URLs, would have to be set up in single domains as subdirectories.  This would be a lot of work for a hosting provider like Bluehost and its customers to implement smoothly.

That's also the reason why Google can offer https now on blogs addressable only under "blogspot" but not to custom domains equated to blogs.  People tell me the latter can be done, but it will be a lot of work.

With Trump coming to the Whitehouse, many service providers are on edge now about "national security".

I wonder why Trend Micro has Automattic's rating as gray.  

Thursday, December 01, 2016

FBI gets authority to hack into citizens' computers and phones with much simpler warrant procedures


As of midnight this morning, the FBI gained authority to hack into computers, networks, and phones with simple blanket federal warrants, as explained this morning in a typical story in New York magazine here.

The Senate did not stop this authority.  Previously, multiple local warrants would have been necessary.


 
It’s not likely that this could affect most users (“if you aren’t doing something you shouldn’t be doing”).   It’s unclear if major computer security firewall products will prevent the hacking.  The FBI may want this capability particularly to counter terrorism and recruitment by foreign enemies (ISIS) which Trump is likely to continue.

Friday, November 25, 2016

Fake apps are like to pester companies that don't create their own; stolen identities can use fake social media accounts (esp. less popular ones)


Tonight, on Black Friday, several media sources noted that companies (selling in major box stores) that don't have their own smart phone apps are likely to find that crooks will create phony apps in their name.

The advice is to download the app from the vendor or possibly the retailer but not from an app store.

Another risk is that individuals who do not sign up for a particular service may learn that others have created accounts in their name.  This could happen with Snapchat and Instagram.  When I signed up for Instagram, I found a bogus account in my name with nothing in it, but it had to be removed first.  

Thursday, November 24, 2016

2-step verifications can now use thumb drives as security keys


Google is recommending that users of Google accounts on true laptops or desktops with USB ports, now consider getting security key thumb drives for use in 2-step verification of their Google accounts, rather than use pin codes by smartphone or pre-print.  They also recommend financial institutions offer similar products, which can work with Google Chrome.  The writeup is here.
   
Although the 2-step process now available pretty much stops password cracking, it’s possible for a hacker to entice a user with a duplicate built to look exactly like the original (and presumably use phishing to entice clicks, or misspellings, that today lock up browsers with scare ware.

Thursday, November 10, 2016

Beware of scams in new shopping apps for smartphones


Now the latest warning is to be careful of  scamming“shopping apps” from your smartphone.



Be wary of apps that don’t have any or many reviews, or that link to other apps.  Most of the rogue apps seem to come from China.

(To view the NBC News embed, turn off the https and use http.  To have to say that seems ironic on a blog about Internet security.)

Wednesday, November 02, 2016

Microsoft to patch "Fancy Bear" vulnerability on Election Day, but Adobe seems to have done all necessary patches to Flash


Microsoft plans to patch a vulnerability in its Windows operating systems from 7 to 10 on Nov. 8 (Election Day, ironically), a bug known as “Strontium” or “Fancy Near”.  The “Strontium” name seems to refer to loose nuclear waste in former Soviet republics (especially Georgia).  A British security site Itpro has a good explanation here.

The zero-day vulnerability seems to be spread by phishing attacks, especially those appealing to the “It’s free” mentality, and seem to affect Adobe.  There is some suggestion that the vulnerability originated in Russia and is intended to sabotage political campaigns.

Adobe also is warning users about the vulnerability “CVE-2016-7855” (story)

 An attacker could gain control of a user’s system when viewing an infected flash file.  Almost any operating system could be affected, but Adobe says its fixes will work on all systems.

Adobe has a blog posting on the matter here.

When I visited the download center  in Windows `0 it told me that Chrome will automatically download any new versions when needed.

Recently I did get a warning from one site that I actually thought looked suspicious.

Google has a security blog entry describing the problem here.

Some sources say that Microsoft’s Malicious Software Removal Tool (which takes a long time to update, always) already protects users.
 


Some older YouTube videos (including some embedded by me) invoke Adobe Flash, and Mac systems seem to block these by default.

