Updates 2017-05-16

Hi, Folks!

It’s not Patch Tuesday, but Apple, Microsoft, Adobe, Google, and more have released updates today.

If you haven’t heard of “WannaCry” then you’re living under a rock. WannaCry is the closest thing to the Code Red worm we have seen in the last 15 years. This ransomware uses a known vulnerability, for which a patch was released three months ago, to infect computers, encrypt their contents and the contents of network locations, and sell access back to the victim – while also infecting other vulnerable network devices. If you’ve installed your updates within the last three months you’re not vulnerable to the specific network-level vulnerability in SMB that it uses to propagate, but that doesn’t mean you can safely open phishing messages, email attachments or random downloads. The UK NHS was hit hard by this malware primarily because they take almost 6 months to patch the PC hardware that they do support. Some single-purpose devices (MRI machines, for example) are simply never maintained, but are still granted network access. Sigh. Don’t do that.

The vulnerability exploited by WannaCry was first divulged by Shadow Brokers when they released a trove of hacking tools created and used by the NSA. In fact, one of the tools WannaCry utilizes is the same ETERNALBLUE exploit directly from the NSA toolset. This is not a coincidence. These tools were written specifically to be universally effective and able to be repurposed at will for additional access. It should come as no surprise that when a government agency is hacked, the tools they created are released and the public suffers as a result.

If a positive side to this event can exist, it’s that Microsoft actually released a security update for Windows XP to address the vulnerability. Since XP has been End-of-Life for years, this is really surprising.

The lesson everyone should take from this event, but particularly businesses and government agencies, is that the turnaround time for malware authors is much lower than they think. Delaying or even ignoring security updates because “it won’t happen to us” is foolhardy at best and welcomes disaster. You should have sufficient skilled IT staff to be able to fully test and roll out any security updates within days, not months. If that’s not possible, you should at least hire a good PR firm and have the releases prepared in advance so you can spin your incompetence in the news when you are inevitably hacked later.

Okay, back to our regularly scheduled program.

The typical computer should see approximately 300 MB of updates. Let’s get started.

Microsoft released updates for Windows and .NET, including Windows XP!

Apple released macOS 10.12.5, Security Update 2017-002, iTunes 12.6.1, Safari 10.1.1, and iCloud for Windows 6.2.1. Use the Apple App Store or Apple Software Update to install the most current versions.

Apple iOS 10.3.2, watchOS 3.2.2 (and 3.2.1), and tvOS 10.2.1 are security updates. Use Settings, General, Updates to install the most current version.

Google Chrome OS 58.0.3029.112 is a security update. Use Menu, Help, About to install the most current version. A reboot is required.

Don’t forget to check your mobile devices, too! Many updates will also apply to your tablet, phone, Kindle or television – so check your device-appropriate App Store and install updates.

Important Notes

Everything above this section should be checked by everyone on every computer. Chances are good that close to every single computer you touch will be affected by those updates. This is not the case with the items below, though you should still check each line item below to see if it applies to software you have installed.

Please remember that while I list many different applications within these updates, most people should ONLY install updates for a program if they already have a previous version of that program installed.

It is essential to maintain all the applications you have installed on your computer, but often you can minimize the time investment and the potential for exploitation simply by uninstalling software you do not need.

Also note that using the application’s own “check for updates” function, when available, will best preserve your current settings, and often avoids any crapware that might come with a fresh installer. Use this option if it’s available to you.

Finally, if you’re sick of doing this all yourself, let me! Call or email me any time, and we can set you up with subscription SaferPC updates which will be installed each month whenever necessary. Click, call or email for more details:

Internet Updates

One or more of these are likely to be of interest to everyone.

Skype improves quality and resolves several bugs. This version also imposes a requirement for a newer MSVCRT, which may trigger problems on any OS prior to the Windows 10 Creators Update (1703). If you receive an MSVCRT error upon running Skype after updating, download the current version of the MSVCRT.

BrowsingHistoryView 2.05 adds the ability to load history from a remote device when you have full admin rights on that device.

Media Updates

These are unlikely to be of interest to most people.

iTunes 12.6.1 is a security update. Use Apple Software Update to install the most current version.

Office Updates

One or more of these are likely to be of interest to most people.

Notepad++ 7.4 adds document peeking, bug fixes, and reliability improvements.

Security Software Updates

One or more of these is likely to be of interest to most people.

Wireless Network Watcher 2.12 improves reliability on devices with multiple wireless network adapters. This is not a security update.

RogueKiller 12.10.9 adds detections. This is not a security update.

Converter Updates

These are unlikely to be of interest to most people.

DVDFab adds support for newer protections, incorporates BDInfo. This is not a security update.

Utility Updates

These are unlikely to be of interest to most people.

GSmartControl 0.9.0 resolves several bugs, improves reliability and stability, adds newer hardware support, and improves drive type detection. This is not a security update.

Everything resolves several bugs, and adds pause/resume capability. This is not a security update.

CCleaner 5.30.6063 improves cleaning, SSD detection, and resolves several bugs. This is not a security update.

Rufus 2.15 improves compatibility with Windows 10 v1703, updates libraries, and resolves several bugs. This should be treated as a security update.

WinScan2PDF 3.46 improves hardware support. This is not a security update.

ProcDump 9.0 adds multiple dump sizes, and Kernel Dump process association. This is not a security update.

Autoruns 13.71 adds Microsoft HTML Application Host (mshta.exe) as hosting image so it displays the hosted image details, and now doesn’t apply filters to hosting images. This is not a security update.

BgInfo 4.22 honors applocker policy for VB scripts specified as the source of field data. This is not a security update.

LiveKd 5.62 is now signed with a certificate trusted by Win7. This is not a security update.

Process Monitor 3.33 resolves several bugs, and is now signed with a certificate trusted by Win7. This is not a security update.

Process Explorer 16.21 resolves a bug with VT support, and is now signed with a certificate trusted by Win7. This should be treated as a security update.

Web Package Updates

These are likely to be of interest only to web developers.

SMF 2.0.14 is a security update. This version also changes PHP requirements, so if the upgrade will not complete try upgrading PHP first then upgrade SMF.

TinyMCE 4.6.1 resolves several bugs. This is not a security update.

WordPress 4.7.5 is a security update.

That’s all for now folks. Keep it clean out there. 😉


Shawn K. Hall

Another Reason Why You Need a Password Manager

This Wordfence article is a great demonstration of why using a password manager is so important.

The message the author is pushing is “these browsers suffer because it’s easy to phish them” when the reality is that the specific “vulnerability” is actually the way the Internet is designed. The weakest link for all phishing is always PEBCAK – aka, “Problem Exists Between Chair and Keyboard”. Phishing is not your typical security problem, because it’s not the computer the attacker needs to convince, it’s the person.

Don’t get me wrong, I’m not saying that there should not be some visual and functional indication for IDN domains, but the user is still going to be the weakest link. Any indicator would go unnoticed or misunderstood by most people anyway.

A better solution is to use a password manager such as RoboForm. RoboForm bypasses this issue by preventing you from authenticating to forged domains. RoboForm (and most other password managers) authenticate only to trusted domains, so even though the IDN domain may visually appear to be the same, it will not be treated as the real domain within the password manager.

See how RoboForm addresses this problem. In the first image you can see the emboldened stored credentials which will only appear if the domain is a match for the stored login.

Demonstration of RoboForm Domain Match

RoboForm Domain Match

Here we have the punycode IDN variation, which, since it is actually a different domain, has no match in RoboForm.

Demonstration of RoboForm Domain Mismatch

RoboForm Domain Mismatch

The specific issue at hand is phishing that uses one cosmetic trick to get the user to authenticate to a domain that appears to be the real thing. There are many other ways that domains can be made to look like the real thing, and each of them will still work after this particular issue is addressed.

Using a password manager is the best and easiest way to ensure that you’re visiting the real site. It also provides strong authentication and far better passwords than you can create on your own.
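As an added illustration (example code written for this post, not RoboForm’s or any other password manager’s implementation), here is how a password manager can refuse to offer a stored login to a look-alike domain: hostnames are compared only after IDNA (punycode) encoding, so a Cyrillic “а” in the first label never equals the ASCII “a” it resembles. The hostnames and URLs are constructed for the demonstration.

```python
"""Constructed example: exact-match domain comparison for stored credentials.

Not RoboForm's code. The hostnames below are made up for the demonstration.
"""
from urllib.parse import urlsplit


def to_ascii_host(host: str) -> str:
    """Canonical ASCII form of a hostname: lower-cased, trailing dot removed,
    every non-ASCII label converted to its xn-- punycode form.

    Python's "idna" codec leaves ASCII labels (including existing xn-- labels)
    untouched, so a Unicode hostname and its punycode form compare equal, while
    a look-alike hostname and the genuine one do not.
    """
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def host_of(url: str) -> str:
    """Hostname part of a URL, or '' when the URL has none."""
    return urlsplit(url).hostname or ""


def credential_matches(stored_host: str, visited_url: str) -> bool:
    """Offer the stored login only when the canonical hostnames are identical.

    Assumption (not from the post): the manager matches the whole hostname,
    so a login stored for example.test is not offered on login.example.test.
    """
    return to_ascii_host(stored_host) == to_ascii_host(host_of(visited_url))


def lookalike_labels(host: str):
    """Labels whose punycode form differs from what the user sees on screen.

    These are the labels a UI would have to render as xn-- to make the
    difference visible; returns a list of (as_displayed, as_encoded) pairs.
    """
    pairs = []
    for label in host.strip().rstrip(".").lower().split("."):
        encoded = label.encode("idna").decode("ascii")
        if encoded != label:
            pairs.append((label, encoded))
    return pairs


if __name__ == "__main__":
    genuine = "apple.com"
    # Constructed look-alike: the first letter is Cyrillic U+0430, not Latin a.
    forged = "https://\u0430pple.com/login"
    print("canonical form of forgery:", to_ascii_host(host_of(forged)))
    print("offer login on genuine site:",
          credential_matches(genuine, "https://APPLE.com/signin"))
    print("offer login on look-alike :", credential_matches(genuine, forged))
    print("labels that need xn-- display:", lookalike_labels(host_of(forged)))
```

The same comparison also catches the reverse case, a bookmark stored in Unicode form and a site visited by its xn-- name, because both sides are encoded before being compared.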

Okay, now go get RoboForm.

That’s all for now folks. Keep it clean out there. 😉


Shawn K. Hall

Catphishing on the Rise

In the last week I’ve had three separate Facebook friends re-friend me using new accounts. A few months ago I even had a cousin re-friend me “after Facebook sent him a million dollars and he could finally afford to create a new account!” His words, not mine. He was, of course, not actually my cousin but an impostor trying to get me to click through a third party link to infect my computer. It was kinda cute. 🙂

Clients have reported that online friends they’ve known for years are now re-friending them and asking for money to bail them out of strange situations — everything from jail to “beta testing” to solar investment loans. In all cases, contacting the person directly with their (previously known) offline contact methods (phone, text, IRL) results in first surprise, then horror, as the person realizes what has been done in their name.

And that’s the real issue here. It’s not like you’re witnessing your friends falling for a scam from an anonymous Nigerian Prince. No, they’re friending you and you (in their mind) are responsible for anything that happens to them. From that moment forward, even long after they learn it was not really you, they’ll always associate you with this event. Some won’t talk to you anymore out of embarrassment. Some will blame you as though there were some way you could have prevented their folly. In any case, you’re both harmed by a total stranger using your name.

This phenomenon is called catphishing: the process of creating a fake online persona based on someone else and using it to take advantage of the target’s friends. Impersonation through, quite literally, duplicity.

Here’s the problem

She was astonished to see how her grandmother looked.

Online service providers, such as Facebook, Google, Yahoo, Microsoft and so on, don’t exactly perform DNA testing to ensure that the guy claiming to be your neighbor really is your neighbor. If they did, nobody would use their services. Since they don’t, it’s up to you to be able to identify whether it really is your neighbor.

They don’t make it easy.

These intelligent scammers will use just about any means possible to replicate the identity of the person they’re posing as. They’ll re-use the same or similar image as their personal photo. They might crop it differently than the original that they’ve harvested from the real person’s page, but it’ll be “real”. They’ll also migrate some content, mostly copied directly from the original account, onto the new catphishing page. They’ll also copy personal details, such as dates, employment or social history, possibly even replicating the victim’s relationships with additional accounts. All it really takes, when the information is already available only a click away, is the time to copy and paste.

These types of phishing accounts are usually short-lived. Within only a few days they’ll be identified by the target’s friends as a phish, though in that time dozens or even hundreds of people may be victimized. This means the attacker will have to act fast. Once they’ve created the account they’ll quickly send out many friend requests to the target’s existing friends. They’ll then add or contact many, and the few that answer quickly will then be socially engineered.

First a little small talk, then mentioning some great event – like being mailed a million dollars by Mark Zuckerberg, or how they just saved a bunch of money by doing something different like taking advantage of a government program or loan gimmick. They won’t waste much time getting to the pitch, though they might not be able to respond to everyone all at once so it might be a day or two before they push. When you feign interest they’ll have a link at the ready to help you “research” their pitch. It might even be a personal page on a popular site or a typo-squatted version of a popular domain. They’ll seed the idea then send you a link to infect yourself or enable you to self-hijack by posting your account information at an untrustworthy site.

While you’re giving up your information, your real friend is completely oblivious to what is happening.

So how do you protect yourself?

First and foremost, don’t just friend everyone that asks. A very effective means of security (in most things) is to let other people be the guinea pig. This means you don’t respond to friend requests or new contacts immediately. Just wait. At least a couple of days, but a week or more is ideal. By this time, if it’s a phish, there’s a good chance other people will have suffered at their hands, and thus the account may have been locked or shut down by the time you are prepared to accept the friend request. Patience really is its own reward.

Of course, if you suspect an account isn’t legitimate, report it. Most popular websites have tools to report various contacts and requests, and these are the tools you should be using. This allows the website owner (such as Facebook) to aggregate information about these attacks to block specific types of attacks or shut down entire networks of attackers all at once, and possibly prevent some of them in the future. It’s up to you to report it properly and fully, however. Simply blocking a user will not have any effect other than eliminating their unwelcome messages to you. If you want to stop it you have to be specific in how you report it.

On Facebook you can go to the fake user account page, click the account action button (…), select Report, Report this profile, then select “They’re pretending to be me or someone I know.” Then follow the prompts.


Don’t forget to tell the person they’re claiming to be, preferably through a previously known offline contact method.

What if they’re posing as me?!

Same thing. Report them quickly and warn your friends that may have succumbed to your fake friendship.

But wait, there’s more! In most states there are laws against phishing. Here in California the law is really written only to protect businesses, but you, as a victim, can sue an impostor for a half million dollars if they pose as your business.

It doesn’t hurt to regularly search social media for your own name, too. Not your account, mind you, just your name. This will return other accounts that are using your name so you can investigate them. Even a few minutes of effort once a month can save you and your friends from a lot of hurt down the road.

Another trick is to add a Google Alert to your name for social media. This bypasses your own social account (if configured correctly) and emails you whenever your name appears on a site. First go to Google Advanced Search and fill out the form to use a search phrase such as this:

“john t example” site:facebook.com -“johntexample”

This searches for his exact name, on Facebook, but excludes his Facebook slug/username. Now go to the Google Alerts page and enter the formula you composed above, click “Show options”, then set the alert to contact you once per day. It’s not a perfect solution, but it might catch a phish.

Good luck, and keep it clean out there,

Shawn K. Hall

Enable SSL Certificate Revocation Checks

Today brings another disclosure of an SSL certificate for a popular entity being improperly issued. Such certificates allow the attacker to spoof content, and perform phishing and man-in-the-middle attacks against users who might otherwise not have any reason to distrust their connections. The potential for exploitation increases significantly on untrusted networks, such as open Wi-Fi nodes, minimal security networks like coffee shops and airports, and so on. I suggest you use OpenDNS to minimize the risk of DNS poisoning — it has many other benefits as well.

This is only the most recent example of a popular certificate being issued to the wrong party. Sadly, this type of thing happens on a regular basis.

Even so, many browsers still fail to perform proper certificate validation to ensure that this type of hijacking is a minimal risk. The default behavior for most recent operating systems and browsers is to perform some certificate revocation checks, but to leave some of the options that make those checks meaningful turned off. You can verify that your browser is properly configured within its settings as below.

For Internet Explorer:

Go to Tools, Internet Options.

IE - Tools, Internet Options

Click the Advanced tab, then under the Security group check both “Check for publisher’s certificate revocation” and “Check for server certificate revocation“.

Check both "Check for publisher's certificate revocation" and "Check for server certificate revocation"

Click OK to save the options.

For Chrome:

Go to Menu, Settings:

Chrome: Menu, Settings

Scroll to the bottom and click show advanced settings.

Chrome: Show advanced settings

Finally, check the box for Check for server certificate revocation. Your preference will be saved immediately.

Chrome: Check for server certificate revocation

For Firefox:

Go to Menu, Options.

Firefox: Menu, Options

Click the Advanced tab, the Certificates sub-tab, and the Validation button.

Firefox: Advanced, Certificates, Validation

In the popup check both options, “Use the Online Certificate Status Protocol (OCSP) to confirm the validity of certificates” and “When an OCSP server connection fails, treat the certificate as invalid”. Click OK and OK in the Options window to save the changes.

Firefox: Certificate Validation

And while all of this is important, don’t forget to set up OpenDNS!
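To show what those browser checkboxes actually buy you, here is an added example (written for this post, not taken from any browser or from OpenSSL’s documentation) that drives the openssl command-line tool from Python: it builds a throwaway CA, issues a server certificate for a made-up hostname, revokes it through a CRL, and then verifies the revoked certificate with and without revocation checking. It assumes `openssl` is on the PATH; every name and path in it is constructed for the demonstration.

```python
"""Constructed demo: a revoked certificate still verifies unless the verifier
is told to check revocation. Drives the openssl CLI; assumes it is on PATH.
All names are made up for the demonstration.
"""
import os
import subprocess
import tempfile

# Minimal 'openssl ca' configuration: just enough state to revoke a
# certificate and publish a CRL. {dir} is filled in with the work directory.
CA_CONF = """[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = {dir}
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 7
"""


def _openssl(*args, cwd):
    """Run one openssl subcommand quietly; True when it exits with status 0."""
    proc = subprocess.run(["openssl", *args], cwd=cwd,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def build_pki():
    """Create a self-signed CA and a leaf cert for a fictitious host; return the work dir."""
    d = tempfile.mkdtemp()
    ok = _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "30",
                  "-subj", "/CN=Demo Revocation CA",
                  "-keyout", "ca.key", "-out", "ca.crt", cwd=d)
    ok &= _openssl("req", "-newkey", "rsa:2048", "-nodes",
                   "-subj", "/CN=www.example.test",
                   "-keyout", "srv.key", "-out", "srv.csr", cwd=d)
    ok &= _openssl("x509", "-req", "-days", "30", "-in", "srv.csr",
                   "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
                   "-out", "srv.crt", cwd=d)
    if not ok:
        raise RuntimeError("openssl certificate setup failed")
    os.mkdir(os.path.join(d, "newcerts"))
    open(os.path.join(d, "index.txt"), "w").close()   # empty CA database
    with open(os.path.join(d, "serial"), "w") as f:
        f.write("1000\n")
    with open(os.path.join(d, "crlnumber"), "w") as f:
        f.write("01\n")
    with open(os.path.join(d, "ca.cnf"), "w") as f:
        f.write(CA_CONF.format(dir=d))
    return d


def revoke_and_publish_crl(d):
    """Revoke the leaf certificate and write the CA's CRL to ca.crl."""
    return (_openssl("ca", "-config", "ca.cnf", "-revoke", "srv.crt", cwd=d)
            and _openssl("ca", "-config", "ca.cnf", "-gencrl", "-out", "ca.crl", cwd=d))


def verify_leaf(d, check_revocation):
    """Verify srv.crt against the CA; optionally consult the CRL as a browser would."""
    args = ["verify", "-CAfile", "ca.crt"]
    if check_revocation:
        args += ["-crl_check", "-CRLfile", "ca.crl"]
    return _openssl(*args, "srv.crt", cwd=d)


def revocation_demo():
    """Outcome of the three checks: before revocation, after without CRL, after with CRL."""
    d = build_pki()
    fresh = verify_leaf(d, check_revocation=False)
    if not revoke_and_publish_crl(d):
        raise RuntimeError("revocation failed")
    return {"fresh": fresh,
            "revoked_no_check": verify_leaf(d, check_revocation=False),
            "revoked_with_check": verify_leaf(d, check_revocation=True)}


if __name__ == "__main__":
    for step, accepted in revocation_demo().items():
        print(f"{step:20s} accepted={accepted}")
```

The middle result is the point of the post: a verifier that never asks about revocation keeps trusting the certificate, which is exactly what a browser with those checks turned off does.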

The DNSChanger Scare – or Is the FBI Really Going to Turn Off the Internet?

Unless you live in a cell at Guantanamo Bay, chances are you’ve heard the horror stories of how the FBI is going to be turning off the Internet for millions of Americans in less than 48 hours. Let’s dispel a few myths:

Will I Lose Internet Access?


We’re not talking about some sort of doomsday event. Even if you’ve been infected with the DNSChanger malware, your Internet service will not go down. DNS would not resolve, which would mean that while you probably won’t be able to visit any websites until you fix it, the hardware, software and networks will remain in place to ensure your Internet service is operating fine.

And if you do lose access, it’s important to understand that “it’s not them, it’s you.”

The only way that you could be affected by this issue is if you’re one of the approximately 4 million (worldwide) people that were infected with one of the DNSChanger malware variants (such as Zlob) over the last six years and have not disinfected your computer yet. If you’ve been running, well, any antivirus software over the last year or so, you would have been disinfected and had your DNS settings reset. No big deal.

What’s DNS and Why Should I Care?

DNS, or the Domain Name System, is one of the core functions of the Internet. This service is usually provided by your ISP to translate domain names like example.com to their IP addresses. DNS also provides other capabilities, such as the ability to have redundant networks should a server fail, provides the very basis for email relay capabilities (MX), anti-spam measures (DNSRBL), and ensuring that the site you’re connecting to is the “real” site (DNSSEC).

If your DNS doesn’t work, you won’t be able to visit any domain-name based websites (such as google.com, bing.com, facebook.com or yahoo.com). You will still be able to visit IP-based websites such as or

Windows Sucks!

A common myth about DNSChanger is that this malware only infected Windows computers. That’s not true. It did not only affect Windows-based computers: it may also have infected your Mac OS X (RSPlug & Puper), changed the settings on your Router/Modem or even your phones (via Flush.*).

While Windows was surely the most popular target, it was most definitely not the only one.

How Can I Tell If I’m Infected?

You can test whether you will be affected by the DNS changes simply by visiting dns-ok.us or even Google or Facebook – if you see a message indicating that you’re infected or need to correct your DNS, then you’ve got problems.

If you’ve been infected, you should first disinfect your computer. Changing your DNS settings alone will not remove the malware from your computer! You can get the free version of MBAM, AVG, Avast!, or use the McAfee DNS Checker tool to remove the malware from your computer.

Infected or Not, What Should I Do?

Run a virus scan. There are literally dozens of free anti-virus programs out there. Pick one. Run it. Do this once in a while even when the MSM isn’t in Chicken Little mode. If you’re infected, it means you haven’t run a scan since at least November. Think about that for a minute.

Then immediately set up OpenDNS on your computers and networks. OpenDNS ( & is a free DNS service that provides additional protection by filtering out phishing and malware sites automatically – with the option of filtering another 58 categories of content from porn to p2p to web spam or even politics (free account required).

If you’re insane and would prefer to avoid the added security of the phishing and malware filters provided free by OpenDNS, you can opt instead to use Google’s Public DNS ( & Or contact your ISP to find out what their DNS servers are usually set to.

How Did I Get Infected?

If you were infected by this malware you were most likely visiting porn or warez sites on your computer, or used an Internet connection that was already infected by someone else that had. The sad truth of computer security is that even “being good” won’t prevent you from being infected when someone else on your network is bad.

Again, the best way to ensure that your computer/phone/tablet isn’t infected through this DNS poisoning method is to set up OpenDNS directly on your device so that it always uses a “safe” DNS source.

Why is the FBI Turning Off This Service?

A better question would be, why did they turn it on in the first place? All they’ve done by replacing the malware DNS servers with their own is spend $10,000/month and preserve hundreds of thousands of infected computers. What they should have done is replace it with a locked DNS that relayed all requests directly to dns-ok.us or the DCWG so people that were infected could immediately correct it. Instead, they’ve prevented the malware from propagating, but they’ve enabled as many as half a million computers to stay infected. As an IT guy myself, I see this similarly as if they had sold untrackable guns to drug cartels so they could see what they did with them.

The bottom line…

This is not really the problem it’s been made out to be. The DNS Changer Working Group (DCWG) spokesman Barry Greene is quoted as saying:

“Think about it: Various estimates place the number of PCs worldwide at between 1 billion and 2 billion. That means the 250,000 or so still-infected computers represent fewer than 2-100ths of a percent (0.02 percent) of all PCs in the world. That’s about the number of PCs a botnet hunter commandeers in a single day,” Greene says, adding: “It’s no big deal.”

Really, my only serious concern is that for some reason the FBI will change their mind and postpone shutting down the servers again, effectively keeping these users infected even longer.

That’s all for now folks. Keep it clean out there. ;)


Shawn K. Hall