Protecting my Mom – Part 3 – How Easy is it to Get Hacked?

Keeping our moms safe can be a daunting task.

Keeping our moms safe can be a daunting task.

In our first installment of “Protecting my Mom” we discussed some phone phishing attack that I was targeted for. This was followed by our second part where I found myself being attacked over a Wi-Fi network that was setup for the express purposes of compromising machines that roamed onto it. In this final installment, we take on the role of an attacker and are reminded of how easy it is to be hacked.

My challenge to myself was simple,  how fast could I target a machine and compromise it using off the shelf tools. My goal: 5 minutes from start to finish. How much time did I need? The stopwatch showed a mere 2 minutes and 13 seconds. Scared yet?  — After doing that I was. After being the target of a hack twice in the span of less than a week, I decided to go from being the “prey” to being the “hunter.” How hard is it to be hacked? And if I was hacked, how long does it take me to start grabbing data that I could use? Don’t worry, I’m doing this as a bit of a test and I’m using my own Virtual Machines, so I’m not turning my abilities on any other person, it’s more of a challenge to see how hard it is.

Protecting my Mom – New Generation of Attacks Threaten us All

Most days I sit comfortably at my desk behind multiple layers of defenses keeping myself and my machine from harm. I sip my coffee and don’t even think about defending threats from myself, instead most of my energy is focused on how do we push forward in our industry against those armies of darkness that seek to compromise our privacy, security and exploit information for their own cause. This week, was different. In three different cases, I found myself at the center of the attack. It was humbling, and at the same time reminded me of how much work we have to get done.

What scares me the most is the unsuspecting prey that countless hackers stalk?  I’m knowledgeable about what and how hackers try to exploit victims. But I worry about my friends and family members that don’t have that same savvy knowledge. I think about my Mom, using the internet for her banking and the occasional check of Facebook… little does she know she’s in the epicenter of the attacks.

So this Blog is the first of a series of three chronicling my last week. I want to share with you three attacks that happened to me in the hopes that it gives you a flavor for where attacks are coming from nowadays. No longer is it the rogue link to install software or the email bomb that just annoys you.  It’s a whole new world where callers, innocent internet checks, and group emails all lead towards exposure.

MONDAY:  Attack 1 – “Windows Service Center”

Last Thursday, I ended up getting home a bit early from a week of travel.  It was about 4:00 p.m. in the afternoon and the house phone rang. It was just me and my kids at home. My kids range in age from seven to eleven and in most cases, it would have been them to answer the phone, but I happened to be there. I grabbed the phone, looked at the number and saw it was a originating from New York. With family on the East coast, I didn’t think twice about grabbing the phone. After five seconds with no one speaking, I should have just hung up, but I stuck this one out. Then it happened… the attempted hack started.

Access DeniedThe caller identified himself and began, “Hello this is XXXXXX from the Windows Service Center.”  Intrigued, I decided to let him continue. “We have detected you have a computer virus on your machine and we’re here to help fix it.” At this point, my hack-o-meter instantly was pegged and I knew this was a scam, but for fun, I decided to let this play out. I asked, “how do you know I have a virus?”  He responded, “because we have systems that detect these sort of things.”  I asked, “how do you know it is my machine?” He retorted, “because we in America spy on our citizens.”  I had to laugh at this one, to use that approach was fascinating, and more curiously, based on background noise, I firmly believe this call was not originating in the United States. Again, I pushed a little bit harder, “I have two machines in my house, which one is it?”  He then responded, “I’m sure it is all of them, so we’ll fix them both.

If memory serves me right, I was cutting some tops off of strawberry’s at this point in the kitchen and he asked me to go over to my computer. I told him I was in front of my computer at this point even though I was still cutting up strawberry’s. He started off by asking me to go to my control panel in Windows and told me that my Windows Firewall wasn’t active. WOW! I thought to myself, this is an impressive scam!  Sure enough he successfully told me what to click (if I actually was in front of the computer) to navigate to my windows firewall and then told me the instruction to disable it because “bad software had taken it over.” Pretending I did, we continued. I asked him, “Are we done now?”  To which he responded that he’d need access to my machine to make sure. I told him that I didn’t know how to do that and he asked me to go to some website by an IP address. Of course, at this point he began to see through my ruse. I told him I couldn’t get there but asked him what was there and he told me it was something “like a WebEx or online meeting” where he could control my machine.