Trend Micro says that it’s latest builds protects Windows users from malicious exploits possible from the vulnerability, here.

Thursday, October 27, 2016

Fed Ex spoofed in a phishing scam; other reputable sites have malvertising issues; Windows 10 update today causes a temporary crash in Trend Micro


Tonight, for the second time in two weeks, I got a phishing email on a failed delivery of a FedEx package.  The other one had come when I was expecting a package.  The giveaway is that it had a zip file attachment.

It's a good idea if you have a UPS store address to have it email or text you when it receives a package, so you know what is legitimate.

DHL has had similar issues.



Tonight, when going to a non-existent blog posting on a reputable site (tech republic) an ad (for a "for-profit university" was served, as well as a bizarre xyz domain registration page.  The trace showed loading of an ad service platform tnctrx (located in Loudoun County VA).  No harm was done, but the site seems to have a little "malvertising" resulting in adware that went bad when loading.  Trend Micro did not find any problems (processes or files) or flag anything.

Also, today, a Trend component coreServiceShell.exe was found to have crashed after finishing a routine full scan successfully (windows 10).  Trend worked normally upon restart of Windows 10, which had just done a scheduled update cycle today.  

Wednesday, October 26, 2016

How should home router owners protect themselves from potential downstream liability issues?


Parents, or people who take on roommates or housemates, or rent out rooms in a home, or who even may offer more radical services like housing asylum seekers, might be concerned about the possibility that others could misuse their routers for illegal purposes.  These could result, for example, in getting warnings from an ISP about copyright infringement or, in more extreme cases, child pornography, which can be detected automatically by places like NCMEC.

Most abuses, if they happen, are likely to have occurred through P2P file sharing or services like BitTorrent.

Can property owners protect themselves by monitoring router traffic?

This sounds like a topic about which there is mixed advice around.

ISP’s like Xfinity certainly have a record of all the IP addresses accessed by your router, but they don’t appear that easy to get at, at least according to this article.

Xfinity now sends combined router-modem units that take about an hour to set up.  The process does work if you follow the directions exactly.  You should wind up with a strong password (which you should save off line even in hardcopy) and WPA2 security standards.  This is supposed to be OK.

You can implement a modern anti-virus package that screens websites.  Right now, Kaspersky and Trend seem to be the strictest in protecting users from drive-by sites.  But “the best” changes every year, with every visit to Best Buy and Geek Squad.

One idea could be to install OpenDNS (and here).  But this does not appear to be possible at the router level if you have a combined unit. However it can be installed on individual computers, and may offer  more protection against illegal activity than standard anti virus.



OpenDNS at the router level, if possible, could protect the homeowner from incidents where someone outside the home somehow hacks into the router.  This may be more of an issue in apartments and condos (as has resulted in arrests of renters in Florida and New York State on at least two rare occasions).  In detached homes, good home security goes along with cybersecurity:  enforcing parking regulations, for example, in the neighborhood.

The downstream legal liability that a router owner could have for misuse, especially if the router owner was careless about security settings or did not install the router properly, is still a troubling and uncertain area.

This is a rapidly evolving topic.



Update: Jan.14, 2017

Further checks show that it can be done at the router level, but not all routers supplied by cable companies allow it.  It's possible to "piggyback", and it may be possible in a guest account.  I'm looking further.  The same concerns will exist for disabling P2P.

Friday, October 21, 2016

Major DDos attack against DYNDNS leads to outages for many US users; many telecommunications companies had workaround


A Major DDoS attack against a company(s) “DynDNS”  (or maybe Dynatrace -- I've seen both companies named, not sure if this is different)  that provides DNS routing disrupted Internet connections for many Internet users in the US, especially the northeast, early Friday.  Curiously, the company(s) does (do) not seem to have a press release for the incident yet.

Major platforms such as Twitter, Reddit, and Amazon were affected for some users.  But I experienced no issues starting at 9:30 AM EDT today and watched a movie on Amazon Prime.  I found out about the outage at first from Facebook user “Survival Mom”.  I did experience a 5-minute DNS holdup on my Bluehost Wordpress domains this evening that could conceivably be related, but the outage was very short.


