Tuesday, March 7, 2017

Defeating Tech Support Scams, Mac Edition

Mac users are falling prey to tech support scams in growing numbers. Because of this, they're being increasingly targeted. Why? The myth that Macs are impervious to malware, scammers and fraud.

Let's start with that word, "myth." The Mac does, indeed, have a lot of safety features built into its operating system. However, contrary to popular belief, that is not why the bad guys left Macs alone for so long. The reason was simpler: market share. Criminals put their time and energy into the technology that gave them the most bang for the buck, and Microsoft had, and still has, the highest number of users. See, e.g., netmarketshare.com for current statistics.

Apple is still behind Microsoft in overall users, but the popularity of Apple products continues to increase for both home and enterprise (office) use. That rapid growth rate is what's put OS X and iOS in the crosshairs of the bad guys. The double whammy is that the Apple user population is unprepared. While Windows users have had years of experience and resources available to exercise caution, Mac users have grown accustomed to taking things at face value and simply trusting the platform. This works out well for tech support scammers in particular. Like most people unaccustomed to thinking defensively, a lot of Mac users are easy to scare. How do I know it's a lot? Because of the growing number of scams and scammers.



The primary purpose of these "warnings" is to get you to call or click.

Calling gives live humans the opportunity to heighten the scare tactic as they walk you through installing a malicious back door. Yes, they really are in a call center - they get paid by the number of installs by the criminals who will then lease out your computer to other criminals or use it themselves to launch further scams.

The automated version of the scam scares victims into clicking on links, videos or ads that redirect to these warnings, then into clicking to download a "fix" that is really a back door, ransomware, or a payment screen that holds your web browser or computer hostage until you pay, click or call.

Defeating the scams is relatively simple. It starts with basic hygiene. Do you stay current with security updates for your operating system and apps? Do you run anti-malware in active mode? Do you regularly back up? If you said "yes" to all of these, move on to the next section. If you said "no" to any question, do it now, then move on to the next section.

Every computer needs to know where and how to find other computers. In order to do that, they each need to speak both human and machine. Humans type "cnn.com," a domain name, which the machine translates to its machine-readable, numeric equivalent, an IP address. This is a gross oversimplification of the domain name system, or DNS, but it gets us to the next step: your computer's hosts file.

A hosts file is a sort of cheat sheet that performs that domain name-to-IP address translation that can override DNS servers. Updates to the hosts file only govern the machine that the file is on, which is one of the reasons why it's not a popular protection. It's high maintenance. But for home users, who have only 1-3 computers to worry about, it's worth the hassle because it's effective (in my opinion, of course).

At the bottom of this post I've linked a text file that contains a long list of domain names preceded by the IP address 0.0.0.0. This means that the domain names will translate to 0.0.0.0 only, making the domain unreachable by any browser or application that uses the hosts file on that computer. Why does this matter? Because the way these malicious redirects work on the tech support popups is by silently telling your computer to go to these domains to launch the code that makes the popup happen (or look like a popup) in the first place. By editing your hosts file to make the domains unreachable, you stop the attack before it happens. All you need to do is copy and paste that list. I've pulled it together through multiple sources and vetted extensively. Is this absolutely all of the tech support scam domains? It's all the ones I know about as of this writing. It'll likely change but these have been around and active for a while. So, while no single update will ever protect you from everything (be wary of anything or anyone that tells you otherwise), it's a darned good start.

There are a couple of ways to edit your hosts file. The GUI method is a bit clunky. You open Finder, select Go from the menu bar, then Go To Folder to open a search window. Type /private/etc/hosts in the search window and a new Finder window opens with the hosts file highlighted. You need to drag the file out of this window and to your desktop in order to edit it. After you copy & paste the list below to the end of the file, you drag & drop the edited file to the Finder window for /private/etc to replace the old version with the updated version. You'll also need to flush the DNS cache of your computer.

A much easier method is the terminal. There's a text editor built into the operating system that's accessible by opening a terminal window and typing "sudo nano /private/etc/hosts" like this:

You should be asked for your password then you'll see the terminal window change as it drops you into the hosts file:


Now it's as easy as cut & paste:
1) Highlight the list linked below by pressing Command (the key next to the space bar) and the A key simultaneously. This keyboard shortcut means "highlight all content."
2) With the entire list highlighted, press Command and the C key simultaneously. This keyboard shortcut means "copy."
3) Go to the hosts file in your open terminal window, place the cursor below the last line in the file, and press Command and the V key simultaneously. This keyboard shortcut means "paste."

The hosts file will scroll as the paste completes. When it stops, press Control and the O key simultaneously (that's the letter "O," not a zero) to save the update. You should now see something like this:


Press Control and the X key simultaneously to exit the editor (nano will prompt you to save if you skipped the previous step). Restart your browser and you're done.

While not absolutely necessary, it's still a good idea to flush the DNS cache, which means forcing your computer to forget about recent domain name-to-IP-address resolutions. There are several ways to do this, depending on which version of OS X you're using. A good resource to find the correct command for your flavor is brought to us by the good people at OpenDNS here.
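The same edit can be scripted so the list can be re-applied after every update without creating duplicate lines. This is an added example, not part of the original post: it merges a block list into a hosts file as 0.0.0.0 entries, skips malformed lines, and ends with the cache flush for recent macOS versions (the exact flush command for older OS X releases is an assumption left to the OpenDNS page).

```bash
#!/bin/bash
# Added example, not from the original post: merge a list of scam domains into
# a hosts file as 0.0.0.0 entries so the list can be re-applied after each update
# without creating duplicates or letting a malformed line into the file.
# Assumes a block list with one domain per line; "#" starts a comment.

# merge_hosts_blocklist HOSTS_FILE BLOCKLIST_FILE
# Appends "0.0.0.0 <domain>" for every valid domain not already in HOSTS_FILE
# and prints the number of entries added. Skipped lines are reported on stderr.
merge_hosts_blocklist() {
  hosts=$1; blocklist=$2; added=0
  [ -f "$hosts" ] || { echo "hosts file not found: $hosts" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    # drop comments and whitespace, lower-case (hostnames are case-insensitive)
    domain=$(printf '%s' "$line" | sed 's/#.*//' | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    [ -n "$domain" ] || continue
    # accept only hostname-shaped tokens: dot-separated labels of [a-z0-9-]
    if ! printf '%s' "$domain" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$'; then
      echo "skipping malformed entry: $line" >&2
      continue
    fi
    # already present under any address (comments ignored)? then leave it alone
    escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
    if sed 's/#.*//' "$hosts" | grep -Eiq "(^|[[:space:]])${escaped}([[:space:]]|$)"; then
      continue
    fi
    printf '0.0.0.0 %s\n' "$domain" >> "$hosts"
    added=$((added + 1))
  done < "$blocklist"
  echo "$added"
}

# hosts_blocks DOMAIN HOSTS_FILE: exit 0 if HOSTS_FILE maps DOMAIN to 0.0.0.0,
# handy for confirming one of the listed scam domains after the edit
hosts_blocks() {
  escaped=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')
  sed 's/#.*//' "$2" |
    grep -Eiq "^[[:space:]]*0\.0\.0\.0[[:space:]]+([^[:space:]]+[[:space:]]+)*${escaped}([[:space:]]|$)"
}

# flush_dns_cache: make macOS forget cached lookups so the new entries take effect.
# Assumption: these are the commands for recent macOS releases; older OS X
# versions used different ones, as the post notes.
flush_dns_cache() {
  sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
}

# Usage on a real machine (root is needed to write the system hosts file):
#   sudo bash block_scam_domains.sh /private/etc/hosts scam_domains.txt
if [ "$#" -eq 2 ]; then
  n=$(merge_hosts_blocklist "$1" "$2") && echo "added $n entries to $1" && flush_dns_cache
fi
```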

Here's the hosts file update list. I've included adware and first-stage browser crash sites in addition to the tech support scam sites to round out your safer Internet experience.






Saturday, January 28, 2017

"Calexit" Backed By The Kremlin

FYI, anyone thinking that "Calexit" is a good idea should take a look at who's behind it: Russia.

Why? Divide and conquer foreign governments while increasing the scope and power of its own:
 http://yaleglobal.yale.edu/content/putin-anti-globalization-hero

Interesting to note that Russia celebrates every country dividing except its own - talk of secession is illegal there:

"Moscow supports pro-Russian separatists in eastern Ukraine, but criminalizes calls for separatism or increased regional autonomy at home."
[https://themoscowtimes.com/news/russian-anti-globalization-movement-to-unite-separatists-from-western-countries-49589]

yescalifornia[.]org, the website set up for the Calexit initiative, was registered by Louis Marinelli:
Domain Name: YESCALIFORNIA.ORG
Registrant Name: Louis Marinelli
Registrant Organization:
Registrant Street: 606 27th Street
Registrant City: San Diego
Registrant State/Province: California
Registrant Postal Code: 92102
Registrant Country: US
Registrant Phone: +1.6195812403
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: louisjmarinelli@gmail.com

Who's he? Read for yourself:
http://ww2.kqed.org/…/from-his-home-in-russia-calexit-lead…/

Moscow hosted & funded anti-globalizationists from around the world in July 2016:
http://thediplomat.com/…/us-and-eu-separatist-groups-to-ga…/

http://www.businessinsider.com/yes-california-moscow-embass…

California’s “embassy” is the headquarters of Russia’s Anti-Globalization Movement:
http://anti-global.ru/?p=19183&lang=en

Google dork (search term) to see just how Marinelli is portrayed in Russian propaganda:
site:rt.com louis marinelli

Sunday, January 22, 2017

Attribution for Beginners

How do intelligence analysts know <nation-state/threat-actor> is behind malicious activity?

The simple answer is that criminals are human. Humans are creatures of habit. Humans follow certain constructs of behavior native to their geographic regions. Humans make mistakes. In intelligence terms, these human foibles translate to "tools, techniques and procedures," or TTPs.

This isn't the most illuminating answer to anyone new to threat research and adversary hunting. So in this blog, I'll go over a very basic example. I won't show a bad guy, real or based on a real adversary, for a number of reasons. First and foremost, the minute an adversary's TTPs are made public they change them up. This can set active investigations and legal cases back months. Instead, for illustrative purposes, I'll use the country's (reportedly) new cyber security czar's already-public website, Giuliani Security and Safety.

Attributing activity is similar to reconnaissance, the first step in the cyber kill chain. The only difference is that the analyst is backing into the information using artifacts collected in the initial stages of the investigation. The first couple of artifacts typically researched are the source activity's IP addresses and domain names. Let's say we found giulianisecurity.com in our logs. First, we look for the IP addresses associated with the domain:

Digging into the background on these IPs reveals that they were/are dedicated to giulianisecurity.com/www.giulianisecurity.com. Because they're dedicated, as opposed to residing on shared hosts with other domains, these IPs are interesting. We'll note these as solid leads on enumerating the infrastructure behind the domain. What we would do from here in a real investigation is use tools like Shodan, Censys, Nmap and others to identify what's on the IPs - software, versions, exposed services and ports, known vulnerabilities of software/versions and services, etc. For the sake of brevity and because this is not a real attacker/investigation, I'll skip that part here. Interested readers can find this information easily.

Let's move on to see what we can learn about the domain. One of the key factors is learning who registered the domain. There are multiple ways to do this. I'll use a graphical example:



There's a lot of information here. Interested folks can look up the RFC on DNS here. Meanwhile, let's focus our attention on the registrant details:



Who's Data Docket? Might be a website or IT company but it's best not to speculate. We let the data speak. As of this writing, the search term "Data Docket" fails to yield the domain name in the Registrant Email address in the first page of Google results. That means "datadocket.com" is buried in the nether regions of the results which means it's got low traffic numbers. Sounds oddly small potatoes for such a high profile customer.

Let's try the email address. The search results for that look more promising. Here's the top hit:


So who's David Haenel? All results, and I mean ALL, relate to a lawyer in Florida. Just to be sure, I tried searches on his name plus every keyword I could think of that could turn up a web designer or host ("web," "website," "developer," "web host," "technology," etc.). The only results that came up, time after time, were related to David Haenel, Esq. He has the corner on the Internet search results. So here he is:


Now we start to ask questions. Why is a lawyer registering the domain of a cyber security company? What's his relationship to the source domain? Sure, Rudy Giuliani was a lawyer but if you're going to outsource technology-based responsibilities, wouldn't a technology company be more appropriate? Which makes this deviation from the norm seem deliberate. Or does it? Let's see what LinkedIn has to say about Mr. Haenel.



That third entry is interesting. A simple search for "Scorch SEM" gives us the domain name scorchsem.com, no surprises there. A visit as of this writing showed a parked page (placeholder). Seems unusual for a 13-year-old company. So we take a look through the Wayback Machine and find this, circa 2013:


Note the contact email, "David@ScorchSEM.com." Interesting but inconclusive. David is a pretty common name. Until we turn our attention to the bottom of the page:


Copyright by Finebloom & Haenel. Where have we seen those names before? On the header of the pages for Finebloom Haenel & Higgins, as seen above. Seems like the same guy. Going back to the search results on the name "David Haenel" it's starting to make sense - Scorch and info@datadocket.com both tout SEO, search engine optimization. Mr. Haenel is clearly good at SEO given that he's managed to corner the search market on his name.

By the way, there's a reason I chose a lookback at 2013. It's the year giulianisecurity.com went live. They secured the domain name in 2004, added the first IP host in 2009, and parked the domain until Feb 2013.

From here, we would look for intersections between the lives of Haenel and Giuliani to see what, or who, brought them together. We would build relationship maps based on those intersections, the infrastructures, and end up with the story of who's who and why.

This (extremely brief) exercise has been based in what's called "OSINT" or open source intelligence. In other words, putting pieces together using publicly available information. Had this been a real investigation, we would have had non-public information to help us uncover the facts, such as logs from systems touched and traversed. If malware was involved we would have samples and/or artifacts like configuration files, supporting scripts, command and control infrastructures, and such.

Similar to a physical crime scene, all bits of data in and around the scene of cyber crime are sifted for breadcrumbs of trails that can lead to identifying the true source of malicious activity. Even when the bad guys try to trip up investigators to throw them off track, the specific tactics they use for disinformation are also fingerprints once you know how and where to look.

Saturday, September 10, 2016

How Not To Do Security Research

Something came to my attention that’s a convenient follow-on to my previous post:



The overt message in this video is good. We should all be careful about how we handle our ATM, debit & credit cards. On the other hand, the power of the warning is lost on people like me who cringe at the behavior of the messenger. It’s hard enough for the good guys to navigate legal waters without people like this encouraging others to emulate their bad behavior.

Don’t get me wrong - I jiggle card readers at ATMs and gas stations all the time. Those are the top targets for the type of card skimmers depicted in this video. But that’s where the similarities between us end.

Mistakes this guy made:

- Removing the device without informed consent of the impacted financial institution and/or law enforcement, not ok. But wait, you say, it came off in his hand. However, he clearly had a cell phone. He could have stopped at that point and called the police, the bank or both. "Freeze the scene" is a fundamental in digital forensics.

- Walking away with evidence unlawfully collected, really not ok. Unless, of course, that walk is to the nearest police station or bank branch. Which it wasn't, we can surmise, as we listen to the next mistake...

- Intending to destroy evidence ("I'm gonna go see what I can do about reverse engineering this") without informed consent, egregiously not ok. Regardless of whether or not he did disassemble the reader, the whereabouts of that device between the time of discovery and its being turned over to the police (see his first "Update" on the YouTube page), and what happened to it in the meantime, are undeniably called into question. It's no longer a viable piece of evidence in any court of law in the hands of a passable defense attorney.

What the creator of this video did by stomping all over the evidence of a crime ensured the bad guys got away with it and the victims will never see a dime in restitution. Most banks indemnify customers in this type of fraud to some extent. In the US, skimmer victims are typically liable only for the first $50 in losses. In the EU, where this video was reportedly shot, the victims would likely have been fully compensated.

I use this video now when interviewing job candidates. There’s more to threat research than technical skill. Critical thinking is just as important. Enthusiasm is great, obstruction of justice is a massive fail.


Saturday, August 20, 2016

So You Think You Can Cyber?

With a new school year looming, students ask themselves, "What do I want to do for a living?" Several summer interns at my day job and elsewhere have asked me about the information security field. The top question has been consistent which means it's time for a new blog post!

Why is cyber security such a hot field now?

It's a byproduct of accessibility of Internet connectivity and proliferation of connected devices. Twenty years ago, only the biggest companies and governments had the bandwidth, literally and figuratively. As ecommerce caught on, crime quickly followed. It started with the curious, the attention-seekers, and espionage. By the early 2000's, financially-motivated attackers emerged with the rise of online banking. Malware spread through email, attacking both corporations and consumers by impersonation (e.g. Zeus), while laws and defenses scrambled to catch up. Then came exploit kits which up-leveled the scale of attacks leading to an explosion of criminal activity. Skilled information security analysts, digital forensics investigators, and vulnerability analysts (pentesters) were in short supply. The technologies needed to combat the threats either didn't exist or came at high cost. "Information security" was a checkbox on audit reports for regulated industries and payment card processors that auditors themselves didn't fully understand or appreciate which meant they could be easily satisfied by incomplete or vague responses. While the industry struggled to define itself, the demand for highly skilled and experienced workers grew - too few people and too few products/services to fill a fast-growing field. The inevitable happened. Breaches became more common with increasing impact. Heartland and TJX proved to the criminals that they only needed to be right once while the defenders had to be diligent 100% of the time. Thus the odds were in favor of the bad guys. In the last 5 years, the number of significant breaches and huge dollar losses made its way into the mainstream press which brought cyber security issues into the common vernacular (at last).

As pointed out above, defenses need to be effective all the time, which requires a highly-skilled workforce with a depth of technical knowledge, problem-solving skills, legal awareness (particularly for incident responders and forensics specialists), and to continuously maintain the knowledge and skills. Add to the mix soft skills like grace under pressure, non-linear critical thinking, and, one that's often overlooked but absolutely essential, playing well with others. The attack surface grows constantly, crosses operating systems, devices, platforms, and programming languages while the threats constantly grow and shift, encompassing script kiddies, hacktivists, fraudsters, organized crime and nation state attackers. One need only look at a Target or Sony situation to understand the risk of taking shortcuts on security technologies and practitioners. There's no such thing as a "set and forget" security product or service - all security solutions require people who understand the threats and the technologies in order to maintain the products and services, which all require tuning to each organization's specific needs along with constant care and feeding to maintain effective vigilance. To stay on top of this ever-growing, ever-shifting landscape, we need a steady flow of new talent coming into the field, and there's just not enough of them. Meanwhile, experienced practitioners are hopping around from company to company because we're being chased by staffing recruiters dangling big paychecks literally every day. There's also a high degree of burnout because of the stress. So, it's basically a matter of supply and demand. There just aren't enough workers to fill the more than 1 million job openings (see http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#63aa9ec37d27). Folks in the industry are trying to change this through outreach at all levels of learning, from grade school-level up to advanced degree programs.

So, do you think you can cyber?

Saturday, April 9, 2016

Tourist's Guide to the Dark Web

I've gotten the same question from multiple people lately, which means it's time for a blog post. The question: What exactly is the 'Dark Web'?

First, let's clear up the language. There's "deep web," "dark net," and "dark web." These are not synonyms.

The "deep web" is any website that's not indexed/searchable on what we know and love as the Internet. Your online bank account or Yahoo/Gmail/Live/etc. email are examples of this. Basically, if you need to authenticate to reach content (log in with a username and password or passcode), you're accessing the deep web.

A "dark net," the term most often mistakenly used as a euphemism for "dark web," is unused IP space within an allocated range. It can also mean undiscoverable/masked IP space, such as virtual private networks (VPNs). Prior to the existence of the dark web, VPN nesting (using multiple virtual services to connect) was a popular method for those wishing to make their online trail difficult to follow.

The "dark web" is the mysterious sub-Internet underground society filled with shadowy figures who are anti-censorship or conducting nefarious activity.

Understanding the Internet's underbelly requires a brief overview of the Internet itself. Typically, a web browser is the means by which most of us connect to websites (I know, I know, there's curl, wget, and such; that's a different discussion). Web browsers dictate the user experience governing your connection. You can customize them to block ads, enforce SSL encryption (on websites that support it), add or remove domain and IP block lists, and on and on, or you can simply launch the browser, as is, and you're off and running. Meanwhile, your service provider, such as your home ISP, or your network admins at your office have ultimate control over how Firefox, Safari, Internet Explorer, Edge, Chrome, etc. access and interact with web and mobile sites. While some of the places we visit are members-only (see deep web), everyone can freely access the multitude of public web pages.

Well, not everyone. Which leads us to the "dark web."

The dark web was originally intended as a literal and figurative tunnel bored through the open web to enable unfettered Internet access for political dissidents, journalists, and others concerned about online privacy and censorship. Access is gained by one of several special web browsers that circumvent website tracking and traffic-control technologies while hiding their originating IP address to avoid being identified. Tor and I2P are examples of these browsers, while the Great Firewall of China is an example of a reason they exist. The dark web very quickly attracted other types of people wishing to remain anonymous and/or hide their activity, namely criminals. Forums and markets appeared offering everything from street drugs, tutorials on cashing out ill-gotten gains, buying & selling weapons, hackers-for-hire....you get the idea.

The dark web is like any other community in real life or on the Internet. It has its nice side, where privacy-minded folks just want to do what they do without their activity being impeded or tracked. And it has its creepy neighborhoods, places you might think twice about visiting. I know the pull of curiosity is strong and anonymity can be empowering. Just remember that what you see can't be unseen. Disturbing content can stay with you, whether you like it or not. Consider yourself warned.

So how does the dark web work? It's sort of like a peer-to-peer network where the data sent from the browser gets broken up and distributed across multiple server relays ("nodes") operated by volunteers and through which traffic gets randomized. For optimization, a single session lasting a few minutes will follow the same route. Longer sessions or subsequent sessions will get re-routed to make tracking more difficult.

If you visit, enjoy your stay and try to avoid getting hurt or hurting others. The takedown and arrest of the operator of one of the dark web's largest drug markets, Silk Road, should serve as a reminder that, at the end of the day, we're all human. Humans make mistakes and that's how they get caught.


Tuesday, January 19, 2016

Open Season on ID Theft

It's that time of year again, tax time for the US and UK. Scammers keep track of the dates, too, and they've rolled out their 2015 tax year-themed malware and identity theft campaigns.

So how do they trick victims? The most common method is phishing. Here's an example making the rounds:


Clicking on the link takes the victim to a page that looks similar to this:


There are several hints that neither the email above nor the purported IRS page are legitimate. First and foremost, according to the IRS, they won't "initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts."

Next, take a closer look at the URL:


Notice the domain name, "executiva.net." It should be obvious that the IRS web pages are all hosted on irs.gov.

Another clue in the URL is something we see often in phishing pages, the presence of multiple top level domains (TLDs). In this case, we see both ".com" and ".net." Without going too far into the technical weeds, a domain's TLD is the root of its home on the Internet, the starting point from which browsers or other Internet-connected devices find it. While a name can be registered under multiple TLDs - such as domain.com, domain.net, domain.org, etc. - each of those is a separate domain that resolves separately, with its own root TLD serving as the guide. A link's real host has only one at a time, so a second TLD buried in the path is a sign the rest of the address is decoration.
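The two clues above, a host that is not the expected site and a second domain-like token elsewhere in the link, can be checked from the address you see when hovering. This is an added example, not from the original post; the sample URL in the test is constructed around the executiva.net domain the post names, since the post's own link was only shown in a screenshot.

```bash
#!/bin/bash
# Added example, not from the original post: check a link's real address for the
# two clues described above, a host that is not the expected site and a second
# domain-looking token (another TLD, or the real site's name used as a decoy)
# elsewhere in the URL. Assumption: no public-suffix list, so two-level suffixes
# such as co.uk are not handled, and IPv6 literal hosts are not handled.

# url_host URL: the host alone (scheme, user info, port, path, query removed)
url_host() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' |
    sed -E 's|^[a-z][a-z0-9+.-]*://||; s|^[^/?#@]*@||; s|[/?#].*$||; s|:[0-9]*$||'
}

# registrable_domain HOST: the last two labels (www.irs.gov -> irs.gov)
registrable_domain() {
  printf '%s' "$1" | awk -F. '{ print (NF >= 2) ? ($(NF-1) "." $NF) : $0 }'
}

# phish_hints URL EXPECTED_DOMAIN: print one line per clue found and return the
# count (0 means the link at least points where it claims to)
phish_hints() {
  url=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  host=$(url_host "$url"); actual=$(registrable_domain "$host"); found=0
  if [ "$actual" != "$expected" ]; then
    echo "host mismatch: link really goes to $actual, not $expected"; found=$((found + 1))
  fi
  # everything after the authority part (user info, host and port stripped)
  rest=${url#*://}; rest=${rest#"${rest%%[/?#]*}"}
  escaped=$(printf '%s' "$expected" | sed 's/\./\\./g')
  if [ "$actual" != "$expected" ] &&
     printf '%s' "$rest" | grep -Eq "(^|[^a-z0-9-])${escaped}([^a-z0-9-]|$)"; then
    echo "decoy: $expected appears in the path or query, not as the host"; found=$((found + 1))
  fi
  if printf '%s' "$rest" | grep -Eq '[a-z0-9-]+\.(com|net|org|gov|edu|info)([^a-z0-9-]|$)'; then
    echo "second domain-like token after the host: more than one TLD in the URL"; found=$((found + 1))
  fi
  return $found
}

# Usage: phish_hints 'https://www.irs.gov/uac/Report-Phishing' irs.gov   (prints nothing)
if [ "$#" -eq 2 ]; then phish_hints "$1" "$2"; fi
```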

So what can you do to protect yourself this (and every) tax season?

1) As mentioned in previous posts, I'm a fan of security freezes. It can be a hassle but a one-hour investment of your time buys you a lifetime of peace of mind.

2) Never click on links in emails. Period. Too many online companies have trained us all to click but it's safer to type in the web address yourself to ensure that you land where you expect to land.

3) Hover your mouse over hyperlinks in email. In all browsers that I can think of, this reveals the full and true address associated with the link. In phishing emails, you'll notice mismatches between what you expect to see and the real address.

4) Report phishing attempts to the IRS. They have great information and guidance, along with appropriate reporting email addresses, here: https://www.irs.gov/uac/Report-Phishing