He pushed really hard to get me there, but after a few more questions from me he started to get VERY mad. Not to mention I had moved onto rinsing some peppers and the water running was likely giving me away too. He told me, “You could be arrested if you don’t eradicate this virus” and even played off the emotional heart-strings, “you are exposing your family to harm.”  Then he crossed a line that I’ve never seen before, “I’m not asking you to go here, I’m telling you that you must” as his voice took on a threatening tone.

At this point, I told him that I needed to speak with a supervisor to validate this was the right thing to do. A man got on the line, didn’t identify himself and when I asked where they were and what company they worked for, you could tell I now was the one trying to go after them.  After I told them how shallow it was to attack innocent people like this, he blurted out a few expletives and mumbled some other inappropriate comments before hanging up.

If I had played his game, I have no doubt that the website I would have gone to likely would have been a way for them to remote control into my computer and more than likely it would have been used to download some Malware onto my machine. Things like key-loggers to capture my every password, my access, and even troll around my machine for some good documents that I might have. No doubt, my machine would have gone from a well-protected one to one that was riddled with Malware with a firewall turned off. All scary realizations for me.

…But could this have turned out differently?

What’s more scary though is I still play this story out with the “what-if” scenarios. What if my son had answered the phone? What if my wife had answered the call? Would they have played along or have gotten off the phone before damage was done? If they had played along, would the call have ended so innocently that they’d not have shared what happened with me? Could they have used my home machines (which don’t have valuable data) as a conduit to my work one, which definitely is more sensitive? The caller had the skills to make themselves sound believable, and the pressure-cooker capabilities of a time-share salesperson. They were well skilled to have seen this be a success.

On the heels of this event, I did everything I could to trace this attack back. It turns out the NY phone number was masked and it was originating from an exchange in India. The IP address website I was asked to access was from China. The call-back information was obviously invalid and I didn’t take the charade far enough to get more data to track them Typing on computerdown. Hindsight being 20/20, I wish I had spun up one of my Malware Virtual Machines to access their website and see what else they did or at least trace the traffic from that event back to a more authoritative location so I could snoop back at them. More than likely they were using the computer of their previous victim, so that likely would have led nowhere, but nonetheless, I came up short on sleuthing this one.

Beyond the attack on me, I went online and began to search for the keywords from this conversation, “Windows Service Center” and a few others. It turns out there were more than a few dozen of these attacks reported, each recounted a story like mine, and in many cases, the victims acknowledged they were successfully exploited as part of this attack.

The Moral of Part One

What’s the moral of this story?  There is no safe phone call and there is no innocent phone call. Unfortunately, it won’t take you long to go online and search and find other scams like this. Just this week we heard of the IRS phone scam defrauding millions from people impersonating the IRS. Some tips for all of us (and my mom) on this one:

  1. If someone calls, unfortunately, don’t trust them and make sure you validate their identity.
  2. Watch for key signs that the call is illegitimate. Ask yourself, does the caller ID number make sense? If it is “Unknown” really question it. If it is from outside of your home country, question it as well.
  3. If they are legitimate, they should be fine with you calling them back. Ask for their number and extension and ring them to validate you have a good number for them. At the same time however, if they give you an out of country number, DON’T CALL IT. This is a different type of scam…
  4. Never put yourself at risk doing something you know is wrong. Your firewall is there for a reason. We write patch-management software for a reason, never let someone ask you to take it down.
  5. If someone asks you to do something suspicious like go to an unverified website… don’t do it.
  6. Never… EVER… let them pressure you with commands or threats to do something you don’t want to.
  7. Call the authorities and email us. This activity is illegal and is a cybercrime. By you reporting it, people like me find out about it and then we go after these criminals.
  8. When in doubt, call/email me before you do anything… and I’m not just talking about emails from my mom… I’ll take emails from anyone on subjects like this.

I wish there was a switch on the wall that I could flip for us all to turn off the darkness.  Unfortunately, there isn’t. In the interim though, we’re here to make it safe for us all as best as we can. Be safe everyone.

VMworld Barcelona Wrap Up

We have concluded a very successful VMworld Barcelona. Thank you to the over 8,000 customers, partners, press and analysts we met this week – you are the reason for the success. VMworld Europe lived up to its reputation an exceptional networking experience and real-world training for anyone in the IT industry, and this year’s event offered new product announcements and highlights for all audiences (check out some of the videos here).

We had a great reception for Vmware vCenter Protect with over 150 people taking the vCenter Protect Hands On Lab, and over 90 attending our session on simplifying and automating the task of updating both physical and virtual machines. And, vCenter Protect was the #1 demo in the VMware booth! What a great event – can’t wait to see you all again in Barcelona next year!

