Do as I say, don’t do as I do

DtloeRQWwAAlmiR

What are we who like to call ourselves “security professionals” trying to learn our users when it comes to plugging  USB devises unknown USB devises that they find or get as hand outs?…. Don’t plug them into your computer!

And what do I get as a hand-out at a the BlackHat Europe security conference?… a USB dongle…. Need I say more?

How I lost 0.12 USD to ticked fraud

RAMMSTEIN-VEROEFFENTLICHEN-RAMMSTEIN-IN-2In August 2019 there will be a Rammstein concert here in Oslo, and of course the tickets were sold out in no time at all… so in short no tickets for me :/ But a couple of days ago a friend of mine told me that someone on Facebook is selling four tickets to that exact concert. So, my wife and I contacted someone that claimed to be a student called Magnus Lie with the email address magnus.lie10@gmail.com.

Magnus turned out to be really friendly kind of guy, offering to help us set up an account with skrill.com for secure money transfer, and he claimed using skrill.com would keep both parties happy and safe from fraud (and other evil things) He was even asking some control questions about our skrill.com setup, just to keep us safe and secure (very nice of him to ensure that we don’t get tricked).

PicsArt_11-30-05.26.19So, when we were setup and ready to go he told us to just go ahead and transfer the money to magnus.lie10@gmail.com and he would make the necessary arrangements on his side.  Paranoid as we both are we did a quick google search on “magnus.lie10@gmail.com” , a search that gave no relevant hits. I also decided to do a quick test transfer on http://www.skrill.com to see what happened. Well it turned out that Mr Lie seemed to have an alias a Mr Uday Daas. So, when we asked Magnus (or Uday) who Uday Daas was he went silent for some minutes (suspect that the number of minutes reflects the time needed to setup a new Gmail and Skrill account..” – Oh, he said. did you use the correct email address? did you use magnus.lie11@gmail.com? And that was the end of that trade.

It seems to be a common trade/weakness with fraudsters that they are just way to helpfull, and since I’m a Norwegian, my spider sense starts tingling when people are service minded… its just not right 🙂

And Magnus\Uday please don’t spend the 0.12 USD, you got from me, on candy. Make sure you put it your piggy bank so you can save it for someting nice….

 

Security Alert, a black cat crossed your path

Black_cat_crossing_my_path_in_Canal_Walk_-_geograph.org.uk_-_1169749A recent survey done in Norway shows that 67% of companies and organizations in Norway put bad luck and coincident down as a reason for security incidents within their organization. Is it just me or is that a very worrying number? I mean 2/3 thirds of the 1500 companies and organizations interviewed put “bad luck” down as the reason for security incidents occurring within their organization  If it was 3 or 5 percent or maybe even 10, I would have shrugged and thought “well, yes fair enough” And just to be clear we are here talking about real companies and organizations, some of them delivering critical services to the public, we are not talking about superstitious old ladies that are walking under a ladder while a black cat is crossing the road.

It is very unsettling that so many Norwegian companies have a management are comfortable with putting down “bad luck” as the root cause: To me that indicates lack the basic understanding of the value of their own company, why they are hit by security incidents and what makes their company a potential target for threats that can cause security incidents.

One word of advice to the companies that are putting down “bad  luck” as the root cause for security incidents; If you value your company and customers, spend some time on money on information security, hire a CISO and don’t rely on luck as your main security control.

Maybe I should seek some comfort in the fact that back in 2016, 74 percent listed bad-luck as a contributing factor, so maybe we are heading in the right direction. If only I didnt see that black cat crossing the road earlier today.

 

Saving little old ladies from windows support

2gdl6qAfter spending over 90 minutes on the phone with our “Friends” at “Windows support” I’m not at all surprised that people get tricked into giving them full control of their PC’s and giving them their credit card details. They are actually extremely service minded (much more the a real service desk usually is…) Never thought I would be able to keep them on the call for 90 minutes before they called my bluff and I had to cave in.

As usual It started with a call from Windows Support, and this time around I thought… well I’m sitting at home, I have a VM to spare, let’s see where this takes me. On the other end of the line was this nice girl speaking with an Indian accent, she could inform me that someone was trying to break into my computer and steal all my personal stuff. And if I booted up my computer she would show me what was happening. And while she was talking to me she dropped all the keywords to build trust between me (the victim) and her. It was an endless stream of “trusted partner, hackers, security keys, and encryption” and of course the magic sentence “we will fix this for free and we will make it so no one can attack your computer again.” Did I say it was for free?  So to show me what was going on she got me to run some commands in the windows command shell (cmd) commands that for the regular PC user might look advanced and super complex. But for an old sysadmin, not so much (but entertaining). After winning my trust and convincing me that yes indeed there is something very suspicious going on (I guess in some way she was correct) She handed me over to a second line specialist that would help me clean up.

