Dr. Bill.TV #419 – Audio – “The Sad, Sorry (Sideways) Security Edition!”

Cryptocurrency miners infect Dr. Bill’s PC, Dr. Bill orders a Google Pixel 2 XL, Star Wars: The Last Jedi trailer, Nintendo NES Classic, Amazon’s waterproof Kindle, Severe flaw in WPA2, PIA VPN, Google adds antivirus to Chrome, Securi Firewall hacked.

Links that pertain to this Netcast:

TechPodcasts Network

International Association of Internet Broadcasters

Blubrry Network

Dr. Bill Bailey.NET

ChuckieDaniel.com and The Lifetrain Internet Radio Station

WOFR.org – Word of Faith Internet Radio


Start the Video Netcast in the Blubrry Video Player above by
clicking on the “Play” Button in the center of the screen.

(Click on the buttons below to Stream the Netcast in your “format of choice”)
Streaming M4V Audio





Streaming MP3 Audio

Streaming Ogg Audio

Download M4V Download WebM Download MP3 Download Ogg
(Right-Click on any link above, and select “Save As…” to save the Netcast on your PC.)

You may also watch the Dr. Bill.TV Show on these services!

 

Dr. Bill.TV on YouTube Dr. Bill.TV on Vimeo

 


GoDaddy Securi Web Firewall Hacked!

Man! I use Securi on my sites too! Ack!

This bug let a researcher bypass GoDaddy’s site security tool

ZDNet – By: Zack Whittaker – “A widely used security tool owned by web hosting provider GoDaddy, designed to prevent websites from being hacked, was easily bypassed, putting websites at risk of data theft.

The company’s website application firewall (WAF), provided by Sucuri and acquired by GoDaddy earlier this year, protects websites against a range of attacks by adding an extra layer of security to a website to protect against cross-site scripting and SQL injection techniques.

But a security researcher told ZDNet that the firewall would let through some commands, allowing him to gain access to vulnerable databases behind the scenes. That, he said, put sites at risk of data theft.

Touseef Gul was able to bypass the firewall with a relatively simple SQL injection string, which he showed to ZDNet but we’re not publishing. SQL injection attacks can be launched from the web browser’s address bar. If the attack is successful it will display a list of database tables on the website itself. Where he was expecting to receive an ‘access denied’ message, the firewall let the command through and returned a list of tables from the target website’s database. He was also able to obtain the database’s admin account and MD5 hashed password, which nowadays is easily crackable.

What surprised the researcher, he said, was how easy the firewall was to bypass.

He gave an example of part of the code he used. He said that while the firewall would block a common command used in SQL injections, such as ‘UNION SELECT,’ a modified, encoded version of the same command — such as ‘UNION SELE%63T’ (where %63 is an encoded ‘C’) — was not blocked by the filter.

For its part, GoDaddy said it patched the bug within a day of the security researcher’s private disclosure to the company.

‘In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF,’ said Daniel Cid, GoDaddy’s vice-president of engineering.

‘Within less than a day, our systems were able to pick up this attempt and put a stop to it,’ he said.

Cid said the company is ‘not aware of other customers’ impacted by the bypass, but wouldn’t say how many websites were at risk of the bypass technique.

Lesley Carhart, a digital forensics and incident response specialist, explained that web application firewalls mimic the behavior of antivirus products rather than a traditional firewall.

‘In a lot of ways web attacks are way harder to firewall than traffic in and out of a network,’ said Carhart. ‘You can deny almost everything at a network firewall or host firewall.’

‘Web traffic filtering relies more on blacklisting bad stuff using signatures than whitelisting slews of unneeded ports and protocols like traditional firewalls,’ she added.

Web application firewalls block attacks on sites running web applications that are already vulnerable to attacks, like out-of-date content management systems, like WordPress or Joomla, she explained.”

‘In principle, it’s a great move to add another layer of defense to sites, but it should never be mistaken for or implied to be a replacement for secure coding,’ she said.”

Google Further Secures Chrome on Windows!

This is GREAT NEWS!

Google just added these antivirus features to Chrome for Windows

ZDNet – By: Liam Tung – “Google has introduced three changes to Chrome for Windows to improve the browser’s malware detection and removal capabilities.

The company is targeting malware and malicious extensions that modify search results to redirect users to unintended pages, inject ads, and lock users on ad-filled sites.

