Computer News & Safety – Harry Waldron

February, 2016:

Malware – Malicious fake invoices with Word macro virus circulating

Graham Cluley’s security site shares awareness on avoiding the fake invoice emails currently circulating with Word macro viruses embedded (a 20-year-old attack method):

It’s been over 20 years since the first Word macro virus reared its ugly head and pulled the carpet from underneath the feet of computer users worldwide.  Up until then, it was pretty easy to know what to look out for – executable files (normally .EXE or .COM) and floppy disk boot sectors.

But macro viruses changed all that, infecting the templates inside Microsoft Office files – Word documents, Excel spreadsheets and PowerPoint presentations – where Microsoft had, rather unhelpfully from the security point of view, incorporated a macro language that could execute instructions.

And, of course, computer users were much more used to having Word documents and even (in some cases) spreadsheets sent to them via email than they were .EXE files, and so the opportunities for malware to spread successfully grew significantly.
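As an added, defender-side example (not part of Graham Cluley’s article or of this post), the following Python script inspects an attachment’s container instead of trusting its file extension: macro-enabled OOXML files (.docm, .xlsm, .pptm) are ZIP archives carrying a vbaProject.bin part and a “macroEnabled” content type, while legacy binary .doc/.xls files are OLE2 compound files that the script only flags for manual review, since judging their macros needs a full OLE parser. The sample documents are constructed in memory and contain no real macro code.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file format used by .doc/.xls/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

MAIN_CT_PLAIN = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)
MAIN_CT_MACRO = "application/vnd.ms-word.document.macroEnabled.main+xml"


def classify_office_blob(data: bytes) -> str:
    """Classify raw file bytes by what the container says, not by extension.

    Returns one of:
      'ooxml-macro'     - ZIP container with a VBA project (treat as executable)
      'ooxml-no-macro'  - ZIP container without any VBA part
      'legacy-ole'      - binary .doc/.xls/.ppt; needs an OLE parser to inspect
      'unknown'         - not an Office container at all
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if not data.startswith(ZIP_MAGIC):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Any part named vbaProject.bin (under word/, xl/, ppt/ ...) is a macro project.
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            content_types = (
                zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
            )
    except zipfile.BadZipFile:
        return "unknown"
    # The content-type manifest also declares macro-enabled main parts and the
    # vbaProject content type; check both so a renamed part is still caught.
    macro_declared = b"macroEnabled" in content_types or b"vbaProject" in content_types
    return "ooxml-macro" if (has_vba_part or macro_declared) else "ooxml-no-macro"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_ct = MAIN_CT_MACRO if with_macro else MAIN_CT_PLAIN
        manifest = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        )
        if with_macro:
            manifest += (
                '<Override PartName="/word/vbaProject.bin" '
                'ContentType="application/vnd.ms-office.vbaProject"/>'
            )
        manifest += "</Types>"
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project stream; no real code.
            zf.writestr("word/vbaProject.bin", b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VBA-STREAM")
    return buf.getvalue()


def triage_attachments(attachments: dict) -> dict:
    """Map attachment name -> classification; the name itself is deliberately ignored."""
    return {name: classify_office_blob(blob) for name, blob in attachments.items()}


if __name__ == "__main__":
    # A "docx" that is really macro-enabled: the extension lies, the container does not.
    samples = {
        "invoice_0216.docx": build_sample_docx(with_macro=True),
        "quote.docx": build_sample_docx(with_macro=False),
        "old_invoice.doc": OLE2_MAGIC + b"\x00" * 504,
        "readme.txt": b"plain text",
    }
    for name, verdict in triage_attachments(samples).items():
        print(f"{name:20s} {verdict}")
```

A mail gateway or help-desk triage script can quarantine anything that classifies as ooxml-macro regardless of its extension, and route legacy-ole files to a proper OLE parser rather than assuming they are clean.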

419 Scams – Avoid the Casino Online Winner spammed email

Malwarebytes shares awareness on avoiding scams that appear too good to be true, as the “Casino Online Winner” scam is currently circulating:

Remember the time when you won a ridiculous amount of money from a Casino you’d never heard of, much less visited?  Me neither, but as it turns out it doesn’t really matter when dealing with the wacky world of email spam – where winnings are often plentiful despite not actually taking part:

Dear Email User, Congratulations!!!!” You have won £3000.000.00 from SilverSands Casino Online Promotions”    We wish you success in our SilverSands Casino Online Promotions /Email Internet Program held in Republic of South Africa Announcement made today, Your Email Address was attached to Reference No: 04 08 09 11 36 50, Drew the Lucky winning No 11- 15 -16 -19 -22 -03 from 800,000 Email Addresses consequently won in the 1st Category. You have therefore Been Approved to claim a Star Prize of £3000.000.00 Three Million Pounds in cash credited to Power Ball No: 23 25-30-45-50-MB/2016. Payable through our Paying Agent in South Africa.

Below are your winning details for claiming
Winning Reference No: 04 08 09 11 36 50
Lucky winning No: 11- 15 -16 -19 -22 -03
Power Ball No: 23 25-30-45-50-MB/2016.
Amount Won: £3000,000.00

To claim Your Winning Prize Contact Mrs. Rachel Johnson Claim Director in our Paying Bank in South Africa for Immediate Release of your fund.

Contact Person: Mrs. Rachel Johnson

You are hereby advice to Contact Mrs. Rachel Johnson for your claim and send your information below with your winning details immediately via email to process your payment.

1.Your Full Name:
2.Your Postal or Residential Address:
4.Direct Mobile:
8.Reference No:
9.Alternative Email:

WordPress Security – Over 26,000 websites impacted by DDoS Attacks

Active botnets have been launching denial-of-service attacks against WordPress-based sites (often used for blogs), as shared below.

We first disclosed that the WordPress pingback method was being misused to perform massive layer 7 Distributed Denial of Service (DDoS) attacks back in March 2014. The problem being that any WordPress website with the pingback feature enabled (its default setting) could be used to attack the availability of other websites. The attacks would inundate the web server with Layer 7 requests resulting in very large DDoS attacks.

If you are not familiar with the terminology, Layer 7 attacks (also known as HTTP flood attacks) are a type of DDoS attack that disrupts your server by exhausting its resources at the application layer, instead of the network layer. They do not require as many requests or as much bandwidth to cause damage; they are able to force a large consumption of memory and CPU on most PHP applications, CMSs and databases. We provide a more in depth explanation in our previous article – Analyzing Popular Layer 7 Application DDoS Attacks.

Massive Layer 7 attacks – Despite the potential reduction in value with the IP logging, attackers are still using this technique, likely because website owners rarely check the user agent logs to derive the real IP address of visitors. For system administrators I highly recommend referring to it when performing your administrative and forensic tasks.

In a recent case we investigated, 26,000 different WordPress sites were generating a sustained rate of 10,000 to 11,000 HTTPS requests per second against one website. At some intervals, the attack would peak to almost 20,000 HTTPS requests per second. The attack started at 1pm (EST) and by midnight it was still ongoing.
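The excerpt above notes that the pingback User-Agent carries the real origin address and that administrators rarely look at it. As an added example (not code from Sucuri or from this post), the Python script below parses Apache/nginx combined-format access-log lines, separates WordPress pingback-verification requests from ordinary traffic, counts the reflecting WordPress sites and the origin addresses they disclose, and flags a flood once the pingback rate per second crosses a threshold. The log lines are constructed samples with documentation-range addresses; the threshold in the usage call is set low only to fit that small sample.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent sent by WordPress when it verifies a pingback. Since WordPress 3.9
# the address that requested the pingback is appended ("verifying pingback from").
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+); (?P<site>[^;]+)'
    r'(?:; verifying pingback from (?P<origin>\S+))?'
)

# Constructed sample: three reflectors hit the target in the same second with
# random query strings (a cache-busting pattern), one normal browser visit, and
# one older WordPress site that does not disclose the origin address.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2016:13:02:11 -0500] "GET /?9136214 HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.6 - - [10/Feb/2016:13:02:11 -0500] "GET /?8813902 HTTP/1.1" 200 5123 "-" "WordPress/4.3.1; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.7 - - [10/Feb/2016:13:02:11 -0500] "GET /?1220934 HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://blog-c.example; verifying pingback from 198.51.100.7"
192.0.2.10 - - [10/Feb/2016:13:02:11 -0500] "GET /about/ HTTP/1.1" 200 8210 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"
203.0.113.5 - - [10/Feb/2016:13:02:12 -0500] "GET /?4409127 HTTP/1.1" 200 5123 "-" "WordPress/4.4.2; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.8 - - [10/Feb/2016:13:02:12 -0500] "GET /?7719812 HTTP/1.1" 200 5123 "-" "WordPress/4.1; http://blog-d.example"
"""


def parse_line(line: str):
    """Return a dict of fields for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["ts"], "%d/%b/%Y:%H:%M:%S %z")
    pb = PINGBACK_UA_RE.match(fields["ua"])
    fields["pingback"] = pb.groupdict() if pb else None
    return fields


def summarize(log_text: str, rps_threshold: int = 100) -> dict:
    """Count pingback-reflected requests, the reflecting WordPress sites, the
    origin addresses they disclose, and the peak requests per second."""
    reflectors, origins, per_second = Counter(), Counter(), Counter()
    pingbacks = others = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["pingback"] is None:
            others += 1
            continue
        pingbacks += 1
        reflectors[rec["pingback"]["site"]] += 1
        # Older WordPress releases do not disclose the origin; count them separately.
        origins[rec["pingback"]["origin"] or "<not disclosed>"] += 1
        per_second[rec["time"]] += 1
    peak = max(per_second.values(), default=0)
    return {
        "pingback_requests": pingbacks,
        "other_requests": others,
        "reflectors": reflectors,
        "origins": origins,
        "peak_rps": peak,
        "flagged": peak >= rps_threshold,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, rps_threshold=3)  # low threshold for the tiny sample
    print("pingback requests:", report["pingback_requests"])
    print("peak pingbacks/second:", report["peak_rps"], "flagged:", report["flagged"])
    print("top reflectors:", report["reflectors"].most_common(3))
    print("disclosed origins:", report["origins"].most_common(3))
```

The reflectors list is what you would send to the owners of the abused WordPress sites, and the disclosed origin addresses are the ones worth blocking or reporting; the reflectors themselves are victims, so blocking them alone only shifts the problem.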

Windows 10 – Kaspersky Cleaner removes temporary work files rather than malware

Kaspersky has introduced a new cleaner tool to remove temporary Windows work files that can accumulate and use large amounts of disk space.  The new Kaspersky Cleaner is an alternative to CCleaner, Wise Disk Cleaner, and other similar tools, as documented below:

Kaspersky Cleaner is a free software from Kaspersky Lab to clean your PC. More precisely, Kaspersky Cleaner helps remove junk files from your Windows 10, Windows 8 or Windows 7 operating system and doesn’t deal with viruses, malware or spyware.

Kaspersky Cleaner Features — The free tool allows you to clear Recycle Bin contents, temporary files and various logs, restore system settings, and remove activity traces by deleting cookies, logs, and history from your web browser.

Overall, a decent product from Kaspersky Lab. Given that Kaspersky Cleaner is still in Beta phase, we expect the product to get additional features in future releases. As of now, CCleaner is probably the best free and safe cleaning utility out there for the Windows operating system. However, if you are a fan of Kaspersky Lab products, please visit the following link to download Kaspersky Cleaner for Windows.

Data Breach – IRS confirms up to 700,000 households impacted

The Internal Revenue Service shares an awareness that possibly 700,000 individuals may have been impacted by a data breach last year.  They have spotted some attempts to create false tax returns and are in the process of warning additional impacted households.

Cyberattacks on taxpayer accounts affected more people than previously reported, the Internal Revenue Service said Friday. The IRS statement, originally reported by Dow Jones, revealed tax data for about 700,000 households might have been stolen: Specifically, a government review found potential access to about 390,000 more accounts than previously disclosed.

In August, the IRS said that the number of potential victims stood at more than 334,000 — more than twice the initial estimate of more than 100,000.  Additionally, the IRS said there were 295,000 taxpayer transcripts that were targeted, but “access was not successful.” The agency said it will send mailings to affected taxpayers beginning February 29.

Android Security – FEB 2016 update patches 13 vulnerabilities

Earlier this month, Google issued a critical security update which patched 13 vulnerabilities.  Users should update promptly to ensure the best levels of security protection.

Google has come out with its second security patch update for Android in 2016, this time patching 13 vulnerabilities in the mobile device operating system. Five of the vulnerabilities are rated by Google as having critical severity.

Of the five critical vulnerabilities patched by Google, two (CVE-2016-0803 and CVE-2016-0804) are remote code execution vulnerabilities in Android’s mediaserver. The Android mediaserver has been the focus of Google security patches ever since the Stagefright flaw was first exposed in July 2015. As was the case in the January Android update, the new mediaserver flaws are not specifically in the libstagefright library, but they are in the same general area of Android’s architecture.

Security Updates – OpenSSL release planned for March 2016

Corporate users should carefully test, pilot, and install these new releases to better protect against critical vulnerabilities discovered and resolved by these updates.

The OpenSSL project team will be releasing OpenSSL versions 1.0.2g and 1.0.1s on 1 March 2016, which fix several high severity vulnerabilities. They are also reminding everyone that version 1.0.1 will end on 31 Dec 2016.

Microsoft Cloud – New Security tools emerging in 2016

As cloud based storage and application hosting are strategic for the future, improved security tools will be rolled out in 2016 to facilitate management and protection for these critical resources.

Microsoft is adding a range of new security management and reporting features to its Office 365 and Azure cloud services as part of the company’s holistic approach to enterprise security announced last year. In April, the company will release a new product called Microsoft Cloud App Security that will allow customers to gain better visibility, control and security for data hosted in cloud apps like Office 365, Box, Salesforce, ServiceNow and Ariba. The new product is based on technology from Adallom, a cloud access security broker Microsoft acquired in September.

Office 365 will also get some new security management capabilities that will be integrated with Microsoft Cloud App Security. These include security alerts that notify administrators of suspicious activity in the service; cloud app discovery that lets IT departments know the cloud services Office 365 users are connecting to; and app permissions, allowing administrators to revoke or approve third-party services that users can connect to Office 365.

Early in the second quarter, Microsoft plans to roll out Customer Lockbox for SharePoint Online and OneDrive, which will improve the customer approval process and will provide more transparency in situations when Microsoft engineers need to access Office 365 accounts and data to troubleshoot problems. Customer Lockbox is already available for Exchange Online.

The Azure Security Center received additional security management and reporting options. Customers can now configure security policies for resource groups instead of for an entire subscription. This allows them to set different policies for different types of workloads. Microsoft has added a new Power BI Dashboard to allow customers to better visualize, analyze and filter security alerts from any of their systems and devices in order to discover possible attack patterns and trends.

Malware – Fake Zika Virus news alerts spammed in Brazil

Symantec shares a security alert on a massive spam campaign in Brazil built around Zika virus concerns.  Malware authors often use major news events as bait to infect home or corporate users. Users should go to mainstream news sites to verify such claims rather than clicking a potentially malicious link.

On February 1, 2016, the World Health Organization (WHO) declared a Public Health Emergency of International Concern (PHEIC) in response to the outbreak of the Zika virus and its associated birth defects in the Americas. Since this declaration, Symantec Security Response has observed a malicious spam campaign seeking to capitalize on the global interest in what the director of the WHO calls an “extraordinary event.”

Brazil: Curious health advice on Zika virus — The country most notably affected by cases involving the Zika virus is Brazil, so it comes as no surprise that one of the first cases involving Zika-related malicious spam would focus on Brazilian citizens.

The malicious spam email claims to be from Saúde Curiosa (Curious Health), a health and wellness website in Brazil. The subject of the email says, “ZIKA VIRUS! ISSO MESMO, MATANDO COM ÁGUA!” which translates to: “Zika Virus! That’s Right, killing it with water!” The email itself uses imagery and text taken from a real article on Saúde Curiosa, but includes buttons and attachments to try to capture the recipient’s attention, such as “Eliminating Mosquito! Click Here!” and “Instructions To Follow! Download!” as well as a file attachment.

The links behind these buttons lead to the URL shortening service Bitly, which redirects to the file hosting service Dropbox. Symantec products detect both the file hosted on Dropbox and the file attached to the email as JS.Downloader. Once a user is infected with JS.Downloader, it will attempt to download additional malware onto the compromised computer.

Leadership – Ask probing questions to learn from others

John Maxwell’s leadership blog shares excellent advice on preparing good probing questions in advance. This is beneficial when interviewing users, executives, or others involved in IT or business projects.

Whenever I am preparing for a meeting with someone, I spend time determining what questions I want to ask. I do this because I want to make the most of the time I have, but I also do it to engage with the other person. I want people to know that I value them, and that, if possible, I want to add value to them. To do that, I believe I must get to know them. That requires that I ask questions, they talk, and I listen. And if I hope to receive value from people, again I need to ask questions and listen. You can’t do these things unless you get to know people.

But there are some questions I try to ask everyone. You may want to use them too:

1. What is the greatest lesson you have learned? — By asking this question I seek their wisdom.

2. What are you learning now? — This question allows me to benefit from their passion.

3. How has failure shaped your life? — This question gives insight into their attitude.

4. Who do you know whom I should know? — This allows me to engage with their network.

5. What have you read that I should read? — This question directs my personal growth.

6. What have you done that I should do? — This helps me seek new experiences.

7. How can I add value to you? — This shows my gratitude and desire to add value to them.