Hero Blog - Comments are Welcomed!

_________________________________________________________________

MilkyDoor and DressCode Android Malware.pdf 2

MilkyDoor and DressCode Android Malware

In April of 2017, Trend Micro discovered that the MilkyDoor malware (the successor to DressCode) was posing as 69 unique Android apps. As reported by Trend Micro, MilkyDoor uses and encrypted SSH Tunnel to provide criminals access to your internal networks via Android phones carrying the malware. Port 22 which allows for SSH traffic is not inherently blocked by all routers - especially when they see SSH traffic. MilkyDoor takes great lengths to make its traffic look legit so network scanning tools are fooled while at the same time resulting in no warning messages on the device. Additionally, check that you don’t have an app on the list below. If you do, delete it from your device immediately.

MilkyDoor and DressCode Android Malware.pdf

Evil Twin Router or WiFi Networks

As reported by Luke Dormehl in his article for Cult of Mac, the issue of evil twin routers and wifi hotspots is becoming another way for blackhat hackers or blackhats )Your old Bell POP account on your computer or mobile device cannot communicate properly with Bell’s new IMAP setup. You’ll need to set up a new IMAP version of your Bell email account on every device you currently have it in POP form. Period.


Here's why and how... up to Bell's

Bell Duplicate Email Solution for Mac Users

See this blog for details related to Outlook, but if you are on a Mac or need to create an IMAP account from scratch or on a mobile device, here are the details you need to know. You’ll need to put them in the appropriate places.

Your old Bell POP account on your computer or mobile device cannot communicate properly with Bell’s new IMAP setup. You’ll need to set up a new IMAP version of your Bell email account on every device you currently have it in POP form. Period.

Here's why and how... up to Bell's transition date, they supported the POP (
Post Office Protocol) for email. That meant that when you deleted an email in your Bell Account on your computer, you had to repeat the process on every other device that same account was on. On the other hand, IMAP (Internet Message Access Protocol) is better because with it when you delete or move an email on one device your action is mirrored on the server and so every connected device duplicates that action automatically. That means you don't have to!


Without setting up a Bell IMAP version of your account, your old POP account is trying to talk to Bell's new IMAP server and that's like, well, Apples and Oranges... they just don't speak the same language. So, when your existing Outlook or whatever email software you use pulled your mail down and tried to told the IMAP server that it had the new mail, the IMAP server ignored that since it doesn't speak POP and kept those messages marked as new or unread. The next time you checked mail... you got them again, the process repeated and so here you are with probably thousands of copies of the same messages all marked as new or unread.

Let's get to the steps for Mac users (
Windows users, your instructions are here):

  1. Open Mac Mail, click MAIL then ACCOUNTS.

  2. Click on your old Bell (Sympatico) account in the account list.

  3. On the right side, uncheck “Enable this account” which will stop it from checking for email. When you click anywhere else you may get a screen asking you to save the settings - click “yes" or “ok”.

  4. Go to: https://webmail.bell.net and log into your NEW Bell webmail space. Under your inbox you'll see a folder called "POP" - that's where your emails from the old server are stored. You are now sitting in the new IMAP server. If you want to get rid of any really old emails, you can do that here before proceeding since the less mail you have here, the quicker it will be to complete the syncronization in step #6.

  5. On the bottom left of the account list column, click the plus sign to add a new account, then select “Other Mail Account…” and click “Continue”. Enter your information (name, Bell email address and password), then click “Sign In”.

  6. Next, keep checked the apps you want to use with the account, then click “Done”. Depending upon how much old mail you have and your internet speed, this could take quite some time.

  7. Once you are satisfied that you have what you need from the old Bell POP account, you can delete it and the mail it contained... or keep it for as long as you need to.


Share this with others you know may be frustrated with having received repeated duplicates on their Bell email account.


Until next time!
Bob


Comment on this blog item.

Bell Duplicate Email Solution for Windows Users

Still struggling with the duplicate email issue with your Bell account? Here's the step Bell forgot to mention: create an IMAP version of your account... wait, don't freak out... it's easy to do and will stop the duplicate email issue.

Here's why and how... up to Bell's transition date, they supported the POP (
Post Office Protocol) for email. That meant that when you deleted an email in your Bell Account on your computer, you had to repeat the process on every other device that same account was on. On the other hand, IMAP (Internet Message Access Protocol) is better because with it when you delete or move an email on one device your action is mirrored on the server and so every connected device duplicates that action automatically. That means you don't have to!

