Wednesday, July 10, 2013

Sometimes, life just hands you an ice cream cone


Recently, I was just sitting at my computer, when I got a call on my phone.  Unfortunately, I don't have a recording app on my phone (I did on my old one), so this is just the highlights from a few handwritten notes and my memory ...

(call from 212-777-3001)
Me: Hello?
Caller: Hello, this is <mumble>Global Soft<mumble>, we're recording errors on your computer
Me: huh?
(Really? I'm finally getting one of "those" calls)
Caller: we're getting lots of errors from your computer.  viruses, malware, ....
Me: huh?  How do you know about this stuff?
Caller: we receive error messages from your computer.  your computer is infected ... i just need to walk you through a few steps to fix it ...
Me: huh?
...
Me: huh?  I'm sorry, I'm pretty dumb about computers.  How do you know what's wrong with my computer?
Me: huh?  Oh! I know! Do you mean I bought your service when I bought the computer
Caller:  yeah, yeah, that's right.  that's what you did!
...
Caller: ok, I just need you to do a few things ...
Caller: turn on your computer ...
Caller: Let me know when you see your desktop ...
Me: huh? it's on, I'm looking right at it.
Caller: do you see your desktop
Me: huh?  I don't know ... it says dollar sign
Caller: (confused) huh? :-)
Me: huh? I see a dollar sign prompt  (I'm looking at a Linux shell prompt, but was trying to remember what a Wylbur prompt looked like ... If you're wondering: http://en.wikipedia.org/wiki/ORVYL_and_WYLBUR)
Caller: where's your desktop?
Me: huh? what's a desktop? oh! That! there is no desktop.  This is a brand new computer they just gave me
Me: before this we did everything with punched cards ...
Caller:  how do you get to the internet?
Me: huh?  Do you mean how do we do things?  I can submit any card deck you need, the submission desk is just down the hall ...
Caller: Are you at work?  Is this your personal computer?

(... much hilarity ensues while I offer to submit cards and he tries to get me to the desktop and/or internet)

Me: huh?  Of course I'm at work.  I don't have a personal computer
Caller:  Can you get to the Internet from work
Me: I'm not authorized to use the Internet

CLICK! (he finally hung up)

:-)

I am kicking myself a bit.  Not only did I have no way to record the call, but I realized afterwards that I have a throw-away, very vulnerable, Windows-XP virtual machine (from a course I took recently) that would have been a perfect victim.   Unfortunately, I have a feeling that my dyslexia would have kicked in ... and my credit card would have ended up being denied in that case.  :-)

But, pretending I was using punched cards did give me a bit of a giggle.

Update:

Here's an article which gives another example of how somebody else had fun with these guys: http://arstechnica.com/tech-policy/2012/10/i-am-calling-you-from-windows-a-tech-support-scammer-dials-ars-technica/


Update 2: Another article, also from Ars, provides more detail on how one of these operations is run (and how the FTC is taking them down). http://arstechnica.com/tech-policy/2014/05/stains-of-deceitfulness-inside-the-us-governments-war-on-tech-support-scammers/

Update 3 (9/12/2014): There's now a metasploit module which allows you to turn the tables on these scammers. http://www.scriptjunkie.us/2014/09/exploiting-ammyy-admin-developing-an-0day/

Sunday, June 30, 2013

A Couple of Cool Classes

I've devoted the last couple of Saturdays to taking the first two classes on penetration testing offered by Georgia Weidman. (http://www.bulbsecurity.com/)

The short version of this posting is that I completely recommend them, they're awesome!

The first class, Penetration Testing with Metasploit is exactly what the title promises.  It's the perfect class for someone who, like me, is fairly familiar with the tools of our trade, but has never taken the time to learn how to use Metasploit.  Yes, you can just read a book or the user docs, but learning how to use it by attacking realistic targets is a much better way to learn. (And much more fun!)

Even if you're relatively new to security, I think you can still get a lot from the class.  Here's a test: If I say "Port 80 on localhost", or "cracking hashes from /etc/shadow", does that mean anything to you?  Do you think you can stand up a pre-configured virtual machine using VMware player or VirtualBox?  If your answer to these is "yes", I think you'll be able to participate in this class.  The focus is on using Metasploit, and a few other tools ...  so if you can follow directions, you should be able to keep up.  Keep in mind, the point of Metasploit is to package exploits so that you can use them without knowing the details of how they work.  Even if you don't completely understand the exploits being demonstrated, seeing them in action is extremely valuable.

The class is entirely hands on.  Prior to the class, Georgia sends you two virtual machines, one running Windows XP and one running Ubuntu Linux.  She also instructs you to grab a copy of the Kali virtual machine (Kali, née BackTrack, is a collection of pentesting tools).  You'll be shocked to hear that both of the virtual machines she provides have some vulnerabilities.  :-)

Georgia runs the class using an on-line webinar system that lets her talk to everyone while she shares her screen.  She also gives out a set of slides, which provide a written backup to what she's showing.  The basic flow of the class is that you use the Kali VM  to attack the XP and Ubuntu "victim" virtual machines.  On the screen she's sharing, Georgia is running the same exploit you are, discussing it while she demonstrates it.  This is not some instructor reading from a power-point deck, it's more like watching reality TV for hackers ... except you get to play along!  Finally,  the webinar system allows students to submit questions, which Georgia is good about answering quickly and clearly.

Of course, the class is not without glitches.  As an instructor, you can't spin up a bunch of virtual machines on your laptop, interactively run malicious exploits against them and share the entire mess via a webinar/screen-sharing service from your home, without something breaking.  In both classes, some time was lost dealing with glitches, resulting in the class running 9 hours long instead of the scheduled 8.  Even with a few breaks thrown in, 9 hours is a long time.  By the end of each class I was a quivering bowl of Jello ... I have no idea how Georgia was able to keep going for 9 hours.  But each time, while I was pretty fried by the end I was also grinning like a mad man.

After the class is over, Georgia provides access to a video of the class.  She also will be granting students access to a lab network which contains additional machines to practice on.

So here's the best part ... the class costs only $100!

<Rant> I've gotten very frustrated at the cost of decent training these days.  For example, I'm a huge fan of some of the SANS courses, but there's no way I can afford them personally, and many employers simply can't afford to drop that kind of money on training.  I'm fully aware of, and OK with, the profit motive.  But it feels like the best and biggest training organizations are heavy on "what the market will bear", and light on "what's best for the industry".  Thank goodness for events like DEFCON, BSides or SNOWFROC ... without those there would be nothing for those of us who make up the "middle class" of security.</Rant>

In summary, this class is by far the best training deal I've ever encountered.  I learned some valuable skills taught by a real pro, I had a total blast and I didn't have to max out the credit card to do it.

I'm not sure when it'll be offered next, but check out: http://www.bulbsecurity.com/online-security-training/penetration-testing-with-metasploit/ for more information.

The second class, Penetration Testing Level 2, is very much a continuation of the first.   It's assumed you're familiar with the material from the first class, and goes into detail about more sophisticated attacks.  In addition to the VMs from the first class, an additional Windows-7 VM is provided.  Metasploit is still the primary tool, but other tools are also used for more sophisticated attacks.  For example msfvenom, the Social Engineering Toolkit and Hyperion are all used to package exploits. In another exercise,  one of the virtual machines is compromised and then used to pivot and attack a second machine.  These are still "elementary" pentesting techniques, but the hands-on nature of the class really takes it beyond the purely academic and makes it a valuable learning experience.

Penetration Testing Level 2 costs a whopping $200, and is worth every penny.  Again, I'm not sure when it's going to be offered again, check out: http://www.bulbsecurity.com/online-security-training/penetration-testing-level-2/

A couple of recommendations if you take one of these classes:

  • Grab the virtual machines ahead of time and make sure you've got them running well.  If you're building your environment the morning of the class, you're already behind the curve.
  • If possible, use a two monitor setup.  Having Georgia's shared screen on one monitor, and running Kali on the second monitor, is the trick setup for these classes.

It sounds like Georgia may create an entire series of classes along these lines ... at this sort of price point, given the high quality (and fun quotient) of the first two classes, I think that the entire series would be a pretty interesting training option.


Wednesday, June 5, 2013

Password Cracking is an Art

Just a quick posting to recommend the following article:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

It's easy to think that cracking passwords is a point and click activity ... just grab a big password list, recruit a bunch of processing power and let'r run.  If you think that's how it works, you're wrong.

This article describes the process taken by three separate password cracking experts to attack the same list of password hashes.  They approached the challenge with different tools, different approaches and achieved different results.

The key point (other than some nice tricks) is that, as with many security endeavors, password cracking is both a craft and an art.  To be good at it, you need to know the underlying cryptography, you need to know your tools and you need to know how people behave.  And then, most importantly, you need to develop creative solutions based on your knowledge and hard-earned experience.

As I go about my daily work in this field, I'm often reminded of the passion and craftsmanship I experienced a very long time ago when taking a woodworking class.  It was at a top design school, and I was a rank beginner surrounded by folks building beautiful pieces of furniture.  They understood how to make wood do things I could only dream about, things that seemed like magic until you understood how they did it.

Kinda like figuring out that '3e93fb79e0970b6b8229ff8bec22d069' is the hash for 'qeadzcwrsfxv1331'.

:-)
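To make the "know the cryptography, know your tools, know how people behave" point concrete, here is an added example (my own, not code from the Ars article or from any of the crackers it profiles). It uses a constructed four-word list and a handful of human-habit mangling rules, shows that one precomputed table recovers every unsalted MD5 it ever meets, and then shows why a per-user salt plus an iterated KDF (PBKDF2 here) takes that shortcut away: the defender's fix is to make each guess cost thousands of rounds per user instead of one MD5 shared by everyone. The wordlist, suffixes and salt are all constructed for the demo.

```python
import hashlib

# Constructed wordlist and mangling rules: a tiny stand-in for a cracker's
# dictionary plus rule engine. "qeadzcwrsfxv" is the keyboard walk from the
# post above; the others are ordinary weak choices.
BASE_WORDS = ["password", "letmein", "summer", "qeadzcwrsfxv"]
SUFFIXES = ["1", "123", "1331", "2013", "!"]


def candidates(words):
    """Yield each base word plus the mutations people actually apply to it."""
    for w in words:
        for stem in (w, w.capitalize()):
            yield stem
            for suffix in SUFFIXES:
                yield stem + suffix


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words):
    """Precompute MD5 once; with no salt, one table serves every hash list ever leaked."""
    return {md5_hex(c): c for c in candidates(words)}


def audit_unsalted(hashes, lookup):
    """Map each recoverable hash to its plaintext with a plain dictionary lookup."""
    return {h: lookup[h] for h in hashes if h in lookup}


def pbkdf2_hex(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def audit_salted(records, words, iterations):
    """records: (user, salt, stored_hash) triples.

    With a per-user salt and an iterated KDF there is no shared table: every
    candidate has to be rehashed for every user, and each rehash costs
    `iterations` rounds instead of a single MD5."""
    recovered = {}
    for user, salt, stored in records:
        for c in candidates(words):
            if pbkdf2_hex(c, salt, iterations) == stored:
                recovered[user] = c
                break
    return recovered


if __name__ == "__main__":
    lookup = build_lookup(BASE_WORDS)
    # Constructed "leaked" list: three weak choices and one random-looking string.
    leaked = [md5_hex("password"), md5_hex("Summer2013"),
              md5_hex("qeadzcwrsfxv1331"), md5_hex("m7#Qz!v9Lk")]
    print("unsalted MD5 recovered:", audit_unsalted(leaked, lookup))
    salt = b"constructed-per-user-salt"
    stored = pbkdf2_hex("Summer2013", salt, 20_000)
    print("shared table against PBKDF2:", audit_unsalted([stored], lookup))
    print("per-user PBKDF2 search:", audit_salted([("alice", salt, stored)], BASE_WORDS, 20_000))
```

Run it and the MD5 table finds all three weak passwords instantly, misses the random string, and finds nothing in the PBKDF2 output; the salted search still recovers "Summer2013", but only by paying the full iteration count for every candidate for that one user, which is exactly the cost a site owner wants attackers to pay.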


Thursday, May 16, 2013

Another adaptation to enhance our survival :-)


Below's a nice little note which points out that since some malware tries to evade analysis by detecting when it's running in a "lab" environment, you can "immunize" your systems by making them look like a lab.

https://community.rapid7.com/community/infosec/blog/2013/05/13/vaccinating-systems-against-vm-aware-malware

In this case, they provide a tool which makes a few simple changes to your system and runs a few programs to simulate running under VMware.  Cute, but of course soon enough the attackers will just evolve more sophisticated ways to detect when their code is really being examined.

This is the same sort of strategy used by some animals in nature.  If you appear to be something dangerous, predators will leave you alone.  Technically, this is known as Batesian mimicry (http://en.wikipedia.org/wiki/Batesian_mimicry).

One interesting aspect of Batesian mimicry is that even "poor" mimics derive a benefit - it will be interesting to see if that observation holds true in the online contest between hunter and prey.  :-)

Friday, May 10, 2013

Is Hotmail the Only One?

Here's a nice little bit of research out of rutgers.edu. It turns out that Hotmail will shut down your email account after it's been idle for 270 days. Not a crazy policy, and perhaps even with some security benefit.

But, here's the bad part, they also make your username (aka email address @ hotmail) available for reuse.

The researchers were able to use this detail, combined with the Facebook policy of sending password reset credentials to the email address on record, to take over the Facebook accounts associated with "expired" hotmail accounts.

This attack was assisted by some simple scripts that make it easy to test whether a hotmail account has expired or not. The biggest limitation on the attack is that Facebook generally restricts visibility into an account's email address to "Friends" of the account. In effect, this means automating the attack becomes a tree traversal exercise as one compromises an account, and then attacks any friends of the compromised account who might be vulnerable.

I have a few comments on this.

  1. I understand trying to let folks have the email address they want, that's just good business.  I can even see how letting folks take an address permanently out of the pool of available addresses is begging for abuse ... but we're seeing more and more examples of how stealing an email address opens the gate wide for identity theft.  Facebook is pretty much in the mainstream with their password reset policies.  Now is a good time for Microsoft to change their policy; don't make expired email accounts available for reuse, it's just too easy to abuse.
  2. I sympathize with Facebook.  I've always considered password resets to be a very difficult problem.  Short of having somebody physically present showing ID, how can you really be certain who you're granting access to an account to?  As I am constantly reminded, "on the Internet, nobody knows you're a dog".  In this case, all you really know is that you're being asked to grant access to somebody who doesn't know the correct password. :-)
  3. Again, this problem is hard when addressed at scale.  Consider the case of Mat Honan, where Apple tried to do something more sophisticated than just fire an email to a stored email address, and yet their process was still shown to be quite vulnerable (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/).
  4. Can you say Two Factor, Single Sign On?

Here's a good summary:  http://www.net-security.org/secworld.php?id=14892

Here's the full paper: http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf

As I ask in my subject, is Hotmail the only major email provider that allows reuse of email addresses?


Monday, April 29, 2013

Always remember to shred your ship when done with it

We've all seen the hapless user who sells their computer on eBay without wiping the hard drive.

How about selling a Coast Guard patrol boat to the North Koreans without wiping the navigation system.  :-)

What else did they forget to sanitize?

http://www.theregister.co.uk/2013/04/29/japan_coast_guard_forgets_wipe_data_norks/

There's a reason for process and rules, including that annoying check sheet for hardware disposal.

Thursday, April 25, 2013

Ouch!

One of the issues we have to address as security folks is protecting a person's privacy.   If you've ever dealt with Personal Health Information (PHI), you know that there are strict rules about what aspects of a person's identity must be protected when associated with medical data.

In what can only be described as an object lesson in how important this is, the folks at the Data Privacy Lab (at Harvard) conducted an interesting experiment - looking into how many folks in the Personal Genome Project they could identify just by birthdate, sex and zip code.

Amazingly, they identified 200 participants with 84% to 90% accuracy.  Let me repeat that for emphasis ... using just birthdate, zip and sex they were able to link 200 folks to their "anonymous" genome with good accuracy.  They basically matched data from the genome project with public voter registration data and other public data.

Here's a web site where they report their findings: http://dataprivacylab.org/projects/pgp/
The full report is at: http://dataprivacylab.org/projects/pgp/1021-1.pdf

Best of all, they have a web site where you can put in your birthdate, sex and zip, and they'll tell you how many folks match in their public records. (http://aboutmyinfo.org/)

I tried it for my info, and there's only one record which matches my info.  I live in a relatively small town (Boulder, CO) but still I was shocked.  It's a good thing I don't feel a need to hide my identity.

For reference, here's what HIPAA says about data that needs to be protected (thanks Wikipedia, http://en.wikipedia.org/wiki/Protected_health_information):

Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI that is linked based on the following list of identifiers must be treated with special care.
  1. Names
  2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and [t]he initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. Dates (other than year) directly related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Uniform Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
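Here is an added example (mine, not code from the Data Privacy Lab, aboutmyinfo.org or Wikipedia) that puts the two halves of this post side by side: it counts how many people in a public record set share a birthdate/sex/zip triple, which is the uniqueness check the experiment relied on, and then applies the date rule (item 3: keep only the year) and the zip rule (item 2: keep the first three digits only where the combined population exceeds 20,000, else "000") to the same records to show how the matching set grows. The "voter roll" rows, the 3-digit zip population figures and the column names in `deidentify` are all constructed for the demo; the real rule consults Census Bureau data.

```python
# Constructed stand-in for a public record set such as a voter roll:
# (name, date of birth as ISO string, sex, 5-digit zip).
PUBLIC_RECORDS = [
    ("A. Smith", "1970-03-14", "F", "80302"),
    ("B. Jones", "1970-03-14", "M", "80302"),
    ("C. Lee",   "1985-07-01", "F", "80302"),
    ("D. Kim",   "1985-07-01", "F", "80303"),
    ("E. Ortiz", "1985-07-01", "F", "80303"),
    ("F. Chen",  "1962-11-30", "M", "10001"),
]

# Constructed population figures per 3-digit zip prefix (the real rule uses
# Census Bureau data for the same 20,000 threshold).
ZIP3_POPULATION = {"803": 250_000, "100": 1_500_000, "599": 12_000}

# Constructed column names for the direct identifiers in the list above that
# can turn up in a record; sex, year of birth and a generalized zip may stay.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn",
                      "account", "license", "ip", "url"}


def matches(records, dob, sex, zipcode):
    """Count public records sharing the exact (dob, sex, zip) triple; 1 means unique."""
    return sum(1 for _, d, s, z in records if (d, s, z) == (dob, sex, zipcode))


def safe_harbor_zip(zipcode, zip3_population):
    """Item 2: keep the first three digits only if that area holds more than 20,000 people."""
    prefix = zipcode[:3]
    return prefix if zip3_population.get(prefix, 0) > 20_000 else "000"


def safe_harbor_key(dob, sex, zipcode, zip3_population):
    """Item 3 keeps only the year of a date; item 2 generalizes the zip."""
    return (dob[:4], sex, safe_harbor_zip(zipcode, zip3_population))


def matches_generalized(records, dob, sex, zipcode, zip3_population):
    """Same count after both sides are generalized: the larger, the harder to re-identify."""
    target = safe_harbor_key(dob, sex, zipcode, zip3_population)
    return sum(1 for _, d, s, z in records
               if safe_harbor_key(d, s, z, zip3_population) == target)


def deidentify(record, zip3_population):
    """Drop listed direct identifiers, generalize date and zip, keep everything else."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "dob" in out:
        out["birth_year"] = out.pop("dob")[:4]
    if "zip" in out:
        out["zip3"] = safe_harbor_zip(out.pop("zip"), zip3_population)
    return out


if __name__ == "__main__":
    print("exact triple, A. Smith:", matches(PUBLIC_RECORDS, "1970-03-14", "F", "80302"))
    print("generalized, C. Lee:   ", matches_generalized(PUBLIC_RECORDS, "1985-07-01", "F", "80302", ZIP3_POPULATION))
    print(deidentify({"name": "A. Smith", "dob": "1970-03-14", "sex": "F", "zip": "80302",
                      "email": "a@example.invalid", "diagnosis": "constructed"}, ZIP3_POPULATION))
```

With the constructed rows, A. Smith is the only person matching her exact triple (which is what the site told the author about his own record), while the generalized key for C. Lee matches three people. That is the whole trade: the more you generalize the quasi-identifiers, the more people share each key and the less a linkage against public data can pin down.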