Tuesday, November 14, 2017

Has the NSA made us all targets of foreign enemies?


The New York Times has a long and detailed story of the breakdown of the work of the “Shadow Brokers” at the NSA, and how the tools of the group were taken and used to develop ransomware to target some consumers, especially less secure companies and hospitals, last spring.

The booklet-length article by Scott Shane, Nicole Perlroth, and David E. Sanger appears here. 
  
You wonder how safe any computer or website or company will be against an enemy that is determined and combative enough to infiltrate the NSA through employees or contractors.

  

And EFF has made so much of the surveillance issue over the years. 

Monday, November 13, 2017

Well-known blogging consultant urges everyone to go to https now -- but it's complicated


Ramsay Taplin, Australia’s “Blog Tyrant”, has come up with a detailed post on how bloggers can convert their sites to https, link.
  
It’s important to remember that this applies only to specific domains, not to subsites of Blogger or Wordpress.


I wrote a detailed comment.  Since the comment period is time-sensitive, I’ll reproduce my own comment here:

How important is https for a page that does NOT require user logon or collect user info? That does NOT process funds, PII, etc.

I have four domains on BlueHost, which as of now will set up one as SSL (with an enhanced SiteLock passage). I did pick one of the addons (because it is possible to do transactions on it although I do them rarely in practice). In my case that is doaskdotellnotes.com (not the site I have shared most often). I am expecting BlueHost will change things so that all four can be https. Also, Google’s free Blogger will make all free domains https but does not with those that have their own domain names.  That is because SSL is by main domain name (e.g. blogger.com in the case of Google). That also seems true of Automattic (example) https://jboushka.wordpress.com/ (there’s not much there — that’s a copy of some old stuff). It would be helpful to know if Google, WordPress, BlueHost etc will do anything soon to make this “easier”.
You can navigate to my Blogger Profile.  “Movie Reviews” “Book Reviews” and “Bill Boushka” all resolve to specific domain names and right now do not have https.  The other thirteen are Blogger subdomains.  They can be viewed with or without https.  Some embedded videos from some news sources do not yet work when viewed in https.
Ramsay’s directions are very long and complicated, and I would wonder how many bloggers have the time to do this.  The blogging business paradigm that he advocates generally works with niche blogs aimed at very specific audiences, and often goes along with small businesses that actually would use email lists.  This might be very hard for a lot of small businesses to do.
I suspect BlueHost and other providers will make this simpler in the future.  Business persons should also consider hacker security protection like SiteLock.
Electronic Frontier Foundation has long urged all websites to go to https, even those that don’t require logon or do transactions or collect PII.
I’ll come back to this in more detail in the near future (I don’t know how near) on my Wordpress news blog. 

Saturday, November 11, 2017

Criminals can make duplicate house keys from images created by apps


Recently local television stations warned consumers about the dangers to home security posed indirectly by apps that encourage you to photograph your house keys so that duplicates can be made.  Thieves have done this to go ahead and commit burglaries. 

Wired has a typical story by Andy Greenberg from 2014, here.  Some of the apps include KeyMe, KeysDuplicated and KeySave.

One risk is allowing parking valets to have access to house keys.

The reports don't say whether these apps would work with higher security locks like Medeco.

Thursday, November 09, 2017

School districts come under disturbing attacks from foreign hackers


School districts have come under attack from hackers, including ISIS-related, in a few different ways.  They seem vulnerable because of particular service providers and particular platforms that they use.

Here’s a report from northern New Jersey.

There were also disturbing attacks, some of them threatening, in Iowa and in the Flathead area of Montana (Post story).
  
I didn’t encounter any of this when working as a substitute teacher in northern Virginia 2004-2007, but times have changed. 

Tuesday, November 07, 2017

ABC reports fake Droid apps that can steal pw's to social media, bank accounts


ABC News is reporting an epidemic of fake apps, particularly on Android smartphones, that can steal passwords to social media and bank accounts, even when the phones are not in use.
  
  

The ABC News story is here. WJLA has been carrying the story locally in the DC area, with a demonstration where several volunteers get hacked. 

I do very little in the way of transactions on my own phones.  

Tuesday, October 31, 2017

Phishing attack targets iCloud


Here’s just a small report, on a rather transparent phishing attack.

It purports to come from “Support iCloud” and says that your Apple ID has been blocked.  But it’s easy to tell it didn’t come from Apple.

Curiously, I signed onto iCloud in the normal way on my Windows 10 and the site asked some extra security questions. 
There had been a week where I didn’t update the iPhoto cloud because I have new WiFi (from Cox) in the condo and I hadn’t connected the smartphone to it yet. 

Tuesday, October 17, 2017

"Krack" attack can compromise WPA2 wi-fi security


Rapid7 has reported a serious security flaw in wi-fi routers in homes and businesses that would appear when external enemies are in close proximity, such as in adjacent apartments, hotels, or public wi-fi connections.

Alyssa Newcomb on NBC News reports on it as the "Krack Attack".  It bypasses WPA2 standards.

Users should apply forthcoming Windows and Mac fixes and firmware from router companies as soon as possible.  Firmware usually gets updated by restarting a router once a week.

Thursday, October 05, 2017

Phishing attacks try to intercept real estate sales with wire fraud


People about to purchase property should be wary of phishing emails that supply wire transfer instructions which turn out not to come from the real title company.

People should only wire money to accounts that they can confirm separately really to belong to the title company. 

Monday, October 02, 2017

Bluetooth security vulnerabilities are reported


Webroot is warning users of the risks of Bluetooth devices as possibly attracting hackers, as in this article.  Webroot advises users to turn off devices when not in use.  This appears to apply to wearable devices, which could provide a portal for hacking personal information from phones.

  

I’ve noticed that the Microsoft Action Center, on at least one computer, recommends reinstalling a Bluetooth driver after the Creators’ Update of Windows 10.  But there don’t seem to be any symptoms.  I wonder if this relates to the same possible vulnerability.

Saturday, September 16, 2017

Phishing scam tells you your Facebook account is suspended


Here's the most recent phishing scam.  You get repeated emails telling you to restore your Facebook account with one click.  It comes from "facebookmail dot com".

So just log in to Facebook yourself and check for yourself.  

Another scheme is to misspell Facebook and take you to a survey page.  

Monday, September 11, 2017

More sophisticated phishing scheme pretends to warn of invalid overseas iTunes purchases


There is a clever phishing scheme now where the attacker sends an email that purports to be from Apple advising you of an overseas purchase of a game from iTunes for about $50.  There is a PDF of the receipt and a link to challenge it.  Previously, there may have been another email without attachments advising of the purchase. If you run the cursor over the sender, it doesn't have Apple in the domain name.

This scheme is a little more complex than a lot of them.  You can forward it to "reportphishing" at apple.com.
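The "hover over the sender" check from the post, done programmatically, as an added example that is not from the post: it parses a message, flags a display name or subject that claims a brand while the From address sits on another domain, flags a Reply-To that steers replies elsewhere, and catches look-alike domains that misspell a brand (the "facebok"-style trick from the other posts). The allowlist `BRAND_DOMAINS`, the sample messages and the edit-distance threshold are constructed assumptions.

```python
"""Sender and link checks for the brand-impersonation phish described above:
a "receipt" whose display name says Apple but whose address is not on an Apple
domain, and look-alike domains that misspell a brand name.
Added example; the allowlist and sample messages are constructed, not from the post."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed, defender-maintained allowlist: the domains each brand really sends from.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "icloud": {"apple.com", "icloud.com"},
    "facebook": {"facebook.com"},
    "amazon": {"amazon.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com brands used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Brand a non-allowlisted domain imitates ('facebok-help.com' -> 'facebook'), else None."""
    reg = registrable_domain(host)
    if any(reg in domains for domains in BRAND_DOMAINS.values()):
        return None  # the genuine domain, not a look-alike
    # Undo the usual digit-for-letter swaps, then test each hyphen-separated part.
    label = reg.split(".")[0].replace("0", "o").replace("1", "l")
    for part in label.split("-"):
        for brand in BRAND_DOMAINS:
            if len(part) >= max(4, len(brand) - 1) and edit_distance(brand, part) <= 2:
                return brand
    return None


def brands_mentioned(text):
    text = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in text}


def analyze_message(raw):
    """Return the reasons a message looks like brand impersonation ([] if none)."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    from_domain = registrable_domain(from_host) if from_host else ""
    # 1. Display name or subject claims a brand the sender domain does not belong to.
    claimed = brands_mentioned(display) | brands_mentioned(msg.get("Subject", ""))
    for brand in sorted(claimed):
        if from_domain not in BRAND_DOMAINS[brand]:
            reasons.append(f"claims {brand} but From domain is {from_domain or '(none)'}")
    # 2. Sender domain is a near-miss spelling of a brand.
    imitated = lookalike_brand(from_host) if from_host else None
    if imitated:
        reasons.append(f"From domain {from_domain} looks like {imitated}")
    # 3. Replies are steered to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable_domain(reply.rsplit("@", 1)[-1]) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    # 4. Links point at look-alike hosts or at hosts outside the claimed brand.
    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if isinstance(body, bytes) else (body or "")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        imitated = lookalike_brand(host)
        if imitated:
            reasons.append(f"link host {host} looks like {imitated}")
        elif claimed and not any(registrable_domain(host) in BRAND_DOMAINS[b] for b in claimed):
            reasons.append(f"link host {host} is not a {'/'.join(sorted(claimed))} domain")
    return reasons


# Constructed samples modelled on the posts (not real messages).
RECEIPT_PHISH = """From: "Apple ID" <billing@appleid-receipts.net>
Reply-To: dispute@mail-verify.info
Subject: Your receipt from Apple
Content-Type: text/plain

A game was purchased for $49.99. Dispute it: http://appleid-receipts.net/dispute
"""
LOOKALIKE_PHISH = """From: "Security Team" <alerts@facebok-help.com>
Subject: Your account is suspended
Content-Type: text/plain

Restore it with one click: http://facebok-help.com/restore
"""
LEGIT_MAIL = """From: "Apple" <no_reply@email.apple.com>
Subject: Your receipt from Apple
Content-Type: text/plain

View your purchase history at https://www.apple.com/
"""

if __name__ == "__main__":
    for name, raw in [("receipt", RECEIPT_PHISH), ("lookalike", LOOKALIKE_PHISH), ("legit", LEGIT_MAIL)]:
        print(name, analyze_message(raw) or "clean")
```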

Friday, September 08, 2017

More concerns about Kaspersky and Russia in NY Times


The New York Times has an article today, “The Cyber Insecurity Company”, or with online title, “The Russian company that is a threat to our security”.  That’s Kaspersky Labs.

Best Buy and Geek Squad today favor Trend Micro, but before that they bounced between Webroot and Kaspersky. The article notes that companies that use Kaspersky will have their networks exposed to servers in Russia.


That probably doesn’t matter to home users, no matter how paranoid you are about Putin or Ukraine or Chechnya.  But it would matter to most international companies, or to anyone that keeps user PII on his servers. 


DOD is no longer allowed to use Kaspersky.   

Thursday, August 31, 2017

FDA issues warning about pacemaker vulnerability to hackers


Now, if a threat "From Russia without Love".
The FDA has issued an alert concerning 465,000 pacemakers because of a software vulnerability, which could endanger patients. WJLA has the story here.

The FDA's own firmware update page is here.

It takes a visit to a cardiologist's office to get the firmware updated.

Pacemakers can prevent sudden death from cardiac arrest in people with certain arrhythmias.

Friday, August 25, 2017

Op-ed in WSJ argues for expansion of the Safety Act of 2002 to strengthen ransomware defenses


Brian Finch has a disturbing op-ed in the Wall Street Journal, p. A15, Thursday, Aug. 22, 2017, link.  Finch writes “while a systematic cataclysm is possible, targeted hacks against businesses do more harm.”
  
The writer says that even poorly written ransomware attacks can damage whole businesses, even large ones.  He argues that the Safety Act of 2002, which provides liability protections to companies that take up defensive strategies, should be expanded. 

Businesses are more vulnerable to phishing than many individuals, because attackers can emulate the actual business trademarks in their headers. 

Wednesday, August 23, 2017

Cell phone numbers get stolen to empty virtual wallets


The New York Times reports on thefts of phone numbers by people calling major telecom providers and finding vulnerable agents. 

The usual targets are people with large virtual wallet accounts, often in digital currency, who have talked about it in social media. 

It seems that once virtual money is stolen this way, it cannot be recovered, as it usually can for a little while with a bank account.

There are proposals that virtual wallet transactions need more time delay.


The New York Times has a story Tuesday by Nathaniel Popper, here 

Tuesday, August 22, 2017

Most modern laptops, tablets, phones and storage now seem immune to magnetic disturbance


I’ve written on this blog before (July 28) that individuals and small businesses should consider making optical backups (CD’s) as well as Cloud and regular disk copies, but I may have “spake” too soon (even in a message to Webroot).  It looks like modern flash drives (which are now in the latest laptops instead of ordinary hard drives) have very little vulnerability to magnetism.  Here’s the article by Simon Hill on Digital Trends.  This may be relevant to the debate on the damage that can be done by enemy electromagnetic pulse (EMP).

I’ve wondered if living very close to electric utility transmission towers could affect electronics (because of induced magnetic fields) but it does not appear so.

But users really should buy only the Single Layer Cell drives, which are the fastest and the most expensive, but you get what you pay for here (Datarecovery article).  They last much longer.  It’s like diamond needles vs. sapphire playing vinyl.
  
Companies and even homes should pay attention to the possibility that environmental hazards could affect defibrillators or life-saving equipment, or in some cases people with pacemakers (NIH).



Update: September 3

I've watched a video that does confirm the idea that the E1 stage of an electromagnetic pulse from a nuclear explosion could affect solid state electronics (as in  car or modern phone or computer) even though ordinary magnets do not.  I will have to check on this further (and talk to Geek Squad).  This is a developing story.  The E3 phase (which also happens with solar storms) will not normally harm home electronics. 

Tuesday, August 15, 2017

DOJ requests IP addresses of visitors to Inauguration Day protest site


The shared hosting provider DreamHost (which specializes in Wordpress) has resisted a federal DOJ demand for the IP addresses of over 1.3 million visitors to a website, “DisruptJ20.org”, set up to coordinate violent protests against President Donald Trump on Inauguration Day in Washington DC.  Ellen Nakashima has the detailed story in Economy and Business in the Washington Post on Tuesday August 15, 2017 here. The company is resisting those demands.

  

It’s not clear how much protection https would offer, although it would prevent investigators from seeing what had been viewed.  But this is the sort of situation that has led the Electronic Frontier Foundation to suggest that users learn to use TOR, even in the U.S.

It's possible for people to be implicated in crimes using evidence from browser visits.  I don't know whether this could go further, monitoring behavior of people who might be believed to present a future threat, like to minors.  Even visits to certain Facebook pages could be interesting to some investigators, even in civil situations.



Update: Aug. 24

A federal judge in Los Angeles has ordered DreamHost to provide email addresses (probably IP addresses) of visitors to Disruptj20.org, Washington Post story by Keith Alexander here.

Here is Disruptj20's appeal to the public.

Monday, August 14, 2017

Techie who stopped WannaCry arrested for earlier hacking activity, which may have been legitimate


Marcus Hutchins, the 23-year-old Brit who helped stop WannaCry with a kill switch, has been arrested by the FBI for supposed participation in spreading the Trojan Horse Kronos malware (from 2014-2015) through phishing or Word documents that can compromise bank accounts, story.  This earlier activity is unrelated to WannaCry.


But activity researching malware could be confused with actually spreading it.  US hacking laws are set up in such a way that prosecution for legitimate research is possible.  This sounds a bit like the “downstream liability” debate.
  

Hutchins was arrested at a conference in Las Vegas. 

Thursday, August 10, 2017

2-step verification: there are controversies within


There is controversy over which sub-method for two-step verification is safer.  Is sending an SMS message, common with Google and banks, and simpler for many users, less safe than an authentication app which does not require another message over the Internet?


Security Stack Exchange provides a detailed discussion from 2016 here.
  
Ars Technica also reports on a special app for 2-step verification for WhatsApp, and the user rules are quite strict.
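What the authenticator-app side of the comparison above actually computes, as an added example (not from the post or the linked discussion): RFC 6238 TOTP derives the code from a secret shared at enrollment plus the clock, so at login time no message has to cross the carrier network at all. The secret is the RFC 6238 test-vector secret, and the skew window and replay handling in `verify_totp` are assumptions about a typical server.

```python
"""TOTP (RFC 6238) as used by authenticator apps. The 6-digit code is computed
from a secret shared at enrollment and the current 30-second time step, so,
unlike an SMS code, nothing has to be delivered over the carrier network.
Added example; the secret is the RFC 6238 test secret, not a real one."""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret (SHA-1)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """What the authenticator app displays for the given Unix time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, window=1, used_steps=None):
    """Server-side check: accept the current step and +/- `window` steps of clock
    skew, compare in constant time, and refuse a time step that has already
    authenticated once, so a code can never be replayed within its validity."""
    used_steps = used_steps if used_steps is not None else set()
    current = unix_time // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            if candidate in used_steps:
                return False
            used_steps.add(candidate)
            return True
    return False


if __name__ == "__main__":
    print("code now:", totp(TEST_SECRET, int(time.time())))
    print("RFC 6238 T=59 ->", totp(TEST_SECRET, 59, digits=8))  # 94287082
```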


Tuesday, August 08, 2017

Conventional wisdom on complicated passwords changes


Here’s an interesting piece challenging the conventional wisdom on password security in the Wall Street Journal, by Robert McMillan.

The piece does not recommend forcing people to use special characters and random combinations of numbers and letters, upper and lower case, and to change passwords often. The problem is that when people change them, they don’t change them enough.
  
The other idea is that you don’t need to change a password unless you have reason to believe it is compromised. 
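The "they don't change them enough" problem in checkable form, as an added example not taken from the article: a rotation check that strips the case, digits and trailing symbols people usually change and undoes common letter-for-symbol swaps before comparing old and new. The `LEET` table and the 0.8 similarity threshold are assumptions.

```python
"""A check for the failure mode the article describes: a forced rotation that
is only a trivial edit of the old password (Winter2017! -> Winter2018!).
Added example; the substitution table and threshold are assumptions."""
import re
from difflib import SequenceMatcher

# Common letter-for-symbol substitutions used to satisfy "special character" rules.
LEET = str.maketrans("@$!013", "asiole")


def normalize(pw):
    """Lower-case, drop the leading/trailing digits and symbols that usually change
    at rotation time, then undo @->a, $->s, !->i, 0->o, 1->l, 3->e."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def rotation_problem(old, new, threshold=0.8):
    """Return a reason the new password is not a real change, or None if it is."""
    a, b = normalize(old), normalize(new)
    if a and a == b:
        return "same core word, only case/digits/symbols changed"
    ratio = SequenceMatcher(None, a, b).ratio()
    if ratio >= threshold:
        return f"too close to the previous password (similarity {ratio:.2f})"
    return None


if __name__ == "__main__":
    for old, new in [("Winter2017!", "Winter2018!"), ("P@ssw0rd1", "Password2"),
                     ("Winter2017!", "correct horse battery staple")]:
        print(f"{old} -> {new}: {rotation_problem(old, new) or 'ok'}")
```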

Monday, August 07, 2017

Phishing emails appeal to job skills I've never said I have


Here's another interesting phishing scam.  Emails that say they are interested in my "selling background".  How many times have I said that I am not a huckster?  I've never sold insurance or mortgages.  I've worked on the IT systems supporting them.

Oh, maybe I'm treating "sales" and trolling consumers (which is how you generate leads) beneath my dignity.

There are also reports of a phishing scam imitating the Better Business Bureau.

I've also gotten one phish claiming a "relative" is in jail overseas.

Saturday, August 05, 2017

Odd dns link seems to try to load with some Wordpress pages in Windows 10 Creators Update ("incapdns")


I’m noticing odd behavior of my Wordpress blogs in Windows 10 Creators Update environment.
When I go to a specific page, in Chrome or Firefox (so far), sometimes the page tries to load from “incapdns.net”, which seems to be some ad-serving network judging from Google searches. Yet the blog post right now does not serve ads. It is conceivable that it comes from an embedded YouTube video which does have ads.

I’ve messaged Trend Micro to ask if this is acceptable behavior. A full scan does not find malware.
The Trend security report shows no problems.

I’ve also noticed that in Windows 10 Creators Update the sound can fail and YouTube will not play, and the problem clears with a Restart.

Update:

Apparently I get the same result on another computer with an earlier version of Windows 10.  Will try Windows 7, MacOS tomorrow.

I'm wondering now if this has to do with BlueHost's "add-on" structure for hosting accounts.  This may be the domain that converts the physical URLs to logical ones with DNS resolution.  This process could eventually prove useful in a strategy to implement "https everywhere".

But I had found some negative links about the site online and sites that claimed to remove it.

Monday, July 31, 2017

Comcast Business gives another reason not to pay ransomware


Comcast Business is advising customers never to pay ransom for "ransomware" attacks, because often files are merely "deleted" but not encrypted, and can be recovered.  Here's the article from today.

Here is US Cert's latest on Petya, link.

Friday, July 28, 2017

Home users and small businesses may want to consider protecting their digital data storage from EMP attacks (which can be local)


I’ve mentioned this before, but I thought this is an opportune time to reinforce the idea that small business and home users need to rethink their strategy for protecting their own data.
  
We’ve certainly heard a lot about novel ransomware attacks this spring, but for the most part home users and small businesses were not affected, because large businesses are more easily impersonated by attackers (especially overseas).  But another danger is physical attack which could include knocking out the power grids and electronics.


The recoverability of power is a controversial topic, but the US certainly is vulnerable in its inability to replace transformers quickly (or even transport them).  But another issue is that EMP electromagnetic pulses (which don’t require nuclear blasts – there are microwave flux weapons, not well known, that can do this in smaller areas) can destroy electronics, including modern auto ignition systems and data on hard drives and thumb drives.  Furthermore, cloud backup services could be compromised.  No one has written much on how well major data storage services (or publishing platforms or hosting companies) can secure their facilities from electronic damage from pulse-type weapons. 

Users could consider making optical CD backups of critical data as well as building or acquiring special “Faraday” cage devices. CD backups were more popular a decade ago than they are now. 
  
The military has these today, and I suspect major financial institutions have them.  But little has been written yet by mainstream media sources.  It needs attention.

The 2009 novel "One Second After" depicts the pileups on an Interstate in North Carolina when most car ignitions fail suddenly.  Frankly, there is suddenly more attention to this idea because of North Korea's threat, which James Woolsey says can be launched from a satellite today.

As far as I know, coronal mass ejections from solar storms do not cause this threat to devices, even though they can short out power grid transformers.


Thursday, July 20, 2017

Cell phone "smishing"


Here's a warning from Fortune (also on NBC Nightly News tonight) about smart phone smishing scams.

I have yet to get one that I recall.  But you should not respond to unexpected SMS financial messages;  you should go into the financial institution's website yourself (just as with email phishing).

And a few of these scams can infect phones with malware. 

Wednesday, July 12, 2017

Verizon contractor leaves 14 million cellular customer records open to compromise, but no evidence of actual misuse so far


Media reports indicate a breach in the data records of up to 14 million international Verizon customers, including PIN data, because a company that facilitates customer service calls left certain intermediate data not properly secured.
 
The Verge has a news story here.

There is no evidence that any data has actually been taken, but it is impossible to prove that it wasn’t.  That’s why strict audit trails, access control and elevation integrity are important to data centers.
 
These kinds of lapses were quite common in the mainframe world until the early 1990s.

Friday, July 07, 2017

Facebook phishing scam based on former Friend who is deceased


Be careful of a new Facebook scam. I just got an email Friend request from a former Facebook friend who is deceased. The FB email was spoofed but there was no request on my account. This seems like another kind of phishing scam, possibly on deceased persons.
 
Be aware also that misspellings of "Facebook" can take you to phony imitation sites that ask for surveys and then connect you to FB (or go into an endless loop, requiring restart).

I have found that I attract a number of people from poor countries as Friends.  This may be related to my blogging about immigration and asylum issues.  Sometimes there are requests for money, help with employment, medical expenses, or charities (or even coming to the U.S., which will not be legal right now -- immediate ICE detention).  Obviously it is normally very difficult to determine which if any of these requests are genuine.


 

Thursday, July 06, 2017

Milo's first printing sells out, already tempting "Dangerous" phishing scams. Always check your account on Amazon yourself.


Here's a word to the wise.  Milo Yiannopoulos's next book "Dangerous" sold out in its first printing (100,000) and my Amazon order wasn't soon enough to be in the first stock.  OK, I ordered Kindle as a stop-gap for $2.99.  But then I get a fake message saying it has shipped, and to click for directions.

So I go to the Amazon site, and see it still hasn't shipped.

So "Dangerous" may have invited some phishing scams already.  

Wednesday, June 28, 2017

Pentagon may be prohibited from doing business with Kaspersky, Moscow-based security software popular on home computers in the U.S.


The U.S. Senate is considering a bill prohibiting the Pentagon from doing business with Moscow-based Kaspersky labs, NBC News story.

Geek Squad has often sold Kaspersky, and I have used it on at least two Windows computers. Kaspersky seems to be one of the most pro-active companies in warning about possibly dangerous websites.  It also tends to give amateur sites lower safety ratings than do many other companies.



Update: July 23

The Washington Post reports on local governments using Kaspersky in an article July 23 by Jack Gillum and Aaron C. Davis, link here .

Tuesday, June 27, 2017

Major ransomware attack spreads from Ukraine, related to Petya/eternal blue, locks up boot drive rather than individual files, Microsoft may have patch already


Here is the New York Times story on the latest ransomware attack, called “Petya”, which seemed to spread quickly from the Ukraine this morning.  It is also related to a malware scheme of hacking tools called “eternal blue”.

So far, a few American companies, including pharmaceuticals and one law firm, and smaller hospitals have been affected.

Trend Micro has a detailed writeup as of 12:30 PM today.

Heavy.com has a detailed story.

It is not clear if users who had installed previous Microsoft vulnerability patches are protected.

It is not clear if the latest Microsoft systems are less vulnerable.  It also spreads through Port 445 (for Microsoft shares).  This virus seems to affect master boot records rather than encrypting files.

 The Microsoft page published today June 27 says that Windows Defender Antivirus removes the threat so it should not be hard for all antivirus companies to do this.

Malware Tech has a good explanation that novices can understand, here.

Eweek has a self-inoculation idea of creating a file called perfc, with no extension or content, in the Windows folder (story).


Thursday, June 22, 2017

Curious phishing email from "Apple-ID" imposter when I walk into an Apple store for a Genius Bar consultation


Just as I checked in an Apple store for Genius Bar support for an issue I have with my passwords, I got a phishing email from “Apple ID” claiming I had just purchased “Clash of Clans”, “Box of Gems”.

There were no credit card transactions in my accounts matching this purchase.

Apple was perplexed, saying this was a phishing email and is checking into the security issue.

Saturday, June 17, 2017

Phishing trojan in Microsoft documents has mouseover vulnerability


Trend Micro reports a version of malware possible in Microsoft documents (specifically PowerPoint) where infection is possible merely by passing a cursor over a link in the document without clicking it.

It’s called OTLARD/Gootkit.  It seems to be spread mainly by phishing attacks to companies where employees are likely to be fooled by official-looking emails.  

Friday, June 16, 2017

iPhone popup malvertising adware claims I have "4 Virus", tries to sell fake removal software


Today, while visiting a Guardian article on anti-gay attitudes in Indonesia on my iPhone6, I kept getting popups urging me to download anti-virus software and claiming my phone was “28.1% infected” by the “4 Virus”.  It claimed I had visited adult web sites (I hadn’t).  That’s a dangerous claim. That could be related to other malware claiming you have child pornography.



Note the misuse of the Google trademark, also.



It’s a little concerning because I had popups turned off.  It happened only on this site, and I deleted the cache and cookies afterward.

An interesting article is here.  Here’s something more directly related.

Friday, June 09, 2017

Facebook scam claims the service is no longer free, demands a Ponzi payment


I had an incident Thursday where a Facebook “Friend” who seemed to live in a violence-prone area of the southern Philippines messaged me claiming that Facebook would no longer be free and that I had to pay into some Ponzi scheme.  The message was in poor English.
 
This is another obvious scam to be aware of.  I did report it, but Facebook has not responded directly.

Wednesday, June 07, 2017

WannaCry now has a chain-letter Ponzi scheme implementation


Now, there is a version of ransomware in the “WannaCry” family that aims at creating a Ponzi scheme.  The target can get her data back and avoid paying the ransom if she infects at least two other computers.  It really sounds like the ultimate chain letter, or multi-level marketing scheme.  Always Be Closing, indeed.

Or, to get your data back, become a criminal, "like us".  Break the law.  Resist???
 
Sheera Frenkel has the Business Day story in the New York Times today, link here.

Tuesday, June 06, 2017

CERT warns of SNMP vulnerability for workplaces


DHS Cert in Pittsburgh is warning of a vulnerability in SNMP, Simple Network Management Protocol, which can be compromised to gain unauthorized access to network devices.

This is not as likely to affect individuals or very small businesses, as larger organizations.  It would be possible to target a particular employee, for example, for blame.  So this advisory sounds more like a workplace issue.
 


That reminds me of the warning back in the early 1980s at a credit reporting company that associates must always sign off when not at the terminals and keep passwords secret, and could be terminated for misuse of their accounts by others.
 
Workplaces also have a problem in that spammers may imitate the employer’s trademarks and look-and-feel in phishing attacks that would not work against home users.

Tuesday, May 30, 2017

Mortgage company sites get hacked, siphoning payments from homeowners with phishing schemes


The FBI Office in Minneapolis is warning consumers about “mortgage phishing”.  Before closing, a mortgage company’s database is hacked and the criminals send phishing emails to accept payment, with a fake website and emails to fool the consumer into believing she is paying the mortgage company.

NBC News has the story here.

Back in 2000, I was paid a settlement from Texas that was stolen this way, but I got repaid anyway.

Sunday, May 21, 2017

Be wary of Facebook friend requests from existing friends


Be wary of Facebook friend requests from people who are already friends.

Kim Komando has a page on the problem here, and WJLA-TV will have a story about it Monday night, May 22.

There have been cases of people creating duplicate fake profiles to divert friend requests. 
Fake requests could also solicit personal information.

A fake profile of someone could be used as a ploy to call for money, claiming a need for bail or arrest in a foreign country.  That’s a common scam.  In my case, my friends would probably be very suspicious.

I had one fake profile of mine a few months ago (with no posts) which a friend (who knows my books well) reported and it was deleted by Facebook before I found out about it.  She said it had happened to her once and that it is a fairly common scam, probably from overseas hackers.



Update:  May 24

Sinclair Broadcasting's ABC affiliate WJLA 7-on-your-side has a video on the problem, aired May 22, here.

Friday, May 19, 2017

Property insurance companies start to cover ransomware, sometimes bundled with home and auto; is this always a good idea?


NBC News is reporting that several insurance companies, including AIG (from 2008) are offering new cyberinsurance, against identity theft and specifically ransomware losses. The story and video are here.

Homeowners’ policies often cover identity theft now, but coverage of ransomware payments and recovery seems to be new.   Usually this coverage has to be requested as an add-on endorsement for about $100 a year.

Bundling cyberinsurance with property insurance (auto and home) in umbrella (“rain shield”) insurance may not always be in the best interest of consumers.  It could lead to companies’ being nosey about consumer online reputation and habits.  This does not need to complicate covering your home from a tornado or car from a drunk driver.

The report mentioned threats against consumer cloud accounts (maybe bogus, by phishing). Consumers should always watch their bank and investment accounts online diligently. And don't click on attachments or links from sources you don't know.  Verify that the mail really came from (or would come from) the company in the header.  There is such a thing as safe computing. 

Thursday, May 18, 2017

New covert malware attempts to mine for bitcoin on your computer


There are reports of a new “invisible” malware. It’s called “Adylkuzz” and it seems to be designed to get karma points toward bitcoin mining. CNN has a story here.

It apparently offers the dubious “benefit” of blocking other malware (maybe even ransomware) while it runs.  Of course, ransomware usually demands payment in bitcoin.

Friday, May 12, 2017

Massive "WannaCry" malware hits Europe, Russia; Edward Snowden had found it


There are plenty of news accounts of the “Shadow Brokers” attack on many systems around the world, revealed today, hitting Spain, Russia, and the British NHS pretty hard.  Here is a New York Times story.

And the Washington Post story. The NSA has known about the vulnerability, which was apparently exposed by Edward Snowden.

Microsoft updated its systems in March but another patch is said to have been released this week. It is unclear if the latest updates Tuesday (to Windows 10, including 1703 Creator’s Update) have all the fixes. My systems updated this week and show up-to-date.

The UK NHS (single payer healthcare) infection apparently occurred with zip file attachments.  But the media reports that the WannaCry  malware could be spread by infected ODF files.

Webroot, in a tweet, directed me to read this Microsoft bulletin about SMB MS17-010 here.  UK Computing has a story here. Infection seems much more likely through servers and network shares, and less likely at home.

Timothy B. Lee of Vox has a detailed explanation here.



Update: May 13 

US Cert's analysis of the problem.

This worm can spread from computer to computer within a network with a different user clicking on a phishing link or dangerous site.  It's not clear it can get through a firewall.

A 22-year-old programmer in Britain (or was it Indiana) disabled the current malware by buying an unregistered domain used as a pivot in the worm.



Microsoft has a new update.   Windows 10 computers are not affected. However, earlier computers still running Windows 8 or earlier may be vulnerable if not updated after May 13, particularly if connected to network shares.  Here is the latest I can find. I find their advice problematic;  older computers do not run Windows 10 very well.

Ars Technica discusses Port 445 exposure (not requiring user interaction) here.



Update: May 16

Here's a blog post from Kaspersky about the Lazarus Group and possible ties to North Korea.

Update: May 17

Trend Micro offers a Folder Shield, which provides one more layer of protection for a designated folder, in the Data section.  It also offers users with earlier Windows versions a check to see whether they have all the necessary patches against WannaCry.

Tuesday, May 09, 2017

Chrome browser said to be enforcing https standards


A site called “Nestify” is advising web users that Google Chrome will apparently mark all non-“https” sites as unsafe, and also mark certain https sites as unsafe if they don’t pass certain standards. The article, shared today on Twitter, is here.

It’s obvious that sites that require you to log in need encryption and SSL.  It’s less clear if you’re browsing and the website owner doesn’t require you to log in.  But the business climate of most webmasters today is that most of them need to sell something (however rarely) to some visitors, so an all https environment seems more credible.

Generally, newspapers having a paywall (as more do all the time) are starting to use https for all access (now the New York Times does). Vox does not require login but has installed SSL (maybe because Timothy B. Lee works there and influenced the company to do so).  But some news broadcast networks don’t yet, as they all have totally “free” content.

The article mentions Wordpress sites.  Right now I have four Wordpress blogs on Bluehost, under one account with three add-ons.  Blue Host allows one site per account to have SSL right now.  Since BlueHost has a subdomain naming structure internally, it would sound plausible that they could offer it to all addons on a hosting account at some point with more “programming” or re-engineering of how some routing works.  But that could be hard to install without interfering with access. 

My native Wordpress blog (URL; I’m putting some old archived material there) is SSL, as are 13 of the 16 Blogger blogs.  The three that are equated to domain names are not https because SSL is based on domain name (“Blogspot.com”).