Google Will Get Tougher On Websites Not Using HTTPS

Google is poised to make an important change to its Chrome browser beginning in July 2018.

Here’s the summary from Emily Schechter, the Google Chrome Security Product Manager:

“For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption, and within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as ‘not secure.’  Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as ‘not secure.’”

All the major browsers already have plug-ins that alert users whenever they visit a non-secure (HTTP) website, but Google’s move will likely prompt the other browser vendors to build the warning into their core products as well.

According to Google’s statistics, 81 of the top 100 sites (as ranked by traffic volume) already default to HTTPS.  Google also reports that over 68 percent of Chrome traffic on Android and Windows, and over 78 percent on Chrome OS and Mac, is now served over HTTPS.  Those figures are markedly higher than in 2010, when an estimated 40 percent of websites used SSL (the predecessor of today’s TLS).

If your company’s website hasn’t already made the switch, the time to do so is now.  The writing is clearly on the wall: Google has treated HTTPS as a (lightweight) ranking signal since 2014, and once Chrome starts “shaming” non-secure sites it is not hard to imagine that weight increasing.  Even if it doesn’t, the persistent “Not secure” label will be enough to keep many users away, so it doesn’t matter how well optimized or SEO-friendly your site is if a growing share of visitors simply leave when they see the warning.  Remember, too, that the lock icon only appears when every script, stylesheet and image on the page is loaded over HTTPS as well, so the migration has to cover embedded resources, not just the page itself.
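A site that flips to HTTPS but keeps absolute http:// references in its HTML ends up with mixed content: scripts and stylesheets are blocked outright, images quietly cost the page its lock icon, and http:// form actions and links send visitors straight back to plain HTTP.  The scanner below is an added example, not code from the article or from Google; it walks one page’s HTML and lists every such reference.  The page URL and the HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that fetch a resource. Browsers refuse to load the
# "blockable" kind over http:// from an https:// page and only downgrade the
# lock icon for the "optionally-blockable" kind (images, audio, video).
BLOCKABLE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
OPTIONALLY_BLOCKABLE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect absolute http:// references from a page that will be served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, resolved_url)

    def _check(self, category, tag, value):
        # Relative and protocol-relative ("//cdn/...") URLs inherit the page's
        # scheme, so only an explicit http:// survives resolution.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((category, tag, resolved))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if value is None:
                continue
            if (tag, name) in BLOCKABLE:
                self._check("blockable", tag, value)
            elif (tag, name) in OPTIONALLY_BLOCKABLE:
                self._check("optionally-blockable", tag, value)
        # <link> fetches a resource only for some rel values; canonical/alternate are metadata.
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and attrs.get("href") and {"stylesheet", "preload", "import"} & set(rel):
            self._check("blockable", tag, attrs["href"])
        # A form posting to http:// exposes the submitted fields even on an https:// page.
        if tag == "form" and attrs.get("action"):
            self._check("form", tag, attrs["action"])
        # Plain links are not mixed content, but they steer visitors back to the http:// site.
        if tag == "a" and attrs.get("href"):
            self._check("navigation", tag, attrs["href"])


def scan(page_url, html):
    """Return [(category, tag, url), ...] for every http:// reference in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: what a half-migrated site typically looks like.
PAGE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="/static/hero.png">
<form action="http://www.example.com/login" method="post"></form>
<a href="http://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for category, tag, url in scan(PAGE_URL, SAMPLE_HTML):
        print(f"{category:21} <{tag}> {url}")
```

Run it against each page of the site (or feed it the HTML your CMS renders) and fix the “blockable” findings first; the protocol-relative script and the relative image in the sample are deliberately left alone, because they already follow the page’s scheme.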

IRS Labeled Email Could Contain Ransomware

There’s a new strain of the “Rapid” ransomware making the rounds, and because of how it’s being delivered, it is likely to see a higher than average rate of infection.  The new strain was first spotted by Derek Knight.  It is disturbing because it claims to come from the IRS, using subject lines such as “IRS Urgent Message-164.”

The body of the email says that the recipient owes some amount of money in real estate taxes and “helpfully” includes instructions for settling up in the attached file.  Inside the zipped attachment is a Word document carrying a malicious macro.  The document asks you to click through the “Enable Editing” and “Enable Content” prompts, and the moment the macro is allowed to run, you’re doomed.  “Rapid” scans the computer for data files and encrypts them, appending the “.rapid” extension to each.

As soon as the malware finishes encrypting your files, it opens “Recovery.txt,” which explains how much you’ll have to pay the attackers to get your files back.  Unlike many ransomware strains, which delete themselves once the encryption is done, this one configures itself to start every time you log in to the computer, so if you pay the ransom to get your files back but fail to completely remove the malware, you’ll face the same problem the very next time you use the machine.
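When a Rapid infection is suspected, the first thing a responder needs is scope: which files were encrypted, where the ransom notes landed, and what the encrypted files originally were.  The sweep below is an added example, not code from the article or from any vendor.  It uses the two indicators the text describes (the appended “.rapid” extension and the “Recovery.txt” note) and builds a small sample tree in a temporary directory as constructed input.  The login-time persistence mentioned above lives in the Windows registry and is not covered here.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from the write-up: encrypted files gain a ".rapid" extension and a
# "Recovery.txt" ransom note is dropped alongside them.
RANSOM_EXTENSIONS = {".rapid"}
RANSOM_NOTE_NAMES = {"recovery.txt"}


def sweep(root):
    """Walk root and report what was encrypted, where, and what the files originally were."""
    root = Path(root)
    ext_counts = Counter()
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        ext_counts[suffix] += 1
        if suffix in RANSOM_EXTENSIONS:
            encrypted.append(path)
        elif path.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(path)

    def rel(path):
        return path.relative_to(root).as_posix()

    total = sum(ext_counts.values())
    return {
        "total_files": total,
        "encrypted": sorted(rel(p) for p in encrypted),
        # Rapid appends its extension to the original name, so stripping one
        # suffix recovers what the file was (report.docx.rapid -> report.docx).
        "original_names": sorted(p.with_suffix("").name for p in encrypted),
        "notes": sorted(rel(p) for p in notes),
        "directories_hit": sorted({rel(p.parent) for p in encrypted}),
        "encrypted_ratio": round(len(encrypted) / total, 3) if total else 0.0,
        "infected": bool(encrypted or notes),
    }


def build_sample_tree(base):
    """Constructed sample: two folders hit by the ransomware, one untouched."""
    files = {
        "docs/report.docx.rapid": b"\x00encrypted",
        "docs/budget.xlsx.rapid": b"\x00encrypted",
        "docs/Recovery.txt": b"Your files are encrypted. Pay to recover.",
        "docs/notes.txt": b"still plaintext",
        "photos/holiday.jpg.rapid": b"\x00encrypted",
        "photos/Recovery.txt": b"Your files are encrypted. Pay to recover.",
        "bin/tool.exe": b"MZ",
    }
    for name, data in files.items():
        target = Path(base) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Build the sample tree in a temp directory, sweep it and return the summary."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return sweep(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `sweep()` at a mounted image or a file share and the “directories_hit” and “original_names” lists tell you which data and which business units were affected before anyone decides whether to restore from backup or negotiate.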

Observant users will note that the sender’s address is not a .gov domain and are unlikely to be taken in (though the From header can be spoofed, so a .gov address alone is not proof of legitimacy either).  Unfortunately, many people look no further than the subject line and immediately follow the instructions in the email, which is exactly the reaction the attackers are counting on.

As ever, protecting yourself from threats like these comes down to two things:  education and vigilance, backed by mail filtering that quarantines macro-bearing attachments and an Office policy that blocks macros in documents that arrived from the internet.

40 Percent Of All Login Attempts Are From Bots

Here’s a statistic that is as disturbing as it is frustrating.  According to Akamai’s “State of the Internet / Security” report for the fourth quarter of 2017, bot traffic accounts for a staggering 43 percent of all login attempts.  Bad as that figure is on its face, it’s far worse for the hospitality industry, where the figure is an almost unbelievable 82 percent.

The reason?  Attackers are increasingly using bots to perform “credential stuffing” attacks: replaying username and password pairs leaked in earlier breaches against other sites’ login forms, on the safe assumption that many people reuse passwords.

Although human traffic still dominates the web, bot traffic is rapidly catching up.  By Akamai’s estimate, bot traffic accounts for 30 percent of the total (not counting streaming video), and that share grows every year.  Even though bots are still a minority in absolute terms, some industries already see more bot traffic than human traffic.

Ticketmaster is a good example.  The web’s best-known site for buying concert tickets online is at times almost unusable by humans, because so much of its traffic is bot-driven, with bots buying up every available ticket the moment it goes on sale so that it can be resold later at a hefty premium.

Akamai’s Martin McKeay had this to say about the report: “Increased automation and data mining have caused a massive flood of bot traffic to impact websites and internet services.  Although most of that traffic is useful for internet businesses, cyber-criminals are looking to manipulate the powerful volume of bots for nefarious gains. Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots.  Not all web traffic and not all bots are created equal.”

These are wise words, and they bear some consideration.  How much of the traffic coming to your business website on any given day is human, and how much of the rest is trying to log in?
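Credential stuffing has a distinctive shape in authentication logs: one source tries many different usernames, each once or twice, and almost all of the attempts fail.  The detector below is an added example (not from Akamai’s report or the article) that runs that heuristic over a few constructed log lines in an assumed `ts ip=… user=… result=ok|fail` format.  It also lists the accounts the suspect source did get into, since those are the ones that need a forced password reset.

```python
import re
from collections import defaultdict

# Assumed log format for this example (one authentication event per line).
EVENT = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_events(lines):
    for line in lines:
        match = EVENT.match(line.strip())
        if match:
            yield match.groupdict()


def find_stuffing_sources(lines, min_distinct_users=5, max_success_rate=0.2):
    """Return {ip: stats} for sources that spray many usernames with few successes.

    A single user fat-fingering a password fails repeatedly but touches one
    account; an office NAT touches many accounts but mostly succeeds. Only a
    source that is both broad and mostly failing looks like a stuffing bot.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ev in parse_events(lines):
        stats = per_ip[ev["ip"]]
        stats["users"].add(ev["user"])
        stats["attempts"] += 1
        stats["ok"] += ev["result"] == "ok"
    suspects = {}
    for ip, stats in per_ip.items():
        rate = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and rate <= max_success_rate:
            suspects[ip] = {"distinct_users": len(stats["users"]),
                            "attempts": stats["attempts"], "success_rate": round(rate, 3)}
    return suspects


def compromised_accounts(lines, **thresholds):
    """Usernames that logged in successfully from a suspect source: reset these first."""
    suspects = find_stuffing_sources(lines, **thresholds)
    return {ev["user"] for ev in parse_events(lines)
            if ev["ip"] in suspects and ev["result"] == "ok"}


# Constructed sample log: a stuffing bot, one clumsy user, and an office NAT.
BOT_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
             "ivan", "judy", "mallory", "oscar"]
SAMPLE_LOG = (
    [f"2018-03-01T09:00:{i:02d}Z ip=198.51.100.9 user={u} result={'ok' if u == 'dave' else 'fail'}"
     for i, u in enumerate(BOT_USERS)]
    + [f"2018-03-01T09:05:{i:02d}Z ip=203.0.113.7 user=bob result={r}"
       for i, r in enumerate(["fail", "fail", "fail", "ok"])]
    + [f"2018-03-01T09:10:{i:02d}Z ip=192.0.2.50 user={u} result=ok"
       for i, u in enumerate(["alice", "carol", "erin", "grace", "ivan", "judy"])]
)

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

In production the same counters should be kept per time window and per source network rather than per single address, since stuffing tools rotate through proxy pools; the thresholds are starting points to tune against your own baseline.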

New Apple Update Available for Character Bug Solution

Recently, another “exotic character” bug was found in iOS.  If someone sends a particular sequence of characters from the Telugu script (one of the Indian languages) to your phone via any messaging app, it will not only crash your phone but also leave a variety of messaging apps unable to open until the offending message is removed.

When the bug was initially reported, Apple treated it as a relatively low-priority item and announced a plan to fix it in iOS 11.3 later this spring.  The company’s loyal user base, however, had other ideas.  Faced with a growing chorus of demands for a more immediate fix, Apple folded it into the 11.2.6 release, which is now available.

If you’re set up to receive OS updates automatically, there’s nothing for you to do, and once the update is installed the crash can no longer be triggered.  If, on the other hand, you are in the habit of applying OS updates manually, this is one you won’t want to miss.  The odds of someone sending you the character are low, but there’s nothing to be gained by leaving a remotely triggerable crash unpatched on your device.

Long-time users of Apple’s products will recognize a trend here.  This is hardly the first time an exotic character or other unusual input has crashed iOS.  Just last month, there was a similar (though less serious) issue with another special character.  Last year, it was discovered that a specially crafted URL could crash any device running iOS, and not long after that, a five-second video went viral that would crash any iOS device that played it.

In any case, the user base spoke and Apple listened.  Grab the latest update and you won’t have anything to worry about.  At least until the next unusual crash bug is discovered.

Android Ransomware Infections Declined in 2017

Android users have a reason to cheer.  According to ESET’s latest report, the number of ransomware attacks targeting Android devices declined in 2017.  The decline is something of an anomaly, given that ransomware was 2017’s most common type of malware attack by a wide margin.  Since security researchers can’t point to a particular reason for the decline, it’s important not to read too much into the data.  Declining figures or not, ransomware played a prominent role in last year’s threat landscape across the whole spectrum of devices, and this year is shaping up to be no different.

Among Android ransomware, several old standbys were still in frequent use, including both Charger and SimpleLocker.  The most prominent newcomer in 2017 was DoubleLocker, first seen in the wild last October.  It was the first Android ransomware to misuse the Accessibility service (a legitimate feature meant to help users with disabilities, rather than a vulnerability as such) to grant itself device administrator rights, after which it both changes the device PIN and encrypts the user’s files, hence the name.

Interestingly, Android banking Trojans have been abusing the Accessibility service for years.  It’s not immediately clear why ransomware authors didn’t pick up the same technique until DoubleLocker appeared.  Now that it’s on the scene, expect an increasing number of similar attacks.

In any case, given that ransomware is poised to dominate the threat landscape in 2018, all users would do well to stay on their guard.  The slight decline in ransomware attacks against Android users, while welcome, is probably going to be short-lived.  If there’s one thing you can be sure of, it is that 2018 will be another record-breaking year for attacks.

Google Calls Out Microsoft For Security Issue

Depending on who you ask, Google’s Project Zero is either the thing that’s going to singlehandedly save the internet, or the bane of many companies’ existence.  It’s easy to see both sides of the argument.

On one hand, by uncovering previously undiscovered bugs in all manner of software and handing that information over to the authors, Google is undeniably performing a valued public service.  The problem has never been with the “carrot” side of the equation, always with the stick.

The stick is this:  Google gives each vendor 90 days to ship a fix.  If the deadline passes without one, Google publishes its bug report, typically along with the proof-of-concept it sent the vendor, which of course means that attackers everywhere now have the details of an unpatched flaw to work from.

This approach often accomplishes what contacting the vendor privately does not.  Once the bug becomes common knowledge, the company in question is essentially forced to fix the problem, thus making the internet safer.

It should be noted that Google does allow exceptions to the 90-day rule.  If a vendor has a fix scheduled to ship shortly after the deadline, Project Zero grants a 14-day grace period rather than disclosing on day 90.  Conversely, if a bug is already being exploited in the wild, the deadline shrinks to 7 days, on the reasoning that defenders at every affected company need the details far more urgently than the attackers do.

More than 90 days ago, the Project Zero team reported a pair of security flaws to Microsoft:  one in the Edge browser and the other in Windows 10.  One of the two got fixed in time.  The other did not, and Google published it.

Needless to say, Microsoft is not pleased, and it has hit back at Google over such behavior in the past.  It scored a PR victory last year when Microsoft engineers discovered a flaw in Google’s Chrome browser, reported it to Google privately so it could be fixed, and then pointed to their more restrained approach after the fact.

It will be interesting to see what Microsoft does in this instance.

RottenSys Malware Has Infected 5M Android Devices Since 2016

There’s a new threat on the horizon, according to security researchers at Check Point.  A group of hackers in China is busy building a massive botnet that so far totals almost five million Android smartphones.  They are quietly taking control of these devices using a strain of malware known as “RottenSys.”

While the malware is flexible and can be adapted to any number of purposes, in its present incarnation, it’s being used to display copious numbers of advertisements. This generates a healthy revenue stream for the hackers, but that could be just the beginning.  The researchers have found evidence that the hackers are gearing up for a campaign that could be much more far-reaching and damaging.  According to Check Point: “This botnet will have extensive capabilities, including silently installing additional apps and UI automation.”

RottenSys is fairly new to the malware ecosystem, first appearing in September 2016. So far, the hackers have spent most of their time simply spreading their creation to more devices.  At current count, the number of infected Android phones stands at 4,964,460, and it grows by the day.

It wasn’t until last month that RottenSys got an update that gave its owners the ability to take direct control of all the devices.  Prior to that, they were happy to simply rake in ad revenue, which is estimated to exceed $350,000 a month.

Currently, the malware hasn’t spread beyond the confines of China, but that could easily change as the hackers seek to add an increasing number of devices to their already massive botnet.

What makes RottenSys notable is how many devices it reached in so short a time.  Part of the explanation is the code it’s built on, which includes both “Small” (an open-source virtualization framework that lets it load its payload components as plugins) and “MarsDaemon,” a library that keeps apps “undead,” so the malware’s processes keep running even after users close them.  That makes the ad injection very hard for a user to switch off.  Check Point also traced a large share of the infected devices to a single handset distributor’s supply chain, meaning the malware was already on many phones before they were sold.

Only time will tell what the hackers have planned, but it can’t be anything good. They’ll have a formidable botnet to do damage with. Stay tuned.

Remote Desktop Flaw Affects Every Windows Version

Researchers at Preempt Security recently disclosed a critical flaw in Microsoft’s Credential Security Support Provider protocol (CredSSP for short), which every supported version of Windows uses for Remote Desktop (RDP) and Windows Remote Management (WinRM) logins.  It could allow an attacker to hijack a Remote Desktop session, execute code on the remote machine and access any data stored on it.

The flaw, logged as CVE-2018-0886, requires the attacker to hold a man-in-the-middle position on the network (for example on the same Wi-Fi or wired segment, using ARP spoofing or a similar technique).  From there, the attacker can relay the victim’s CredSSP authentication to a target server and use it to execute commands remotely through Remote Procedure Calls.

Yaron Zinar, a lead researcher at Preempt, had this to say about the flaw:

“An attacker which has stolen a session from a user with sufficient privileges could run different commands with local admin privileges.  This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.  This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers.”

This is a big deal because Remote Desktop is hands-down the most popular means of performing remote logins to Windows machines.  Businesses of all shapes and sizes use RDP for a variety of purposes, and they remain vulnerable until the flaw is patched on both ends of every connection.

Microsoft released a fix for the issue as part of its March 2018 Patch Tuesday, but security professionals close to the issue warned that simply applying the patch is not enough to provide protection.  The update adds the fixed protocol but, for compatibility, leaves the new “Encryption Oracle Remediation” Group Policy setting (under Computer Configuration > Administrative Templates > System > Credentials Delegation) in its “Vulnerable” mode, in which clients still fall back to the old, exploitable exchange.  Once every client and server in the environment is patched, the policy has to be moved to “Mitigated” or “Force Updated Clients” for the fix to actually take effect.  The documentation surrounding the issue also reiterates the usual advice to limit the use of privileged accounts as much as possible and to use non-privileged accounts wherever you can.
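The awkward part of this fix is sequencing: a patched client set to refuse the old exchange cannot connect to an unpatched server at all (the symptom is the “The function requested is not supported” authentication error), while a client left in the compatibility mode is still exposed to the downgrade.  The script below is an added example, not Microsoft’s code or the article’s.  It encodes the interoperability rules from Microsoft’s guidance for the update, using the documented `AllowEncryptionOracle` registry values (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable), and runs them over a constructed list of hosts to show which connections would break and which would remain exposed.

```python
from enum import Enum


class CredSSP(Enum):
    """State of a host with respect to the CVE-2018-0886 update."""
    UNPATCHED = "unpatched"          # March 2018 (or later) update not installed
    FORCE_UPDATED_CLIENTS = 0        # AllowEncryptionOracle = 0
    MITIGATED = 1                    # AllowEncryptionOracle = 1
    VULNERABLE = 2                   # AllowEncryptionOracle = 2


def from_registry_value(value, default):
    """Map HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\CredSSP\\Parameters
    \\AllowEncryptionOracle to a policy.

    The value is absent unless set by policy, and what 'absent' means depends on
    which update is installed (Vulnerable after the March 2018 update, Mitigated
    after the May 2018 one), so the caller supplies that default.
    """
    if value is None:
        return default
    return CredSSP(value)


def refuses_fallback(client):
    """Patched clients in Mitigated or Force mode never fall back to the old exchange."""
    return client in (CredSSP.FORCE_UPDATED_CLIENTS, CredSSP.MITIGATED)


def connection_allowed(client, server):
    """Whether a CredSSP (RDP/WinRM) session between the two states can be established."""
    if refuses_fallback(client) and server is CredSSP.UNPATCHED:
        return False  # client insists on the fixed protocol; server cannot speak it
    if server is CredSSP.FORCE_UPDATED_CLIENTS and client is CredSSP.UNPATCHED:
        return False  # server rejects clients that cannot speak the fixed protocol
    return True


def session_protected(client, server):
    """Whether an established session resists the man-in-the-middle downgrade.

    The attack works by downgrading the client, so protection depends on the
    client refusing fallback; an unpatched or Vulnerable-mode client stays
    exposed no matter how the server is configured.
    """
    return connection_allowed(client, server) and refuses_fallback(client)


def rollout_report(clients, servers):
    """For {host: CredSSP} maps, list client/server pairs that break or stay exposed."""
    blocked, exposed = [], []
    for client, client_state in clients.items():
        for server, server_state in servers.items():
            if not connection_allowed(client_state, server_state):
                blocked.append((client, server))
            elif not session_protected(client_state, server_state):
                exposed.append((client, server))
    return {"blocked": sorted(blocked), "exposed": sorted(exposed)}


# Constructed fleet, mid-rollout.
CLIENTS = {
    "admin-ws": CredSSP.FORCE_UPDATED_CLIENTS,
    "helpdesk-ws": from_registry_value(None, default=CredSSP.MITIGATED),  # May update, no policy set
    "legacy-ws": CredSSP.UNPATCHED,
}
SERVERS = {
    "dc01": CredSSP.MITIGATED,
    "fs01": CredSSP.UNPATCHED,
}

if __name__ == "__main__":
    report = rollout_report(CLIENTS, SERVERS)
    print("will be blocked:", report["blocked"])
    print("still exposed:  ", report["exposed"])
```

The order that follows from the rules is the one Microsoft recommends: patch the servers first (a Mitigated server still accepts old clients, so nothing breaks), then patch the clients and move them to Mitigated, and only switch servers to Force Updated Clients once no unpatched client remains.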

The March 2018 patch release was a hefty one, and included patches for a number of products including ChakraCore, PowerShell Core, Microsoft Office, Windows itself, and both the Edge browser and Internet Explorer.

Another Google Service Is Going Away

If you are a fan of, and regularly use, goo.gl (Google’s URL shortener service), brace for impact.  The company has announced that it is winding the service down:  beginning April 13, 2018, anonymous users and users who have never created a short link will no longer be able to create new ones, and on March 30, 2019, the goo.gl console and API shut down for good.  Existing goo.gl links will keep redirecting to their destinations after that date; what goes away is the ability to create or manage them.

The company had this to say about the recent announcement:

“The URL Shortener has been a great tool that we’ve been proud to have built.  As we look towards the future, we’re excited about the possibilities of Firebase Dynamic Links, particularly when it comes to dynamic platform detection and links that survive the app installation process….FDLs are smart URLs that allow you to send existing and potential users to any location within an iOS, Android or web app.”

Fortunately, we’re not so much losing a service as seeing one swapped out for something arguably more capable.  It is worth mentioning, though, that Google has no plans to auto-migrate goo.gl links to Firebase Dynamic Links.  If you opt to use the new system, you’ll have to export your short links and then import them into Firebase manually.

Given this, it’s expected that at least some percentage of goo.gl users will simply opt to shift to other URL shortening services such as Bit.ly or Ow.ly.

Although Google is not ending the service to make life more difficult for hackers and spammers, that’s one of the unintended consequences of the move:  both spammers and malware authors regularly use goo.gl to hide the real destination of a link.  Sadly, legions of marketing departments and other legitimate users do too, and many aren’t thrilled that, although Google is offering an ostensibly better and more robust alternative, it isn’t offering any means of automatic migration to the new platform.

MyFitnessPal User Information Data Breach Affects 150 Million

Another week, another high-profile data breach.  This time, it’s Under Armour in the hot seat.  Under Armour acquired the MyFitnessPal app back in February 2015, and the company recently announced that the service was breached in late February 2018.

So far, the company is taking all the steps we’ve come to expect in these circumstances.  It has notified its user base about the scope and scale of the attack, which affected a hefty 150 million accounts, and in the same announcement assured users that the stolen data was limited to user names, email addresses and hashed passwords.

Although most of the stolen passwords were hashed with bcrypt (a deliberately slow, salted hash designed for exactly this purpose), Under Armour has also said that a portion were protected only with SHA-1, and it is recommending that all of the app’s users change their passwords immediately.  That advice applies even to the bcrypt-protected accounts:  a slow hash raises the cost of guessing, but it does not stop an attacker who holds the hashes from recovering weak or reused passwords offline.  Under Armour also assures its MyFitnessPal users that no credit card information was exposed.
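To see why the reset advice stands even for bcrypt-hashed records, it helps to run the attacker’s side: with the hash database in hand, the attacker simply hashes candidate passwords with each record’s own salt and compares.  The block below is an added example, not code from Under Armour or the article.  It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (both are salted hashes with a tunable cost, and the argument is identical), with a constructed word list in place of the usual leaked-password dictionaries.

```python
import hashlib
import hmac
import os

# Cost parameter: raise it in production. bcrypt's equivalent knob is its
# log2 work factor; either way the defender pays once per login and the
# attacker once per guess per record.
ITERATIONS = 20_000


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex fields)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute with the record's own salt and cost; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack(record, wordlist):
    """The attacker's loop. The salt defeats precomputed tables and the cost
    only slows this loop down; a password that is on the list still falls."""
    for guess in wordlist:
        if verify(guess, record):
            return guess
    return None


# Constructed word list standing in for the real leaked-password dictionaries.
WORDLIST = ["123456", "password", "qwerty", "fitness1", "Summer2017!", "letmein",
            "iloveyou", "myfitnesspal", "welcome1", "Password1"]

if __name__ == "__main__":
    weak = hash_password("Summer2017!")
    strong = hash_password("4Rb!x9-qT#w7Lp@2")
    print("weak record cracked as:  ", crack(weak, WORDLIST))
    print("strong record cracked as:", crack(strong, WORDLIST))
```

Scale the word list to the hundreds of millions of entries attackers actually use and the cost per guess is the only thing standing between a breach of hashes and a breach of passwords, which is why the reset matters most for anyone who reused their MyFitnessPal password elsewhere.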

In a departure from the routine we’ve come to expect in situations like these, the company is also warning users that, since their email addresses were stolen, they may be targeted by phishing attempts designed to extract more of their personal information.

That announcement, in part, reads as follows:

“Please note that the email from MyFitnessPal about this issue does not ask you to click on any links or contain attachments and does not request your personal data.  If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by MyFitnessPal and may be an attempt to steal your personal data.  Avoid clicking on links or downloading attachments from such suspicious emails.”

While Under Armour’s handling of the incident has been solid so far, one has to wonder how many more of these incidents we’ll see before companies start taking data security more seriously.
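Both lures on this page, the “IRS” tax notice carrying a zipped Word document described earlier and the kind of fake breach notification Under Armour is warning about here, can be caught by the same handful of checks: does the claimed brand match the sending domain, does an archive attachment contain an Office document, and does a message that calls itself a security notice contain the links, attachments or data requests that the genuine notice explicitly lacks.  The triage function below is an added example, not code from the article, the IRS or Under Armour; the three messages are constructed, and the domains listed as legitimate for MyFitnessPal are assumptions.

```python
import re
from email.utils import parseaddr

# Brands impersonated by the lures described above, with the domains a genuine
# message would come from. irs.gov is the IRS's real domain; the MyFitnessPal
# and Under Armour domains are assumptions for this example.
BRANDS = {
    "irs": {"irs.gov"},
    "myfitnesspal": {"myfitnesspal.com", "underarmour.com"},
}
# Office formats that can carry macros (or, for .rtf, exploit-prone content).
OFFICE_DOCS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm", ".rtf")
NOTICE_WORDS = re.compile(r"\b(security|breach|unauthori[sz]ed|compromised)\b", re.I)
DATA_REQUEST = re.compile(
    r"\b(confirm|verify|provide|re-?enter|reply with)\b.{0,40}"
    r"\b(password|account|social security|credit card|date of birth)\b", re.I)


def sender_domain(from_header):
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def is_brand_domain(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def triage(msg):
    """Return finding codes for a message dict with from/subject/body/attachments/links."""
    findings = []
    display_name = parseaddr(msg["from"])[0]
    domain = sender_domain(msg["from"])
    claims = f"{display_name} {msg['subject']}"

    # 1. A brand named in the display name or subject that the sending domain does not back up.
    for brand, allowed in BRANDS.items():
        if re.search(rf"\b{brand}\b", claims, re.I) and not is_brand_domain(domain, allowed):
            findings.append("impersonated_sender")
            break

    # 2. The Rapid delivery pattern: a zip whose contents are Office documents.
    for att in msg.get("attachments", []):
        names = [n.lower() for n in att.get("contains", [])]
        if att["name"].lower().endswith(".zip") and any(n.endswith(OFFICE_DOCS) for n in names):
            findings.append("archive_with_office_document")
            break

    # 3. A message presenting itself as a security notice should carry none of these.
    if NOTICE_WORDS.search(msg["subject"]) or NOTICE_WORDS.search(msg["body"]):
        if msg.get("links"):
            findings.append("notice_with_link")
        if msg.get("attachments"):
            findings.append("notice_with_attachment")
        if DATA_REQUEST.search(msg["body"]):
            findings.append("notice_requests_data")
    return findings


# Constructed samples.
IRS_LURE = {
    "from": "Internal Revenue Service <notice@irs-refund-center.com>",
    "subject": "IRS Urgent Message-164",
    "body": "Our records show you owe $1,284.00 in real estate taxes. "
            "Open the attached statement for payment instructions.",
    "attachments": [{"name": "IRS_statement.zip", "contains": ["IRS_statement.doc"]}],
    "links": [],
}
FAKE_BREACH_NOTICE = {
    "from": "MyFitnessPal Security <alerts@myfitnesspal-security.com>",
    "subject": "Security issue: verify your MyFitnessPal account",
    "body": "Click the link below to verify your account and confirm your password within 24 hours.",
    "attachments": [],
    "links": ["http://myfitnesspal-security.com/verify"],
}
GENUINE_NOTICE = {
    "from": "MyFitnessPal <noreply@myfitnesspal.com>",
    "subject": "Important security notice about your MyFitnessPal account",
    "body": "We recently became aware of a data security issue affecting MyFitnessPal accounts. "
            "We recommend that you change your password through the app or website.",
    "attachments": [],
    "links": [],
}

if __name__ == "__main__":
    for name, msg in [("IRS lure", IRS_LURE), ("fake notice", FAKE_BREACH_NOTICE),
                      ("genuine notice", GENUINE_NOTICE)]:
        print(f"{name}: {triage(msg) or 'no findings'}")
```

The sender check only looks at the From header, which a spoofer controls; in a real gateway pair it with the SPF/DKIM/DMARC verdict so that a forged .gov or myfitnesspal.com address is caught as well.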