Tuesday, March 29, 2016

What is the point of Wordpress spam commenting?


Akismet did update Wordpress sites yesterday, but just before the update, I found one bizarre spam message in my inbox, shown above.  It was odd how it referred to topics I have blogged about (like the Minnesota Orchestra).  I don’t really see the point of it.  There were some spammy links at the bottom. It's hard to imagine how this could make anyone money.
 
I couldn’t get Wordpress to pull up the action boxes normally.  I was able to get rid of it by scanning all comments for spam.  Very odd.

Monday, March 28, 2016

Medstar Health suffers major hack, probably ransomware


The FBI is investigating a major cyber attack on Medstar Health Hospitals, a major hospital chain especially around Washington DC and Baltimore.  Most IT systems in these hospitals were shut down, and many users could not log in.  Apparently physicians had to keep track of prescriptions by hand.  It’s not clearly how this has affected patient care.  The Baltimore Sun has a story by Andrea K. McDaniels and Ian Duncan.

Although not completely confirmed yet, this appears to be a case of big time ransomeware.
 
Hospitals lag behind other kinds of businesses on tight IT security, even given changes from HIPAA.

The Washington Post has a detailed story March 29 by Matt Zapotosky and others, showing Washington's own Medstar Washington Hospital Center, near Catholic University, which is a major trauma center and also treats sports teams a lot. It is also a major general surgery center. The Post also links to a story about how the entire town of Plainfield, NJ fell to ransomware.

Thursday, March 24, 2016

Ransomware demands are often smaller, to enable payment, but scouting out of targets gets more sophisticated.


A hospital in western Kentucky has been hit by ransomware, according to a CNN Money report.

The ransomware was submitted by email, that got past spam filters and anti-virus software.  The demand for payment in bitcoin is relatively low, about $1600.  It is thought that lower demands increases the likelihood of payment.

The hospital has refused to pay and had apparently backed up everything off line frequently.  But could patient care be compromised?

However, on March 21, Matt Zapotosky and Ellen Nakashima reported on some very large hacks of hospitals and local governments, where hackers had staked out the facilities for some times and tried to compromise the backups.   However, any organization could make daily backups that are completely offline (much harder with incrementals).



In my own mind, there would be a question as to whether Carbonite backups could be affected, because they are shown as virtual drives to Windows.  But Carbonite’s own discussion of the issue sounds reassuring, link.

Still, it’s a good idea for home users to keep backups on totally detached physical devices.  The safest possible solution is optical (electromagnetic devices like thumb drives could be destroyed by some kinds of neighborhood vandalism, but that hasn’t been reported).


Update: March 31

US Cert offers a detailed explanation of ransomware in a bulletin today.

Tuesday, March 22, 2016

FBI may be able to unlock iPhone from San Bernadino without help from Apple


The FBI is saying early Tuesday that it may not need Apple’s help in unlocking the San Bernadino terrorists’ iPhone, which the FBI now says was in use right up to the end.  The New York Times has a typical story by Katie Benner and Matt Apuzzo

The Wall Street Journal, in a story by Daisuke Wakabayashi, reports that an outside company will help the FBI.  The process is likely to be extremely labor intensive and take some time.  Later reports suggest that the process consists of copying the chip thousands of times, and trying all possible combinations on a sequence of copies.


 
So for now, the back door, that Apple says can ultimately endanger everyone from subterfuge, already exists.  Former security honcho John McAfee says the FBI should let him try the hack.

Update: March 28

The latest news is that the FBI has unlocked the data and the DOJ has dropped legal action against Apple.

Tuesday, March 15, 2016

Bitdefender advertises comprehensive home smart device and router security as well as conventional computer protection


A company named “Bitdefender” has been advertising today that it protects not only conventional PC’s and laptops, but also mobile, cloud storage, router traffic (that is, possible redirection threats and external abuse) and smart devices in the home (appliances, security systems, baby monitors, thermostats), conceivably, eventually, medical devices.  As a general matter, routine router firmware updates and security needs more attention.



The plans are available in various packages for different businesses and homes.

Saturday, March 12, 2016

Some notes on (my) website safety ratings from various sources





Recently, I’ve checked into the website safety tags posted by a couple of Internet security programs on my own sites.  There are a few issues which I will look into, but let me summarize what I see so far.

