Friday, August 16, 2019

Windows 10 has two new wormable vulnerabilities, fixed with the Aug 14 update


Windows 10 has two major vulnerabilities which the update on Aug. 14 (automatically scheduled) fixes, various sources report.  These vulnerabilities could apparently be unleashed with no user action (such as clicking on links in emails). Apparently these also apply to the Creators' Update series.

  
Microsoft describes them as “wormable vulnerabilities in Remote Desktop Services” (CVE-2019-1181/1182).  The problem does not occur in earlier Microsoft operating systems (7 and 8).

Thursday, August 01, 2019

Could hackers cause a highway 9/11 event?


Gannett’s Detroit Free Press reports on vulnerabilities that could lead to sudden mass road casualties from a foreign attack on Internet-connected vehicles, especially Jeep Cherokees, story by Eric D. Lawrence.  

  
This is backed up by a Consumer Watchdog report which advocates giving motorists a kill switch.  

My own Ford Focus is not Internet connected as far as I know. 

Tuesday, July 16, 2019

Banks are now experiencing smartphone SMS phishing attacks (breaking SSL) looking for phone PII



There seems to be a new phishing attack using SMS messages rather than email, targeting customer bank and investment accounts.
  
A lot of this is rather recent, but the Better Business Bureau has a typical explanation.
  
Tonight, when I logged on to Wells Fargo, I noticed such a message about fifteen minutes later.  I thought it might be related to a long list of payments or maybe checking a secondary annuity site. 

Later I noticed that the message had come at exactly the same time as my first access. The point of such an attack is obscure; it would make sense only if I carried a lot of data on my phone, and I don’t.


If the hacker already had my cell phone, or already had access to the account “they” could have messaged me exactly as I logged in. This implies they were the man in the middle, which shouldn't happen in a bank's SSL environment.  Fortunately, I have relatively little PII on my phone.  The message would link one to an account not secured, which is another red flag. 
  
I’ve had only one other security issue with the iPhone, that is, occasional emails claiming gamer purchases in Indonesia or especially Belarus were charged to my Apple account, when they weren’t.
  
Maybe I do have a doppelganger in the non-western world. I wonder if that could surface if I were to travel abroad in non-western countries.

Friday, July 05, 2019

Windows and small businesses continue to remain the biggest ransomware targets


Benjamin Roussey of TechGenix has an informative article from April 2019 on the seven top ransomware threats in the next year or so, link here.

He writes that small and medium-sized businesses are still the easiest targets.  He notes that many still run on older versions of Windows. Many are not diligent in keeping up with patches (individuals tend to do better than small companies).


He also notes that Windows is still much more vulnerable in practice than Linux or the similar Mac OS family.

Health care providers, doctors and PPOs have become particularly vulnerable.
  
He also makes an interesting comment about AI.

Thursday, June 20, 2019

Medical clinic will close because of ransomware; why don't small companies and cities have off-site backups?


A Florida city will pay hackers $60,000 in bitcoin to get its computer system back, the Washington Post reports.  We wonder why it didn’t have off-site backups.
  
The Citizen’s Council for Health Freedom reports that a clinic in Michigan has closed for good after ransomware destroyed its patient records, leaving patients, even recovering from surgery, stranded.  The case is said to be an example of the problems with requiring electronic records, and it sounds like HIPAA security and privacy didn’t work.
  
One question: why didn’t the doctors have an off-site backup made every day?

Wednesday, June 05, 2019

A brief review of Trend Micro



Here is Trend Micro’s pitch on how it monitors for global cyberthreats, including about 600 million potential ransomware threats a day. 


The service says it now pays particular attention to “cryptomining” or possible threats even to block chain entities.

It also says it can detect laundering and some organized crime.

It says it has 30 years experience (back to 1989 – mainframe companies started installing products like “Top Secret” around 1987).

Right now I have Trend on my Windows 10 computers.  I’ve had Kaspersky (banned in the US???) and Webroot.  Since Webroot bought Sitelock and my hosting provider uses Sitelock, that could be interesting.

I’ve had a problem with two of my Wordpress domains (there are four of them) going back to gray, and I don’t know why.  ThioJoe ought to do a video on website safety ratings. 

Thursday, May 23, 2019

What if we all have a hardware incontinence vulnerability?



Charlie Warzel and Sarah Jeong do a little skit in the New York Times, “The Internet Security Apocalypse You Probably Missed”.  It’s a little like Daniel Gruss’s “Microarchitectural Incontinence” about Intel chips.  This time, it’s Cisco routers.
Suddenly, a possible vulnerability that could target anyone, and that you could fix only with hardware.
  
Three or four years ago, the fear was some sort of massive shutdown by an enemy like North Korea. Now it seems enemies want our social media up so it can manipulate our weaker souls.

ThioJoe explains this as "microarchitectural data sampling" (incontinence), with examples like "Zombie Load" and "Fallout" and "Meltdown".

CPU vendors will eventually issue "bios updates" which average users won't know how to do. 

Sunday, May 19, 2019

WannaCry ransomware could come back to older systems given new Microsoft bug



Dan Goodin has an article on Ars Technica explaining again how many Windows exploits (variations of WannaCry) and ransomware continue to exploit governments and installations that lack the nimbleness of individuals to move to newer releases or apply patches.
  
Some Windows servers are affected, which can affect hosting companies that find managing Windows application pools difficult, resulting in outages or 503 errors.

Saturday, May 11, 2019

Local governments are particularly vulnerable to ransomware


Local governments seem particularly vulnerable to ransomware attacks, largely because of their bureaucracy.

Right now, Baltimore has a serious problem.  A year ago, Atlanta did.  Recently a town near Fairbanks, AK was targeted.


It is much easier for individuals to defend themselves than organizations, as their backup is usually a lot simpler. Individuals can also be much more wary of phishing attempts.
  
There have been cases where payrolls could not be run, putting affected employees in the same situation as a government shutdown without pay.

Tuesday, May 07, 2019

Robocalls may tempt users to spend money on callbacks to international 900 numbers


Security consultants are advising consumers not to return “one ring” calls, which are likely robocalls from 900 numbers that will result in steep charges when calls are returned.

Many calls come from Mauritania, but are spoofed so as to appear to come from within the US.  Most recipients are in New York State or Arizona.


Consumers might consider having their providers block international calls if they don’t normally make them.

CBS News has a typical story, by Sarah Min.

The objection to robocalls, while very prudent and understandable, undermines legitimate activity, like raising money for political causes or candidates or for charities. 

Monday, May 06, 2019

New phishing scam claims your package was not delivered by UPS


I received a fake UPS delivery message today that claims that a package sent from my UPS store location was returned because of an address mismatch.  It named a UPS store as the source.
  
The scam is based on the idea that the consumer probably doesn’t remember “their” UPS store number.  I have a box at the store in Ballston in Arlington VA.  It turns out that this email address corresponded to a store in Rock Hill, SC.


The most recent site I can find discussing a delivery scam is here.

But this is the first time I have heard of a fake misdelivery email.

I had opened the email but not gone to any links on the computer.  I opened the link on a phone, assuming that iPhone is not as vulnerable. The link labelled as the UPS store actually went to Microsoft OneDrive. It invited me to download a tracking document and download an app to view it.
  
I did show the email to the local store and asked them to show the scam to UPS corporate security.
   
I did restart the computer and run a quick scan and will run a Trend Micro full scan later this evening.

Monday, April 29, 2019

How should journalists report info gathered by hacking and sent to them?



Margaret Sullivan has a nuanced piece in the Washington Post style section Monday, “How should journalists report on data hacks?” “Journalists can’t ignore hacked data meant to disrupt elections.  But here’s what they can do.”

The article is rather non-specific, but one standard is the relevance of the information, as with the stolen emails in 2016.

  
I always thought it was about context. Since I had a mainframe IT background, I was aware of the controversies surrounding bringing work home or using your own hardware (which comes up with home customer service agent jobs).

Saturday, April 20, 2019

Trend Micro website safety ratings can revert back to Gray for no reason; Sitelock scans



I noticed Friday that suddenly the green check from Trend Micro on my two WP style 26 blogs (billsnewscommentary and billsmediacommentary) had gone back to gray, which Trend says means the site has not been reviewed.

But it had been.  I noticed the problem Friday morning when the site expanded in Twitter.

My HP Envy computer (Windows 10) has these notifications turned on. I haven’t done this on the ASUS.

The issue becomes more important in that some day, telecom providers might check safety ratings before even allowing sites to be connected (esp. after the loss of net neutrality).

Also, on a coordinated story today on my main “BillBoushka” blog I discussed a tech company organization called GIFCT.  Browsers are likely eventually to refuse to load sites with harmful content (as they do today with “unsafe” sites having malware).

But there are no standards today as to how website safety is evaluated or how content markers would be set.
  
Sitelock’s scans give some clue as to how sites can be evaluated for safety.  There are separate Malware, Smart, and Application scans.  The latter will detect problems (like the "1=1" SQL injection problem) that creep into Wordpress themes and facilities and typically can only be fixed by regular Wordpress security updates.

Tuesday, April 09, 2019

Local DC station WJLA advises consumers on avoiding cell phone spoofing



The newscast today on WJLA talked about the problem of cell number spoofing, and how it was used by scammers calling and demanding that people pay them money to avoid arrest, even sending them to ATM terminals.

A good writeup on the problem by Elliot Volkman appears on PhishLabs from 2018.  A user should always call back using a number published by the company (although make sure you are looking at the real website).


Ajit Pai of the FCC has warned that carriers need to do more about this problem, Verge story by Chris Welch. 

The FCC has its own page on the problem, dated Feb. 2019.

Tuesday, April 02, 2019

Security recommendations for protesters



Electronic Frontier Foundation has a comprehensive list of security precautions to take when attending a protest, particularly in developing countries.  But the piece also mentions the way US laws work.

The piece goes quite far with its recommended measures, such as purchasing a prepaid, disposable phone, and keeping your data encrypted, and using Signal.


It also recommends not driving to an event, although in many big cities public transportation is obviously the best choice.
  
I also wonder about the issue of attending a protest to report and blog about it but not participate. Unless you are a journalist known to the protestors, this may sometimes elicit anger or indignation from participants focused on solidarity and the idea of “no spectators” (like Burning Man).

Friday, March 29, 2019

Home routers, for your network and for perimeter security, can be hacked; firmware is supposed to be updated regularly



Can home security systems be hacked?

Kim Zetter had looked in detail at the problem in 2014 in a Wired article.

One danger would be the possibility of generating false alarms, as well as intercepting an inadequately encrypted signal.  Another would simply be hacking the router controlling the system and interfering with the signaling.  Another is simply cutting a cable outside a house; a cellular wireless signal is much safer.  

Similar problems have been reported with routers that control cable television and Internet access, but those are often separate devices, connected to a home computer network.  A security router may be a separate device.
  
All of these devices have operating systems that can be programmed, usually with some sort of Unix or Linux-like kernel. 
  
Security experts have advised turning off and restarting routers and modems once a month, to make sure that firmware security updates get applied (on restart); however, most cable providers push firmware updates at scheduled times late at night.  There were cases of Russian hacks of home network routers in 2018.  But typically security devices are never supposed to be turned off, and are kept always on by high-capacity batteries.

Saturday, March 09, 2019

Why "ji32k7au4a83" is a bad password



Here’s another password tip.  Beware of character strings that appear random in English or European languages but that make sense as a code for Asian languages, like Chinese. 
  
The Verge has a story about “ji32k7au4a83”, which translates to “my password”.



Note that there are thirteen dialects of Chinese which don’t communicate well with one another (China won’t admit this). 
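As an added example (not from the Verge story or this blog), a small Python check that maps a password's keystrokes through the standard Zhuyin (Bopomofo) keyboard layout and flags strings that decode into a run of toned syllables. The key table is the standard layout; the "phrase" heuristic and the function names are this example's own assumptions.

```python
# Added example: detect passwords that look random in Latin letters but are
# really a Chinese phrase typed on a Zhuyin (Bopomofo) keyboard layout.
# The key-to-symbol table is the standard Zhuyin layout; the phrase heuristic
# (every key maps, each syllable is closed by a tone key) is an assumption
# of this example, not a rule from the article.

# Latin key -> Bopomofo symbol (standard Zhuyin keyboard layout)
ZHUYIN_KEYS = {
    "1": "ㄅ", "q": "ㄆ", "a": "ㄇ", "z": "ㄈ",
    "2": "ㄉ", "w": "ㄊ", "s": "ㄋ", "x": "ㄌ",
    "e": "ㄍ", "d": "ㄎ", "c": "ㄏ",
    "r": "ㄐ", "f": "ㄑ", "v": "ㄒ",
    "5": "ㄓ", "t": "ㄔ", "g": "ㄕ", "b": "ㄖ",
    "y": "ㄗ", "h": "ㄘ", "n": "ㄙ",
    "u": "ㄧ", "j": "ㄨ", "m": "ㄩ",
    "8": "ㄚ", "i": "ㄛ", "k": "ㄜ", ",": "ㄝ",
    "9": "ㄞ", "o": "ㄟ", "l": "ㄠ", ".": "ㄡ",
    "0": "ㄢ", "p": "ㄣ", ";": "ㄤ", "/": "ㄥ", "-": "ㄦ",
}

# Tone keys: 2nd, 3rd, 4th and neutral tone.  First tone is typed as a space
# (or nothing) in most IMEs, so first-tone syllables are not recognised here.
TONE_KEYS = {"6": "ˊ", "3": "ˇ", "4": "ˋ", "7": "˙"}


def zhuyin_syllables(password):
    """Split a password into Zhuyin syllables, or return None if it does
    not decode cleanly (unmapped key, malformed or trailing syllable)."""
    syllables, current = [], []
    for ch in password:
        if ch in TONE_KEYS:
            # A syllable is 1-3 Bopomofo symbols followed by a tone key.
            if not 1 <= len(current) <= 3:
                return None
            syllables.append("".join(current) + TONE_KEYS[ch])
            current = []
        elif ch in ZHUYIN_KEYS:
            current.append(ZHUYIN_KEYS[ch])
        else:
            return None  # uppercase, space, '&' etc. are not Zhuyin keys
    if current:
        return None  # leftover symbols with no tone key: not a clean phrase
    return syllables


def is_zhuyin_phrase(password, min_syllables=2):
    """Heuristic: True if the whole password decodes into at least
    min_syllables toned syllables, i.e. it is probably a typed phrase
    and should be treated like a dictionary word, not a random string."""
    syllables = zhuyin_syllables(password)
    return syllables is not None and len(syllables) >= min_syllables


if __name__ == "__main__":
    # "ji32k7au4a83" decodes to ㄨㄛˇ ㄉㄜ˙ ㄇㄧˋ ㄇㄚˇ, i.e. 我的密碼 ("my password")
    for pw in ["ji32k7au4a83", "Tr0ub4dor&3"]:
        verdict = "weak (Zhuyin phrase)" if is_zhuyin_phrase(pw) else "ok"
        print(pw, zhuyin_syllables(pw), verdict)
```

A password strength checker that only measures Latin entropy would rate the first string highly; running candidates through layout transliterations like this one before the dictionary check closes that gap.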

Thursday, March 07, 2019

Google Chrome zero-day vulnerability patch update recommended now



Users are advised to update Google Chrome today to fix a zero-day vulnerability reported recently.

To update, look to see if the more (three vertical dots) button on the upper right has a rainbow color.

If your computer is properly configured, it should have updated automatically.




The security flaw could allow a hacker to read non-public files (like passwords stored) from your computer memory.

Monday, March 04, 2019

Some severe Wordpress plugin vulnerabilities have been fixed



Freemius has patched a “severe vulnerability” in a library used by developers for many Wordpress plugins, especially those related to monetization and analytics.  This issue could have become more significant in a world with so much social and political polarization. I presume that WP 5.1 has the necessary code included.

WPTavern explains the patch here.




There is a further explanation from a plugin security outfit that believes hackers have already been placing vulnerabilities on sites using these plugins.  Presumably these would be detected by the Sitelock monthly application scan.


By the way, here is a critique, that seems constructive, of Sitelock. The service will charge extra fees to fix pages on which malware is found.

Picture: Daytrip to Barrett mountain (and Page Valley behind it) in Maryland, maybe the last snow of the year (no relation to article).

Thursday, February 28, 2019

Curious story in the Verge about "thunderclap"



I’m not familiar directly with Thunderbolt computers, but here’s a story on the vulnerability of certain external drives and devices to Thunderclap.

I think this vulnerability could be of concern to utilities and infrastructure computers (pipelines, water treatment) to prevent “jumping” across “air-gaps” as a deep cybersecurity threat.

Just a warning note.

Friday, February 08, 2019

Youtube copyright strikes scam reported and fixed



Motherboard Vice, in an article by Jack Hauen, warns about a new scam to extort money (bitcoin) from YouTube channel creators with false copyright strikes, based on a flaw in the way YouTube handles DMCA takedown requests.  


The video above reports a similar scam using Comcast.
  
YouTube has restored the affected accounts and hopefully has closed the loophole.  

Tuesday, February 05, 2019

Lawsuit in Texas could set a precedent allowing copyright trolls to remove Internet access entirely from "pirating" consumers



Lior Leser (Sept. 2018) described a lawsuit by some media companies against an ISP in Austin, TX for not suspending the Internet access of some people who made illegal downloads via BitTorrent.


The lawsuit could set a precedent requiring ISPs to terminate all Internet access for consumers accused of piracy by media companies, merely on the basis of allegations from a copyright troll.

This case is very disturbing and it needs to be followed in more detail.

In the future, cloud examination could develop more evidence of piracy. 
  
Defeating SOPA in 2012 didn’t prevent this.

Friday, February 01, 2019

Google wants to eliminate the URL, turn the world into mobile apps?



What?  Google wants to eliminate the URL? 
  
So Lily Hay Newman writes in Wired. 

Whereas a fixed, static web address works well for individual consumers, small companies and bloggers, it seems to complicate things (that is, security and immunity from consumer database hacks and breaches) for enterprises.

But it’s hard for me to imagine how this would go away.
  
But the tendency for companies to encourage you to use their apps on smartphones rather than go to a conventional URL is a start.

Then the app stops working and doesn’t work again until you turn off and restart the phone, or get another iOS update.

This story reminds me of the big scare in 2008 over DNS that led to a big security conference held by Microsoft after a Finnish researcher found a vulnerability (ID blog, Aug. 9, 2008).
  
Here’s a list of the 12 most dangerous malware outbreaks in history. 

Tuesday, January 29, 2019

"The Young People Will Win", at least in busting Apple for a bug (not the NRA this time)



The Young People Will Win (“TYPWW”).  In Arizona, a 14-year-old, Grant Thompson, found a vulnerability in Apple’s FaceTime which would allow the caller to watch the party called even if “they” didn’t pick up.  In the days of party lines, this was called "listening in."
  
Heather Kelly has the story on CNN here.

  
Apple will issue a fix this week to all iPhones with an update, which is likely to come as early as Wednesday.  That could fix problems with some other apps (like AOL mail which was dropping connections).
  
We have 18-year-olds who bust the NRA, 16-year-olds who have to navigate perilous personal encounters that go viral given social context, and 14-year-olds who bust Apple.  But another 14-year-old developed a fusion reactor and a 15-year-old invented a new cancer lab test.  I’ve seen other less public things, like a 16-year-old directing a church play.

Sunday, Cal Newport had written a piece in the NYTimes indicating that Steve Jobs had never intended us to be so addicted to our phones with constant social media, news and email.  I didn't have Internet on mine until 2009 as I remember (on a Blackberry then). 

Monday, January 28, 2019

Two-factor authentication is not foolproof



Josephine Wolff in the New York Times warns today that “two-factor authentication might not keep you safe.” 

The main scenarios are phishing attacks with convincing replicas of real sites.
 
  
But now industry is moving toward the idea of a physical key with a rotating access code, inserted into a USB port.

Monday, January 14, 2019

What does browser incognito mode accomplish? What about TOR?



Do you really need to “worry about” using incognito mode on your browser (when your spouse uses it)?

Here’s a good answer from Quora.

Yes, if you look up information on how to commit a crime, on porn, on terrorism, on fetishes – one of the respondents says, “I’m a writer, what can I say?”


Maybe that’s a relevant answer in this area where independent content creation is coming under attack from radicals on both sides.

It’s possible that in the future law enforcement will scan cloud backups even more than it can today.

The other objection is that it will lead to the serving of ads on your “family computer” that you don’t want your spouse or the kids to see.
  
Thorin Klosowski gives a discussion of what the use of a TOR browser (“the Onion browser”) accomplishes for the average user.  It does provide “anonymity” but not real “security”.  And it is possible for very determined law enforcement (or the NSA) to crack it, so overuse of it could call attention to illegal motivations and weaken a claim of credibility should improper online behavior come to notice by other means (especially in civil cases).  Electronic Frontier Foundation has encouraged ordinary bloggers and vloggers to learn to use it, however, even in democratic, western countries.

Monday, January 07, 2019

Verizon hotspot and microarchitectural incontinence



On an Amtrak train, my laptop connected to somebody else’s hotspot before connecting to mine.  It even offered an automatic connection, which it should not do if I’ve never supplied a correct pw.  A flaw in Verizon software?  In Windows 10 security? 

Train was at a station, might have been someone’s house near the tracks. Maybe they didn’t set a pw?

No, I do not hack.

Some “microarchitectural incontinence”, as Daniel Gruss would say.



Wednesday, January 02, 2019

HP makes a short "horror" film about printer security


Hewlett-Packard sent out a tweet this morning about printer security, with the main link here.

It’s pretty understandable if you use your printer as a 3-in-1 and send old-fashioned faxes. 
   
But this seems to be more about enterprise printers on small business networks.


Here is their little short film, “The Fixer: The Wolf’s Next Meal”.

Business film does keep some independent filmmakers employed.  I remember that in the 1990s a friend wrote an article called "printer therapy" in a tech magazine.