Wednesday, December 13, 2017

Who Is Killing The Anonymizing VPNs?

The primary use for a VPN is to keep data encrypted from the point of origin to its destination. For corporations this means that when you start working on your emails on public WiFi at the airport, the data cannot be seen by people who are “sniffing” what is being sent across the network. Neither the corporation nor the users are trying to hide their location; it’s all about keeping that data private to the company. An anonymizing VPN serves the same purpose, however it is also used to hide the user’s location. When I use my anonymizing VPN it may look like I am in an entirely different state or country than I really at. In between the time data is sent through the anonymizing VPN to its destination, my IP address is effectively changed. I may be in Colorado, but to the websites I visit I’m in Tokyo. Well, I was until I decided to be in London. The only place I am not is where I am.

For the rest of this post I will generally refer to anonymizing VPNs simply as VPNs for simplicity, but not all VPNs are used for anonymity.

Ever since 9/11 encrypted communications by private citizens has been placed squarely in the crosshairs of the CIA, the FBI, the NSA, and probably the FDA too. FDA is a three letter acronym (TLA) so the FDA probably has to take a stand on encryption. Some laws and the interpretation of these laws require an innocent suspect (and guilty ones too) to provide passwords required to decrypt data that may be of interest to investigators, but so far encrypted data in transit through anonymizing VPNs has been relatively secure.

I’m not convinced that the biggest threat anonymizing VPNs face is the government though. I believe it is private industry and the reason may have more to do with security than disregard for privacy; and it is a pain in the @ss. But then so are the archaic password complexity requirements that most companies inflict upon their users. If security was painless only masochists would be insecure. Yes, advertisers and data aggregators despise privacy and hence hate these VPNs, but they probably are not the foe. The foe is security. A prime example of the situation involves Google – particularly Gmail. I access Gmail on my laptop as well as on my phone. I also have VPN clients on my laptop and on my phone. So here’s what happens. The email client on my laptop which appears to be in London, polls for new email at specified intervals. Polling for email requires my email client to automatically log into my Gmail account to check for new email, and it also tells Google that I am in London. My email client on my phone, which appears to be in Tokyo, polls for email five seconds later and tells Google that I am in Tokyo. What do you think that looks like to Google? I’ll show you.



I may not always be a big fan of Google, but they blocked the log in attempt because they are trying to protect me. It is annoying to get these messages multiple times a day, but giving credit where credit is due, Google no longer makes me change my password every time this happens. That’s nice, but what is really uncalled for is making me solve five captcha’s when I search for the meaning of the word “Omphaloskepsis.” Now when Google does that I just use Bing. Of course I only search using Google or Bing if I am not satisfied with the results from https://duckduckgo.com. Usually DuckDuckGo finds what I need. I assume Google is forcing the captchas because of the anonymizing VPN I use, rather than the “suspicious activity” I am told was seen emanating from my computer. I can’t be sure that there was no suspicious activity though… I was using Lenovo laptops and we all know what happens when Lenovo pre-loads software.

Banks are not particularly fond of customers changing their locations frequently, or sometimes at all. For quite a while when I tried to access my account at a specific bank, I was told that I could not access my account at that time. Once I disabled my VPN I was granted access. The bank was not trying to force me to stop using the VPN, they just wanted to keep my account secure. Now I usually just have to answer challenge questions instead of being denied access. As a side note, I once discovered a bug (not a security bug) on my credit union’s website. In order to reproduce the issue I had to make it look as if I was in another location; but not just any location would work. If you want to set off alarms at a financial institution, where do you want them to think you are logging in from? Yes, Brazil. Banking Trojans seem to thrive in Brazil. They’re born there, they have their little bot kids there, and eventually retire in Brazil.

Typically I don’t try to sell anything on my blog, but I will make an exception this time because I can and I can loosely tie it to the subject. Anyone want to buy a rare, vintage, clear body Microsoft Mouse? https://www.oldmouse.com/mouse/microsoft/cleardove.shtml.



I decided to post this exact mouse for sale on Craigslist. Craigslist wouldn’t let me access their site until I turned off my VPN, or appeared to come from a different location. Appearing to come from a different location is an important point that I will get back to. Recently I tried to access one of my frequent flier accounts. Once again I had to turn off the VPN, or appear to come from a different location. Forced VPN relocation is becoming more and more common. The reason that changing the exit location makes a difference is that some of the IP addresses from exit points have been blacklisted.  In addition to using VPNs for good things, VPNs are used by cybercriminals too.

Once an IP address is identified as being associated with cybercrime it gets blacklisted. Craigslist, airlines, and most other companies do not care if I am in in Seattle, Texas, Denmark, Hong Kong, and so on, but they do care if IP addresses I use are also associated with criminal activity. Sometimes I have to try several different exit points before I am allowed to connect to a site. It can take 30 seconds or even a minute or more to do what should take a few milliseconds. That may not sound like a lot of time, but think about a single webpage taking a minute to load.

No, the anonymizing VPNs are not going to be killed by Google or Craigslist (although they might be beaten senseless by United Airlines), but I believe that users of anonymizing VPNs are finding an increasing number of problems when using them. The US government doesn’t need to do anything about the challenges that VPNs present; private enterprise will do it for them for free.

On a final note, regardless of its rarity it does not appear that I am going to get $150 for that mouse anytime soon.

Randy Abrams
Independent Security Analyst

Friday, December 1, 2017

RFID Tags in Clothing – What Could Go Wrong

Sometimes we need a break from all of the serious security issues we deal with and talk about. This blog is a break from breaches, sabotage, espionage and camouflage. If you want serious security today might I recommend Top 4 Reasons Why Hackers Plant Geolocation Malware on Websites, or some of my previous blogs such as Evasion and Regeneration; Decoys and Deception, or New Equifax Website Compromise.