There have been at least three attacks today, that DYN and some other companies (like Amazon especially) have spent the day repelling. 

Some users did not experience difficulties because their telecommunications providers (Xfinity and Verizon in my case – I tried both) use other services, or because their own computers cache the DNS information (which I believe Windows 10 and later Mac OS’s do). 

The DDOS came from botnets of “Internet of things” devices with malware called Mirai.  Well secured PC’s (Windows, Mac’s) with modern anti-virus protection would not have been vulnerable to becoming compromised.  But separate webcams and digital recorders (which I have but which haven''t been connected recently) could have been infected. 

Wired has one of the best stories, by Lili Hay Newman, "What We Know".
  
There are some claims on Twitter that Wikileaks engineered the attack in conjunction with the treatment of Julian Assange.  But it sounds plausible that it came from Russia or North Korea.  

Update:  Oct. 25

Dyn has a statement on the attack here

Monday, October 10, 2016

Windows 10 suddenly installs unrequested game, causing Chrome to blot out Windows icons and requiring power reset


While I was on a PBS site in Google Chrome, Windows somehow loaded bloatware “Candy Crusg Doda Mash” (which Trend marks green), and the Google Chrome screen filled up completely, making the normal windows taskbars inaccessible, and forcing hitting of the power button to get it back.

A Trend quickscan did not show any problems after full restart.

Thursday, September 22, 2016

Malvertisers apparently use "popads" and "content locking"; another Facebook phishing scam


I got this comment to the last post, “Are you looking to make cash from your visitors by popounder ads  In case you do, did you try using PopAds?  Then another comment, “Did you know that you can make cash by locking special pages of your blog/website? All you need to do is to join Mgcash and use their current locking tool.”  I marked both as spam (see the comment I wrote).  It seems this is the heart of “malvertising”, forcing users to open ads which might contain malware (even ransomware) just to view legitimate content.  Publishers should be wary of accepting ads that might try to do this.


Also, there seems to be a new phishing scheme using Facebook, taking “Friends” names and making up website names from their names and spoofing sender addresses, so that the user doesn’t suspect it’s a Facebook scam.  You would be leaded to go to a tiny url website which probably delivers malware. 


Wednesday, September 21, 2016

Spoofy news site offers bloatware behind the scenes, which security software seems to allow


Today, a site called "The Real Strategy", which tends to feature more supermarket-tabloid like stories sometimes, and which offers pop-ups, had a story on putative life on Europa, a moon of Jupiter. The story, about the subsurface ocean, is valid and is backed up by many more mainstream news sites. The site is marked "green" by Trend-Micro.  When you try to read the entire story, you get interrupted by a bloatware site saying your browser software is out  of date and offering a download.  You could not read the article without the download.

Of course, I canceled.  The Chrome history shows only a loading of "ay.gy" and offering the viewer to get paid for unpacking tiny url's.

I restarted the Windows 10 Anniversary-update computer and Trend Micro found no problems with quick scan.  I did not download anything, but Real Strategy did link to the "ay.gy" site without the user permission.  ay,gy converts to adf.ly, a "URL shortener that pays you".
 


Users should not download advertised "free" software for computer speed-up, etc., without checking the vendor separately.  It is true, there are some registry cleanup products from reputable companies.  Normally, users should stick to manufacturer, operating system provider, major browser, and major application software downloads from well-known and reputable companies which users can check out first.  Users should not download "free" software on impulse.  Some of this bloatware also comes on some YouTube ads.




Tuesday, September 20, 2016

New phishing scam offering an American Express PSK reported


Joseph Steinberg warns users about a new phishing scam pretending to offer an American Express Personal Safety Key (PSK). 

His article in “Inc” offers rather stern advice for users who realize they have clicked on risky links in emails or on malicious websites:  disconnect from the Internet, run a scan, turn machine off for several days, run another scan with an updated database.

If I am suspicious of any place I have visited, I restart my machine (Windows 10 with Anniversary Update), run a quickscan in Trend Micro and then a full scan (or on Webroot, on one machine).  Trend’s full scan takes about 40 minutes, not too long.  It’s a good idea to do at least one per week. 

