Saving little old ladies from windows support

After spending over 90 minutes on the phone with our “friends” at “Windows support”, I’m not at all surprised that people get tricked into giving them full control of their PCs and handing over their credit card details. They are actually extremely service minded (much more than a real service desk usually is…). I never thought I would be able to keep them on the call for 90 minutes before they called my bluff and I had to cave in.

As usual, it started with a call from “Windows Support”, and this time around I thought: well, I’m sitting at home, I have a VM to spare, let’s see where this takes me. On the other end of the line was a nice girl speaking with an Indian accent, who informed me that someone was trying to break into my computer and steal all my personal stuff, and that if I booted up my computer she would show me what was happening. While she was talking to me she dropped all the keywords needed to build trust between me (the victim) and her. It was an endless stream of “trusted partner, hackers, security keys, and encryption”, and of course the magic sentence “we will fix this for free and we will make it so no one can attack your computer again.” Did I say it was for free? So to show me what was going on she got me to run some commands in the Windows command shell (cmd), commands that to the regular PC user might look advanced and super complex. For an old sysadmin, not so much (but entertaining). After winning my trust and convincing me that yes, indeed, there was something very suspicious going on (I guess in some way she was correct), she handed me over to a second line specialist who would help me clean up.

The very nice and very, very, very patient gentleman acting as the second line specialist was tasked with playing on this new-found trust to gain remote access to my computer. Again, the keywords were secure, hackers and free. The only catch was that if he was going to fix all the security problems on my computer he needed remote access, so he very painstakingly guided me through the process of installing TeamViewer. (I had my stupid hat on that day, so it took some time to get it done.) Finally it got installed and he had remote access to my computer, and both of us were very happy. He could then show me the content of the Windows event log, and with a very worried voice he told me that each of the red icons in the event log represented a successful attack against my poor computer. Those of you who have seen a Windows event log will understand why an ordinary PC user would be very worried, since the stream of red icons can seem endless.

It all came to an end when he wanted my credit card number to renew my Microsoft premium support agreement, which had apparently expired. The proof of this was an expired certificate in my computer’s certificate store (which had nothing to do with any support agreement), and he could only fix my poor little PC if I reactivated the support agreement. Unable to provide him with a valid credit card number, I had to confess my sins and admit that I had just been playing along all the time.

But as I said in the beginning, I now understand why people keep getting tricked by this scam: they can be very convincing if you are an ordinary user (as most people are).

… like to think I saved a little old lady from getting ripped off 🙂

Go gentle online

First, yes, the title of this post is lifted from the Robbie Williams song “Go Gentle”, which he wrote for his daughter.

My own daughter is now rapidly closing in on thirteen, the magic age limit where the gates to social media hell or heaven are opened. At thirteen she meets the age restriction set by most social media sites. She will then be allowed to create accounts, but she does not necessarily have the right to (at least not if you ask me). The world of Snapchat and Instagram will lie at her feet. Btw, I asked her about Facebook, but apparently only old farts like me still use Facebook.

So, because I have chosen a career within the field of information security, I’m unfortunately all too aware of the dangers that lurk behind almost every connected device out there. And the infosec guy in me keeps whispering in my ear that I need to monitor everything she does, befriend and follow her on any social media platform she might think of joining, so she is safe from “bad hombres” with bad intentions, and see if she is visiting websites that I don’t want her to visit.

Well, first of all, the “be friends with your own kids on social media” approach does not really work, does it? I have had several parents tell me that “they have full control of what their kids are doing on different social media platforms, because they follow them”, and my answer often is: so you don’t think your kid is smart enough to create multiple accounts? I know that I would have done that, to escape the prying eyes of my parents. And if you have full control, why have we been discussing cyberbullying since the kids were 9?

And when it comes to doing 1984-style full monitoring, that goes against all the privacy principles I have. To be honest, I don’t want to know every little detail about what she is doing online, and I don’t want her to feel like her parents are monitoring her life 24/7.

The trust option.

So, we are trying to go for the trust option. For some of you this might sound a little blue-eyed and “Norwegian”, and yes, I know that she will do things she is not allowed to; honestly, I will be very surprised if she doesn’t. The trust approach includes setting up a contract between us (the parents) and her, outlining how she is to behave online, do’s and don’ts, and consequences if the guidelines are not followed. But what is equally important is that it also puts requirements on us as her parents: that we are not to take sneak peeks at the content of her phone or computer, and that we will not use functions like “find my phone” to figure out where she is. My hope and wish is that this setup will make sure that if something bad happens online, she will come to us and talk about it, or to any other adult she trusts, so she doesn’t need to fight online trolls alone.

Password sharing

However, stepping onto the scene of social media will include sharing her passwords with her parents. Not because we wish to log on and read her messages, but because if something happens, e.g. if she is running hours late coming home at the agreed time, we as parents will need to look at her social media accounts to be able to find out where she is. But sharing passwords also goes back to trust. We as parents are only allowed to use the passwords under certain conditions, and the passwords are kept in an online vault (I use the LastPass family plan for this), so she will be notified if we open her password vault. Of course this will only work if she trusts us enough to put all her passwords into that password database. Even for accounts she doesn’t want her parents to know exist.

Blue eyed?

As I stated earlier, this might be a bit too naïve and blue-eyed, and a couple of years down the line I might think: “How stupid was I? I should have listened to my inner infosec guy and installed monitoring software and used ‘find my phone’ to have full control.”

Go gentle

To my daughter, now that you are moving into the world of Snapchat and Instagram. But probably not Facebook, since it’s only us old farts who still hang around there.

So here is some advice, in a badly rewritten version of the Robbie Williams song “Go Gentle”:

You’re gonna meet some perverts.
Welcome to the zoo.
Bitter disappointments.
Except for one or two.
Some of them are pretenders.
Some of them are mean.
Most of them are twisted.
Few of them are clean.

Now when you go flirting with
boys on snapchat.
Just keep it simple.
You don’t have to send nudes though.
Don’t waste time with the idiots
Think that they’re heroes.
They will betray you.
Take care of your friends

Don’t try to make them love you.
Don’t answer every troll.
Baby be a giant.
Let the world be small.
Some of them are deadly.
Some don’t let it show.
If they try and hurt you.
Just let your daddy know.

Now when you go giving your heart make
Sure they deserve it.
If they haven’t earned it.
Keep searching, it’s worth it.


The little green box

When walking around in office buildings that are protected by expensive electronic locks, requiring you to swipe your access badge to get in (or out), you have probably also noticed a little green box on the side with the text “emergency door release” written on it. These “security bypass boxes” will let you through the door without a valid access pass.

If the physical security setup and the security team have not been forced into compromises by HSE requirements (e.g. emergency escape routes), and were not asleep during the planning, these little green boxes will only let you get out of a security zone, not in. HOWEVER, as always, compromises and mistakes are made, and you will find that these little green “security bypass” boxes sometimes grant access into places where a valid access pass should be the only way to get in.

Ah yes, it’s very nice that you have this super-duper expensive physical access control system with electronic locks and encryption keys that have not yet been hacked, but why do you have these green boxes on each side of the door?

Alarms

These little green boxes can (and should) be connected to an alarm system, triggering an alert when the button is pushed. If the alerts are monitored, a guard might be dispatched to check out what is going on. But when you think about it, the chance that multiple guards will come storming down the hallway as soon as the green “security bypass box” has been triggered is rather small. There is usually no room in the security budget for that to happen.

Remember to lock the door

So what this little green box actually does is cut the power to the magnetic lock (the same thing that happens when the fire alarm is triggered). This means that the door will remain unlocked after you have passed through it, something that might raise suspicion and increases the risk that someone (hopefully) will report it. This can easily be mitigated by using a small plastic reset tool (example in the picture to the left). By inserting this tool on the underside of the green box you reset it to its original state, and the door will be locked after you pass through. It is then likely that the guards monitoring alerts will conclude that it was just another false alarm. Not sure where to get such a tool? Well, get a 3D printer and start creating all the little reset gadgets you need.

OBS – Remember to get a permission slip

Note that if you wish to test this, you must make sure that you have obtained permission from the relevant stakeholders (the landlord, the company that uses the office, the guard company, and so on). If you don’t have that, this will be considered breaking and entering.

And… DON’T TOUCH the red one, that can land you in all sorts of trouble (unless there is a real fire).


Even security pros are suckers for free stuff (guess we are humans after all)

It is interesting to see that even at security conferences you will find everything we warn our users about. Things that we as security professionals tell our friends and co-workers that no, no, you must not touch.

  • Free USB thumb drives. At the last conference I attended I got a free floppy disk, but I doubt that represents any major risk, unless it contains Brain.exe.
  • Free and open WiFi. A security conference is probably the last place you want to connect to an open WiFi.
  • Free gadgets made in China that you can plug into your laptop or connect to your phone.
  • The opportunity to sell your contact information to get a sticker on a piece of paper (well, why not, you might win a prize, and if you are really lucky the prize is a malware-infected thumb drive, or more likely the chance of a flooded mailbox).

And no, I’m not pretending to be any better than the rest of the conference participants… I’m also a sucker for the free stuff we all get. Let’s plug in this Chinese Bluetooth hands-free without a user manual in English, nothing bad can come of that, right? Maybe it’s best to stick to the occasional t-shirt or baseball cap.

Canary Tokens – Free IDS for small businesses.

IDS, or intrusion detection systems, can be very costly and resource demanding. Because of this, many small and medium-sized companies never implement these types of solutions, and as a consequence breaches, whether caused by external threat actors or by internal employees snooping around in systems, will most likely never be discovered. In the world of GDPR this might spell disaster for a company processing personally identifiable information, which according to GDPR is more or less everything.

Canary tokens to the rescue.. (maybe)

Enter a free and easy-to-use tool called “Canary tokens”, created by Thinkst. Canary tokens let you create free honeypots (or honey tokens) that alert you by email when triggered. Since this is a free and very basic tool, it will not provide you with much information on who actually triggered the token. It will give you the timestamp of when the token was accessed and the source IP, but at least you know that someone is snooping around in your system, and you can take the appropriate actions to counter the breach.

The Canary tokens website lets you generate multiple types of tokens, which should cover most of your needs:

  • A URL an adversary might visit
  • A domain or hostname an adversary might resolve
  • A Word or PDF document an adversary might open
  • A Bitcoin wallet from which an adversary might withdraw funds

So far I have just been playing around with the Word and PDF tokens and they have worked very well.

Of course, as with any other security tool or mitigation, advanced attackers can take steps that will void your canary tokens and prevent alerts from being triggered. But to be honest, if advanced hackers (e.g. state sponsored) have a foothold within your corporate network, you will be very lucky if you notice anything at all.

From the Canary Tokens blog –  Why should I care

“Network breaches happen. From mega-corps, to governments. From unsuspecting grandmas to well known security pros. This is (kinda) excusable. What isn’t excusable, is only finding out about it, months or years later.

Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves.)”

Simple field test

I decided to do a simple field test and posted a canary token PDF file named password.pdf on my test web server. It was not linked from any web pages, but it was fairly easy to find through directory indexing and traversal, so I did not put much effort into hiding it. After approximately 1 hour I got an alert informing me that someone had tried to open my super-duper secret file on my web server.
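The tripwire idea behind the field test (a decoy file nobody has a legitimate reason to touch, plus an alert carrying the timestamp and source IP of whoever touched it) can be reproduced on your own web server without any external service. The following is an added example written for this page; it is not Thinkst’s code and not how the hosted Canary token service works internally. It assumes the web server writes a standard “combined” access log, and the decoy path /backup/password.pdf, the IP addresses and all log lines are constructed sample data.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample of "combined" access-log lines (Apache/nginx style).
# Only one line requests the decoy file; the rest is ordinary traffic that
# must not raise an alert. One malformed line checks that the parser skips
# garbage instead of crashing.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2018:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2018:14:02:13 +0000] "GET /css/site.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0"
this line is not an access-log entry at all
198.51.100.23 - - [12/Mar/2018:15:07:42 +0000] "GET /backup/ HTTP/1.1" 200 1402 "-" "python-requests/2.18.4"
198.51.100.23 - - [12/Mar/2018:15:07:44 +0000] "GET /backup/password.pdf?x=1 HTTP/1.1" 200 48211 "http://example.test/backup/" "python-requests/2.18.4"
203.0.113.7 - - [12/Mar/2018:15:30:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Decoy paths (hypothetical). Anything requesting one of these is an alert,
# regardless of HTTP status: the point is that the path was asked for at all.
DECOY_PATHS: Set[str] = {"/backup/password.pdf"}

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Example timestamp: 12/Mar/2018:15:07:44 +0000 (timezone-aware).
    when = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["when"] = when.isoformat()
    return rec


def detect_canary_hits(log_text: str, decoy_paths: Set[str]) -> List[Dict[str, str]]:
    """Return one alert record per request whose path (query string stripped)
    is a decoy path. Each record carries what a token alert normally gives you:
    when it fired, from which source IP, plus the user agent and referer."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in decoy_paths:
            alerts.append({
                "when": rec["when"],
                "source_ip": rec["ip"],
                "path": path,
                "status": rec["status"],
                "user_agent": rec["ua"],
                "referer": rec["referer"],
            })
    return alerts


def format_alert(alert: Dict[str, str]) -> str:
    """Render an alert the way a simple e-mail body might read."""
    return (
        f"CANARY TRIGGERED: {alert['path']} requested at {alert['when']} "
        f"from {alert['source_ip']} (status {alert['status']}, "
        f"UA {alert['user_agent']!r}, referer {alert['referer']!r})"
    )


if __name__ == "__main__":
    for hit in detect_canary_hits(SAMPLE_ACCESS_LOG, DECOY_PATHS):
        print(format_alert(hit))
```

Run against the sample, the directory listing of /backup/ and the normal page loads produce nothing, while the single request for the decoy PDF produces one alert naming the source IP and the time it fired. In practice you would feed the function the tail of the live access log and route the formatted line to e-mail or a chat channel, which is the same amount of information a hosted token gives you, with the added benefit that the decoy never has to leave your own server.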

IMPORTANT – It will not prevent a breach.

It is important to note that canary tokens will not protect you from being hacked, but they will provide you with a simple tripwire that, when triggered, alerts you that someone is accessing your data.