Without setting up a Bell IMAP version of your account, your old POP account is trying to talk to Bell's new IMAP server and that's like, well, Apples and Oranges... they just don't speak the same language. So, when your existing Outlook or whatever email software you use pulled your mail down and tried to told the IMAP server that it had the new mail, the IMAP server ignored that since it doesn't speak POP and kept those messages marked as new or unread. The next time you checked mail... you got them again, the process repeated and so here you are with probably thousands of copies of the same messages all marked as new or unread.

Let's get to the steps (Mac users your instructions are here):

  1. We need to stop your old POP account from trying to pull mail. To do that, open your Outlook, then click FILE then OPTIONS then ADVANCED.

  2. The screen you should see is "Outlook Options". On the right side, Scroll down until you see the "Send/Receive" button then click it.

  3. The screen you should see is "Send/Receive Groups". Click "Edit" and now you should be looking at "Send/Receive Settings - All Accounts." Find your existing Bell Sympatico account on the left side, click it once then on the right side uncheck "Include the selected account in this group", then click "OK", then click "Close" and finally click "OK" as you back yourself out to the main Outlook screen you are used to seeing.

  4. Go to: https://webmail.bell.net and log into your NEW Bell webmail space. Under your inbox you'll see a folder called "POP" - that's where your emails from the old server are stored. You are now sitting in the new IMAP server. If you want to get rid of any really old emails, you can do that here before proceeding since the less mail you have here, the quicker it will be to complete the syncronization in step #6.

  5. Go to your Outlook, then select FILE then ADD ACCOUNT then E-mail Account. Enter your name is you want it to appear, your full Bell email address and your password from step #1.

  6. You'll get a couple of questions asking your permission to automatically setup the new account... select "ok" or "yes" and if you've done everything correctly, within a minute, you'll have your new Bell IMAP account setup and it'll start to pull mail. Depending upon how much old mail you have and your internet speed, this could take quite some time.7. Once you are satisfied that you have what you need from the old Bell POP account, you can delete it and the mail it contained... or keep it for as long as you need to.


Share this with others you know may be frustrated with having received repeated duplicates on their Bell email account.


Until next time!
Bob


Comment on this blog item.

Mac Flashback Trojan - The Death of Mac Invincibility

I'm going to start by referring you back to the opening line of my blog Macs can be infected AND be carriers of malware where I said, "Yes, Macs CAN be infected. Period." That was Mar. 21, 2012 (16 days ago). Today, even the staunchest of "Macs can't get viruses." believers find themselves staring into the eyes of a colossal 620,000+ gorilla of an "I told you so."

Here's the executive summary:

A Trojan is a computer infection that enters your computer by pretending to be something else. In this case, Flashback pretends to be an update for the Adobe Flash Player. Reports started 4 days ago and were confirmed today - Fri., Apr. 6, 2012 - by Kaspersky Labs. The full report is here: 
http://goo.gl/6zLzv.

Using some complex reverse engineering techniques, the smarties at Kaspersky Labs watched as 620,000+ unique computers logged into the pretend Flashback mother-server they created. They know the count is close to accurate because Flashback uses each computer's unique ID in the process. In a nutshell, the breakdown appears to be:

flashback-trojan-15
flashback-trojan-14


So, let's cut to the chase... what to do? Here we go... step-by-step:


Step #1: Run Apple Software Update.

Step #2: Disable Java in Safari and or Firefox.

Step #3: Determine whether your Mac is infected.

Step #4: What to do if your Mac is NOT infected.

Step #5: What to do if your Mac IS infected.


Until next time!
Bob


Comment on this blog item.


Phishing Scams Without Borders - From Germany With Love

Okay, I know I've already blogged about email phishing scams, but this one was close to home, so I thought I’d share. I received an email this morning, supposedly from ScotiaBank… NOT. Let’s review…

  1. banks NEVER send requests for confidential information by email; and
  2. banks aren’t going to make spelling and grammar mistakes on professional communications to clients.

So, here’s what the email looked like, marked up with the appropriate comments:

scotiabank-phishing-01


And how did this phishing scam of an email find yours truly? It took 6 jumps:

  1. it originated in Germany
  2. made a short visit to France
  3. then to another server in France
  4. it hopped across the Atlantic landing in Boston, Massachusetts
  5. it scooted up to Burlington, Massachusetts
  6. zipped from the east coast over to the west landing in one of Apple's servers in Cupertino, California
  7. and finally was delivered to my Apple iCloud account from which my mail program pulled it down.

