Friday, March 30, 2018

I'm getting random "scareware" attacks from MSN on Windows 10; Trend doesn't show them

On two occasions in late March, when I have gone to an MSN story displayed by Microsoft Edge, on a Windows 10 computer with the latest fixes (and Creator’s Update) I’ve gotten a red page and “Internet warning” which demands payment for tech support.

The screen goes away by merely closing the browser.  I have always restarted the machine. Trend Micro screens do not show malware, nor do they show a block of the page.  Edge history does not show the page.

Both stories appear to the with “http” (not https) so it is possible that this is an interception and a “man in the middle” attack.

I have Cox as the telecom provider now.  In a previous location I had comcast.  On a few occasions I got such screens from random sites on Google Chrome, which I believe were always http.  The problem always went away with closing the browser and restarting, on this same HP Envy machine.  But I believe that Trend reports in those cases noted a blocked site.  

Not all news or media sites use or enable https for ordinary browsing yet.  I just checked Time and it does not.  But I have not tried to see if MSN can enable “https everywhere”. 

One other interesting observations about the MSN stories:  they are always derived news stories from other sites.  It is usually possible to just go to the original news site, which may be “safer”.
Windows 10 should be able to intercept this sort of attack.
Tuesday, while on an Amtrak train, an ASUS laptop with Windows 10 updated Trend and required a restart.  But then it required a second restart when I got home.  I’m not sure if Trend was working properly during the “Crypto Party” in Philadelphia, but I didn’t notice anything.

If it happens again I'll have the presence of mind to take a photo of the screen.  But the natural reaction is to close the browser instantly.

Update:  March 31 (Major)

I find that if I key in "https://www," first then all their news comes up https.  So far doing that the problem hasn't recurred. So far, I can't get abcnews and time to come up with https, but I'll keep experimenting.

There's more.  On another machine, an ASUS originally built with Windows 10 and not converted from 8.1, the MSN automatically comes up as https without having to be told do so.  Are there some security problems for older machines converted to W 10 with Edge added after the fact?  It looks like it.  

Wednesday, March 28, 2018

US Cert reports on password spray attacks

Here is a report on US=Cert advisory TA18-086A “Brute Force Attacks Conducted by Cyber Actors”  with what CERT calls “password spray attacks”.

The attacker will conduct algorithmic password cracking attacks against a long list of related customers of a particular site, returning to all the customers in cyclic fashion, rather than be rejected after repeated attempts on just one.

GitHub has a similar writeup here.

Monday, March 26, 2018

Facebook could have logged Android users' SMS messages from users who accidentally gave permission

Media sources are reporting that Android phone users may have unintentionally given Facebook permission to log their calls and messages “behind the scenes”.  This is not allowed on the iPhone.  Here is FB's own link

Qz has a critical story here.   NBCNews has a story here.
NBC News has a simpler tutorial on how to protect your Facebook data if you think you need to.
I had an android phone from late 2011 until, as I recall, early 2014.  When I got messages it would growl "Droid" in the night. I think I had the Facebook app, so it is conceivable that I could have been logged. 

Saturday, March 24, 2018

Guides on how to fasten down your privacy on Facebook after Cambridge; could Facebook make itself more like Snapchat?

It’s time to pass along some of the expert advice on how to set Facebook privacy settings to prevent misappropriate of data.

Here is Electronic Frontier Foundation’s, by Gennie Gebhardt. 
Wired has a more detailed guide here.  Facebook and other companies seem to track you even if you don’t have an account with them!  But they don’t listen to the mike on your smartphone or watch the camera on your laptop.

It may be difficult to completely remove yourself from Facebook, if you really want to.

If you want, you can delete your posts from Facebook history, to make it more like Snapchat.  
The practical harm to most people is probably very little or none.  Large scale identity theft is much less likely than with, say, Equifax, because essentially no real PII was taken and kept.  There can be online reputational issues for people in sensitive workplace or family situations (or living in authoritarian countries).  Some people may want to consider deleting posts, even though I personally wouldn’t need or want to, at least as a retired person. .  Some observers question the effectiveness of deleting posts. There's a good question:  should Facebook offer an automatic delete, after, say, 1 hour or 1 day?  

Friday, March 16, 2018

Russians target US power companies and other infrastructure with creeping malware; reputable journals jacked with malware placed

US Cert has sent out a major advisory TA 18-074A warning on how the Russian government is targeting power companies and other infrastructure components (like pipelines, water systems) with phishing attacks. Here is the basic link
The report incudes the disturbing story that articles in some legitimate academic or professional journals seem to have been hacked and compromised with malware.  These sites would have been rated as safe by security companies and generally have SSL (https) access already.

This time the malware seems to try to steal credentials, rather than use brute force (like ransomware)or play some kind of targeted psychological warfare online.

Bloomberg has a detailed story by Dlouhy and Riley. 

Wednesday, March 07, 2018

Cortana could allow a major security hole (Israeli research)

A site called Motherboard on Vice reports that Israeli researchers have found a hole in Microsoft’s assistant Cortana whereby an attacker could bypass normal security with voice commands.

Furthermore it is possible to use supersonic commands (what the Chinese call a “dolphin attack”).

Microsoft normally sends voice requests through web pages through Bing.

The idea of doing things only with voice (common in automated telephone customer service) poses some obvious security hazards in business processing online in traditional IT shops, and there were circumstances in my own career where this could have been very dangerous.

Tuesday, March 06, 2018

"Porting" of smartphones seems to undermine 2-step verification

Smart phone holders may now need to add a port validation feature to their accounts.  At this moment, I’m not sure how you do this. 
Marshall Zelinger at 9News in Denver reports on several cases of cell phone number theft by “porting” with subsequent theft of bank accounts even with 2-step verification.
One case in detail with MetroPCS and a T-mobile was described in detail.  It appears that the customer got his money back but lost a day of work and plans to sue T-mobile.
It’s not clear how the C-number porting was done so easily.  This story needs to be followed.