– Mike Bleakmore

 

 

 

 

 

 

SpiceWorld 2012 Was A Real Sizzler!

I had the pleasure of attending SpiceWorld 2012 in Austin, TX this week – what a great event! There were over 460 IT Pros in attendance, and I’m quite certain Spiceworks could have doubled the attendance numbers with a larger venue.

There was a great deal of excitement at this year’s event, from the all the new functionality (including Mobile Device support) to an expanded set of programs that vendors like us (VMware) can utlize to better leverage the Spiceworks community.

The highlight was the session we sponsored titled “How Virtualization Can Save Your Bacon,” where Chris Westphal from VMware and Darren Schoen (a prolific Spiceworks Community Representative) presented together in “Bacon Suits.” For whatever reason, the Spiceworks community has a strong affection for “all bacon products.” All-in-all it was a terrific event.

– Dave Eike

The Bacon Will be Sizzling at SpiceWorld 2012

With SpiceWorld 2012 rapidly approaching, VMware is thrilled to be participating again this year. We’re planning to spend a great deal of time both at our booth and in the sessions we’re conducting discussing important issues that continue to challenge our customers…especially those in the SMB.

From the ever-expanding issues associated with patching third  party applications such as Adobe, RealPlayer and Firefox, to the need for greater levels of automation for those every day, mundane, repetitive tasks (i.e., IT Scripting, standing up a virtual machine, and network reporting).

We look forward to discussing solutions to your most important and pressing issues.  And while you’re there, please stop by The After Party on Wednesday, October 10th where we will be sponsoring the Table Area Happy Hour with free drinks and appetizers and of course, more SWAG including bacon give-aways.

To learn more about how VMware can help save your bacon, visit our Spiceworks community site here.

See y’all in Texas!

– Dave Eike

VMware vCenter Protect-Right Here Right Now

We had a blast at VMworld San Francisco last week! We had more than 600 people attend the VMware vCenter Protect sessions, 1200 people participated in the hands-on labs, and another 200 joining our presentation in the Green Room while waiting to get into the hands-on lab. While customers were interested in our announcements on the new bundle with vSphere (vSphere Standard with Operations Management) and inclusion in My VMware. I believe the real reason we drew such an impressive crowd is simple: we solve a nagging problem for IT administrators.

The rapid growth of virtualization in companies large and small has elevated the need for robust patch management, especially for hypervisors and VMs (including offline VMs and templates). vCenter Protect is unique in its ability to manage both physical and virtual machines – whether those VMs are online, offline, or templates. Addressing this critical need manually is time-consuming and arduous especially given scarce resources. vCenter Protect saves both time and money by simplifying and automating the process of updating all machines on a network in a consistent and on-going manner. This is ideal for customers that need to show compliance to management or industry or government auditors.

Thanks to everyone we met in San Francisco. We’re looking forward to VMworld Barcelona (October 9-11) where we’ll have the same hands-on labs and sessions for vCenter Protect. In the meantime, please try the product for free for 60 days here and see for yourself how simple it is and how much time it will save.

– Mike Bleakmore

Overview of Microsoft’s Digital Certificate Changes

Microsoft has been working quickly on a major change to how digital certificates are looked at from an operating system standpoint.  With these changes to digital certificates, Microsoft is assisting their users in hardening their environments from a security aspect.  This information has been released on Patch Tuesdays and there has been a LOT of information released.  So, you may need some help trying to decipher just exactly what is going on, how it affects you and what you need to do from an administrator standpoint.

I am going to first break this down by the date each was released so you can get a good idea of this whole process:

June 12
Microsoft announced an automatic updater that will check for certificates that have been blacklisted and moved as an untrusted certificate in the Disallowed Certificate Trust List (CTL).  At this time, the automatic updater is only available to newer Microsoft operating systems (Windows Vista, Windows 7, Windows 2008 R2).  This new tool will check daily for updates Microsoft may release for certificates.

The Windows PKI blog also released information, stating that Microsoft will be releasing an automatic certificate updater for all operating systems in August.

July 10
Microsoft releases Security Advisory 2728973.  This security advisory is a non-security update that moves all Microsoft digital certificates that are not more than 1024 bits in length to the untrusted certificate store.  At this time, Microsoft is only addressing Microsoft digital certificates that are not more than 1024 bits in length.  But, this will all change during the August 2012 Patch Tuesday.

In addition, Microsoft changed the digital certificate automatic updater (2677070), released during the June 2012 Patch Tuesday, to a critical non-security update.  By changing the severity of the non-security update, this update will show missing and install by default on Windows Update.