Recently I had to shop for a washing machine. I had forgotten that now a days washing machines are part of the Internet of Things (IoT).  It was pretty easy to narrow down my choices of washing machines; if the washing machine listens and tells all to Google then I don’t want it, I have my Android phone for that. I would need to remember not to talk about confidential information when I am in the laundry room… Google hears all, Google sells all.

All of these high tech washing machines made me contemplate what other absurd things we can apply IoT technology to?  I decided that IoT clothes would be absurd… until I had my million dollar idea for a ground breaking application of the technology.

You see, I am really about function over form. My sense of fashion is only marginally better than most IoT vendor’s knowledge of the need for IoT security. I reason that if I could have RFID tags in my clothes, I could put my sports coat next to a shirt and then my mobile phone will tell me if the clothes work together. Next I put a tie with the shirt and sports coat and my phone tells me if it is business casual or a misdemeanor.


RFID tags would be solve my fashion impairment affliction. I could take pictures of my clothes to the store with me and know if something will pop before I buy it. It’s not just me, it’s a wonderful application for color blind people (who without exception have a better sense of color coordination than I do).

I could bring my clothes to the washing machine and it will TELL me which items can safely be washed with each other! The cost savings would be enormous. No more buying clothes that work together at the store and then inadvertently dyeing them to a color that no longer works with anything -including impressionist paintings.

There's also the problem that fashion changes. My app will be updated every time there is a new fashion (black is timeless). At last, if I buy on the first day of the cycle, my clothes can be fashionable for the full six months of their planned obsolescence. What's more, I could enter the name of an opera house or a burger joint and my phone will tell me if the clothes are acceptable for the dress code. Evidently sandals do not count as shoes at those fancy shmancy opera houses. I actually knew that and intentionally wore them when my ex-girlfriend tried to make me go to see the opera Lily.

So what could go wrong with putting RFID tags in clothes? Perhaps a manufacturing error puts the wrong chip in my clothes I'm wearing for an interview at T.J. Maxx. Suppose a hacker is able to hack the RFID chips and flash them to the 1970's fashion styles? If there is a manufacturing product recall for a defective RFID tag (the cheap ones are read only) is the shirt replaced with a refurbished shirt? Will the shirt be depreciated based on wear? If I am a clothing manufacturer would my competition hack into my system and sabotage my RFID tag stock?

Yes, there are potential security risks but still, if we nerds can finally go incognito in public it is a risk we are willing to take.

Randy Abrams
Independent Security Analyst

Tuesday, November 14, 2017

Sometimes It Isn’t All About Russia

Saying that Russia has been in the news for espionage and hacking, etc. is like saying there’s oxygen in the air – it seems we breathe that news. Despite whatever Russian hackers have done, people get so hung up on the marketing value of the Russia brand that they forget there was supposed to be a story too. The exploitation of DDE is an example.

There are many articles about Russian hackers exploiting the terrorist attack in New York in order to lure people into opening documents that are booby-trapped with DDE content.  There are two real stories here and Russian hackers are not one of them. We have a story involving confidence attacks and another story about DDE exploitation.

Happy Birthday Sweet 16

2017 marks the 16th anniversary of the Anna Kournikova worm. Amusingly, at least to me is that when I thought of using the Anna Kournikova worm as an example in this blog, I had completely forgotten that Anna hails from Russia. I also wasn’t thinking about the lyrics either. “You've turned into the prettiest girl I've ever seen.” is also in the lyrics to the song. That Anna is from Russia was not relevant to the story of the worm. That Anna is a lovely woman is only relevant to the construction of the worm attack. The story is about techniques that are highly effective in enticing users to execute malware. The point of “Happy Birthday Sweet Sixteen” is that we are not dealing with anything new.  The “ILoveYou” worm is a year older but nobody says “Happy Birthday Sweet Seventeen” so Anna it is. There is also another interesting parallel between the Anna Kournikova worm and the DDE exploit attack vector. Jan de Wit, the author of the Anna Kournikova worm, used a virus construction kit to generate the worm for him. Not to say that Russian, Chinese, American and other hackers are not sophisticated, but tutorials to exploit the DDE vulnerability are on YouTube.’ Just sayin




If, like Jan, you prefer to use a kit, Metasploit has a module all set up for you.

Prescriptive Guidance

Russian hackers using exploits to deliver malware is not a story. Using a tragedy as a lure is not a story. Anyone involved in security already knew that exploitation the terrorist attack story would be happening within minutes. If you are going to use the Russian brand for marketing (like I am now), use the marketing for good. In that spirit I would like to provide at least a little prescriptive guidance. 

1) Read
Despite the varying nature of usefulness, Microsoft usually provides mitigation strategies for vulnerabilities. In this case you should read the Microsoft Security Advisory 4053440 titled “Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields.”

Many security companies have excellent write-ups of the actual threat, how it works, what Yara rules and Snort signatures may be available, and other truly relevant information. Read those articles if security is your thing. Read my blog if it isn’t .

2) Keep your eye on the ball
Perhaps you can employ Microsoft’s mitigation strategies, but whether you can or cannot, remember that blocking these attacks is part of a strategy, not the goal. Protecting data is the goal.

There are books, courses, and I believe even theologies that deal with data protection, but “how to” is beyond the scope of this blog and outside of my area of practice. Cutting through the haze of hype is the story I want to tell. If you are keeping your eye on the ball, the DDE vulnerability is a reminder that protecting your data is the endgame. If your data is vulnerable to exploitation of DDE, perhaps DDE is not your biggest problem. The DDE issue might also be a reminder to audit/test your defense systems. 