Saturday, September 10, 2016

A "telephony denial of service" attack could flood a 911 emergency network (concept)


911 systems, run by states, could be hacked by a telephony denial of service attack, according to Kim Zeiter, in a story by Kim Zetter on p. A10 of the Washington Post today.

The hacker would infect a large number of mobile phones, in the firmware, which would then send bogus 911 calls, possibly with spoofed numbers making them impossible to blacklist.

Researchers have found malware in both iPhone and Android apps.  Curiously, author Edmund Contoski in Minnesota had described such a possibility in his 1997 novel "The Trojan Project".
Recently, on a Sunday morning in August, the 911 system in part of Washington DC was disabled for about 90 minutes by a cabling error by  technician. There were no critical missed responses as a result.

"Blogtyrant" (Ramsay Taplan, in Australia) predicts the development of security products to protect vehicles and smart home appliances from malware soon. 

Friday, September 02, 2016

New kind of ransomware targets Linux servers


Trend Micro is warning small businesses about a new kind of ransomware called "Fairware" which infects Linux servers.  If a business did not have its data backed up offline, it could lose everything, and the ransom extortionist could threaten to disclose consumer PII if the business did not pay.

The story is here. I don't know how well other services, like SiteLock, can protect against this hazard.

Since Linux is targeted, it sounds feasible that a similar kind of malware could be developed for MacOS.
 
Webroot is offering a seminar on encrypting ransomware on Sept. 7, online, for corporate IT security people, here

Thursday, September 01, 2016

Fake Food Lion coupons slip past Facebook''s screening and get on the network


NBCWashington and other media sources report that Facebook accidentally accepted a fake ad for Food Lion, a supposedly printable coupon with unbelievable discounts.  The link apparently contains spyware or “malverstising” ware.  This would be a trademark infringement also.  Presumably, Facbeook is removing the ad, but this one got past them. Food Lion is telling customers to be wary of this ad.  Major newspapers, including the New York Times, have had some issues with malware ads getting through.  

Sunday, August 28, 2016

Hacking a home's smart appliances


Is it really a good idea to tie all your home appliances to a smart grid?

Webroot describes a proof-of-concept ransomware attack for a home thermostat here.

Where I would wonder about this is whether elaborate home security systems could be hacked, including devices to alert you by smart phone when anyone rings your doorbell or even appears at the door.  Of course, you can’t use these when driving or in a no-phones area.

In the worst scenarios, hacking could even start home fires.  Homeowners, especially those who live alone and travel for long periods, need to contemplate the safety of any devices inadvertently left on (including power strips or surge protectors).

Tuesday, August 23, 2016

DHL package service trademark misused in phishing email scam loading adware and spyware Trojan


Many users may get spam email purporting that the user has a package from DHL, and needs to enter a delivery address and other info.

Windows users can get infected with the Troy/Bredo-AGB Trojan Horse.  It seems to get passed by opening the attached zip file

Sophos has a story, here.

Spywareremoval has a “baby talk” removal guide here. The Trojam reportedly is hard to detect with some standard anti-virus packages.  It appears that it steals credit and bank card information for possible fraudulent charges or account drains later.

The operation almost certainly happens overseas (maybe Russia) otherswise DHL could have stopped it on trademark violations.  Countries like Russia don't have many legitimate jobs for teen and twenty-something male programmers.  This is part of Vladimir Putin's strategy to attack the West.

Monday, August 08, 2016

Tiny url link to "come-on" sensational news story leads to scareware; why don't Chrome and W10 block these on their own?


Today, I clicked on a Twitter tiny url about Steven Johnson's Syndrome (a catastrophic skin disease, rare, in some young children -- look it up in Wikipedia or on Mayo Clinic) leading to “Viralplanet”, which led to a series of frames for successive pages and pictures.

The site was not marked suspicious by Trend Micro, but generally sites that behave this way to serve more adware may be riskier.  Suddenly, I was sent to ‘njyde.com” and got one of these browser (Chrome) hacks that locks up the browser, sounds a beeper, and locks the machine and demands you call an 800 number to pay ransom.