August 14 (what to expect)
Microsoft will be releasing a non-security update moving all digital certificates less than 1024 bits in length to the untrusted certificate store.  UPDATE:  The non-security update that will be released by Microsoft will block certificates (not move certificates).

Let’s take a look at some common questions administrators may have with all of these changes:

What are the most common issues I could face with the August 14th update?
The most common issue users could see is getting invalid certificate errors when browsing to secure websites that have a digital certificate less than 1024 bits in length.

What are all the issues that users could face with the August 14th update?
This is the full list from the Windows PKI blog:

•Error messages when browsing to web sites that have SSL certificates with keys that are less than 1024 bits
•Problems enrolling for certificates when a certificate request attempts to utilize a key that is less than 1024 bits
•Creating or consuming email (S/MIME) messages that utilize less than 1024 bit keys for signatures or encryption
•Installing Active X controls that were signed with less than 1024 bit signatures
•Installing applications that were signed with less than 1024 bit signatures (unless they were signed prior to January 1, 2010, which will not be blocked by default).

Why are certificates under 1024 bits considered a risk?
Attackers could potential brute force crack any certificate less than 1024 bit in length.  This is becoming more of a threat as computer gain more and more processing power.  A process that once would take all of NASA’s computers to break could potentially be completed by an attacker armed with a few powerful computers.  The issue with less secure certificates is a common conversation that has been happening in the security industry.

Why is an automatic updater for certificates so important for me?
The Flame virus is a perfect example of how we all need help with digital certificate maintenance.  The Flame virus found a way to hijack a trusted, legitimate digital signature from Microsoft.  Once Microsoft identified this breach in the digital signature trust, they released a non-security update to move the digital certificate to the untrusted store.  With the automatic updater, Microsoft will be able to easily and rapidly approve and disapprove digital signatures.  This will help administrators as you will not have to watch for these non-security updates released by Microsoft.

The automatic updater for root certificates is only for bad/untrusted certificates?
The updater Microsoft released deals with both trusted and untrusted certificates.  Previously, Microsoft updated their certificates through the non-security update “Update for Root Certificates”.  This update typically comes out a few times per year on Patch Tuesday.  This is just another non-security update that you will not need to worry about with the automatic updater installed.

What are the administrators’ next steps with this change:

Be prepared
Identify any internal certificates used in your organization that are less than 1024 bits in length.  If any are found, make a plan to replace these certificates as soon as possible.  If you cannot make changes to these certificates between now and the August Patch Tuesday, hold off on applying this update for now.  Please note, this certificate change from Microsoft is a good security measure.  You should look at adopting this technology at your earliest convenience.

Inform your users and help desk
When you apply this certificate update change, it will be important to inform your help desk and users about this security change.  This will help identify any issues with this change as soon as possible and a quick turn around on a fix for your users.  With this major of a change, knowledge is power to users, help desk and admins.

Firewall implications
If you are running a locked down Internet environment where users are only allowed to get to certain web sites, you will need to add a couple of entries.  These URLs are static URLs the automatic updater will check in daily with:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Stay informed
I will be updating this as new information becomes available.  We know more changes are coming during the August 2012 Patch Tuesday.  Watch Microsoft’s PKI blog, Microsoft SRD blog and Microsoft’s MSRC blog for more information.  To date, Microsoft has put out a lot of information on these changes to help their customers.

Resources:
There is a lot of information regarding this subject available from Microsoft.  Here are some key areas to review for more information.
Windows PKI Blog- Blocking RSA Keys Less than 1024 bits (part 2)
Windows PKI Blog- RSA keys under 1024 bits are blocked
Microsoft Security Research & Defense Blog-Microsoft’s continuing work on digital certificates

– Jason Miller

Visit MVware @ Microsoft Management Summit (April 16th-20th) in Las Vegas

Keeping up to date with patches historically meant operating systems and applications from Microsoft.  In today’s threat landscape, however, third-party applications have become the leading cause of most vulnerabilities on the network.  Many companies around the world rely on Microsoft System Configuration Manager (SCCM) for patch management.  That simply is not enough to bolster network security, however, because Microsoft applications are not the only ones at risk.

Microsoft Management Summit 2012 begins today in Las Vegas and if you are attending the show, we invite you to stop by VMware booth #621.  We’ll be demonstrating the latest releases of our VMware vCenter Protect Update Catalog and VMware vCenter Protect Essentials at the booth.  These solutions simplify and automate patch management for Microsoft and third-party applications.