I often recall Greg Thompson’s post on LinkedIn in the wake of WannaCry. Growing weary of the Gregorian chant “Patch Patch Patch Patch Patch Patch Patch Patch Patch” he exclaimed:


Like Greg said, “...we need to re-think how we control/manage vulnerabilities.” 

Thanks Greg, for the reminder to keep my eye on the ball.

You see… sometimes it isn’t all about Russia, but it just might be about tennis lessons with from Anna Kournikova. Anna’s story is timeless and I think that Anna is too - she is just as beautiful as she was 16 years ago when a worm by her namesake made the world news.

In the blog "Internal Audits, Lawsuits, ad Love Letters, I promised a blog dealing with the Malware aspect of using public computers. You can find that blog  on the Quttera blog at Public Computers and Malware.

Randy Abrams
Senior Security Analyst at Quttera Labs


Saturday, November 4, 2017

Internal Audits, Lawsuits, and Love Letters

What Comes to the Business Center Computer Stays on the Business Center Computer

Several examples of data left behind on public computers will be shared in this blog. When possible or deemed necessary attempts were made to notify the owners of that their data had been at risk. Sensitive content was also deleted from these computers. Typically I deleted all temporary files as well as those left behind in common locations.

Before I continue I want to make it clear that I am not a hacker. It took no special skills to find the files in the examples used below. If a computer was reasonably well locked down, and some are, I wouldn’t know how to hack into it. The only “special tool” I used that was not on the computers inspected was a hex editor. A hex editor is very useful in determining the true file type of a file that does not have its regular extension.
 
Please Help

Do any of my readers know how many bags of mints every United Airlines flight leaving St Louis should have onboard? I found a copy of the Trans States Airlines (TSA) August 2009 Bid Quiz on a public computer in a hotel. I have been dying to find the answer to this question ever since.

Tools of Social Engineering

Trans Sates Airlines is or was a regional carrier for United Airlines. As I was looking through some “temporary” files on a computer in Austin, TX I came across a “bid quiz” and a PDF containing a training roster that included the names of several flight attendants, what appears to be their employee numbers, dates of training and training locations. However I did not find this quiz and PDF in 2009, it was 2012 when I first encountered it three years on that computer before I removed it.

What comes to the business center computer stays on the business center computer.

The story does not end there. I only had time to review a few of the temporary files at the time so I copied the rest of them onto a thumb drive for later perusal and use as training material.

In 2016 I finally got around to inspecting the files as I was creating a new training presentation. Seven years after the file had been left for dead in that temporary directory it was still relevant. In early 2017 there were at least 5 flight attendants still employed by TSA (not the TSA). At least one or two flight attendants had gone to work for other airlines. Finding the flight attendants was as simple as typing their names into a LinkedIn search box. From 2009 to 2012 the file was publically available as a weapon of social engineering. Today it may be an even more effective attack tool. Knowing several years of a victims past and colleagues can be quite convincing.

“Hey, I remember you. We talked on some flights between St, Louis and was it IAD?” Wow this brings back memories. Do you know what Jane is up to now? She was such a sweetheart. Last I heard she opened a yoga studio in Australia.”   Nice foundation for a confidence scam, except there is a lot more on social media now to build on. I did reach out to TSA. I offered to return their data if they wanted it and I requested the answer to the question about the mints. I received no reply.

Are You Traveling for Business or for Pleasure?
If you are a home user you might want to know what you could be leaving behind on these computers. My favorite finds are Yahoo emails that can be found in the temporary internet files directories. Temporary files from html email frequently have names that look like this “H2YDZKEU.htm.”

Those files then open in the browser like this



Aside from the fact that the email was sent to me, there were several other email addresses on the “TO:” line. Sometimes the emails indicate a transfer from a work account to a home account. Protecting yourself really isn’t as easy as telling a browser to delete all of the temporary files, at least Internet Explorer doesn’t remove them all. There are several other places to find temporary files on a windows computer.

I am a Security Professional, I got it

If you are responsible for enterprise IT/security I have some solid advice for you. Pray. Pray really hard. I do not care if you are an atheist, pray!  If you play D&D you are already a step ahead of me.

You might want to let the CEO know what things have been found on these computers. We’re not talking about the malware threats. Why let the CEO know? Aside from the fact that the CEO may be an offender, you may need some support to get the funds required to protect proprietary information. I’ll give you a bit of ammo below. Examples relevant to Finance and HR can be found.

An Internal Audit and a Bit More

While dumpster diving on a business center computer I came across an internal audit for a major chain that provides cash advances. I discovered which branch was being audited, the contact at the branch, and the auditor’s findings. While the branch received a satisfactory rating, issues such as a check missing a payee and a missing disclosure were noted.


 


On the same computer a document concerning a cash advance was also found. The document contained the customer’s name, address, phone number, customer number, and transaction logs.

Yeah, there’s no legal liability there… is there?

A Lawsuit

On one occasion I discovered correspondence between a very large law firm and their client. The client was filing a claim against the Manville Trust. In this case the PDF was sent to the claimant’s yahoo account, and was also sent via snail mail to the claimant at the hotel he was staying at. I did not include the law office’s logo on the letter head. It was not the lawyers who opened the doc on the public computers, they employ about two dozen lawyers who could make life hard for me if they were made aware that I exist and they are board or just mean.



The Love Letter – A Picture Paints a Thousand Words

Olga, the one who opened the email, may not care if the world knows that Kenny is in love with her, but she might not want her email address to be shared. I didn’t email her to find out though.



Not all correspondence is a love letter. One document left behind was titled:  “A Letter to Just One of the Other Women”

If the letter, a Word document) had been to Mary, or Sue, or Linda, I would not have redacted the name. The letter was to a woman whose first name is unique. There is only one person with that name on Facebook. The letter was much longer and contained information that corroborated identification. Even with a more common name personal identification may have been possible through correlation of a variety of social networking sites. The document was also probably edited or even composed on the hotel computer. One can speculate that the letter was sent as an attachment and the original was forgotten.