I simply hit the power button in Windows 10 to bring up Windows 10.  Chrome came up clean.  I ran the quick scan, and then the full scan (about 30 minutes) on Trend, and both came up clean.   So this does not seem to load an executable, or constitute real “ransomware”.



This seems like a very transparent hack, that not many people would fall for.  It seems it is done out of desperation, from countries with bad economies and few jobs for programmers (Russia).

Security companies should investigate “njyde”, which may be a deliberate misspelling of a legitimate site.
 
But why can’t Google Chrome and Windows 10 just block this behavior?  Why is opening a web page “dangerous”?  Chrome's pop-up blocker blocks too much.  Why is it hard for them to intercept malicious javascript?

Thursday, August 04, 2016

Flaw could enable crooks to bypass debit card chips


New credit and debit card chips could be defeated by malware that causes the reader to believe the card has only the conventional old magnetic strip and not the chip. CNN has a report here.

Others say that back end retail systems would still reject any such transactions.
 
Most retail establishments now seem to have the new readers, which had been common in Europe previously.

Wednesday, August 03, 2016

New hack of https reported: are financial consumers safe (as per "Marathon Man"?)


Dan Goodin of Ars Technica has a disturbing article about a new way to intercept https secure transactions with no need for a “man in the middle”.  The link for the story is here.
 
The attack involves some intricate programming methods called HEIST, BREACH and CRIME.

A very determined hacker could seem to be able to raid almost any bank account.  Users should regularly monitor all their accounts during normal business hours and be prepared to contact their institutions quickly.


 
A good question is how this could affect the “https everywhere” debate.

Monday, July 25, 2016

Evidence mounts that Russian malware exposed the DNC's emails "overprotecting" Hillary Clinton


Numerous stories have erupted in the past few days about emails that leaked, after a hacking attempt, that seem to suggest that the DNC would go out of its way to help Hillary Clinton get the nomination instead of Bernie Sanders. The AP has a story in the NYTimes about the FBI investigation.  The emails were posted by Wikileaks .

But technical publications claim that the hack shows evidence of specific malware from Russia, going by monikers “Cozy Bear” and “Fancy Bear”.  There is a suggestion that Vladimir Putin would like to embarrass Hillary Clinton further to help Donald Trump get elected.  But Julian Assange denies that Wikileaks took advantage of malware.



There is also an important piece on Techcrunch about the unreliability of “digital signatures” and about how large organizations are using “predictive analysis” to buttress their security.  .

Brian Ross of ABC News reports that "beyond a reasonable doubt", it's shown that Russia was behind the hack.  "Cute" young intelligence analyst Michael Weiss on CNN had some fun with this on twitter.

Saturday, July 23, 2016

Forbes paid content loads ads that lock Google Chrome browser


Today, I went to a paid content article from Forbes (linked from CNN) on the “10 best states to make a living”.  OK, #10 was Minnesota, with a picture of Minneapolis – and when I clicked to see #9 I got a full screen ad from an email marketing company.  I was able to back out of it, but when I tried it again, Chrome would not let me back out, or get back to the computer.  I had to power off the machine and “quick start” Windows 10.  I restarted it fully, and ran a quick scan on Trend Micro, which found no problems.  I’ll restart one more time and run a full scan soon. (Done now.)

This may be a Chrome security vulnerability, that it allows an ad to take over the browser and not let you out (unless you sign up).  Google could fix this.

This is obviously a security problem Trend should catch, and that Chrome should not allow.  It does not appear to be ransomware.

I think this little incident gives pause to consider how difficult it is today for some people to make a living, that they are trying silly marketing schemes out of desperation. Make America great again???

Monday, July 18, 2016

A little bit of experience with SiteLock


I did see how SiteLock works last night.  I had put two major postings and made many small revisions to one of my Wordpress blogs yesterday.
 
Later, when I went to look at the blog I got interrupted by Sitelock and had to enter a captcha.  Then it let me back in. Subsequent accesses did not throw the captcha.