It's trip took only a couple of minutes start to finish.

scotiabank-phishing-02

I'm going to split into two directions now: for those that don't want to know how I traced this back, stop here and take with you five things:

  1. if you receive an email from someone you don't recognize, DON'T OPEN IT, instead delete it
  2. if you open an email and it's asking you to click a link... READ the email... did you order the product or service it's about? If not, delete it
  3. if an email is asking you to click a link... hover over - DON'T CLICK - the click and check the URL in the yellow tool tip against what is displayed - if they aren't the same or at least look like they're going to take you to the intended website... you guessed it, delete it
  4. governments, banks, cell phone companies, and pretty much EVERYONE doesn't use email to verify personal/private/confidential information because email is largely UNENCRYPTED and NOT SECURE - if you get an email asking ANYTHING to do with personal/private/confidential information, delete it
  5. if you want to report the phishing attempt to the organization the attacker's email is pretending to be from, check the organization's website or call them since most have an abuse@ or phishing@ email address that you can forward the email to and they'll attempt to track the source and take appropriate action 


How did I trace the source of this email phishing scam?

If you've hung on to this point, then you want to know how I traced this email to its origin, so here we go. Every email has a header... the part at the top that contains the "From", "To", "Subject", "Date", information. What you don't realize is that there's WAY more in the header than just what we normally see.

Our email programs are set to display the "friendly" headers we are used to seeing. In fact, the header of each email contains its routing information that accumulates as the email travels from its origin to its destination. Spammers and scammers rely on the fact that most people don't know about the routing info in the headers, how to access it and how to use that information to trace the origin of their phishing emails.

Let's pick apart the detailed header of this email so you can see how I traced the path of this Geschenk (gift):

scotiabank-phishing-03


The only extra step was in #4... 10.20.15.2 and 10.20.13.1 are internal network IP addresses, so I had to look up the external IP address of the eigbox.net domain. This is where the link from my info@ address to my @me.com address took place.

To look up the IP addresses I used WhatIsMyIPAddress.com and for looking up the hostname to get the IP address in step #4, I used the hostname to IP address lookup page from the same website. This website also has a page that will attempt to trace the source of an email automatically by allowing you to paste the full header of the offending email into their webpage - what I did the long way - but in my case it wasn't able to figure out the route. You may want to try this before you roll up your sleeves and do it my way.


How do you display the full header information on your email program?

To set your own email program to display the full email headers, follow the instructions for your program by checking your help file. Here are the instructions for some of the more popular email programs borrowed from the Google Email Support Page:

Gmail

  1. Log in to your Gmail account.
  2. Open the message you'd like to view headers for.
  3. Click the down arrow next to Reply, at the top of the message pane.
  4. Select Show Original.

The full headers will appear in a new window.

Hotmail

Yahoo! Mail

Apple Mail

Mozilla

Outlook

Outlook Express


Until next time!
Bob


Comment on this blog item.

URL Shorteners - Not Just for Tweetaholics!

When you post to Twitter you only have 140 characters per Tweet… so EVERY character counts. What chews up your Tweet allotment the fastest? URLs or Uniform Resource Locators which is a synonym for “web addresses”.

So, what’s a Tweetaholic to do? Cue the fanfare… doo-doo-doo-dooooo! URL shorteners to the rescue! These services take your holy-crap-that’s-never-going-to-fit web addresses and squish them down to approximately 18-23 characters… a lifesaver of precious Tweet space! Now this isn’t just good for Twitter… if you look around you’ll find shortened URLs all over the place. They stand out because they start with the name of the shortening service followed by what looks like goobledegook.

For example, both of these will take you to my blog about avoiding bogus emails (a.k.a. phishing scams):

the actual URL comes in at a lengthy 61 characters: http://www.digitalhero.ca/hero-blog/avoid-phishing-scams.html or… shortened to a Twitter-friendly 19 characters: http://goo.gl/RsbQA

How do URL shorteners work? Each service takes the holy-crap-that’s-never-going-to-fit URL you throw at them, then create an entry in their database of the actual URL while generating a unique, short version of it. When someone clicks that shortened URL, it goes to the URL shortener’s website, the shortened URL is looked up, its actual holy-crap-that’s-never-going-to-fit version is located and sent to your browser along with a redirect command routing you to that web page.

Here are some of the top shortener services listed in no particular order, but oddly enough… shortest to longest URL:

Each of these allows you to use their service as a "guest", but if you opt to create an account, you are able to see how many times your shortened URL has been followed.