The new security features for Chrome on Windows are an addition to existing defenses, such as Safe Browsing warnings for pages known to deliver malware.

Google is now clamping down on Chrome extensions that change user settings, such as the default search engine. The browser will automatically detect when an unauthorized change is made and offers to restore the original settings.

It has also redesigned Chrome’s Cleanup feature which offers a shortcut to restoring the browser’s default settings after an infection. It shows an alert when the browser detects unwanted software and offers a way to remove it. Chrome users have previously been able to use the standalone Chrome Cleanup Tool to remove harmful software. Google says it redesigned the alerts to make it easier to see what software will be removed.

Chrome Cleanup has also gained a malware detection engine from antivirus firm ESET, which works in tandem with Chrome’s sandbox technology.

This integration of the new ‘sandboxed engine’ doesn’t replace antivirus on Windows as it only targets and removes software that violates Google’s unwanted software policy. However the policy covers a variety of bad behaviors, from deceptive installs to spyware. It also mean that Chrome can detect and remove more unwanted software than previously.

Google estimates the new security features will help ‘tens of millions’ of Chrome users clear up security problems in the next few days.”

This is Bad! Wifi Has Been Compromised!

Stay tuned on this one!

Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Ars Technica – Dan Gooden = “An air of unease set into the security circles on Sunday as they prepared for the disclosure of high-severity vulnerabilities in the Wi-Fi Protected Access II protocol that make it possible for attackers to eavesdrop Wi-Fi traffic passing between computers and access points.

The proof-of-concept exploit is called KRACK, short for Key Reinstallation Attacks. The research has been a closely guarded secret for weeks ahead of a coordinated disclosure that’s scheduled for 8 a.m. Monday, east coast time. An advisory the US CERT recently distributed to about 100 organizations described the research this way:

US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017.

According to a researcher who has been briefed on the vulnerability, it works by exploiting a four-way handshake that’s used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it’s resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.

A Github page belonging to one of the researchers and a separate placeholder website for the vulnerability used the following tags:

WPA2
KRACK
key reinstallation
security protocols
network security, attacks
nonce reuse
handshake
packet number
initialization vector

Researchers briefed on the vulnerabilities said they are indexed as: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088. One researcher told Ars that Aruba and Ubiquiti, which sell wireless access points to large corporations and government organizations, already have updates available to patch or mitigate the vulnerabilities.

The vulnerabilities are scheduled to be formally presented in a talk titled Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 scheduled for November 1 at the ACM Conference on Computer and Communications Security in Dallas. It’s believed that Monday’s disclosure will be made through the site krackattacks.com. The researchers presenting the talk are Mathy Vanhoef and Frank Piessens of KU Leuven and imec-DistriNet, Maliheh Shirvanian and Nitesh Saxena of the University of Alabama at Birmingham, Yong Li of Huawei Technologies in Düsseldorf, Germany, and Sven Schäge of Ruhr-Universität Bochum in Germany. The researchers presented this related research in August at the Black Hat Security Conference in Las Vegas.

The vast majority of existing access points aren’t likely to be patched quickly, and some may not be patched at all. If initial reports are accurate that encryption bypass exploits are easy and reliable in the WPA2 protocol, it’s likely attackers will be able to eavesdrop on nearby Wi-Fi traffic as it passes between computers and access points. It might also mean it’s possible to forge Dynamic Host Configuration Protocol settings, opening the door to hacks involving users’ domain name service.

It wasn’t possible to confirm the details reported in the CERT advisory or to assess the severity at the time this post was going live. If eavesdropping or hijacking scenarios turn out to be easy to pull off, people should avoid using Wi-Fi whenever possible until a patch or mitigation is in place. When Wi-Fi is the only connection option, people should use HTTPS, STARTTLS, Secure Shell and other reliable protocols to encrypt Web and e-mail traffic as it passes between computers and access points. As a fall-back users should consider using a virtual private network as an added safety measure, but users are reminded to choose their VPN providers carefully, since many services can’t be trusted to make users more secure. This post will be updated as more information becomes available.”

Now You Can Read a Kindle in the Tub?

If you want to…

Amazon finally makes a waterproof Kindle, after 10 years of Kindles

The Verge – By: Lauren Goode – “Amazon has been selling Kindles for 10 years now, but “waterproof” hasn’t appear on its list of incremental technological advancements until now. The company just announced a new version of its popular e-reader that builds on last year’s Kindle design and now has an IPX8 waterproof rating.