The odds are that you do not have a letter to the other woman, but have you ever composed anything that required discretion or read any such items on a public computer? Perhaps saved them?

Did you ever print out a boarding pass? I could have re-assigned a middle seat to a passenger late last year. His flight didn’t depart for hours! It was a long flight too.

In early 2017 I found a number of items on the computer in an executive lounge at an airport. I came across a financial advisor’s communications in a document that indicated it contained proprietary information and trade secrets.

Typically strategic development plans are not for public consumption. I have only included a small part of this document.



In this case I’m not really sure that the company cared. They never got back to me on Facebook. Also found was an investment firm’s communications with an indicator that the content included proprietary trade secrets. It actually appeared to be boiler-plate, but I don’t know.

Amusingly, on the same computer was a PDF with installation instructions for a Chamberlain garage door opener. I left the installation instructions on the computer for the benefit of others who may find them useful.

A few additional examples.



The spreadsheet I found with the names, salaries, and merit raises for faculty at a university in Texas should never have been there. Of course the faculty are woefully underpaid. Teachers need to be appreciated more.

Online banking is like money in the bank.


There was enough information in the HTML file to identify the account owner, where he lived, multiple sources of income, and places he frequented.

Finally, there are always the selfies and the pets. Out of respect for private citizens I have anonymized these pictures.





A Most Gratifying Experience

On one hotel computer I found a spreadsheet with the names of the salespeople, their team leaders, and how much product each had sold. This information belonged to a fairly large company that is the leader in their field. When I contacted the appropriate person, among her first words were “we will begin training immediately?” That is what this is all about.

Understand private and corporate risk, and act accordingly

This blog does not address the malware threats. I will be writing about that on the Quttera blog.

One final word of caution. Should you decide to look for what was left behind on a business center computer, there are somethings that you can never un-see…






I warned you.

My blog dealing with the malware risk when  using public computers is live at Public Computers and Malware

Randy Abrams
Senior Security Analyst at Quttera Labs

Tuesday, October 24, 2017

Cleaning and Gutting Phish for Beginners

To start with, beginners don’t usually clean phish but anyone can help to get the cleaning process started. Admitting that someone else has a problem is the first step toward fixing the problem! If it is your own website that is hosting a phish then it is up to you to clean it, or get help cleaning it.

Phishing links can be dangerous to click on as they make take you to a site with exploits. If you have a safe environment, such as a virtual machine or sandbox, then it is typically ok to follow the link, but be sure to replace the VM with a pristine copy or delete the contents of the sandbox.

When you receive an email that you suspect or know is a phish, before you delete it share it with Phishtank. The easiest way to get it to PhishTank is to forward the email to  phish@phishtank.com. PhishTank make phish available for people to validate. Security companies can also pull information so as to more quickly block the phishing attacks. It is a great idea to sign up for an account at PhishTank. If you have the know-how to tell a phish from spam you can help by logging into PhishTank and evaluating some phish.


If the phish is attacking customers of a financial institution you might be able to contact the institution, but frequently it is hard to find a way to report the phish to. Sometimes you can message the affected company on social media and find out where they would like the phish forwarded to.
Sometimes you can let website owners know when their websites are being used to host the phishing pictures and kits.

Now let’s move along to gutting a phish. We will start with the small phish.




We’ve all seen these before. I particularly like the professional touches on this one such as To: Undisclosed-Recipients and “This message was sent to “”.” I right-clicked on the email so I could view the source text. On the lower right you can see the context menu. Here are the entire contents of the body (guts) of the phish.

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<p><a href="http://bit.ly/2QKGRFNGDBF"><img alt="Mountain View" src="http://bit.ly/TGFDCYTHGRFDHGF" style="width: 592px; height: 473px;" /></a></p>
</body>
</html>

There are two significant things going on here. src="hxxp://bit.ly/TGFDCYTHGRFDHGF"   is where the picture in the email is coming from. This is the second link above. The first link is the smelly part of the phish. hxxp://bit.ly/TGFDCYTHGRFDHGF is where the phishing kit used to be located. It was replaced with a 404.
These links happen to be bit.ly shortened URLs, but there are many sites that provide URL shortening services. You really want to know where you are going before you go there, so expand the URL back to the full version before you decide to click. The JoshMeister has some great tips for decoding links that have been shortened by using a variety of services.

Since this URL is shortened by bit.ly we just add a + sign to the link and hit enter. This takes us to the bit.ly site where we are shown the full URL. In this case hxxp://bit.ly/TGFDCYTHGRFDHGF+


hxxps://s1.postimg.org/1smpducc3j/boaaaaaaaaaaa_NEW.png is not the link that matters. That one has advertising that would give the phish away. The one you want is the smaller one in orange. hxxp://bitly.com/TGFDCYTHGRFDHGF leads us to the plain picture shown at the beginning of the gutting section of this blog.

When you click on the picture in the Phishing email you would have been taken to the phishing kit which asked for your login information and many other details. It even asked you to create 5 challenge questions that are commonly used. I liked the one that asked “What is your father’s middle name?” I answered “The one between his first name and his last name.” I do not suggest that you visit the phishing sites though. I was using my wife’s computer so I was never at risk.

So how did I help to clean this phish? First I admitted that someone else had a problem and then I let them know that there was a problem.

I wrote up more about this specific incident in a blog titled “Phishing for a Gold Medal” at Quttera. I am now a Senior Security Analyst at Quttera. I included a couple of more shots of this particular phish and a tiny bit of biographical information about the gold medal winning Olympic athlete.
In addition to my personal blogs here, I hope you will follow me at Quttera as well!

