Friday, February 19, 2016

Major uptick in ransomware attacks on large organizations; Why does Microsoft even let this happen?

Microsoft has provided a detailed writeup on Ransomware in its Malware Protection Center.

There is a lot of attention to Crowti, the most prevalent infection in 2015.  Data cannot be recovered without paying “ransom” in bitcoins.

The second most prevalent is FakeBsod, which seems to be “scareware” because it can be avoided by using the Task Manager.

Microsoft says that its MSRT (Malicious Software Removal Tool), which typically takes a long time to install, will disable these items.

But what seems a mystery is why Windows would still be vulnerable to this kind of attack from an executable in the first place.

They are most often encountered in phishing attacks, or sometimes with redirects on malicious websites (sometimes by keying in misspelled names of popular sites, especially “bews” for “news”, which often results in scareware attacks).  Some are “browser hijacks” that don’t load executables.  To avoid this problem, it's safer to enter news site names into search engines first to check spelling.

CBS News is reporting a dangerous escalation in ransomware attacks, as in this story, which reports on a major infection of the data center of a California hospital.  In some cases, companies, hospitals and even local government agencies have "paid up".

Here's a video on how Cryptolocker "works".

Wednesday, February 10, 2016

Norton warns me on a sales site that all major security packages pass on

Today, a particular site that I use to promote one of my books gave me a security warning when I checked it on a different computer, at a car dealer’s, while my car was being serviced.

The environment was Windows 7 with Symantec Norton as the security product.  I do not use that on Windows at home.  However, the same web page was all right at home when re-checked in Windows with Kaspersky, Trend Micro, and Webroot.  I’ll check it soon on an old Mac with Norton.

It seems more common for some security packages to warn on sites for “phishing” or malware even when they seem not to be guilty.  They may be depending just on user reports.

Update: February 13

I checked the site with Norton on an old Mac (OS 6.8) and did not get the error.

Thursday, February 04, 2016

Microsoft Edge browser in Windows 10 warns me about one of my own legacy domains; Chrome unnecessarily encrypts some images in W-10

Today, I tried my “” legacy site in Microsoft Edge under Windows 10, and kept getting a warning to verify (with a captcha) that I knew the site and that it is not a phishing domain.  It kept repeating the warning and verification despite my verification.  Internet Explorer is not doing this in other versions of Windows, and other browsers are not.

This behavior happened only on the home page, not subordinate pages.

I have checked stats on the domain and not found it had sent any email.  I normally do not use its email.

From late Saturday, January 30, until around 6 PM EST Monday, February 1, the site was down because of an unspecified Windows shared hosting problem.  Outages are rare.  I kept getting “ERR_CONN_RESET”.  That normally means that the checksum at the transport layer doesn’t match the actual data count on the page.  Apparently, the server had stopped sending checksums, maybe because of a local hardware or firmware problem.  “Tracert” showed that the domain could be reached.  The outage did not appear to be related to malware or a DDoS.

But I don’t believe the problem is related to “Edge” behavior now.  This seems like something new in Windows 10.

The issue might occur because there is now a ".org" domain for the name belonging to a non-profit organization, whereas I am an individual (and maybe Windows 10 and Edge check for this); but I have used the domain since December 1999 and have it paid for until 2021.  In the more distant past, the ".org" has been a parked domain.

I continue to have an issue in Blogger that it seems to “encrypt” images in a Windows 10 environment when logged in to the app (forcing me to go into native html to fix), and sometimes even when viewing postings (in Chrome).  This does not happen in previous versions of Windows.  This is more likely with images that seem to have some embedded text.

Monday, February 01, 2016

Wordpress vulnerabilities seem to invite "ISIS-related" hacks

There are numerous reports on the web that Wordpress sites have been vulnerable to hacks, especially related to radical Islam (for want of a better name), that is, ISIS.

Nick Fogle has a detailed post (no date) on how he solved one hack, and the technical knowledge required is considerable, although a lot of it is basic Unix, link.

In fact, on April 7, 2015 the FBI posted an advisory about Wordpress vulnerabilities leading to hacks of some sites purported to be by ISIS, but likely to be domestic imitators.  Many of the vulnerabilities are related to “themes”, and maintaining security updates from Wordpress (even automating them) is considered essential.  Wordpress often puts out new versions of the basic engine to fix possible vulnerabilities, just as Microsoft does.  Wordpress sites are different from Blogger in that a copy of Wordpress lives on the customer’s rented space.
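As an added example (not from the FBI advisory or from Nick Fogle's post), here is what "automating" Wordpress security updates looks like in practice on a self-hosted install.  The constants and filter names below (WP_AUTO_UPDATE_CORE, DISALLOW_FILE_EDIT, auto_update_plugin, auto_update_theme) are standard Wordpress settings; the file paths assume a default install layout, and the must-use plugin file name is my own choice.

```php
<?php
// --- Part 1: add to wp-config.php (above the "That's all, stop editing!" line) ---

// Apply every core release automatically, not just the minor security
// point releases that Wordpress applies by default.
define( 'WP_AUTO_UPDATE_CORE', true );

// Remove the theme/plugin file editor from the dashboard.  Many theme-based
// compromises are carried out by editing theme files through this editor
// after an admin account is taken over, so taking it away limits the damage.
define( 'DISALLOW_FILE_EDIT', true );

// --- Part 2: save as wp-content/mu-plugins/auto-updates.php ---
// Files in mu-plugins load on every request and cannot be deactivated from
// the dashboard, so the policy survives an attacker disabling ordinary plugins.

// Opt all installed plugins and themes in to background updates.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Send the update-result e-mails to a dedicated address so a failed
// update is noticed rather than buried in the site owner's inbox.
// (Hypothetical address; replace with your own.)
add_filter( 'auto_core_update_email', function ( $email ) {
    $email['to'] = 'wp-updates@example.invalid';
    return $email;
} );
```

Automatic updates only run when WP-Cron fires, so a rarely visited site should also have a real cron job hitting wp-cron.php; and an obsolete plug-in whose author no longer publishes fixes gains nothing from this, which is why the abandoned plug-ins Zdnet describes need to be removed rather than updated.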

Zdnet has a story explaining which obsolete plug-ins are most vulnerable, and says that Google has blacklisted about 10,000 sites from its engine because of malware.

The Huffington Post has a story on some purported attacks.

A real attack from an overseas enemy (as with the North Korean hack on Sony) could have national security implications, even if it seems improbable for an average small user.  After 9/11, there were concerns that enemies could place steganographic instructions on amateur websites, but this has not happened much.  I haven't heard of prosecutions of website owners "framed" for possessing some sort of unlawful content (whether child pornography or support for a foreign enemy) but it sounds like something a determined enemy could conceivably pull off.  The idea of "mens rea" could possibly be critical.

Update: February 3

eWeek explains the security fixes in the new WordPress 4.4.2 update here.  Wordpress has its own explanation here.