December 31, 2017

Happy New Year to my readers

Well, 2017 is ending and 2018 is coming on in! Somehow we made it through another crazy year. We fended off all manner of online threats, including a flood of ransomware and bitcoin miners. Many of us had our credit information compromised by the Equifax data breach.

Twenty seventeen also revealed how insecure many wireless security cameras and household smart devices are. Collectively known as the Internet of Things (IoT), these remotely accessible Internet-connected devices were often shipped with easily guessed administrator credentials that allowed cybercriminals and hackers to take control of them and draft them into huge botnets. In turn, these botted cameras and smart devices were used in gigantic DDoS attacks against Internet service providers, web hosts, cloud services, governments, businesses and online gamers. Some online cameras shipped with secondary remote access credentials hardcoded into the firmware, rendering any security-oriented changes made by the owners moot.

Some of the supposedly most secure organizations in the World got hacked and had invaluable data exfiltrated. These included the NSA, who, through a combination of misplaced trust in their contractors and targeted email scams, had some of the most clandestine espionage tools ever developed stolen by hackers from abroad. Those hacking tools were unleashed on the Internet not long after they were pilfered. Some even ended up in the hands of North Korean hackers and other foreign state actors.


July 4, 2014

How viruses and malware have evolved since 1995

It was late 1994 when I bought my first computer. It ran on the Windows 95 operating system and contained a 512 megabyte hard drive and 16 megabytes of RAM, which was a full load in that era. Most programs were loaded by one of the two floppy drives: 3 1/2 inch and 5 1/4 inch, with a few more loading from the 2x CD drive.

That computer was not connected to the Internet until early 1996, but it became infected with a virus nonetheless, in early 1995. That virus was delivered via a floppy diskette with an infected Master Boot Record. Here is how it happened.

One day I decided to buy an inkjet printer ($329.00!). Soon afterward, one of my friends told me about a business card program he had purchased and offered to loan me his setup diskettes (3.5" floppies). I gladly accepted the offer and went about installing the business card program and designing my very first self-made business card. I was going to need some business card paper to print out the cards, so I shut down the PC and went out to find the card stock.

When I got home with the business card stock I turned on my computer. It was then that I got a real mental shock. My Windows 95 contained a rudimentary antivirus program that worked by creating a checksum of every system file when it was first installed. As the computer booted up, that program began notifying me that "the checksum has changed" in hundreds of system files and the Master Boot Record. Panic set in!

I made a few phone calls to computer stores in my city and one of them had an anti-virus program, on a 3.5" floppy disk, named ThunderByte Anti-Virus. I bought the program for ten bucks, took it home, scanned with it and learned that my PC was infected with the Anti-Exe A virus, whose sole stupid purpose was to make a computer unusable. I followed the manual disinfection instructions to the letter and within one hour my computer was disinfected. However, I had to learn how to reinstall Windows to repair the damaged system files. That was in 1995 and it taught me how to fight the relatively simple viruses of that era.

I kept ThunderByte installed on that and my next computer, until sometime in 1998, when the company was sold and ThunderByte was retired. Without new definitions the program became useless. In addition to using definitions for known viruses, ThunderByte also kept a database with the "checksums" of all scanned good files. So, every time I upgraded a program, or ran Windows Updates and some files were changed, ThunderByte popped up a red warning box and sounded a loud annoying siren alarm tone.

Back in 1995 through 1998, antivirus programs tended to receive updates every week, or at best, every few days. They all worked by scanning hard drives and floppy diskettes for known viruses, removing them, then creating a "checksum" of each good file. The checksums are like fingerprints: in practice no two different files produce the same value, so any change to a file changes its checksum. In those times, new viruses were being written and released a couple of times a week, usually by rogue programmers looking for notoriety. It was fairly easy to protect a computer with weekly updates, downloaded over 33,600 baud modems.
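To show what those checksum-based scanners were actually doing, here is an added example (not ThunderByte's code or anything from the original post): a baseline of per-file digests over a directory, compared against a later scan to report changed, added and removed files. It uses SHA-256 rather than the weaker checksums of the era; the file names, contents and the tampering scenario are constructed.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and record a digest for every file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            baseline[str(full.relative_to(root))] = file_digest(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way the old scanner alerted: changed, added, removed."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline: dict, store: Path) -> None:
    """Persist the baseline; keep it somewhere the scanned files cannot overwrite it."""
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake system directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        root.mkdir()
        (root / "io.sys").write_bytes(b"boot loader v1")
        (root / "command.com").write_bytes(b"command interpreter")
        (root / "config.sys").write_bytes(b"FILES=30")
        store = Path(tmp) / "baseline.json"  # outside the scanned tree
        save_baseline(build_baseline(root), store)
        # The kind of damage a boot-sector infector leaves behind: one system
        # file rewritten, one unexpected file dropped, one file gone.
        (root / "io.sys").write_bytes(b"boot loader v1 + foreign code")
        (root / "dropped.tmp").write_bytes(b"unexpected")
        (root / "config.sys").unlink()
        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```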

My, how things have changed since then!


December 19, 2011

Four Reasons to Monitor Internet Usage

Takeaway:

Do you know what your employees are doing online, on company time? How can their online activities impact not just productivity, but also your company's bank accounts? Are you or your admins monitoring your employees' online activities to find out what they are doing that could negatively impact your company?

As an administrator or a security professional, your job depends heavily on information. Both professions require that you stay on top of things and are always aware of what is going on throughout your network. There are different ways to acquire the information needed to do the job effectively, depending on the kind of information you are seeking.

By monitoring internet usage the following information can be ascertained:

  1. Internet Usage: This may be stating the obvious but information on internet usage is essential for an administrator and/or a security professional. With this information one can find out:
    • How much time users spend browsing
    • How much bandwidth is being consumed and for what
    • Which sites people are visiting the most.
  2. Policies adherence: A good Internet usage monitor will give you reports on which internet usage policies users have tried to breach, how often they have attempted to breach them, and how many users have attempted to breach these policies. This information can then be used to identify the reasons for these attempted breaches. Is it because the policy is too strict and it stops people from doing their job? This analysis can help identify any changes required to make the policy less restricting without compromising the underlying security reason for it. It could also be the case that people don't understand the reasons for a particular security policy so this would be the perfect opportunity to educate your users.
  3. Bandwidth: When you use an internet usage monitoring solution you can get a clear picture of which websites are eating up a lot of bandwidth and those users whose activity online is consuming excessive bandwidth. If your bandwidth is being used by employees who are streaming media that has no relevance to the business, you can proactively limit bandwidth use through quotas or by blocking certain sites altogether.
  4. Threats: It's very important to know if and when users try to access malicious sites, because if a sudden increase is seen it can be an indication that someone is either targeting your organization or some other security mechanism has failed - for example the anti-spam solution is no longer catching phishing emails and users are clicking on links which they should not. This information can also potentially pinpoint troublesome employees. If you see a user trying to access sites that are infected with Trojans and other malware it should raise a red flag and you should investigate why that user is accessing those sites.

With a good internet usage monitoring solution you can keep an eye on what is happening within your organization enabling you to be proactive on issues that you would otherwise not be aware of.
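The four items above can be pulled out of ordinary proxy logs. This is an added example (not GFI's product or any code from the post): a small report over constructed proxy-log lines giving the most requested sites, policy-breach attempts per user, bandwidth by user and site, and two threat signals, a burst of blocked malicious-site hits in one hour and one bad site reached by several users. The log format, field names and both thresholds are assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample log (the format is an assumption), one request per line:
# time user client method url status bytes action category
SAMPLE_LOG = """\
2011-12-19T09:02:11 alice 10.0.0.5 GET http://intranet.example/home 200 1200 allowed business
2011-12-19T09:05:40 bob 10.0.0.6 GET http://video.example.net/stream/1 200 9500000 allowed streaming
2011-12-19T09:06:02 bob 10.0.0.6 GET http://video.example.net/stream/2 200 8700000 allowed streaming
2011-12-19T09:07:19 carol 10.0.0.7 GET http://games.example.org/play 403 0 blocked gaming
2011-12-19T09:08:55 carol 10.0.0.7 GET http://games.example.org/play 403 0 blocked gaming
2011-12-19T10:01:03 alice 10.0.0.5 GET http://invoice-update.example/login 403 0 blocked malware
2011-12-19T10:01:41 bob 10.0.0.6 GET http://invoice-update.example/login 403 0 blocked malware
2011-12-19T10:02:12 carol 10.0.0.7 GET http://invoice-update.example/login 403 0 blocked malware
2011-12-19T10:02:50 dave 10.0.0.8 GET http://invoice-update.example/login 403 0 blocked malware
"""

# Assumed thresholds: blocked malicious requests in one hour, and distinct users
# reaching the same malicious site, that should trigger an investigation.
MALWARE_SPIKE_PER_HOUR = 3
CAMPAIGN_MIN_USERS = 3


def parse_line(line: str) -> dict:
    """Split one log line into named fields."""
    ts, user, client, method, url, status, nbytes, action, category = line.split()
    return {"hour": ts[:13], "user": user, "client": client, "method": method,
            "site": urlparse(url).hostname, "status": int(status),
            "bytes": int(nbytes), "action": action, "category": category}


def analyse(log_text: str) -> dict:
    """Build the four views the post lists: usage, policy adherence, bandwidth, threats."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    hits_by_site, bytes_by_user, bytes_by_site = Counter(), Counter(), Counter()
    breaches_by_user = defaultdict(Counter)
    malware_by_hour = Counter()
    users_per_malware_site = defaultdict(set)
    for r in records:
        hits_by_site[r["site"]] += 1
        bytes_by_user[r["user"]] += r["bytes"]
        bytes_by_site[r["site"]] += r["bytes"]
        if r["action"] == "blocked":
            breaches_by_user[r["user"]][r["category"]] += 1
        if r["category"] == "malware":
            malware_by_hour[r["hour"]] += 1
            users_per_malware_site[r["site"]].add(r["user"])
    return {
        # 1. Usage: which sites are requested most.
        "top_sites": hits_by_site.most_common(3),
        # 2. Policy adherence: blocked attempts per user, by policy category.
        "policy_breaches": {u: dict(c) for u, c in breaches_by_user.items()},
        # 3. Bandwidth: who and what consumes it.
        "top_bandwidth_users": bytes_by_user.most_common(3),
        "top_bandwidth_sites": bytes_by_site.most_common(3),
        # 4. Threats: a burst of malicious-site hits in one hour, and one bad site
        #    reached by many users, the signature of a phishing mail the spam filter missed.
        "malware_spike_hours": sorted(
            h for h, n in malware_by_hour.items() if n >= MALWARE_SPIKE_PER_HOUR),
        "suspected_campaign_sites": sorted(
            s for s, users in users_per_malware_site.items() if len(users) >= CAMPAIGN_MIN_USERS),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```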

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd and edited by Wiz Feinberg. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more about why you need to monitor internet usage.

December 31, 2010

Happy New Year 2011!

I want to wish all of my friends and readers a happy, safe and prosperous New Year and hope for all the best for all of us in 2011. Whatever you do, do it well. People appreciate those who try hard. I believe good efforts will be rewarded, so do good deeds and keep a positive outlook for the future.

I have security stuff that I'll be writing about on Sunday, but for now, it's time to relax, reflect and refill!

Happy New Year Y'all! I'll be back in 2011!


July 25, 2010

Discount codes for laptop, PDA, cellphone, digital camera & mp3 player batteries

This is a short post to let people who need replacement batteries for digital devices know that I have posted discount-encoded links for them on my laptop parts page. The discounts apply to batteries for laptop computers, PDAs, cellphones, digital cameras and mp3 players, plus AC adapters for laptops. If you are planning to replace old or failed batteries, or a broken AC adapter, now is your chance to do it and save some moolah.

The coupon code savings range from 5% to 10% and are good until the end of business on September 30, 2010 (PST). This is also where I buy my own replacement laptop batteries and AC power adapters and I have no complaints yet.

Use my coupon code encoded links on my laptop parts page, to save on batteries and power adapters.


March 17, 2010

Twitter widget creates a blog within a blog, with short posts

I recently became a member of the online service known as Twitter. Ok, you all know about Twitter and are already members for a couple of years. I am the last one in, so what?

I like Twitter because of its limitations. One is only allowed to post messages, known as Tweets, of no more than 140 characters. This includes spaces and punctuation marks. You really have to be able to think small to say anything meaningful in no more than 140 keystrokes. Try to add a hyperlink and you can easily go over the limit. Twitter just cuts off anything past the 140th character and posts the first 140 keystrokes.

Twitter Tweets can be placed from computers, or cellphones equipped with web access plans and mobile web browsers, or email readers. Tweets are done in text only, with no graphics other than the author's uploaded photo (for now). They post fast and display fast, on computer monitors and cellphones alike. Some cellphones let their users set a special ringtone for incoming text messages, or email notices about new Twitter messages and followers.

I have taken a liking to Tweeting, because it makes me think small. I tend to ramble on in some of my blog postings, giving you all as much information as possible, as though I'm getting paid for my thoughts. I wish! I make squat from this blog! Still, I publish my alerts, reports and updates about spam and malware issues and solutions, in the hopes that they will help some of you avoid falling victim to the scams and attacks launched against you in spam emails, browser and plug-in vulnerability attacks and attacks on your shared hosting websites or dedicated servers.

While my blog articles are like short novels in some cases, Twitter Tweets are like news bulletins over a wire service. They're like telegrams, START using few wrds to imprt important msgs, w/abbreviations everywhere STOP. After joining Twitter I discovered that they offer website "widgets" to display one's public Tweets on a web page. If you look at the right sidebar of this blog you will find my Twitter Widget. It contains a lot of my Tweets and a scrollbar on the right edge, to scroll through them. I am using this widget and my 140 maximum character posts to get information out to you, in the most concise and reduced fashion. Please take a few minutes to read these Tweets before you move on to other places. You may find something of great importance to you.

Many of my Tweets contain links to full articles; some posted here, some elsewhere. I shorten the links using TinyUrl, or place them in plain text. There are no hostile links in my Tweets. Some lead to articles I have previously posted on my blog over the past several years. Using a link in a Tweet to a blog article I posted three years ago will save you a lot of time searching for it by keywords (in my blog's search box).

Most of my Tweets are currently dealing with malware threats, vulnerability alerts, Botnet activity, spam issues and some SEO matters. I hope you find them useful. If you are a member of Twitter you can "follow" me and get my Tweets in your Twitter account, in the "Home" section. Twitter members can also reply to my posts, or re-tweet them. All I ask is if you quote me, do it accurately, not out of context.

You will also see me replying to, or referring to, others in the security or SEO fields. Use the links in my posts to their Twitter profiles to see their posts and follow them also. There are some major players in these groups and more coming in all the time. It helps us all to coordinate our findings and research, on a small scale per Tweet.


March 5, 2009

Call for donations from my blocklist users

Many of my regular visitors to this website (www.wizcrafts.net/) are aware of the fact that I maintain and publish, for free, various IP address blocklists. In fact, a lot of you are using one or more of these lists to protect your websites and forums from scammers, spammers, content thieves and exploits. If you are benefiting from using my blocklists I could sure use your help, in the form of PayPal Donations, in any amount you can afford.

All of the blocklists come in two forms: Apache .htaccess and Linux iptables. I'll discuss the differences later in this article. Note that there is no real difference between a "blocklist" and a "blacklist" and while some people interchange them, blocklist is the correct technical term for IP and "host name" lists used to block access to a web server. Also, my IP blocklists are specifically formatted for use on Linux or Unix (or equivalent) operating systems and Apache web servers. The Apache web server is totally free and is the most widely deployed web server on the Internet.

It is my understanding that websites hosted on Windows IIS Servers can import the IP ranges into a special IIS configuration file, possibly only line by line, but I don't know the details. Ask your web host or server administrator if they can convert long .htaccess or iptables blocklists into Windows IIS format.

My earliest and most famous blocklist is the Nigerian Blocklist, which I began compiling during the summer of 2005. It came about as the result of me being a member of a specialty interest group buy and sell forum that was invaded by Nigerian 419 scammers. Soon there were wholesale reports of multiple daily scam messages being received by sellers on that forum. I asked the owner a few technical questions about the server and proceeded to begin compiling a flow of forwarded-as-attachments scam emails from the members, which contained the originating IP addresses of the scammers, in the headers. I researched each address to trace the ISP to which that IP was assigned and then discovered the full CIDR assigned to them. These IP CIDRs were accumulated into what soon became the Nigerian Blocklist, for use as a .htaccess file, on the forum's Apache-based server.

Today, about three and a half years later, webmasters around the World apply my Nigerian Blocklist to their .htaccess file, or iptables firewalls, keeping Nigerian and other African 419 scammers from conning their members out of their money and sometimes goods, as well. Many of these scams targeting sellers involved overpayment with a counterfeit cashiers' check, or Postal Money Order, with the seller refunding the difference by Western Union. It wasn't usually until two weeks had passed that the banks began notifying victims that they had deposited counterfeit checks and the victims were responsible for repaying the full amount to their bank. Yes, it really can take that long to find out if a cashiers' check is counterfeit, or drawn on a closed account.
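As an added example (not the Wizcrafts blocklists themselves or any code from the post), here is how a list of IP CIDR ranges is turned into the two formats mentioned above, Apache .htaccess (2.2-era Order/Deny syntax) and Linux iptables, after collapsing overlapping and adjacent ranges, plus a lookup that tests whether a connecting address falls inside the list. The CIDRs are RFC 5737 documentation ranges, not real scammer netblocks, and the iptables chain name is an assumption.

```python
import ipaddress
from typing import Iterable, List

# Constructed input: documentation ranges only, chosen to show the collapsing.
SAMPLE_CIDRS = [
    "192.0.2.0/25",
    "192.0.2.128/25",    # adjacent to the one above; the pair becomes 192.0.2.0/24
    "198.51.100.0/24",
    "198.51.100.64/26",  # already inside the /24; collapses away
    "203.0.113.77/32",   # a single host
]


def collapse(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent ranges so the list stays short and fast to match."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def to_htaccess(nets: List[ipaddress.IPv4Network]) -> str:
    """Apache 2.2-style access control: deny the listed ranges, allow everyone else."""
    lines = ["order allow,deny"]
    for n in nets:
        # A /32 is written as a bare address; larger ranges as CIDR, which Apache accepts.
        lines.append(f"deny from {n.network_address if n.prefixlen == 32 else n}")
    lines.append("allow from all")
    return "\n".join(lines) + "\n"


def to_iptables(nets: List[ipaddress.IPv4Network], chain: str = "INPUT") -> str:
    """One DROP rule per range, in the form a shell script would feed to iptables."""
    return "".join(f"iptables -A {chain} -s {n} -j DROP\n" for n in nets)


def is_blocked(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """Check whether a connecting address falls inside any listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = collapse(SAMPLE_CIDRS)
    print(to_htaccess(nets))
    print(to_iptables(nets))
    print(is_blocked("198.51.100.200", nets), is_blocked("192.0.3.1", nets))
```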

Not to be sidetracked from the purpose of this article, I invest a lot of time creating and maintaining my blocklists and many of you may be using one or more of them, right now. To this date I haven't charged a cent for their use, or restricted them to protected directories. I feel that I am providing a useful service to you folks and the security of the Internet in general, in my own small way. But, now I have fallen on particularly hard times and am reaching out to any of the people using my blocklists to protect their assets and members from scammers, spammers, content thieves, hackers and exploiters, and who can afford to donate, to please do so. I have a payments page on my website, with a PayPal Donations button near the top. There is also a Donations button on my Blog's Home page, in the right sidebar. Finally, there are donation buttons placed twice on each html blocklist page and a text link to the payments page on my iptables blocklists. Some are already donating when they can afford to and I always send them my sincere thanks upon receipt. I appreciate all donations, whether small or large.


July 19, 2007

Happy Birthday to Me!

Today is my 59th birthday and I want you all to have a beer on me! Bottoms Up! Had I known I was going to live this long I would have taken better care of myself! Not really ;-)


April 20, 2007

I have joined Technorati and finally claimed my blog

After several failed attempts to claim my blog as a new Technorati member I finally grokked the solution, applied it to my server, and claimed my blog officially! If you are a Technorati member and use Movable Type, or a similar self-installed blog, and are having trouble getting the Technorati spider to recognize and claim your blog, and your website is hosted on an Apache based server, and you are able to upload files to your server via an FTP client, read on for my solution.

I went through several failed attempts before I figured out what the problem was. Like many other bloggers who install their own blog, I installed mine to a sub-directory off the web root, not to a sub-domain. My index page is named index.html and is in that sub-directory. The path to the blog, exemplified, is: http://www.examplified-domain.com/blog

This path is not a problem for any of the search bots, as they all index my posts without a hitch. All except the Technorati spider used to "claim" a blog. After reading the access logs over and over I finally figured out that the spider was having a problem because of the way my server was redirecting the request for the index page, and because of the way Technorati strips out all information appended to the end of the path you give it in your profile. E.g. if you try to tell Technorati that your blog's index is at http://www.examplified-domain.com/blog/index.html, it will strip out the last forward slash and the name of the index file, leaving this as its search: http://www.examplified-domain.com/blog . Your server, if it is set up like mine, will append a trailing slash to that requested URI, then redirect it to the index.html file, without revealing that file name. The stupid spider thinks that it is anywhere but where you told it to go and your claim fails!

Here is what I did to help the Technorati spider get it right. Using notepad, or any other plain text or html editor, create a new plain text file with the following contents:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
# Act only on a request for /blog or /blog/ (what is left after Technorati strips the file name)
RewriteCond %{REQUEST_URI} ^/(blog|blog/)$
# Never rewrite a request for the index file itself, so the redirect cannot loop
RewriteCond %{REQUEST_URI} !^/blog/index\.html$
# Answer with a permanent (301) redirect naming the index file explicitly
RewriteRule (.*) /blog/index.html [R=301,L]

Note that the $ are dollar signs, using the shift key and the number 4 key on a standard keyboard.

Now save this file with the filename " .htaccess ". If you cannot save it with that name, save as htaccess.txt instead and rename it on the server. Next, upload the file to your server, to the directory where your blog index file resides. If you had to change the name, rename it on the server, to .htaccess . Your eyes are not deceiving you. There is no prefix, just a period, followed by htaccess. This is a special server control file used by Apache servers. If you use FTP software to upload and download files to the server, you may have to set the remote "file mask" to -al to view this normally hidden server control file, after uploading it.

With this .htaccess file in the same directory as the blog's index file go back to Technorati, login, and begin the claim process again. If you did everything the same way I did you should succeed in Claiming your Blog!

I hope this helps somebody else, as from what I have been reading, Technorati is not able to help a lot of people who use Movable Type blogs on their servers.

Good luck MT bloggers!
Wiz Feinberg
http://www.wizcrafts.net/


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.