Randy Abrams
Independent Security Analyst by night and
Senior Security Analyst at Quttera Labs

Wednesday, October 18, 2017

Living With Brian Cassin – CEO, Experian

I have to change my address again. I don’t like where Bank of America has moved me to so I am going to move to 475 Anton Blvd., Costa Mesa, CA 92626. I hear that they have really nice digs there.

Following my discovery of  an issue with a link on the Equifax website I decided to return to what I set out to do in the first place - get my mailing address corrected on my Experian credit report. How hard could that be?

This is where the unholy collusion of creditors and credit reporting agencies makes a blatantly unabashed public appearance. The answer to “how hard could it be?” is “it is surprisingly hard.”

Any creditor can report a change to your mailing address, your gender, your age, your marital status, etc., and Experian will change it and you cannot contest it. Your creditor has to change the information for you. If your creditor will not (or cannot) change it then you are "attached to another object by an inclined plane, wrapped helically around an axis."

In this case Bank of America has explicitly told me that they have no idea where the incorrect information is in their systems. The address is correct in my online profile, just not in the system that reports to Experian.

Nobody knows how many millions of Americans have incorrect personal information on their credit reports. Experian has no idea because there is no data validation. Consumers do not know because changes are made secretly, and even when they are discovered, there is no recourse.

Even with free annual credit reports, falsified information can easily persist for months on end unless a person pays the ransom to see their credit reports more frequently. Changes to personal information should be proactively reported to the consumer. Equifax proactively tipped me off to the Experian issue.

At Experian incorrect financial reporting can be contested. Correct financial reporting can be contested. Incorrect personal information is off limits. Just one more slip of the keyboard at Bank of America and I will be a 21 year old, Native American woman, living in Finland and married to Brian Cassin. Granted that is an unlikely scenario since Finland is too cold for me.

I asked Experian “If Bank of America reports my address as being the address of Experian’s corporate headquarters, will you change it to that?” The response was “Yes, if that is what a creditor reports then that is what will be on your credit report.” Unlike Experian, changing my address online at Bank of America is simple! I think this will be the start of a beautiful friendship. I am moving in with Brian Cassin at the posh Experian headquarters.

 I know where I will live; you only think you know where you live.

Please send your best wishes to me on my move to the Experian headquarters by post at:

Randy Abrams
C/O Brian Cassin CEO
Experian
475 Anton Blvd.
Costa Mesa, CA 92626
Randy Abrams
Independent Security Analyst just trying to find his home.

Saturday, October 14, 2017

VirusTotal, Equifax, and Antimalware Products

There is a subtle precision in the statement “VirusTotal only showed three antimalware scanners detecting malware.” If you think that means only three scanners on VirusTotal detected the malware, then read it again more carefully; that is not what it says and that is not what it means.

Before I continue to talk about VirusTotal mythology, there are a few things I would like to clarify concerning my find of a malicious link on the Equifax website.

  • The site was not hacked, but as stated in the title of my blog, it was compromised. There is a difference; there were no exploits, no backdoors, etc.
  • There was no malware and there were no malicious pages on the site.
  • There is no indication or probability that data was stolen as a result of the compromise.
  • Equifax’s security team is blameless for this one. They were sucker-punched so badly by a third party who was in turn compromised.  The whole food chain was poisoned.
  • Infection required two clicks, a download and an install. It was not a drive-by.
  • There was a serious threat to people who clicked on the link and fell for the attack. This was really nasty malware.

I do not understand why the Experian page was down for two days. I have a theory, but I will wait for the producers of Ancient Aliens to tell me what some people believe before I publish.

Speaking of antimalware, I hope that Kim Komando will agree to write some guest blogs under the pen name “Auntie Malware.” How cool would that be? But I digress. At the 2017 Virus Bulletin Conference in Madrid Spain I presented VirusTotal tips, tricks, and myths. I believe the full presentation will be available soon. The content of the presentation was submitted to my friends at VirusTotal to validate accuracy. I am going to do a series of blogs about VirusTotal mythology.

There are multiple reasons why one cannot assume that only the scanners that display detection on VirusTotal are the only ones that have detection of the threat. Just as importantly you cannot assume that if the scanner you did not display detection of the threat you were not protected.

VirusTotal uses command-line versions the scanners. Command-line antimalware scanner cannot be expected to perform the same way that the GUI versions do. There are undocumented switches that can boost heuristic detections to a levels not available in commercial offerings. Antimalware vendors can hide detection on VirusTotal. Sometimes you do not want the malware authors to know what you know. The commercial versions may very well have detection.

There is more to say on the subject, but for now know that “Displayed on VirusTotal” does not mean that only those scanners that display detection provide detection. Don’t forget protection; it is not the same as detection, but it matters. I know for a fact that at least one product that did not demonstrate detection offered protection. I have a very high degree of confidence that other scanners did too.
In the next series of blogs, which may not be sequential, I am going to dispel the following myths:

  • VirusTotal can be used to perform comparative testing
  • Detection of malware on VirusTotal means the scanner can detect it
  • Lack of detection means the file is safe
  • False Positive means false positive
  • Detection by more scanners means better coverage
  • Malicious website means malicious website

I am going end this blog by summing up VirusTotal in one neat little quote by Alan Greenspan.

“I know you think you understand what you thought I said
but I'm not sure you realize that what you heard is not what I meant”


Randy Abrams
Independent Security Analyst
https://www.linkedin.com/in/randy-abrams-ba24391/

Wednesday, October 11, 2017

New Equifax Website Compromise

Update: Third party analysis tends to indicates something that is conceptually the same as malvertising. Watch the video and replace Equifax with your favorite website. It happens every day throughout the world. Now it's a security training video.