One final note: beware of “Twishing Attacks”… yes, if you read my blog about bogus emails (phishing scams), then you’ll recognize the term “Twishing”… from Twitter and phishing. Although not as prevalent in its original form: back in 2009 Twishing attacks tried to lure Twitter users to bogus Twitter look-alike websites with the intent of stealing their username and password.

Many social media lovers use the same/similar username and password for their various accounts so once they were tricked into entering them on the bogus site, the attacker could use them to get control of any social media accounts they were used with.

Combat Twishing attacks by:

  • keeping your anti-virus/anti-malware software up todate
  • reading tweets, emails and any communication carefully BEFORE clicking on links they contain
  • using the techniques from my blog about bogus emails (phishing scams) to help spot fake web links, if they haven't been shortened... what works in attackers favour is that you can’t tell whether shortened URLs are legitimate by looking at them and comparing them against the link displayed in the tool tip when you hover over them… so make sure you trust the source of the message that contains them

Until next time!
Bob


Comment on this blog item.

Macs can be infected AND be carriers of malware.

Yes, Macs CAN be infected. Period.

Granted that because of the way their operating system is built (largely thanks to the UNIX core it draws from) it is more difficult to infect them, but none the less they can be infected. More importantly, your Mac can be a carrier for malware spreading that malware to others you email, etc.

One reader of my blog sent me an email they received, apparently from PayPal, telling them that a payment had been deposited into their account. Fortunately, after reading my earlier blog item about avoiding bogus emails and phishing scams, they were able to recognize the warning signs. First, they didn't recognize the person who had supposedly paid them. Second, they hovered over the links and none of them matched their displayed counterparts.

They wanted me to check out this phishing scam and forwarded me the offending email. When I received it, my anti-virus immediately kicked in and grabbed the attachment. Here's the payload that was trying to launch before I even opened the email:

macs-can-carry-malware-01


Notice the "370163.emlx" piece... that was the attachment this email contained. As soon as the attachment was touched by my Mac's operating system, to write it to the hard drive, Kaspersky... my anti-virus-of-choice grabbed it allowing me the privilege of hitting the "Delete" button and bringing this potential nasty to a swift end. By the way... you can set your anti-virus to automatically deal with malware when it's detected. Don't think you need to be bothered every time one is found... I like to know because it's my business.

Here's what this malware was trying to do to my Mac:

macs-can-carry-malware-03


I contacted the reader and told them to immediately update their anti-virus definitions, run a complete scan of their computer and told them what to look for. Sure enough, the outdated definitions had allowed the malware to run. Fortunately, the scan was run soon enough after that the compromise was stopped.

The moral of this story?

  • Mac users still clinging to the old paradigm that our computers are invulnerable... wake up and smell the malware, baby! Stop being harbingers of malware for everyone you electronically connect with and throw down some anti-virus protection for your Mac. Here's a couple of the best choices: Kaspersky and Intego's Virus Barrier family of products. The latter is especially good right now because the app is also available for your Apple mobile devices. The tablet version of Kaspersky is being worked on for the iPad (no release date available), but currently they cover only Android devices.

Until next time!
Bob


Comment on this blog item.

Multifunction Copiers - Protect Your Privacy When Their Lease is Up

multifunction-copier01

Let's cut to the chase on this one... if your company owns or especially if it leases a multifunction copier, make certain the hard drive inside that copier is left with you or destroyed BEFORE the device leaves your premisses.

Multifunction copiers use a hard drive - exactly like the one in your desktop computer - to store every copy, scan and fax that goes through them. The result? Once that copier leaves your premisses, you have no idea where that copier will wind up and who will have access to the data its hard drive contains.

Watch these two videos... they reference American investigations, but can be easily applied to Canada, too. They are worth the time.



If you have electronic waste (E-waste) you can contact Paul at Artex Environmental... tell him that Bob Kyriakides of Digital Hero sent you!

Until next time!
Bob


Comment on this blog item.


Home   |   About Us   |   Testimonials   |   Services   |   Hero Blog   |   Sense of Humour   |   Contact Us   |   help@digitalhero.ca   |   905-717-5498
Privacy Policy: All services are rendered with the strictest of confidence. Your personal and or business information will never be shared with, or sold to, any third party.
Terms and Conditions: Prices may change without notice. Shipping, additional costs as a result of client-requested changes and taxes are extra.

© Bob Kyriakides 2017