
Thursday, October 22, 2015

Facebook Account Hacks

I heard today from two contacts (who do not know each other) who just had their Facebook accounts hacked, and my educated guess is that there is another Facebook virus link being circulated.

Here is some background information on how these hacks typically work and my suggestions.  I hope they are helpful.

Background on Account Hacking:

I don't know the specifics of this current hack yet, but two common methods hackers use are:
  1. Hack the user's email account and then reset the Facebook (and other account) passwords.  This is especially dangerous when you think about how many sensitive accounts are tied to your email account (bank accounts, credit card accounts, etc.).
  2. Get you to visit a malicious website link that installs malware on your computer which in turn hands over your Facebook (and other account) passwords to the hackers.
    A very effective way to get you to do this is to put a fake post on a Facebook account that they have already hacked.  They can then infect many of this person's friends.
Another tactic that a friend of mine, Steve, just pointed out is using a fake Facebook account to send you a friend request.  This may be someone you don't really know or it may be a copy of one of your friends.  A "Facebook friend" has the ability to post onto your page and is an easy way to get access to your friends with a malicious link.  Be selective with who you friend.

What to Watch For:

  1. Don't assume that a link in an email from someone you know or a link on a friend's Facebook page is safe.
  2. Give extra caution to links that are clickbait.   Hackers will often use a link that is sexually provocative or about tragic news, appealing to our darker emotions to get us to click.  If this link seems out of character for the "sender", don't open it.  Contact the alleged sender first.  This will accomplish two things:
    a. It will let the "sender" know that they may have been hacked
    b. You will know if this is a legit link or not

What to Do if You've Been Hacked:

  1. First, don't beat yourself up.  This may have happened because you went to a site you shouldn't have, or you may have done nothing wrong.  Some viruses can be caught by simply being online.  Learn from the experience and move on.
  2. If your Facebook account or other social media account was compromised, delete the posts that are not from you and put a post out there to spread the word about the attack.
  3. If your email account was compromised, send an email blast to your contacts to let them know so they don't inadvertently infect themselves.  It may be a little embarrassing, but these things happen to the best of us.  Help stop the virus.
  4. Check your system for viruses and malware.  Everyone needs to have anti-virus and anti-malware on their devices.
    For Windows and Mac I recommend: Kaspersky for anti-virus:  they are very reasonably priced and offer a free trial
    For Linux, clam-av seems pretty good and is free
  5. After disinfecting your system, get a password manager.  Personally I like and use LastPass, despite their recent acquisition by LogMeIn.  The basic account is free and there is a $1/month fee for premium that lets you use it on your mobile devices.
    A password manager lets you easily create secure and unique passwords without having to remember them and helps to prevent you from entering your password on a fake (phishing) site.  Make sure to use an extremely secure password and set up two-factor authentication on your password manager.
  6. Change your passwords.  If you have been hacked, you should change them all, but especially email, social media, financial or anything sensitive.  I know, it's a pain, but just do it.

Help Keep From Getting Hacked:

  1. Follow the steps in the "What to Watch For" section.
  2. Do steps 4 and 5 in the "What to Do if You've Been Hacked" section if you haven't already.
  3. Consider subscribing to this blog.  I will post security issues that I come across and what to do about them.
  4. Consider using Gmail for your email.  They take security seriously and offer free and easy-to-use two-factor authentication via text messages.  If you use Yahoo email, my condolences.  If I were you I would switch.  Whatever email service you use, make sure to use a secure password.


Sunday, April 26, 2015

Setting Up a PHP7 Development Environment

Update 10/2016: This is no longer the correct way to install PHP7 now that stable releases are out and published on your distribution's repositories; however, this information is still useful if you want to install the latest bleeding edge versions.


As a PHP developer I am excited about the anticipated stable release of PHP7 coming near the end of this year (2015), but in order to test out its new features it is necessary to set up a development environment using one of the nightly releases of PHP7.  Unfortunately this was not quite as straightforward as I had hoped, and hopefully this will help some of you avoid the same frustrations.

This information is accurate as of 04/26/2015 for installation on a *ubuntu (virtual) machine:

The first gotcha that I ran into is that one of the dependencies (libt1-dev) only seems to work on the latest LTS release, 14.04, so if you are running anything newer, even 14.10, it will not install.  You will need to set up your machine for *ubuntu 14.04.

  1. Download a current nightly release from http://php7.zend.com/
  2. As shown in the installation instructions, you will need to install PHP7's dependencies:
    apt-get update && apt-get install -y \
    libcurl4-openssl-dev \
    libmcrypt-dev \
    libxml2-dev \
    libjpeg-dev \
    libfreetype6-dev \
    libmysqlclient-dev \
    libt1-dev \
    libgmp-dev \
    libpspell-dev \
    libicu-dev \
    librecode-dev
    This also proved to present some problems with permissions, even when using sudo.  I'm not exactly sure why, maybe because I'm still a Linux newbie, but this is what I did to get it done:
    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get install libcurl4-openssl-dev
    sudo apt-get install libmcrypt-dev
    sudo apt-get install libxml2-dev
    sudo apt-get install libjpeg-dev
    sudo apt-get install libfreetype6-dev
    sudo apt-get install libmysqlclient-dev
    sudo apt-get install libt1-dev
    sudo apt-get install libgmp-dev
    sudo apt-get install libpspell-dev
    sudo apt-get install libicu-dev
    sudo apt-get install librecode-dev
  3. Move into the directory that you downloaded the PHP7 nightly into, probably Downloads and then run the next command to unpack the file and place it in the root.
    Note: If the second command doesn't find the file, just start typing php7 and hit tab and it should auto-complete.
    cd Downloads
    sudo tar xzPf php7*.tar.gz
    PHP7 should now be installed in your /usr/local/php7/bin/ directory and PHP cli should be operational.  You can test it by typing:
    /usr/local/php7/bin/php --version
  4. If all you need is the cli, you should be good to go.  To use with Apache keep going.
    Important: If you have another version of PHP installed (like PHP5), you will need to uninstall it first.
    sudo apt-get install apache2-bin
    sudo cp /usr/local/php7/libphp7.so /usr/lib/apache2/modules/
    sudo cp /usr/local/php7/php7.load /etc/apache2/mods-available/
  5. You will then need to open up /etc/apache2/apache2.conf as root (replace "leafpad" with your editor of choice),
    sudo leafpad /etc/apache2/apache2.conf
    add the following lines to the end of the file and save.
    <FilesMatch \.php$>
    SetHandler application/x-httpd-php
    </FilesMatch>
  6. Run these last commands from your terminal:
    sudo a2dismod mpm_event
    sudo a2enmod mpm_prefork
    sudo a2enmod php7
    and you should be done!
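The six steps above, collected into one re-runnable script.  This is an added example and not the post's own code: it assumes *ubuntu 14.04, that the nightly tarball from php7.zend.com has already been downloaded, and that it unpacks to /usr/local/php7 with libphp7.so and php7.load in that directory, exactly as the post describes.  The function names (check_release, add_php_handler and so on) are mine.  It adds the checks the post's gotchas call for: refuse anything other than 14.04 (libt1-dev), refuse to continue while a PHP5 Apache module is still enabled, and append the FilesMatch block only if it is not already in apache2.conf so a second run does not duplicate it.

```shell
#!/bin/sh
# Added example (not from the original post): the PHP7 nightly setup as one
# script.  Assumes *ubuntu 14.04 and the post's file layout under /usr/local/php7.
# Usage:  sudo sh php7-setup.sh install /home/you/Downloads/php7-nightly.tar.gz
set -eu

PHP7_DEPS="libcurl4-openssl-dev libmcrypt-dev libxml2-dev libjpeg-dev
libfreetype6-dev libmysqlclient-dev libt1-dev libgmp-dev libpspell-dev
libicu-dev librecode-dev"
APACHE_CONF=/etc/apache2/apache2.conf
HANDLER='SetHandler application/x-httpd-php'

# libt1-dev only installs on 14.04 (the post's first gotcha), so refuse others.
check_release() {           # $1: release string as printed by `lsb_release -rs`
    [ "$1" = "14.04" ]
}

# Another PHP Apache module (e.g. php5) must be gone before php7 is enabled.
conflicting_php_mod() {     # $1: Apache mods-enabled directory; 0 if a php5 module is enabled
    ls "$1"/php5*.load >/dev/null 2>&1
}

has_php_handler() {         # $1: apache2.conf path
    grep -q "$HANDLER" "$1"
}

# Append the FilesMatch block from step 5, but only once, so re-runs stay clean.
add_php_handler() {         # $1: apache2.conf path
    if ! has_php_handler "$1"; then
        printf '%s\n' '<FilesMatch \.php$>' "    $HANDLER" '</FilesMatch>' >> "$1"
    fi
}

count_php_handlers() {      # $1: apache2.conf path; prints how many handler lines exist
    grep -c "$HANDLER" "$1" || true
}

install_php7() {            # $1: path to the downloaded nightly tarball
    [ "$(id -u)" -eq 0 ] || { echo "run this with sudo" >&2; exit 1; }
    check_release "$(lsb_release -rs)" || { echo "needs *ubuntu 14.04 (libt1-dev)" >&2; exit 1; }
    apt-get update
    for pkg in $PHP7_DEPS; do          # one package per call, as in the post
        apt-get install -y "$pkg"
    done
    tar xzPf "$1"                      # -P keeps the absolute /usr/local/php7 paths
    /usr/local/php7/bin/php --version  # step 3 sanity check
    apt-get install -y apache2-bin
    if conflicting_php_mod /etc/apache2/mods-enabled; then
        echo "uninstall/disable the existing PHP5 Apache module first" >&2; exit 1
    fi
    cp /usr/local/php7/libphp7.so /usr/lib/apache2/modules/
    cp /usr/local/php7/php7.load /etc/apache2/mods-available/
    add_php_handler "$APACHE_CONF"
    a2dismod mpm_event
    a2enmod mpm_prefork
    a2enmod php7
    echo "done: restart Apache with 'service apache2 restart'"
}

case "${1:-}" in
    install) install_php7 "${2:?usage: $0 install /path/to/php7-nightly.tar.gz}" ;;
esac
```

The config edit is done by a function that takes the file path as an argument rather than by hand in an editor, which is what makes the typo-prone step ("/ect/" instead of "/etc/") and the duplicate-block problem go away; running the script a second time leaves exactly one handler block in place.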
I hope this helps someone.

On a related note, I will be speaking on May 13th at the Fox Cities PHP Meetup about PHP7 scalar type hints, scalar wrapper classes and PHP7 return type hints.  If you can't make it, I will be posting my talk and the slides here on my blog.

Happy PHPing and Go PHP7!

Tuesday, February 24, 2015

More Bad Fish

In light of the recent news that Lenovo was bundling Superfish, which can really only be fairly described as malware, a host of similar threats have been found in popular Windows software, including big names in anti-virus AVG and Comodo.


There are very good write ups here and here so I won't bother going into details, but suffice it to say that companies that should have known better, and placed themselves as authorities of trust, have put profits ahead of their customers' best interests.

So what is a Windows user to do?

Note: At this time it appears this only affects Windows users, but it doesn't hurt to check the site even if you use a different operating system.

First, go to this website: https://filippo.io/Badfish/
If you have Superfish or any of the similar HTTPS-Hijacking malware installed on your machine, this check will probably find it.  It is quick, safe and you do not need to install anything.
If you do have a vulnerability on your machine, it will help you with instructions on how to remove it.

Second, if you have AVG anti-virus by LavaSoft (which I have previously recommended) or Comodo PrivDog, I am recommending that you uninstall them.  In my opinion, they are no longer trustworthy programs.
As a good replacement at this time, I am recommending MalwareBytes.  They have a free version for home users that will cover the basics and a premium version for a reasonable fee.

And finally, a couple good reminders for us all:

  1. Even if you have anti-virus/anti-malware software installed, you still need to be careful downloading software from the internet!  Most of these tainted programs were available from Download.com and CNET, which are not inherently safe.
  2. When visiting sites that should be secure (financial, healthcare, etc.) type in the URL yourself. NEVER click on a link in an email to take you to a sensitive website.  This exploit has taught us that we cannot place complete trust in the padlock icon in our browser.  A good password manager such as LastPass can also help keep you from falling for fake URLs.

Related:  If you are fed up with Windows, give some thought to making the switch to Linux.  It is a lot easier and more familiar than it used to be.  Watch for future posts detailing my transition.  My current operating system of choice is Lubuntu.

Thanks for reading and be safe out there.  The internet is a wild place!

Alex

Alex Fraundorf is a web application programmer and web security consultant with Snap Programming.

Disclaimer: The advice in this blog is safe and checked to the best of my ability, but it is provided AS-IS with no warranty expressed or implied.  That's why it is free!  Unless otherwise noted, all opinions are my own, do not reflect those of my employer/associates and have not been influenced by any form of compensation.


Thursday, February 19, 2015

Bad Move Lenovo

Shortcut: If you just want to see if this is something you have to worry about for your computer, skip down to the heading "So here is what to do to see if your device is vulnerable" near the bottom.

If you own a Lenovo brand laptop, you might have a problem.  If you are thinking of buying one, stop and read this first!

Recently Lenovo decided to pre-install their laptops with a program called Superfish, which in a nutshell acts as the guard dog telling you that a website's secure certificate (the thing that makes the "https://" in the address bar) is legit.

Normally this is done by a trusted authority, usually the company that issued the security certificate, but Superfish is intercepting the normal protocol and doing this itself.

So the question is why would Lenovo and Superfish go through the effort and expense to do this?  The answer is good old fashioned greed.

Lenovo wants to "enhance" your search results with brands that happen to pay them advertising dollars.  It works like this:
  1. You go to your search engine and search for an item.
  2. Your search engine returns the results to your browser (giving preference to their own paid advertisers).
  3. Superfish intercepts the page and throws in its own ads (which will probably not get caught by your ad blocking software).
  4. The edited page is sent to your browser (by the way, it makes no difference what browser you use).
This is irritating, but why is it anything more than that?  Let's jump back to the secure certificates.  When you go to a (reputable) search engine, it uses encryption (https://) to protect your connection from being read or tampered with.  If Superfish didn't take over as the certificate watchdog, you would get a warning in the padlock section of your browser telling you that the data was altered after it was sent to you.  Superfish prevents this from happening.

Alright, so this is irritating and I don't know if my search results are legit, but is there more?  Sadly yes.  It appears that the developers of Superfish were a bit sloppy and left their program open to being hacked and abused, so what this really means is:

If you have Superfish running on your computer, it is possible for ANY "encrypted" website to be listened in on or altered without your knowledge!

Think online banking, stock trading, healthcare.  Not pretty.


So here is what to do to see if your device is vulnerable:

1. Go to this website: https://filippo.io/Badfish/

It will tell you if your computer has Superfish installed.  If you do, it will help you with instructions on how to remove it, hopefully without having to reinstall Windows.

2. Send a message to Lenovo that you don't appreciate their actions.  You can use their website, the hashtag #Lenovo (they're listening) or better yet, with your wallet the next time you buy a computer.
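The Badfish page linked above (in this post and in "More Bad Fish") checks a Windows machine from the browser.  As an added example that is not from either post, here is the same idea done by hand on a Linux or Mac box: Superfish works by putting its own root certificate into the machine's trust store, so a check is to list every certificate in that store whose subject names the product.  It assumes openssl is installed and that the store is a directory of PEM/CRT files such as /etc/ssl/certs (Firefox keeps its own NSS database, which this does not cover); the function names and the 'superfish' pattern list are mine, and the pattern list is where you would add other products as they come to light.

```shell
#!/bin/sh
# Added example (not from the original posts): scan a directory of certificate
# files for a root whose subject names an interception product, the way a
# Linux/macOS user could check for a "Superfish" root by hand.
# Assumptions: openssl is installed; the store is a directory of PEM/CRT files.
set -eu

# Print the subject of one PEM certificate; print nothing if the file is not a cert
# (a private key or a stray text file in the same directory must not abort the scan).
cert_subject() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null || true
}

# find_root_by_subject DIR PATTERN
# Lists every certificate under DIR whose subject matches PATTERN
# (case-insensitive extended regex).  Returns 0 if at least one matched, 1 otherwise.
find_root_by_subject() {
    dir=$1; pattern=$2; found=1
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        if cert_subject "$f" | grep -Eiq "$pattern"; then
            printf '%s: %s\n' "$f" "$(cert_subject "$f")"
            found=0
        fi
    done
    return $found
}

# check_trust_store DIR: returns 1 (and warns) when a known interception root is
# present, 0 when none of the patterns matched.  'superfish' is the product named
# in the posts; add further patterns here, separated by |, as others come to light.
check_trust_store() {
    if find_root_by_subject "$1" 'superfish'; then
        echo "WARNING: interception root found in $1" >&2
        return 1
    fi
    echo "no known interception root in $1"
}

# Usage:  sh badfish-check.sh check            (defaults to /etc/ssl/certs)
#         sh badfish-check.sh check /some/dir
case "${1:-}" in
    check) check_trust_store "${2:-/etc/ssl/certs}" ;;
esac
```

A non-zero exit from check_trust_store is the signal, so the script can sit in a cron job or a fleet check and fail loudly; matching on the subject rather than on a fixed fingerprint is deliberate, since a vendor can re-issue the root with a new key but tends to keep its own name in it.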



Additional resources:
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/



I hope that this was helpful.  Be safe out there, the internet is a wild place!

Alex


Tuesday, February 17, 2015

Finally

So I have been thinking that I should start a blog for some time now.  Up until now, I have used my social media accounts for passing on tidbits about web security issues, my proud moments as a father, insights into life and my Christian walk, etc., etc.

The plan for this blog is to provide short and concise articles that fall into a few broad categories:
  1. Web Security Issues
    I subscribe to A LOT of technical emailing lists.  When I come across an issue that affects the web population at large, I will post a summary of the threat, the best known way to counter-act it, and links to other relevant resources.
  2. Technology
    I will be posting notes and brief tutorials on things I learn regarding the technologies I work/play with or whatever I am interested in at the time.  Mostly these are just notes to my future self so I don't have to rediscover things later, but hopefully they will be of use to others as well.  Typically they will be about PHP, MySQL, JavaScript, CSS, HTML, Linux, *ubuntu... at least that is what I am into now.
  3. Personal
    Some of my posts will be about my personal life, including my thoughts and views about being a Christian, a husband, a father and simply a human with struggles like everyone else.  Since this is a public forum, I won't be sharing too much detail and photos will be limited.  If we actually know each other, please make a friend request on Facebook and you will be privy to my shared photo albums.
  4. Book Reviews
    Occasionally I am asked to read and review a web technology book that falls under my "area of expertise".
That's it for now.  I anticipate that my postings will be sporadic, sometimes a couple a week, sometimes a lag of a month or two, but I'll always come back eventually.

As always you can find my relevant links and contact me through AlexFraundorf.com

Thanks for reading!