I like Equifax more than Experian. TrustedID gave me the heads up that Experian had falsified personal information in my file. After verifying that Experian did in fact falsify the data (it was due to incompetence and apathy) I decided to see if the misinformation had propagated to Equifax. As I tried to find my credit report on the Equifax website I clicked on an Equifax link and was redirected to a malicious URL. The URL brought up one of the ubiquitous fake Flash Player Update screens.



For all of you voyeurs...

Seriously folks. Equifax has enough on their plate trying to update Apache. They are not going to help you update Flash.
 
I know that nobody is surprised at my find, but watching Equifax is getting to be like watching a video of United Airlines “deplaning” a passenger... It hurts.
 
And once again Equifax, all I want from you are my credit scores. Please?

Independent Security Analyst



Tuesday, October 10, 2017

Equifax Caught Experian Falsifying My Personal Information

One of the silver linings of the Equifax breach is their free identity theft protection. Perhaps that is the only silver lining. I was skeptical when I received an email from TrustedID that said “We've noticed a change on your credit report.”  I know that identity theft is rampant and credit reports change frequently, but consider the source. Equifax owns TrustedID; need I say more? I figured the email would be something like a LinkedIn style “three people have looked at your credit report. Upgrade to premium to find out who they are.” Or “views of your credit report are up 80% over last week’s views.” Still, I was curious. I logged into my TrustedID account and was informed that Experian had changed my address on file.

My investigation revealed that Experian now showed my current address is in a city I have never lived in. Perhaps accusing Experian of falsifying my personal information is a bit dramatic, but it is technically true. I won’t say it was deliberate because I know Hanlon’s razor. Hanlon’s razor essentially says “"Never attribute to malice that which is adequately explained by stupidity." In this case apathy is probably closer to accurate than stupidity. To paraphrase Lily Tomlin’s classic “we’re the phone company” sketch… “We don’t care. We don’t have to. We’re the credit bureau.” Experian is not stupid, they excel in math. They know exactly how much each congress person that can be bought costs. Based upon the laws of supply and demand I expect it isn’t very much.

Here is how I believe Experian got it wrong. For several years my Brother and sister-in-law had been living in a house I owned in Seattle. When they moved they filed a change of address form with the post office. My brother’s name is Steve. Steve is a name with five letters. The name Randy has five letters in it too. The rest is history. Data validation is not on Experian’s strong suit. Fortunately when I request my free credit report my brother will pass it along to me after Experian sends it to him.

Let’s compare Experian’s attitude toward consumers with T-Mobile’s attitude. In 2015 it was revealed that Experian had suffered a 2 yearlong data breach that affected T-Mobile’s customers. T-Mobile CEO John Legere response included the following comments.

“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected.”

Did you notice it was not Experian but rather T-Mobile whose first focus was on assisting customers?
Legere went on to say “Experian has assured us that they have taken aggressive steps to improve the protection of their system and of our data.”

 Improving the protection of T-Mobile’s data is important to Experian’s bottom line, but maintaining the integrity of consumer data is irrelevant to Experian. It doesn’t help or hurt their bottom line. Let’s hope the Equifax breach results in industry wide changes that, among other things, makes negligent changes of consumer data expensive.

In conclusion, thank you Equifax for bringing to my attention the falsification of my personal data by Experian. On a more cheerful note, when Experian is breached again the attackers won’t get my real address.

Independent Security Analyst
I am my brother’s keeper, but I am not my brother

Tuesday, September 12, 2017

Equifax: Here Is What I Want From You



My credit scores. I want my credit scores. I know you’ll give me a year of free credit monitoring, but I’m pretty sure that is only to try to sell me more stuff. Actually Equifax, you are stingy. When Anthem was breached their victims got two years of free credit monitoring AND a $1 million identity theft insurance policy. When Premera Blue Cross was breached they gave away two years of free credit monitoring. Not one year, but two full years AND I got free access for life to the results of my colonoscopy. Equifax, I just want my credit scores. The hackers get them free, why don’t I?

I decided to find out if I am one of the people impacted by the breach. What I learned was that if I can pick out apartments buildings from a lineup, know my last name, and the last six digits of my social security number then I am probably impacted. The last six of my social security number was tricky. I was able to find correspondence containing the last four digits, so that narrowed it down to a maximum of 100 guesses to get the first two. Lucky for me I got it on the third try or else I may have been locked out and had to ask a hacker for assistance.

So here’s how to find out if you are a victim.

Step 1: Go to https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-fire/ and pick out the website he indicates needs to be used. Do note that you may need to use a computer and a mobile device to verify the results. A tablet probably isn’t a bad idea either. Perhaps try it with iOS, Android, Win 10, and Symbian.

Step 2. Enter my last name and last six of my social security number (I don’t know if yours will work, but mine does, so I can confidently recommend it). Proceed to pick out ugly apartment buildings from a lineup. 




I hate these captchas. I wonder if the hackers had to complete them to get in too.

You can tell if you successfully completed step 1 by the following conspicuous message.




Have a last name?  √
Know or can guess the last six of your social security number?  √
Can pick ugly apartment buildings out of a lineup?  √

Winner!! You are the proud new owner of one glorious year of free credit monitoring!

I have to admit I got a bit queasy when the next screen appeared.



Why am I being asked for this information? Equifax knows all of this information just from my last name, the last six of my social security number, and some pictures of ugly apartment buildings now linked to my IP address. I forgot to check my VPN - it was off. I fear I am being set up. “See Mr. Investigator, he has some of the stolen data and knows which pictures are the ugly apartment buildings. He’s your culprit.” No, I think I will play it safe and appeal to the hacker’s consciences to do the right thing; Use the stolen data for good and sign me up so it doesn’t look like I committed the crime.

