Protecting my Mom – Part 3 – How Easy is it to Get Hacked?

Keeping our moms safe can be a daunting task.

In our first installment of “Protecting my Mom” we discussed a phone phishing attack that targeted me. This was followed by our second part, where I found myself being attacked over a Wi-Fi network that was set up for the express purpose of compromising machines that roamed onto it. In this final installment, we take on the role of an attacker and are reminded of how easy it is to be hacked.

My challenge to myself was simple: how fast could I target a machine and compromise it using off-the-shelf tools? My goal: 5 minutes from start to finish. How much time did I need? The stopwatch showed a mere 2 minutes and 13 seconds. Scared yet? After doing that, I was. After being the target of a hack twice in the span of less than a week, I decided to go from being the “prey” to being the “hunter.” How hard is it to be hacked? And if I was hacked, how long does it take me to start grabbing data that I could use? Don’t worry, I’m doing this as a bit of a test and I’m using my own Virtual Machines, so I’m not turning my abilities on any other person; it’s more of a challenge to see how hard it is.

Protecting my Mom – New Generation of Attacks Threaten us All

Most days I sit comfortably at my desk behind multiple layers of defenses keeping myself and my machine from harm. I sip my coffee and don’t even think about defending myself from threats; instead, most of my energy is focused on how we push forward in our industry against those armies of darkness that seek to compromise our privacy and security and exploit information for their own cause. This week was different. In three different cases, I found myself at the center of the attack. It was humbling, and at the same time reminded me of how much work we have to get done.

What scares me the most is the unsuspecting prey that countless hackers stalk. I’m knowledgeable about what and how hackers try to exploit victims. But I worry about my friends and family members that don’t have that same savvy knowledge. I think about my Mom, using the internet for her banking and the occasional check of Facebook… little does she know she’s in the epicenter of the attacks.

So this blog is the first of a series of three chronicling my last week. I want to share with you three attacks that happened to me in the hopes that it gives you a flavor for where attacks are coming from nowadays. No longer is it the rogue link to install software or the email bomb that just annoys you. It’s a whole new world where callers, innocent internet checks, and group emails all lead towards exposure.

MONDAY:  Attack 1 – “Windows Service Center”

Last Thursday, I ended up getting home a bit early from a week of travel. It was about 4:00 p.m. and the house phone rang. It was just me and my kids at home. My kids range in age from seven to eleven and in most cases, it would have been them to answer the phone, but I happened to be there. I grabbed the phone, looked at the number and saw it was originating from New York. With family on the East coast, I didn’t think twice about grabbing the phone. After five seconds with no one speaking, I should have just hung up, but I stuck this one out. Then it happened… the attempted hack started.

The caller identified himself and began, “Hello this is XXXXXX from the Windows Service Center.” Intrigued, I decided to let him continue. “We have detected you have a computer virus on your machine and we’re here to help fix it.” At this point, my hack-o-meter instantly was pegged and I knew this was a scam, but for fun, I decided to let this play out. I asked, “how do you know I have a virus?” He responded, “because we have systems that detect these sort of things.” I asked, “how do you know it is my machine?” He retorted, “because we in America spy on our citizens.” I had to laugh at this one, to use that approach was fascinating, and more curiously, based on background noise, I firmly believe this call was not originating in the United States. Again, I pushed a little bit harder, “I have two machines in my house, which one is it?” He then responded, “I’m sure it is all of them, so we’ll fix them both.”

If memory serves me right, I was cutting some tops off of strawberries at this point in the kitchen and he asked me to go over to my computer. I told him I was in front of my computer at this point even though I was still cutting up strawberries. He started off by asking me to go to my control panel in Windows and told me that my Windows Firewall wasn’t active. WOW! I thought to myself, this is an impressive scam! Sure enough he successfully told me what to click (if I actually was in front of the computer) to navigate to my Windows Firewall and then told me the instruction to disable it because “bad software had taken it over.” Pretending I did, we continued. I asked him, “Are we done now?” To which he responded that he’d need access to my machine to make sure. I told him that I didn’t know how to do that and he asked me to go to some website by an IP address. Of course, at this point he began to see through my ruse. I told him I couldn’t get there but asked him what was there and he told me it was something “like a WebEx or online meeting” where he could control my machine.

