The PrintFriendly Button Is Back.

One of my less-commendable habits is to add plugins to my WordPress blog, which might not be necessary, but which might OTOH be useful after all.

There is now a button at the bottom, left-hand side of my postings, which has a little printer icon, which my readers can click, in order to obtain a printable version of my postings.

There was an earlier point in time, when I took this plugin to be potential malware, because its presence in the browser causes scripts to run from other domains, and I did not think it wise, to be inviting scripts to run as part of my blog, which I do not know the purpose of, and which exist, because the Web-site of a plugin, includes another Web-site I know nothing about, which runs a script. So at that time, I went into high alert for no other reason, installed a whole security suite named “WordFence”, and removed the “PrintFriendly” plugin from my site.

Since then, my confidence in the security of my own site has improved – in spite of the fact that I’m still installing plugins – and I’ve come to think that my reaction back then might have been a bit unscientific. After all, even though I could know for certain that this unidentified script was being loaded onto my browser – which subsequently blocked it – I had no sure way of knowing it contained malware. The script in question may simply have had as purpose, to provide some sort of funding to the site that hosts PrintFriendly.

If the reader clicks on this icon, he’ll see that a floating window pops up, from which he can choose how – or if – he wants to print my posting. That floating window will only appear, if the reader allows his browser to run scripts from ‘printfriendly.com’. That floating window is still hosted on the other party’s server – belonging to PrintFriendly and not to me – and because that floating window is being hosted on their server, it also represents a resource which they need to pay for in some way, even though I’m not paying them.

Now, WordFence has a feature (enabled on my blog), that is called a ‘Front-Side URL Scan’. In short, instead of only scanning my plugin folders for trouble, this feature examines all the URLs which the home-page of my blog sends to the would-be browsers, and compares those URLs to blacklists of known malware. I will next be able to see, whether the URL in question was actually blacklisted – by anybody other than me. If it was, this plugin will disappear again from my blog.
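The kind of check described above can be sketched in a few lines. This is an added example, not WordFence's code and not part of the original post: it lists every third-party host a page asks the browser to load from and sorts each into allowed, unknown or blocklisted. The sample HTML, the `blog.example` host, the subdomains, the paths and the blocklist entry are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a resource.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collects the absolute URL of every resource the page asks the browser to load."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []          # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(wanted) if wanted else None
        if value:
            # urljoin also resolves protocol-relative URLs such as //host/x.js
            self.resources.append((tag, urljoin(self.base_url, value)))

def host_matches(host, domain):
    """True for the domain itself or any subdomain, but not for look-alike names."""
    return host == domain or host.endswith("." + domain)

def audit_page(html, base_url, allowed, blocklist):
    """Return {host: verdict} for every third-party host the page loads from."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    own_host = urlparse(base_url).hostname
    report = {}
    for _tag, url in collector.resources:
        host = (urlparse(url).hostname or "").lower()
        if not host or host == own_host:
            continue                 # first-party resource
        if any(host_matches(host, d) for d in blocklist):
            report[host] = "blocklisted"
        elif any(host_matches(host, d) for d in allowed):
            report.setdefault(host, "allowed")
        else:
            report.setdefault(host, "unknown")
    return report

# Constructed sample page; subdomains, paths and .example hosts are made up.
SAMPLE = """<html><head><link rel="stylesheet" href="/wp-content/style.css">
<script src="//static.printfriendly.com/constructed.js"></script></head>
<body><img src="https://blog.example/logo.png">
<script src="https://constructed-zone.kxcdn.com/a.js"></script>
<script src="http://evil.bad-host.example/x.js"></script></body></html>"""
```

Calling `audit_page(SAMPLE, "https://blog.example/", {"printfriendly.com"}, {"bad-host.example"})` reports the plugin's own host as allowed and the host nobody has vouched for as unknown, which is the case that deserves a closer look before it is either trusted or removed.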

But for now, I’m giving this plugin another chance.

Dirk

 

I am confident that my site is secure again.

What happens from now on, is that ‘WordFence‘ performs routine security scans of my blog. It then emails me with reports.

According to the latest report, emailed to me overnight as I slept, my blog had one issue, out of hundreds of potential issues: One of my plug-ins needed an upgrade.

Of course, I would have seen that this plug-in required an upgrade anyway, as soon as I checked my Dashboard this morning, which showed me the same result.

Yay!

Dirk

 

Malware Alert to all my Readers!

Even though my Blog is hosted on a supposedly-secure Linux machine, on which the core WordPress Files have permissions set such, that the Web-server cannot write to them, there is always some slight danger, that an infection can make its way onto my blog, through plug-ins which I have installed, which come from the WordPress site, but which are not under the scrutiny of the Debian software team, who created my WordPress core files. My Web-server can also self-install updates to those plug-ins, from their respective owners, because the write-permissions of the plug-ins directory are such that it can. ( :1 )

The reader may have noticed that there used to be an icon in the bottom of my postings, which allowed him either to Print the posting, to Save it as a PDF, or to Email it elsewhere. This icon was due to the ‘PrintFriendly Plug-In‘.

This plug-in did not even install any suspicious code on my server, but is cloud-based, in that any use made of it will redirect to the Web-site and servers, belonging to PrintFriendly. Not only that, but the icon itself can contain links to their site.

Well today I did notice, that my Web-browser, when pointed at my own site, tried running scripts from a site called ‘kxcdn.com’, and which my own browser had the installed extensions to block. This raised an alarm-bell in my head, and I went into action, looking for any contagion.

The PrintFriendly plug-in, or more correctly, their site it pointed to, was the source of that contagion. Deactivating that plug-in has now taken away the capability of the readers, to Print, to PDF or to Email my postings. But it has also removed any of the malicious attempts to redirect to ‘kxcdn.com’. The threat has effectively been neutralized on my server.

But, If You Did open that site, it would possibly have led you to This Situation. If it did, I hope you did not fall for their ploy. I apologize profusely if this happened to you, and do my best to control such problems from the first moment I notice them.

I have now installed the WordPress-security-extension ‘WordFence‘, and hope that this will reduce any vulnerabilities in the future.

Dirk

1: ) Actually, before my WordPress instance can update its plug-ins, I need to authorize the event. However, this safeguard only determines at what time updates can take place in practice, and just might make me aware of some suspicious activities that have yet to happen. It does not actually control, what code is inserted in the update.

However, as of now WordFence does control this, and has given me a clean bill of health!


Interpreting various Kleopatra Errors

If we initially install “Kleopatra” under Windows, by way of ‘GPG4Win’, there could be many reasons why the application may not work at first. But once it is installed, we usually expect it to continue working, especially if we also did not upgrade it.

But it has recently happened to me, that an attempt to launch the Kleopatra GUI failed, and gave me “Application Error 0xc0000005”. After that, uninstalling specific software, which did not insert any special libraries into the workings of Kleopatra, and then rebooting the Windows 7 machine, got rid of the error, and allowed Kleopatra to work again. In order to understand what this could mean, it is necessary to understand what Kleopatra normally does.

Kleopatra is a GUI, for the “GNU Privacy Guard” suite, which provides encryption, which manages public and private keys, and which manages the encryption of private keys as well. In order to do this, the application starts a process called ‘gpg-agent’, by means of which passwords can be entered securely, with which we are protecting our secret encryption keys. Securely means, in such a way that no other applications can read or log these passwords.

The error message above is somewhat vague. It can mean that a corrupted registry key has been digested by Windows, or it can also mean that some application is trying to access protected memory that does not belong to it. One possible meaning it could have in the case of Kleopatra, is that this application was unable to establish a secure way for key-strokes to be received by ‘gpg-agent’.

The fact that a reboot was required, after the other software was uninstalled, before Kleopatra would work again, could also mean several things:

  1. The other application could have installed a library to our Windows System, which remained loaded, even though the DLL File was already deleted. Specifically, this could be a Linux application using the Qt GUI libraries, that was ported to Windows, but that also set its version of the Qt libraries as the system-wide default, which might not be compatible with the Qt libraries that Kleopatra uses, and which the latter defines properly, in a way staying local to it.
  2. Windows could have digested a corrupted Registry entry during the previous reboot, in a way that would affect the entire session, even after this Registry entry was removed from the version stored on the HD.
  3. The other application could have left some process running in the BG, which could have affected how key-strokes are entered, even though we weren’t using that other application.

 

There is a more specific term for Case 3 above: We call that a key-logger. And it comes in a fitting context, that a program we use to manage our secret encryption keys, would announce to us that something was wrong.

In this case I would ask myself, whether I have actually typed in any passwords since the preceding reboot, including the password that unlocks the session. I assume that the first time we start a Windows session, this key-logger would not get the password to the machine, because processes have not yet launched, which do so after we start the first session. But if the screensaver came on, and if we entered our password to unlock that, then the BG processes would presumably be running already, and would be able to log that password.

And so aside from getting rid of such a potential threat, we also need to ask ourselves whether some immediate effort needs to be made, to change sensitive passwords…

In my own case I also observed, that the simpler GUI named ‘GPA’, which does not use Qt as its GUI library, and which also installs with ‘GPG4Win’, was still working 100%, and that the ‘gpg-agent’ process was successfully launched and running. A more critical error would have stemmed from ‘gpg-agent’ instead of from attempting to launch the GUIs.

Another observation which applies to my scenario is, that After I Uninstalled the other application and rebooted, the Error Went Away. I did not use a System Restore Point. If somebody was to install a key-logger intentionally, then he would also configure his uninstall script in such a way, as to leave that key-logger installed, if we simply gave the command to uninstall the application, which would in this case be the Trojan.

Dirk

(Edit : ) It is worth pointing out, that Kleopatra is an application, where the EXE File is not installed in the same folder, as the DLL Files it will link to. But it is normal Windows behavior, first to look in the folder of the EXE to try finding the DLLs there. Only after those are not found there, does Windows ‘look for them elsewhere’.

This could explain why Kleopatra was one of the few programs on my machine, that were malfunctioning, which the majority of the programs were not.

It should also be pointed out, that the other application which was causing this malfunction in my scenario, had its libraries distributed in numerous folders local to it. Therefore, it would have made sense on some level, for its developer to enter those folders into the path, in which his EXE Files were supposed to search for them.

The result could easily have been, that the DLLs which belong to Kleopatra, and which Kleopatra would thus try to link to, matched the exact names of DLL Files in the other programmer’s folders by chance, to which Kleopatra could have linked falsely.
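A name collision of this kind can be checked for directly. The following is an added example, not part of the original post: given an application's DLL folder and an ordered list of directories to search, it reports every DLL for which a same-named file in an earlier directory would be found first. It is a simplified model that takes the search order from the caller (the real Windows loader also consults system directories), and the file names in the demo are constructed, not Kleopatra's actual libraries.

```python
import os
import tempfile

def first_match(dll_name, search_dirs):
    """Return the first directory in search_dirs holding dll_name, or None.
    Names are compared case-insensitively, as Windows does."""
    wanted = dll_name.lower()
    for d in search_dirs:
        try:
            names = {n.lower() for n in os.listdir(d)}
        except OSError:
            continue                      # missing or unreadable search-path entry
        if wanted in names:
            return d
    return None

def find_shadowed(app_dll_dir, search_dirs):
    """List (dll, resolved_dir) pairs where a directory earlier in search_dirs
    supplies a same-named DLL before the application's own folder does."""
    shadowed = []
    for name in sorted(os.listdir(app_dll_dir)):
        if not name.lower().endswith(".dll"):
            continue
        hit = first_match(name, search_dirs)
        if hit is not None and not os.path.samefile(hit, app_dll_dir):
            shadowed.append((name, hit))
    return shadowed

def demo():
    """Constructed layout: an application's DLL folder and another program's
    library folder, checked with the other folder first and then second."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app_bin")
    other = os.path.join(root, "other_lib")
    layout = ((app, ["GuiToolkit.dll", "CryptoHelper.dll"]),   # hypothetical names
              (other, ["guitoolkit.DLL", "readme.txt"]))
    for d, files in layout:
        os.makedirs(d)
        for f in files:
            open(os.path.join(d, f), "wb").close()
    return find_shadowed(app, [other, app]), find_shadowed(app, [app, other]), other
```

On a real machine the `search_dirs` argument would be built from `os.environ["PATH"].split(os.pathsep)`, with the application's DLL folder placed wherever it actually falls in the order.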

But this may not always be everybody’s scenario. Some people report getting this error message sporadically, and without the success of having gotten rid of it. And then, what could it mean?