You may think that this sounds absurd, but do remember:

1) Equifax is desperate. Their stock tanked, they’re being grilled by congress, some of their executives sold stock at questionable times, and they face multiple lawsuits. Equifax needs a scapegoat like McCarthy needed commies.

2) The name of this blog is, after all, Security Through Absurdity. Sometimes I have to get a bit tongue-in-cheek or even absurd.

Equifax, I don’t care if you are too cheap to give two years of credit monitoring. I don’t care if you don’t give me a million bucks of identity theft protection. I don’t care about lawsuits. All I want is my credit scores. That is the only information that the hackers have that I do not have, and they got it for free.

Collector of free credit monitoring services and free identity theft insurance policies, and connoisseur of ugly apartment building fine art.

Wednesday, August 16, 2017

Will Passphrases Kill the Password Managers?


I won’t keep you hanging… … … much... the answer is no! If the answer was all you needed, then thank you for visiting my blog. If you would like to know why I say “no,” then keep reading.

Just in case you do not know what a passphrase is, it is a password that uses words instead of gibberish. The words may or may not have spaces in them. “thisisapassphrase” and “this is a passphrase” are both passphrases. Do not use those two examples for your passphrases though.


The argument for passphrases is that they are easy to remember, and if they are about 20 characters long or more, they can be far stronger than something like “^T28dy2a$o,v” is. That is completely correct. I am a strong proponent of passphrases.
 
On the NPR show All Tech Considered, Paul Grassi, the Senior Standards and Technology Adviser at NIST, is quoted as saying the following concerning password managers
 
“… these apps are useful because they completely randomize the password, but he says they aren't necessary to maintain security.”
 
The new NIST guidelines concerning passwords and passphrases are widely regarded as excellent by security experts. I wholeheartedly agree with all that Paul said, except for the part about password managers, and here are the reasons why.
 

1) Some sites are not going to allow long password/passphrases. If you are limited to 15 characters or less, complexity does become far more important and password managers help with that. This also means that you have to try to remember the gibberish.

2a) Depending upon how many sites you have passphrases for, many people are not going to be able to remember all of the phrases and which sites they correspond with. This leads to 2b (for the record, “2b or not 2b” is not a good passphrase.

2b) When people get to the point that they can’t remember all of the passphrases and corresponding sites, they are likely to take shortcuts that are essentially the same as incrementing passwords or using the same passphrase at multiple sites.

Cracking passwords is not as common as obtaining passwords from a data breach or a phishing attack. This is why password reuse is so dangerous. This is also why incrementing passwords makes a complex 16 character password weak. Easily recognized patters in passwords, such as “Todayis01/10/17” make the next series of password extremely easy to guess.

If a person has 20 sites with a unique username and passphrase to remember for each site, I believe that they are likely to do something far more serious than incrementing. They may use a site identifier.

Write down 20 websites that require you to log into. The next to each one write down your user name and a unique passphrase for each of them. Just to make my point., choose the first four words of a different sentence in this blog for each of the 20 website’s passphrases. As soon as you are done, stop looking at them. Even if your username is the same for all of the sites, do you remember the passphrases and corresponding sites? Most people will not. You need a way to remember all of these. The trick that I envision some people using is site identifiers.

“Tractors swim in aquariums” is a great passphrase (at least it was before I published this blog).

Now to make it easy to remember which site I use each password for…

“Tractors swim in aquariums – Gmail”

Care to guess this user’s password for Facebook, LinkedIn, and the company they work for? Websites can prevent users from including the name of the site in a password, but users are clever that way. They’ll figure out something as predictable. Of course if you write it down you are a bit worse off than using a random complex password. The gibberish passwords are hard to remember. If I see your passphrase written on a piece of paper, about a second or two is all I need to see it and remember it.

Passphrases and passwords share an identical problem. You can’t remember them all. Password managers address that problem. That is why password managers are as relevant in tomorrow’s world of ubiquitous passphrases as they are in today’s world of ubiquitous passwords.

Here is my recommendation. Use an excellent passphrase for your corporate login and remember it. Use an excellent passphrase for your personal computer login. Use an insanely good passphrase for your password manager. A sentence you create that is at least 35 characters long, such as “the purple cow danced on the cheese” is insane enough. Make sure your passphrases are at least 20 characters long and not common sentences, and you’ll be good to go for almost anywhere you currently use a password.

In future blogs I will give more detailed guidance on how to make killer passphrases.

In a different blog I will discuss the passphrase token attack and linguistic passphrase attacks. These attacks intrigue me, but I don’t think they are anything to worry about too much at this point.


Independent Security Analyst (is not my passphrase)

Thursday, August 10, 2017

Evasion and Regeneration; Decoys and Deception


I recently had an interesting conversation with Alex Gounares, the CEO at Polyverse. Alex calls Polyverse’s security approach “Moving Target Defense.” Polyverse’s technology basically causes your operating system to continuously morph into something functionally the same and dynamically different, at a very high rate of speed, while replacing the container with each morph. The idea is to give attackers virtually no time to exploit a vulnerability before the vulnerability has been moved somewhere else. If malware does enter the system, the OS is replaced with a brand new, clean morphed OS almost as quickly as the malware had arrived. Full disclosure: I had been referred by a friend to Polyverse for contract work. There was not a synergy in current needs but the ensuing conversation was engaging and thought provoking. This is the “evasion and regeneration” I am talking about in the title of this blog.

One of my all-time favorite quotes goes something like this. “If you only see one solution you probably don’t understand the problem.” This sage advice that I found in the sidebar of a DIY robotics book applies to life. Sometimes when I do not like a solution. I discover I’m not actually trying to solve the real problem. Sometimes the first solution I see is the best solution. Other times I find multiple appealing solutions.  Regardless, I am always more educated by remembering to apply this principle to my life.

