Public WiFi Hotspots - The Risks

Ah, the public hotspot: oases of connectivity in airports, coffee shops, bookstores, town centers and at chains that range from Starbucks to Barnes & Noble to McDonalds.

It’s a way of life to rely on WiFi access to get connected when out and about, but unfortunately consumer security practices aren’t keeping up. More than a third of users take no additional precautions when logging on to public WiFi, according to the Kaspersky Consumer Security Risks survey.

Global public WiFi hotspot numbers are set to grow from 1.3 million in 2011, to 5.8 million by 2015, marking a 350% increase in just four years, according to the Wireless Broadband Alliance.

“Nowadays it's easy to get online – in addition to cellular networks and broadband cable communication networks, there is often at least one hotspot which can connect computers and mobile devices to the Internet,” the Kaspersky noted. “It's almost second nature now, whiling away a few moments online using a WiFi hot spot. But hooking up to the network can carry hidden risks.”

At issue is the fact that many if not most of these hotspots skimp on protection for users – and many users are unaware or unconcerned about the potential problems this can cause. The survey showed that 34% of users said they took no special measures to protect online activity while using a hotspot, while 14% were happy to bank or shop online using any network that came to hand. Only 13% take the time to check the encryption standard of any given access point.

The security firm also raised the specter of a potential man-in-the-middle attack.

“You never know what that guy with the laptop at the next table might be doing,” it explained. “Maybe, like you, he's checking his email or chatting with friends. But maybe he's monitoring the Internet traffic of everyone around him – including yours.”

Unlike most home networks, the data flowing around a public hotspot is usually unencrypted. And because of its hub-and-spoke architecture, any WiFi access point is a window to the internet for all the devices attached to it. Every request from a device goes via an access point, and only then reaches the sites that users want to visit. Without any encryption of communications between users and the access point, it's a simple task for a cybercriminal to intercept all the data a user enters. That might include data sent to a bank, or an online store. 

MITM attacks aren’t the only threat though. The Lifestore blog laid out the ways a hotspot hacker can hurt consumers, including sniffer software, which allows a hacker to monitor the traffic traveling to and from a computer that's connected to a public network, and Address Resolution Protocol (ARP) spoofing, which redirects the network traffic through the hacker's machine, where it can be modified or blocked altogether without being detected.

Session hijacking, meanwhile, happens when a hacker sniffs a hotspot user's web session. That information is used to clone the user's account, allowing the hacker to do anything the user can do while logged into a website. Evil Twin attacks use a fake access point that is designed to look like a real hotspot. But when users log in to them, they unknowingly expose their passwords and other sensitive information to hackers.

Rogue ad hoc networks, which usually have names like Free Public WiFi, can turn up wherever there are public WiFi hotspots and can be used to trick unsuspecting users into connecting to them. “Not all ad hoc networks are created by hackers,” Lifestore noted. “But it's impossible to distinguish the real ones from the fakes. So to be safe, you should steer clear of them all.”

Critically, most users assume that if a hotspot is password-protected, then they are working securely. But MITM attacks are possible even if the hotspot is password-protected and a secure https-connection between the required site and the user's browser is established.

So how do users protect themselves? Use a trusted VPN service. How does a VPN protect me?


High Desert Technology has you covered with OURPRIVACY.ORG. Get protected today using our VPN service!!

WordPress - Why it is important to update/patch on a regular basis

The issue of hacked WordPress sites continues to persist, as evidenced by one victimized URL being used to host links to thousands if not millions or billions of shady pharmaceutical sites without the knowledge of the owners.

Security firm Blue Coat recently discovered that the storm.ca site, which belongs to a Canadian internet services company, was being used to host links to more than ten thousand pages of scam sites. After reporting the issue to the storm.ca team, the company quickly addressed the hack and shared some of the details behind it as an object lesson for others.

The sheer scale of the issue is notable: Blue Coat Malware Lab architect Chris Larsen determined that the number of pages that the site was hosting in the background was somewhere between ten thousand and ten billion. “Dozens of pages I tested between 1 and 10001 resolved, but page 9999999999 did not,” he explained in a blog.

The issue is that these kinds of hacks are all too common, given the penetration of WordPress as a content management system. “Even a well-run site can fall victim to hacks focusing on WordPress, which seems to have a lot of weak links -- at least, judging by the amount of compromised sites we see in our logs each day,” Larsen said.

In this case, the intrusion took place when someone uploaded a PHP file manager script via a hole in the "wp_mailinglist" plugin. From there, the attackers could upload anywhere the "nobody" user was allowed to write.

“This way, the attackers didn't need to literally load 10,000 or more junk pages onto the server -- that's the sort of thing that gets noticed!” Larsen said. “They could simply generate the pages as needed.”

The pages redirected visitors to pages for presumably bogus online pharmacies, which typically offer drugs like Viagra without a prescription.

Pharmacy scams – which, ironically, often feature “discount” prescriptions from Canadian online drug stores – typically attempt to separate desperate consumers from their money on a number of different fronts. Most offers selling medicines or drugs are designed to steal credit card details or to download damaging files (like spyware and key-loggers) onto a computer. Some just take the money and don’t deliver the goods. And in some cases, product is delivered but isn’t the real thing. In some cases, the medicines or other products may even damage the victim’s health.

As a guide for other sites, the storm.ca team shared its remediation (and on-going maintenance) steps: it removed or disabled unused plugins, and modified its Apache configuration to not allow the PHP engine to run on any files within the wp-content/uploads tree, so even if someone can upload arbitrary files in there, they won't be easily executable.

The team also disallowed write permissions on the wp-content tree, and turned off allow_url_fopen and allow_url_include in php.ini. “It's convenient to allow WordPress to be able to self-update plugins, but not at the cost of having the whole directory tree forced to be writable by the server,” Larsen noted.

And, the team recommended the common-sense step of upgrading WordPress and all plugins to their latest versions.
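The storm.ca hardening steps above, written out as an Apache configuration fragment. This is an added example for this page, not storm.ca's or Blue Coat's own configuration; it assumes WordPress is installed under /var/www/wordpress and that PHP runs as mod_php, which is what makes the php_admin_flag directives apply.

```apache
# Added example: Apache 2.4 + mod_php hardening matching the storm.ca remediation.
# Assumed document root: /var/www/wordpress (adjust to the real install path).

# 1. Never execute PHP from the uploads tree, even if an attacker manages to
#    drop a .php file there (the path used in the storm.ca intrusion).
<Directory "/var/www/wordpress/wp-content/uploads">
    # Turn the PHP engine off for this tree (mod_php only; cannot be
    # re-enabled from .htaccess or ini_set() because it is an admin flag).
    php_admin_flag engine off

    # Belt and braces: refuse to serve anything that looks like PHP at all,
    # so an alternate extension does not slip past the engine switch.
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>

    # Uploads are static media: no directory listings, no CGI, and no
    # per-directory .htaccess overrides that an uploaded file could supply.
    Options -Indexes -ExecCGI
    AllowOverride None
</Directory>

# 2. Disable remote file access from PHP server-wide (equivalent to
#    allow_url_fopen = Off / allow_url_include = Off in php.ini), so a
#    file-manager script or vulnerable plugin cannot pull code from a URL.
php_admin_flag allow_url_fopen off
php_admin_flag allow_url_include off
```

The write-permission step is a file-system change rather than Apache config: make wp-content owned by a deployment account instead of the web-server user (storm.ca's "nobody"), so the server can read but not write it, and re-enable writes only briefly for updates.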

Site operators should take note. Pharmacy scams are tried and true, Larsen pointed out: Blue Coat’s first internal blog post more than five years ago dealt with a hacked website (belonging to the government of Ghana) which was hosting links to, among other things, pharmaceutical sites. “However, the good old Viagra-SEP networks haven't gone away,” Larsen said.

Law Enforcement using Malware to SPY via Webcam


The Federal Bureau of Investigation, or FBI, controls a computer team, which uses malware to keep tabs on suspects, and has the ability to secretly turn on a webcam, according to a report about the agency’s search of a man called “Mo,” who is said to have used different forms of Internet communication to issue bomb threats across the United States last year.

Court documents showed that Mo, allegedly an Iranian, used to communicate through e-mail, video chat and Internet-based phone services without revealing his true identity, and was adept at covering his tracks. To zero in on such suspects, the FBI decided to call on its hackers to put together a piece of malware that was then delivered to Mo’s Yahoo e-mail account. The goal was to obtain information about Mo’s Internet usage and help investigators find his location, the Washington Post reported.

“We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told the Post. “Judges are having to make up these powers as they go along.”

According to the Post, the most common delivery mechanism is a simple phishing attack. When the suspect hits a link sent to his inbox by the FBI, it connects to a computer at the agency’s offices in Quantico, Va., and downloads the malicious software that allows the authorities to spy on the suspect through his webcam even without its indicator light turning on.

In Mo’s case, however, the FBI-backed hackers could not turn up much about him. Mo did click on the link that was sent to him, but the tool malfunctioned and “never actually executed as designed.” The only key information that the investigators managed to obtain was that Mo appeared to be in Tehran.

Meanwhile, as the Post noted, such types of online surveillance have pushed the boundaries of the constitutional limits on searches and seizures. According to the report, critics compare it to a physical search that seizes the entire contents of a home, rather than just those items that could be linked to a particular crime.

“You can’t just go on a fishing expedition,” Laura K. Donohue, a Georgetown University law professor who reviewed the court ruling on FBI surveillance software in Mo’s case, told the Post. “There needs to be a nexus between the crime being alleged and the material to be seized. What they are doing here, though, is collecting everything.”

While a federal magistrate in Denver approved sending the malware to Mo’s computer last year, another federal magistrate in Houston rejected an FBI plan in April to send surveillance software to a suspect in a different case, on grounds that it was “extremely intrusive” and could violate the Fourth Amendment.


The Next Question is..Will anti-malware software discover and remove LAW ENFORCEMENT sponsored malware?


Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. (We know that antivirus companies have previously done this for corporate malware.)

My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency. My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies. So while the NSA could certainly pressure McAfee or Symantec -- both Silicon Valley companies -- to ignore NSA malware, it could not similarly pressure Kaspersky Labs (Russian), F-Secure (Finnish), or AVAST (Czech). And the governments of Russia, Finland, and the Czech Republic will have comparable problems.

Even so, I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so. Original post by Bruce Schneier @ https://www.schneier.com/blog/archives/2013/12/how_antivirus_c.html

Up until this moment, only a handful of the vendors have replied: ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed that they detect state-sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware, and if any government asked them to do so in the future, they said they would not comply. All the aforementioned companies believe there is no such thing as harmless malware.


90,000 Patients Data Compromised


The University of Washington Medical Center (UW Medicine) was breached in October, with data of up to 90,000 patients of the Harborview Medical Center and University of Washington Medical Center affected. No medical data was stolen, but SSNs may have been lost.

UW Medicine announced last week that up to 90,000 patients may have had personal data stolen. It stressed that health data was not involved. "Based on the results of an internal investigation, it is believed that patient information was not sought or targeted. However, the malware accessed the data files of roughly 90,000 Harborview Medical Center and University of Washington Medical Center patients."

Nevertheless, what was stolen is rich pickings for identity thieves: "name, medical record number, other demographics (which may include address, phone number), dates of service, charge amounts for services received at UW Medicine, Social Security Number or HIC (Medicare) number, date of birth."

The attack occurred in early October (2 October according to the Seattle Times) when an employee opened an email with a malicious attachment. "The malware took control of the computer, which had patient data stored on it. UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity."

UW Medicine has referred the matter to the FBI (although it doesn't say when it did so). It began mailing the affected patients last week, and notes that "patients may be contacted by the FBI as part of its investigation." On the basis of this announcement, it has taken around eight weeks from learning of the breach to notifying patients – and it made the notification on the eve of Thanksgiving, one of America's most important holidays.

King 5 News reports on the reaction of one patient to the UW mailing. "The delay in letting us know is appalling; if it happened October 2nd, why are we just being notified the day after Thanksgiving?" Patricia Shiras said. The letter indicates that social security numbers and financial information were not compromised. The website, however, specifically includes SSNs. “I think my social security number and financial information are compromised and they're trying to cover it up,” said Shiras.

Komo News also quotes an unhappy patient. Susan Phillips, whose last contact with the hospital was in 2008, received one of the letters. "I opened it up and I read this and I just got furious," she said. "I don't have a word for it right now... Waiting until the day before Thanksgiving to do a bulk mailing?"

According to the Seattle Times, UW Medicine spokeswoman Tina Mankowski said it had taken more than a month "to analyze the activity and figure out which patients are most at risk of identity theft." She also said that it is "UW policy that if more than 500 accounts are compromised in an identity-theft attempt, the UW reports the incident to the media."

Are SMART TV's Watching You?

Is your internet-connected TV sending your viewing habits to the manufacturer? The post below illustrates just that. Not only are the channels you’re watching being sent, but the filenames on any external media (USB stick) are also sent. The findings below pertain to an LG SMART TV. The illustration below shows the preference screen.


After some investigation, a rather creepy corporate video advertising their data collection practices to potential advertisers was found. It's quite long but a sample of their claims are as follows:

LG Smart Ad analyses users' favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
Furthermore, LG Smart Ad offers useful and various advertising performance reports that live broadcasting ads cannot, to accurately identify actual advertising effectiveness.

In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default.  This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does.


It turns out that viewing information appears to be sent regardless of whether this option is set to On or Off. A unique device ID is transmitted along with the channel name, for example "BBC NEWS". This information appears to be sent unencrypted and in the clear to LG every time you change the channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off. Not only is the channel you're watching sent to LG, but the filenames of any files stored on an external USB device are sent as well. While it is understood why LG wants to display ads and gather "viewer watching data", it is hard to understand why LG wants to know what is on your USB media.


Original research and more information is found @ http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

Police Agency hit with CRYPTOLOCKER virus

One of the most-dreaded computer infections out there is ransomware, which locks up one’s system and renders files unusable until a set amount is paid to the hackers responsible for it. In other words, it amounts to little more than extortion, and law enforcement generally recommends that infected users simply bite the bullet and move on rather than pay the ransom. On Nov. 10, the Swansea, Mass., police department decided to eschew best practices, ponying up a significant payment to criminals.


Recently afflicted with the notorious CryptoLocker ransomware, the department paid two Bitcoins to liberate its files, which was the equivalent that day of $750.

Swansea Police Lt. Gregory Ryan told the local Fall River Herald Tribune that no files were compromised and that the police report/booking software was unaffected by the attack. However, the lack of cyber-education was clear in his other comments: “It was an education for those who had to deal with it,” he said. “[The virus] is so complicated and successful that you have to buy these Bitcoins, which we had never heard of.”

The Swansea Police Department was hit on Nov. 6; and it bought the key and decrypted the files on Nov. 10. Since then it has improved its anti-virus protection, but Ryan noted that he believes “there is no foolproof way to lock your system down.”

CryptoLocker differs from earlier types of ransomware, which could be cleaned off of machines fairly easily by professionals, so that files could be recovered. This virus offers essentially no remediation path without time-consuming and painstaking efforts. Ingeniously, it uses a public key to encrypt a variety of file types such as images, documents and spreadsheets, on all drives and in all folders it can access from the compromised computer.

The malware then offers to trade money for a private, machine-specific key to unlock the encrypted files. A pay page with a countdown clock pops up, giving victims a limited time to buy back the private key for the data.

The two-Bitcoin ransom seems to be the norm for the malware; Bitcoin, as an online currency, has a fluctuating valuation, and last month two Bitcoins were worth half of what they are this week. But regardless of the amount, if it is left unpaid the criminals will destroy the private key after the time specified, meaning that it’s lost forever and that the files cannot be recovered through typical computer software techniques.

On the other hand, there’s no guarantee that the perpetrators would honor the payment in any event. Though in Swansea PD’s case, they did.

CryptoLocker is spreading rapidly, and was recently reported to be hitting millions in the UK via a spam vector. Closer to home, Matt Fernandes, owner of the Somerset, Mass.-based computer shop WaveOne Technologies, told the Herald News that he’s seeing five to 10 customers come in per week with the infection. He called the virus the “worst I’ve ever seen.”


Here is our story dealing with a local business that was infected.


We're making TOO MUCH CASH, say CryptoLocker scum in ransom price cut. 11/25/13