Friday, July 01, 2016

Spam emails threaten companies with DDOS attacks; security companies say, don't open them


Media sources and security companies have been advising people that they could get emails threatening DDOS attacks and “requesting” ransom in the headers.  The emails come from a group that calls itself the “Armada Collective”, but the email senders may be spoofed.  Webroot says that group is no longer active, and that other criminals are spoofing them.  The wording of the emails can be quite brazen, rather suggesting that “might is right” and revolutionary in tone. 

The Verge has a story on the matter here

Email providers should mark these as spam, and users should not open the emails, but mark them as spam if they show up.  There could be a risk that clicking on any embedded link would lead to more ransomware (and most security packages would probably block).
 
AOL particularly seems to have trouble marking emails with certain sender spoofing as spam. 
   
People with landline digital voice may sometimes find extortion-style messages in their missed-call queues.  Some of them, besides threatening tax liens, may mention “federal investigations”, knowledge of home and movements, or make other threats.  Such messages, when captured by providers (like Comcast) should be sent to the FTC or FBI as appropriate. 

Tuesday, June 28, 2016

New kind of ransomware dangerous because of its "simplicity"


Luclan Constantin writes on PC World about a new kind of ransomware, so far coming only in email attachments with javascript, called “Bart” (like the subway in San Francisco) doesn’t need sophisticated encryption to lock user files in “password protected ZIP archives”.    Bart is said to resemble Locky.

It’s not clear how effectively all the major anti-virus vendors detect the malware yet.

I still think the prevalence of ransomware makes it hard for small businesses to build e-mail lists, the way blogging consultants advocate.  

Monday, June 27, 2016

2-step identification could have a loophole with texts


An article in Wired by Andy Greenberg encourages companies to use methods other than texts for 2-step identification, link here.  There seems to be a potential loophole with Sim-spoofing, and SMS spoofing as well (won’t try to explain how it’s done – leave it for Hollywood – a kind of “Now you see me 3”).  There is recommendation of the development of secure smartphone apps for 2nd level verification. 
  
“Blogtyrant” tweeted this story, shortly after announcing Brexit (one of the first Friday night).  I’d like to see his take on “https everywhere”.

Tuesday, June 21, 2016

Https for news sites? for multiple domains and multiple blogs? Still a confusing topic


I am working on the https issue with my Bluehost Wordpress sites.

SSL certificates and the capability to “convert” to https for end-end encryption is managed by a few companies (like Commodo) which seem to always work at the domain name level only.

This means that in most hosting companies, a user can have only one domain name (which can be “main” or “add-on”) with https enabled per hosting account.

For many small businesses, this is fine.  A typical business has an e-commerce facility, product information, news, and one blog.  In niche marketing (which “Blogtyrant” Ramsay Taplin advocates), this doesn’t create too many problems.  Many authors set up their own sites this way.

I have an issue because I have multiple blogs.  Typically, a domain has one blog with one install of Wordpress.  However, it is possible to set up subdomains and put separate blogs with separate installs of Wordpress in the subdomains.  This would be a clumsy process for most users, and it’s not clear how SEO would work.  A webmaster could purchase separate domains and then equate them (with A records or C-main records) to the subdomains.

Bluehost business hosting effectively does this with add-on domains (there is a subdomain concept behind the scenes in the CDN) but right now still offers https only on one of the domains at a time, which would be logically a domain with e-commerce.  It’s fairly complicated and a bit pricey.  There are less expensive ways to use a common SSL with severe limitations (on image size, for example).
 
Wordpress and Blogger (Google) can now offer free https on “free” blogs not hosted precisely because they go to just one domain (wordpress.com or blogspot.com).  So far, Google has not offered an effective way to offer https to its “Goggle domains” equated to blogs.

“Https everywhere” for news information (not processing credit cards or anyone’s PII for commerce) has not been considered necessary until more recently.  It would seem to be important in non-democratic parts of the world where users (with good reason) fear snooping police or governments.  So it would be important for webmasters who know that many of their visitors come from authoritarian countries (and when they present issues like free speech, voting, or gay rights, or even religion).  About 10% of my visitors come from these countries, in my own experience (that has included China despite bans, and particularly African and Middle Eastern countries; same for many social media followers).