The new Kindle Oasis — the same name as last year’s premium Kindle — has jumped up in size, moving from a 6-inch screen to a 7-inch screen. It has an aluminum back, which gives it a more premium look and feel than the Kindles with soft-touch plastic.

Unlike last year’s Kindle Oasis, which used a magnetic case you attached to the e-reader to extend its battery life, the new Oasis relies entirely on its built-in battery. It has a similar physical design, with one thicker side that tapers down on the other side, for one-handed reading. But Amazon has made a point of saying that it managed to fit in a bigger battery, while keeping the tapered side of the device at 3.4 millimeters.

The resolution of the e-paper display is the same at 300 ppi, but it has a couple extra LED lights now for a brighter, more even-looking display. And it also has ambient light sensors that adjust the brightness as you move from room to room, or from outdoors to indoors. (The earlier Voyage Kindle does this, too.)

There are physical page-turn buttons, plus the touchscreen page-turn option; Amazon says it’s worked on both the hardware and software side of things to make page-turning feel faster.

But the big news with the upgraded Oasis is its waterproofing, a long-requested feature from some Kindle fans. (Yes, last year’s model was called Oasis and wasn’t waterproofed.) The new e-reader has been tested in two meters of water for up to 60 minutes. It’s also been tested in different water environments, like hot tubs, pools, and bubble baths. Amazon declined to say how it waterproofed the Kindle, but since it still has an open USB port for charging, it’s recommending that people stand the Kindle upright after it’s been submerged.

The proof is in the pouring: the Oasis’ waterproofing gets a quick test. Audible fans will be happy, as well: the new Oasis has a built-in Audible app. This doesn’t mean you can listen to Audible from the Kindle itself — it still doesn’t have any speakers — but you can start an audio book from the device and stream it over Bluetooth to a set of headphones or a speaker.

The new Oasis ships at the end of October and is replacing last year’s Oasis, leaving four Kindles total in Amazon’s lineup: the original Kindle ($80), the Kindle Paperwhite ($120), Kindle Voyage ($200), and the Oasis, which starts at $250 for an 8GB model. That’s double the base storage of previous Kindles, which Amazon says is to accommodate the storage of audio books. It also connects over both Wi-Fi and 4G LTE.

Amazon has been notoriously coy when it comes to saying how many units of Kindle it has sold — which was the first piece of hardware Amazon ever made and sold — but Kevin Keith, Amazon’s general manager of devices, said in an interview that sales are still “quite good,” with “tens of millions” sold. He also noted that Kindle is in more countries than any other Amazon device.

‘Kindle’ has indeed become synonymous with ‘e-reader’ over the past decade, but that doesn’t necessarily mean Amazon will enjoy the same kind of Kindle success over the next 10 years. In 2016, data showed that ebook sales were down, while sales of physical books surged. And in 2015, a Pew research report on American device ownership showed that e-reader ownership was down significantly from the year prior. According to non-Amazon data, it seems to have reached its peak in 2011.

But a spokesperson for Amazon said that Kindle is still as ‘relevant as ever,’ pointing out that Kindle sales are up year-over-year globally and that it had its best-selling day ever on Prime Day of this year.

For now, at least, there’s a new Kindle you can drop in the bath, the hot tub, or wherever else you enjoy your ebooks when you need a break from the internet.

Update: This article has been updated to include more context on Kindle sales from Amazon. Also, the price of the new Kindle was reported incorrectly in an earlier version of this article. The story has been updated to reflect that it is listed as $249.99 ($250), not $248.”

A Good Deal for Classic Gamers!

Nintendo Classic NES

It’s baaack!

Nintendo bringing back NES Classic Edition in 2018

Polygon – by: Michael McWhertor – “Nintendo’s NES Classic Edition mini console is coming back. Nintendo said in a release today that last year’s popular but hard to find miniature version of the Nintendo Entertainment System will return to store shelves next summer.

New shipments of the NES Classic Edition will be welcome news for fans, as Nintendo released the console in limited supply for a very short window. That was always the plan, Nintendo said, but clearly continued demand for the 8-bit system has changed the company’s mind.

