Quotes
- "In God we trust,...
- "If you spend more on coffee than on IT security,...
- Amish Virus...
- Disney Virus...
- Prozac Virus...
- Airline Virus...
- Health Care Virus...
- Dr. Jack Kevorkian Virus...
- Viagra Virus...
- Viagra 2 Virus...
Summary
- [1] Understand different types of malware, by transmission and action
- [1] Improve user practices: "be-aware"
- [1] Install and update approved apps: software
- [1] Manage / Minimize Plugins, Extensions, Add-ons
- [1] Flash: Update, Block or Uninstall
- [1] Java: Update, Block or Uninstall (but keep JavaScript enabled)
- [1] Install & Maintain AntiVirus tools -- if available / applicable
-- lower priority than updating software and safer user behaviors.
- [2] Disable programming functionality in apps, e.g., Microsoft Office macros
- [3] Advanced Settings: JavaScript, WebGL, web admin
- References
[1] Understand Different Types of Malware
- Malware can access, compromise local files -- and online identities and accounts.
- Viruses Wreak Havoc On Your Files
- Spyware Steals Your Information
- Scareware Holds Your PC for Ransom
- Trojan Horses Install a Backdoor
- Worms Infect Through the Network
- There's often overlap
[1] Improve User Practices
- Pay attention -- most malware requires active user involvement
- Don't click on links or open attachments in an unexpected email from "friends", "boss", "family"
- Use browser Bookmarks / Favorites or a password manager to access web sites -- see later section: Browsing: Go To Correct Site
- Don't click on links in popups, or unknown links in web pages, esp. ads
- Do not respond to popups that "hijack" your browser, esp. those that "found malware" or download unexpected 'Flash updates' -- just quit browser (see Block Ads section if you can't close/quit); reputable companies do not use such annoying / scare tactics
[1] Install and Update Approved Apps
- Backup your Devices; install & update your software -- system and applications -- by downloading only from vendor's app store (if screened), app's own Update preference or control panel, other reputable sites
- [3] macOS: System Integrity Protection (SIP) is enabled by default, which aims to protect critical system folders by locking them down; temporarily disable SIP only if you know what you're doing
- [3] Don't "jail break" or "root" your device, i.e., don't install unofficial or pirated system/application software -- or visit "warez" or "dark" sites
- macOS:
App Store
- iOS:
App Store
- macOS:
System Preferences > Security & Privacy > General > Allow Apps Downloaded From:
- [1] Mac App Store
- [2] Mac App Store and Identified Developers
- [3] Anywhere -- note: option hidden by default in 10.12
- [2] To open an "unidentified" app that you're sure about:
- macOS:
Applications > (ctrl-click app) > Open > Open
- iOS: use the TestFlight app to accept expected invitations from known developers
- Enable phishing/malware/plugin warnings
- macOS:
Safari > Preferences > Security > Fraudulent sites; Internet plug-ins
- macOS:
Firefox > Preferences > Security > Block reported attack sites / web forgeries / add-ons
- macOS:
Chrome > Settings > Advanced Settings > Privacy > Protect you and your device from dangerous sites
- iOS:
Settings > Safari > Privacy & Security > Fraudulent Website Warning
- [2] Don't automatically open downloaded files (check file types)
- macOS:
Safari > Preferences > General > Open "safe" files after downloading
[1] Manage / Minimize Plugins, Extensions, Add-ons
- macOS:
Safari > Preferences > Security > Allow plugins
- macOS:
Firefox > Preferences > Applications
- macOS:
Firefox > Preferences > Security > Warn me when sites try to install add-ons
- macOS:
Chrome > Preferences > Advanced Settings > Privacy > Content Settings > Plugins; also Unsandboxed Plugins
- Consider disabling problematic, obsolete, infrequently-used plugins
- most sites, e.g., YouTube, default to HTML5 for video if Flash not present; Java less popular -- covered next
- iOS: unnecessary -- since plugins are not generally allowed
- configure to selectively load a plug-in if desired, or re-install if needed
- remove obsolete plugins, e.g., Microsoft Silverlight
- macOS:
Finder > (disk/user) > Library > Internet Plugins
[1] Flash: Update, Block or Uninstall
- iOS: NA
- macOS: I generally recommend uninstalling Flash from system; if necessary to use for some Flash-based sites, selectively use Google Chrome, which keeps Flash up-to-date automatically (at least for a little while longer), provides "sandboxing", and also auto-pauses certain videos / ads
- macOS:
Chrome > chrome://plugins > Enable, Always Allow to Run
maybe possible to run on-demand selectively via ctrl-click?
- If you do need to use Flash more frequently / conveniently, make sure it's always up to date and control using a flash blocker
- macOS:
System Preferences > Flash Player > Advanced > Updates
- macOS:
System Preferences > Flash Player > Storage > Delete All
- macOS:
Safari > Preferences > Extensions > Get Extensions : ClickToFlash
- macOS:
Safari (ctrl-click) > ClickToFlash Preferences
- macOS should automatically disable insecure versions, and display message: 'Blocked plug-in', 'Flash Security Alert' or 'Flash out-of-date'
[1] Java: Update, Block or Uninstall
- iOS: NA
- macOS:
System Preferences > Java > Update
- macOS:
System Preferences > Java > Security > Security Level
- macOS:
Safari > Preferences > Security > Allow Plugins > Website Settings : Java : Ask
- If installer wants to install any crapware or change settings by default, e.g., Yahoo homepage, search engine -- uncheck anything you don't want! -- installer now seems to be 'clean'
[1] Install Anti-Virus (AV)
- Install & maintain antivirus software on your device, if applicable & desired
- Be careful where you obtain malware protection software -- some may be malware / adware itself -- especially if obtained via ad links, popups, pop-under windows
- Having AV installed is no excuse to be careless
- iOS: unnecessary
- macOS: optional -- to avoid distributing infected files to others, e.g., Windows friends, or if still using external portable media from unknown sources: USB drives, CD/DVD, floppies, etc.
- virus definitions may not include newest threats; scanning may slow down, interfere with system
- examples: Avast; Avira; ClamXav; Comodo; Sophos
- note: if you're running Windows on macOS (using Boot Camp, or virtualization software like VMware Fusion or Parallels Desktop), you should absolutely run Windows anti-malware software -- Mac anti-malware won't help
- Windows:
Windows Settings > Update & Security > Windows Defender
- If you must use others' devices to access your accounts, make sure they're well-protected (antivirus) and maintained (software updates) -- see Mobile Privacy section, esp. to avoid keyloggers or other spyware
[3] Advanced Settings: JavaScript, WebGL, web admin
- JavaScript: on
- JavaScript (not the same as 'Java') is essential for most modern sites; most browsers don't provide an option to disable
- macOS:
Safari > Preferences > Security > Enable JavaScript
- You can generally remove tracking scripts by using a Content/Ad Blocker -- see Block Ads section
- WebGL: on
- WebGL (Web Graphics Library): JavaScript-based graphics using GPU
- macOS:
Safari > Preferences > Security > Allow WebGL
- If administering your own website, check system log for suspicious activity, e.g., logins to non-existent or unauthorized accounts, unexpected accesses to admin pages or to non-existent modules / pages / directories; add suspicious IP addresses to a 'deny list'
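A sketch of the log review described in the item above, as an added example that is not part of the original page. It assumes Apache/nginx "combined" access-log lines with the HTTP-auth user in the third field; the sample lines, account names, admin path prefixes, allowed admin IP and threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Assumption: "combined" access-log format (Apache/nginx default style).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical site-specific settings; replace with your own.
ADMIN_PREFIXES = ("/admin", "/wp-admin", "/wp-login.php", "/phpmyadmin")
KNOWN_ACCOUNTS = {"alice", "webmaster"}   # accounts that really exist
ALLOWED_ADMIN_IPS = {"203.0.113.10"}      # where admins normally connect from
THRESHOLD = 3                             # suspicious events before listing an IP

# Constructed sample log (documentation IP ranges), including one junk line.
SAMPLE_LOG = """
203.0.113.10 - alice [12/Mar/2024:09:01:02 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:09:03:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:09:03:15 +0000] "GET /old-page.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.23 - root [12/Mar/2024:09:05:00 +0000] "POST /admin/login HTTP/1.1" 401 210 "-" "curl/8.0"
198.51.100.23 - administrator [12/Mar/2024:09:05:01 +0000] "POST /admin/login HTTP/1.1" 401 210 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:09:05:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 312 "-" "curl/8.0"
198.51.100.77 - - [12/Mar/2024:09:07:00 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Mar/2024:09:07:01 +0000] "GET /modules/missing.php?id=1 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
this line is not a log entry
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ip_address(m["ip"])          # reject hostnames and garbage in the IP field
    except ValueError:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "path": m["path"].split("?", 1)[0].lower(),   # drop query string
        "status": int(m["status"]),
    }


def classify(entry):
    """List the reasons (possibly none) why one request looks suspicious."""
    reasons = []
    # Login attempt naming an account that does not exist or is not authorized.
    if entry["user"] != "-" and entry["user"] not in KNOWN_ACCOUNTS:
        reasons.append("unknown-account")
    # Admin page touched from somewhere admins do not normally connect from.
    if entry["path"].startswith(ADMIN_PREFIXES) and entry["ip"] not in ALLOWED_ADMIN_IPS:
        reasons.append("admin-access")
    # Request for a module / page / directory that does not exist.
    if entry["status"] == 404:
        reasons.append("not-found")
    return reasons


def review(log_text):
    """Return ({ip: Counter(reason -> count)}, number_of_unparseable_lines)."""
    findings = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        findings[entry["ip"]].update(classify(entry))
    return findings, skipped


def deny_candidates(log_text, threshold=THRESHOLD):
    """IPs whose suspicious-event total reaches the threshold, worst first."""
    findings, _ = review(log_text)
    scored = [(sum(c.values()), ip) for ip, c in findings.items()]
    ranked = sorted(scored, key=lambda s: (-s[0], s[1]))
    return [ip for score, ip in ranked if score >= threshold]


if __name__ == "__main__":
    findings, skipped = review(SAMPLE_LOG)
    for ip in deny_candidates(SAMPLE_LOG):
        print(ip, dict(findings[ip]))
    print("unparseable lines skipped:", skipped)
```

The threshold keeps an ordinary visitor who hits one stale link (192.0.2.44 in the sample) off the deny list; review the candidates before blocking them.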
References
- {TCYOP-4: 70-71; TCYOP-3: 57-58}
- sections: Refs: Android; Anti-virus; Cyberattacks/cyberwar; Extensions, Plug-ins; Flash, Shockwave; iOS; Java; JavaScript; macOS; Microsoft Office; Ransomware; Spyware; Web Servers; Windows
- topics: airgap, botnet, cryptojacking, keylogger, social engineering, USB drives, zombie
- other computer virus jokes: politicalhumor.about.com; ahajokes.com
- Wikipedia: Malware: short for malicious software, is a general term used to refer to a variety of forms of hostile or intrusive software, e.g., to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Only some is internet-related.
- HowStuffWorks: How to Detect Online Scams
- Wikipedia: Zero day attack exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch
- Wikipedia: Worm: malware that actively transmits itself (automatically, w/o user intervention) over a network to infect other computers
- Wikipedia: Virus: malware that has infected some executable software and, when run (usually by user opening a program, email or document), causes the virus to spread.
- HowStuffWorks: How Computer Viruses Work; How to Know if Your Computer is Infected with a Virus
- HowStuffWorks: How do viruses and worms spread in e-mail?
- HowStuffWorks: 10 Worst Computer Viruses of All Time
- Wikipedia: Trojan Horse: malware that appears benign/desirable but conceals malicious code; e.g., Zeus (2007-)
- HowStuffWorks: How Trojan Horses Work
- Viruses, Trojans and Worms video: 2:31
- Wikipedia: Botnet: collection of Internet-connected programs communicating with other similar programs in order to perform tasks -- some may be malware
- Wikipedia: Zombie computer: malware used to send email spam, to host contraband data such as child pornography, or to extort via distributed denial-of-service attacks.
- Wikipedia: Denial of Service Attack (DoS): make a machine or network resource unavailable to its intended users
- HowStuffWorks: How Zombie Computers Work; How to Fix Your Zombie Computer
- Wikipedia: air gap physically isolate a secure computer network from unsecured networks
- Wikipedia: Rootkits modify the host's operating system so that the malware is hidden from the user.
- Wikipedia: man in the middle attack (MITM) requires an attacker to have the ability to both monitor and alter or inject messages into a communication channel
- Wikipedia: Logic bomb: malware triggered by certain conditions, e.g., programmer fired
- HowStuffWorks: How does a logic bomb work?
- Wikipedia: social engineering obtaining confidential information by manipulating and/or deceiving people
- Wikipedia: Hacker (black hat); Firewall
- Wikipedia -- conferences/conventions: Black Hat Briefings; DEF CON
- HowStuffWorks: How Hackers Work; How Firewalls Work; Could hackers devastate the U.S. economy?; Computer Security Quiz
- That QR Code You’re About to Scan Could Be Risky, F.T.C. Warns NYT; 12/11/2023
- How to Not Get Hacked by a QR Code "quishing"; Wired; 12/3/2023
- It's Safe to Scan QR Codes (If You're Careful) LH; 5/12/2023
- FBI Advising People to Avoid Public Charging Stations 4/12/2023
- How to Recover From a Browser Hijacking Attack LH; 3/9/2023
- Why You Should Never Plug In an Unknown USB Device LH; 7/7/2022
- How to Use Microsoft Defender on All Your Devices
the security tool for Apple, Android, and Windows is now
available to any Microsoft 365 subscriber; Wired; 6/27/2022
- Steps to Simple Online Security: 8: Free Antivirus Software Is Good NYT; 4/15/2022
- FCC puts Kaspersky on security threat list, says it poses "unacceptable risk"
Moscow-based firm joins Huawei and ZTE on the same US security threat list; Ars; 3/25/2022
- The Log4J Vulnerability Will Haunt the Internet for Years Wired; 12/13/2021
- Hacker Lexicon: What Is a Watering Hole Attack?
two types of victims: the legitimate website or service that attackers compromise
to embed their malicious infrastructure, and the users who are then compromised
(usually via browser bug) when they visit; Wired; 11/28/2021
- 'Stalkerware' Apps Are Proliferating. Protect Yourself.
these spyware apps (mostly Android, some iOS) record your conversations, location and everything you type,
all while camouflaged as a calculator or calendar; NYT; 9/29/2021
- Feds list the top 30 most exploited vulnerabilities. Many are years old Ars; 7/29/2021
- Amnesty International researchers published a toolkit to help anyone scan their iPhone and Android devices for evidence of compromise by NSO's Pegasus spyware TC; 7/19/2021
- No, open source Audacity audio editor is not "spyware"
the community's telemetry concerns were received and addressed two months ago;
new privacy policy; Ars; 7/6/2021
- Google App Engine feature abused to create unlimited phishing pages malicious subdomains; BC; 9/20/2020
- How to Check Your Devices for Stalkerware Wired; 7/19/2020
- TikTok says it will stop clipboard snooping after iOS 14 reveals when apps attempt to read the clipboard; TikTok claims it was used to identify spammy behavior Tel; 6/25/2020
- Hacker Lexicon: What Is a Side Channel Attack? computers constantly give off more information than you might realize—which hackers can use to pry out their secrets; Wired; 6/21/2020
- UPnP flaw exposes millions of network devices to attacks over the Internet Windows; printers, modems, routers; best defense is to disable UPnP altogether; Ars; 6/11/2020
- The Curious Case of Copy & Paste -- on risks of pasting arbitrary content in browsers 6/2/2020
- Major security flaw found in Thunderbolt Macs and PCs: Should you be worried? for Mac, only if physical access to powered on Mac; MW; 5/16/2020
- Filipino Onel de Guzman, author of the Love Bug worm that infected millions of PCs in May 2000, talks about his creation and claims he regrets writing it BBC; 5/3/2020
- Meet the white-hat group fighting Emotet, the world's most dangerous malware Cryptolaemus group; from banking trojan to malware loaded; ZD; 2/29/2020
- Microsoft to bring its Defender antivirus software to iOS and Android malware and phishing attack protection; CNet; 2/20/2020
- One of the most destructive botnets can now spread to nearby Wi-Fi networks weak WiFi passwords; Ars; 2/11/2020
- There's a scary new reason not to borrow a stranger's iPhone cable FC; 10/8/2019
- How Can You Tell If an App Is Malware? LH; 9/20/2019
- How to Find Spyware Your Employer Installed on Your Computer and What to Do About It Giz; 8/5/2019
- The Worm That Nearly Ate the Internet Conficker infected 10 million computers in 2010. So why did cybergeddon never arrive? NYT; 6/29/2019
- A Computer Afflicted With 6 Infamous Viruses Has Passed $1 Million at Auction art project: The Persistence of Chaos; MB; 5/21/2019
- Hard-to-detect credential-theft malware has infected 1,200 and is still going Separ's 'living-off-the-land' approach (spartan malware that's built on legitimate apps and utilities) bypasses many antimalware providers; starts by end user clicking on a disguised executable; Ars; 2/20/2019
Android
- How Hackers Tricked 300,000 Android Users into Downloading Password-Stealing Malware LH; 12/1/2021
- Uninstall These Malicious Android Apps That Stole Facebook Passwords LH; 7/4/2021
- How to Get Rid of Android's Most Annoying Malware: xHelper LH; 2/18/2020
- This New Android Malware Can Survive a Factory Reset LH; 10/30/2019
- Double-Check That Your Android Antivirus App Actually Works some underperform or may even pose serious security risks; LH; 3/20/2019
- In a test of 250 Android antivirus apps in the Google Play Store, only 80 could detect more than 30% of malware, and only 23 had 100% detection rate ZD; 3/14/2019
- Delete These Malware-Laden Apps From Your Android Right Now LH; 3/14/2019
Anti-Virus
- HowStuffWorks: Is there any free anti-virus software?
- Avast shutters data-selling (Jumpshot) subsidiary amid user outrage Users were not happy to learn "security" software sold their browsing habits; Ars; 1/30/2020
- Antivirus Maker Avast Sold Data on Millions of Users TB; 1/29/2020
- Are You One Of Avast’s 400 Million Users? This Is Why It Collects And Sells Your Web Habits. Forbes; 12/9/2019
- Recent antivirus tests are bad news for paid security suites Windows; their basic AV capabilities are being equaled by free apps; PC; 1/30/2019
Cyber Attacks, CyberWar
- Wikipedia: Anonymous loosely associated international network of activists and hacktivists; well-known for distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites
- Wikipedia: Hacktivism; Denial of Service Attack make a machine or network resource unavailable to its intended users
- HowStuffWorks: How Anonymous Works
- Wikipedia: Computer Emergency Response Team Internet security incidents and cyberthreats
- Wikipedia: cyberterrorism; cyberwar Kosovo 1998; US Cyber Command; CISPA: Cyber Intelligence Sharing and Protection Act proposed: 2011
- HowStuffWorks: Is cyberwar coming?; How CISPA Works
- HowStuffWorks: What does the U.S. cybersecurity czar do?; Could a single hacker crash a country's network?; Could hackers devastate the U.S. economy?
- Could Cyberwar Make the World Safer? NYT; 8/22/2021
- The Untold History of America's Zero-Day Market lucrative business of dealing in code vulnerabilities is central to espionage and war planning; Wired; 2/14/2021
- With Hacking, the United States Needs to Stop Playing the Victim the U.S. also uses cybertools to defend its interests. It’s the age of perpetual cyberconflict; NYT; 12/23/2020
- Journalist’s phone hacked by new 'invisible' technique: All he had to do was visit one website. Any website. NSO Group; 6/21/2020
- China's Military Is Tied to Debilitating New Cyberattack Tool Aria-body (embedded in MS Office files) had been deployed against governments and state-owned companies in Australia and SE Asia; NYT; 5/7/2020
- A Critical Internet Safeguard Is Running Out of Time Shadowserver; Wired; 3/16/2020
- The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History Wired; 10/17/2019
Extensions, Plug-ins
- see sections: Flash, Java
- Wikipedia: Silverlight; Adobe (Macromedia) Shockwave
- Ethical.net: Browser extensions
- Our Favorite Ad Blockers and Browser Extensions to Protect Privacy NYT; 9/30/2021
- Our Favorite Ad Blockers and Browser Extensions to Protect Privacy
Ad blocker: uBlock Origin;
Tracking blocker: Privacy Badger;
Secure connections: HTTPS Everywhere;
Cleaner links: ClearURLs;
Local resources: Decentraleyes;
Login protection: Use a password manager;
Firefox Multi-Account Containers;
Extra-credit tools: Use a VPN, Enable DNS over HTTPS (DoH), Change your default search engine;
NYT; 3/11/2021
- How to Make Sure Your Browser Extensions Are Safe Wired; 6/27/2021
- Teams behind Chrome, Safari, Firefox, and Edge unveil a development forum at W3C to standardize and build a unified, more secure foundation for extensions CNet; 6/4/2021
- Up to 3 million devices infected by malware-laced Chrome and Edge add-ons 28 malicious extensions hosted by Google and Microsoft; Ars; 12/16/2020
- What You Need to Know About the Latest Chrome Extension Malware Campaign LH; 6/24/2020
- Check Chrome and Remove Any of These 70+ Malware Extensions LH; 2/14/2020
- Mozilla removes four Firefox extensions made by Avast and AVG after reports that they were harvesting user data and browsing histories still available on the Chrome Web Store; ZD; 12/3/2019
- DuckDuckGo Privacy Essentials extension returns to Safari ApIn; 11/7/2019
- Mozilla to stop supporting sideloaded extensions in Firefox starting March 2020, with Firefox 74; ZD; 11/1/2019
- Google to Minimize the Data Collected by Chrome Extensions PC; 7/23/2019
- Uninstall These Eight Browser Extensions That Stole Data from Millions
Branded Surveys (Chrome); FairShare Unlock (Chrome and Firefox)
HoverZoom (Chrome); Panel Community Surveys (Chrome)
PanelMeasurement (Chrome); SaveFrom.net Helper (Firefox)
SpeakIt! (Chrome); SuperZoom (Chrome and Firefox); LH; 7/18/2019
- My browser, the spy: How extensions slurped up browsing histories from 4M users Have your tax returns, Nest videos, and medical info been made public? DataSpii: How extensions hide their data grabs -- and how they're discovered; Ars; 7/18/2019
- A third of all Chrome extensions request access to user data on any site 35.4% ask users for permission to access and read all their data on any site, 84.7% had no privacy policy; check privacy/security of any Chrome extension: CRXcavator; ZD; 2/22/2019
- [2] How Web Apps Can Turn Browser Extensions Into Backdoors TP; 1/22/2019
- It's Time to Audit All the Extensions You've Installed on Your Browser Chrome, Firefox, Safari, Edge; Giz; 1/18/2019
Flash, Shockwave [Adobe]
- Wikipedia: plugin; Flash; Flash cookies
- Microsoft to fully remove Adobe Flash from Windows 10 in July PC; 5/4/2021
- Flash Is Dead -- but Not Gone Zombie versions of Adobe’s troubled software can still cause problems in systems around the world; Wired; 1/24/2021
- Adobe just released the last Flash update ever Flash Player will block playback starting on 1/21/2021; Verge; 12/9/2020
- Flash Animations Live Forever at the Internet Archive no plugin required, just WebAssembly support; 11/19/2020
- Flash on Firefox will die completely in 55 days Firefox 83 is the penultimate version of Mozilla's browser to support the once ubiquitous plug-in. Security and battery life concerns hastened its demise; CNet; 11/17/2020
- Microsoft Is Finally Purging Flash From Windows Giz; 10/28/2020
- Porn surfers have a dirty secret. They’re using Internet Explorer -- and Flash Ars; 9/12/2020
- The rise and fall of Adobe Flash Ars; 7/7/2020
- Adobe Flash Is Actually Going to Die This Time, For Real [12/31/2020] Giz; 6/16/2020
- How to Enable Flash on Chrome Browser OSXD; 2/17/2020
- How to Avoid the Most Popular Mac Malware, 'Shlayer' fake Flash Player download; LH; 1/24/2020
- Google's Chrome 76, now in beta, will block Flash by default a Google employee claims Chrome 76 will prevent sites from detecting users in Incognito Mode; 9to5; 6/13/2019
- Adobe Shockwave will be discontinued on 4/9/2019 interactive content has moved to platforms like HTML5 Canvas and WebGL in recent years; Verge; 3/11/2019
- Microsoft culls secret Flash allow list after Google points out its insecurity Previously, some 58 sites were given special treatment. Now it's only Facebook; Ars; 2/20/2019
- [2] Malvertisers target Mac users with steganographic code stashed in images via HTML5 coding; underlying link if clicked directs to fake Flash update site; Ars; 1/24/2019
- Mozilla: Firefox 69 will disable Adobe Flash plugin by default ZD; 1/14/2019
iOS
- How NSO Group's iPhone-Hacking Exploit Works Giz; 12/22/2021
- Using Extensions in Safari in iOS 15 and iPadOS 15 TB; 10/2/2021
- Pegasus spyware: How to check your iPhone and why you shouldn't worry MW; 7/22/2021
- This App (iVerify) Will Tell You if Your iPhone Gets Hacked with caveats; MB; 11/14/2019
- How 18 Malware Apps Snuck Into Apple's App Store phony ad clicks; Wired; 10/25/2019
- Make Sure You Didn't Download One of These 17 Malicious iOS Apps LH; 10/24/2019
- [2] Checkm8 creator says his iPhone exploit requires physical device access and lacks persistence after reboot but will make jailbreaking more accessible and safer; Ars; 9/28/2019
- [2] Unpatchable bug in millions of iOS devices exploited, developer claims "Checkm8" jailbreak exploit works on devices from iPhone 4s to iPhone X, developer claims; Ars; 9/27/2019
- Mysterious iOS Attack Changes Everything We Know About iPhone Hacking For two years, a handful of websites have indiscriminately hacked thousands of iPhones; Wired; 8/30/2019
- These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer MB; 8/10/2019
- It's Almost Impossible to Tell if Your iPhone Has Been Hacked MB; 5/14/2019
- Cybersecurity 101: Five settings to secure your iPhone or iPad
1. Turn on USB Restricted Mode to make hacking more difficult: Settings > Touch ID & Passcode > USB Accessories : Off
2. Make sure automatic iOS updates are turned on: Settings > General > Software Update > Automatic Updates : On
3. Set a stronger device passcode: Settings > Touch ID & Passcode > (old passcode) > Change Password > Options > Custom Numeric Code
4. Switch on two-factor authentication: Settings > (your name) > Password & Security > Two-Factor Authentication : On
5. Change your reused passwords -- use your password manager; or if using iCloud Keychain: Settings > Passwords & Accounts > Website & App Passwords > (enter passcode) > (choose site) > Change Password on Website
TC; 2/19/2019
Java
- Wikipedia: Java
- HowStuffWorks: How Java Works; Quiz
JavaScript (JS)
- Wikipedia: JavaScript; JS Security; Virtual machines
- Wikipedia: Cross-site scripting (XSS) enables attackers to inject client-side script into Web pages viewed by other users
- Wikipedia: code injection caused by processing invalid data on server
- Wikipedia: same origin policy if content from one site (such as https://mybank.example1.com) is granted permission to access resources on the system, then any content from that site will share these permissions
- Wikipedia: Cross-site request forgery unauthorized commands are transmitted from a user that the website trusts; previous cookie
- Wikipedia: buffer overflow overwrites adjacent memory -- affecting security and other programs
- Wikipedia: sandbox executes software in a restricted operating system environment, thus controlling the resources accessed (files, etc.)
- JS blockers: Wikipedia: NoScript Firefox; JavaScript Blocker Safari
- How to Block JavaScript on Your iPhone or Android (and When You Should) LH; 10/6/2021
- FSF announces JShelter browser add-on to combat threats from nonfree JavaScript 9/30/2021
macOS
- Best antivirus software for protecting your Mac from viruses and malware MW; 9/3/2024
- How to know if your Mac has been hacked MW; 6/13/2024
- Is Apple's Built-in Antivirus Enough XProtect, Gatekeeper; 3rd party? MW; 2/16/2024
- What to do if you think your Mac has a virus
Bitdefender Virus Scanner; AVG Antivirus for Mac;
Avira Free Security for Mac; MW; 12/5/2023
- New malware strain stealing business data from Intel Macs ApIn; 9/16/2023
- 'Downfall' and Intel Macs: What you need to know about the flaw and fix Macs (from 2015 on) use affected processors,
but it's unclear if they are subject to the attack or not; MW; 8/12/2023
- Complete list of Mac attacks: Every Mac virus, malware and trojan MW; 8/2/2023
- How to Identify and Eliminate Abusive Web Notifications "Website ___ would like to send you notifications in Notification Center" -- Don't Allow;
Safari > Settings > Websites > Notifications > Allow websites to ask for permission to send notifications (deselect)
(similar settings for other browser); TB; 6/26/23
- Macs can get viruses, but do Macs need antivirus software? MW; 6/20/2024
- Help Prevent Evil Maid Attacks & Unknown Tampering of MacBooks with Nail Polish OSXD; 6/4/2023
- Your Mac might not be safe from ransomware for much longer MW; 4/19/2023
- New malware (MacStealer aka "weed") steals Mac passwords incl. credentials and cookies from Firefox, Google Chrome, and Brave browsers;
and also extracts the Keychain database, and other files; ApIn; 3/27/2023
- The best antivirus for Mac is none at all ApIn; 3/18/2023
- ClamXAV review: Basic antivirus protection for an annual price MW; 3/14/2023
- Checking your Mac for viruses. Wait, what? MW; 2/24/2023
- Avira Free Security for Mac review MW; 1/19/2023
- AVG AntiVirus for Mac review: Basic but solid protection for free MW; 12/8/2022
- Study: Almost 50% of macOS malware comes from only one app = MacKeeper; 11/16/2022
- macOS's New XProtect Remediator Now Regularly Scans for Malware
macOS 11 and later; TB; 9/2/2022
- A Single Flaw Broke Every Layer of Security in MacOS Wired; 8/12/2022
- Good Mac security goes beyond antivirus ApIn; 7/22/2022
- CleanMyMac review: Some handy tools but its malware detection still falls short MW; 7/7/2022
- Macs can get viruses, but do Macs need antivirus software? MW; 6/27/2022
- Mac malware spreading for ~14 months installs backdoor on infected systems
UpdateAgent; Ars; 2/2/2022
- Booby-trapped sites delivered potent new backdoor trojan to macOS users DazleSpy; Ars; 1/25/2022
- CleanMyMac X review: A solid scrubber with hit-or-miss malware removal MW; 8/19/2021
- Malwarebytes Reports on the State of Mac Malware in 2020 TB; 2/19/2021
- Apple Platform Security Guide Reveals Focus on Vertical Integration TB; 2/18/2021
- [2] Mac malware spreads through Xcode projects, abuses WebKit, Data Vault vulnerabilities ZD; 8/14/2020
- New Mac ransomware is even more sinister than it appears ThiefQuest's spyware capabilities: exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in; need to install pirated apps; Ars; 7/5/2020
- Malwarebytes: Macs Outpaced PCs in Number of Malware Threats Detected Per Endpoint in 2019, But Most Are Adware MR; 2/11/2020
- Airo Antivirus review: A promising start for a Mac-focused antivirus MW; 2/2/2020
- How to Avoid the Most Popular Mac Malware, 'Shlayer' fake Flash Player download; LH; 1/24/2020
- F-Secure Safe for Mac review: No-frills quality protection MW; 12/4/2019
- How to Install Malwarebytes on Mac to Scan for Malware & Adware Uninstall OSXD; 8/9/2019
- Microsoft is bringing its Defender antivirus software to the Mac Defender Advanced Threat Protection (ATP); for businesses (only?); Verge; 3/21/2019
- [2] Hackers keep trying to get malicious Windows file onto MacOS clever trick may be designed to bypass Gatekeeper protections built into macOS; uses Little Snitch Mono framework; Ars; 2/11/2019
- [3] How to Bypass 'Safari no longer supports unsafe extension' Error in Mac OS Mojave OSXD; 2/8/2019
Microsoft Office
- see section: Flash
- Now Microsoft Office is blocking macros by default Verge; 7/22/2022
- How to protect yourself from the new Microsoft Office hack
don't click on risky docs; make sure Protected View is still switched on in Office; PC; 9/9/2021
- An '80s File Format Enabled Stealthy Mac Hacking now-patched vulnerability would have let hackers target Microsoft Office using Symbolic Link, an old file type; Wired; 8/5/2020
- Ex-NSA Hacker Finds a Way to Hack Mac Users Via Microsoft Office now fixed for the latest version of Office on Mac, and for MacOS 10.15.3; MB; 8/5/2020
- G Suite's lack of end-to-end encryption means US agencies could force Google to hand over unreleased reporting, even unpublished info about journalistic sources 10/9/2019
- How Hackers Turn Microsoft Excel's Own Features Against It Wired; 6/27/2019
Ransomware
- Wikipedia: Ransomware: restricts access to the system that it infects, and demands a ransom paid to the creator of the malware in order to remove the restriction.
- No More Ransom! Need Help unlocking your digital life without paying your attackers?
- What experts think companies should do when ransomware strikes NPR; 8/12/2022
- GoodWill ransomware forces victims to donate to the poor and provides financial assistance to patients in need 5/24/2022
- Winning the War on Ransomware
DOJ’s task force; Verge; 12/9/2021
- Ransomware gangs are complaining that other crooks are stealing their ransoms ZD; 9/30/2021
- Why ransomware hackers love a holiday weekend Ars; 9/5/2021
- The history of hacking ransoms and cryptocurrency CNet; 7/30/2021
- How REvil Ransomware Took Out Thousands of Business at Once
automated updates via supply chain network; Wired; 7/4/2021
- Don't Ignore Ransomware. It's Bad.
govt actions; backups; uptodate software;
if companies, government agencies and organizations required all employees and others who access their computer networks
to use strong passwords, password managers and multi-step authentication, it would go a long way to prevent cyberattacks; NYT; 4/29/2021 - How Did ‘Ransomware’ Get So Bad? NYT; 10/5/2020
- When coffee makers are demanding a ransom, you know IoT is screwed watch along as hacked machine grinds, beeps, and spews water; Ars; 9/26/2020
- Ransomware Has Gone Corporate. Where Will It End? the DarkSide operators are just the latest group to adopt a veneer of professionalism—while at the same time escalating the consequences of their attacks; Wired; 8/26/2020
- Researchers detail the increasingly prevalent LockBit ransomware, which may one day reach parity with other feared ransomware packages like Maze or Ryuk Ars; 4/30/2020
- The Covid-19 Pandemic Reveals Ransomware's Long Game hackers laid the groundwork months ago for attacks; Wired; 4/28/2020
- Ransomware Gangs to Stop Attacking Health Orgs During Pandemic BC; 3/18/2020
- Ransomware Attacks Grow, Crippling Cities and Businesses Hackers are locking people out of their networks and demanding big payments to get back in. New data shows just how common and damaging the attacks have become; NYT; 2/9/2020
- Why you can't bank on backups to fight ransomware anymore they still will face demands for payment in order to avoid the publication or sale of information stolen by the attackers before the ransomware was triggered; Ars; 2/7/2020
- New ransomware doesn't just encrypt data. It also meddles with critical infrastructure Ekans represents a "new and deeply concerning" evolution in malware targeting control systems; Ars; 2/3/2020
- Experts: Don't reboot your computer after you've been infected with ransomware Rebooting may lead to restarting a crashed file-encryption process, potential loss of encryption keys stored in-memory; ZD; 11/5/2019
- Profile of Michael Gillespie, who has cracked the encryption of 100+ types of ransomware and helped thousands of ransomware victims recover their files for free ProPub; 10/29/2019
- FBI warns of major ransomware attacks as criminals go "big-game hunting" Ars; 10/7/2019
- How insurance companies are fueling a rise in ransomware attacks Insurers prefer to pay the ransom. Why? ProPublica says attacks are good for business; Ars; 8/27/2019
- Don't Pay the Ransom The F.B.I. should follow the example of European law enforcement and help victims of ransomware decrypt their data; No More Ransom initiative, tools; NYT; 8/14/2019
- Cybersecurity officials warn state and local agencies (again) to fend off ransomware three steps urged by CISA, MS-ISAC, NGA, NASCIO: run daily backups, train staff on "cybersecurity awareness," and "revisit and refine cyber incident response plans"; Ars; 7/30/2019
- No More Ransom project has prevented ransomware profits of at least $108 million 82 tools that can be used to decrypt 109 different types of ransomware; ZD; 7/26/2019
- How to protect yourself from online scams including ransomware and more PC; 7/16/2019
- Georgia's courts hit by ransomware Ryuk; Ars; 7/1/2019
- Florida LAN: Someone clicks link, again, giving Key Biscayne ransomware Ars; 6/28/2019
- Sting Catches Another Ransomware Firm -- Red Mosquito -- Negotiating With "Hackers" rather than high-tech ransomware solutions; PP; 6/24/2019
- A tale of two cities: Why ransomware will just get worse Deal or no deal, either way cities pay through the nose because of failed IT practices; Ars; 6/21/2019
- [2] Zero-day attackers deliver a double dose of ransomware—no clicking required Oracle WebLogic; Ars; 4/30/2019
- Arizona Beverages, one of the largest drink suppliers in the US, is reeling after a ransomware attack FBI warned them beforehand of a malware infection; TC; 4/2/2019
- Here's how personalized ransomware attacks work, and how to protect yourself TNW; 3/28/2019
- New ransomware rakes in $4 million by adopting a "big game hunting" strategy Ryuk lies in wait for as long as a year, then pounces on only the biggest prey; Ars; 1/12/2019
Spyware
- Wikipedia: Spyware: malware that monitors users' web browsing, displays unsolicited advertisements, or redirects affiliate marketing revenues to the spyware creator.
- Wikipedia: Keystroke logging: action of recording (or logging) the keys struck on a keyboard, typically in a covert manner, e.g., passwords
- HowStuffWorks: How Spyware Works; How to Avoid Spyware; How to Scan for and Remove Spyware
- Spyware Maker NSO Promises Reform but Keeps Snooping recent revelations in India show that the threat from the company’s spyware to activists and journalists isn’t limited to autocratic regimes; NYT; 11/9/2019
- Fake veteran hiring site downloads spyware instead of jobs Ars; 9/25/2019
- El Chapo Trial: Kingpin Used Spyware to Obsessively Monitor His Wife and Mistress NYT; 1/10/2019
[3] Web Servers
- Apache, Drupal, Joomla, WordPress, etc.
- Many websites threatened by highly critical code-execution bug in Drupal Drupal is the third most-widely used CMS behind WordPress and Joomla; Ars; 2/21/2019
- How to Run a Web Server on iOS with iSH and python OSXD; 2/20/2019
Windows
- Best antivirus: Keep your Windows PC safe from spyware, Trojans, malware, and more PC; 8/9/2024
- The best antivirus protection CNet; 12/19/2022
- Hackers Are Exploiting a Flaw Microsoft Fixed in 2013 optional update; ZLoader; Wired; 1/5/2022
- AVG Internet Security review much improved interface along with good protection and solid pricing; PC; 2/3/2021
- What you need to know about Windows Security in Windows 10 PC; 1/6/2021
- Windows Security review: There are better options, but not for the 'price' PC; 12/12/2019
- Why you can stop paying for antivirus software Microsoft's Windows Security (formerly Windows Defender) is now on a par with paid solutions such as McAfee and Norton; PC; 9/24/2019
- Why You Should Use Windows Defender's Ransomware Prevention LH; 8/16/2019
- How to remove malware from your Windows PC PC; 5/6/2019