Sunday, January 24, 2016

Do most users really need password management systems?

Brian X. Chen, in his column “Tech Fix” for the New York Times today, writes “Apps to manage passwords, so they are harder to crack than ‘password’”.  That sounds pleonastic, like saying “every hour is magic hour.”

Chen raises the idea that it’s theoretically possible for the company hosting the password app to be hacked. I fear more that it would break down, and that I wouldn’t be able to get into anything.
So I have a practice of keeping printed or handwritten sheets of my passwords.  They have to be put away.  I take them with me on trips.  But of course, I can imagine security disadvantages to even this practice.

I have several cloud accounts, but don’t network the machines.  I carry USB backups to other machines and let Carbonite make multiple copies.  And I keep one copy in a safe deposit box.
Today, I got a badly formatted email from Akismet (spam protection for WordPress) indicating that my credit card had expired.  But when I went to the site myself, I found it had billed successfully this morning (Jan. 24). I saw no usual signs of spam, so I’m still investigating.

One other tip on security for financial accounts:  simply check them often.  At least once a week.  Remember what you did.  Where this gets testy is if you travel off the grid, into remote areas or less secure areas overseas.

Monday, January 18, 2016

Hackers busted in Europe for .NET trojan that can carry ransomware

SC Magazine, for Security Professionals (UK), has reported the arrest in Norway of hackers using Microsoft .NET to propagate ransomware.  Webroot tweeted the story today.

“.NET” is an object-oriented application design facility available since Microsoft XP (maybe earlier), often taught as a desired IT skill.  It was hot in the job market in the early 2000s, when other skills were down.  It is still frequently a desired skill in many jobs.

It is used by Microsoft Expression Web, which replaced FrontPage a few years ago.

Microsoft often does major updates, including security, to its .NET platform.  Some of the updates are rather large, but I suspect this story will lead to another large update soon.
The Trojan is called Megalodon HTTP.

Sunday, January 17, 2016

New Year's Resolutions; a warning for people who do their own web hosting

I’ll pass along Webroot’s eleven New Year’s resolutions for 2016 here.  Most of them are no surprise.  How about 2-step verification?
The “freeze your credit” item has an alarming statement.  I haven’t heard of people not being able to get at their own ordinary checking or bank accounts after ID theft.  True, I watch mine pretty closely. Credit cards have been closed and replaced, but not underlying accounts.  Also noteworthy is the comment about major companies' ability to protect passwords, even when encrypted.
Last night, I was at a party at a bar in Washington (Maddy’s) for Electronic Frontier Foundation. Some of the guests had attended a conference by ShmooCon.

More dribs and drabs from the conversation will show up soon, but one remark on Internet safety caught my attention.  People who try to run their own dedicated web hosting servers (without professional hosting service companies) need to be very vigilant about firewalls.  Otherwise, pirated movies, porn, and worse (maybe child porn) can wind up on their servers, creating potentially critical legal exposures.  There was some discussion about Kaspersky Lab, and its ability to protect western consumers despite the influence of Vladimir Putin.  But I've found its security to be the strictest ever. There was also acknowledgement that so far, modern Mac users rarely really "need" anti-virus software the way Windows users need it -- although we keep hearing about more Linux security issues.

Monday, January 04, 2016

Imdb "official site" links may sometimes be corrupt (or directed to malicious sites) as well as expired; safer to look up oneself

Tonight there was an incident when I was on, and went to look up an “Official site” for a small film.  The site seemed to be the name of a director appended with a “.net” and a link saying “Enter” but Kaspersky intervened and warned that another redirection site ending with “.ru” (Russia) might contain malware.

Domain Tools shows that the individual’s name is associated with a .com and a .net domain.  The “.com” looks more credible.  So there is at least a possibility that a malicious party somehow manipulated the link on imdb to go to a different site; or it is possible that the “.net” was intended but itself might have been hacked with some kind of redirect. It would not be easy to tell what is going on until a security company, or security personnel at the hosting site, examined the situation.

Sometimes “full site” links given on imdb no longer exist, or sometimes are found to have been “parked” and are for sale.  In at least two other cases they were overlaid with sites in Chinese that appeared to be legitimate consumer goods sites (women’s wear).  However, there does seem to be an issue with relying on “official sites” on imdb;  it is better to look them up oneself on Google or Bing.

Full Kaspersky scans of my environment (Windows 10) after restarting find no malware.

Kaspersky sometimes intercepts adware on regular news sites and warns about “phishing links”.

I did find this link, 3 years old, on an .htaccess hack in older versions of WordPress with plugins that cause redirection.

Friday, January 01, 2016

What about PII that is never published on social media but stored in cloud accounts?

The recent story about aggregation of voter data (on the ID Theft blog today) reminds me of another idea:  the possibility that PII of others is aggregated on a personal hard drive, or particularly Cloud space, and could be hacked.

I never post PII on a public space for any reason, and I’m pretty judicious about letting others know my location most of the time.  I don’t announce my trips or events on Facebook.  I don’t have the degree of social connectivity that could use Snapchat, or constant texting of others as I often see in bars.  (That also raises questions about appropriate use of Twitter messaging, as I discussed on the main blog Dec. 4).

I do have PII of a few individuals on various hard-drive files, that get backed up in the Cloud.  It’s not that many.  There may be a few emails with some specific correspondence (outside of official business with banks, for example, where email is secured and encrypted). It’s not that many.  A few relatives, a few other friends, some from the family.

I also have a personal diary file, which is never published, with code names for people and events (although dates are real).  You could say the file is effectively encrypted, and would be very difficult even for the NSA to decipher (not that it would particularly want to). So while it is theoretically possible for unpublished PII from my personal hard drives and clouds to be hacked, it would be very difficult for a hacker to know where to begin to look and to make any use of the information.  Also, I don’t network my computers.  I move the data physically and keep thumb drive backups.  (Optical would be a good idea, just in case of EMP).  I even keep some thumb drives in safe deposit boxes.
I do recall, back in the 1990s, the government (in an interview with a former CIA official) claimed that there were ways to get at personal (unshared) data if it really wanted to.

One issue to keep in mind is saving passwords on PCs that are left in a house (even with normal home security), particularly when going on a long trip (none are scheduled right now).  That would include passwords to major social media accounts, bank accounts, and cloud accounts.  Two-step verification is desirable.  It’s also desirable that any PC require a logon with a password to even be used.