15 days of fame

Looks like the storm of visitors to this blog looking for information on that fake video circulating on Facebook is over. Most of the searches were for the hostname of the server, which I happened to mention in the post and which, I guess, put me at the top of the search results.

One individual found me on Facebook and accused me of being the creator of the video because I mentioned it on my blog. Of course, I had her read the blog post for help securing her account and kicking out the hacker’s session.

Fb Messenger virus

Got a message from a coworker that suggested I was in a video. Naturally, I am supposed to click on it, but it felt wrong. A quick DuckDuckGo search revealed it to be a virus.

If you think a virus was installed on your device, then my advice is to find a trusted anti-virus software to scan your computer. There are also malware apps to scan & protect your phone. Some carriers offer them for free.

Some reports suggest if you click on it, then you get a Facebook login page.

Only, it is not a real one; it is designed to capture your credentials. That gives another party your credentials so that they can:

  1. send this out as messages to your contacts
  2. capture more information from your account

If you fell for the fake login page, then my advice is to:

  1. Immediately change your password.
  2. Kick off all sessions in the “Security and Login” page. There is a “Log Out Of All Sessions” option.
  3. Also in the security section, set up two-factor authentication.
  4. Turn on getting alerts about unrecognized logins.

Of all the things I can report, I cannot report this?

It seems like Facebook should be able to detect this virus or phishing by now. What I can see of the link goes to a Facebook server: si-chao.cstools.facebook.com. So, at least the link to the virus/phishing page is on their own servers, which means they could check for its presence.

The person who sent it to me says the account was locked out for 24 hours for behaving suspiciously. The act of sending hundreds of messages in a few seconds alerted Facebook to automated behavior. So, these are accounts they could be checking for compromise.

Friend Request Hoax

A legitimate message expressing concern about an account impersonating you would:

  1. Ask if you created another account.
  2. Provide the address to the new account so you can go to the profile, click the three dots on the cover photo, select Report, and follow the instructions for impersonation.

Instead, the hot hoax right now says:

Hi….I actually got another friend request from you which I ignored so you may want to check your account. Hold your finger on the message until the forward button appears…then hit forward and all the people you want to forward too….PLEASE DO NOT ACCEPT A NEW friendship FROM ME AT THIS TIME.

Let’s break this down.

First, we have the preying on a fear we all have about our Facebook accounts getting hacked. Worse, this “hacker” is now going after friends.

But, the recommendation makes no sense at all. “Hold your finger on the message until the forward button appears…then hit forward and all the people you want to forward too…

Forwarding the message to others is how chain letters operate. You are being played by forwarding it. You are spreading fear. You are not helping.

Carrier Phish

Got a phone call from my own cell phone to itself. That was pretty interesting the first time, but I declined the call because I was certainly not calling myself. A day later, I got another call.

This one I answered. It was an interesting call informing me my account with the cellphone carrier was locked. I would need to go through the automated process to unlock it. Press 1 to continue; enter my zip code…

At that point, I hung up, went to my carrier’s website and checked that I could in fact log in. I didn’t get far enough into the process to identify my account, so I think I am safe. But, yeah, it seems like a good number of people could fall for this scam.

USB Drives to Move Election Malware

From “Can Georgia’s electronic voting machines be trusted?“:

Though voting machines aren’t directly connected to the internet, witnesses testified last week that USB drives are used to transfer election data from internet-connected computers to election servers.

So, computers that are connected to the Internet are used to move data to the election servers. Malware can be used to reach those computers. The theory here is that the election servers, by not being on the Internet, are more secure because they are “air-gapped.” However, Stuxnet taught us eight years ago that an air gap protects less than once thought.

Stuxnet was never intended to spread beyond the Iranian nuclear facility at Natanz. The facility was air-gapped and not connected to the internet. That meant that it had to be infected via USB sticks transported inside by intelligence agents or unwilling dupes, but also meant the infection should have been easy to contain.

USB drives are the prime vector to contaminate air-gapped computers. It sounds like the election officials are aware because they added this claim to the article:

Election officials say security precautions protect voting machines from tampering. For example, a USB drive is reformatted every time before it’s plugged into an election server.

I find it unlikely they download data onto a USB drive, delete that data by formatting the USB drive, and only then insert the blank USB drive into an election server. It would be easier just to not use a USB drive at all. They probably mean they format the USB drive while it is in the potentially infected Internet-connected computer, which would not prevent malware from inserting itself onto the USB drive at the time the GEMS data is copied onto the USB drive.


How wide was the Equifax data breach?

143 million US consumers were caught up in the data breach. I keep seeing it portrayed as 44% of the US population. But, the US population includes children.

Initially, it seemed to me that a better comparison was that the number is 11 million more than all of the 2016 IRS tax filers. The problems with this latter comparison? Lots of people who file taxes might not have a credit history, and some with credit histories might not file taxes in a specific year. That raises another issue: comparing filers for one specific year against people who had a credit history across many years is sketchy.

Other statistics give me headaches too.

  • The US Census’ latest 2016 estimate is that there were 325M (million) people in the country. The original 44% statistic is based on that.
  • The US Census’ latest 2016 estimate is that there were 249M adults in the country. That brings the percentage up to 57%.
  • The Bureau of Labor Statistics says in July 2017 when the hack occurred, there were 160M members of the civilian noninstitutionalized population. That excludes inmates and members of the armed forces most of whom probably have credit histories.

So, I took the BLS 160M and looked up the excluded populations.

  • It looks like there were about 1.5M in the prisons.
  • And there is about 1.4M active military.

Combining these, it looks like about 88% of people in the “potentially have worked population” were affected.

I feel good with the 88% number.

Really, though, everyone probably has had their SSN and birthday exposed. If you have ever attended a K-12 school, post-secondary education, gotten insurance, gone to a doctor, engaged in any way with a financial institution, or given your SSN to a government entity, then you should assume that your personal information is ready to be exposed at any time. Nor should you rely on being told. The state of Georgia exposed every voter’s SSN to subscribers of the voting list by accident and notified no one because they felt the CDs being returned meant no one could have the info. (Because the subscribers could not have copied the files off the discs.)

Overuse of SSNs

The overuse of the Social Security Number bothers me.

Healthcare providers use the SSN. They all want it, so they all have it in their files and databases. Given the push to move records to electronic form, they all have it recorded in databases. This makes them tempting targets for fraudsters. They have to use the strongest security practices to protect the data, which also makes working with it more difficult, which in turn leads to shortcuts that make them more vulnerable.

From Bruce Schneier,

It’s not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you — almost all of them companies you’ve never heard of and have no business relationship with.

He goes on to talk about how companies are tracking our moves online and tying it to their profiles of our identity.

If my financial account (like a credit card number) is compromised, then the bank’s solution is to close the bad account and open a clean one for me. If my Social Security Number is compromised, then my solution is to closely monitor the opening of accounts using it. Getting a new SSN is very difficult because unlike a financial account, the number is my unique identifier.

Personally, I think the fine for a healthcare entity getting breached should be $100 per account. So, Anthem’s 2017 breach of 18,000 members would cost it $1,800,000. Anthem’s 2015 breach of 78.8 million would cost it $7.88 billion. (They got a fine of $115 million or about $1.50 per account.)


DOJ, Dreamhost, and DisruptJ20

The government has no interest in records relating to the 1.3 million IP addresses that are mentioned in DreamHost’s numerous press releases and opposition brief.

Basically, the Department of Justice served Dreamhost this warrant asking for

  1. the code backing the web site,
  2. the HTTP request and error logs,
  3. logs about backend connections used to upload files to the server,
  4. databases,
  5. email account metadata and contents, and
  6. account information for the site owner.

Dreamhost resisted the warrant as overly broad. The DOJ is backing off the HTTP logs and unpublished draft posts.

If the site is using certain WordPress plugins to track visitors, then it is possible that the IPs for visitors are in the database. Or if the DOJ looked at the public HTML and noticed a Google Analytics JavaScript, then they know they can issue a warrant to Google to get the visitor information. Would Google resist handing it over as hard as Dreamhost?


TED Talk: Trolling a Spammer

Back in the early days of spam, I did try replying to a few, but I never got anything like this.

Suspicious emails: unclaimed insurance bonds, diamond-encrusted safe deposit boxes, close friends marooned in a foreign country. They pop up in our inboxes, and standard procedure is to delete on sight. But what happens when you reply? Follow along as writer and comedian James Veitch narrates a hilarious, weeks-long exchange with a spammer who offered to cut him in on a hot deal.

Phishing

Over a month ago, I received a creative phishing attempt. We use a relatively popular service, which the email mimicked fairly well. I typically receive notification emails from it via an administrative assistant. This one came from another name. That was my only real clue that made me look closer. Since then, I have received almost a dozen, each pretending to be a different product.

I noticed they all used different domain names for the payload link. But, they all use file.php?d=<value> or f.php?d=<value> to deliver the payload.

Computers are smarter than I am when it comes to patterns like this, so I created an email filter to look for the file names and set it loose. If I see another phishing attempt using another script name, then I will add it to the list. But, so far, I am pleased with how well it protects me from myself.
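The filter described above, written as an added example rather than the author's actual mail rule: it parses a message, pulls every http(s) URL out of its text and HTML parts, and flags links whose script name is on a list (file.php, f.php) and that carry the d= parameter. The sample message, sender and domains are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import parse_qs, urlsplit

# Script names seen in the payload links; add new ones as they show up.
PAYLOAD_SCRIPTS = ("file.php", "f.php")

# Crude but serviceable: grab http(s) URLs up to whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_urls(msg: Message) -> list[str]:
    """Collect every http(s) URL from the text/plain and text/html parts."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace")
            urls.extend(URL_RE.findall(body))
    return urls


def is_payload_link(url: str) -> bool:
    """True when the path ends in a known payload script and the query has d=."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    return script in PAYLOAD_SCRIPTS and "d" in parse_qs(parts.query)


def flagged_links(raw_email: str) -> list[str]:
    """Return the payload-style links found in a raw RFC 822 message."""
    return [u for u in extract_urls(message_from_string(raw_email)) if is_payload_link(u)]


# Constructed sample message mimicking a document-sharing notification.
SAMPLE_EMAIL = """\
From: Shared Docs <notify@example.invalid>
To: me@example.invalid
Subject: A document has been shared with you
Content-Type: text/html; charset=utf-8

<p>A new document is waiting.
<a href="http://lookalike.example.invalid/docs/file.php?d=abc123">Open document</a></p>
<p>Help: <a href="https://support.example.invalid/help.php?id=1">support</a></p>
"""

if __name__ == "__main__":
    for link in flagged_links(SAMPLE_EMAIL):
        print("phishing payload link:", link)
```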