Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Adobe, Patches and updates, Shockwave

Adobe Shockwave 12.2.5.195

Leave a comment

At some point in the last couple of months, Adobe produced a new version of Shockwave: 12.2.5.195. There may have been an announcement, but I didn’t see it.

There’s no mention of the new version on the Shockwave 12 release notes page, so it’s difficult to know what changed. It would be handy to know whether Shockwave 12.2.5.195 includes any security fixes.

Meanwhile, the main Shockwave download page serves up version 12.2.5.195, and the Shockwave checker definitely detects earlier versions and recommends installing version 12.2.5.195.

So Adobe is just being lazy with version announcements, release notes, and other web-based resources. Thanks for nothing, Adobe.

Patches and updates, Vivaldi

Another poorly-documented update for Vivaldi

Leave a comment

Another new release of Vivaldi appeared earlier this week, with no announcement or anything resembling release notes on the Vivaldi web site. The announcement blog is full of details on developer snapshots, which are of no interest to regular folks.

As with the previous release, I only became aware of the new version when I ran Vivaldi and an update dialog appeared. According to that dialog, the only change in Vivaldi 1.4.589.38 is a new version of the Chromium engine.

Hardware, Internet crime, Mac, Malware, Mobile, Security, Windows

Infosec highlights – October 5, 2016

Leave a comment

Cryptocurrency-mining malware known as Mal/Miner-C is targeting specific Seagate Central Network Attached Storage (NAS) devices. The malware locates the devices when they’re exposed to the Internet and installs a special file in a public folder. Unwary users try to open the file, which installs the malware on their Windows computer. Once installed, the malware uses available resources to mine the Monero cryptocurrency. There are about 7000 of these devices globally.

It’s standard practice to tell users to lock their computers when they walk away from their desks. A locked computer presents an obstacle to anyone with physical access who’s interested in poking around or stealing data. But in reality, once someone has physical access to a computer, there are ways to gain full access, even when that computer is locked. Now there’s a new technique that simplifies this task. A specially set up thumb drive is inserted in the target computer (Mac or PC), and 20 seconds later, the intruder has valid login credentials in their hands.

Two Factor Authentication (2FA or MFA) is an increasingly-common way to bolster your security when using Internet-based services and web sites. It adds a second step to the login process, which usually involves entering a special code. Many sites and services that offer 2FA send codes to your registered cell phone via SMS text messages. Unfortunately, that specific method (codes via SMS) can be co-opted by attackers who already have your password (which is increasingly likely with all the recent breaches). If you’re using SMS text for 2FA, you should look into more secure methods. Google Authenticator generates temporary, time-limited codes using an app on your smartphone. Duo Security has an app that receives special ‘push’ messages from the site you’re trying to access, and all you have to do is click a button on your cell phone to get in.

Bruce Schneier wants everyone to stop blaming the user for security problems and create systems that are more inherently secure. As things are today, the user gets most of the blame when something goes wrong. Clearly, using weak passwords, re-using passwords, and generally being vulnerable to phishing and other manipulation point to the user as the weak link. But Schneier thinks pointing at the user isn’t helpful, especially when that link is unlikely to ever change. Instead, he wants to limit the involvement of the user; to create fewer security pitfalls. He points to current efforts along those lines, including automatic security updates, and virtualization. Which are both great ideas, as long as us techie folks have a way to bypass those things.

Hardware, Internet crime, IoT, Linux, Security, Things that are bad

Confirmed: record-breaking DDoS attacks using IoT devices

2 Comments

Another week, another huge DDoS attack, this time against French web hosting provider OVH.

Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.

Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.

Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.

What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.

Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping unsecure-by-default devices, we’re going to keep seeing these huge attacks.

Microsoft, Patches and updates, Windows 10, Windows 7, Windows 8.x

Windows 10 upgrade nagging removed from Windows 7 & 8.x

Leave a comment

Now that Microsoft’s offer of free Windows 10 upgrades for Windows 7 and 8.x users is over, it makes sense that we should stop seeing those annoying reminders everywhere. Sure enough, an update for Windows 7 and 8.x became available last Patch Tuesday (September 13) that removes the ‘Get Windows 10’ feature. The update is identified as KB3184143, and has the (surprisingly meaningful) title “Remove software related to the Windows 10 free upgrade offer”.

If you’ve been using the third-party software GWX Control Panel to keep those annoying Windows 10 upgrade messages away, and you’ve installed KB3184143 on your Windows 7/8.x system, you might be tempted to remove GWX Control Panel. Unfortunately, there’s no reason to assume that Microsoft won’t re-enable the ‘Get Windows 10’ feature again in the future. I plan to leave it running on my Windows 7 and 8.x computers.

Of course, knowing Microsoft, if they decide to start pushing Windows 10 on us again, they’ll probably develop something completely new, in which case GWX Control Panel probably won’t help.

Ars Technica has more.

In related news, at least one consumer group is calling for Microsoft to offer compensation to users and organizations that were harmed by unwanted Windows 10 upgrades.

Internet crime, Things that are bad

Brian Krebs site dumped by Akamai due to massive DDoS attack

Leave a comment

In what can only be viewed as a victory for the attackers, content delivery provider Akamai has dropped Brian Krebs’ web site krebsonsecurity.com in the midst of a record-breaking DDoS attack against the site.

Krebs and his site have been the target of DDoS, SWATting, and other attacks in the past, in response to his reporting on various illegal activities – and the people behind them. But this most recent attack, which began on Tuesday, is the largest in history.

Akamai provides services that limit the effectiveness of DDoS attacks. According to Krebs, Akamai was providing their services for krebsonsecurity.com at no charge. He doesn’t fault Akamai for dropping his site, but their doing so raises some interesting possibilities.

The most likely explanation is that Akamai could no longer justify providing their services to Krebs for free; dealing with such a large attack would have involved a lot of time and effort. Akamai may have offered to keep supporting krebsonsecurity.com, but at their normal price. Those prices are typically only paid by large corporate clients, and Krebs probably just can’t afford them.

As a result of all this, krebsonsecurity.com is offline, and likely to stay that way until the attackers lose interest. Once the attacks subside, I’m sure the site will return.

Although Krebs doesn’t blame Akamai for dropping him, it’s hard to see how Akamai can come out of this without their reputation being harmed. There will always be questions about exactly what happened. Was Akamai actually overwhelmed? I’m sure Akamai’s competitors will be looking at picking Krebs up as a client.

And finally, this is a clear win for the attackers. They now know that they can take down even high profile web sites, although perhaps not those owned by companies with very deep pockets.

Ars Technica has more, including speculation that the attacks involved hacked ‘Internet of Things’ devices.

Updates 2016Sep25: krebsonsecurity.com is back up, thanks to Project Shield, a free program run by Google to help protect journalists from online censorship. It will be interesting to see how well this service protects Krebs’ web site from inevitable, future attacks. And how will Akamai spin this?

Meanwhile, Krebs also thinks that poorly-secured ‘Internet of Things’ devices made the record-breaking size of this attack possible. And despite the site only being down for a few days, he feels that this kind of attack is a new form of censorship, referring to the effect as ‘The Democratization of Censorship‘.