The very nice and very very very patient gentleman that was acting as the second line specialist was tasked with playing on this new-found trust and gain remote access to my computer. And again, the keywords was secure, hackers and free. The only catch was that if he was going to fix all my security problems on my computer he needed remote access, so he very painstakingly guided me through the process of installing team viewer. (I had my stupid hat on that day, so it took some time to get it done) But finally it got installed and he had remote access to my computer, and both of us was very happy. He could then show me the content of the windows event log, and with a very worried voice he told me that each of the red icons in the event log represented a successful attack against my poor computer. For those of you who have seen an windows event log you would understand that an ordinary PC user would be very worried, since the stream of red icons can seem endless.

It all came to an end when he wanted my credit card number to renew my Microsoft premium support agreement that apparently had expired. The proof of this was an expired certificate in my computers cert store (that had nothing to do with any support agreement) and he could only fix my poor little PC if I reactivated the support agreement. Unable to provide him with a valid credit card number I had to confess my sins and that I had just been playing along all the time.

But I as I said in the beginning, I now understand why people keeps getting tricked by this scam. Because they can be very convincing if you are an ordinary user (as most people are).

… like to think I saved an little old lady from getting ripped off  🙂

Go gentle online

bird-1081980_960_720First, yes the title for this post is lifted from the Robbie Williams song “Go gentle” that he wrote to his daughter

My own daughter is now rapidly closing thirteen, the magic age limit where the gates to social media hell or heaven is opened. For at thirteen she meets the age restriction set for most social media sites. She will then be allowed to create accounts, but she does not necessary have the right to (at least not if you ask me). The world of Snapchat and Instagram will lay at her feet. Btw I asked her about Facebook, but apparently only old farts like me still use Facebook.

So, because I have chosen a career within the field of information security, I’m unfortunately all too aware of all the dangers that lures behind almost every connected device out there. And the infosec guy in me keeps whispering in my ear that I need to monitor everything she does and be friend with, and follow her on any social media platform out there that she might think of joing, So she is safe from “bad hombres” with bad intentions, or see if she is visiting websites that I don’t want her to visit.

Well first of all, the “friend with your own kids on social media” does not really work, does it? I have had several parents telling me that “They have full control of what their kids are doing on different social media platforms, because they follow them.” and my answer often is, so you don’t think your kid is smart enough to create multiple accounts..? I know that I would have done that, too escape thy prying eyes of my parents. And if you have full control, why have we been discussing cyberbullying since the kids were 9?

And when it comes to doing 1984 style full monitoring, that kind of goes against all privacy principles I have. And to be honest I don’t want to know every little detail about what she is doing online, and I don’t want her to feel like her parents are doing 24/7 monitoring of her life.

The trust option.

So, we are trying to go for the trust option. For some of you this might sound a little blue eyed and “Norwegian” and yes, I know that she will do things she is not allowed to, honestly, I will be very surprised if she doesn’t. The trust approach includes setting up a contract between us (the parents) on her, outlining how she is to behave online, do’s and don’ts and consequences if guidelines are not followed. But what it is also equally important is that it puts requirements on us as her parents. That we are not to take sneak peaks on the content of her phone or computer, and that we will not use functions like “find my phone” to figure out where she is. My hope and wish is that this setup will make sure that if something bad happens online, she will come to us and talk about it, or any other adult she trusts, so she don’t need to fight online trolls alone

Password sharing

However, stepping onto the scene of social media will include sharing her passwords, with her parents. Not because we wish to log on and read her messages, but because if something happens, e.g. if she is running hours late from coming home at the agreed time, we as parents will need to look at social media accounts to be able to know where she is. But sharing of passwords also goes back to trust. We as parents are only allowed to use the passwords under certain conditions and the passwords are kept in an online vault (I use the Lastpass family plan for this) so she will be notified if we open her password vault. Of course this will only work if she trust us enough to put all her passwords into that password database. Even for accounts she don’t want her parents to know exists.

Blue eyed?

As I stated earlier, this might be a bit too naïve and blue eyed, and a couple of years down the line I might think “how stupid was I? I should have listen to my inner infosec guy and installed monitoring software and used “find my phone” to have full control.