Sunday, July 15, 2018

Site allows you to check if your email passwords have been stolen



“Pardon the interruption, your passwords are leaking”.  It’s a kind of incontinence.
   
So Geoffrey Fowler writes in the Washington Post Business, “Stolen Password, Here’s What to Do About It?”

He gives a site, “Have I Been Pwned”, here.

One of my emails was found on seven sites that had been breached, but not on any dark web sites themselves.
  
Fowler recommends changing every password every 90 days with 2-step authentication and the use of really long hashed (like MD5) passwords with a professional app.

Tuesday, July 10, 2018

"Dbsync" files with 0 bytes loaded by some adware on some sites



A recent Salon article stalled when I was scrolling in Google Chrome in Windows 10.  When I viewed it in Mozilla, it scrolled fine, but Mozilla asked me if I wanted to download a file called “dbsync” with zero bytes.  I let it go.

Afterwards I restarted and ran a full scan in Trend Micro and it came up clean.  The file seems like a pivot to get adware, which is probably not malicious but would be removed as “bloatware” by some security products.
  
On Google searches, Trend warns of some fraudulent anti-virus products that claim they will remove dbsync.

Thursday, July 05, 2018

US Cert would do well to publish more on SQL Injection issues



I wanted to take a moment and gather some material from US-CERT in Pittsburgh on SQL Injection attacks.

The main primer dates back to 2012 and is linked here. Note that CERT reports a large number of attacks in 2008 through Microsoft IIS. The recommendations in the paper relate mainly to larger organizations and tend to suggest theft of user PII is the biggest danger.

In 2016 CERT warned that SQL injection attacks might be attempted by foreign adversaries on voter databases, here.

NICCS offers tuition-based classes for companies on preventing SQL injections.  Usually these mean employers send tech support staff to cities (like Seattle) for several days of travel.

The scale of the training required makes security a difficult matter for individual bloggers to handle on their own.  Wordpress and Automattic need to remain aggressive in fixing vulnerabilities that seem to be found at times, and bloggers should upgrade to latest versions quickly when offered. This is more true now than it was a few years ago because of the tense political climate, domestically and worldwide.
  
  
Blogger has never attracted attention for vulnerabilities like this because it uses a totally proprietary database.

Wednesday, June 27, 2018

Wordpress password change on hosted sites needs a little SQL knowledge


If you blog on Wordpress on a hosted platform, the procedure for changing a user password is more complicated than with a free blog. It’s a good idea to do this at some unpredictable intervals.
  
Generally, you go into phpMyAdmin, look for the database that corresponds to the blog (you need to look in the File Manager if you have more than one), look for the user table, enter a new password, and then choose an encryption method (usually MD5) from a drop-down. BlueHost is pretty typical.
  
  
The actual physical password is encrypted, not what you enter on the Wordpress login screen.
I don’t get why in this video you need to regenerate it on Wordpress itself, but I’ll look into it.

Monday, June 25, 2018

Primers on Wordpress and SQL Injection vulnerabilities




There are reports of potential vulnerabilities being found on Wordpress sites for javascript statements with “1=1” parameters (always true) that seem to open the door for possible SQL Injection attacks later.

Here’s a typical story.

The statement may occur in a theme, or in the wp-includes directory.

It is unclear how they are put there.
  
Here is a primer on how SQL injection attacks work.
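To make the “1=1” point concrete, here is an added example (not from the post or the linked primer) that builds a tiny in-memory users table and runs the same lookup two ways: with the user-supplied value pasted into the SQL string, and with it bound as a parameter. A small defender-side regex for spotting the always-true pattern in request parameters or logs is included.

```python
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a WordPress users table, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """Builds the SQL by string formatting: the caller's text becomes part of the
    statement, so a value containing a quote and `OR 1=1` changes what WHERE means."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = '%s'" % login
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, login: str) -> list:
    """Same query with a bound parameter: the text is only ever compared as data."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = ?"
    return sorted(row[0] for row in conn.execute(sql, (login,)))


# The always-true input the post describes; `--` comments out the closing quote.
ALWAYS_TRUE_INPUT = "x' OR 1=1 --"

# Detection aid: an OR followed by a tautology such as 1=1 or 'a'='a'.
TAUTOLOGY_RE = re.compile(r"\bOR\b\s*(\d+|'[^']*')\s*=\s*\1", re.IGNORECASE)


def looks_like_tautology(value: str) -> bool:
    """True when a parameter value or log field carries an OR-tautology pattern."""
    return TAUTOLOGY_RE.search(value) is not None


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, 1=1 input:   ", lookup_vulnerable(db, ALWAYS_TRUE_INPUT))
    print("parameterized, 1=1 input:", lookup_safe(db, ALWAYS_TRUE_INPUT))
```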

Friday, June 15, 2018

Apple fixes lingering security flaw in iPhone that enables law enforcement investigations on locked phones



My own iPhone updated to iOS 11.4 a little while ago.


Apple has announced a security fix to prevent hackers from getting into a locked phone, but that would also preclude law enforcement from getting into one. The New York Times story by Jack Nicas is here.
  
Tim Cook has always said that allowing anyone but a phone owner to open it post-mortem would be a kind of “cancer”.

Thursday, June 14, 2018

Security companies need more transparency in how they report customer site risk, even to hosting providers



There has been some controversy (since mid 2017) over how security companies like SiteLock mark websites as “high risk” with apparently no transparency as to what the risk factors are.
  
This is also an issue because security companies usually work with hosting providers who do the billing and who might have some concerns over their own downstream liability for customers (as this climate has been changing rapidly, as with FOSTA, for example). 
  
  
Forbes had a piece in August 2017 by Kalev Leetaru, and Whitefirdesign has several articles from 2017, for example this one.
  
There are reports of hosting providers threatening to cut off customers who experience one malware hacking attack.  There are also reports of telemarketing calls selling site security services, which would dilute the credibility of the services if the calls weren’t legitimate.
  
It is not clear whether site risk is based on the technical components (use of specific Wordpress plugins, for example) or its content (whether it is controversial according to the “skin in the game” theory, which has percolated for years while getting very little media attention). 
  
One concern is that with network neutrality gone, telecoms could (with public pre-notice first) block sites rated as risky, either by anti-virus companies that they acquire through mergers, or even through content delivery security services like SiteLock, Cloudflare, and the like.  We already know that Cloudflare has blocked or closed accounts of some objectionable publishers (so far limited to white supremacy).
  
This is an evolving issue that may change with time and generate new incidents and controversies.

Friday, June 08, 2018

Should you change all your default privacy settings now?



Here is Geoffrey A. Fowler’s moral lecture “Hands off my data: 15 default privacy settings you should change right now”, in the Washington Post.  A Facebook friend shared this piece early Friday, and said he accepted he has no privacy online.
  
Facebook is the worst offender, but even Microsoft and Apple have their sins.
  
  
For most of us, this sounds like paranoia.  But it really depends on how exposed you are to meddling by others, in your personal living situation and employment.
  
It also depends on whether you are in a circumstance where people connected to you can be affected – especially if your online reputation matters in the workplace because you sell somebody else’s ideas.
  
We all depend on surveillance capitalism.

Wednesday, June 06, 2018

Trend Micro loops updating Windows 10 computer with creators updates, after returning from vacation non-use



On one Windows 10 computer, which I did not use for 11 days while on the road, Trend Micro update keeps looping.

I find that if I restart the computer, it says it is active and will let me run a scan.  But the icon that says an update is being installed persists. Of course, until the problem is resolved it cannot keep up with updates.

The computer that I took with me and used every day (also Windows 10 with the same latest features update) does not now have this problem.

There are various links available on Trend Micro Community, dating back to early 2017,  but I believe this could also have something to do with a period of non-use or recent Microsoft updates.
  
I’ll contact Trend Micro if I can’t get this resolved soon.



Update: June 12

A 90 minute support session where Trend applied several hotfixes fixed the problem.  Not being logged on for 11 days was only part of the problem.  tmqa.jp and login.me were used so that the technician could work remotely.

Sunday, June 03, 2018

New hacking group could threaten industrial control systems



A hacking group called XENOTIME has attracted attention for the capacity to hack and shut down industrial plants, after it did so in the Middle East last year.  The threat was written up by Shannon Varga in Axios here.

Dragos expanded with more details in a blog post here.

There could be dangers to water treatment plants, pipeline controls, and maybe some power plants. 
But it is not clear how they would get into a system off the public Internet.

The name of the group seems to be related to the Pokemon game.

Wednesday, May 30, 2018

Big time malware from North Korea can disrupt businesses, maybe hack sites and capture domain names



US-CERT has issued a two-part report regarding the Hidden Cobra RAT worm, as well as the Joanap Backdoor Trojan and Brambul Server Message Block Worm; summary here.
  
These appear to originate from North Korea and are primarily directed at industrial companies. The description of the Rat worm is exceptionally detailed. Part of the worm includes a powerful password cracker.

  
I am also aware of instances where a domain, perhaps one with political significance, has been hacked and the domain actually removed from registration by hacking, after replacement with malware bots.  This is likely to be foreign and might be related to North Korea. I’ll report more details when they are available. Trend Micro and Windows Defender have reported detecting this problem.

Friday, May 25, 2018

FBI needs home users to learn router programming skills to defeat determined foreign hackers



The FBI is warning consumers about malware that can attack home routers, especially VPN.
   
The Boston Globe has a typical story here.

Rebooting the router (from the power button, or by disconnecting and reconnecting, which causes most routers to go through the reboot) usually causes installs of any firmware from the cable vendor.  But for this malware, the reboot install may not be sufficient.
The FBI is encouraging home router users to learn how to sign on and update their routers manually, which normally requires shell scripting skills and operating system knowledge.
   
Comcast, Cox, etc. will soon have comments on this issue.

US-CERT has a bulletin on the issue here.

Sunday, May 20, 2018

Smart phone tracking and stalking a bigger problem than most people realize



Jennifer Valentino-DeVries has a long article in the New York Times Saturday on smart phone stalking and tracking, here.
  
There seem to be dozens of apps that make this possible, at least a short distance.
  
The problem seems to occur the most with domestic abuse.
  
  
NBC Washington also presented a report May 17. Fox stations have also reported it.  

Saturday, May 19, 2018

Chrome will suppress "secure icon", simply call out insecure sites in September 2018


Google Chrome will suppress its “secure” icon in September for sites that are accessed through https (have an SSL certificate) but leave the red “not secure” on for sites that are not.

Marietta Moon writes for Engadget here.
  
   
Google really wants to push unsecure content off the web, even when it doesn’t require user signin or collect data, partly because of increasing concerns over “man in the middle” attacks from foreign sources.
  



Monday, May 14, 2018

New concerns surface concerning vulnerabilities in email encryption standards



Electronic Frontier Foundation has sent out an advisory regarding vulnerabilities in various implementations of PGP encryption on various email platforms. The article is by Erica Portnoy, Danny O’Brien, and Nate Cardozo. 

Some of the vulnerabilities could enable an attacker to access other encrypted emails you have sent.
A lot of the public may not feel that this issue is as important as some others.  Most of us need encryption standards when we deal with financial institutions to buy new products (like annuities) or go through real estate closings and need to do a lot of DocuSigns.

One problem seems to be that some of the vulnerabilities could be activated merely by opening an email with html enabled, even without opening attachments. 

The IT departments of insurance companies and banks will be kept especially busy.

Thursday, May 10, 2018

Apple's new "Black Dot of Death": we need a fix quickly



There is a bug in iOS 11 versions on the iPhone that can cause the message app to freeze.  It has to do with Unicode that overfills a buffer associated with a “black dot” emoji ("The Black Dot of Death").
On Android it only freezes WhatsApp. On the iPhone it freezes the entire message app.  It is rather complicated to fix.

It could be a real problem, for example, if you are waiting for a taxi and getting messages from the taxi company.  (I don’t think it affects Uber.)

Typical story is here.
  

It is a little unclear if it freezes the entire phone or just the messages app.  It takes a long time to send.

The demonstrator says it is easy to fix by starting a new messages occurrence.  Fox8 in Cleveland says to use the Siri app. 

The phone can overheat when sending or receiving the message.  Could this become an airline fire hazard?
  
Apple will surely fix this very soon. 

Wednesday, May 09, 2018

Russian hackers impersonated radical Islam, harassed military spouses online as early as 2015, well before Trump's candidacy and election



There was an alarming historical story on AP by Raphael Satter, about how Russian hackers had impersonated ISIS with text messages or other social media contact with military spouses, at least back in 2015. 

At least one of the spouses was part of Military Partners, an association of partners of LGBT service members, active since the repeal of DADT and also since Obergefell.

But the attack appears to have been part of a Russian troll attempt to spread confusion and dissension, even well before the 2016 elections and even before Donald Trump had announced his candidacy. 
   
This story bears watching.

Tuesday, May 08, 2018

Phishing emails asking for payment for fictitious loans



Here’s a new one.  I don’t recall getting an email before about a loan I didn’t make.

But I got an email from “elastic.co” claiming I owe a $19 payment to “accounts receivables”.  There was an attached pdf which I didn’t open. The “.co” refers to Colombia, so that’s suspicious. 

I’ll probably pull credit reports in a few days to make sure there is nothing going on. 

I generally open “suspicious” emails only on the iPhone (apple operating systems don’t seem to be as vulnerable) and don’t open the attachments at all.

“Elastic” does appear, from superficial checking, to be a real company that makes loans. I doubt this email came from them. But I did send this on to Webroot and to Trend Micro to check further.
   
I should also mention that I've gotten a few US mail letters offering $100,000 lines of credit (one of them was $500,000).  I've ignored them.  They've never shown up on a credit report.


Friday, May 04, 2018

Twitter's little password flip; what about Facebook employees and your profiles?



NBC reports both praise and scorn for Twitter:  displeasure at the fact that uncleared workers could access unencrypted passwords at the company, but pleased that the company disclosed it.
  
I changed my own on a Windows 10 computer, and it seemed that it started working automatically on my phone.

In IT workplaces, security teams started to implement the idea of “separation of functions” among employees starting in the late 1980s in mainframe environments.  Programmers normally did not have the right to update production files but users did. But the maturity to respect security protocols, which protect employees, was slow to develop with many people (apparently including Hillary Clinton).
  
There is an issue of Facebook employees being able to access ordinary user private profiles, Wall Street Journal story.

Wednesday, April 18, 2018

Russian router hacks could even target home and small business users


Dan Goodin, of Ars Technica, has a somewhat detailed account of the recent reports from DHS and FBI and the UK’s National Cyber Security Centre, that the reports of Russian hacking of corporate routers may well include small business and even some home office routers, link.
  
The story was released April 16 and was reported on WJLA (a Sinclair station) local news early Tuesday.
  
The Ars Technica story emphasizes homeowners having older firmware and not always maintaining routers properly.  Some security experts say that cable company routers should be restarted once a month to reinstall any firmware, but I find that cable companies usually force maintenance in the early AM hours (leading to brief outages).
  
  
But some observers see this report as sinister.  Compromised routers could facilitate “man in the middle” attacks, and could provide some of the push for all websites (even those that don’t require login to sell anything) to use https.  They could provide ways for hackers to steal financial data or trade secrets or to stage novel new kinds of terror-like attacks targeting ordinary people, although this doesn’t seem to have happened.  But the North Korea attack on Sony in 2014 might be a paradigm to follow.

Tuesday, April 17, 2018

More on fixing legacy webpages for https everywhere



Here is some more information on the progress to enabling https, at least on my domains.

On Blogger, the three custom domains automatically convert to https if you enter http.  The thirteen other blogs as “blogspot” simply accept https.  I suspect that Google will force these to redirect before July for the Chrome68 implementation.

My four wordpress custom domains through Wordpress all accept https.  They can be accessed with http, but will work with “Let’s Encrypt”.  Bluehost offers pingbacks when you make hyperlink references among these domains.  Pingbacks generated after the https certificates were implemented and propagated (as Positive SSL) become https.  Older pingbacks right now are still http.  If you want to review the pinged site you have to enter https yourself in the browser, then you can see it under SSL (I just tested it).  This is not ideologically perfect, but I suspect this will be OK in July.

I haven’t gone through the Wordpress blogs and converted all the internals to https, although there really aren’t that many, fortunately.  Right now the user can insert the https on older links.
   
Google’s link (mentioned April 1) recommends that users deploy an Open Source tool called Lighthouse  to “clean up” their web pages.  This might take a long time for bloggers with a huge inventory of legacy pages, as I have.  Ramsay Tamplin (“Blogtyrant”) made similar recommendations with a different technique that I linked to here on November 13.

I have purchased a Positive SSL certificate for my Verio legacy doaskdotell.com domain.  So far it has not been propagated.  There is a massive number of hardcoded links within this very old site.  They could be changed by gang edits to relative links (as here).  I don’t think I will get to this right away, however.  I’ll keep everyone posted.

It is also worthy of note that Google Blogger no longer will publish posts with video embeds that include http (as opposed to https) code. 
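The “gang edit” of hardcoded http links described above can be scripted. This added example (not the post's own tooling) scans a page for absolute `http://` references and applies three different rules: links to the page's own host become relative (so they inherit whatever scheme the page was loaded with), links to other domains known to serve https are upgraded to `https://`, and third-party `src`/`action` references are reported as mixed content rather than rewritten, since the other site may not serve https. The host names and HTML are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Matches href/src/action attributes whose value is an absolute http:// URL.
ATTR_RE = re.compile(
    r"""(?P<attr>\b(?:href|src|action))=(?P<q>["'])(?P<url>http://[^"']+)(?P=q)""",
    re.IGNORECASE,
)


def rewrite_http_links(html: str, page_host: str, https_hosts):
    """Rewrite or report every absolute http:// reference in `html`.

    page_host   - host the page itself is served from; links to it become relative
    https_hosts - other hosts known to serve https; links to them are upgraded
    Returns (new_html, findings) where each finding is (kind, original, replacement).
    """
    page_host = page_host.lower()
    https_hosts = {h.lower() for h in https_hosts}
    findings = []

    def repl(match):
        attr, quote, url = match.group("attr"), match.group("q"), match.group("url")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host == page_host:
            new = parts.path or "/"
            if parts.query:
                new += "?" + parts.query
            if parts.fragment:
                new += "#" + parts.fragment
            findings.append(("own-host-relative", url, new))
        elif host in https_hosts:
            new = "https://" + url[len("http://"):]
            findings.append(("upgraded-https", url, new))
        elif attr.lower() in ("src", "action"):
            # Scripts, images and form targets over http break an https page
            # (mixed content); left unchanged because the third party may lack https.
            new = url
            findings.append(("mixed-content", url, new))
        else:
            # A plain hyperlink does not taint the page; noted for later review.
            new = url
            findings.append(("http-hyperlink", url, new))
        return f"{attr}={quote}{new}{quote}"

    return ATTR_RE.sub(repl, html), findings


# Constructed legacy page fragment for the demo.
SAMPLE_HTML = """<a href="http://www.example.com/content/about.htm?x=1#top">About</a>
<img src="http://www.example.com/images/logo.gif">
<a href="http://blog.example.net/post">notes blog</a>
<script src="http://cdn.example.org/lib.js"></script>
<a href="http://news.example.org/story">outside link</a>
"""

if __name__ == "__main__":
    new_html, report = rewrite_http_links(SAMPLE_HTML, "www.example.com", {"blog.example.net"})
    for kind, old, new in report:
        print(f"{kind:18} {old} -> {new}")
    print(new_html)
```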

Friday, April 13, 2018

All my blog custom domains (Wordpress and Blogger) now have https enabled



I have updated all four (the three remaining) Wordpress blog domains and the three Google custom domains.
  
The Google domains were easy. You just check a box in settings for each corresponding Blog, wait about an hour for propagation, and then check a second box to autoconvert all accesses to https.
   
For Bluehost Wordpress hosting, now you can do multiple domains within one cPanel.
  
One of the domains had minimal SiteLock protection, and that one took the free SSL certificate. Two others, that are newer, have SiteLock CDN (similar to Cloudflare). For these, you have to pay for Positive SSL (about $5 a month) and assign a new IP address for the domain (or remember to ask the support technician to do so – not everyone knows this yet).  You then wait for the new IP to propagate. You can check the progress of the propagation on “whatsmydns.net”.  It helps to reload it a few times;  that seems to prompt progress.  The site will go to your BlueHost panel as a redirect or give database errors on https until the entire propagation all over the world is done.  During the propagation, it is possible for foreign servers, especially, to reject your IP address, but this will not prevent the rest of the locations from working.  There seems to be at least one server for every telecom company around the world.  There are many server sites in non-democratic countries.

I hope later that SiteLock will cause the automatic conversion to https to happen.  I am told it is supposed to.   
  
China blocked one of my domains (the movie reviews).  Maybe that’s retaliation for Trump’s tariffs, or maybe that’s because I had reviewed some films about dissidents (Weiwei).  I don’t think I threaten Xi Jinping’s being god-king for life.

I've noticed that Trend Micro, at least, does not automatically mark https versions of green http sites as green; it seems to view them as new domains.  This seems illogical. 

Sunday, April 01, 2018

Google Chrome orders publishers to get SSL on all their sites by July 2018, "or else"



Google is now advising web publishers that its browser Chrome will start marking sites as “unsafe” (so to speak) if they do not have security certificates accessed with https, in July 2018, as in this story.   Google's own link is here.
  
The Search Engine Journal offers analysis on Chrome use compared to other browsers.  But it would sound reasonable to wonder if other browsers intend to do the same.

The story (with a sublink) offers a guide for migrating a Wordpress site.  This looks like a time consuming process, but many blog sites probably don’t use a lot of the features of concern. 
  
Google says that the conversion is important even for sites that don’t do ecommerce or require user login.  This seems debatable.  But one problem is that sometimes unencrypted sites allow actors to insert ads (or even scareware) or possibly illegal content into the stream sent by a user, and this may not be picked up by an antivirus product.  It would be a good question whether Microsoft Windows 10, for example, could come up with other ways to disallow man-in-the-middle attacks.
Google first started talking about this in 2014, but the concern has really picked up since about the end of 2016.
  

There is a product called the Unified Communications Certificate (UCC) which GoDaddy, for example, explains here, for multiple domain names.  But Comodo explains other concepts such as Multi-Domain SSL and Wildcard SSL here.  It appears as of this writing that such a product on BlueHost would still require separate cPanels for each domain, but I will check further into this.
I usually announce my own plans on a secured Wordpress “doaskdotellnotes” blog (it has https).  I would anticipate trying to have my other three wordpress domains secured by the end of June, 2018. 

There is a lingering question on Blogger why Google custom domains (when equated to Blogspot blogs) cannot have these certificates.  Will Google change this before its new Chrome policy goes into effect?
  
See the notes at the end of the Jan. 8, 2018 post here.

Friday, March 30, 2018

I'm getting random "scareware" attacks from MSN on Windows 10; Trend doesn't show them



On two occasions in late March, when I have gone to an MSN story displayed by Microsoft Edge, on a Windows 10 computer with the latest fixes (and Creator’s Update) I’ve gotten a red page and “Internet warning” which demands payment for tech support.

The screen goes away by merely closing the browser.  I have always restarted the machine. Trend Micro screens do not show malware, nor do they show a block of the page.  Edge history does not show the page.

Both stories appear to be served with “http” (not https), so it is possible that this is an interception and a “man in the middle” attack.

I have Cox as the telecom provider now.  In a previous location I had comcast.  On a few occasions I got such screens from random sites on Google Chrome, which I believe were always http.  The problem always went away with closing the browser and restarting, on this same HP Envy machine.  But I believe that Trend reports in those cases noted a blocked site.  

Not all news or media sites use or enable https for ordinary browsing yet.  I just checked Time and it does not.  But I have not tried to see if MSN can enable “https everywhere”. 

One other interesting observation about the MSN stories:  they are always derived news stories from other sites.  It is usually possible to just go to the original news site, which may be “safer”.
Windows 10 should be able to intercept this sort of attack.
  
Tuesday, while on an Amtrak train, an ASUS laptop with Windows 10 updated Trend and required a restart.  But then it required a second restart when I got home.  I’m not sure if Trend was working properly during the “Crypto Party” in Philadelphia, but I didn’t notice anything.

If it happens again I'll have the presence of mind to take a photo of the screen.  But the natural reaction is to close the browser instantly.



Update:  March 31 (Major)

I find that if I key in "https://www.msn.com" first then all their news comes up https.  So far doing that the problem hasn't recurred. So far, I can't get abcnews and time to come up with https, but I'll keep experimenting.

There's more.  On another machine, an ASUS originally built with Windows 10 and not converted from 8.1, MSN automatically comes up as https without having to be told to do so.  Are there some security problems for older machines converted to W10 with Edge added after the fact?  It looks like it.

Wednesday, March 28, 2018

US Cert reports on password spray attacks



Here is a report on US-CERT advisory TA18-086A “Brute Force Attacks Conducted by Cyber Actors”, with what CERT calls “password spray attacks”.

The attacker will conduct algorithmic password cracking attacks against a long list of related customers of a particular site, returning to all the customers in cyclic fashion, rather than being locked out after repeated attempts on just one account.

  
GitHub has a similar writeup here.
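The cyclic pattern described above is what distinguishes a spray from ordinary brute force in authentication logs: one source, many different accounts, only one or two failures each, so per-account lockout never fires. This added example (not from the advisory or the GitHub writeup) runs that logic over a constructed login log, using a sliding time window per source, and also lists any accounts the same source later logged into successfully, which is what an incident responder would want next.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: one login attempt per line.
# 203.0.113.5 sprays seven accounts once each; 198.51.100.7 hammers one account
# (classic brute force, caught by lockout); 192.0.2.10 is a user who mistyped once.
SAMPLE_LOG = """\
2018-03-28T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2018-03-28T09:00:02Z src=203.0.113.5 user=bob result=FAIL
2018-03-28T09:00:03Z src=203.0.113.5 user=carol result=FAIL
2018-03-28T09:00:04Z src=203.0.113.5 user=dave result=FAIL
2018-03-28T09:00:05Z src=203.0.113.5 user=erin result=FAIL
2018-03-28T09:00:06Z src=203.0.113.5 user=frank result=FAIL
2018-03-28T09:00:07Z src=203.0.113.5 user=grace result=SUCCESS
2018-03-28T09:05:00Z src=198.51.100.7 user=alice result=FAIL
2018-03-28T09:05:01Z src=198.51.100.7 user=alice result=FAIL
2018-03-28T09:05:02Z src=198.51.100.7 user=alice result=FAIL
2018-03-28T09:05:03Z src=198.51.100.7 user=alice result=FAIL
2018-03-28T09:05:04Z src=198.51.100.7 user=alice result=FAIL
2018-03-28T09:05:05Z src=198.51.100.7 user=alice result=FAIL
2018-03-28T09:10:00Z src=192.0.2.10 user=alice result=FAIL
2018-03-28T09:10:20Z src=192.0.2.10 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_spray(lines, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources that, within `window`, fail against at least `min_users`
    distinct accounts while never exceeding `max_per_user` failures on any one.
    Returns {src: {"distinct_users", "failures", "succeeded"}}."""
    fails, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        (fails if ev["result"] == "FAIL" else successes)[ev["src"]].append(ev)

    alerts = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        counts = Counter()          # failures per user inside the current window
        start = 0
        for ev in evs:
            counts[ev["user"]] += 1
            # Slide the window start forward past events older than `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                prev = alerts.get(src)
                if prev is None or len(counts) > prev["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(counts),
                        "failures": sum(counts.values()),
                        "succeeded": sorted({e["user"] for e in successes.get(src, [])}),
                    }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```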

Monday, March 26, 2018

Facebook could have logged Android users' SMS messages from users who accidentally gave permission




Media sources are reporting that Android phone users may have unintentionally given Facebook permission to log their calls and messages “behind the scenes”.  This is not allowed on the iPhone.  Here is FB's own link.

Qz has a critical story here.   NBCNews has a story here.
  
NBC News has a simpler tutorial on how to protect your Facebook data if you think you need to.
  
   
I had an android phone from late 2011 until, as I recall, early 2014.  When I got messages it would growl "Droid" in the night. I think I had the Facebook app, so it is conceivable that I could have been logged. 

Saturday, March 24, 2018

Guides on how to fasten down your privacy on Facebook after Cambridge; could Facebook make itself more like Snapchat?


It’s time to pass along some of the expert advice on how to set Facebook privacy settings to prevent misappropriation of data.

Here is Electronic Frontier Foundation’s, by Gennie Gebhardt. 
  
Wired has a more detailed guide here.  Facebook and other companies seem to track you even if you don’t have an account with them!  But they don’t listen to the mike on your smartphone or watch the camera on your laptop.

It may be difficult to completely remove yourself from Facebook, if you really want to.
  

If you want, you can delete your posts from Facebook history, to make it more like Snapchat.  
  
The practical harm to most people is probably very little or none.  Large scale identity theft is much less likely than with, say, Equifax, because essentially no real PII was taken and kept.  There can be online reputational issues for people in sensitive workplace or family situations (or living in authoritarian countries).  Some people may want to consider deleting posts, even though I personally wouldn’t need or want to, at least as a retired person.  Some observers question the effectiveness of deleting posts. There's a good question:  should Facebook offer an automatic delete, after, say, 1 hour or 1 day?

Friday, March 16, 2018

Russians target US power companies and other infrastructure with creeping malware; reputable journals jacked with malware placed



US-CERT has sent out a major advisory TA18-074A warning on how the Russian government is targeting power companies and other infrastructure components (like pipelines, water systems) with phishing attacks. Here is the basic link.
  
The report includes the disturbing story that articles in some legitimate academic or professional journals seem to have been hacked and compromised with malware.  These sites would have been rated as safe by security companies and generally have SSL (https) access already.


This time the malware seems to try to steal credentials, rather than use brute force (like ransomware) or play some kind of targeted psychological warfare online.

Bloomberg has a detailed story by Dlouhy and Riley. 

Wednesday, March 07, 2018

Cortana could allow a major security hole (Israeli research)



A site called Motherboard on Vice reports that Israeli researchers have found a hole in Microsoft’s assistant Cortana whereby an attacker could bypass normal security with voice commands.

Furthermore it is possible to use supersonic commands (what the Chinese call a “dolphin attack”).

Microsoft normally sends voice requests through web pages through Bing.

  
The idea of doing things only with voice (common in automated telephone customer service) poses some obvious security hazards in business processing online in traditional IT shops, and there were circumstances in my own career where this could have been very dangerous.

Tuesday, March 06, 2018

"Porting" of smartphones seems to undermine 2-step verification



Smart phone holders may now need to add a port validation feature to their accounts.  At this moment, I’m not sure how you do this. 
  
Marshall Zelinger at 9News in Denver reports on several cases of cell phone number theft by “porting” with subsequent theft of bank accounts even with 2-step verification.
  
  
One case in detail with MetroPCS and a T-mobile was described in detail.  It appears that the customer got his money back but lost a day of work and plans to sue T-mobile.
  
It’s not clear how the cell-number porting was done so easily.  This story needs to be followed.

Tuesday, February 27, 2018

Very odd Captcha from SiteLock; does it mean anything?



Today, on one of my sites protected by SiteLock, I got a bizarre captcha when I tried to access it, reading “V1 SHUTDOWN On 2018/03/01”.  I also got an advisory that I can opt out of the warning, and that getting it means that SiteLock has detected the symptoms of possible botware or malware on your computer.  I do get intercepted occasionally by SiteLock normally.

Trend Micro virus scans never find anything, and this happens once in a while, but I’ve never gotten a captcha message like this.
  
Maybe it has to do with a Google anti-spam service like this.


Thursday, February 15, 2018

EFF offers tips on shielding personal data from telecoms and maybe hosting providers



I wanted to share Electronic Frontier Foundation’s page on protecting your privacy from your telecom provider, by Amul Kalia, here. There is a lot of discussion of VPNs and (especially overseas) Tor.  There is also a list of smaller telecoms, not available everywhere, that seem less interested in monetizing your personal information.

Likewise, one could ask questions about hosting companies, who from my experience generally keep hands off.
  
Nevertheless, there are automated tools in use that might be able to detect (by digital watermark) illegal content when it is backed up in a cloud (I know of at least one arrest in Maryland (of a school employee) over this possibility).  Likewise Google searches attachments to emails, which has resulted in at least one arrest in Houston, TX.  There are cases where there could be legal issues with intentionally viewing some social media images or video portions out of context, and this might be detectable.

Monday, February 05, 2018

EFF warns users: keep your software up to date, even when vendors rudely interrupt you


Electronic Frontier Foundation has a valuable advisory paper today reminding visitors that they should always install software updates promptly. The advisory appears as a Security Education Companion from Surveillance Self-Defense.

The article maintains that updated systems are much less likely to be targeted by malware or known enemies because they are much more “expensive” to attack.

It also advises that notification normally does not come by email but within the product itself, so subverted updates should be extremely rare.

It also admits that there is a small risk that an update fails, but an older system is already “broken”.

I have to admit that secondary backup computers (for travel) don’t get updated as often, and that may be one reason a Lenovo ultrabook that I bought in early 2015 with Windows 8 became unusable this year.

I’ve also been unwilling to rock the boat with a 2011 MacBook and Sibelius, because there is so much music that is working there that way now. But that could be one reason why I’ve had trouble with iCloud recently.

I might also take exception to this idea when Microsoft pushes operating system replacements on users with older hardware.  I burned up a Toshiba laptop in 2014 going from 8.0 to 8.1; the motherboard just got too hot. 
  
It may be advisable to look into whether you actually “use” all the services attached to an account you have, since someone else could hack them without your knowledge.  Then I don’t know who would be legally liable. You don’t hear this idea discussed very often. 

Saturday, February 03, 2018

Apple and iCloud phishing attacks continue; AOL seems unable to identify certain phishing scams; security companies not up to speed on this


I continue to receive strange emails claiming sign-ons to my iCloud account and purchases overseas, especially in Indonesia and former Soviet republics.  I have marked them all as spam and forwarded them to Apple’s reportphishing@apple.com.  AOL does not seem to catch these as spam (nor does it catch emails that say your own AOL mailbox has been closed). 

I am also getting emails claiming my iCloud account has been canceled, with the sender address spoofed well enough, even when tested by mouse-over, to appear to have come from Apple. But the iCloud id and password still work, so that appears to be phishing. These also have been forwarded to Apple.
  
Yet security company Webroot is not aware of a specific problem with phishing involving iCloud.  
  
 However employees at an Apple store told me there has been a problem.

So far there is no evidence of invalid charges or of fake accounts overseas in my name.  But it is conceivable that someone could get arrested overseas if a fake identity had been created and the person went to that (third world) country. It is conceivable that fake accounts could result in judgment attempts.
 
Another possible risk could be that a hacker could place illegal content in an iCloud account. Users should always periodically spot check all online accounts that they have for possible abuse. 
   
This does seem to be a very large and bot-automated phishing attack probably from parts of the former Soviet Union. 

Monday, January 29, 2018

ChromeBooks offer sandboxing, which some experts say make them safer


I don’t know if there is some partnership between Vox and Google behind this story. But Vox Creative has a story on how the Google Chromebook runs every application in its own Sandbox.  That means malware from a website can’t infect anything else on the machine. 

This could mean that the Chromebook is a good choice for travel, especially long air trips, maybe overseas.


I don’t know how this compares to up-to-date security on modern Windows 10 or MacBook laptops.  There are opposing viewpoints on YouTube.  
  
I don’t know if the current concerns about chip security matter here. 

Wednesday, January 24, 2018

How many email addresses should you use? What about the proliferation of unused ones?



Since I do have domains on several platforms but need only two email accounts (AOL and gmail), I have no need for the email addresses that often come with web hosting providers, who assume that clients will run entire businesses off their platforms.

I have wondered if unused capabilities (meaning they are never looked at) could present a hidden security vulnerability. But the same capability could occur for non-existing social media accounts.  When I opened Instagram, I found an account already existed but it had no content.

Nevertheless, most pundits recommend that webmasters use different providers for email than for their sites, which is especially likely because of the popularity of Google’s gmail.

Here are a couple of typical advisory links:  carrier, and “nuts and bolts”.

There is some justification for multiple emails, however.  Many sources advise using separate emails for credit card charge verifications, orders, and travel itineraries, for example.  When I was “working” in a regular job, I always had a work email that was employer business use only. 

Tuesday, January 16, 2018

Trend Micro website safety ratings -- some questions (controversial news site rated "Dangerous")


I am noticing some confusion in Trend Micro’s website safety ratings.

The Site Safety Center uses the color blue for untested and gray for Dangerous.  (I know, quoting Milo.)  But in actual practice, if a site gives a gray circle with a question mark it means untested.

I find that Trend slips between green and gray on my two newer WordPress sites (“billsmediacommentary” and “billsnewscommentary”).  I think that this is because Bluehost treats these as “addons” and Trend’s scripts have trouble navigating addons.  If I convert to subdomains (which I would have to do for https anyway) these problems go away, but that is a complicated and difficult and potentially disruptive conversion effort.  (The "Is it safe?" comes from the dentist scene of "Marathon Man".)

There is a discussion site, Yabberz, which Trend rates as red (“Dangerous”, like Milo's book) and will not let me open. I haven’t tried it on the Mac.  Norton rates Yabberz as safe.   I have sent a Twitter message to Trend to ask them why this rating; a Facebook friend is writing on it. Does controversial content matter?  I hope not.  There could be issues with how the site is navigated.
  
Website safety ratings could become more critical for publishers to remain connected after the rolling back of network neutrality.

Tuesday, January 09, 2018

"Typosquatting" scams


Here’s a risk I’ve mentioned before, “typosquatting”, as NBC News explained last night. 

The most common result is “scareware” where a site takes over your browser and freezes a Windows machine, and demands you call and pay them. This happened one time with “nbcbews.com”.  The cure is to power off the machine, power it back on and bring it up, and then when you go to the browser, click “No” on restoring it. 


“Https” doesn’t seem to stop the scam. 
  
Most major sites register common and deliberate misspellings of their names.  Legally, these are trademark infringements, but it would be impractical for companies to go after overseas (often Russian) offenders.  North Korea might even be trying this now. 
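As an added illustration of the defender's side of this (not from the NBC story or the post above), here is a small check that flags a hostname as a likely typosquat of a protected brand domain when it is one keystroke away from it, or the same name under a different TLD. The brand list and hostnames are constructed; "nbcbews.com" is the case the post mentions.

```python
# Added example (not from the NBC story or the post above): flag hostnames
# that look like typosquats of a short list of protected brand domains.
# The brand list is constructed; "nbcbews.com" is the case the post mentions.

PROTECTED = {"nbcnews.com", "cbsnews.com", "apple.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitute or
    swap of two adjacent characters each costs 1 (so 'ncbnews' is 1 away)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_host(host: str):
    """(second-level label, tld) of a host, lowercased, 'www.' dropped."""
    labels = host.lower().strip(".").split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return (labels[-2], labels[-1]) if len(labels) >= 2 else None


def typosquat_of(host: str, protected=PROTECTED):
    """Return the protected domain that `host` imitates, or None.

    Flags a host whose second-level label is within one edit of a protected
    label, or matches it exactly under a different TLD (nbcnews.co); the
    genuine domain and hosts under it are never flagged."""
    parts = split_host(host)
    if parts is None:
        return None
    brands = {split_host(b): b for b in protected}
    if parts in brands:
        return None
    sld, _ = parts
    for (bsld, _), brand in brands.items():
        if sld == bsld or osa_distance(sld, bsld) == 1:
            return brand
    return None
```

Run over a proxy or DNS log's hostnames, this catches single-keystroke lookalikes and TLD swaps of your own domains; it will not catch homoglyph tricks, which need a separate check.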

Monday, January 08, 2018

More on "https everywhere" (for me, at least; what I have found out so far)


Following up on my earlier post on doing https everywhere on all my blogs, I did a chat session with BlueHost today.

What I have found so far can be summarized in these two links:

With addons, you can have only one SSL certificate per hosting account, as I was told in early 2016.  

That is still true now.

This one explains the differences between addons, parked domains, and subdomains. The information on this link is very critical.

The addon concept does not seem to keep the internal structure of the addon as a subdomain of the primary. A “WHOIS” at domaintools on one of my addons (like “billsmediacommentary.com”) does not mention that the site has an “owner” (“billsmediareviews.com”) so apparently this does not fit the meaning of a subdomain in the normal sense of SSL.

It would seem desirable to be able to equate a parked domain to a subdomain (so that the user doesn’t have to go to it) but I don’t see any statement that this is possible.
  
Another Bluehost link indicates that you can purchase a Positive Wildcard SSL for subdomains. 

Here is a discussion of how the subdomain concept applies at GoDaddy.  

At this point, it would appear that if you had been set up with addons, you would need to do a “conversion” of the addons to subdomains, which would require setting them up and copying the content from the addons after installs of WordPress to each subdomain.  I haven’t had a phone call with tech yet on this (just chat), but putting this all together and “connecting the dots”, this is how it looks.  You would have to write a script (or have a tech write one or supply one) to do the copies.  I don’t know what that would cost.   There may be tools on the cPanel that enable this.

In the past, the need for SSL did not seem acute for sites that did not require user logon, and people could use Paypal or other platforms without requiring storing of consumer PII to process payments. The addon idea that only one domain needed https sounded reasonable. Today, the politics seems to be changing.  Https is seen as a sign of professionalism and that you “belong” online and can be taken seriously, and that you respect the vulnerabilities of some of your readers (especially overseas).  Telecom companies could eventually insist on this as net neutrality goes away, as could website safety ratings.  Yet, the concern seems somewhat political.
  
Most major newspaper sites have gone to https for all content.  Broadcast media is mixed. NBC and CBS news sites have gone to it, but CNN, Fox, and ABC have not yet.  But the “climate change” on this issue seems real. 
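To make the addon-versus-subdomain distinction above concrete, here is an added example (not Bluehost's or the post's code) that checks which hostnames a certificate's Subject Alternative Names cover under the RFC 6125 wildcard rule: a `*` may only stand for the whole left-most label and matches exactly one label. The SAN list is constructed; the domain names are the ones the post mentions.

```python
# Added example (not Bluehost's or the post's own code): check which hostnames
# a certificate's Subject Alternative Names cover, using the RFC 6125 wildcard
# rule (a '*' only as the whole left-most label, matching exactly one label).
# Domain names below are the ones the post mentions; the SAN list is constructed.

def san_matches(pattern: str, host: str) -> bool:
    """True if one SAN dNSName entry covers `host`."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the entire left-most label, and the pattern needs at
    # least two more labels so '*.com' style entries are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # One wildcard covers exactly one label: *.example.com does not match
    # example.com or a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_hosts(sans, hosts):
    """Map each host to the SAN entry that covers it, or None."""
    result = {}
    for host in hosts:
        result[host] = next((s for s in sans if san_matches(s, host)), None)
    return result


# Constructed SAN list for a single wildcard certificate on the primary domain.
CERT_SANS = ["billsmediareviews.com", "*.billsmediareviews.com"]

# The primary, two subdomains, a deeper name, and an addon domain.
CHECK = [
    "billsmediareviews.com",
    "www.billsmediareviews.com",
    "blog.billsmediareviews.com",
    "dev.blog.billsmediareviews.com",
    "billsmediacommentary.com",   # addon: a separate registrable domain
]

if __name__ == "__main__":
    for host, san in covered_hosts(CERT_SANS, CHECK).items():
        print(f"{host:35} {'covered by ' + san if san else 'NOT covered'}")
```

The output shows why a wildcard on the primary covers its subdomains but an addon domain, being a separate registrable name, still needs its own SAN entry or its own certificate.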

Update: Jan. 9

Here's a start on how you copy a WordPress blog from a root site to a new subdomain.  You need to be comfortable with the plugins and have some knowledge of WordPress internals, it seems.



Update: Jan. 23

Bluehost now indicates you can convert add-ons to separate cPanel accounts, and each one can have https.  To do every one of them (in my case, up to five of them) with Sitelock could be expensive, and take some work.  Here's the link.  I'll follow up on this.

Update: April 3

I'm told now that you can put free SSLs on multiple WordPress domains, apparently on one cPanel.  In Bluehost you apply it from the cPanel, and then go to Settings-General on your dashboard to change to https.  Expect some downtime (< 1 hour usually).  I may try this soon and will try to do a little more fact finding myself on the cPanel issue. Bluehost reference.   This will allow "Let's Encrypt" to work but is probably not as good as separate panels.  This sounds like a "Crypto Party" topic.

Update: April 8

Blogger now informs us that https is available on custom domains.  I will test this very soon. 

Friday, January 05, 2018

Anti-virus vendors, PC manufacturers have to cooperate with Microsoft to fix Meltdown, Spectre; users confused; mainstream media coverage is shallow and misleading


Trend Micro has provided instructions to its customers on how to receive the Microsoft “Project Zero” (Meltdown and Spectre) patches, at this link. 
  
But Microsoft Knowledge Base KB4072699 advises customers that the automatic update is offered only to consumers whose security products have applied a particular registry key patch.

Judging from these two posts, it appears that Trend is releasing updates that will set this key, and after that the Microsoft automated update will be offered.

Users of computers other than Microsoft Surface will need to get firmware updates from their hardware vendors, also.  Generally these can be installed in any order.

Users can attempt to do the patch manually on their own, but the posts above don’t show enough information for users who don’t already know how to code Windows 10 Internals. 

Users should check the status of their Internet Security product.  The very act of checking when connected to the Internet for sufficient time may cause the registry key to be updated properly within the anti-virus product automatically (may require one extra restart before doing the Microsoft update).

ZDNet has a comprehensive explanation here.

Peter Bright has an explanation here on Ars Technica. 
  
Google’s own Blogspot discussion.

Update:  Jan. 16

Here's a master story on both Meltdown and Spectre from the source.

Here's a story on how Daniel Gruss hacked his own computer in finding the defect. Like Magnus Carlsen, he rather looks like a model.