Sunday, March 26, 2017

What the Phrack

Ever wonder about all those "PH's" used in hacking terms like phreak, phrack and phishing? I watched a CBS Sunday Morning story about phone booths and it occurred to me that there are at least two generations who have no idea what "phreak" or "phrack" mean, or why phishing is spelled the way it is. It all goes back to phones.

Back when answering machines started to catch on, we could call our own landline from a pay phone and punch in a code on the keypad or, if calling from a rotary dial phone, hold a device up to the telephone handset that played a simulated tone sequence telling the answering machine to play back messages. Hackers of the 1970's and '80's figured out that those tones could be used in creative and unexpected ways to manipulate phone lines. Free long distance calls were a popular choice (and illegal, it must be noted, as it constituted fraud against telephone companies). Hackers also discovered that universities and governments sent data back and forth over phone lines, too. Remember the 1983 movie, "WarGames"? Phone line shenanigans of this kind became known as "phreaking." I confess, I have no idea why hackers (also known as "crackers" back in the day) were called "freaks," but I can guess, as early reverse engineers were considered social outsiders. Anyway, the spelling quickly evolved to marry the words "phone" and "freak."

Thus, a cultural pattern was born.

So, what's "phrack"? Well, it's actually capitalized. Phrack was the first and remains the longest-running hacker 'zine. Its founders named it by combining "phreak" with "hack." Understandably, early issues focused on the ways, means and underground culture of phone hacking, as it predated technologies like broadband and the Internet as we know it today. In its 7th issue in 1986, Phrack published "The Conscience of a Hacker" (sometimes referred to as "The Hacker Manifesto"), which formed the basis for the archetype of a hacker as an outcast teenager in his mom's basement. In the 1990's data carriers moved from phone lines to Ethernet and Phrack branched out, too. They published arguably THE seminal article on uncovering and exploiting code bugs in 1996, "Smashing The Stack For Fun And Profit," by Aleph One (aka Elias Levy, the moderator of a popular network and host vulnerability disclosure forum at the time).

"Phishing" has similar roots in telephony. Phishing is a form of social engineering, more simply stated as a con job. It relies on the con artist, or phisher, tricking unsuspecting victims into supplying their user names and passwords to online properties in any number of ways. The term "fisher" was first used in 1995 in AOHell, a multi-featured hacking tool targeting the then-king of the World Wide Web, AOL. The tool is long gone but AOHell's documentation is still online here (warning: strong language). "Fishing" became "phishing" in 1996 when members of the popular hacking newsgroup alt.2600 (newsgroups were the forums of the day) adapted the spelling in a nod to hacking's roots in phreaking.

As an aside, if you haven't seen "WarGames," you really should. Not only is it the phirst - er, first true hacking movie, it still holds up as one of the best IMHO.

Tuesday, March 7, 2017

Defeating Tech Support Scams, Mac Edition

Mac users are falling prey to tech support scams in growing numbers. Because of this, they're being increasingly targeted. Why? The myth that Macs are impervious to malware, scammers and fraud.

Let's start with that word, "myth." Mac does, indeed, have a lot of safety features built into its operating system. However, contrary to popular belief, this is not the reason the bad guys left them alone for so long. There was one simple reason for that - market share. Criminals put their time and energy into the technology that gave them the most bang for the buck because Microsoft had and continues to hold the highest number of users. See, e.g. netmarketshare.com for current statistics.

Apple is still behind Microsoft in overall users but the popularity of Apple products continues to increase for both home and enterprise (office) use. The rapid growth rate is what's put OS X and iOS in the crosshairs of the bad guys. The double whammy is that the Apple user population is unprepared. While Windows users have had years of experience and resources available to exercise caution, Mac users have grown accustomed to taking things at face value and simply trusting the platform. This works out well for tech support scammers, in particular. Like most people unaccustomed to thinking defensively, a lot of Mac users are easy to scare. How do I know it's a lot? Because of the growing number of scams and scammers.



The primary purpose of these "warnings" is to get you to call or click.

Calling gives live humans the opportunity to heighten the scare tactic as they walk you through installing a malicious back door. Yes, they really are in a call center - they get paid by the number of installs by the criminals who will then lease out your computer to other criminals or use it themselves to launch further scams.

The automated version of this scam scares victims into clicking on links, videos or ads that redirect to these warnings, then into downloading a "fix" that's really a back door or ransomware, or into a payment screen for a "fix" that essentially holds your web browser or computer hostage until you pay, click or call.

Defeating the scams is relatively simple. It starts with basic hygiene. Do you stay current with security updates for your operating system and apps? Do you run anti-malware in active mode? Do you regularly back up? If you said "yes" to all of these, move on to the next section. If you said "no" to any question, do it now, then move on to the next section.

Every computer needs to know where and how to find other computers. In order to do that, they each need to speak both human and machine. Humans type "cnn.com," a domain name, which the machine translates to its machine-readable, numeric equivalent, an IP address. This is a gross oversimplification of the Domain Name System, or DNS, but it gets us to the next step: your computer's hosts file.

A hosts file is a sort of cheat sheet for that domain-name-to-IP-address translation, and its entries take precedence over DNS servers. Updates to the hosts file only govern the machine that the file is on, which is one of the reasons why it's not a popular protection. It's high maintenance. But for home users, who have only 1-3 computers to worry about, it's worth the hassle because it's effective (in my opinion, of course).

At the bottom of this post I've linked a text file that contains a long list of domain names preceded by the IP address 0.0.0.0. This means that the domain names will translate to 0.0.0.0 only, making the domain unreachable by any browser or application that uses the hosts file on that computer. Why does this matter? Because the way these malicious redirects work on the tech support popups is by silently telling your computer to go to these domains to launch the code that makes the popup happen (or look like a popup) in the first place. By editing your hosts file to make the domains unreachable, you stop the attack before it happens. All you need to do is copy and paste that list. I've pulled it together through multiple sources and vetted extensively. Is this absolutely all of the tech support scam domains? It's all the ones I know about as of this writing. It'll likely change but these have been around and active for a while. So, while no single update will ever protect you from everything (be wary of anything or anyone that tells you otherwise), it's a darned good start.

There are a couple of ways to edit your hosts file. The GUI method is a bit clunky. You open Finder, select Go from the menu bar, then Go To Folder to open a search window. Type /private/etc/hosts in the search window and a new Finder window opens with the hosts file highlighted. You need to drag the file out of this window and to your desktop in order to edit it. After you copy & paste the list below to the end of the file, you drag & drop the edited file to the Finder window for /private/etc to replace the old version with the updated version. You'll also need to flush the DNS cache of your computer.

A much easier method is the terminal. There's a text editor built into the operating system that's accessible by opening a terminal window and typing "sudo nano /private/etc/hosts" like this:

You should be asked for your password then you'll see the terminal window change as it drops you into the hosts file:


Now it's as easy as cut & paste:
1) Highlight the list linked below by pressing Command (the key next to the space bar) and the A key simultaneously. This keyboard shortcut means "select all content."
2) With the entire list highlighted, press Command and the C key simultaneously. This keyboard shortcut means "copy."
3) Go to the hosts file in your open terminal window, place the cursor below the last line in the file, and press Command and the V key simultaneously. This keyboard shortcut means "paste."

The hosts file will scroll as the update occurs. When it stops, press Control and the O key simultaneously (that's the letter "O," not a zero) to save the update. You should now see something like this:


Press Control and the X key simultaneously to save and exit the hosts file editor. Restart your browser and you're done.

While not absolutely necessary, it's still a good idea to flush the DNS cache, which means forcing your computer to forget about recent domain name-to-IP-address resolutions. There are several ways to do this, depending on which version of OS X you're using. A good resource to find the correct command for your flavor is brought to us by the good people at OpenDNS here.
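If you'd rather not paste by hand, here is a small script that does the same job more carefully. It is an added example, not something from this post or from any of the sources the list was pulled from: it backs up the hosts file, accepts only well-formed "0.0.0.0 domain" lines, skips domains already present, and keeps everything it adds between two marker comments so the block can be reviewed or removed later. It takes the hosts file path as an argument, so you can try it on a copy first; the flush command at the end is for macOS 10.10.4 and later (assumed; older releases differ, as noted above).

```shell
#!/bin/sh
# Added example (not from the original post): merge a "0.0.0.0 domain" blocklist
# into a hosts file safely. Usage: merge_blocklist /path/to/hosts /path/to/list
BEGIN_MARK="# BEGIN tech-support-scam blocklist"
END_MARK="# END tech-support-scam blocklist"

# 0 if the line is a well-formed sinkhole entry: 0.0.0.0, whitespace, a hostname.
valid_block_line() {
    printf '%s\n' "$1" | grep -Eq \
      '^0\.0\.0\.0[[:space:]]+([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9-]+[[:space:]]*$'
}

# 0 if hosts file $1 already maps hostname $2 to 0.0.0.0.
hosts_blocks() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^0\.0\.0\.0[[:space:]]+$esc([[:space:]]|\$)" "$1"
}

# merge_blocklist HOSTS LIST: append valid, new entries; print how many were added.
merge_blocklist() {
    hosts="$1"; list="$2"; new="$hosts.pending"; : > "$new"
    cp "$hosts" "$hosts.bak"                       # restore from this if anything goes wrong
    grep -q "^$END_MARK" "$hosts" || printf '\n%s\n%s\n' "$BEGIN_MARK" "$END_MARK" >> "$hosts"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # blanks and comments
        if ! valid_block_line "$line"; then
            printf 'skipping malformed line: %s\n' "$line" >&2; continue
        fi
        domain=$(printf '%s\n' "$line" | awk '{print $2}')
        if ! hosts_blocks "$hosts" "$domain" && ! grep -qxF "0.0.0.0 $domain" "$new"; then
            printf '0.0.0.0 %s\n' "$domain" >> "$new"
        fi
    done < "$list"
    # splice the pending entries in just before the END marker (portable; no sed -i)
    awk -v end="$END_MARK" -v pending="$new" '
        $0 == end { while ((getline l < pending) > 0) print l }
        { print }' "$hosts" > "$hosts.new" && mv "$hosts.new" "$hosts"
    wc -l < "$new" | tr -d ' '
    rm -f "$new"
}

# Flush the resolver cache afterwards. Assumption: this pair is for macOS 10.10.4
# and later; older OS X releases use different commands.
flush_dns_cache() { sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder; }
```

Run it as root against /private/etc/hosts only after a dry run on a copy looks right; the .bak file it leaves behind is your way back if a legitimate site stops resolving.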

Here's the hosts file update list. I've included adware and first-stage browser crash sites in addition to the tech support scam sites to round out your safer Internet experience.