How Xerox, Google, and The Intercept Exposed an Anonymous NSA Document Leaker

The ironically named Reality Winner was not one. Reality bites. It bites any anonymous leaker from any government agency who may be naïve enough to believe that their anonymity will be guaranteed. Likely motivated by her desire to expose Russian connections to “a soulless, ginger orangutan” (a.k.a. Donald Trump), Reality Winner sought out and leaked a document that she probably thought would achieve this end. Sadly for her, she only exposed her connections to the leaked document.

Winner began working for NSA contractor Pluribus International Corporation shortly after Trump was inaugurated. Winner is a vegetarian weightlifter and an environmental activist who supported Bernie Sanders.


When Trump approved construction of the Keystone/Dakota Pipelines, Winner wrote on Twitter, “Repeat after me: In the United States of America, in the year 2017, access to clean, fresh, water is not a right, but a privilege based off one’s socio-economic status. If that didn’t feel good to say aloud, contact your senators today and tell them those exact words as to why the Keystone XL and Dakota Access pipelines cannot be built on American soil. Let’s fix the pipes meant to bring water, sans lead or pollutants, to our citizens before we build pipes meant to benefit big oil and poison the land.”

No doubt Trump’s June 1st withdrawal from the Paris Climate Accord further fueled Reality’s pro-environmental flames. Coincidentally, it was on that same day that the FBI was notified by the NSA that someone had leaked a top secret document to the online news outlet, The Intercept. The Intercept had informed the NSA that it was in possession of a top secret document that they were going to release. They gave the NSA a copy of this report in order for them to verify its authenticity. The Intercept seems to have naively believed that they were not compromising the anonymity of the leaker by doing this. That was a mistake.

Many newer printers print nearly invisible yellow dots on every page they print. The dots, and the pattern they form, can be used to identify the type of printer, the model number, the serial number of the specific printer used, and the precise time the document was printed. Any scanned copy of such a page, like the one Winner sent to The Intercept and The Intercept sent to the NSA, would carry these dots.

Here is a series of pictures which show these dots on the leaked NSA document and the pattern they created. To show what these dots are like and how they can be used, I created the images below. The first image shows the upper left hand corner of the original document, which is already magnified to some degree; yet, no obvious yellow dots (or pixels) are evident, at least to my eye. (The encircled area shows where the dots exist and indicates the area which will be subsequently magnified.)

the yellow dots


I then magnified the above image to 600% and, perhaps, some sharp-eyed readers can begin to see a few faint yellow areas.

dots 600x

However, to really see these dots, I had to increase color saturation. So, at 600% magnification, with color saturation, here is what the dots looked like on the NSA document.

dots saturation

The complete pattern with the decoded information it includes is shown in the following image. (For more information on hidden document codes visit the EFF website.)

leaked document pattern

I have since confirmed that the pattern persists even when the document is copied into another program, such as Word, or onto other websites.

So The Intercept, in effect, told the FBI that one of the 4,000 employees at Pluribus International Corporation, Georgia, printed this document on a specific printer with the above serial number at 6:20am on May 9th. At 6:20am? That, in itself, should limit the number of people who could have done this. In the end, it was found that only six people had printed out this report. This pretty much outed poor Reality.

This top secret report was first published four days earlier on May 5th, so Reality was, in my opinion, either tipped off on its existence or was diligently conducting ongoing searches for incriminating documents. In short, she had an agenda. In any event, according to the affidavit, the six people who printed this document had their company computers investigated. Among them, only one, Winner, had had email contact with The Intercept.

Interestingly, Winner did not use the company email for this contact but her Gmail account. She probably thought that this would be safer. This was a mistake. The company likely monitors all emails going through its systems. It was simply a matter of searching their database for any communication with The Intercept. Yes, the communication was innocent (she wanted a transcript of a podcast), but it showed she was at least aware of the news outlet’s existence.

However, this alone would not be enough to arrest her. It is possible the company had a keylogger installed on all of its computers, so they may have had a record of her Gmail password which they could use to access her account. This would allow them to see if she had any further correspondence with The Intercept from computers outside the company. However, if they did this, the company would be in danger of committing a criminal act.

Thus, it is likely that the FBI will have to ask Google for access to Winner’s Gmail account. Will Google give this information to them? If you have to ask this question, see my last post on Google tracking and privacy. Google will almost always give access to user accounts when government agencies request it. Although Google claims that it carefully reviews all such requests before allowing government agencies to access an account, in truth, they will only rarely refuse to do so. If it is found that Winner had further correspondence with The Intercept via her Gmail account, this would be the conclusive evidence that the government would need to convict her. It will be interesting to see how this aspect of the case develops.

The Intercept further implicated Winner when one of its reporters contacted an inside informant at the NSA who later contacted the FBI. So much for trusted sources. The affidavit states the belief that Winner may have communicated with The Intercept in other ways and that evidence of such communication, or of the documents themselves, may be found on her home computer or other devices.

When contacted on June 3rd, “Winner admitted intentionally identifying and printing the classified intelligence reporting at issue despite not having a ‘need to know,’ and with knowledge that the intelligence reporting was classified. Winner further admitted removing the classified intelligence reporting from her office space, retaining it, and mailing it from Augusta, Georgia, to the News Outlet, which she knew was not authorized to receive or possess the documents. Winner further acknowledged that she was aware of the contents of the intelligence reporting and that she knew the contents of the reporting could be used to the injury of the United States and to the advantage of a foreign nation.”

It is no surprise that Winner confessed when she was confronted with the above evidence. However, she has subsequently pleaded not guilty, which is somewhat baffling. More baffling is the fact that the government did not interfere with The Intercept publishing this top secret document two days later on June 5th. Interestingly, the announcement of Winner’s arrest followed within hours of the document’s publication. This made it appear, perhaps intentionally, that The Intercept was not a viable outlet to send a leak to. WikiLeaks’ Julian Assange lambasted the unprofessional conduct of the outlet and offered a $10,000 reward for information “leading to the public exposure & termination” of the reporter. Assange had no choice but to take this action because those publishers who do not protect their sources cast a shadow on all leak platforms.

The bottom line here is that Winner will be made an example of to deter potential leakers from misusing their access to secret information in the hope of affecting the political landscape. Making leaking platforms look unstable will also make those with access to sensitive information think twice before giving this information to leak publishing organizations. In short, leakers should only do so with the full expectation that they will likely be caught. If they truly believe that their actions have a moral value that supersedes any penalty they may have to pay, then nothing the government does to Reality will stop them.


For Those Who Don’t Want to be Followed While Browsing

Nothing is more costly than a free service. If you think services such as Google, Yahoo, Facebook, or Twitter are given to you for free, you have a naïve idea of how these companies make their money. The truth is that information from you is collected from your browsing habits and sold to marketers and partners at a nice profit; a profit that you get no financial benefit from. In short, you are working for free. I guess it’s you who are offering the free service.

Okay, raise your hand if you’ve read the license agreement for the services you receive from the above companies. Yeah, that’s what I thought. When you clicked the ‘Accept’ box on the privacy agreement, you gave up more rights to your privacy than you may have wanted to. Probably the best way to begin this post is to use a quote from Google CEO, Eric Schmidt, himself.

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. If you really need that kind of privacy, the reality is that search engines – including Google – do retain this information for some time and it’s important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.”

To translate, yes, we are following you and gathering data on everything you search for. We will also give any information we have on you to the government if they want it. That is to say, if you use Google, you are under government surveillance by default.

All these companies generate revenue in much the same way. They sell the rights to your privacy. They sell your personal information. But what exactly do they learn about you and what powers do they really have? Here is a list of some of the things Google says it can do in its privacy agreement. Remember, this type of information gathering is not only done by Google.

They know, and can use, your name, email address, telephone number, credit card number (used to verify age), and what kind of YouTube videos you like. Can they read your emails? “Our system may automatically scan the content in our services, such as emails in Gmail, to serve you more relevant ads.” So the answer is ‘yes’, but they claim this is all done by machines and not humans. Google is a large company offering many services, and signing up for one service means you are under surveillance for all of their services. “This includes information like your usage data and preferences, Gmail messages, G+ profile, photos, videos, browsing history, map searches, docs, or other Google-hosted content.” In addition, “we collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account.” This allows them to access “telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.” Not only that, but they can use your device to store whatever information they find on you, which seems somewhat presumptuous. “We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.” Hmm, maybe they should pay you for storing information on your computer that helps their marketing.

Who are they selling your information to anyway? Google sells data to companies who sign up for their targeted ad services. They match the business’ product to the profiles of people who may be interested in it. The more you browse and use their services, the more they learn your likes and dislikes. Even if you opt out of receiving targeted ads, you will still get ads. In other words, if you want ads targeting your supposed interests, you have to let them use your personal information. Google is not innately evil. They are simply doing what you told them they could do.

However, there is another dimension to internet surveillance that Google and other social media firms would rather not talk about. This is the topic of providing information on you to the government or law enforcement agencies. The disclosure of the NSA’s Prism surveillance program by Edward Snowden named at least 9 internet firms who were supplying information to the U.S. government.


Among these companies were Google, Yahoo, Microsoft, Facebook, Skype, and Apple. But the Washington Post reported that “98 percent of PRISM production is based on Yahoo, Google, and Microsoft.” Google admits that they “will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

    • meet any applicable law, regulation, legal process or enforceable governmental request.
    • enforce applicable Terms of Service, including investigation of potential violations.
    • detect, prevent, or otherwise address fraud, security or technical issues.
    • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.”

Google, and the other companies mentioned, met this disclosure of their working with the government with declarations of innocence. “Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a backdoor for the government to access private user data… [A]ny suggestion that Google is disclosing information about our users’ internet activity on such a scale is completely false.”

Google may be right. There would be no need to install a backdoor if the front door was already open. Google appears to have worked out an arrangement with the NSA. One investigator stated that “according to officials who were privy to the details of Google’s arrangements with the NSA, the company agreed to provide information about traffic on its networks in exchange for intelligence from the NSA about what it knew of foreign hackers.” In such a case, Google would not have to install a backdoor that the NSA could use; they could just ‘accidentally’ forget to close one. In other words, they could leave an unpatched vulnerability in place that the government could exploit.

I won’t pursue this in any detail because it’s clear that the government can easily access your information via Google or other social media services. The important fact to keep in mind is that every social media platform is developing new strategies to acquire personal information on their users. Facebook even wants to design a program that will allow an algorithm to determine your mood by accessing your face through your camera. This is marketing through assessing your emotional state, but how long will it be before this evolves into marketing by manipulating your emotional state?

If you do not want your browsing and other habits to be monitored for marketing, you will have to find out how to disable the tracking capabilities of each social media outlet. These sites don’t make this easy. However, before you begin adjusting your ad settings, I would suggest going to a site called Panopticlick. This site will test your browser’s tracking vulnerabilities for free. Here is what it said about my usual browser.


And here is what it says about my use of the Tor browser.


Yes, the Tor browser does seem to limit the use of your personal information. The important statistic to note is that which gives the uniqueness of your browser fingerprint. The higher the number, the easier it is to identify you. It is the uniqueness of your browser configuration that gives you away and this has nothing to do with cookies. Your browser fingerprint allows you to be identified and tracked even with cookies disabled.

Do not be surprised if you see a red ‘X’ in every category. I have most of my browser tracking sites turned off. To get a more complete view of who is tracking you, go here. It will be a sobering experience. If you want to opt out of all targeted marketing and see who’s been using your information, go here. In short, you will quickly learn that everyone is targeting you and you’ll never stop all of them.

In my last post I showed how to avoid Facebook’s pixel-based marketing. For Google, you will have to go to your personal account, “Ad settings”, “Manage Ads Settings”. When you get here, you can turn off “Ads Personalization”. If you go to the bottom of the page you will see the “Opt out of more ads” link which will give you more control over who targets you.

Again, I do not want to condemn Google or any other digital site as having nefarious goals. These are businesses that provide services we like to use. As businesses, they need to make money to operate. True, they could make their marketing plans somewhat more transparent, but when it comes to using internet services, it’s a let-the-buyer-beware landscape. I have less tolerance for their attitudes on government surveillance. There is no transparency at all here and we can’t be sure how much information is collected by the government by whim rather than by judicial decrees. If these social media sites collapse, it will not be targeted marketing that brings them down. It will be the fear of continual surveillance and the paranoia that this will generate in its users.


Scribbles: the CIA Document Tracking Program that Uncovers Leakers

Nobody disputes the fact that there have been a lot of leaks making the news recently, and nobody disputes that many of them emanated from the intelligence community.


But there is one question that needs to be answered: How is this possible? We’re talking about agencies that have the power of universal surveillance. How is it possible that they cannot see what’s going on in the next office?

This is even more confusing when one realizes that they have, and have had, programs in place to identify leakers for years. The leak collector site, WikiLeaks, has just released information on a CIA program called “Scribbles”, which puts digital watermarks on documents to allow their movements to be traced. With this program, the government can identify whistleblowers, those leaking documents to whistleblower sites, those leaking documents to news media, and foreign agents who may steal these documents.

Scribbles takes advantage of Word to put tracking beacons into documents created on a computer or network. Word allows images to be embedded in a document, and this is the vector that Scribbles uses. It is a form of pixel-based tracking. Such tracking has been around for years: a single transparent pixel in a web page or document acts as a beacon that reports back to its control center when the content is opened. Tracking will not only identify the IP address of the person receiving the document, but also when the document was opened, what operating system the recipient used, and what they did with the file. If the file is forwarded to others in a network, an entire network could be mapped out.

But with this ability to track documents, why are the leaks continuing? This could occur for a number of reasons. Scribbles will not work if documents are encrypted or password-protected. If the document is opened in a non-Microsoft Office program, the tracking element may become visible. In other words, any potential document-leaking staff member who knew about the program would be able to circumvent it easily.
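One way to see what a non-Microsoft viewer would reveal is to inspect the document file directly. A .docx is a zip archive, and any image it pulls from another server is declared in a relationship part with `TargetMode="External"`. The PowerShell below is an added example, not the post’s own material and not a reproduction of Scribbles: it builds a constructed sample document that links one image from a placeholder URL (`http://tracker.invalid/pixel.png`) and then lists every external relationship it contains. The function names, the sample file name and the URL are my own choices.

```powershell
# Added example (not from the original post, not the Scribbles tool): build a minimal
# .docx that links an image from a remote URL, then scan its relationship parts for
# TargetMode="External" entries, which is how a Word document refers to content that
# lives on another server. Works in Windows PowerShell 5.1 and PowerShell 7.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function New-SampleDocx {
    param([string]$Path)
    # Constructed sample: the smallest set of parts Word needs, plus one external image link.
    $parts = @{
        '[Content_Types].xml' = '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
        '_rels/.rels' = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>'
        'word/document.xml' = '<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Sample text</w:t></w:r></w:p></w:body></w:document>'
        # Placeholder URL (.invalid TLD never resolves); this is the "beacon" the scanner should flag.
        'word/_rels/document.xml.rels' = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://tracker.invalid/pixel.png" TargetMode="External"/></Relationships>'
    }
    if (Test-Path -LiteralPath $Path) { Remove-Item -LiteralPath $Path }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        foreach ($name in $parts.Keys) {
            $entry  = $zip.CreateEntry($name)
            $writer = New-Object System.IO.StreamWriter($entry.Open())
            $writer.Write($parts[$name])
            $writer.Dispose()
        }
    } finally { $zip.Dispose() }
}

function Get-ExternalRelationships {
    param([string]$Path)
    # Every *.rels part in the package is checked, so links hidden in headers,
    # footers or footnotes are caught as well as those in the main body.
    $found = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*.rels' }) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            [xml]$xml = $reader.ReadToEnd()
            $reader.Dispose()
            foreach ($rel in $xml.Relationships.Relationship) {
                if ($rel.TargetMode -eq 'External') {
                    $found += [pscustomobject]@{
                        Part   = $entry.FullName
                        Id     = $rel.Id
                        Type   = ($rel.Type -split '/')[-1]   # e.g. image, hyperlink, oleObject
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $found
}

$sample = Join-Path $env:TEMP 'beacon-sample.docx'
New-SampleDocx -Path $sample
Get-ExternalRelationships -Path $sample | Format-Table -AutoSize
```

Point `Get-ExternalRelationships` at any .docx you have been sent; an `image` relationship whose target is an http or https URL is exactly the kind of entry a tracking pixel needs, and it is worth knowing about before the file is opened in a viewer that fetches remote content. The scanner only sees references declared in relationship parts, which is where linked images live; it is a quick triage check, not a complete malware analysis.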

As I mentioned above, there is nothing new about pixel tracking programs. Such tracking programs are widely used by marketers to learn about potential customers. Facebook even has its own pixel tracking system for anyone with a business on Facebook. If you have a Facebook account, information on what you do online is collected so that you can be targeted with ads wherever you go, and your browsing patterns can be handed over to its business partners. Such surveillance can be good for people who are interested in purchasing certain items, but others may view this as an infringement on their privacy. If you are in the latter group, you can opt out of this surveillance. It’s a bit of a convoluted process that begins with you clicking on the small triangle next to the question mark in the upper right hand corner of your Facebook page.

fb triangle

You then go to “Settings”, “Ads”, and “Ads based on my use of websites and apps”. Eventually, you will have navigated to a page that looks like the one below. In the “Show online interest-based ads:” setting, make sure it is set to “Off”.

fb ad settings

You can also tweak other advertising preferences on this page. I found the “Advertisers you’ve interacted with” interesting because I only found two that I remember interacting with. Keep in mind this only disables Facebook tracking. Other marketing companies will still be able to present you with targeted ads. In short, your browser habits are under continuous surveillance. I’ll write more about how to avoid this surveillance in a future post.

Although Scribbles has its shortcomings, it does have a place in the anti-leaking arsenal. However, if the intelligence agencies want to control online-enabled leaking, they have far more powerful cyber tools at their disposal. In fact, if you were an intelligence agency employee attempting to leak information via online channels, you would have to be insane, suicidal, or simply ignorant to try this route. The only way to do so without getting caught would be to work in collusion with a hacker or with those in control of the network.

In a previous article, I pointed out that employees could, in cooperation with a hacker, ‘accidentally’ open a bad attachment, click on a bad link, or visit a compromised website. All of these could allow a hacker onto a network where they could just happen to find documents that they could leak to the media or other agencies.

Those in control of securing a network could be in a position to leak information by circumventing the very safeguards they have put in place. They could do this either directly or by allowing certain individuals on a network to leak documents undetected. I’m not saying that anyone would do this, only that this is the only way that a leak could occur without being detected by the wealth of cyber tools the intelligence agencies have at their disposal.

Still, the best way to leak is by smuggling the information out on a USB or SD card a la Snowden. This would require the leaker to disconnect from the network in order to download sensitive data without raising suspicion. Again, collusion with network administrators could help in this endeavor.

However, there is another angle to using programs like Scribbles which cannot be overlooked. Imagine that an intelligence agency wanted to infiltrate a whistleblower network. They could pose as a leaker and send tracking documents to that site. The documents could be used to map the network and find potential vulnerabilities that could be used in a more sophisticated malware attack later on. The agencies could set up spyware on the whistleblower site that would let them see where leaks are coming from and who the leakers within their agencies were.

In short, it would be difficult to believe that the intelligence agencies could not identify most leak attempts. Leakers are usually motivated to do so for three basic reasons: to achieve financial gain (such as selling secrets to foreign governments or competitors), to affect the political landscape (such as the DNC leaks), or to gain emotional satisfaction (revenge of disgruntled employees or indignation of whistleblowers who feel their employer is engaged in immoral or unethical behavior). For these reasons, I would suspect that most intelligence agency employees are subject to surveillance in their personal lives as well as their working lives. Such a project, known as the ACES project, was proposed by James Clapper in 2014. “What we need is a system of continuous evaluation where when someone is in the system and they’re cleared initially, then we have a way of monitoring their behavior, both their electronic behavior on the job as well as off the job.” I’m not sure if this system has been formally put in place but, informally…who knows. So do the intelligence agencies know the source of their leaks? You be the judge.


Chrome Browser Vulnerability Allows Hackers to Take Remote Control of Your Device and Network

In order to be infected by most malware, you have to download a malicious file and open it. Downloading the bad file is simply not enough to cause you problems. But what if there was a file that downloaded and opened itself automatically? That would truly be your worst nightmare. Sadly, if you use Google’s Chrome browser, your nightmare has now arrived.

Browsers make our lives easier by automating a lot of processes. For example, if you don’t specify where you want your download to go, it will go into a folder often called ‘Downloads’. When Chrome assumes a file is safe, the user receives no further prompt when a download is triggered; the file is simply downloaded. Normally, this presents no problem. However, a new vulnerability in Chrome makes this automated process the springboard for a serious malware attack.

Most files will not open automatically when downloaded, but a few will. Among these are files which create an icon that is really a shortcut link to some other location. These files come with the extensions .lnk or .scf. The .lnk extension has been stopped from automatically opening, but the .scf extension has not. It is processed as soon as the folder it is stored in, such as the ‘Downloads’ folder, is opened; in other words, Windows Explorer will automatically activate the icon. The problem occurs when the SCF ‘icon’ is actually a link to a remote server. At this point, the remote server will receive the hashed password for the user’s PC and, if they are on a corporate or institutional network, the hashed password for that as well. So if the attacker can lead the victim to a website with a malicious SCF file, Chrome will help the attacker do the rest.

Maybe it’s a good idea to look at hashing at this point. If you already know about hashing, you can skip this paragraph. Hashing is basically a one-way transformation. When you first register your login information on a website, the website turns your password into a fixed-length string of numbers, letters, and symbols that looks random, called a ‘hash’. It’s the hash, not the actual password, that the website stores. Unlike regular encryption, hashing cannot be reversed. Thus, when a hacker steals your hashed password they cannot apply some formula or key to decrypt it. They have to use another technique, which is basically guessing: they hash a guessed password and check whether the result matches one on the list of stolen hashes. Only when a guess matches can they log into your account.
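To make the paragraph concrete, here is an added PowerShell example of how a site can store and check a password without ever keeping the password itself. It is my own illustration, not code from the post or from any particular website: the record format (iterations, salt and PBKDF2-SHA256 output, joined with `$`) and the function names are my choices, and the sample password is a constructed one.

```powershell
# Added example (not from the original post): a small password-hashing routine that shows
# what the text describes. The stored record holds a random salt, an iteration count and
# the PBKDF2-SHA256 output; nothing in it can be run backwards to the password, and a
# login check works by hashing the supplied guess the same way and comparing the result.
# Record format and function names are my own choices, not any real site's scheme.

function New-PasswordRecord {
    param([string]$Password, [int]$Iterations = 100000)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)  # fresh salt per record
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes(
               $Password, $salt, $Iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $hash = $kdf.GetBytes(32)
    # Record layout: iterations$base64(salt)$base64(hash)
    return '{0}${1}${2}' -f $Iterations, [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash)
}

function Test-Password {
    param([string]$Password, [string]$Record)
    $iterations, $saltB64, $hashB64 = $Record -split '\$'
    $salt     = [Convert]::FromBase64String($saltB64)
    $expected = [Convert]::FromBase64String($hashB64)
    # Recompute the hash of the guess with the stored salt and iteration count.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes(
               $Password, $salt, [int]$iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $actual = $kdf.GetBytes($expected.Length)
    # Compare every byte regardless of where the first mismatch is, so timing does not leak a prefix.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($expected[$i] -bxor $actual[$i]) }
    return ($diff -eq 0)
}

# Constructed demo values.
$record1 = New-PasswordRecord -Password 'correct horse battery staple'
$record2 = New-PasswordRecord -Password 'correct horse battery staple'
"Same password, different records (random salt): $($record1 -ne $record2)"
"Right guess verifies: $(Test-Password -Password 'correct horse battery staple' -Record $record1)"
"Wrong guess fails:    $(Test-Password -Password 'Correct horse battery staple' -Record $record1)"
```

Two details matter for the rest of the post. The random salt means the same password produces a different record every time, so a stolen hash from one site cannot simply be matched against another site’s list. And the high iteration count makes each guess slow, which is what limits the guess-and-match attack described above; a plain, fast hash with no salt offers neither protection.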


Your Windows password is automatically hashed, so the attacker operating the remote server that receives it has two options. They can try to use software to guess and match (crack) the hash in order to get the actual password, or they can use the hashed password itself. This is because some Microsoft services only require the hashed password to operate. Such services include OneDrive, Office 365, Office Online, Skype, Xbox Live, and more. In other words, using either of these techniques can allow an attacker remote access to your computer and any network to which you may be connected. Needless to say, good hackers can leverage network access to steal sensitive data from an enterprise or compromise other users on the network. It all depends on whether their goal is information-based or financially based.

Although the Chrome browser may allow downloads of SCF files to proceed without hindrance, you may suppose that antivirus software will detect these files and notify users of their presence. Unfortunately, this does not appear to be the case. The main investigator of this vulnerability stated that, “we tested several leading antivirus solutions by different vendors to determine if any solution will flag the downloaded file as dangerous. All tested solutions failed to flag it as anything suspicious.” Moreover, Windows Explorer hides the SCF extension, so it will not appear in the name of the file. In other words, if the attacker uses a file named photo.jpg.scf, the user only sees photo.jpg, which may appear to be a valid jpg file.

Since the file does not appear malicious to either Chrome or antivirus software, you will need to be the download filter. To do this, you simply have to set Chrome’s advanced settings to “Ask where to store each file before downloading” option. Then, you will be able to intercept any automatic downloads that may otherwise occur.

You may also want to adjust your firewall to stop any SMB communications to devices outside of your network. Unless you have an older Windows operating system, such as Windows XP, you should probably disable SMB 1.0. I gave directions on how to do this in a recent post.

Although it might seem an easy flaw for Google to fix, so far, none has been reported. Thus, unless you want your computer remotely controlled by someone else or your business to be infiltrated, you need to browse with some caution. Of course, there is another option. You can change your browser. Sorry Google.



A Simple Guide for Protecting Yourself from Ransomware

If you think the last ransomware attack was the end of the story, you’re wrong. If you think only enterprises are targeted by ransomware, you’re wrong. And if you think you have an operating system that is safe from ransomware, you’re wrong. In other words, all of us are vulnerable. In fact, most researchers think that the next targets could be bigger enterprises and more individuals via a vast botnet attack.

However, it remains true that all of these attacks can be subverted by a few simple steps because, when all is said and done, attackers only have a few vectors that they can exploit to get control of your device. Although there are many ransomware varieties prowling the internet for victims, the attacks always begin with individuals. If these individuals are working for companies or institutions that depend on quick access to data, so much the better for the attackers. Enterprises have a role to play in all of this, but each person, each employee, must know how attackers are trying to trick them into becoming victims. Here are the steps to take to stop that from happening.

1. System Updates and How to Get Them

Windows 10 really gives you no choice but to accept updates. In truth, that’s probably good, at least for critical updates. There are ways to work around the automatic updates but, for safety’s sake, it’s best to make your updates automatic. Go to your settings, then to Updates and Security, and here you can check for the latest updates.


The WannaCry ransomware targeted older operating systems, especially Windows XP, and enterprise networks that still used them. As the chart below shows, extended support for Windows 7 and above will continue for a few years yet, so be sure to keep up with those updates.

[Image: Microsoft Windows support schedule]

Older versions of Windows, Vista and below, are normally no longer supported. However, due to the seriousness of the latest ransomware attack, Microsoft has created some patches that you can download here.

Quick installation of updates is important because hackers study the updates themselves to find out which holes were patched. They know that many people won’t update right away, so they search the internet for unpatched computers and networks to attack. Big enterprises with big networks take a long time to patch, and the hackers know it. These exploits are termed one-day exploits because that’s how long it takes the attackers to begin attacking networks that do not update fast enough.

There are other steps for advanced users to take and they can be found here. I wouldn’t recommend these to the average user because some of the suggestions deal with tweaking the registry and any mistakes could seriously affect the functionality of your device.

2. Disabling SMB1.0

This may sound daunting, but it is not. What you will be doing is protecting your device from being remotely attacked. Basically, if SMB1.0 is left enabled, attackers can fall back to this old protocol and sidestep the protections built into later SMB versions. This is especially true for enterprises with large networks. SMB stands for Server Message Block and is used for sharing files on a network. If you run Windows XP or have an old printer, you may still need SMB1.0; otherwise you probably do not. Even with all of its shortcomings, SMB1.0 comes enabled on Windows 10. I have disabled SMB1.0 on my device and will let you know in updates if any functionality problems arise.

So, to disable SMB1.0, go to ‘Search’ (lower left hand corner) and type in “Windows features”. You will be given a control panel for turning off or on various Windows features (see below). You will probably see the area that I highlighted with the box checked. Simply uncheck it and reboot your computer. If you think this is a small thing, think again. As one Microsoft expert on the topic wrote, “stop using SMB1. For your children. For your children’s children. Please. We’re begging you.”

[Image: the Windows Features dialog with “SMB 1.0/CIFS File Sharing Support” highlighted]
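The same two changes described above and in the earlier Chrome post (turning off SMB1.0 and stopping SMB traffic to hosts outside your network) can be audited and applied from an elevated PowerShell prompt. This is an added example, not code from the original post; it assumes Windows 10 or Server 2016 and later, where the SmbShare, NetSecurity and DISM cmdlets ship with the OS, and it only reports unless you pass -Apply.

```powershell
# Added example (not from the original post): audit SMB1 and outbound SMB exposure on
# Windows 10 and optionally fix both. Without -Apply the script only reports; with -Apply
# it disables SMB1 and adds a firewall rule. Assumes the SmbShare, NetSecurity and DISM
# modules that ship with Windows 10 / Server 2016+.
param([switch]$Apply)

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this from an elevated (Administrator) PowerShell." }

# 1. SMB1 as an installed Windows feature (the "Windows features" checkbox in the post).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host ("SMB1Protocol feature state : {0}" -f $feature.State)

# 2. SMB1 at the server (file-sharing) side, which is what a remote attacker talks to.
$server = Get-SmbServerConfiguration
Write-Host ("Server EnableSMB1Protocol  : {0}" -f $server.EnableSMB1Protocol)

# 3. Our firewall rule blocking SMB to the Internet, if it was created on an earlier run.
$ruleName = "Block outbound SMB (TCP 139/445) to Internet"
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Host ("Outbound SMB block rule    : {0}" -f $(if ($rule) { "present" } else { "missing" }))

if (-not $Apply) {
    Write-Host "`nDry run only. Re-run with -Apply to disable SMB1 and add the firewall rule."
    return
}

if ($feature.State -eq 'Enabled') {
    # Same effect as unchecking "SMB 1.0/CIFS File Sharing Support"; a reboot completes it.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMB1Protocol feature disabled (reboot required)."
}

if ($server.EnableSMB1Protocol) {
    # Turns SMB1 off in the running server service immediately, even before the reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMB1 disabled in the SMB server configuration."
}

if (-not $rule) {
    # "Internet" is a built-in firewall address keyword: addresses that are not on a local
    # subnet. LAN file sharing and printers keep working; SMB to hosts on the public
    # Internet (the path the Chrome/SMB leak and WannaCry-style worms rely on) is dropped.
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 139,445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Host "Outbound SMB block rule created."
}
```

Save it as a .ps1 file and run it once without -Apply to see where your machine stands; if you still need SMB1.0 for an old printer, leave the feature alone and keep only the firewall rule.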

3. How to tell if an email attachment is malicious

There are some good phishing scams out there. They can fool anyone. Some phishing emails may come from your friends or even from people in management. The attachment may have a legitimate name. It could be photos from a party you went to or information your CEO wants you to read. You can’t simply refuse to open any attachment. You could lose friends and even your job. So what do you do?

The first thing to remember is that no attachment is dangerous until you download and open it, thus, releasing its payload. So, before you open it, you can scan it for viruses or malware with your antivirus software. If your file is smaller than 150MB, you can use a good online scanner like VirusTotal.

At the same time that WannaCry Ransomware was bringing down enterprises around the globe, Jaff Ransomware was using a botnet to spread its payload at the rate of 5 million an hour, mostly to individuals. Although researchers are not sure how WannaCry delivered its payload, Jaff was doing so with the help of a PDF attachment. Opening the attachment will give you this.

[Image: the Jaff PDF lure telling the reader to open the enclosed file]

The file mentioned is a Word document packaged within this PDF file. It will look like this.

[Image: the Word document inside the PDF, asking the reader to enable editing]

If you follow the instructions and enable editing, you will install the ransomware which will begin encrypting all of your files. Eventually, you will be told to pay a ransom in Bitcoins of over $3,000 to get your files back.

This attack needs you to enable macros before it can operate. Until you do this, you are safe. Make sure your macros are disabled. First, you need to find your Word Macro Settings menu. This will either be in Trust Center Settings or Tools/Macros/Security. There, choose the High or Very High option.


According to Kaspersky Labs, the spammed phishing emails come with a subject line similar to “Receipt to print” and will sometimes have a message like, “Print two copies”.

The senders will be generic “John” or “Joan” but with an unusual email address that should give them away. It doesn’t matter to the criminals as long as they can trick even a small percentage of people.
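Because the Jaff lure is a PDF that carries a Word document which in turn needs macros to run, the traits that give it away can be checked before the file is ever opened. The following is an added example, not code from the original post: a PowerShell function that reads a saved attachment as bytes, flags embedded files and open-actions in PDFs and macro projects in Office documents, and prints the SHA-256 so you can look the file up on VirusTotal by hash rather than uploading it. It assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the original post): pre-open triage of a saved e-mail attachment.
# The file is never opened or executed; its bytes are inspected for the traits the Jaff
# lure relied on. Assumes PowerShell 5.1+ on Windows (.NET System.IO.Compression).
function Test-Attachment {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one character, so binary content is searchable as text.
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($text.StartsWith('%PDF')) {
        # /EmbeddedFile is how a Word document gets packaged inside a PDF;
        # /OpenAction, /AA, /JavaScript, /JS and /Launch make something happen on open.
        foreach ($kw in '/EmbeddedFile', '/OpenAction', '/AA', '/JavaScript', '/JS', '/Launch') {
            if ($text.Contains($kw)) { $findings.Add("PDF contains $kw") }
        }
        # Caveat: names inside compressed object streams are invisible to a raw scan,
        # so "no findings" is not a clean bill of health.
        if ($text.Contains('/ObjStm')) { $findings.Add('PDF uses object streams; raw scan may miss content') }
    }
    elseif ($bytes.Length -ge 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        # 'PK' signature: Office Open XML (.docx/.docm/.xlsm) is a ZIP container.
        Add-Type -AssemblyName System.IO.Compression.FileSystem
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $names = $zip.Entries | ForEach-Object { $_.FullName }
            # vbaProject.bin is the macro project; a plain .docx should never contain one.
            if ($names -match 'vbaProject\.bin$') { $findings.Add('Office document contains a VBA macro project') }
            if ($names -match 'oleObject\d*\.bin$') { $findings.Add('Office document embeds an OLE object') }
        } finally { $zip.Dispose() }
    }
    elseif ($bytes.Length -ge 4 -and $bytes[0] -eq 0xD0 -and $bytes[1] -eq 0xCF -and
            $bytes[2] -eq 0x11 -and $bytes[3] -eq 0xE0) {
        # Legacy binary Office (.doc/.xls) is an OLE compound file; macro storages leave
        # these UTF-16 directory entry names behind at sector-aligned (even) offsets.
        $ole = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($ole.Contains('_VBA_PROJECT') -or $ole.Contains('Macros')) {
            $findings.Add('Legacy Office document contains VBA macro streams')
        }
    }

    [pscustomobject]@{
        File     = $Path
        SizeKB   = [math]::Round($bytes.Length / 1KB, 1)
        SHA256   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Findings = $(if ($findings.Count) { $findings -join '; ' } else { 'none (still scan with antivirus)' })
    }
}

# Usage (constructed path): Test-Attachment -Path "$env:USERPROFILE\Downloads\Receipt to print.pdf"
```

A PDF that reports both /EmbeddedFile and /OpenAction, or a “receipt” that turns out to contain a VBA project, is exactly the pattern described above and should go to your antivirus or VirusTotal rather than to Word.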

4. Check those links

Similar to attachments, links may also come from friends or management. They may have valid names. Hover over any link with your cursor to see if a valid address appears in the lower left hand corner of your screen. If you’re still not sure, or the URL doesn’t appear, you can push the ‘Reply’ button and you will see the true address of the sender in the “To” field. Don’t send the message. Simply look at that address and see if it looks valid. If you are still unsure of a link, test it by copying it and using VirusTotal to check it. If you are still unsure you can always contact the sender in person or by phone to see if they actually sent that email and link. Yes, it is possible that visiting an infected website alone will be enough to download and install ransomware. This is called a ‘drive-by’ attack and it often employs the Flash Player, Adobe Reader, or Java. Keeping these programs up to date is a good way to thwart such attacks.

5. Enterprise Security

Enterprises need to isolate data on their networks so that it is not easily accessed and then encrypted. Many will use sandboxing to do this. However, the Jaff Ransomware knows this and has been designed to detect and avoid sandboxes. Hardware separation employed on all network endpoints may be the best solution. In this case, even if the normal-use half of an endpoint is breached and encrypted, important data on the hardware-separated network half of the device cannot be accessed by the attacker. All important data is kept safe.


If you’ve taken the steps mentioned above, you should be protected from most ransomware and other malware attacks. That said, back up your files. Malware is always evolving, and no malware is evolving faster than ransomware. Researchers are already warning users not to be complacent just because the most recent attack was accidentally thwarted. The attackers will quickly find a new workaround. I personally believe that the attack was bigger than the attackers really wanted it to be. Just as in the San Francisco metro attack, they may have drawn too much attention to themselves. Those hackers had to back off on their ransom demands.

Attackers really just want the money paid and the victims to remain silent. Many enterprises pay the ransom and say nothing so as not to ruin their reputations. That’s why most ransom demands are kept relatively low. The criminals know it is easier for the company to pay than to risk tarnishing their image. Besides, they often need the encrypted data too much to risk losing it.  At the beginning of this year, almost every security firm predicted that ransomware would be the big story of 2017. I concurred and I will stand by that prediction.


Android Banking Trojans Now Found in Trusted Apps on Google Play


If you use a banking app on an Android device, you need to be especially careful of a new type of attack that is causing concern in the cybersecurity community. The concern comes from the fact that this banking malware hides inside harmless apps and, what’s worse, these apps have been turning up on Google Play. In other words, downloading something as simple as a flashlight can download a banking trojan.

This banking malware will steal your login information by presenting a page that looks identical to your normal banking login page. It can do this in two ways. When the app is downloaded, you will get the usual permissions interface. If you simply allow all permissions you may give administrative rights to the app. This means that whoever controls the app also controls your device. The malware will scan your device for any banking apps loaded on it and prepare a fake login page for you to see when you try to log into your account. Of course, logging in will give your information to the criminals who will then use it to do whatever it is they want to do.

The other method lets you log into your account first and then, out of nowhere, gives you a screen asking you to log in again. It’s the same login screen because the criminals have captured it. However, logging in this time takes you to an unrelated page. You may think something was wrong with your browser, so you go back and log in as usual, and nothing is wrong. All your funds are there as they should be. Right, but maybe not for long. The criminal has all your data and can use it when they need it. Of course, this attack doesn’t have to target banks; it’s just that that’s where the money is. They could just as easily use the same technique to get into your Gmail or Facebook accounts.

I know what you’re thinking. This can’t happen if you have Two Factor Authentication (2FA). Wrong. All forms of  2FA have been circumvented. Let me give you an example. You log into your banking site and are supposed to receive a SMS message with a code that you can use to authenticate your login. However, the criminal who has control of your device mutes the SMS arrival signal and intercepts the SMS message. Now, they have the code. They can even have the device request a new code which you, the victim, will interpret as the original code. Unfortunately, you will be unable to use this code.

The newest trojan behind these attacks is called BankBot; however, a number of new variations on this idea are appearing under different names. As the name implies, BankBot targets banks, almost 500 of them as of this writing. To find out if your bank is being targeted, go to this page and use your browser’s “Find on Page” function with your bank’s name or abbreviation (e.g. db = Deutsche Bank) to see if it is being targeted through Android apps on Google Play. A word of caution here. As of this writing, most of the targeted banks are in Europe or Asia. However, since this malware is spreading so rapidly in many variations, it is only a matter of time before it is found in the U.S. Your bank may not be listed now, but be vigilant because it will be.

The big problem is that the malware is distributed through a trusted site, Google Play, inside trusted apps. It evades, or at least delays, detection by Google Play’s algorithms using a variety of obfuscation techniques. The malware designers figure their malware will eventually be detected and the app removed from Google Play, but if they can get the app downloaded by enough people, they can consider the attack a success. Remember that if they are able to gain administrative rights over a device, they can spread the malware in more traditional ways, such as by sending fake files/links to your contacts through phishing emails or social media messages. To put it bluntly, this attack vector is positioning itself to be one of the biggest malware events of 2017.

As if to underline this point, it has just been reported by Check Point that at least two million Google Play-based downloads of malware-infected apps have been detected since November of last year. “The apps were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an astounding number of downloads.” This happened despite the fact that Google, once alerted to the problem, removed the infected apps. The researchers were focusing only on one type of malware that infects guides to games such as FIFA, Pokemon GO, Shadow Fight, and Hungry Shark World. The malware appears to be using Google Play as a way to set up a botnet. This particular malware has been mostly used to distribute adware, however, it could be tweaked to do far more.

For the past week or so, I’ve been following the continuing discovery of BankBot offspring and other banker malware showing up on Google Play apps. Recently, the target has been Flash Player updates and even Google Play updates.

[Image: fake Flash Player and Google Play update apps carrying banking malware (from Koodous)]

It is not just a whack-a-mole approach that Google must use in combating this malware; it is more a Hydra-like whack-a-mole: when one app is removed, two more, often with slightly different code, appear. The reason for this proliferation is that the malware is available at low cost (or even free) on deep web and other sites and is relatively easy to implement. So rapid is this proliferation that some of the malware has not even been named yet.

BankBot malware may appear in many variations and may even be given different names, but they all use similar attack vectors. Although most use the overlay trick of presenting victims with fake login screens, these screens are used in different ways. Some will lock the screen while criminals wipe out the victim’s account. Some will present various error messages to delay the victim. Others come with no hard-coded login pages but will search the victim’s device for various apps and prepare for the attack by downloading the login page associated with each app. They will present a fake login page at the appropriate time. One form of banking malware, Trojan.Android/Charger.B, will even take a picture of the victim through the infected device’s camera and send it to the attackers. All of this functionality is hidden in normal apps that keep working as advertised.

Is there any way to tell in advance if an app on Google Play is infected? That’s difficult. If, however, the reviews seem to point to something suspicious, it is better not to download the app. Look at this review for one banking app.

“Ever since latest update I been having issues with even getting logged in. It comes up saying sorry temporarily delays try again later! It never did this before the last update? Please fix so it can be a great app again! Thanks”.

Sure, this is one person’s bad experience, but if there are more of these, it would make me nervous.

The main advice I would give is to be very careful about giving any app administrative privileges. Once you do this, the criminals have complete control of your device and will stop you from uninstalling the malware. If you try to deactivate the administrative rights given to the app, you will only get a popup screen that won’t go away unless you activate administrative rights again. It may, in some cases, be possible to deactivate the rights in safe mode. If you don’t know how to do this, see this post.

Some banking trojans install keyloggers so if your bank offers mouse-controlled numeric keypads for entering credentials, use them. Of course, this won’t work with malware that can ‘see’ your screen. Look for any changes in login screen design, any unusual messages, or unrequested login or logout screens. Yes, you will be, and should be, somewhat paranoid but better safe than bankrupt. Antivirus software is always being updated to look for such malware so make sure it is updated on your device and use it to scan frequently, especially after something unusual seems to happen.

Also keep in mind that these Android banking trojans can steal login credentials from other sites as well. I have seen Skype, PayPal, and even antivirus updates targeted. If you are really worried, you can go analog. That is, you can take the radical action of actually walking into your local bank, as crazy as that sounds.



Beware of the Rise of Scam Sellers on Amazon

If you’re like most people, when you heard, back in August, 2016, that 200 million Yahoo users had been hacked, you probably shrugged it off. Maybe you had no Yahoo account, or you had one, but never used it. Maybe you had changed your password recently so you felt it didn’t affect you. Well, if you thought any of these things, you were wrong. You could still be affected by this Yahoo hack. If you bought or buy anything on Amazon, you may not ever receive it. That may be because you have just bought something from a fake seller. Nothing will happen to you except for the inconvenience as Amazon will refund you for your purchase. However, if you are a seller associated with Amazon, you could be in big trouble.

Handmade jewelry seller, Amy Jennings, was understandably surprised when Amazon told her to ship the gun holster that someone had bought from her firm. She had not made any jeweled gun holsters recently. She suspected something was wrong and decided to check her Amazon account. This, she could not do. The account had been taken over by someone else who was pretending to be her and her firm. This meant that any money made from sales of her product had gone into the hacker’s account which had replaced her own. If you think that Amazon will refund the losses that these businesses incurred, think again. Amazon is a business. They don’t simply shell out money for customer refunds from their own bank account. They charge the account of the seller who failed to deliver the goods. Yes, the seller may eventually get this money back if Amazon accepts responsibility for the hack, but that is not guaranteed. A number of sellers are suing  Amazon for their mismanagement and their loss of much more money than Amazon is offering them in compensation. Some have even had their accounts completely drained by the hackers.

Beginning in late August, 2016, the number of scam sellers on Amazon grew at such a pace that, by December, Marketplace Pulse, the e-commerce market analyst site that assists Amazon, opened a new site called Scam Sellers, because “the more we looked at it, the more aware we became that this is not a one-off issue but instead a continuing effort to exploit the marketplace.” It’s no coincidence that fake seller sites ramped up during the holiday buying season; most scams do. However, the number of fake sites continued to rise thereafter. If you visit the Scam Sellers site, you will see the latest fake sellers on Amazon. In the past month alone, the company has identified 2,541 scam sellers. However, this story has only recently been attracting the attention of the mainstream media.

[Image: Marketplace Pulse chart of scam sellers detected on Amazon]

The situation is rapidly worsening and Marketplace Pulse reports that “during the past few days we detect roughly 75 new scam sellers every day, out of which 20 or so are previously dormant, and now hijacked accounts. It’s unclear how this is achieved, but it is happening at scale, not as here-and-there events.”

So how did we get to this point and how is this scam perpetrated? Well, first of all, we have to get back to the original Yahoo hack of 2012. Over time, the personal data from this and other hacks appeared for sale on the deep web, like it did in August, 2016. The data, in itself, does not include Amazon account information. The problem is that many people tend to use the same password, or variations on it, for multiple sites. Someone, for example, might use the password, ‘Williams’, on one site and ‘wi11iams’ on another of their sites. Criminals may first identify individuals who run sites affiliated with Amazon and then hope that they use the same password there that they use on other sites that the scammers already have the password for, such as Yahoo.

Once the scammers are on the victim’s Amazon site, Amazon assumes they are the real owner. They can, then, change their login information and change the bank account to which money from sales is sent. Of course, if they want, they can just try to steal money from the owner’s account and leave. Using this seller’s site, they can then offer phantom products on Amazon at more than competitive prices. Recently, they’ve been selling the popular gaming console, Nintendo Switch, at well-below normal prices. Customers must think they have found a great bargain, when, in reality, they have found a great scam. Once again, if it seems too good to be true, it probably is.

The scam seller will most likely keep the site until it looks like they might be found out. That may be no more than a few weeks or a month. They may claim that delivery will take up to a month so that Amazon is not concerned about any customer complaints until after that time. My own investigations have shown that these scam sites are using a number of other tactics as well. The criminals will sometimes use the trusted identity of the original owner to set up a fake site with another storefront name. They will often seed the bogus site with positive reviews upon taking it over to give it credibility. Some will send fake tracking information to buyers to keep them from reporting the site to Amazon and allow them more time to continue fooling buyers. The customer may even get a notice that the order was delivered, but to a different address, which gives the seller some extra time while the buyer tries, ineffectively, to work out the source of the problem. Here are some typical reviews of scam sites.

“My order summary stated that these items were delivered 3/19/2017. Did not receive them. Tried to contact seller, and was informed that they no longer did business with Amazon, so they were unable to be of assistance.”

“I have placed this order after research and waiting to receive. Unfortunately order got cancelled by giving explanation someone hacked the account. Such a full waste of time and efforts. Very poor service and customer support. I wish if I could zero star.”

Notice in the last example that it appears the seller got their site back and blamed hackers for the problems the buyers faced. But is this true? Could this be just another ruse used by the hackers? I can only confirm that the site is no longer listed on Amazon. If, however, the original owner did get their site back, they would have to deal with the tremendous blow to their reputation caused by the bad reviews posted during the time the site was controlled by hackers. In such a case, I would recommend starting over with a new name.

It is relatively easy to spot a scam seller if all the recent reviews are negative. It’s a different case if positive reviews are thrown into the mix as you can see from the following hacked seller.

[Image: customer reviews of a hijacked Amazon seller, mixing positive and negative ratings]

So how can you keep from getting scammed by fake sellers? What are the warning signs?

Well, first of all, if you are suspicious about a seller, you can always go to the Scam Sellers site mentioned above and use its search function to see if the suspicious seller is listed as fraudulent. If it is not, you’ll have to rely on other warning signs.

1. They are a new site offering many products at prices too good to be true.

2. Shipping by Amazon (FBA; Fulfillment by Amazon) is not offered and seller gives long shipping times (2-4 weeks).

3. Weird names for a business. Here are some names of actual fake sites.

[Image: examples of scam seller names]

4. Company is listed as existing outside of the U.S. but ships from somewhere within the U.S.

Companies listed outside of the U.S. are not necessarily evil. Check the most recent reviews as well as shipping times. Any company listing a 4 week shipping time may be worth avoiding if you want to play it safe.

The growing threat from fake sellers has led Amazon to take more drastic actions. Since many scam sellers use quick hit-and-run attacks, it is important for Amazon to identify them as soon as possible. To this end, they have implemented an automated seller suspension algorithm which can identify and block scam sellers within hours after they appear. Unfortunately, it can also block good sellers for a number of reasons and freeze their funds for 90 days. Make sure you follow Amazon guidelines before you set up your site or be prepared to be as frustrated as one disgruntled seller who wrote that, “Amazon just destroyed my business”.

In my opinion, Amazon is still the world’s best store. When I have had problems with orders, Amazon has always refunded me without hesitation. But what is good for customers is not always good for sellers. The opinion of sellers about Amazon is mixed as can be seen in the following from the Amazon Seller Forum site.

“I’m split 50/50 with amazon, sometimes I really dislike it here, I suppose I’m a little bitter with how things have changed here. I also don’t like the way they treat sellers, suspended because a misguided or lying buyer can put your account in jeopardy, that’s crazy, feel ebay are a bit more seller friendly.”

When the buyer comes first, the burden must be shifted to the backs of the sellers. In the case of scam sellers, it seems that this burden shift is justified. Using the same password on multiple sites or using easily guessed passwords is as bad as forgetting to lock the door of your shop when you go home at night. On the other hand, some seller complaints seem justified, such as the complaints about the lack of or inadequacy of support.

As long as Amazon continues to be the highest profile market on the internet, it and its sellers will be the target of attacks. It is difficult for Amazon and, by extension, sellers to keep up with all the attack vectors that arise. The latest, for example, uses Amazon’s Buyer-Seller Messaging service and two-factor authentication to trick sellers into handing over personal information. It’s clear that Amazon must work more closely with its sellers to mitigate such threats. Rapid communication and comprehensive support are vital. Buyers can play a role by letting Amazon know of questionable seller behavior and using better judgement when purchasing. None of this will completely stop hackers, but it will make their lives more difficult.
