Tuesday, June 28, 2016

New kind of ransomware dangerous because of its "simplicity"

Lucian Constantin writes on PC World about a new kind of ransomware called “Bart” (like the subway in San Francisco), so far coming only in email attachments with JavaScript.  It doesn’t need sophisticated encryption to lock user files in “password protected ZIP archives”.  Bart is said to resemble Locky.

It’s not clear how effectively all the major anti-virus vendors detect the malware yet.

I still think the prevalence of ransomware makes it hard for small businesses to build e-mail lists, the way blogging consultants advocate.  

Monday, June 27, 2016

2-step identification could have a loophole with texts

An article in Wired by Andy Greenberg encourages companies to use methods other than texts for 2-step identification, link here.  There seems to be a potential loophole with SIM spoofing, and SMS spoofing as well (won’t try to explain how it’s done – leave it for Hollywood – a kind of “Now You See Me 3”).  There is a recommendation to develop secure smartphone apps for 2nd level verification.

“Blogtyrant” tweeted this story, shortly after announcing Brexit (one of the first Friday night).  I’d like to see his take on “https everywhere”.

Tuesday, June 21, 2016

Https for news sites? for multiple domains and multiple blogs? Still a confusing topic

I am working on the https issue with my Bluehost WordPress sites.

SSL certificates and the capability to “convert” to https for end-to-end encryption are managed by a few companies (like Comodo) which seem to always work at the domain name level only.

This means that with most hosting companies, a user can have only one domain name (which can be “main” or “add-on”) with https enabled per hosting account.

For many small businesses, this is fine.  A typical business has an e-commerce facility, product information, news, and one blog.  In niche marketing (which “Blogtyrant” Ramsay Taplin advocates), this doesn’t create too many problems.  Many authors set up their own sites this way.

I have an issue because I have multiple blogs.  Typically, a domain has one blog with one install of WordPress.  However, it is possible to set up subdomains and put separate blogs with separate installs of WordPress in the subdomains.  This would be a clumsy process for most users, and it’s not clear how SEO would work.  A webmaster could purchase separate domains and then equate them (with A records or CNAME records) to the subdomains.

Bluehost business hosting effectively does this with add-on domains (there is a subdomain concept behind the scenes in the CDN) but right now still offers https only on one of the domains at a time, which would be logically a domain with e-commerce.  It’s fairly complicated and a bit pricey.  There are less expensive ways to use a common SSL with severe limitations (on image size, for example).

WordPress and Blogger (Google) can now offer free https on “free” blogs (not hosted) precisely because they go to just one domain (wordpress.com or blogspot.com).  So far, Google has not offered an effective way to offer https to its “Google Domains” equated to blogs.
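An added example (not from the original post or from Bluehost) of why https is tied to the domain name: a browser accepts a certificate only for hostnames that match the names listed in it. It goes slightly beyond the text by including wildcard names; the hostnames and certificate name lists are constructed, and the wildcard rule is simplified (real clients also consult the public suffix list).

```python
# Added example: constructed hostnames and certificate name lists, not real sites.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the entire leftmost label and stands for
    exactly one label, so *.example.com covers blog.example.com but neither
    example.com nor a.blog.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Simplification: refuse wildcards directly under a TLD, e.g. "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def coverage(cert_names, hosts):
    """Map each hostname to the certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hosts
    }


# Constructed scenario: a main domain, two blogs in subdomains, one add-on domain.
HOSTS = ["example.com", "www.example.com", "blog1.example.com",
         "blog2.example.com", "addon-blog.example.net"]

SINGLE_DOMAIN_CERT = ["example.com", "www.example.com"]
WILDCARD_CERT = ["example.com", "*.example.com"]


def uncovered(cert_names, hosts=HOSTS):
    """Hostnames a browser would reject (name mismatch) under this certificate."""
    return [h for h, n in coverage(cert_names, hosts).items() if n is None]


if __name__ == "__main__":
    for label, cert in (("single-domain", SINGLE_DOMAIN_CERT),
                        ("wildcard", WILDCARD_CERT)):
        print(label, "certificate leaves uncovered:", uncovered(cert))
```

In both constructed cases the add-on domain stays uncovered, because it is a different domain name from the one the certificate was issued for.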

“Https everywhere” for news information (not processing credit cards or anyone’s PII for commerce) has not been considered necessary until more recently.  It would seem to be important in non-democratic parts of the world where users (with good reason) fear snooping police or governments.  So it would be important for webmasters who know that many of their visitors come from authoritarian countries (and when they present issues like free speech, voting, or gay rights, or even religion).  About 10% of my visitors come from these countries, in my own experience (that has included China despite bans, and particularly African and Middle Eastern countries; same for many social media followers).

BlueHost and other hosts offer collaborative security with SiteLock, which is fairly complicated in the way it works.  Usually an https domain requires premium SiteLock, which pro-actively looks for threats.

The security culture is changing.  In the future, there may be much more attention to the possibility that “small” bloggers could be hacked for ideological or political motives as well as just to steal PII with possibly severe consequences for those targeted.  I can imagine how this could play out in a Trump presidency.  So it’s desirable that hosting companies make https as “easy” as possible, and right now it’s complicated because of its nature (being shared at the root domain level).

I’m a little miffed about how Electronic Frontier Foundation’s own https everywhere extensions for Mozilla, Android, Chrome and Opera can work.  EFF points out that many news sites don’t have https for news content (the Washington Post does).  Why not the New York Times?  It shouldn’t be hard for a large company.

Friday, June 10, 2016

Twitter hack seems focused in Russia

The AP has a story, on NBC News, of a massive leak of Twitter passwords.  But Twitter has not been breached so far, and it seems that most of the accounts involved are in Russia or nearby countries.

However, a few old Twitter accounts of celebrities, including Mark Zuckerberg’s, were recently attacked, possibly as an indirect result of a hack on a different site, LinkedIn.

Internet users should not use the same passwords in multiple accounts.

Wednesday, June 01, 2016

Do cloud backups protect you from ransomware? Debate on Twitter now

There’s a debate today on Twitter over whether cloud backups are vulnerable to ransomware since they are often “mapped” as logical drives. Webroot has joined the discussion.

Webroot says they can be infected, but higher-end products have the ability to sync with earlier backups.  Home users need to make sure they have this higher level of service enabled.

Carbonite has a more recent article on beating back a ransomware attack here.

It’s still a good idea to keep rotating USB or Seagate drive backups (the latter typically take about 90 minutes on a modern W10 machine), organized and in different locations. Keep your photo SanDisks, too.  Keep one copy in a safe deposit box.  Another idea is to leave at least one or two laptop computers unnetworked.  It's even better if you have both Mac and PC and use them both, frequently (including tablets). But this takes effort, and resources.  Not every family can deal with all this.