Thursday, April 27, 2017

US-CERT warns of state-sponsored malware that could hurt ISPs offering shared hosting

US-CERT in Pittsburgh (DHS) has sent out a detailed bulletin (TA17-117A) about foreign malware, apparently aimed mainly at Unix or Apache servers, that could steal information from customer accounts, particularly in shared hosting environments.

The report is very detailed and technical and requires a lot of knowledge of PHP and other scripting to understand.

But it suggests that all service providers insist on longer passwords, changed more frequently, and require 2-step verification from consumers.
The greatest danger, though, would seem to be to customers who have major consumer data. And this seems to be a tool that may be of value to state actors in special situations (like North Korea’s Sony hack). There could develop some political sensitivities about who could become a target in a shared environment, making them harder to secure in general.

Sunday, April 23, 2017

Facebook wants you to recognize your Friends by face for security verification -- a likely story

Facebook is trying a controversial new security tactic: when people use Facebook from computers far away from home, they may be asked to verify names of friends by profile faces.

John Costine has a typical news story on Ad Week here.

Most of us have “Friends”, especially overseas, whose names we do not remember or whom we don’t recognize.  That is particularly the case for users whose posts are public and are often about news stories or rather impersonal.  Possibly the algorithm would ask you to identify Friends upon whose news feeds you frequently give Likes or make comments.  But the policy seems to be self-contradictory, or be predicated on an internally conflicted idea of social media “friendship”.

It's possible that users could mitigate the problem by continually using Facebook while en route by phone. But this may not work with long plane flights (where cell service is not allowed) to distant destinations. If driving, of course, you could use it frequently, at rest stops (if you have good nationwide coverage). It’s also possible that the policy will apply more to overseas travel.

Monday, April 17, 2017

Consumers can be on the hook for fraudulent use of their phone accounts (land or cell)

Consumers, both business and home, can be held responsible for fraudulent calls made with their account by hackers overseas.

Look at this story in the Los Angeles Times about a customer of Spectrum (formerly Time Warner). The particular customer owns a public relations firm in Brentwood, CA. She wound up with a $6400 bill for calls to Cuba. The news story was on WJLA in DC tonight.

Practically all telecom companies put these provisions in their fine print. However, in practice, most companies have been willing to forgive calls that were obviously fraudulent.

The problems can occur with either landlines (usually digital now with cable providers) or cell. There would be a logical question of whether a hack could occur anywhere else but inside the telecom company, which ought to be relevant to any litigation of charges like this. But consumers may be threatened with termination of service in the meantime.

In the summer of 1995, just as hacking was getting started, one of my Visa cards was suddenly rejected at a supermarket, and I quickly got a call from the bank about $3000 of calls from Canada placed on the card through AT&T. The charges were all reversed and the card replaced. The cause of the hack was never explained.

I have not had significant charges for robocalls.

And back in Texas, around 1999, a $4000 payment made to me to settle an old problem over an assumed mortgage was stolen electronically.  But it was refunded to me properly.

Hacking has been around longer than people think, even on older mainframes; companies have generally countered it by tightening application elevation procedures, a security topic that was all the rage in the 1990s, before Y2K. There were actually some security mishaps in my workplace in the early 1990s: a contractor one time stole a server, and another time an operator was arrested for embezzlement, scary stuff if it happens where you work.

Saturday, April 01, 2017

Gaming scams; Federal Reserve phishing attack

Local station WJLA in Washington DC reports on recent phishing scams involving gamers wanting to move to a next “level” in the community operated by a game. Since I don’t “game” I’m not sure how it could work. But people whose accounts have been fraudulently manipulated will find them canceled by gaming manufacturers. Symantec has an article here. I wonder if this applies to Second Life.

It would be like having a USCF chess rating fraudulently raised.

There is also a new phishing scam of “embargoed news” from the Federal Reserve.

Friday, March 10, 2017

Can my iPhone have viruses?

Yesterday, while browsing a supposedly mainstream news site on my iPhone 6, a popup claimed I had six viruses on my phone.  It took a little trouble to make it go away, but it finally did.
This does appear to be the old “fake anti-virus software” problem well known to Windows users from a decade ago. I don’t see any evidence of tampering with any financial sites accessed from the phone (as I check them on varied environments frequently), and I don’t see any evidence of infection in any images or videos I moved to a Windows machine for use (I did a full Trend Micro scan).

Nevertheless, I did a little check on the latest advice on iPhone and Mac malware, and here is a good article (although from 2012). The article has some interesting discussion of past security problems in the Java language and virtual machine, which was all the rage fifteen years ago.

You may be able to get rid of an “adware” message from Safari by going to airplane mode and closing and reopening Safari (video above). This is similar to getting rid of a fake “system message” scareware browser hijack on a Windows machine.

