Category Archives: Internet

A depressing look at the future of the Internet

If you’re feeling strong, Ars Technica has a report on the possible futures of the Internet. Tl;dr (aka ‘executive summary’): it’s not looking good; the scenario with the highest probability is this one:

The Internet becomes just like every physical domain of human existence: turf to fight over. Crime, espionage, embargoes, and full-blown nation-on-nation conflicts extend into the Internet.

Bleak.

Reporting hack attempts, phishing and spam

Over the years, I’ve tried to be a good Internet citizen and report abuse (hack attempts, spam, etc.). This can be a daunting task, and the results are often less than satisfactory. For most people, the time wasted on spotting and deleting spam is bad enough; the extra work of reporting spam can seem like a tedious chore.

Reporting abuse can produce wildly varying results. Here are a few examples from my own recent experience:

BT Italy

Over the past couple of months, one of the WordPress sites I manage has seen a steady stream of ‘admin’ login attempts from computers in Italy, most of which connect to the Internet via the ISPs albacom.net and fastweb.it. Literally thousands of different albacom.net and fastweb.it IP addresses were being used in the attacks.

Since the majority of these login attempts were from albacom.net, I initially focused on Albacom. I discovered that most of the devices at the other end of these attacks were Aethra BG1242W ISDN modem/routers. These appear to be the standard modem/router provided by Albacom to their customers. I was horrified to find that I could log into these devices via their web interface. Clearly Albacom’s dedication to security is severely lacking. Of course it’s difficult to know for sure whether the attacks were coming directly from these (presumably hacked) routers, or from (also presumably hacked) computers connected to them.

Apparently, British Telecom (BT Italy) is in the process of acquiring Albacom. This is undoubtedly creating some confusion there, but that’s really no excuse for any of this.

I tried various methods for reporting this to Albacom:

  • sent email to the abuse address on record for albacom.net, but every attempt bounced, saying that the user’s mailbox was full;
  • sent email to the technical contact on record for albacom.net, but this was ignored;
  • tweeted about the problem on the main BT Twitter account, but my tweets were immediately deleted.

This is a terrific example of how not to handle abuse reports. I don’t know what’s going on with BT Italy, but clearly they are having serious issues.

I also reported this on the Wordfence support forum, to see if anyone else might be seeing this problem. Wordfence is an excellent WordPress security plugin, and it was Wordfence that was detecting (and blocking) these login attempts. Sure enough, several other people reported seeing this problem on their sites.

A few weeks later, the login attempts from Italy stopped – for my own site and for others. Then they started up again for some sites, but luckily not for mine.
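As an added example (not from the original post, and not Wordfence’s code), this Python script reads constructed Apache-style access log lines and flags the pattern described above: many different source addresses each making only a handful of failed admin login attempts, which a per-IP lockout never trips on. It assumes the usual WordPress behaviour that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful one answers 302, and it uses the /24 prefix as a rough stand-in for ‘same ISP’ because reverse DNS needs network access.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines (not real traffic); TEST-NET addresses only.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2015:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client IP, request method, request path, HTTP status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def failed_logins(lines):
    """Count failed wp-login.php POSTs per source IP (POST + 200 = form re-shown,
    i.e. wrong credentials; POST + 302 = redirect to the dashboard, i.e. success)."""
    failures = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failures[ip] += 1
    return failures

def assess(failures, min_sources=20):
    """Summarise the failure table and flag a distributed campaign: many IPs with
    few attempts each. Grouping by /24 is an assumption standing in for 'same ISP'."""
    prefixes = Counter()
    for ip, n in failures.items():
        prefixes[ip.rsplit(".", 1)[0]] += n
    return {
        "distinct_ips": len(failures),
        "total_failures": sum(failures.values()),
        "max_per_ip": max(failures.values(), default=0),
        "top_prefixes": prefixes.most_common(3),
        "distributed": len(failures) >= min_sources,
    }

if __name__ == "__main__":
    print(assess(failed_logins(SAMPLE_LOG.splitlines()), min_sources=3))
```

On a real site, feed it the access log and raise min_sources to a value that reflects normal traffic; the interesting signal is a low max_per_ip paired with a high distinct_ips concentrated in a few prefixes.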

SpamCop

I recently signed up at SpamCop.net and started submitting the numerous spam messages I receive daily for one particular address. SpamCop’s submission process analyzes submitted email and makes recommendations about where to report it. Note: you must configure your email client so that you can see the entire message source, including all headers, for this to work.

The submission process is well explained at each stage, and provides useful warnings to the submitter about making sure that the submission is actually spam, and so on. A lot of technical information is displayed with the analysis, but much of that can be hidden if you prefer to concentrate on the basics.

SpamCop uses spam submissions to create a block list, which is used in conjunction with similar lists from other sources, by ISPs and other mail providers, to help filter out spam before it reaches user inboxes.

If you’re willing to put in the effort, I highly recommend signing up.
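To show why the full message source with all headers matters, here is an added Python example (my own, not SpamCop’s code) that walks the Received chain of a constructed message from the newest hop downward and picks the IP that handed the mail to the first server you control; everything below that hop can be forged by the sender. The hostnames, addresses and the trusted-host set are assumptions.

```python
import re
import email

# Constructed message (not a real capture); TEST-NET addresses only.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
 by mail.example.net with ESMTP id abc123
 for <victim@example.net>; Thu, 12 Mar 2015 10:00:05 +0000
Received: from relay.example.org (unknown [198.51.100.23])
 by mx1.example.net with ESMTP id def456;
 Thu, 12 Mar 2015 10:00:03 +0000
Received: from forged.example.com ([10.0.0.5])
 by relay.example.org with SMTP; Thu, 12 Mar 2015 10:00:01 +0000
From: "Helpdesk" <helpdesk@example.com>
To: victim@example.net
Subject: Your mailbox is full

Your mailbox is full, please click the link.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw_message):
    # Received headers appear newest first: index 0 was written by the last server.
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        from_m = re.search(r"\bfrom\s+(\S+)", value)
        by_m = re.search(r"\bby\s+(\S+)", value)
        ips = IP_RE.findall(value)
        hops.append({
            "from_host": from_m.group(1) if from_m else None,
            "by": by_m.group(1).rstrip(";,") if by_m else None,
            "from_ip": ips[0] if ips else None,
        })
    return hops

def likely_origin(hops, trusted_hosts):
    # Only headers written by our own servers are reliable; the first of them
    # that records a hand-off from an outside host names the reportable IP.
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            return None  # chain reached a header we cannot vouch for
        if hop["from_host"] not in trusted_hosts:
            return hop["from_ip"]
    return None

if __name__ == "__main__":
    print(likely_origin(received_hops(SAMPLE_MESSAGE), {"mail.example.net", "mx1.example.net"}))
```

The 10.0.0.5 hop in the sample is exactly the kind of header a spammer adds to shift blame, which is why the walk stops at the first hand-off into your own infrastructure.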

Moonfruit

A few days ago, I received this (admittedly very lame) phishing attempt in my inbox:

Your mailbox is full of, 00.1 GB, Please reduce your mailbox size.
Delete any items you don't need from your mailbox and expand your
email quota (size) with the below web links: CLICK HERE
http://REMOVED.moonfruit.com/
Thank you for your understanding.
©2015 Helpdesk

I went to the site in question (with NoScript enabled and blocking all scripts) and confirmed that this was indeed an attempt to con me into entering private information into a form.

A bit of searching revealed that Moonfruit is a web-based service that allows clients to set up web sites with minimal effort. It’s a totally legitimate company. Customer web sites hosted by Moonfruit have URLs like this: whatever.moonfruit.com. Whoever set up the phishing site just happened to use Moonfruit as the host.

So I decided to try reporting this to Moonfruit support. I easily found the contact page on their web site and submitted a general query about the phishing attempt, including the text of the email. I wasn’t sure this would amount to anything, especially since I’m not a Moonfruit customer. I immediately received a confirmation of my submission, and was then delighted to receive the following response from Moonfruit, within an hour of my submission:

Thanks for bringing this to our attention.
We have closed the site and the associated accounts, and banned the user.

Now THAT’S how you deal with abuse reports. Nice work, Moonfruit!

Superfish/Komodia update

News about the recent Lenovo/Superfish/Komodia security issue keeps getting worse.

The Komodia software at the core of Superfish is even more of a security concern than was originally thought. Not only is its root certificate’s password trivially easy to crack, and common to all Superfish installs, it engages in some certificate validation trickery by which invalid certificates are simply deemed valid – without any warning to the user. Worse still, Komodia hides itself using rootkit techniques normally associated with the worst kinds of malware.

To top off this tale of ever-increasing woe, Komodia has been discovered in at least twelve more applications, including some that are supposed to make users more secure, like Comodo’s PrivDog and Lavasoft’s Ad-Aware Web Companion.

The companies involved in this mess are still scrambling. Lenovo has apologized for their actions, and has published Superfish removal instructions. Superfish is still denying there’s a problem. Komodia’s web site is offline, supposedly because of a DDoS attack, but that may be a smokescreen. Lavasoft has provided information about its use of Komodia, and will be issuing an update for Web Companion that will remove Komodia.

Stay tuned; this is likely to get much worse before it gets better.

Update 2015Feb27: The EFF has uncovered evidence showing that Superfish-related attacks have already occurred. Meanwhile, a hacker group briefly took over a Lenovo domain, causing corporate email to be misdirected. This was apparently done in the spirit of revenge against Lenovo for its actions in relation to Superfish.

Update 2015Feb28: Lenovo is now fully in damage control mode. They just released a statement patting themselves on the back for handling this problem so well, and they are promising to include less crapware on future computers. I wonder how long that promise will last.

Update 2015Mar08: It looks like Lenovo hasn’t done nearly enough to resolve this issue. It’s still possible to buy a new Lenovo laptop with Superfish installed.

Google beefs up protection against unwanted software

A recent post on Google’s Online Security Blog describes security improvements to the Chrome browser, Google’s search engine, and Google’s advertising platform. The changes should make it easier for users to stay away from web sites known to contain unwanted (and presumed harmful) software.

Chrome now detects when you are about to visit a web site known to contain unwanted software, and displays a large red warning message.

Google’s search engine now decreases ranking for sites known to contain unwanted software. That means these kinds of sites should be less likely to appear in the first few pages of Google search results.

Google now checks all advertisements provided by its AdWords system, and disables any with links to sites with unwanted software. Additional details are available on Google’s Advertising Policies site. Google’s primary source of income is AdWords, so it’s comforting to see that they’re willing to take a financial hit (however small) to protect users.

Analysis shows people are using stronger passwords

A recent post on Ars Technica provides an interesting look at the strength of passwords.

People seem to be getting the message about using strong passwords, because the worst passwords are being used less frequently. For example, the notoriously bad password ‘123456’ was used in less than 1% of the sample data, down from 8.5% in previous studies.

But while these findings are encouraging, it’s important to recognize that the data is likely skewed, because it is mostly obtained from public dumps of data taken from compromised systems.

A warning to Lenovo PC users

PC manufacturer Lenovo has been shipping PCs with an extraordinarily nasty piece of adware called Superfish.

The basic concept is bad enough: Superfish watches your Internet activity and injects advertisements into web pages. But Superfish is much worse than that, since in the process of hijacking your web sessions, it opens your PC to ‘man in the middle’ attacks.

Lenovo has been downplaying the risks involved, while analysts continue to demonstrate just how bad this situation really is.

Affected models include:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

You can confirm that your computer is affected using the Superfish CA test (offline as of 2016Jan06).
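Since the CA test site is offline, here is an added Python check (my own example, not Lenovo’s or the test site’s code) that scans the OS trust store Python sees for roots whose subject or issuer mentions Superfish or Komodia, which is the root certificate the earlier Superfish/Komodia post describes. The keyword list and the sample entries are assumptions; on Windows, `ssl` reads the system ROOT and CA stores, where Superfish installed its certificate.

```python
import ssl

# Assumption: names worth flagging in a trust store after the Superfish news.
SUSPECT_KEYWORDS = ("superfish", "komodia")

def flatten_name(name):
    """Turn ssl's nested ((('commonName', 'x'),), ...) tuples into a flat dict."""
    return {attr: value for rdn in name for attr, value in rdn}

def suspicious_roots(cert_dicts, keywords=SUSPECT_KEYWORDS):
    """Return (commonName, organizationName) for every certificate whose subject
    or issuer contains one of the keywords, compared case-insensitively."""
    hits = []
    for cert in cert_dicts:
        subject = flatten_name(cert.get("subject", ()))
        issuer = flatten_name(cert.get("issuer", ()))
        haystack = " ".join(list(subject.values()) + list(issuer.values())).lower()
        if any(k in haystack for k in keywords):
            hits.append((subject.get("commonName"), subject.get("organizationName")))
    return hits

def scan_system_trust_store():
    """Load the platform trust store (Windows: ROOT and CA stores) and scan it."""
    ctx = ssl.create_default_context()
    return suspicious_roots(ctx.get_ca_certs())

# Constructed entries in the shape ssl.SSLContext.get_ca_certs() returns; the
# Superfish subject is illustrative, not copied from the real certificate.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),), (("organizationName", "Example CA Ltd"),),
                 (("commonName", "Example Root CA"),)),
     "issuer": ((("commonName", "Example Root CA"),),)},
    {"subject": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "issuer": ((("commonName", "Superfish, Inc."),),)},
]

if __name__ == "__main__":
    print("sample store:", suspicious_roots(SAMPLE_STORE))
    print("system store:", scan_system_trust_store())
```

An empty result from scan_system_trust_store() is not a clean bill of health on its own: Firefox keeps its own certificate store, so check that separately.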

Anyone who owns or uses one of these models should follow the Superfish removal instructions or ask their IT/support person to look into it.

Update 2015Feb21-1: Lenovo may be starting to recognize and admit their mistake. Meanwhile, Superfish (developers of the adware) remains defiant, and Komodia (who develop spyware that is apparently at the heart of this issue) is saying nothing at all.

Update 2015Feb21-2: Microsoft has added Superfish detection and automatic removal to Windows Defender.

Update 2015Feb21-3: Lenovo’s CTO is still in denial, saying the vulnerability is ‘theoretical’.

Update 2015Feb21-4: Ars Technica takes a closer look at the Komodia software and the risks related to the way it was used by Superfish.

Update 2015Feb21-5: Superfish (the company) has a history of annoying people with their intrusive technologies. That hasn’t stopped them from making a ton of money, however. The company’s CEO is insisting that they did nothing wrong, but doesn’t address the specific technical concerns.

Netgear routers vulnerable to attack

Several popular wireless routers made by Netgear are susceptible to attacks using a recently-discovered vulnerability in their firmware.

From the original report, posted by Peter Adkins on the Full Disclosure mailing list:

Platforms / Firmware confirmed affected:
----
NetGear WNDR3700v4 – V1.0.0.4SH
NetGear WNDR3700v4 – V1.0.1.52
NetGear WNR2200 – V1.0.1.88
NetGear WNR2500 – V1.0.0.24

Additional platforms believed to be affected:
----
NetGear WNDR3800
NetGear WNDRMAC
NetGear WPN824N
NetGear WNDR4700

Anyone using one of these routers should immediately confirm that its web interface is NOT enabled for access from the WAN/Internet. If possible, it should also be configured to restrict access to the admin interface to specific IP addresses on the LAN.

A CVE number has not yet been assigned to this vulnerability. Hopefully Netgear will release firmware updates to address this flaw in the near future.

SANS upgrades Infocon threat rating to yellow

SANS Internet Storm Centre has upgraded their Infocon threat rating from green to yellow, in response to the recent zero-day vulnerabilities in Flash. From the associated post:

“Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.”

The Infocon rating is displayed in the left sidebar of this web site.

Even the crappiest computer is worth hacking

If you’re like a lot of other typical users, you may believe that nothing on your computer makes it a worthwhile target for malicious hackers. You may even feel that this means you’re relatively safe from hackers. Think again.

To a malicious hacker, the Internet is a vast, mostly untapped ocean of computing resources, ready for them to compromise and put to work in numerous ways to help them and hurt you.

Brian Krebs created and posted the image below to remind people of all the ways their computers can be secretly used for nefarious purposes. Although the post is a couple of years old, it’s still relevant.

Hackers can use your computer for dozens of nefarious activities.

The problem with Tor

Tor is a collection of software that allows its users to access Internet-based resources anonymously. There are a lot of legitimate reasons why a person might want to remain anonymous on the ‘net. Unfortunately, Tor (as well as other proxy and anonymizing services) also allows unscrupulous persons to hide their illegal activities. A recent study shows that a large proportion of attacks against banking sites arrived via Tor.

As a result, major web sites are increasingly blocking access from Tor nodes, in the hope that this will reduce the overall amount of access by those seeking to do damage or obtain private information. The problem is that Tor users with no evil intent are then also prevented from using such sites.

The Tor developers are aware of this problem, and are trying to keep Tor relevant by cooperating with site owners to find ways to prevent improper access without blocking Tor completely.

So far there doesn’t appear to be a good, long-term solution to this problem. However, it may be useful to recognize that Tor is just a tool, and like all other tools, it can be used for good, evil, or anything in between. A better approach to security than wholesale blocking is to improve security on the host.