BlueHost and other hosts offer collaborative security with SiteLock, which is fairly complicated in the way it works.  Usually an https domain requires premium SiteLock, which pro-actively looks for threats.

The security culture is changing.  In the future, there may be much more attention to the possibility that “small” bloggers could be hacked for ideological or political motives as well as just to steal PII with possibly severe consequences for those targeted.  I can imagine how this could play out in a Trump presidency.  So it’s desirable that hosting companies make https as “easy” as possible, and right now it’s complicated because of its nature (being shared at the root domain level).

>br /> I’m a little miffed about how Electronic Frontier Foundation’s own https everywhere extensions for Mozilla, Android, Chrome and Opera can work.  EFF points out that many news sites don’t have https for news content (the Washington Post does).  Why not the New York Times?   It shouldn’t be hard for a large company.

Friday, June 10, 2016

Twitter hack seems focused in Russia


The AP has a story, on NBC News, of a massive leak of Twitter passwords.  But Twitter has not been breached so far, and it seems that most of the accounts involved are in Russia or nearby countries.

However, a few old Twitter accounts of celebrities, including Mark Zuckerberg’s, were recently attacked, possibly as an indirect result of a hack on a different site, LinkedIn.
  
Internet users should not use the same passwords in multiple accounts.  

Wednesday, June 01, 2016

Do cloud backups protect you from ransomware? Debate on Twitter now


There’s a debate today on Twitter over whether cloud backups are vulnerable to ransomware sicne they are often “mapped” as logical drives. Webroot has joined the discussion,

Webroot says they can be infected, but higher-end products have the ability to sync with earlier backups.  Home users need to make sure they have this higher level of service enabled.

Carbonite has a more recent article on beating back a ransomware attack here.

It’s still a good idea to keep rotating usb or Seagate drive backups (the latter typically take about 90 minutes on a modern W10 machine), organized and in different locations. Keep your photo San disks, too.  Keep one copy in a safe deposit box.  Another idea is to leave at least one or two laptop computers unnetworked.  It's even better if you have both Mac and PC and use them both, frequently (including tablets). But this takes effort, and resources.  Not every family can deal with all this.

Saturday, May 28, 2016

Linked-in pw security breach; Microsoft account scam


Various sources report that Linked-In passwords were compromised by a security breach in 2012 which has affected many more users than first reported.  CNET has a detailed story from May 26 here. All passwords that have not been reset recently should be changed, and CNET recommends 2-step verification.

Furthermore, users should be concerned if they used this password on other sites, and consider changing them on those sites, too.

There is a telephone and phishing scam where the caller claims that your Microsoft account is disabled (it's not) and unbelievably leaves an 800 call back number.  These programmers in Russia are pretty desperate for $$ because of Putin's pro-natalist economy. 

Tuesday, May 24, 2016

Wordpress releases Securi report on website hacks


Wordpress has released a third-party security report by Securi on website infections, which has the disturbing conclusion that Wordpress was the most commonly hacked platform.  The company studied 8900 such attacks.  Most attacks seem to be related to plugin vulnerabilities and inadequate security maintenance by webmasters (many who self-host) or hosting companies.  The symptoms and vulnerabilities seem to vary widely.

Most of the attacks seem to be somewhat automated, probably motivated more my money than politics.

I am looking more into the question of expanding https and expanding services like SiteLock (which I already have).  The best practices for sites hosted by large companies still seem obscure, and I’ll look into this further.  The “https everywhere” issue is evolving quickly. EFF offers a browser plug-in to simulate it now. I’m still waiting to see more material by blogging gurus (like “Blogtyrant”) on security topics.

Thursday, May 19, 2016

Hospital medical equipment (as well as medical records) is vulnerable to malware from hackers


Kaspersky has a recent and detailed blog post on vulnerabilities that many medical devices that deliver treatment to patients (including chemotherapy and radiation, as well as vital electrolytes) can be hacked.
   
As with the power grid, there is a question as to why the devices would be accessible through the public Internet (a subject of Ted Koppel’s book “Lights Out”), but they could be hacked from the other side of the world.