He pushed really hard to get me there, but after a few more questions from me he started to get VERY mad. Not to mention I had moved onto rinsing some peppers and the water running was likely giving me away too. He told me, “You could be arrested if you don’t eradicate this virus” and even played off the emotional heart-strings, “you are exposing your family to harm.”  Then he crossed a line that I’ve never seen before, “I’m not asking you to go here, I’m telling you that you must” as his voice took on a threatening tone.

At this point, I told him that I needed to speak with a supervisor to validate this was the right thing to do. A man got on the line, didn’t identify himself and when I asked where they were and what company they worked for, you could tell I now was the one trying to go after them.  After I told them how shallow it was to attack innocent people like this, he blurted out a few expletives and mumbled some other inappropriate comments before hanging up.

If I had played his game, I have no doubt that the website I would have gone to likely would have been a way for them to remote control into my computer and more than likely it would have been used to download some Malware onto my machine. Things like key-loggers to capture my every password, my access, and even troll around my machine for some good documents that I might have. No doubt, my machine would have gone from a well-protected one to one that was riddled with Malware with a firewall turned off. All scary realizations for me.

…But could this have turned out differently?

What’s more scary though is I still play this story out with the “what-if” scenarios. What if my son had answered the phone? What if my wife had answered the call? Would they have played along or have gotten off the phone before damage was done? If they had played along, would the call have ended so innocently that they’d not have shared what happened with me? Could they have used my home machines (which don’t have valuable data) as a conduit to my work one, which definitely is more sensitive? The caller had the skills to make themselves sound believable, and the pressure-cooker capabilities of a time-share salesperson. They were well skilled to have seen this be a success.

On the heels of this event, I did everything I could to trace this attack back. It turns out the NY phone number was masked and it was originating from an exchange in India. The IP address website I was asked to access was from China. The call-back information was obviously invalid and I didn’t take the charade far enough to get more data to track them down. Hindsight being 20/20, I wish I had spun up one of my Malware Virtual Machines to access their website and see what else they did or at least trace the traffic from that event back to a more authoritative location so I could snoop back at them. More than likely they were using the computer of their previous victim, so that likely would have led nowhere, but nonetheless, I came up short on sleuthing this one.

Beyond the attack on me, I went online and began to search for the keywords from this conversation, “Windows Service Center” and a few others. It turns out there were more than a few dozen of these attacks reported, each recounted a story like mine, and in many cases, the victims acknowledged they were successfully exploited as part of this attack.

The Moral of Part One

What’s the moral of this story? There is no safe phone call and there is no innocent phone call. Unfortunately, it won’t take you long to go online and search and find other scams like this. Just this week we heard of the IRS phone scam, with callers impersonating the IRS defrauding people of millions. Some tips for all of us (and my mom) on this one:

  1. If someone calls, unfortunately, don’t trust them and make sure you validate their identity.
  2. Watch for key signs that the call is illegitimate. Ask yourself, does the caller ID number make sense? If it is “Unknown” really question it. If it is from outside of your home country, question it as well.
  3. If they are legitimate, they should be fine with you calling them back. Ask for their number and extension and ring them to validate you have a good number for them. At the same time however, if they give you an out of country number, DON’T CALL IT. This is a different type of scam…
  4. Never put yourself at risk doing something you know is wrong. Your firewall is there for a reason. We write patch-management software for a reason; never let someone ask you to take it down.
  5. If someone asks you to do something suspicious like go to an unverified website… don’t do it.
  6. Never… EVER… let them pressure you with commands or threats to do something you don’t want to.
  7. Call the authorities and email us. This activity is illegal and is a cybercrime. By you reporting it, people like me find out about it and then we go after these criminals.
  8. When in doubt, call/email me before you do anything… and I’m not just talking about emails from my mom… I’ll take emails from anyone on subjects like this.