So far, Kaspersky has left all my sites as gray, as apparently it doesn’t rate “amateur” sites.  On one Windows 8 machine, I have Trend Micro, and Trend right now is not showing ratings (maybe I haven’t tweaked enough).  McAfee has always rated me green.  Most of the time MyWOT is OK, but I do show a lot of unknowns.

My legacy sites (“billboushka.com”, on Unix and doaskdotell.com, on Windows Server, both on Verio) come up as fully “green” on Webroot (“very low risk” or “malicious links” or “payloads”). 

 These sites are not updated often now, and that could be an issue.  The “billboushka” has an old Wordpress blog which has not been updated, so I am surprised that doesn’t get flagged.
  
Of my 16 blogs on Blogger, the blogs that are not connected to an external URL come up as green. 

However, two of the three (books and movies) come up as grayed-green, which means a slight risk of malicious risks or payloads.  The “Bill Boushka” blog which has the name "billboushka.me" comes up orange, which means a more enhanced risk (I’m reminded of the NCOA classifications for risk of severe storms – “marginal”, “slight”, “enhanced”, “moderate”). Furthermore, both Wordpress sites (“billsmediareviews.com” and “doaskdotellnotes.com”) show a grayed-green (essentially “slight”) risk, which is not as good as very low risk.

I cannot explain these risks definitively.  But one idea that seems consistent is that Webroot does not like site redirection of blogs to other URL’s.  Another is that it also looks with suspicion on the international “.me” suffix (Montenegro).  I used domain names that “Google domains” would automatically assign me.  Since “billboushka.com” is an existing (if not currently updated) domain, it had to give me an international (slightly more expensive) TLD for that blog name.

However, on the Wordpress, I checked a friend’s site with a similar setup and found Webroot had marked it green.  But that person was using Dreamhost as a service provider, whereas I use BlueHost.
As far as I know, my two modern Wordpress domains do have the latest versions of Wordpress and plugins with all security enhancements.  I have Askimet to scan for comment spam.  A few spammy-looking comments are allowed, and I have allowed a few to be published that contain ordinary links to commercial household products (from overseas).  Maybe I shouldn’t do that.  One just one occasion, about eight months ago, one spammy pop-up comment got published without moderation, which I had to remove.  I think the vulnerability that allowed that to happen has been fixed.

I am seriously considering making major simplifications to my domain name setup, including consolidating many blogs or sites into fewer, with more material on Wordpress.  I will look into all these matters further, particularly to see if one hosting company has better security than another, or if there is an issue with the multiplicity of my own names. 

It does not appear that the website safety insists of offering “https”.  Of course, this is mandatory if doing e-commerce, which I may do myself in the future (right now it is all out-sourced).  It is significant that Blogger, when redirected to a domain name, does not offer https (but it does when staying within Blogger).  I hope Blogger can fix this. 

It does not appear that the use of Adsense affects safety ratings.  But third party ad-ons available for Blogger might, as could some issues with various Wordpress plug-ins and templates.

I tried a few of my sites in Norton Safe Web, and found they had not been rated.
 
None of the sites give warnings (from Webroot, Trend, or Norton) when I go to them.  However, I know of one incident where a book publisher's site gave a phishing warning from Norton,, only on older versions of Windows, that turned out to be false.  

Tuesday, March 08, 2016

First ransomware incident reported on Mac OS by Palo Alto researchers


Claude Xaio and Jim Chen report a type of ransomware that can infect Mac OS transmitted through Bit Torremt, from Palo Alto Networks, in this blog posting. They dub the malware “KeRanger”. The product lies silent for three days after installation and then starts encrypting files.
 


This seems to be the first ransomware documented on the Mac.  Andrea Peterson also reports on it in the Washington Post March 7.

XProtect has been updated to stop the malware, according to Appleinsider. The virus doesn't seem to spread by websites or phishing attacks.

XProtect is apparently automatically part of all Mac OS since 2009, and has led users to believe they do not need other third party anti-virus products (How-to article ).

Saturday, March 05, 2016

"Locky Ransonware" spread through MS Word Macros, can encrypt even unmapped network shares


Webroot is reporting (post by Nathan Wyman Feb. 22) a new kind of ransomware, called “Locky Ransomware”, which seems to be transmissible (so far) only through Microsoft Word Macros – so it can be avoided by not opening unknown Word documents.

The malware encrypts (with an “AES” algorithm) all file types, even on network shares, even if unmapped.  That statement would make me wonder about neighboring servers or cloud backups, which are attached, although that sounds hard to believe.



Sean Gallagher has a similar story on Ars Technica Feb. 17 here.