Monday, May 22, 2017

Windows 10 Privacy revisit

There have been a few previous posts here on Windows 10 privacy and security. Using collected data to enhance your on-line experience is not a bad thing, but you should be aware of what data is collected, how it is used, and where it is stored. A few more items for your consideration:

Edge is getting better, and its ability to store browsing history to speed searches, recall pages, and so on is of some value. The issue is that this data is held by the same vendor that already holds your Windows, OneDrive, and Microsoft Store data, so one account ties it all together. Consider using Brave or another browser for sensitive sites. Be aware that Windows updates and other events may reset your default browser to Edge.
OneDrive is a handy feature for accessing data across devices. For this to work the data lives in the cloud. Account recovery is a help-desk process: someone who convinces Microsoft support that they are you can have your passphrase reset and thus reach everything at OneDrive. OneDrive data is accessible to you, and therefore to any ransomware running under your account; encrypted files sync to the cloud just like any other change. OneDrive is useful for multi-platform access, selective sharing, protection from accidental modifications, etc. Since the files and folders are in the cloud, use care with what data you entrust to it.
OneDrive is ingrained in Windows. Signing in with a Microsoft account enables OneDrive access.
To limit which folders are synced to OneDrive, right-click the OneDrive icon in the system tray, choose Settings, and use Choose folders under the Account tab; the Auto Save tab in the same dialog controls whether Desktop, Documents and Pictures are redirected to OneDrive. (Settings -> System -> Storage -> Change where new content is saved controls which drive new apps and documents go to.) Uninstalling OneDrive may cause problems, but it can be disabled by unchecking Start OneDrive automatically when I sign in to Windows on the Settings tab. To stop syncing entirely, right-click the OneDrive icon and use Unlink this PC. OneDrive is a useful function; ensure it does what you intend and nothing more.
Cortana. A lot of personal data is collected by the personal digital assistant, as you would expect of a personal digital assistant. Again, Cortana is ingrained in Windows now and is not easily removed or even deactivated. You can limit its use by right-clicking any blank space on the taskbar, then Cortana -> Hidden. When you need to search for files, use File Explorer. To search for web sites, use your browser.
Microsoft Account. Again cloud based, and data is collected: handy for gathering and using that data to enhance the user experience, not so good for privacy. You can use both local accounts and Microsoft online accounts. If you do not have a local account, creating one is not as easy as it once was. Signed in as a user with Administrator rights, use Settings -> Accounts:
Note: In my experience using a non-Administrator account for day-to-day activity is the best method of reducing the chance of malware infection. See other Cyber Security SIG blog posts for further information.
Start -> Settings -> Accounts -> Family & other people -> Add someone else to this PC.
At How will this person sign in? select I don't have this person's sign-in information.
On the next screen choose Add a user without a Microsoft account. Fill in the username and password (passphrase) and click Next. Not an easy process. Local accounts can log in without a network connection and have less data collected in the Microsoft cloud. The new account is a standard (non-Administrator) user unless you change its account type.
Privacy options: Start -> Settings -> Privacy
There are a lot of settings here, and thus a lot of control over your data, including the ability to clear the data collected so far for your online Microsoft account. Most of these settings will be a personal choice. The more important one, in my opinion, is under Feedback and diagnostics: I recommend using Basic. It is not possible to turn off everything Microsoft collects and sends to its servers, and turning off some settings may limit applications or cause them not to behave as before. The Stop getting to know me setting under Speech, inking, and typing is another personal choice. For more control of privacy options see the Cyber Security SIG blog post W10privacy application details.
Sync your settings: Start -> Settings -> Accounts -> Sync your settings allows your settings to be synced to other devices with the same Microsoft online account. A useful feature for convenience, not so for privacy. In addition to being synced to other devices, those settings are stored in the Microsoft cloud.
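The same three changes described above (diagnostic data down to Basic, OneDrive sync off, a local non-Administrator account for daily use) can be made from an elevated PowerShell prompt instead of clicking through Settings. This is an added example, not part of the original post; it assumes a Windows 10 build that honours the two policy registry keys (Pro or better; Home generally honours them as well, but check the result) and uses a hypothetical account name, daily.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes Windows 10 1607 or later, which ships the
# LocalAccounts module, and that the policy keys below are honoured on your edition.

# 1. Diagnostic data level, the "Feedback and diagnostics" setting, as a machine policy.
#    1 = Basic; 2 = Enhanced; 3 = Full. 0 = Security is honoured only on Enterprise/Education.
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
New-Item -Path $dc -Force | Out-Null
Set-ItemProperty -Path $dc -Name AllowTelemetry -Type DWord -Value 1

# 2. Stop the OneDrive sync client (policy "Prevent the usage of OneDrive for file storage").
$od = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
New-Item -Path $od -Force | Out-Null
Set-ItemProperty -Path $od -Name DisableFileSyncNGSC -Type DWord -Value 1

# 3. A local, standard (non-Administrator) account for day-to-day use. Account name is hypothetical.
$name = 'daily'
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Passphrase for local user $name"
    New-LocalUser -Name $name -Password $pw -PasswordNeverExpires -Description 'Local standard user' | Out-Null
}
# New-LocalUser does not put the account in Users by itself; this is harmless if already a member.
Add-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue

# 4. Verify each change took effect.
Get-ItemProperty -Path $dc | Select-Object AllowTelemetry
Get-ItemProperty -Path $od | Select-Object DisableFileSyncNGSC
Get-LocalUser -Name $name | Select-Object Name, Enabled
$admin = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$name" }
if ($admin) { "WARNING: $name is an Administrator" } else { "$name is not an Administrator" }
```

Sign out and back in (or reboot) for the OneDrive policy to take effect on the running client; the Settings app will show the Feedback and diagnostics slider as managed by policy afterwards.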

 Privacy is a personal choice. Some of the above may not be your personal choice. Some may want to go even further with control.


DocuSign Warning!!

DocuSign is a company that offers an electronic document signing service. Real estate transactions, wills, and other documents can be signed on-line through it.
Recently a list of DocuSign customer email addresses was stolen from a DocuSign system. As a result customers are receiving emails that appear to be from DocuSign with an attached document. The attachment carries a macro; if macros are enabled, or the user enables them when prompted, the macro downloads malware. The result may be a malware infection.
If you receive one of these emails, do not open the attachment. Legitimate DocuSign notices link to the document on docusign.com rather than attaching a file; check with DocuSign if in doubt.
If you have already opened such an attachment and enabled macros, or have macros enabled by default, run a malware scan as advised on the Sun City Computer Club's web page under the MALWARE HELP link.
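The weak setting the phishing relies on is macros being enabled (or the user being one click from enabling them). The script below, an added example that is not part of the original post, reads the current Office macro setting, applies the hardened one, and checks whether a saved attachment carries the Mark of the Web that triggers the Internet block. It assumes Office 2016/365 (registry version 16.0; use 15.0 for Office 2013) and a hypothetical attachment path.

```powershell
# Added example, not from the original post. Run as the user whose Office settings are being checked.
# Assumes Office 2016/365 ("16.0"); substitute '15.0' for Office 2013.
$ver = '16.0'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
    $pol = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"

    # VBAWarnings: 1 = enable all macros (the weak setting), 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    $cur = (Get-ItemProperty -Path $sec -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    "$app VBAWarnings before: $(if ($null -eq $cur) { 'not set (default 2)' } else { $cur })"

    # Hardened: only digitally signed macros may run, and macros in files that came from the
    # Internet (email attachments, downloads) are blocked outright, with no Enable button.
    New-Item -Path $sec -Force | Out-Null
    Set-ItemProperty -Path $sec -Name VBAWarnings -Type DWord -Value 3
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name BlockContentExecutionFromInternet -Type DWord -Value 1
    "$app VBAWarnings after: $((Get-ItemProperty -Path $sec -Name VBAWarnings).VBAWarnings)"
}

# Does a saved attachment carry the Mark of the Web? A Zone.Identifier stream with ZoneId=3
# (Internet) is what makes the block above apply to it. Path is hypothetical.
$file = "$env:USERPROFILE\Downloads\Document.doc"
if (Test-Path -Path $file) {
    $zone = Get-Content -Path $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) { "$file is marked as downloaded:"; $zone } else { "$file has no Mark of the Web" }
}
```

Restart the Office applications after running this; the Trust Center will then show "Disable all macros except digitally signed macros" and the Internet block cannot be overridden from the yellow bar.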

Friday, May 12, 2017

This is sure to make the evening news: WannaCry/WanaCrypt0r 2.0

Large corporations are being hit with a strain of ransomware.
It is apparently spreading on its own through the SMBv1 vulnerability fixed by MS17-010, which was issued two months ago (March 2017). If you have not patched, or are still using XP, you may get hit. The security community is trying to get and stay ahead of this one by registering (sinkholing) the kill-switch domains the malware checks for before it runs, as new variants appear. If you experience delays from large corporations they may be attempting recovery.
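To check whether a machine is exposed, and to close the door even if the patch cannot be applied immediately, the following can be run from an elevated PowerShell prompt. This is an added example, not from the original post. The KB numbers are my reading of the MS17-010 bulletin for each Windows version; confirm them against the bulletin for your exact build (later cumulative updates also contain the fix, so a missing ID is not proof of exposure). The SMB cmdlets used exist on Windows 8.1/Server 2012 R2 and later, not on Windows 7.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Windows 8.1 / Server 2012 R2 / Windows 10 or later.

# 1. Is an MS17-010 hotfix installed? IDs below are taken from the MS17-010 bulletin
#    (security-only and monthly rollup for each OS); verify them for your build.
$ms17010 = @(
    'KB4012212', 'KB4012215'                # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216'                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'                # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    $found | Format-Table HotFixID, InstalledOn -AutoSize
} else {
    'No MS17-010 hotfix ID found; check Windows Update history for a newer cumulative update'
}

# 2. Is SMBv1 still enabled? The worm component only speaks SMBv1.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# 3. Mitigate: turn the SMBv1 server off and remove the optional feature entirely.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 4. Block inbound SMB (TCP 445) on public networks so an infected neighbour on a hotel or
#    coffee-shop network cannot reach this machine at all.
if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB on public networks' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
}

# 5. Verify.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
(Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
```

Removing the SMB1Protocol feature needs a reboot to complete. Old devices such as some printers and NAS boxes only speak SMBv1; if one stops working after this, that device is the problem to fix, not a reason to turn SMBv1 back on.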

Some HP PCs may be logging users' keystrokes

The keystroke-logging software has so far been found on HP PCs (it is part of the Conexant audio driver package), but to be safer, check any PC for the file:

C:\Users\Public\MicTray.log

If found, remove this file. The application that does the logging is designed to control audio features (the mute key and the like). It appears to be poorly designed rather than malicious, but logging every keystroke to a file is not a good idea.
HOWEVER, any malware that reaches the machine can read the keystrokes logged in this file for nefarious purposes, and the file sits in a Public folder readable by every account on the PC.

To keep the audio application running and still protect yourself, remove the file, create a new empty file with the same name, and set its permissions so that nothing can write to it. The logger then has nowhere to write.
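That procedure in PowerShell, as an added example that is not part of the original post: it removes the log, recreates it empty, strips the permissive permissions it would otherwise inherit from C:\Users\Public, and adds a Deny-write entry that applies to every account. The process names checked (MicTray64.exe / MicTray.exe) come from the public advisory on this driver rather than from the post, and may differ on your machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes the log path named in the post; the process
# names come from the public advisory for the Conexant audio driver and are not from the post.
$log = 'C:\Users\Public\MicTray.log'

# 1. Is the logging component running, and is the log present?
Get-Process -Name 'MicTray64', 'MicTray' -ErrorAction SilentlyContinue | Select-Object Name, Id, Path
if (Test-Path -Path $log) {
    "Found $log ($((Get-Item -Path $log).Length) bytes); removing it"
    Remove-Item -Path $log -Force
}

# 2. Recreate it empty so the audio tool still finds its expected path...
New-Item -ItemType File -Path $log | Out-Null

# 3. ...and make it unwritable. Inherited rules from C:\Users\Public let every user write here,
#    so inheritance is cut (and inherited rules dropped), Administrators keep full control so the
#    change can be undone, and Everyone is denied Write. A Deny entry wins over any Allow, so not
#    even SYSTEM or an Administrator session can append keystrokes to the file.
$acl = Get-Acl -Path $log
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, do not copy inherited rules
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'Write', 'Deny')))
Set-Acl -Path $log -AclObject $acl

# 4. Verify: show the resulting ACL and prove that a write is refused.
(Get-Acl -Path $log).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
try {
    Add-Content -Path $log -Value 'test' -ErrorAction Stop
    'WARNING: write succeeded; the file is still writable'
} catch {
    'OK: writes to MicTray.log are blocked'
}
```

Check the file again after the next reboot and after any HP or Conexant driver update; a driver reinstall can recreate the log with its original permissions.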


Cyber Security SIG Presentation 05/04/2017


MacOS users - Have you seen or done an update to Adobe Flash?

If you have recently seen a prompt to install or update Adobe Flash Player on your MacOS system and clicked through it:

You may have installed a backdoor that has infected Windows and Linux machines in the past. The fake installer does put a real copy of Flash on the system, but alongside it installs the malware strain known as Snake (also called Turla or Uroburos).
The installer asks for the administrator password, and with that the backdoor is able to steal data such as account usernames and passwords. The Apple developer certificate used to sign the installer has been revoked, but a new certificate is a real possibility now that the malware has been ported to MacOS. Users who click through the signing-certificate warning will be infected.
MalwareBytes can detect and remove the infection. Use the Sun City Computer Club MALWARE HELP link, then the MAC MALWARE PREVENTION/REMOVAL instructions, or the Sun City Computer Club Help Center. I have seen this often the past few days on my Macs, and it has been around on Windows and Linux in the past.
It is good practice to keep applications updated along with the operating system, but get updates from the application's own updater or the vendor's site, not from a pop-up on a web page. If possible, set application updates to Ask before applying, and DO NOT click through certificate errors.

Thursday, May 4, 2017

Do Macs need anti-virus?

In the Mac Users Group (MUG) SIG meeting today, 5/4/17, a video was played. As a cyber security professional I agree with every point made in the video.

The issue in my mind is semantics, word meanings. What is a computer virus? In a human analogy, a computer virus "injects" itself into, or "infects", a running process or application. A virus is just one type of computer malware. Others include worms, trojans, spyware, ransomware, etc.; too long a list. Most anti-virus products have morphed into anti-malware suites, with anti-virus protection one part of the suite.
I could argue the first discovered virus had Macs as its target.

MacOS and Windows have different traditions for how applications are built. MacOS is a UNIX system (BSD-derived, not Linux) with cheap process creation, and the UNIX style is to compose small programs: each one feeds its output to the next, so each step runs as its own process. Windows development leans on code that is loaded into other applications: shared DLLs, COM components, and hooks. Code running inside someone else's process is a normal part of how Windows works rather than an anomaly. In a human analogy, think of a police investigation. On MacOS, the part of the case that needs another person or department is sent to them; the results come back, or move on to the next department, until the case is complete. On Windows, the other person is asked to sit at the current investigator's desk and use that desk and its resources to do their part. Viruses work by injecting themselves into other programs, so they fit the Windows model naturally; that is why viruses are common on Windows and anti-virus is needed there. Anti-virus can be based on signatures or on heuristics.

Another point made: "There are currently no known Mac viruses". Again semantics. A more accurate statement: "There are no known Mac viruses for which a patch is not available".

To prevent infection by any new Mac viruses the video advised keeping patches current (excellent) and keeping up with security news so you can take action before a virus infects you. The latter is almost impossible to do reliably.

Are anti-virus-only applications for the Mac unnecessary? Probably, if they cost money. Are anti-malware suites unnecessary? In my opinion, NO.

The security incident this week, OSX/Dok, worked as follows:
1) Clicking on a link in a phishing email or on a web page visited. Anti-malware suites can carry both white lists and black lists of web sites and email addresses.
2) An application named Dokument was downloaded and run. At first the application was signed with an Apple-issued developer certificate, so there was no defense on that front.
3) Apple revoked the signing certificate. After that, both anti-malware and MacOS warned the user about the signature problem. If the user clicked Open anyway, the application ran. Please do not do that; the warning is there for a reason.
4) The application then downloaded and installed a set of Linux/UNIX command-line utilities. Some anti-malware would have caught this and issued a warning.
5) The currently logged-in user was made an Administrator if not already one. Again, some vendors will warn, others not.
6) The sudo configuration (/etc/sudoers) was modified so the user could run commands as root without a password, letting the rest of the infection proceed. Some suites will alert.
7) An overlay window that is an exact copy of the Apple software update dialog was displayed while the rest of the malware was loaded.
8) That window asked for the administrator password. The password was sent to the attacker.
9) A command-line tool installed TOR and SOCAT. Some vendors may alert.
10) A rogue root certificate was installed, so the attacker's intercepted connections appear properly secured to the browser.
11) The system's proxy settings were changed so all web traffic is routed through the attacker's system. At this point all traffic and communications can be viewed AND modified by the attacker.
TO BE CLEAR: all encrypted traffic to your bank, broker, shopping sites, etc. can be captured and/or modified. Account names, passphrases, ALL traffic.

Would anti-malware suites have prevented this infection? Probably not at the time it was first deployed. Most suites might have alerted on several of the trip points, but the user would have had to recognize the alerts and take action.

There are several ransomware strains that infect MacOS. One is very bad: it never manages to send the encryption key back to the attackers, so victims will never get the key even after paying the ransom.

Most ransomware signatures are in good anti-malware suites for MacOS.

Wednesday, May 3, 2017

Gmail: massive attack underway today

Mostly hitting Gmail accounts, but users of other web mail services are being targeted as well.

If you get an email with a link to a shared Google Doc, DO NOT click the link.

If you have clicked on the link, or suspect you have, go to Google's My Account page, review the apps with access to your account (Sign-in & security -> Connected apps & sites), and remove the one named "Google Docs". The real Google Docs never needs to appear there as a connected app, so an entry with that name belongs to the attacker. Change your password as well if you granted it access.

Google and personal privacy

https://myaccount.google.com/activitycontrols

If you have not visited the above page at Google, you should. By default Google logs and stores every place you have been while interacting with Google, every application run on your Android phone, everything you have dictated or asked by voice ("OK Google", and dictation of emails, texts, etc.), every YouTube search AND every video watched, and more.

You cannot turn this collection off. You can only Pause it.

The site says these collections help Google make your experience better. It also says only you (and Google) can see the data in all of them. Only you, and anyone who guesses your password/passphrase. Only you, and anyone who resets your password/passphrase. Only you, and anyone who uses one of your logged-in sessions anywhere.

If you wish to turn any of these collections off (Pause is the only available option), you will need to check every device you use to interact with Google.
To "Pause" a collection, move its slider to "Off".

THEN, to remove all past history of data in these collections, click MANAGE ACTIVITY,
click the "DELETE ACTIVITY by" link,
and select "All time".

Some may argue "I have nothing to hide", and this history of Google interactions may be useful to you.
If not, use the site to suit your personal privacy desires.

This information is only what Google discloses.


Monday, May 1, 2017

MacOS Newly discovered malware allows attackers access to victim communications

A zip archive named Dokument.zip was circulated containing an application signed with an Apple-issued developer certificate dated 21-Apr-2017, since revoked.
Because the certificate is revoked, MacOS now warns when the application is opened.
If the user opens the application anyway, it displays a fake OS X update prompt, according to a blog post from Check Point. If the fake OS X update is "installed", TOR and SOCAT are installed and from that point on the attacker can intercept and control the victim's communications.
If you have been infected, take action via the posts from Malwarebytes or Check Point.