I wish there was a switch on the wall that I could flip for us all to turn off the darkness. Unfortunately, there isn’t. In the interim though, we’re here to make it safe for us all as best as we can. Be safe everyone.

Access Intimidation

Don’t be intimidated out of making changes to your computer that improve your security and reduce the risk from vulnerabilities. An interesting phenomenon of antivirus software is the real-time scanning it provides. Recently my laptop hardware was upgraded and it required me to install a new video driver to support the enhanced graphics built into the onboard chipset. I was faithfully scanning my laptop for the latest patches and service pack support as well as checking that the drivers were current for the hardware. The video driver vendor insisted there was an available upgrade and I immediately tried to install it from the Internet per the online support. The driver was unsuccessful in loading so I decided to download it to my local hard drive and retry the install. It downloaded successfully and when I double-clicked the file it presented the installer and uncompressed the files, but when the progress bar was presented it halted with no error message displayed. Once again, when it rebooted I was informed that a video driver update was available. I examined my antivirus/malware quarantine folder and discovered the video driver software had been added. It was a simple task to add the name of the file to my “white list” of acceptable applications and when I attempted the install again it was successful.

While frustrating to install, I am glad my computer is well protected and that driver level modifications are not taken for granted. I wanted to pass this on to users that might think that they are unable to make modifications or updates to their computers because of insufficient access rights or equipment malfunction when in reality they were simply protecting themselves from themselves. Remember that a lot of solutions to computer problems are resolved with understanding PEBCAK (Problem Exists between Chair and Keyboard).

In reviewing the new known malware on the Internet in June 2011, the following are two new vulnerabilities that could affect your security:

Adobe Flash Player CVE-2011-2107 Cross-Site Scripting Vulnerability Alert
The vulnerability, CVE-2011-2107, is a cross-site scripting vulnerability that can allow an attacker to make HTTP requests while masquerading as the affected user. This vulnerability is being exploited in the wild in targeted attacks.

Microsoft Internet Explorer CVE-2011-1255 Time Element Remote Code Execution Vulnerability
The vulnerability affects Microsoft Internet Explorer versions 6, 7, and 8. The issue is related to the time element handling and occurs due to memory corruption, allowing an attacker to execute arbitrary code in the context of the application. Failed attacks may result in denial-of-service conditions.

– Kim Fors

Adobe announcement cranks up chatter on vendor auto updates

Earlier this month, Adobe announced that it is going to beta an automatic updater for its products in response to the surge of attacks against its software — Reader, Acrobat, and Flash.

According to McAfee’s threat prediction report for 2010, Reader and Flash will replace the Microsoft operating system as the primary targets for malware attacks in 2010. That’s bad news for all of us since these products are nearly ubiquitous for both home users and corporations.

While I give Adobe credit for taking some action — much like I gave them credit for adopting a quarterly patch cycle — silent patching with an auto updater is not a good answer for businesses of any size. Why? Loss of control. With auto updates, businesses can’t determine if or when or how a patch is applied. They can’t control when the auto updater service runs or where it pulls updates from or what updates are going to be installed. Adobe says it will provide some control to the end user — which is fine for home users, but that’s not who has responsibility for patching in businesses.

Businesses need to centralize control over the patching process. They need to control if and when to patch, how and when systems will be rebooted, and they need to have proof that patches were successfully deployed. Adobe and other vendors who create auto updaters are asking you to operate your business on blind faith. If more and more vendors follow Adobe’s lead, our systems will be slowed by updaters vying for CPU and our network bandwidth will be clogged with multiple updaters downloading the same patch hundreds or thousands of times.

That sounds like a recipe for chaos. And readers/subscribers of patchmanagement.org seem to agree.

Director, Product Marketing