Category Archives: Internet

NSA-Themed Ransomware

Any time something catches the attention of huge numbers of Internet users, there’s a possibility that nefarious persons will try to make money from it. A famous actor has their phone hacked, a celebrity dies, or a whistleblower exposes the extent of NSA snooping, and the spam in your inbox suddenly has a new flavour… or worse.

Zscaler and other security researchers are reporting an increase in ransomware threats that are built on recent revelations of the NSA’s activities.

Ransomware works like this: you visit a web site that has been compromised and is serving malicious code. The code infects your computer, after which it becomes impossible to use your computer. Instead you see a full-page threat from what appears to be the NSA, claiming that you have participated in unlawful activities (usually downloading copyrighted materials). You are told that you can pay up or face legal action.

If this happens to you, do not follow any of the instructions shown by the ransomware. Hire a professional to remove the malware or reinstall your operating system.

How to tell that a warning is fake and is really ransomware:

  • No legitimate agency would use this tactic (at least not yet).
  • Awkward language and spelling mistakes in the warning.
  • Payment methods use third-party services.

Techdirt has additional details.

Internet speed tests

I’ve tried a lot of different broadband speed tests. Up until the last year or two, they usually agreed fairly closely when measuring my connection. Recently, the reported speeds have been much more diverse.

Why do the results vary so much? Is there a truly accurate test out there?

It turns out that most of the speed tests offered by Internet Service Providers (ISPs) are actually using the same Flash-based test, provided by a company called Ookla. I’ve read that Flash-based tests are all currently unreliable due to technical limitations in the current versions of Flash. Here’s an excerpt from the TestMy.net web site:

There is buffering between the application and the browser and throughput bursting due to CPU usage. Flash based tests need to make adjustments for this… rough estimate adjustments of up to 40 percent. How can the test be accurate if it’s being adjusted by 30-40% to offset an unknown variable.

Emphasizing this problem with Flash-based tests is my recent experience with very slow speeds from my provider, Shaw. Shaw’s own test showed results that match exactly what I’m paying for: 25 Mbps down; 2.5 Mbps up. This made no sense, since even basic web surfing was painfully slow. I reported the problem; Shaw eventually found the cause and fixed it. Everything went back to normal: web surfing was extremely fast again. But what did Shaw’s Flash-based test show? The same results as when speeds were clearly slow.

So I started looking specifically for non-Flash tests. I’ve found two HTML5-based tests that seem to be much more reliable and accurate than the Flash-based tests: SpeedOf.Me and TestMy.net. Both of these tests avoid the problems inherent in Flash-based tests. Both also offer additional features, such as comparisons with previous tests and other test results in your region and from your ISP, and graphs that show previous test results.

But my overall favourite is SpeedOf.Me, because it comes closest to showing the actual speeds I’m experiencing at any given time.

Here’s a list of the speed tests I’ve looked at:

The perils of saving passwords in your web browser

Web browsers want to make your life easier, which is why they all offer to store web site userids and passwords. But if you thought this was a safe way to store passwords, you’d be wrong. Still, some browsers handle this better than others.

Lock Your Computer

First of all, regardless of which web browser you use, if a person has access to your computer while you are logged in, and you allow your browser to store passwords, you should assume that the person now knows all your web site passwords. Simple techniques can be used to trick any web browser into displaying otherwise obfuscated (e.g. ‘*****’) passwords as plain text. This is yet another reason – as if you needed one – to always lock your computer when you walk away from it. Most operating systems have a setting that locks your computer for you after a period of inactivity. This is the only way to be at all secure; access to your logged-in computer potentially gives intruders access not only to your passwords, but also to all of your documents.

Password saving features in web browsers

Given the above, does it even make sense to worry about how your web browser handles saved passwords? There are arguments for both points of view. From my perspective, security should be layered: getting past one security hurdle shouldn’t open up everything. So if you allow your browser to save passwords, you should consider using the browser’s settings to secure those passwords. The four browsers I use handle passwords with varying degrees of security:

  • Firefox: Prompts to store passwords. By default, shows your saved passwords to anyone who looks in the settings. You can set up a master password to control access to the stored passwords; you will be prompted for the master password once per session, and when you try to show your passwords.
  • Opera: Prompts to store passwords. Doesn’t show passwords anywhere. You can set up a master password to control access to the stored passwords, which you will be prompted for once per session and at set intervals.
  • Internet Explorer: Prompts to store passwords. Doesn’t show passwords anywhere. No master password.
  • Google Chrome: Prompts to store passwords. Shows passwords to anyone who looks in the settings. No master password.

Google Chrome stands out in this list, since it both shows your passwords, and has no master password feature. Elliot Kember recently wrote about this, describing Chrome’s password handling as ‘insane’. I’m not sure I would go that far, but Chrome clearly needs a master password feature.

I’d like to see all web browsers show a prominent warning to any user who uses a password saving feature: “WARNING: saved passwords can be retrieved extremely/relatively easily. Always lock your computer when you leave it unattended.”

Update 2013Aug11: Here’s Google’s response.

Update 2013Aug25: Tim Berners-Lee (the person who invented the World Wide Web) weighs in. tl;dr – he agrees that Chrome should at least have a master password.

Web advertising networks: the next malware attack vector?

Researchers speaking recently at the Black Hat Briefings in Las Vegas showed that the JavaScript used by most advertising networks could be compromised by a malicious third party. The malicious code could then run in any web browser configured to allow advertising.

Hold on. Wouldn’t the people responsible for the advertising networks and the associated JavaScript notice the problem and fix it? Possibly. But not always. If you’re like me, you’ve seen more than a few messed up web ads. A seriously broken web ad can prevent a web page from displaying properly or cause it to load very slowly. It’s one of the many reasons why people use script blocking technology like NoScript.

It’s difficult to predict whether malware purveyors will start using the ad networks like this. But if they do, you can bet we’ll see a surge in script and ad-blocking software installations. Since advertising is the primary source of revenue on the web, this will get the attention of the advertisers, who would hopefully then institute better quality control.

The back-room wrangling that dictates your online experience

Okay, so this isn’t exactly news, in the sense of being new. But it is interesting. And it most definitely does matter, to anyone who uses the Internet.

If you’ve ever wondered why YouTube videos are suddenly buffering, or why that download is taking so long, you probably assumed that the server was overloaded, or your Internet provider was having infrastructure issues. But there may be a deeper cause.

A handful of organizations – mostly commercial in nature – provide the backbone of the Internet: the network hardware that makes up the core of the net. Since the Internet’s inception, these organizations have engaged in negotiations about how they move data amongst themselves. When the commercial web got off the ground, these negotiations began to involve large amounts of money. As with all negotiations, all parties try to get what they want for the least amount of effort and expense. The difference is that in these negotiations, when one party is unhappy with the results, they can make their feelings known by downgrading the service they provide.

All of these negotiations happen without much fanfare, and the fights ebb and flow according to changing technology and the rise and fall of the fortunes of individual companies. The net effect for Internet consumers is inexplicable changes in Internet speeds.

Ars Technica has a terrific overview of this process and its ramifications. It’s a long read, but well worthwhile. Maybe you can read it while you’re waiting for that YouTube video to finish buffering…