Nintendo also said, officially, that it plans to release more Super NES Classic Edition consoles, its miniaturized version of the Super Nintendo Entertainment System, than originally planned. “Fans have shown their unbridled enthusiasm for these Classic Edition systems, so Nintendo is working to put many more of them on store shelves,” Nintendo said in a release.

Earlier this week, Nintendo of America president Reggie Fils-Aime said in an interview that the Super NES Classic Edition will be more readily available than its 8-bit predecessor.

“I would strongly urge you not to over-bid on an SNES Classic on any of the auction sites,” he told the Financial Times, adding that Nintendo had “dramatically increased” production of the SNES Classic.

Nintendo has promised since it announced the Super NES Classic Edition that it intends to make “significantly more” retro consoles than it did during the NES Classic Edition’s lifespan. But actually pre-ordering and guaranteeing one of the systems has been a headache for consumers, and Nintendo had only committed to manufacturing the Super NES Classic Edition through the end of 2017, leading to worries that the retro system would be hard to find.

The Super NES Classic Edition will include 21 games for Nintendo’s 16-bit console, including Super Mario World, The Legend of Zelda: A Link to the Past, Star Fox 2 and Super Metroid. The system will launch Sept. 29 for $79.99.

The NES Classic Edition, which was originally released in November 2016, included 30 classic 8-bit games. The system originally retailed for $59.99.”

Google Pixel 2 XL: My Next Phone!

Hands on: Google Pixel 2 XL review

TechRadar – By: Cameron Faulkner:

OUR EARLY VERDICT
Despite losing the cherished 3.5mm headphone jack, the Pixel 2 XL seems to have gained more than enough to make up for it thanks to a mix of unique and sought-after features like waterproofing, Active Edge and a truly impressive camera.

Google Pixel 2 XLFOR
Stock Android feels more unique with Active Edge
Confident design
Amazing camera
Waterproof

AGAINST
Price increased over 2016 model
Specs don’t move the needle
No 3.5mm headphone port

After an incredible year for smartphones, which so far has seen the launch of the Samsung Galaxy S8, iPhone X, LG V30, Essential Phone and many more boundary-pushing entries, Google is up to bat for the last big hit of 2017.

And today it took a mighty swing by announcing the Google Pixel 2 and Google Pixel 2 XL, both of which reshape and polish the already-impressive 2016 Pixel devices, but not without a little controversy.

Focusing on the Pixel 2 XL, the company clearly put some effort into making something more than just a larger version of the Pixel 2, as it did last year. In fact, this plus-sized phone visually stands out next to its smaller kin to such a degree that it might as well be a whole new product line.

It’s not just the outside of the phone that has us excited. The specs, including the Snapdragon 835 processor, improvements made to the camera and the intriguing Active Edge feature, look to put it up against (and in some regards, beat down) the toughest round of competition ever put forward by leading manufacturers.

But as always, it comes down to this question: is the phone worth the cost?

When it launches worldwide later this year, the Pixel 2 XL will ship for the hiked-up price of US$849/AU$1,399 (about £630) for the base 64GB model, while the 128GB is priced at US$949/AU$1,549 – we’re getting close to the ceiling in terms of prices set by the Samsung Galaxy Note 8 and iPhone X.

We’ve had some time with Google’s latest at its big event, and leading into our full review, we’ll be updating this post with new impressions as we use the device, fresh photo samples and comparisons and more, so stay tuned.

Design, display and Active Edge

Even if it was pure coincidence, the original Pixel XL certainly blended nicely into the crowd of iPhones, thanks to its generous bezels top and bottom. However, in the year following its debut, this style has quickly gone out the window in favor of the bezel-less look, with even Apple opting for a high screen-to-body ratio with the iPhone X.

So, rather than risk of getting left behind in the last big announcement of the year, it makes sense that the Google Pixel 2 XL would adopt a similar look. And what a refresh this is. Compared to the smaller 5-inch Google Pixel 2, the larger 6-inch version, which now costs a whopping $200 more, provides a decent amount of reason for the price madness.

Starting with the bezels (or the lack thereof), Google’s new phone mostly clears them from view to put the focus on the display – an improved P-OLED display that features a polarized display that can be viewed easily with sunglasses.

Not surprisingly, the new device improves on the original’s with the 2,880 x 1,440 resolution (QHD+), which makes it, once again, the better of Google’s two 2017 options for virtual reality via the Google Daydream View headset.