And we’re talking about actual treatment devices, not “just” the medical records that have already been lost to ransomware at several hospitals.

A security business owner was interviewed by WJLA-7 in Washington. He inspects hospital devices for DHS, and finds serious vulnerabilities in most of them.  He opens them up and examines the firmware.  (Story aired tonight, not yet online).

Thursday, May 12, 2016

Microsoft's Malicious Software tool may be annoying slow to install, but seems important to security strategy


Last night, on a Toshiba Satellite recently converted to Windows 10 (from 8.1), it took over an hour for a “malicious software tool” to be installed, before the other operating system security updates installed, those taking a few minutes.  Closing all apps and windows seemed to help it finish.  It would help if Microsoft would provide a progress bar on this specific “install” because it takes so long.

But now Microsoft pops up an explanation that the tool will scan for computer for specific malware (probably including ransomware) with its own engine.  This may be what takes so much time (as an ordinary third party scan from Webroot, Trend or Kaspersky takes over an hour).  It says this does not replace the need for a third party product, but does give a second opinion.  So an extra malware scan does seem to come with periodic automatic updates (which happen usually the second and fourth Tuesdays of the month).
   

In the Mac environment, the need is not so clear, to supplement XProtect. 

Wednesday, May 04, 2016

Webroot describes the "service industry" behind malware, and the disturbing facts about people "employed" by writing it (blame Putin)


The Webroot threat blog discusses the concept of “Malware as a service: as easy as it gets” with a March 31 posting by Marcus Moreno, Webroot Threat Analyst .
 .
What’s disturbing is the way rather talented people look at it as a way to make a living.  This may sound comparable to making a living growing marijuana, in the day before some states gradually started legalizing it.  But malware harms people (I’ll leave aside the debate on marijuana, alcohol, tobacco) and businesses (small ones especially).

Much of the activity by “elite” programmers probably occurs largely in non-democratic countries, especially Russia and China (and former Soviet republics), simply because of poorly managed economies and poor legitimate job markets.  In fact, Vladimir Putin seems to look at exporting malware as a way to humble western consumers and businesses. Having just written this, I do have to ponder how one of the leading security vendors (Kaspersky Labs) comes from Russia.
 
But some activity occurs in the west because legitimate employment is not
 as stable as it used to be, except for the most talented.

Friday, April 29, 2016

A note on website safety ratings from Webroot (mine, at least)


Webmasters who wonder how Webroot, among other security companies, assesses the safety of websites, can visit this resource  and enter the domain name.
 
I showed the results for “billboushka.me” and “doaskdotellnotes.com”.

It does appear that newer sites with low popularity are “penalized” because many malware sites are new and pop up like mushrooms.  But that sounds like saying that a statement proves its converse (it doesn’t – it does prove its contrapositive).

It appears that the “.me” redirection (from the “billboushka” blogspot blog) got penalized because it is less conventional (Montengro).  Google assigned the name because the “.com” is in use with Verio, a small domain that may soon be removed (material to be consolidated elsewhere).

It seems that free custom subdomains of Blogger (Google) and Wordpress (Automattic) get higher safety ratings than redirected personal domains.  (Tumblr may be similar.)  That's partly because of the popularity and direct supervision of security by large, well-known companies.  It also appears that it is easier to put in https on subdomains.  But subdomains don't have the reputation of being as "professional" and offer less support if there are problems (like incorrect marking of spam blogs).  Webroot may be writing about this problem more soon on the Threat blog; I've chatted with them about this on Twitter today and asked them to talk to EFF, too.

Friday, April 15, 2016

Note on DrDOS


US Cert (Department of Homeland Security) has a major advisory about vulnerabilities to DDOS (or DrDOS) (distributed denial of service) attacks and especially distributed reflective denial of service), through exploits of the User Datagram Protocol (UDP).


 
Small businesses that use shared hosting usually expect their hosting providers to apply these advisories.  Users would be concerned about Denial of Service because of possible bandwidth charges, as well as the possibility of a site being zombied to attack others.  Doing this on one’s own involves a lot of serve side programming skills.