Wednesday, March 08, 2017

CIA's Vault 7 does sound like a Roadside Attraction, to me at least

There’s a lot on the Internet now about the CIA’s Vault 7 “scandal”.  Milo Yiannopoulos carried the most bombastic story on his own beefed-up conservative news site (since he left Breitbart, but he presents very similar stories to Breitbart), here.

CNN has answered Milo by finally putting up a detailed story on how Wikileaks got the scoop, here.

This probably doesn’t matter to Internet users in the US much (except maybe those doing illegitimate stuff overseas on the Dark Web -- the CIA "normally" cannot "legally" spy on people at home). But it does show that hackers could likewise compromise “the Internet of Things” and conceivably spy on people through smart TVs (even when off but plugged in). In the very worst circumstances, voyeurs could spy on women or children. It also shows that in extreme circumstances, foreign hackers (like in Russia), maybe state supported, could spy on high profile Americans at home.

Young OAN correspondent Trey Yingst, 23, asked Sean Spicer about Vault 7 in a White House briefing Tuesday, and Spicer refused to comment. I was watching (at home on CNN -- I don't have WH access, at least not yet).

This is almost the stuff you would need if you thought aliens from other planets could masquerade as Clark Kent clones among us. What would Donald Trump do about real aliens? You can't deport somebody 40 light years away.

Saturday, March 04, 2017

Webroot warns of new IRS, PayPal phishing attacks

Webroot is warning users about fraudulent IRS W-2 emails, in this article. The IRS won’t send you emails (except to verify that returns have been accepted, through H&R Block). State tax departments (like Virginia) often send business customers legitimate emails (like when sales tax reports are due).

And PayPal users are often targeted in phishing attacks (lately through Gmail), as in this Webroot story. Since some small non-profits take PayPal but not credit cards (to help “unbanked” clients), most people need PayPal (which can be connected to a credit card for replenishment).

Tuesday, February 28, 2017

Fair use may help Internet and smart device users protect themselves from hackers

Kerry Sheehan has an interesting essay at Electronic Frontier Foundation, “Fair Use as Consumer Protection”, link.
As you read through the examples, it’s apparent that most of the uses given would help consumers protect their devices from hackers, even perhaps protect home routers from illegal use by others.  It’s possible to imagine that Airbnb would find some of this interesting.

Tuesday, February 07, 2017

Spam comments try to lead to fake Internet security links

I have become aware of the practice of some spammers to send spam comments to blog postings about various Internet security companies with links to fake sites pretending to be the security company. This is a variation of the usual email phishing, where the spammer tries to put spam comments on blogs with fake links.

Comment moderation (or use of services like Akismet) should stop this.

In one case, Google comment moderation warned me on a comment with a hidden link to “webrootsupportphone dot com”.  I have reported this to the company but it appears not to be legitimate.
This probably happens with all major security companies.

Tuesday, January 31, 2017

Trump postpones cybersecurity EO, but has specifically mentioned power grid security, which is unusual

President Trump postponed signing an executive order related to cybersecurity today, with no reason specified, according to NBC News, story here.

The president talked to some tech security companies today, and made a brief statement. It is interesting that President Trump mentioned the power grid as a possible target, as so well documented in Ted Koppel’s book “Lights Out”. I have actually tweeted "RealDonaldTrump" directly on this issue.

The president could tighten rules about any network topology that makes it possible at all to access the power grids or other infrastructure, or that makes components (like transformers) vulnerable to sabotage.

Sunday, January 01, 2017

"True Key" from Intel, providing facial recognition sign-on, seems to come with a recent Windows 10 update

I recently had problems with an install of a Microsoft update KB3206332 of Windows 10 after the cumulative upgrade last August, on a Toshiba Satellite that had been converted from Windows 8.1.

I kept getting repeated errors "0x80070564" after very slow installs ("preparing to install", 1%, then 20%). Also, when booting up, Trend Micro would take a long time to start, prompting warnings.

Geek Squad got it installed, but said it found malware (with Webroot) that Trend Micro had missed. It thought the errors were due to the malware.

But the Adobe Flash, which had updated before, now offers a "True Key" option rather than password for log on. (It has not done this on my HP Envy with the same update.) I tried to use it, and I could not get it to take my picture properly. Maybe my Comcast Internet wasn't strong enough (it has been shaky recently). Eventually I had to opt out and go back to regular log on. True Key will tell you to use your Microsoft password, but actually you have to use the password for that computer, which can be different.

Here's the link for True Key. But curiously that site (which displays the Intel trademark) has a gray rating from Trend, but there is another green link on Intel's site here. Bleeping Computer says the original link is OK (answer to question here).