On its face, the Pixel 2 XL’s bezel layout makes for a similar look to the LG V30 and LG G6. Given that very company poured work into the latest Google phablet, this comes as little surprise, and thankfully, the Pixel 2 XL stands out easily so that you won’t confuse the phones.

Tearing our eyes away from the display (admittedly, a hard thing to do), the rest of the phone has received some big updates that are worth mentioning.

First, let’s address the elephant in the room: neither the Pixel 2 or the Pixel 2 XL feature a 3.5mm headphone jack. These aren’t the first Android phones to omit the legacy port, but given that it made a pointed jab at Apple for doing so last year, there’s a bit of egg on Google’s face right about now.

However, it’s less than you might think given that Android Oreo supports plenty of high-quality wireless audio codecs. This doesn’t excuse the decision, but as opposed to citing “courage” as its inspiration, Google appears to have accounted for the change by working to solve the greater issue of a bad wireless experience, which we’re all for. Plus, it’s tossing a 3.5mm to USB-C adaptor in the box.

Additionally, it has announced the Google Pixel Buds, which could be a good wireless solution if you happen to have $159 around. They’re most interesting than your average headphones though, as they live-translate languages.

Moving right along, the edges of the Pixel 2 XL are rounded off, offering a single, smooth texture instead of the divisive, multi-layered mix of chamfered and glossy metal used in 2016’s model. As usual, the right side of the smartphone plays host to the volume rocker and power button, with each delivering an optimal amount of tactility when pressed.

This sounds like a silly thing to pass judgment on, but in past years the hardware buttons on Nexus phones haven’t yielded the longest lifespan for remaining clicky. Thankfully, we haven’t experienced any issues whatsoever in its Pixel lineup, and this new phone appears to be no exception, though it’s an issue that usually takes months to manifest itself.

Moreover, the Pixel 2 XL features a new button of sorts that’s impervious to whittling away: its Active Edge feature, which lets you squeeze the phone’s frame to issue a command.

Want to boot into the camera app or pull up Google Assistant? Just give the phone a light or hard squeeze, the intensity of which you can determine yourself.

You might remember that this feature first popped up as Edge Sense in the HTC U11, and now it’s been swallowed up in the Pixel 2 XL. While some may stick to using buttons and on-screen prompts, Active Edge is an important new feature that adds a fun, new element of navigation to stock Android, which has the reputation of being a bit stale to some who prefer custom launchers.

Flipped over on its back, the same split, two-toned design of aluminum and glass carries forward into 2017’s Pixel devices, and it’s less divisive than before. My colleagues had some tough words for the original Pixel’s look, calling it “peculiar” and “premium, if slightly odd.” I personally don’t agree, though I can see where they’re coming from. That being said, this melding of materials on the Pixel 2 XL is much more harmonious.

The fingerprint sensor now sits below the glass fold, with only the large rear-facing camera, flash and accompanying sensors sitting within the glass. The slight camera bump might be seen as a flaw to some, but we’re in support of Google raising the camera sensor out a bit, as it prevents the horrors that are endured when the original Pixel’s rear glass cracks.

Performance

Early rumors pointed to the Pixel 2 and Pixel 2 XL being the first phones to launch with a next-gen Snapdragon processor, but that didn’t come to pass. Alas, both smartphones feature 2017’s go-to flagship workhorse, the Snapdragon 835.

Paired with 4GB of RAM, the Pixel 2 XL might not seem like it’s gunning for prime position in the numbers race, but of course we’ve yet to see what this phone is capable of in real-world testing.

Last year’s Pixel XL is equipped with the Snapdragon 821, and we’re still pretty pleased with the performance eked from it, so given Google’s recent work to build a name for itself in internal chipset development, our guess is that this phone has some unique performance tricks up its sleeve.

Of course, this smartphone will already be ahead of the greater pack of Android flagships at launch thanks to it coming with Android Oreo out of the box. You can expect super-fast boot times, optimized background app usage and, perhaps, a few more interesting Pixel-exclusive features coming down the line as Oreo matures.

The Pixel 2 XL’s camera and battery are well worth a discussion, though we won’t know what each is truly capable of until we spend more time with the phone.

Starting with the cameras, Google has gone the extra mile to make its already-stellar camera even better – it’s a 12MP sensor with an aperture of f/1.8 to capture low-light shots better, whether it be in the haze of night or a dark concert hall. On its front, Google has stuck with an 8MP sensor.