About VMware’s solutions for patch management

VMware vCenter Protect Update Catalog extends SCCM beyond Microsoft products to solve critical third-party patch management needs.  vCenter Protect Update Catalog plugs into SCCM as a simple data service that requires no additional agents, console or management to learn.  Just import the third-party patch catalog for Adobe, Google, Java Firefox, iTunes, etc. into SCCM and you’ll be patching vulnerabilities on your servers and workstations in minutes.  Click here to learn more about vCenter Protect Update Catalog.

VMware vCenter Protect Essentials reduces the cost and complexity of IT management with an integrated approach to IT security and compliance.  vCenter Protect Essentials provides centralized Windows patch management and asset inventory management for both virtual and physical machines.  This includes centralized management for Windows operating systems and the most widely used Windows-hosted applications running on both virtual and physical servers and workstations.  Click here to learn more about vCenter Protect Essentials.

Hope to see you in Las Vegas this week, and don’t forget to enter your name to win an Xbox 360 with Kinect at booth #621.

– Mike Bleakmore

Microsoft: We Won't Update Others' Windows Apps

In a recent blog post by Farzana Rahman, Microsoft’s group program manager of the Windows Update group, she wrote that Microsoft has no plans to support third party patching now or in the future. She writes:

Lastly but not the least, I want to address the feedback from users who would like WU to update their 3rd-party applications. People clearly find the experience with multiple updaters on the system less than optimal (and we agree!) Each application updater gives you a different experience, you have to remember to go visit each updater to install updates, you never know when or how updaters will run and what they might do, and so on. People would like one updater for the entire system.

This comes as no surprise to those of us at Shavilk, now part of VMware, who have offered just such a service since the 1990’s. Our flagship product VMware vCenter Protect Essentials Plus (formerly NetChk Protect), delivers a one-stop-shop for all third party applications (and some legacy Microsoft applications, too). All of the complexity that Farzana describes in her post is addressed in a simple easy-to-use interface for organizations of all sizes to keep their networks secure and up to date.

In fact, we offer Security Advisor, a free service that performs a thorough scan of your network and delivers a report on all of the applications installed on machines (whether physical or virtual) on your network. Most companies we talk to are surprised by the number of titles, versions and publishers installed on machines across their networks. What’s worse is that critical updates to these applications are missing, opening the network–and therefore the business–to unnecessary risk.

So, vCenter Protect Essentials Plus is the “one updater for the entire system.” Problem solved.

– Mike Bleakmore

The Go to Place For Small and Midsize Business IT Management

Being acquired by VMware has brought many exciting changes to Shavlik. With the integration in full swing, we are busy incorporating the Shavlik products into VMware and changing our branding. Continuing our strategy of offering SMBs simplified IT management, the current Shavlik product line is being enhanced and expanded upon, leveraging the sophisticated technology offered by VMware and at the same time extending VMware’s offering to the SMB market.

As a first step, we announced a new release of VMware Go and VMware Go Pro on October 18th, taking cloud-based IT management to the next level by adding additional functionality and integrating the popular features of IT.Shavlik. VMware Go provides a free IT management service to SMBs enabling them to run a comprehensive assessment of their physical and virtual IT infrastructure providing the user with recommendations to reduce costs, increase security and optimize their IT infrastructure. With VMware Go, you can run unlimited patch and asset scans on your physical and virtual network, tracking missing security patches and get a clear understanding of the assets deployed on your network including hardware and software whether physical or virtual. To streamline trouble ticket management, an easy Help Desk is assessable anywhere, anytime. For those of you wanting to virtualize, this product makes it easy for you by providing an intuitive wizard to guide you through the installation and set-up of a virtual environment.

VMware Go Pro provides all these benefits but in addition gives you the tried and tested Shavlik patch management technology including scheduled deployment of patches – freeing up valuable time and resources. In addition, you get hardware asset management so you can not only track assets but can organize hardware groups to maximize resources throughout their lifecycle. Control software licenses by tracking installed software titles to maintain compliance as well as further simplify trouble ticket management, with a secure user portal for end users to submit their tickets.

It is an exciting time for SMB IT management with affordable and powerful options available in Go as a web-based service. IT.Shavlik will be available to current customers until January 31, 2012. I encourage you to check out VMware Go – it’s free and can immediately simplify your IT management. Upgrade to a free 30 trial of VMware Go Pro where you can manage your physical and virtual environment – all in one place from anywhere and at anytime.  For more information go to https://go.vmware.com/.

– Mike Bleakmore