Category Archives: Security

Russian botnet master nabbed in Spain, extradited to US

This is a story that has been ongoing for some time. Pyotr Levashov, a well-known and well-established Russian cybercriminal who was arrested in April of last year (2017 if you’re reading this in the distant future – welcome alien overlords!) while vacationing in Spain, has finally been extradited to the U.S. Apparently cybercriminaling does pay well sometimes. The arrest was based on a formal U.S. Department of Justice indictment against him for, among other things, operating the Kelihos Botnet, a long-running, expansive, global botnet that bombarded the world with all kinds of spam for nonsense like get-rich-quick schemes and enhancement medications; if you’re interested, and you should be, you can read the DOJ press release about the indictment and the actual search warrant that allowed for their infiltration of the botnet.

Before we continue, let’s talk about what a botnet is. When malware, or bad software (get it? Mal ware?), is surreptitiously installed on your machine, either through a drive-by attack in which it’s embedded in a Flash ad, or you click on a link or file from a rogue email, or one of many other attack vectors, it will use your machine to carry out tasks without your permission, involvement, or even knowledge. And just to be sure, those tasks it’s carrying out are bad. It can use your machine to send spam, participate in DDoS attacks, store harmful or illegal files, and many other unethical / criminal activities, all without you ever being privy to what’s going on. When that happens, your machine is what’s known as a zombie computer, or more commonly, a bot. Now, imagine hundreds of thousands of these infected machines all acting in unison, for a common goal or under a central control authority. That’s a botnet. Here’s an effective graphic from Reuters that illustrates the architecture of a botnet.

Typical botnet architecture (Source: Reuters)

I wanted to embed an interactive map from Arbor Networks that shows real time attacks happening right now, and provides historical data, but their embed code which uses iframes doesn’t work on WordPress. I find it strange a security firm would still be supplying iframe embed codes, but who am I to judge? No matter; there are other sites that provide similar information using their own honeypot networks, such as Kaspersky’s real-time threat map and the well-known Norsecorp map. Actually, I had intended to use Norsecorp’s IPViking map, however it is now run under HP’s banner, although powered by Norse, and I simply couldn’t get it to work in any browser. Their map linked above works beautifully, though.

Kaspersky's Threat Map

Norsecorp's Threat Map

There are several interesting facets to this case: The first is, this guy has been around a long time and was one of the bad actors behind the Storm botnet that first manifested all the way back in 2007. That botnet was eventually dismantled by the combined efforts of Microsoft, malware firms, and the feds, a partnership and collaboration that continues to this day. We’ll come back to this particular botnet soon, because the architecture of these things is going to become important.

By soon, I mean right now! Another interesting aspect to this case is that the botnet was very sophisticated. It used a hybrid structure that is unusual for this kind of thing. Botnets are typically peer-to-peer, in which all the infected machines communicate with each other to coordinate and carry out their nefarious activities, or they use what’s known as a C&C, or Command and Control server, that oversees the whole thing and controls the botnet from a more centralized location, which allows better control and oversight of the bots.

Kelihos, however, was a hybrid, in which there was a C&C server, but there was also a peer-to-peer aspect as there was some autonomy in the architecture that allowed the bots to continuously update among themselves a list of secondary control servers to which they would report, and those would be directly overseen by the main C&C. This is in direct contrast to the Storm botnet mentioned earlier, which was pure peer to peer. A hybrid network also allows for rapid updates to, and distribution of, associated malware.
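To make the C&C-versus-peer-to-peer distinction concrete from the defender’s side, here is an added example (written for this page; it is not from Reuters, the DOJ, or anyone involved in the Kelihos case) that looks for the tell-tale sign of centrally controlled bots in connection logs: several hosts contacting the same destination on a near-fixed timer. The flow records, host names and addresses are constructed, and the 60-second check-in interval and the thresholds are assumptions, not figures from the Kelihos indictment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records: (seconds since capture start, source host, destination, port).
# Addresses are RFC 5737 test ranges; the three beaconing hosts and the one normal host are made up.
FLOWS = [
    *[(t, "host-a", "198.51.100.20", 443) for t in (0, 61, 119, 181, 240, 299, 362)],
    *[(t, "host-b", "198.51.100.20", 443) for t in (5, 64, 126, 184, 247, 305, 364)],
    *[(t, "host-c", "198.51.100.20", 443) for t in (2, 60, 121, 178, 241, 302, 359)],
    # host-d: ordinary browsing, irregular timing and more than one destination
    (3, "host-d", "203.0.113.10", 443), (4, "host-d", "203.0.113.10", 443),
    (40, "host-d", "203.0.113.44", 80), (41, "host-d", "203.0.113.44", 80),
    (150, "host-d", "203.0.113.10", 443), (151, "host-d", "203.0.113.10", 443),
    (153, "host-d", "203.0.113.10", 443), (330, "host-d", "203.0.113.10", 443),
]


def interval_stats(times):
    """Mean gap between consecutive connections and its coefficient of variation (stddev / mean)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Return (src, dst, port, mean_gap, cv) for every source/destination pair that
    checks in on a near-fixed schedule.  A low cv means the gaps barely vary, which is
    what a timer-driven check-in to a control server looks like; human browsing is bursty."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        by_pair[(src, dst, port)].append(t)
    beacons = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        avg, cv = interval_stats(sorted(times))
        if cv <= max_cv:
            beacons.append((src, dst, port, round(avg, 1), round(cv, 3)))
    return beacons


def shared_controllers(beacons, min_hosts=2):
    """Destinations that several hosts beacon to: candidate C&C or secondary control servers."""
    hosts = defaultdict(set)
    for src, dst, port, _, _ in beacons:
        hosts[(dst, port)].add(src)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    found = find_beacons(FLOWS)
    for b in found:
        print("beacon:", b)
    print("shared control servers:", shared_controllers(found))
```

In the hybrid layout described above, the destinations this surfaces would be the secondary control servers the bots report to; the same routine run over a longer capture would show those addresses changing as the peer list is updated, which is itself a useful signal.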

That leads to the next neat(?) thing about the botnet: it was aggressively and frequently updated. In fact, when a live sinkholing, in which the bots are redirected to different targets that can then help track the bots or even deactivate them, took place at a 2013 RSA security conference, a new version of the botnet rapidly took its place, which indicated that the creators were prepared for just such an emergency and had pre-planned a contingency.

And this was not just a spamming botnet. Along with pushing spam of both the email and desktop pop-up kind, it also stole bitcoin and targeted banks and other large industry outlets with industry specific malware that could rake in millions of dollars while running undetected. For botnet software, this had a wide range of functionalities, both general and specific, although for all it could do it was not hard to track.

The next interesting aspect of this case is that Russia fought vigorously against Levashov’s extradition. Not by attempting to block it, but rather by filing an extradition request of their own based on crimes they say he committed in Russia itself. Regardless of whether the Russian charges are true or an attempt to protect one of their own, that is a clever way of approaching it. It didn’t work, ultimately, and Levashov is now in U.S. custody, but it was an interesting tactic to counter the original extradition request. Not only that, it has happened before.

A really interesting story all the way around, and I’m curious to see how it concludes. In the meantime, be careful, ensure your OS is up to date and fully patched, be sure you are running up-to-date anti-virus and anti-malware protection, try not to visit questionable sites, don’t activate or respond to emails from unknown sources, use an ad-blocker (uBlock Origin is my preferred choice, and I have no connection to them; purely my own opinion), and just generally practice safe computing.

Intel processors revealed to have major flaw, only addressable by OS updates

UPDATE: I’ve been trying to find out more, but Intel is now claiming it has a fix for the vulnerabilities affecting its chips that it will be rolling out by the end of next week. Details are slim, and I will hold off final judgment of course, but I’ll be surprised if it’s completely effective; these microcode patches can be tricky – it’s not a straight firmware update as it impacts the fundamental operation of the CPU. Additionally, it appears the fixes only address the last five years’ worth of processors. Better than nothing if it works.

Original post follows:

This is bad. It has been announced that Intel processors going back approximately ten years have a major flaw in how they separate the operating system from user software. The details have not been released, but the general idea of the problem is already understood for the most part. To give a very high-level overview of what is going on and of how it needs to be addressed: every operating system has a component known as a kernel that separates the hardware from the software. When a program needs to open a port, save a file to disk, access a printer, or use hardware in any other way, it hands that request off to the kernel using what’s known as a system call, and the kernel completes the request (user mode to system mode). The catch is, the kernel is hidden from the program, even distributed across various memory locations to further hide it so that it can’t be exploited by malicious actors; it has to be loaded at system boot, however, in order for programs to use it.

Intel processors, though, use a kind of predictive processing, similar to client-side prediction in games, in which a guess is made as to what will most likely happen next. In the case of Intel processors, they try to guess what code will be run next and load it up in the queue; however, they apparently do this without any security checks. The kernel is kept separate because it can contain confidential information such as passwords (which is why you can’t even get your own passwords back and there is no way to recover them if lost), but if the CPU performs no security check when loading up predictive code, it could, theoretically, run code that would ordinarily be blocked, which could then give savvy attackers access to low-level system processes and data.

But wait, there’s more bad news! Because this can’t be fixed with a firmware update or anything similar, operating systems have to be changed to address the problem. Linux, Windows, and OSX will all require updates that relocate the kernel in memory. Normally, the kernel is mapped into each program’s own process, but that will no longer be the case, and having to go back and forth between user mode and system mode in this manner will incur a possibly significant performance hit on a PC after these updates, estimated by some to be as high as 30 percent.
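The fix described here (keeping the kernel out of each program’s address space) is something you can verify on Linux once the updates land. The following is an added example and not part of the original post: it reads the per-issue status files the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities and the pti flag in /proc/cpuinfo. Both interfaces exist in mainline kernels from 4.15 onward, which shipped after this post was written, so their presence on the reader’s system is an assumption; the sample strings are constructed in the kernel’s own wording so the check also runs offline.

```python
import os

# Linux publishes one status file per issue here (kernel 4.15 and later); assumed present.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def parse_status(text):
    """Classify one sysfs status line.  The kernel writes exactly one of
    'Not affected', 'Vulnerable' (optionally ': detail') or 'Mitigation: <name>'."""
    text = text.strip()
    if text.startswith("Not affected"):
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text[len("Mitigation:"):].strip())
    if text.startswith("Vulnerable"):
        return ("vulnerable", text[len("Vulnerable"):].lstrip(":").strip())
    return ("unknown", text)


def has_pti_flag(cpuinfo_text):
    """True when /proc/cpuinfo lists the 'pti' feature flag, i.e. the running kernel
    isolates its page tables from user processes (the kernel-relocation fix discussed above)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            return "pti" in flags.split()
    return False


def unmitigated(statuses):
    """Names of issues whose status is neither mitigated nor not-affected."""
    return sorted(name for name, text in statuses.items()
                  if parse_status(text)[0] in ("vulnerable", "unknown"))


def read_live_statuses(vuln_dir=VULN_DIR):
    """Read the live sysfs entries; returns {} on non-Linux systems or kernels older than 4.15."""
    statuses = {}
    if os.path.isdir(vuln_dir):
        for name in os.listdir(vuln_dir):
            with open(os.path.join(vuln_dir, name)) as f:
                statuses[name] = f.read()
    return statuses


# Constructed samples in the kernel's wording; the 'meltdown' entry is the sysfs name
# the kernel later gave this CPU flaw.
SAMPLE_STATUSES = {"meltdown": "Mitigation: PTI\n"}
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse pti\n"

if __name__ == "__main__":
    live = read_live_statuses() or SAMPLE_STATUSES
    for name, text in sorted(live.items()):
        print(f"{name:16s} {parse_status(text)}")
    print("unmitigated:", unmitigated(live))
```

Run it after patching: a line reading "Mitigation: PTI" plus the pti flag is what a correctly updated Linux box shows; "Vulnerable" means the kernel knows about the issue but the relocation fix is not active.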

Again, the details aren’t yet fully known, and the impact isn’t either, but if proven true it could be the worst design flaw I have ever seen. I’ll update when more is known.

Almost all HP laptops have a dormant keylogger

If you have an HP laptop like me, you’ll want to read this. For the second time this year, it turns out that (almost) all HP laptops have a deactivated keylogger hidden in their innards. Before, it was a component of the Conexant audio driver and was actually logging keystrokes, while this time it is part of a debugging component for the Synaptics TouchPad software, something most laptops – not just HP – have, so you might want to take a look or inquire with your manufacturer anyway. HP even states on their patch site, linked below, that the driver affects all Synaptics OEM partners, which means there will be a lot more than just HP laptops affected.

While the keylogger is not activated by default, it could be if someone has administrator privileges and knows which specific registry key to edit, a task that is itself no small matter, as anyone who has done registry edits will know. Interestingly, in an odd take on the situation, some in the security field have noted that if someone has administrator access to a machine, they won’t need to modify a registry key to activate a dormant debugger-based keylogger as they could simply install an actual keylogger. The counterpoint is that the driver-based keylogger, because it’s actually part of an integrated debugging / tracing function, would be harder to detect and leave less of a trace than a full-blown logger, so it would be a less intrusive and more opportune choice for those looking to listen in; there’s a built-in excuse for why it might be doing what it’s doing.

That’s assuming it’s detected, of course. The fact is, detecting them is notoriously difficult. Things have gotten better, but even the best antivirus program has trouble identifying them, and that’s even more true of one that’s operating at the system level – you might want to try a scanner that looks for keyloggers specifically. Since nothing is easy, those types of programs are few and far between because of the difficulty in detecting the logger in the first place. The one most often recommended is KL-Detector, but I’m not convinced of its effectiveness and definitely uncertain of the last time it was updated, which is critical in security software. While it will run on Windows 10, the only systems it explicitly confirms are Windows 2000 and XP, not something that gives me confidence as to its currency. Plus, it’s not a removal tool, only a detector. I don’t know why it’s so often recommended.

Physical keyloggers are easy – check where your keyboard plugs into its port. No additional device, no keylogger. Honestly, these are practically obsolete and were mainly used when keyboards still plugged into PS/2 ports, but don’t be fooled – USB physical keyloggers are out there, but are not commonly used because the chance of discovery is high.

It must also be noted that while there are obvious nefarious uses for keyloggers and that is why we generally hear about them, they have valid uses as well. If you are a parent who’s concerned about what your kids are doing online, a keylogger might be one option, especially these days. If you’re conducting a legitimate investigation, a keylogger is an option and has been used in the courtroom, both successfully and unsuccessfully. And, as alluded to above, they have valid testing and debugging uses. It’s similar to peer-to-peer sharing software; we mainly hear about how it’s bad, but it can also be very useful.

In a way it’s better than the previous time this happened because the keylogger is not active, but it’s worse because so many more models are impacted. HP acted right away and issued a patch, although if you received a Windows Update in the last couple of days you should be fine as well. If you’d like to be doubly sure, you can check HP’s patch site to download a patch for your model. There are a lot of links, so you’ll need to know your exact model.

It finally happened

I have the feeling this story could get convoluted. Let me sum up right at the beginning: I have finally received a threatening letter accusing me of copyright infringement, from the Entertainment Software Association (ESA). Some background:

I have been playing vanilla WoW, off and on, for months on a private server known as Elysium-Project. I wrote about the experience not too long ago right here on this site (we’ll get to Felmyst later in this post). The thing about this server is that in order to download the client you have to do so through a torrent, which right away gives the impression of impropriety. I had downloaded it once before, using the uTorrent client, to use on my desktop, and everything seemed above board.

utorrent client - I probably shouldn't have started it again for this shot

Recently, though, I downloaded it again, using the exact same torrent client, however this time it was on my laptop. Immediately, even before the file finished downloading, I received the following email from my ISP, Cox Communications:

Dear Customer,

We are forwarding a notice received by Cox Communications which claims that someone using your Cox High Speed Internet service has violated U.S. Copyright law by copying or distributing the copyrighted work listed in the attached complaint.  THIS COMPLAINT IS FROM A THIRD PARTY AND NOT FROM COX COMMUNICATIONS.  We have included a copy of the complaint, which identifies the party making the claim, the title or work they claim was infringed, and the date of the alleged infringement.

We ask that you review the complaint and, if you believe it is valid, promptly take steps to remove or disable access to the infringing material (typically movies, music, books, or TV shows).  If other parties are using your account, such as through your WiFi connection, you should ask them to disable file-sharing in peer to peer applications such as BitTorrent, or delete the copyrighted works.

If you disagree with the claims and believe that no one using your Internet service could have been the source of the alleged infringement, please do not contact Cox Communications to resolve this matter.  Cox is simply forwarding the notice to you.  However, if you have WiFi, please make sure your WiFi connection is secured with a strong password to prevent unauthorized use of your Internet service.  In addition, make sure anti-virus software is installed and up to date to help prevent malware infections.

PLEASE NOTE:  THE ATTACHED NOTICE MAY CONTAIN A SETTLEMENT DEMAND FOR MONEY OR OTHER TYPE OF OFFER FOR YOU TO CONSIDER.  YOU MAY WANT TO CONSULT WITH AN ATTORNEY REGARDING YOUR RIGHTS AND RESPONSIBILITIES BEFORE CLICKING ON ANY LINK OR VISITING A WEBSITE LISTED IN THE NOTICE.

The material that you share online or make available for sharing is your responsibility.  Cox encourages responsible Internet use, but we do not monitor nor control the information you transmit.  We have a policy, however, consistent with the Digital Millennium Copyright Act, to take steps when we receive notifications of claimed infringement.  We also have a policy of terminating repeat infringers in compliance with the Digital Millennium Copyright Act Safe Harbor for online service providers.

If we continue to receive infringement claims notices for your account, we may in appropriate circumstances suspend your account, disable your Internet connection, and/or terminate your Internet service.

For information about Cox’s Acceptable Use Policy, including copyright infringement, please refer to:
https://www.cox.com/aboutus/policies.html

To learn more about your responsibilities concerning copyrighted material, please refer to our help article at:
https://www.cox.com/copyright

General information & FAQs about DMCA notices:

http://www.respectcopyrights.org/

http://www.riaa.com/toolsforparents.php?content_selector=resources-music-copyright-notices

If you would like to reply to this email, please keep the subject line intact for tracking purposes.

Sincerely,

Cox Customer Safety

--- Original Message ---

[Part 0:0 (plain text)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

2017-10-07T03:15:10Z

Entertainment Software Association
601 Massachusetts, NW, Suite 300, West
Washington, DC 20001 USA

Attention:
Intellectual Property Enforcement
Website: http://www.theesa.com/wp-content/uploads/2014/12/DMCA-FAQs-Updated-12-2014.pdf
E-mail:
dmca@theesa.com

Cox Communications

Re: Copyright Infringement by Cox Communications Subscriber

Using IP 98.164.255.62 on 2017-10-07T03:14:58Z (the “Subscriber”)
Reference Number c7ed1b3845618ac0d707

Dear Cox Communications:

The Entertainment Software Association (“ESA”) is the U.S. trade association that represents the intellectual property interests of companies that publish interactive games for video game consoles, personal computers, handheld devices, and the Internet (hereinafter collectively referred to as “ESA members”).
A list of ESA members can be found at http://www.theesa.com/about-esa/members/.
Under penalty of perjury, we affirm that ESA is authorized to act on behalf of ESA members whose exclusive copyright rights we believe to have been infringed as described below.

ESA is providing this notice pursuant to the Digital Millennium Copyright Act (“DMCA”), 17 U.S.C. section 512, to request that you take immediate action with respect to infringement of ESA member copyrighted works by your Subscriber.
Using the IP address on the date and time referenced in the subject line of this notice, the Subscriber or someone using their account employed a peer-to-peer service or software to distribute one or more infringing copies of ESA members’ games, including the following title:

Warcraft (franchise)

Courts in the United States have held consistently that the unauthorized distribution of copyrighted works using peer-to-peer or similar services constitutes copyright infringement.
E.g., MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005); BMG Music v. Gonzalez, 430 F.3d 888, 891 (7th Cir. 2005); Arista Records LLC v. Lime Group LLC, 2010 U.S. Dist. LEXIS 46638, *49 (S.D.N.Y. May 11, 2010

This Subscriber should understand clearly that there are serious consequences for infringement.
The Copyright Act in the United States provides for statutory damages of up to $30,000 per work infringed, and up to $150,000 per work for willful infringement.
17 U.S.C. section 504(c).

We ask that you work with us to protect the intellectual property rights of ESA members by:

1. Providing the Subscriber with a copy of this notice of copyright infringement, and warning the Subscriber that his or her conduct was unlawful and could be subject to civil or even criminal prosecution.
2. Promptly taking steps to stop the Subscriber’s infringing activity.
3. Pursuant to 17 U.S.C. section 512(i)(1)(A), as appropriate, terminating the account of the Subscriber if your records show that he or she is a repeat copyright infringer.

ESA has a good faith belief that the Subscriber’s reproduction and/or distribution of these copyrighted works as set forth herein is not authorized by the copyright owners, their agents, or the law.
The information in this notification is accurate.
Neither ESA nor its members waive any claims or remedies, or their right to engage in other enforcement activities, and all such claims, rights and remedies are expressly reserved.

If your Subscriber has additional questions about this notice, we would encourage them to visit http://www.theesa.com/wp-content/uploads/2014/12/DMCA-FAQs-Updated-12-2014.pdf to learn how to delete the infringing material and avoid receiving future notices.

Thank you for your prompt attention to this matter.

Sincerely,

Intellectual Property Enforcement
Entertainment Software Association
Website: http://www.theesa.com/wp-content/uploads/2014/12/DMCA-FAQs-Updated-12-2014.pdf

- ------------- Infringement Details ----------------------------------
Title:        Warcraft (franchise)
Timestamp:    2017-10-07T03:14:58Z
IP Address:   98.164.255.62
Port:         33768
Type:         BitTorrent
Torrent Hash: 2b32e64f6cd755a9e54d60e205a9681d6670cfae
Filename:     World of Warcraft 1.12 Client.rar
Filesize:     5197 MB
- ---------------------------------------------------------------------

<?xml version="1.0" encoding="UTF-8"?>
<Infringement xmlns="http://www.acns.net/ACNS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.acns.net/ACNS http://www.acns.net/v1.2/ACNS2v1_2.xsd">
<Case>
<ID>c7ed1b3845618ac0d707</ID>
<Status>Open</Status>
<Severity>Normal</Severity>
</Case>
<Complainant>
<Entity>Blizzard Entertainment, Inc.</Entity>
<Contact>IP-Echelon – Compliance</Contact>
<Address>6715 Hollywood Blvd
Los Angeles CA 90028
United States of America</Address>
<Phone>+1 (310) 606 2747</Phone>
<Email>p2p@copyright.ip-echelon.com</Email>
</Complainant>
<Service_Provider>
<Entity>Cox Communications</Entity>
<Email>abuse@cox.net</Email>
</Service_Provider>
<Source>
<TimeStamp>2017-10-07T03:14:58Z</TimeStamp>
<IP_Address>98.164.255.62</IP_Address>
<Port>33768</Port>
<Type>BitTorrent</Type>
<SubType BaseType="P2P" Protocol="BITTORRENT"/>
<Number_Files>1</Number_Files>
</Source>
<Content>
<Item>
<TimeStamp>2017-10-07T03:14:58Z</TimeStamp>
<Title>Warcraft (franchise)</Title>
<FileName>World of Warcraft 1.12 Client.rar</FileName>
<FileSize>5450407230</FileSize>
<Hash Type="SHA1">2b32e64f6cd755a9e54d60e205a9681d6670cfae</Hash>
</Item>
</Content>
</Infringement>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJZ2Ea9AAoJEN5LM3Etqs/WBF0H/jpN7FftxC1K3kUH9j6jG4IZ
A7abndRK8UZISWGRCmT0Tj7+itlRmvzwo9/ggZl9RxiuIPR8KCr/cHTgIbcimjni
ycdjkB6kLOi6FHOA8FybJCVdLK/hMlVvKum/WG4j4oaYBf0LEtowXM1DT1XU7GEy
0F8gUaL5waoJjXuZsA/p88LUhb3Wpmx4BQ6CpzXo96We/JDd+rIApkUsEq56m71s
4Qy5gK3VQVvd3DxqEFZEfU984RBYB3j8i3RCRrHssLUUa4L02Gp3AYpc0szmcOQ8
ZZAtJTOjkCmBUllxo9LNCwgDDQwtybL/QedED4+amO2h7tlLoYfZtuH6qRshpLM=
=iSCJ
-----END PGP SIGNATURE-----

There’s a lot there, but essentially what it is saying is that I committed a copyright infringement not by downloading the Warcraft client, but by also allowing it to be seeded and therefore distributing it. It’s like drug enforcement; the dealers are the problem much more so than the users.
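Notices like this one carry a machine-readable ACNS XML block, which is how ISPs process them at scale without a human reading the prose. As an added example (not part of the original post, and not code from Cox, the ESA or IP-Echelon), here is a small parser that pulls out the fields a recipient or abuse desk would act on and sanity-checks the notice’s own claims. The sample notice embedded in it is constructed with placeholder values (an RFC 5737 test address, a dummy hash and case id), not the real notice above; the layout follows the ACNS 1.2 structure shown there.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

ACNS_NS = {"a": "http://www.acns.net/ACNS"}

# Constructed notice in the ACNS 1.2 layout; every value is a placeholder, not real data.
SAMPLE_NOTICE = """<Infringement xmlns="http://www.acns.net/ACNS">
  <Case><ID>EXAMPLE-CASE-ID</ID><Status>Open</Status><Severity>Normal</Severity></Case>
  <Complainant><Entity>Example Rights Holder</Entity><Email>abuse@example.invalid</Email></Complainant>
  <Service_Provider><Entity>Example ISP</Entity><Email>abuse@isp.invalid</Email></Service_Provider>
  <Source>
    <TimeStamp>2017-10-07T03:14:58Z</TimeStamp>
    <IP_Address>203.0.113.7</IP_Address>
    <Port>33768</Port>
    <Type>BitTorrent</Type>
    <SubType BaseType="P2P" Protocol="BITTORRENT"/>
    <Number_Files>1</Number_Files>
  </Source>
  <Content><Item>
    <TimeStamp>2017-10-07T03:14:58Z</TimeStamp>
    <Title>Example Title</Title>
    <FileName>example-client.rar</FileName>
    <FileSize>5450407230</FileSize>
    <Hash Type="SHA1">0123456789abcdef0123456789abcdef01234567</Hash>
  </Item></Content>
</Infringement>"""


def parse_acns_notice(xml_text):
    """Extract the fields a recipient acts on.  Third-party notices are untrusted input;
    the stdlib parser is used here for portability, a hardened one (e.g. defusedxml)
    would be the choice in an abuse-desk pipeline."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, ACNS_NS)
        return el.text.strip() if el is not None and el.text else None

    subtype = root.find("a:Source/a:SubType", ACNS_NS)
    hash_el = root.find("a:Content/a:Item/a:Hash", ACNS_NS)
    return {
        "case_id": text("a:Case/a:ID"),
        "status": text("a:Case/a:Status"),
        "complainant": text("a:Complainant/a:Entity"),
        "timestamp": text("a:Source/a:TimeStamp"),
        "ip": text("a:Source/a:IP_Address"),
        "port": int(text("a:Source/a:Port")),
        "protocol": subtype.get("Protocol") if subtype is not None else None,
        "title": text("a:Content/a:Item/a:Title"),
        "filename": text("a:Content/a:Item/a:FileName"),
        "filesize": int(text("a:Content/a:Item/a:FileSize")),
        "hash_type": hash_el.get("Type") if hash_el is not None else None,
        "hash": hash_el.text.strip() if hash_el is not None and hash_el.text else None,
    }


def filesize_mib(size_bytes):
    """Whole mebibytes, to cross-check the 'Filesize: NNNN MB' line of the plain-text block."""
    return size_bytes // (1024 * 1024)


HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def validate_notice(n):
    """Consistency checks on the notice's own claims; returns a list of problems (empty when clean)."""
    problems = []
    try:
        datetime.strptime(n["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        problems.append("timestamp is not UTC ISO-8601")
    try:
        ipaddress.ip_address(n["ip"])
    except ValueError:
        problems.append("ip is not a valid address")
    if not 1 <= n["port"] <= 65535:
        problems.append("port out of range")
    expected = HASH_HEX_LEN.get(n["hash_type"])
    h = n["hash"] or ""
    if expected is None or len(h) != expected or any(c not in "0123456789abcdefABCDEF" for c in h):
        problems.append("hash does not match its declared type")
    if n["filesize"] <= 0:
        problems.append("filesize is not positive")
    return problems


if __name__ == "__main__":
    notice = parse_acns_notice(SAMPLE_NOTICE)
    print(notice)
    print("size (MiB):", filesize_mib(notice["filesize"]), "problems:", validate_notice(notice))
```

The byte count in the XML and the "MB" figure in the plain-text details of the notice above agree under this calculation (5450407230 bytes is 5197 MiB), which is the kind of cross-check worth doing before treating an automated notice as accurate.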

I also have to say I find some amusement in the otherwise serious nature of this email, in that while the complaint from the ESA was very serious and implied significant fines, federal crime, even possible jail sentences, the portion from Cox essentially says “Hey, this is what we were told, now keep us out of it.”

The fact that it came in late on a Friday night while the file was still downloading also makes it quite clear the whole process was automated, both the email to Cox and their forwarding it on to me.

I blame myself for part of this as I never thought to switch off seeding, and when I tried to connect to the private Elysium server after the client download was complete, I neglected to modify what’s known as a realmlist.wtf file to point to Elysium’s server as opposed to the stock Warcraft server. That means that I was attempting to connect directly to Blizzard at first. That’s not what the complaint was about, it was about the redistribution of their client via torrent, but the fact I made that connection error at first was not lost on me.

I don’t anticipate any major problem from this. The second the file was done downloading I deleted the original torrent file and shut down the torrent client. I don’t like to use my limited bandwidth to seed the downloads of others, and I don’t have anything they would want anyway, especially not on my laptop.

So I am ignoring it for now, and in fact I have done what they asked (demanded) I do. It also leads to an interesting legal issue: If you read my previous post about my early experiences on Elysium, you would know that there had been another private server, Felmyst, that was shut down on its very first day, apparently because they were distributing the client along with the game files (or something like that). Elysium, on the other hand, is able to stay up and running because they don’t distribute the client, and therefore no copyright violations are taking place. That seems strange to me since we are playing on a server that uses entirely Blizzard-created assets, but who knows. A quick Google search indicates I’m far from the only one experiencing this, and the issue of monetary gain versus non-profit can have serious implications and Blizzard’s perspective isn’t always so black and white. They’re both very interesting reads.

What I can surmise is, and as I stated earlier, using the client/game once downloaded, even downloading the client itself, is not illegal; it’s the redistribution that’s the problem.

Don’t redistribute clients via torrent, people.

I am completely OK with this

The emojis will be with you, always

Now this I have no problem with whatsoever, although it hints at a larger issue. Researchers at University College London have discovered a dormant but massive Twitter botnet comprised of an estimated 350,000 fake accounts that does nothing but tweet out random quotes from Star Wars novels.

(Full report here)

They discovered it quite by accident while taking a purely random sample of English-speaking Twitter accounts. The sampling method matters: other methods might bias the results in favor of accounts that are more active or have more followers. Their one percent sample yielded approximately six million accounts.

Once their random sample was complete, they plotted the geographic distribution of these users, and they discovered something curious. Many of the tweets formed an almost perfect rectangle along latitude/longitude lines, including open, uninhabitable places like frozen tundra and bodies of water. They conjecture the shape was deliberate, to mimic where English-language tweets are most likely to originate and hide them within the flood of tweets from legitimate Twitter users.

Upon further investigation, the researchers found another surprise. All these Twitter accounts did was tweet out random passages from Star Wars novels. They also never retweet, they send out very few tweets (around ten total), and they list ‘Twitter for Windows Phone’ as the tweet source. As much as I hate to say it, that is also likely a ploy to stay under the radar as much as possible, given that platform’s very small user base.

It’s not Twitter, but Darth Vader actually posted this on Instagram. Seriously. He doesn’t even care about that stormtrooper behind him.

Using a machine-learning word-association approach (a ‘classifier,’ although classifiers are not limited to word association), the researchers found that actual users had a very wide distribution of word choice, while the bots used words almost entirely related to Star Wars. Additionally, the platform percentages were evenly distributed for the most part among real users, while the botnet was one hundred percent Twitter for Windows Phone. When the numbers are examined, the botnet is easy to see.
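As an added example (not the UCL authors’ code or data), the following shows the two signals the paragraph above describes, word choice and posting client, feeding a small naive Bayes classifier, together with the per-class platform breakdown that made the botnet stand out. The training tweets are constructed stand-ins for the two populations, not real tweets, and the tiny corpus is an assumption; the method is the general one, so it works unchanged on any labelled set of (text, client, label) rows.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training rows: (tweet text, posting client, label).  None are real tweets;
# the bot rows imitate novel excerpts from one client, the human rows everyday text from several.
TRAINING = [
    ("Luke stared at the twin suns as the Jedi Master spoke of the Force", "Twitter for Windows Phone", "bot"),
    ("The stormtrooper raised his blaster as the Millennium Falcon lifted off", "Twitter for Windows Phone", "bot"),
    ("Vader sensed a disturbance in the Force aboard the Death Star", "Twitter for Windows Phone", "bot"),
    ("Han Solo shrugged and told Chewbacca to punch it into hyperspace", "Twitter for Windows Phone", "bot"),
    ("The lightsaber hummed as the Sith lord approached the rebel base", "Twitter for Windows Phone", "bot"),
    ("just got coffee and the line was crazy long this morning", "Twitter for iPhone", "human"),
    ("anyone watching the game tonight? my team needs a win", "Twitter for Android", "human"),
    ("new phone arrived today and the battery life is great so far", "Twitter Web Client", "human"),
    ("traffic on the highway is terrible again, going to be late", "Twitter for iPhone", "human"),
    ("happy birthday to my best friend, see you at dinner later", "Twitter for Android", "human"),
]


def features(text, source):
    """Bag of lowercased word tokens plus one token for the posting client."""
    tokens = re.findall(r"[a-z']+", text.lower())
    tokens.append("__src:" + source.lower())
    return tokens


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing, scored in log space to avoid underflow."""

    def __init__(self):
        self.doc_counts = Counter()
        self.word_counts = defaultdict(Counter)
        self.vocab = set()

    def fit(self, rows):
        for text, source, label in rows:
            self.doc_counts[label] += 1
            for tok in features(text, source):
                self.word_counts[label][tok] += 1
                self.vocab.add(tok)
        return self

    def log_posteriors(self, text, source):
        total_docs = sum(self.doc_counts.values())
        scores = {}
        for label, n_docs in self.doc_counts.items():
            total_words = sum(self.word_counts[label].values())
            score = math.log(n_docs / total_docs)  # class prior
            for tok in features(text, source):
                count = self.word_counts[label][tok]
                score += math.log((count + 1) / (total_words + len(self.vocab)))
            scores[label] = score
        return scores

    def predict(self, text, source):
        scores = self.log_posteriors(text, source)
        return max(scores, key=scores.get)


def client_share(rows, label):
    """Fraction of tweets per posting client within one class: the study's platform check."""
    clients = Counter(source for _, source, lab in rows if lab == label)
    total = sum(clients.values())
    return {c: n / total for c, n in clients.items()}


if __name__ == "__main__":
    clf = NaiveBayes().fit(TRAINING)
    print(clf.predict("the Jedi felt the Force guide his lightsaber", "Twitter for Windows Phone"))
    print(clf.predict("running late for work, coffee first", "Twitter for iPhone"))
    print("bot clients:", client_share(TRAINING, "bot"))
    print("human clients:", client_share(TRAINING, "human"))
```

Because the client is just another token, a tweet whose words are ambiguous is still pulled toward the bot class when it comes from the one client every bot uses; that is why a uniform platform field is as revealing as the vocabulary.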

The authors then discuss the implications. Clearly, a dormant, low-activity Star Wars-themed Twitter botnet is not a big deal. However, if the creator decided to reactivate the botnet in order to create a spam network, send malicious messages, or use it for other nefarious purposes, they could. I personally don’t believe that will happen as it likely would have already, however as the authors also note, the botnet went out of its way to stay under the radar.

One of the things I find most interesting about it all is that the authors hint they found another, even more massive Twitter botnet using the same approach, which they will be reporting on at a later date.

Really interesting stuff, and touches on the impact of social media, machine learning and AI, cybersecurity, and geolocation/geotagging just to start (as well as the curious motivations of this particular botnet’s creator). I very much recommend giving it a read.

Destroy your stuff with just a USB stick

Hey, now this sounds fun! Want a simple, effective, and inexpensive way to destroy your expensive stuff and all the data on it? Well do I have good news for you! Now, with just a simple USB stick you can blow up damn near any digital device with a front-facing USB port (meaning publicly accessible, it doesn’t actually matter which direction the thing is actually facing. An important distinction).

The USB Kill charges itself from the port’s power supply, then discharges back into the port, over and over again until the host device is broken. Of course they say don’t use it for malicious purposes, but come on…why else would we want one of these things? Oh right – ‘testing’ purposes.

To be fair, everyone knows USB ports are a haven for malicious attacks, they’re the mosquito-breeding stagnant pond of digital devices, a very easy way to infiltrate a system or exfiltrate (steal or lose) its data.

It’s a pretty nifty device, in and of itself, and another interesting point they make is that only Apple devices are protected against this type of attack out of the box. Everyone else, well, look out (also, it might not destroy the data, and if it doesn’t, then NSA-approved bulk erasers are for you!).

WordFence to the Rescue!

Over the weekend, I added WordFence security to the site. WordFence is a free (with premium option) service that provides backend security and monitors a WordPress site and prevents all sorts of bad things from happening. It has a slew of options and services that can be configured in any way a user would like, providing some peace of mind.

As you can see, the services and options it provides are many:

WordFence options

It has, for example, a firewall that prevents unwanted actors from gaining access to your site; as with any good firewall, you can whitelist or block sites as you see fit. It also claims it learns as time goes on, although I’m not able to test that at this time.

WordFence firewall

I’ve had this site for several years now, so as you can imagine with all the posts and photos and links there are a lot of potential hazards, and the service did a complete scan to be sure everything was on the up and up. It found a potentially malicious link in one of my posts from two years ago, and although the link was simply giving credit for a header image and not actually malware, I deleted it anyway. It scans everything for malware, the aforementioned malicious links, and any other problems and ranks what it finds in terms of its severity. I’m glad to say this site, to paraphrase Tangina Barrows, is clean.

Clean!

There are many, many, many options. This kind of thing can often result in a performance deficit, although I haven’t noticed any slowdown at all. On a curious side note, I was asked to download my .htaccess file before WordFence scanned my site and implemented itself, which I thought was strange. If you’re not familiar, .htaccess is an Apache-specific file placed in a directory of a website that specifies some site functionality, such as redirects or even password access, without having to modify the server settings; WordPress itself states that it “uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof,” and .htaccess functionality cascades to all subdirectories (it can be overridden with another .htaccess file in a subdirectory, but that’s for another post). Why they wanted me to download that they never specified, but I did and ended up not needing to worry.
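To make the cascading behaviour concrete, here is an added example (not from the original post, and not WordFence’s or WordPress’s own configuration) of a root .htaccess that does the two things mentioned above, a redirect and password access, followed by a subdirectory .htaccess that overrides the inherited password rule. The paths, the realm name and the subdirectory are all constructed for the illustration; the directives themselves are standard Apache 2.4.

```apache
# ---- /var/www/example-site/.htaccess (constructed path) ----
# Everything here applies to the document root AND to every
# subdirectory, unless a deeper .htaccess overrides it.

# Password access: HTTP Basic authentication for the whole site.
# The user file is an assumed path; it should live outside the
# document root so it can never be served as a plain file.
AuthType Basic
AuthName "Private area (example realm)"
AuthUserFile /var/www/example-site-private/.htpasswd
Require valid-user

# Redirect: an old URL that moved, answered with a permanent (301) redirect.
Redirect 301 /old-post.html /new-post.html

# Defence in depth: never serve dotfiles (.htaccess, .htpasswd, .git/...)
# even if one ends up inside the web root.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# ---- /var/www/example-site/public/.htaccess (constructed path) ----
# This subdirectory is meant to be world-readable. In Apache 2.4 the
# Require rules of a deeper directory replace the inherited ones (the
# default AuthMerging Off), so this single line drops the password
# prompt for /public/ only; the root redirect and the dotfile block
# still apply here because they were not overridden.
Require all granted
```

Two things worth checking before relying on this: the main server config has to permit it (`AllowOverride AuthConfig FileInfo` for that directory, otherwise Apache ignores the auth and redirect directives in .htaccess), and the override in the subdirectory works in the other direction too, so a stray `Require all granted` placed deep in a tree silently opens a directory you thought was protected. That is exactly the kind of thing a scanner wants to compare against a known-good copy, which is a plausible reason for asking you to download the file first.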

Another interesting thing about the .htaccess file is that it has been around FOREVER!

So with that sidetrack out of the way, the site is now more secure than ever, WordFence is running in real time, and I’ve already received some emails telling me about the login attempts they’ve blocked (from both Germany and France – I’m worldwide!) and how smoothly my site is running. I’m very happy with it so far. If you have a site and are interested, it’s very easy to install and can be done from the ‘install plugins’ section of the WordPress backend.

Nice try, but I have WordFence!

A huge mistake, and disaster averted

Yep

Other than not being a woman, I know just how that lady feels. Today was a bad day, and her expression was my exact expression earlier. You’ll notice over to the right, on the twitter feed, the words “OR DON’T.” That was the header image to a post I had written about two separate attacks this month that targeted remote access software. One attack on June 1st compromised TeamViewer, a program I use myself, and the second, more recent attack targeted GoToMyPC, hence the OR DON’T. Get it? Anyway, both were based on password reuse, so change your passwords if you’re affected. Or even if you’re not.

However, after I posted it, I noticed that the LightBox functionality was not working on recent posts. LightBox is the function that causes an image to expand when you click on it while darkening the background. It’s only not working on recent posts; for older posts it works fine. I didn’t know why, and started to investigate.

New ransomware method to worry about

Image Credit: makeuseof.com

Over on security blog Bleeping Computer, there is a post about a new type of ransomware that presents a triple threat. Known as RAA, what makes this one different is that instead of using an .exe attached to an email, which would pop up an alert when a user tried to run it, this one is written entirely in JavaScript, a language often used to encode and provide functionality for web pages. If a user runs something written in JS, it likely would not pop up any alerts, and the damage would be done before you knew it.

Enjoy the Internet while you can

This has been in the cards for a long time, but ICANN, the Los Angeles-based organization that has its fingers in many aspects of how the Web operates, will no longer be managed by the United States, but – according to this article in the Washington Post – by “an international body made up of technologists, businesses, governments and public interest advocates.”

This is a mistake. While I don’t have an inherent problem with a nebulous international body overseeing the continued development of the operation of the Web, what I DO have a problem with is that this will allow in oppressive regimes who have no interest in freedom of expression or the open standards and ideas that the Web is built upon, and they could very well turn back the Internet clock, as it were.

I’m not being facetious when I say this could change the way the Web works forever. It could cease being the glorious, anachronistic Wild West that it always has been, and instead be regulated according to the demands of those who wish to stifle it and the free exchange of information it represents. Some governments, who have expended huge amounts of money and effort to limit what their citizens can see on the Internet, have been salivating over this moment for decades; we can all imagine why.

You’ll notice that page six of the transition assessment (.pdf here) states “This model encourages all parties—including businesses, technical experts, civil society, and governments—to participate and to reach consensus through a bottom-up process.” The problem is, governments will have ultimate decision-making capabilities and will overrule other stakeholders. I’m astounded there is not more attention being paid to this, or that the news isn’t covering it and, frankly, that people aren’t rioting. If they’re so willing to riot over the G20, which is *also* a multinational gathering – why not this? We should be very careful about who has influence over the future growth of the Web.

So enjoy the Web while you can, it could be changing soon.