Google showed off its Google Lens and ARCore capabilities, both of which are coming to Pixel first. More to come on that later on, but definitely worth a lengthy discussion.

Moving onto the battery, as surprisingly efficient as the Snapdragon 835 has proved itself to be in the past year, we always like to see more battery in our phones, not less (staring daggers at the Moto Z2 Force.) The Pixel 2 XL has been boosted ever so slightly to 3,520mAh over 3,450mAh used in the original XL.

As a result, the 2 XL is very likely to be the popular choice among those who want to use Daydream for longer and, well, just do everything else for longer, too. We’re asking around about official battery capacity.

We’ll have to perform more testing to see if the pairing of its QHD+ display and larger battery will win out versus the Pixel 2’s 1080p screen and smaller battery, or if we’re looking at equal projected lifespans between the two – something that many have said about the first batch of Pixels.

Early verdict

2017 is a hellish year (in that it’s the best ever) to decide on a new smartphone, and Google certainly hasn’t made it any easier with the Pixel 2 XL.

But thanks to some smart re-configurations on both the design and internals fronts, plus a few extra surprises, like Active Edge and its seemingly killer camera, this smartphone could be the one you’ve been waiting for since, if you’re like me, last year’s Google Pixel.

This new device appears to have made improvements where it needed them most (performance and design,) as well as in areas where it already had a comfortable lead (camera, software).

Despite these welcome additions to the Pixel formula, the most unwelcome ingredient is its new price tag, which starts at $849. The divide between the smaller Pixel 2 is wider now: $200 instead of $120.

Is the jump worth it to you? Until we know for sure how the XL’s battery and chipset perform under pressure, check out our guide that might just help make that very decision an easy one.”

This an Exploit That Got Me!

It was in a Google Chrome extension (Chrome Text Editor) that I installed. More about that on the next show!

Surreptitious cryptocurrency miners hide on Politifact and hundreds of other sites

TechCrunch – By: Devin Coldewey – “Politifact is the latest and perhaps most high-profile website to have hosted code that secretly hijacks visitors’ CPUs to mine cryptocurrency. Driven by a boom in cryptocoin value and a lack of protections against JavaScript routines like this one, this surprising form of audience monetization is now found on hundreds of sites.

(Update: Politifact has removed the code and is looking into how it got there.)

It’s not quite an ad, and it’s not quite malware, nor is it strictly speaking a virus or exploit. JavaScript is used for all kinds of things in the background of practically every major website, from tracking users to displaying custom fonts. Generally speaking, these apps are running code hosted on another server that the end user can’t inspect, and often doesn’t even realize their browser is executing.

In recent months, several JavaScript-based cryptocurrency miners have appeared. The idea, supposedly, is that instead of showing your visitors ads, you have their CPU run the calculations necessary to mine a currency like Bitcoin. As the administrator, you could control the CPU load and reap any resulting coins. CoinHive is a new business that offers this as a service.

Predictably, this already questionable approach to monetization has already been repurposed by malicious actors. Injecting a bit of JavaScript into the front page of a website is often simpler to do than penetrate its databases or phish its admins; and once it’s in, it runs itself — all you have to do is give it a wallet to put the coins in.

That seems to be what happened at Politifact; my blocker registers a CoinHive instance on the main pages of the site, with new requests coming in multiple times a second. Inspecting the site’s JavaScript shows an enormous chunk of CoinHive miner code sitting amongst the ordinary scripts. It’s pretty hard to miss, and if not blocked it takes over the whole CPU until the tab is closed. With a few million users mining for a minute or two each while they check out the latest political shenanigans, those cycles add up quick.

I’ve contacted the site’s team to ask what the story is; someone there told The Register that they’re looking into it, but I’ll update if I hear back with more details.

The site is far from alone: a study by ad blocker company AdGuard showed that hundreds of sites, most of them on the shady site (porn and torrent sites, for instance) are running CoinHive code, or some other JavaScript-based miner.

What can you do? Well, this is a great reason to install an ad blocker, if you haven’t already: in addition to getting rid of intrusive ads and trackers, some of them block unknown scripts or have a blacklist of known malicious ones. I use uBlock Origin, which also makes it easy to whitelist sites (like this one) that only feature organic, free-range advertisements. But you could also use NoScript, AdBlock or any one of the many out there, depending on your platform and browser.”

1 2 3 4 327