Friday, April 29, 2016

A note on website safety ratings from Webroot (mine, at least)

Webmasters who wonder how Webroot, among other security companies, assesses the safety of websites can visit this resource and enter the domain name.
I showed the results for “” and “”.

It does appear that newer sites with low popularity are “penalized” because many malware sites are new and pop up like mushrooms.  But that sounds like saying that a statement proves its converse (it doesn’t – it does prove its contrapositive).

It appears that the “.me” redirection (from the “billboushka” blogspot blog) got penalized because it is less conventional (Montenegro).  Google assigned the name because the “.com” is in use with Verio, a small domain that may soon be removed (material to be consolidated elsewhere).

It seems that free custom subdomains of Blogger (Google) and Wordpress (Automattic) get higher safety ratings than redirected personal domains.  (Tumblr may be similar.)  That's partly because of the popularity and direct supervision of security by large, well-known companies.  It also appears that it is easier to put in https on subdomains.  But subdomains don't have the reputation of being as "professional" and offer less support if there are problems (like incorrect marking of spam blogs).  Webroot may be writing about this problem more soon on the Threat blog; I've chatted with them about this on Twitter today and asked them to talk to EFF, too.

Friday, April 15, 2016

Note on DrDOS

US-CERT (Department of Homeland Security) has a major advisory about vulnerabilities to DDOS (distributed denial of service) attacks, and especially DrDOS (distributed reflective denial of service) attacks, through exploits of the User Datagram Protocol (UDP).

Small businesses that use shared hosting usually expect their hosting providers to apply these advisories.  Users would be concerned about Denial of Service because of possible bandwidth charges, as well as the possibility of a site being zombied to attack others.  Doing this on one’s own involves a lot of server-side programming skills.

Tuesday, April 12, 2016

Wordpress automates https for its own custom domains; not sure yet what happens on Blue Host and similar providers

Wordpress has recently announced “Https everywhere”, that is “Encryption at all sites”. The link is here but may require a Wordpress account to view. 

The encryption will protect custom domains hosted on, but it is not clear if this includes domains on shared or dedicated domains offered by companies like "Blue Host" and "Dream Host."
In the recent past, I’ve read that Bluehost encryption is fairly complicated and limits the size of images.  I hope there is improvement in this issue.  You should be able to get the same level of encryption (and same blogger and end user convenience) on paid hosting for your own domain (with a separate copy of the blogging software) as on a “free” content host as a subdomain.   I may call Bluehost soon about this. 

Blogtyrant’s Toolbox recommends StrongVPN but does not yet mention SSL or https for the blog itself.  I’m hoping Ramsay Taplin will write about this issue soon.  We may see more written about this subject soon at EFF, and at blogs run by security companies like Webroot and Trend.   
It would appear relevant to allow the end user to choose whether she needs to use SSL by entering https herself, rather than defaulting. 

Tuesday, April 05, 2016

Blogger will automate https; but how important is https for blogs, really? Some surprising questions surface

Recently, Blogger has notified its users that https will be available to all visitors who key in “https” for all Blogspot blogs, in late April, 2016.  Blog owners will no longer need to enable https on their profiles.

But there seem to remain some questions.

The first question concerns blogs that redirect to custom domains set up by the Blogger (Google domains can be as inexpensive as $12 a year).  Blogger’s announcement does not yet address that question, but right now https is not available for custom domains.  However, “Nitecruzr”, that is “The Real Blogger Status”, hints that it will be available in the reasonably near future for custom domains.

Wordpress also offers https, as explained here.  Hosting companies like Bluehost offer it, although setting it up is a bit complex, explained here.

There is some controversy over the wisdom and necessity of https for “amateur” blogs.  One claim is that without SSL, hackers could change Blogger content (for example, with jihadist content, or perhaps inserting malware) before it reaches end users, without the knowledge of the Blogger.  I have not yet heard of this actually happening.

Some sources say https is more important if you actually use public WiFi spots to update your blogs (instead of an iPhone hotspot or home—hotels might be a little riskier).

One disadvantage seems to be that it slows down access when images are included, because each image needs its own SSL tag.  In fact, Bluehost limits embedded images in SSL blogs to 100 KB, which is not very adequate, because most higher quality photos require more space than that (reasonable cell phone pictures are typically around 200K -- and I can ask why Facebook and Twitter can process larger images under https, or could consider just embedding from Instagram).  In fact, there were some problems accessing Google products from Comcast Xfinity from late February to early March. Loads seemed to stall and give checksum errors for multiple Google components each requiring validation of an SSL layer.  The problem seems resolved now.  It’s possible that the problem could be related to changes and upgrades in Google security, themselves initiated over “Malvertising” and preventing new hacking or malware threats discussed yesterday, a problem that had become much worse right after the Super Bowl.

Another good question occurs to me.  Right now the New York Times doesn't use https but the Washington Post does.  And the Times was apparently hit with the malvertising scandal in March 2016. Connection?

At this point, it is difficult to say whether (or when) bloggers need it. I don’t see an obvious answer on “Blogtyrant”, but I just submitted a question on Ramsay’s Facebook page.  I’ll report what I find out.

Monday, April 04, 2016

"Malvertising" attacks on major publishers right after Super Bowl and again in mid-March might be connected to ransomware incidents

Webroot’s Threat blog has a very disturbing article by Nathan Wyman, dated March 14: “Malvertising, when ads go rogue”.  So do some other technical blogs, and the major news media has been a bit mum about this problem so far, with confusing reports.

The article explains how criminal networks are getting malicious ads posted even on supposedly reputable sites, possibly by hacking into networks or by entering fraudulent contracts.
It’s not clear how dangerous an ad can be if it merely displays without being clicked.  It’s also not directly clear from the article whether fraudulent ads have actually delivered ransomware, but, for example, the Guardian indicates that this may have happened with the New York Times, BBC, AOL and NFL right after the Super Bowl.  A company called Malwarebytes has details on the malware served by advertisers on various major sites and how they were served.  Trend Micro (March 16) also discusses the growing threat of the "Angler Exploit Kit" here with more details here. Kaspersky's article seems older (2014) and the company ought to provide a new article on the March 2016 incidents.

But a few sites allow intrusive ads that pop up and are hard to get rid of to get back to the site.  This happens a lot in mobile sites.

The articles generally recommend using “do not track” and keeping Adobe Flash up to date (Silverlight is obsolete.)
Reuters has a rather alarming YouTube video, dated March 16, 2016, saying the problem has increased a lot since the start of 2016.

But it’s apparent that malicious ads can undermine the whole idea of user generated content online, which is paid for by ads.  That would be particularly true if most users avoid clicking on ads out of “fear”.

I rarely negotiate online ads myself.  The last time I remember doing so at all was after a car was totaled a year ago and I was in the market to replace it with insurance, quickly.

A story by Carrie Mihalcik on CNET indicates that a major attack on advertising networks happened in mid-March and that some ads could infect computers, especially with outdated Flash or Silverlight, without being clicked.

I had one incident a week ago on a book publisher’s association site where Kaspersky, in Windows 10, blocked one blog link because it detected malware on the page.  This might have been connected to this attack.