New way of living and new way of cheating

Happy Day!

Yesterday I received a forwarded chain email from my grandfather. I read it to see what it contained, and then thought I should publish it as an article on my blog to share with you. It is another example of how "spam" is not always spam.

I really cannot verify the truth of the two stories I am about to publish, but they are worth reading, and worth changing how we think, act and live every day with the latest gadgets we so proudly own. I am sure gadgets have saved many lives and helped many people in many situations; at the same time the opposite is also true. So read the following first.

Subject of the email: New Theft ideas

New Electronic Technology and theft

First story: GPS

A couple of weeks ago a friend told me that someone she knew had their car broken into while they were at a football match. Their car was parked on the green which was adjacent to the football stadium and specially allotted to football fans. Things stolen from the car included a garage door remote control, some money and a GPS which had been prominently mounted on the dashboard.
 
When the victims got home, they found that their house had been ransacked and just about everything worth anything had been stolen. 

The thieves had used the GPS to guide them to the house. They then used the garage remote control to open the garage door and gain entry to the house. The thieves knew the owners were at the football game, they knew what time the game was scheduled to finish and so they knew how much time they had to clean up the house. It would appear that they had brought a truck to empty the house of its contents.

Second story: Mobile phone
 
This lady has now changed her habit of how she lists her names on her mobile phone after her handbag was stolen. Her handbag, which contained her cell phone, credit card, wallet…etc… was stolen.
 
20 minutes later, when she called her hubby from a pay phone to tell him what had happened, hubby said, "I received your text asking for our PIN number and replied a little while ago."
 
When they rushed down to the bank, the bank staff told them all the money had already been withdrawn. The thief had used the stolen cell phone to text "hubby" in the contact list and got hold of the PIN number. Within 20 minutes he had withdrawn all the money from their bank account.
 
Moral of the lesson:

Do not disclose the relationship between you and the people in your contact list. Avoid using names like Home, Honey, Hubby, Sweetheart, Dad, Mom, etc. And very importantly, when sensitive information is asked for by text, CONFIRM by calling back.

Also, when you are texted by friends or family to meet them somewhere, be sure to call back to confirm that the message came from them. If you cannot reach them, be very careful about going places to meet "family and friends" who text you.

Conclusion:

I really feel that most of us never think about the possible ways of getting cheated, because cheating is not our way of living and not what we do. For those who cheat or rob, however, it is their way of living: their job is to find new ways in, and their whole concern is to get away with it.

So never write down, anywhere other than in your own head, something that is easy for others to understand and use to follow you. Use code names for your personal information. Protecting our valuables is our duty and staying safe is our responsibility, not our local police's nor our government's.

Have Fun!

What are the consequences if you are not “Be Secure, Be Happy”?

Happy Day!

Note: This is the first in the series 'What are the Consequences if you are not "Be Secure, Be Happy"?'. I will keep posting articles over time as I find more stories, some of them real-life stories.

You have probably read or learnt a lot about IT security in general. But have you ever heard what happens if you ignore the "basics of security"? I would like to explain this with an example that started in the first half of January 2009 and is still going on.

Microsoft released patch MS08-067 (KB958644) out of band on October 23rd, 2008. It fixes a vulnerability in the Windows Server service that lets an unauthenticated attacker execute code remotely by sending a specially crafted RPC request; Windows 2000, XP and Server 2003 were rated critical, Vista and Server 2008 important. If you had automatic updates turned on and the patch installed, that infection vector was closed. One caveat: the patch only closes the network exploit. The later variant described below also spreads through removable media and by guessing weak administrator passwords on network shares, so a patched machine with a weak password or AutoRun enabled can still be infected.

What if I did not stay up to date? The worm Worm:W32/Downadup.AL (F-Secure's short name for it is Downadup), which first appeared in November 2008, reappeared in the first half of January 2009 with more advanced functionality, as described below.

Update on Jan 27th 2009:

Over the past few weeks the IT security industry has learnt a lot about the Downadup worm. It has spread to several million computers. So far nobody has identified anything significant it has done to individual privacy or to steal personal information, apart from its "intelligent" spreading. Everyone is waiting to see what the author's intention is; the only way to know is when the worm finally does something, which could be dangerous.

Because news and information about the worm is widespread, most security professionals have found ways to monitor its behaviour, and more importantly prevention and detection methods have been found and implemented. In this situation it is unlikely that the author will try to take advantage of the worm through the methods that are already known.

One possible method the author could use is the worm's peer-to-peer communication capability. If that happens, detecting and preventing the worm's spread would become much harder.

In my opinion the best way to be safe is to learn the basic security principles and practise them.

End of update on Jan 27th 2009!

What should I do if I am already infected by Downadup or Win32/Conficker.B?

Note: every vendor names malware its own way. The following are the names used by various vendors; it is only a partial list, given as an example. A suffix such as .A or .B denotes a later version or variant of the same malware. Keep this in mind when searching for more information on the Internet, and search under the different names.

  • F-Secure: Net-Worm.Win32.Kido or Worm:W32/Downadup.AL
  • Microsoft: Worm:Win32/Conficker or Worm:Win32/Conficker.B
  • Kaspersky Lab: Net-Worm.Win32.Kido.fo
  • Symantec: W32/Conficker.worm.gen or W32.Downadup.B
  • Sophos: Mal/Conficker or Mal/Conficker-A
  • McAfee: W32/Conficker.worm.gen.a
  • Ikarus: Net-Worm.Win32.Kido
  • BitDefender: Win32.Worm.Downadup

Most importantly, the worm can spread through removable devices (it copies itself onto them together with an autorun.inf) whenever AutoRun is enabled. It changes security-related settings on the computer (registry keys, AutoRun settings, the user's access rights, etc.) so that it can stay resident undetected, and it evades antivirus detection by working through rarely used APIs. It also disables Windows Update and certain network traffic settings to ease its spreading further, and gives its author the ability to use your computer as a zombie in a botnet.
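As an added example (not from the original post and not the worm's own code), here is a small Python scanner a responder could run against the root of a mounted removable drive to find an autorun.inf, list the directives that launch a program, and explain why they look hostile. The sample autorun.inf it writes is constructed for the example: the folder icon and "Open folder to view files" lure, the rundll32 command, the RECYCLER folder and the file name payload.dll are assumptions about how such a file could be laid out, not a copy of Downadup's file.

```python
import os
import re
import tempfile

# Assumption: these are the autorun.inf directives that launch a program when a
# drive is inserted or opened. 'open' and 'shellexecute' run directly; the
# shell\<verb>\command form hijacks the context-menu verbs (Open, Explore, ...).
DIRECTIVE_RE = re.compile(
    rb"^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)


def parse_autorun(data):
    """Return [(directive, command)] found in raw autorun.inf bytes.

    Lines that are not readable directives (including the binary junk a worm
    pads the file with) are skipped instead of aborting the parse.
    """
    found = []
    for raw in data.splitlines():
        m = DIRECTIVE_RE.match(raw)
        if m:
            key = m.group(1).decode("ascii", "replace").lower()
            cmd = m.group(2).decode("latin-1")
            found.append((key, cmd))
    return found


def assess(directives):
    """Plain-English reasons a directive looks hostile (rules, not signatures)."""
    reasons = []
    for key, cmd in directives:
        low = cmd.lower()
        reasons.append(f"{key} launches '{cmd}' when the drive is used")
        if "rundll32" in low or low.endswith(".dll"):
            reasons.append(f"{key}: command loads a DLL, which no media should need")
        if "recycler" in low or "$recycle.bin" in low or "system volume information" in low:
            reasons.append(f"{key}: payload lives in a folder users rarely open")
    return reasons


def scan_drive(root):
    """Scan the root of a mounted drive (case-insensitive file name); return (directives, reasons)."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "rb") as fh:
                directives = parse_autorun(fh.read())
            return directives, assess(directives)
    return [], []


def build_sample_drive(with_autorun=True):
    """Create a temporary directory standing in for a removable drive.

    The autorun.inf written here is constructed for this example: a folder
    icon and 'Open folder to view files' lure so the AutoPlay prompt looks
    harmless, binary junk lines to trip naive parsers, and two directives
    that run a DLL hidden in RECYCLER (placeholder names, not a real sample).
    """
    root = tempfile.mkdtemp(prefix="usb_")
    if with_autorun:
        os.makedirs(os.path.join(root, "RECYCLER"))
        content = (
            b"[autorun]\r\n"
            + b"\x00\xff\x13junk" * 4 + b"\r\n"
            + b"action=Open folder to view files\r\n"
            + b"icon=%systemroot%\\system32\\shell32.dll,4\r\n"
            + b"\x8a\x00\x00\x7f\r\n"
            + b"shellexecute=rundll32.exe RECYCLER\\payload.dll,StartUp\r\n"
            + b"shell\\open\\command=rundll32.exe RECYCLER\\payload.dll,StartUp\r\n"
            + b"useautoplay=1\r\n"
        )
        with open(os.path.join(root, "autorun.inf"), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    directives, reasons = scan_drive(build_sample_drive())
    for key, cmd in directives:
        print(f"directive {key} = {cmd}")
    for reason in reasons:
        print("  !", reason)
```

Run as a script it scans the constructed drive; point scan_drive at the root of a real drive (for example E:\ or /media/usb) to check one. parse_autorun deliberately skips lines it cannot read rather than stopping, because a file padded with binary junk is exactly what a naive line-by-line parser would choke on, and the lure lines (action, icon) are reported nowhere: only directives that execute something matter.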

It also blocks access to certain websites using a simple string filter on the name being looked up, so that you cannot download an anti-malware tool or the patch. For example, if you try to visit F-Secure's site it will close the browser or prevent you from reaching the site.

Finally, the worm generates domain names automatically from the current date, which it obtains from web servers such as ask.com, google.com and w3.com rather than from the local clock. It generates more than 250 domain names every day and contacts them to update itself or download new code to execute. A fixed blocklist is useless against this, and an anti-malware program cannot build a stable behaviour pattern from the names alone. The list depends only on the date, though, so anyone who reverse-engineers the algorithm can compute the same names in advance and register or sinkhole them, which is how researchers have been counting infections. The estimate so far is that more than 3.5 million PCs across the globe are infected, and the underground is ready for another botnet built from these zombies.
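The date-seeded generation and the matching detection, as an added example that is not the original post's code and does not reproduce Downadup's real algorithm. It assumes an illustrative hash-based generator (250 names a day over a small TLD set) and a constructed DNS log format of "date time client qname"; the point it shows is that a defender who knows the generator can compute the day's list and flag any client that resolves several names from it, while a fixed blocklist would never keep up.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Assumption: a small TLD set and 250 names/day, chosen to mirror the figure
# in the text; this is an illustrative generator, not Downadup's algorithm.
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 250


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Deterministic list of `count` domains for `day`.

    Seeding on the date alone is the point: the worm and a defender who has
    reversed the generator both get the same list for the same day.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                        # 8-11 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def parse_dns_log(lines):
    """Yield (day, client, qname) from constructed 'YYYY-MM-DD HH:MM:SS client qname' lines.

    Malformed lines are skipped rather than aborting the scan; qnames are
    normalised (trailing dot stripped, lowercased) before matching.
    """
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        day_str, _time, client, qname = parts
        try:
            day = date.fromisoformat(day_str)
        except ValueError:
            continue
        yield day, client, qname.rstrip(".").lower()


def find_dga_clients(lines, threshold=3):
    """Return {client: [matched names]} for clients that resolved at least
    `threshold` of the generated names for the day of each query."""
    per_day = {}                       # cache: date -> set of that day's names
    hits = defaultdict(set)
    for day, client, qname in parse_dns_log(lines):
        if day not in per_day:
            per_day[day] = set(generate_domains(day))
        if qname in per_day[day]:
            hits[client].add(qname)
    return {c: sorted(q) for c, q in hits.items() if len(q) >= threshold}


# Constructed sample log: 10.0.0.7 behaves like an infected host, 10.0.0.9 does not.
DAY = date(2009, 1, 15)
_today = generate_domains(DAY)
SAMPLE_LOG = [
    f"2009-01-15 09:00:01 10.0.0.7 {_today[0]}",
    f"2009-01-15 09:00:02 10.0.0.7 {_today[1]}",
    f"2009-01-15 09:00:03 10.0.0.7 {_today[2]}.",          # trailing dot from the resolver
    f"2009-01-15 09:00:04 10.0.0.7 {_today[3].upper()}",   # case must not matter
    "2009-01-15 09:01:00 10.0.0.9 www.f-secure.com",
    f"2009-01-15 09:01:05 10.0.0.9 {_today[5]}",           # one hit stays below threshold
    "this line is garbage and must not crash the parser",
]

if __name__ == "__main__":
    for client, names in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: resolved {len(names)} generated domains, e.g. {names[0]}")
```

The threshold exists because a single accidental match (a typo, a legitimate name that happens to collide) should not raise an alert; an infected host walks through dozens of the day's names in quick succession, so several hits from one client inside one day is the signal. On a real resolver log the same approach needs the real generator, which is why reversing the worm's algorithm was the first thing researchers did.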

What should I have done to avoid this?

  1. Turn on Automatic Updates and keep your Windows OS patched regularly.
  2. Turn off AutoRun (set NoDriveTypeAutoRun to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, or the equivalent Group Policy setting).
  3. Use a decent antivirus program and scan your computer regularly. See AV-Comparatives.org for a comparison of anti-malware tools.
  4. Be careful not to accept programs from unknown sources, especially on P2P networks.

Conclusion: even if one computer in the entire network is left unpatched, the entire organization can be affected, and if all the zombies are used as a botnet the impact could be devastating. One person's ignorance puts everyone else on the network, and therefore the whole organization, at risk; once the worm is inside, your sensitive information can be compromised and expose you to further risk. The following extract from F-Secure's blog post 'How big is Downadup?' shows the scale:

A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.

I would recommend that every organization conduct a security awareness programme at least once a year.

Hope this helps you to Be Secure, Be Happy!

Further reference:

  • My other blog post, Malware Scans – Multiple Engines, Online Scanners, for malware scanning and removal options.
  • BitDefender's description at MalwareCity.com, with further references and their removal tool.
  • ThreatExpert.com for worm name aliases.
  • Book: The Art of War by Scott A. Watson. A very good book for all managers, especially security managers and business owners, in the situation we are living in today. There is a good reason to refer to it here: it contains many good strategies that we all need to know to progress in our daily lives.

Have fun!

The Engineers Trap

Happy Day!

Since we are talking about IT security: if you think that only the information stored on our computers, CDs/DVDs and backup devices needs to be protected, I would ask you to think again. I would like you to read the following extract from The Art of Deception by Kevin Mitnick to understand what IT security (or security and privacy in general) really means. It is long, but important if you really want to understand security in general. If you are serious about learning about security I highly recommend reading this book and No Tech Hacking by Johnny Long. These two books will give you good insight into how every one of us should develop new thinking habits and a new "vigilant lifestyle".

The Engineers Trap

It is widely known that head-hunter firms use social engineering to recruit corporate talent. Here’s an example of how it can happen. In the late 1990s, a not very ethical employment agency signed a new client, a company looking for electrical engineers with experience in the telephone industry. The honcho on the project was a lady endowed with a throaty voice and sexy manner that she had learned to use to develop initial trust and rapport over the phone. The lady decided to stage a raid on a cellular phone service provider to see if she could locate some engineers who might be tempted to walk across the street to a competitor. She couldn’t exactly call the switch board and say, “Let me talk to anybody with five years of engineering experience.” Instead, for reasons that will become clear in a moment, she began the talent assault by seeking a piece of information that appeared to have no sensitivity at all, information that company people give out to almost anybody who asks.

The First Call: The receptionist

The attacker, using the name Didi Sands, placed a call to the corporate offices of the cellular phone service. In part, the conversation went like this:

Receptionist: Good afternoon. This is Marie, how may I help you?

Didi: Can you connect me to the Transportation Department?

R: I’m not sure if we have one, I’ll look in my directory. Who’s calling?

D: It’s Didi.

R: Are you in the building, or… ?

D: No, I’m outside the building.

R: Didi who?

D: Didi Sands. I had the extension for Transportation, but I forgot what it was.

R: One moment.

To allay suspicions, at this point Didi asked a casual, just making conversation question designed to establish that she was on the “inside,” familiar with company locations.

D: What building are you in – Lakeview or Main Place?

R: Main Place. (pause) It’s 805 555 6469.

To provide herself with a backup in case the call to Transportation didn’t provide what she was looking for, Didi said she also wanted to talk to Real Estate. The receptionist gave her that number, as well. When Didi asked to be connected to the Transportation number, the receptionist tried, but the line was busy.

At that point Didi asked for a third phone number, for Accounts Receivable, located at a corporate facility in Austin, Texas. The receptionist asked her to wait a moment, and went off the line. Reporting to Security that she had a suspicious phone call and thought there was something fishy going on? Not at all, and Didi didn’t have the least bit of concern. She was being a bit of a nuisance, but to the receptionist it was all part of a typical workday. After about a minute, the receptionist came back on the line, looked up the Accounts Receivable number, tried it, and put Didi through.

The Second Call: Peggy

Peggy: Accounts Receivable, Peggy.

Didi: Hi, Peggy. This is Didi, in Thousand Oaks.

P: Hi, Didi.

D: How ya doing?

P: Fine.

Didi then used a familiar term in the corporate world that describes the charge code for assigning expenses against the budget of a specific organization or workgroup:

D: Excellent. I have a question for you. How do I find out the cost center for a particular department?

P: You’d have to get a hold of the budget analyst for the department.

D: Do you know who’d be the budget analyst for Thousand Oaks – headquarters? I’m trying to fill out a form and I don’t know the proper cost center.

P: I just know when y’all need a cost center number, you call your budget analyst.

D: Do you have a cost center for your department there in Texas?

P: We have our own cost center but they don’t give us a complete list of them.

D: How many digits is the cost center? For example, what’s your cost center?

P: Well, like, are you with 9WC or with SAT?

Didi had no idea what departments or groups these referred to, but it didn’t matter. She answered:

D: 9WC.

P: Then it’s usually four digits. Who did you say you were with?

D: Headquarters–Thousand Oaks.

P: Well, here’s one for Thousand Oaks. It’s 1A5N, that’s N like in Nancy.

By just hanging out long enough with somebody willing to be helpful, Didi had the cost center number she needed – one of those pieces of information that no one thinks to protect because it seems like something that couldn’t be of any value to an outsider.


The Third Call: A Helpful Wrong Number

Didi’s next step would be to parlay the cost center number into something of real value by using it as a poker chip.

She began by calling the Real Estate department, pretending she had reached a wrong number. Starting with a “Sorry to bother you, but …. ” she claimed she was an employee who had lost her company directory, and asked who you were supposed to call to get a new copy. The man said the print copy was out of date because it was available on the company intranet site.

Didi said she preferred using a hard copy, and the man told her to call Publications, and then, without being asked – maybe just to keep the sexy-sounding lady on the phone a little longer – helpfully looked up the number and gave it to her.

The Fourth Call: Bart in Publications

In Publications, she spoke with a man named Bart. Didi said she was from Thousand Oaks, and they had a new consultant who needed a copy of the company directory. She told him a print copy would work better for the consultant, even if it was somewhat out of date. Bart told her she’d have to fill out a requisition form and send the form over to him.

Didi said she was out of forms and it was a rush, and could Bart be a sweetheart and fill out the form for her? He agreed with a little too much enthusiasm, and Didi gave him the details. For the address of the fictional contractor, she drawled the number of what social engineers call a mail drop, in this case a Mail Boxes Etc.-type of commercial business where her company rented boxes for situations just like this.

The earlier spadework now came in handy: There would be a charge for the cost and shipping of the directory. Fine – Didi gave the cost center for Thousand Oaks: “1A5N, that’s N like in Nancy.”

A few days later, when the corporate directory arrived, Didi found it was an even bigger payoff than she had expected: It not only listed the names and phone numbers, but also showed who worked for whom – the corporate structure of the whole organization.

 

The lady of the husky voice was ready to start making her head-hunter, people-raiding phone calls. She had conned the information she needed to launch her raid using the gift of gab honed to a high polish by every skilled social engineer. Now she was ready for the payoff.

LINGO

MAIL DROP: The social engineer’s term for a rental mailbox, typically rented under an assumed name, which is used to deliver documents or packages the victim has been duped into sending

MITNICK MESSAGE

Just like pieces of a jigsaw puzzle, each piece of information may be irrelevant by itself. However, when the pieces are put together, a clear picture emerges. In this case, the picture the social engineer saw was the entire internal structure of the company.

Analyzing the Con

In this social engineering attack, Didi started by getting phone numbers for three departments in the target company. This was easy, because the numbers she was asking for were no secret, especially to employees. A social engineer learns to sound like an insider, and Didi was skilled at this game. One of the phone numbers led her to a cost center number, which she then used to obtain a copy of the firm’s employee directory.

The main tools she needed: sounding friendly, using some corporate lingo, and, with the last victim, throwing in a little verbal eyelash-batting. And one more tool, an essential element not easily acquired – the manipulative skills of the social engineer, refined through extensive practice and the unwritten lessons of bygone generations of confidence men.

MORE “WORTHLESS” INFO

Besides a cost center number and internal phone extensions, what other seemingly useless information can be extremely valuable to your enemy?

Have Fun!