I really am intrigued by Alex’s classifications of defenses as “stationary” and “moving target.” The moving target defense looks to me like a novel solution. Damn. The “S” word… “solution.” “If you only see one solution…” Sigh .Now my challenge became one to see if I could find better or equally appealing solutions that use a stationary target defense. In other words “Can a stationary endpoint be defended as well as an endpoint that is moving faster than the attackers can catch and inflict damage upon?”

There are many types of stationary target defenses but for this blog I am limiting discussion to one class of stationary target defense – deception and decoy. The reason is simple. It was the first to come to mind because my friend Gadi Evron is everywhere I go. Facebook, email, countries all over the world… Gadi is everywhere. In thinking about a stationary target defense solution that might be able to provide the effectiveness of a moving target defense, I remembered Gadi telling me about how his company, Cymmetria, uses decoys and deception to keep an attacker away from a stationary target.  TrapXAttivo Networks, and CounterCraft are three other companies that use a deception and decoy strategy. Aside from any technical merits of these solutions, I absolutely love the idea of deceiving the bad guys. Digital karma. Ask me about the time I kept a PC support scammer on the line for 45 minutes. He even waited for me to “cook my breakfast.”

I have an all-time favorite example of a successful stationary target defense. The defense was called “Rope-a-dope” and it made the “Rumble in the Jungle” one of the most exciting boxing matches in history. Muhammed Ali was essentially a stationary target for almost 8 rounds. In the 8th round Ali stopped being a stationary target and destroyed George Forman in an offensive flurry lasting less than 10 seconds. Rope-a-dope worked for Ali. Although it was an offensive maneuver that ended the fight, the defense was essentially stationary. I can’t imagine that getting pummeled by George Foreman felt like an Ashiatsu massage, but I wasn’t there.
Unlike Ali’s approach, companies employing decoys and deception do not let their targets stand and take punches – no matter how hardened the target is. Different companies use different techniques, but the high level concept is to use real or virtual computers that keep attention drawn away from the target by making the decoys look like they have the Holy Grail. One of the potential weaknesses of the decoy approach is that there is still a stationary target. I’m sure that all of the companies that use this approach are aware of this and have some pretty cool counter-measures, but still, there is a stationary target. If the decoys work all of the time then the actual target does not need to move.

My favorite moving target defense analogy is the SR-71 Blackbird. This spy plane was the fastest aircraft ever to fly.  The Blackbird had vulnerabilities. The Blackbird was designed for stealth, but you don’t really fly at Mach 3+ without leaving a detectable heat signature. To add to that, the skin around parts of the fuselage could be easily damaged. How did the Blackbird defend itself?  It flew faster than the missiles could reach it, faster than any other aircraft could fly, and it moved around a lot. Stealth was still a factor too. By the time the missile got there, the Blackbird was not. It didn’t matter that the Blackbird was in plain (no pun intended) sight.

Surveillance is a critical part of moving target defenses, deception and decoy defenses, and many other security approaches. Repelling attacks is good, but not everything. You want to have a discreet, digitally intimate relationship with your attacker. You just don’t want the attacker to know they are in the relationship. This should be your relationship status

 

This is what the adversary’s relationship status should be


You want to stalk your enemy… watch them... What is my enemy after? How are they going after it? How are their tactics adapting? Who is attacking me? What am I going to do about it? And so on… Ah ha! The OODA Loop is back!

Update: Attivo Networks expressed concern that I may be making decoy and deception defense look like a passive technology. I am actually surprised that none of the other vendors raised this concern because they all fight the misconception that they are glorified honeypots.

Modern decoy and deception approaches employ algorithms that can create a series of dynamically changing decoys and potentially even dynamically changing network topologies in response to the tactics of attackers. This is active engagement with the enemy, not passive intelligence collection.

Again, I am not recommending or endorsing any specific technology or security market segment. We’re talking philosophic approaches and challenging assumptions. I can’t imagine any single tactic working through the entire kill chain.

Given multiple approaches to achieve the same goals, which strategy is best? I can’t tell you, I don’t know your problem.

If you are Schick you are defending trade secrets. Encryption, DRM and data recovery probably address the real problem. Yes indeed, defend your endpoints, but don’t lose focus on the problem. Get that IP protected, then worry about the network and endpoints.

If you are a hospital you are defending human lives first. Protecting the equipment required to maintain the physical well-being of a patient probably requires different protection technologies and/or approaches than protecting the systems remotely monitoring a pacemaker. Banking Trojans may be the biggest threat to the accounting department, where data theft is the major threat to systems holding health records.

Make sure you are clear on the problem, assess the suitability of the approach to the problem, and them compare technologies and approaches. The right technological approach for you may not have been mentioned in this blog.

I really wanted to share with you the concept of diverse philosophical approaches to security, and demonstrate what happens when I remember some of the wisest words I know - “If you only see one solution you probably don’t understand the problem”

This is the official end of the blog, but feel free to read on if you enjoy the diversions that research on the Internet result in.  As you all know, the problem with research on the internet is not attribution and not validation, it’s that you get diverted to rather irrelevant information that is too compelling to ignore. In thinking about analogies to use in this blog, holograms came to mind. I could think of analogies using holograms for either type of defense, but they fell apart the very first time an adversary tried to “touch them.”  This analogy requires a hologram that can be “touched” to really fly. With that in mind I remembered that George Washington once said “if you can dream it you can find it on the Internet.”

Research into my dream led me to a company called Ultrahaptics. Ultrahaptics is developing a holographic technology which can make it seem like you are touching a hologram. How cool is that?


Randy Abrams

Independent Security Analyst (ISA)
Fan of Historical Quotes (FHQ)
Chaser of Internet Squirrels (CIS)