Get mad? Get Even? Or get up and running again?

When a system is broken into, management often has a choice to make: should they take the time to figure out who was behind the break-in, should they bring in the police, or should they just clean up the mess they find and move on?  This is the choice the City of Norfolk faced when a time bomb clobbered 784 systems, according to this blog.  Debugging and understanding how a break-in occurred is a bit of a black art unto itself.  It requires substantial expertise in the innards of Windows, it takes time for the experts to trace back to what they think the source of the problem is, and even then a trace may not be possible.  Whether it is depends on what sort of forensic evidence can be found in the logs, whether those logs have themselves been tampered with, and what sort of backups were taken of the systems involved.

Here’s the problem with not tracing back: the miscreant who screwed you the first time can do the same thing again, using the exact same attack vector.  At the very least it helps to have a relationship with your security vendor so that you can report the problem, but as defenses get more complex, our continuing game of cat and mouse demands that the attacks do too.  An initial attack vector may itself lead to secondary means of attack.  For instance, probing attacks from outside work very poorly against a walled-off intranet, and in fact can be what alerts the guys in white hats that the probing system has been broken into.  Probing from a system that is already inside the intranet, however, is much less likely to be noticed.  What’s more, as white-collar criminal investigators know, one cannot rule out the possibility that someone on the inside got things going in the first place.

This supports the whole notion of what Cisco calls Borderless Networking. That’s a marketing mouthful for a concept Steve Bellovin articulated many years ago: bottleneck firewalls are going to have to give way to more sophisticated forms of defense on the devices themselves.

A combination of good backups and logging to secure systems might have helped.  Logs give some notion of who did what and when, assuming you are logging the right things.  Backups give you a way to preserve state.  This works in three dimensions: you can look back, perhaps even incrementally, into the history of a system for forensic purposes; you can preserve a crime scene through a very low-level backup; and you can get back to a known good state.
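As an added example, not part of the original post, here is what "preserving a crime scene through a very low-level backup" looks like in practice: a bit-for-bit copy of a partition taken with dd, with the source and the image hashed and the result written to a custody log so that the copy can later be shown to match what was on disk. The "device" is a constructed sample file (imaging a real block device needs root), and the script assumes GNU dd and sha256sum are available.

```shell
#!/bin/sh
# Added example (not from the original post): low-level forensic imaging.
# The partition is simulated by a constructed file because imaging a real
# /dev/sdX needs root; on a real system SRC would be the device node.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/sda1.raw"      # stand-in for /dev/sda1
IMG="$WORK/sda1.dd"       # the evidence image
LOG="$WORK/custody.log"   # who hashed what, when, with what result

# Constructed sample input: 2 MiB of random bytes playing the role of a
# partition's contents (assumption: any content will do for the demo).
head -c 2097152 /dev/urandom > "$SRC"

# Copy every block exactly once.  conv=noerror,sync keeps dd going past read
# errors on a failing disk and pads the unreadable block with NULs, so the
# offsets in the image still line up with the offsets on the original disk.
image_device() {
    dd if="$1" of="$2" bs=64k conv=noerror,sync 2>/dev/null
}

# Hash a file and print only the digest.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compare the digests of source and image, append one custody-log line, and
# return 0 only when they match.  Run this again before any analysis to prove
# the image is still the one that was taken.
verify_image() {
    src_hash=$(digest "$1")
    img_hash=$(digest "$2")
    if [ "$src_hash" = "$img_hash" ]; then status=match; else status=MISMATCH; fi
    printf '%s src=%s img=%s status=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src_hash" "$img_hash" "$status" >> "$3"
    [ "$status" = match ]
}

image_device "$SRC" "$IMG"
verify_image "$SRC" "$IMG" "$LOG"
cat "$LOG"
```

Hash the original before anything else touches it, and keep the custody log somewhere the compromised machine cannot write to; a log that lives on the box you are investigating is one more thing the intruder may have edited.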

Beware Facebook Scams! Protect yourself!

As Facebook now has more accounts than there are people in the United States, it should come as no surprise that it is possible to break into some of those 300 million accounts.  This happens.  So what happens next, when an attacker breaks into a Facebook account?  Several things are likely.  First, the attacker will retrieve as much information as possible about the individual and his or her friends.  Several pieces of information prove valuable:

  • Birthday and Hometown are enough for an attacker to predict, with useful accuracy, the social security numbers of people born after 1989, because SSNs issued since then are assigned at birth and depend on date and place of birth.  You can hide this information from your profile by going to your profile, clicking on the little box in the upper right of the Information tab, and deselecting birthday and home town.
  • Email address is useful to feed into a phishing/spam engine.
  • Telephone # and IM account information is enough to either use or sell to other scammers.

Next, an attacker may try to contact friends directly to scam money out of them.  Such attacks are unlikely to take the form of a 419 scam that plays on greed; they will more likely play on people’s sympathies.

Here is an example:

0Wn3d Friend: Hey
0Wn3d Friend: How are you doin?
Target: good evening, Friend!
Target: i’m doing well, and you and your family?!
0Wn3d Friend: Not too good
Target: oh?
0Wn3d Friend: We are in a very deep mess
0Wn3d Friend: Glad you are here
Target: what happened?
0Wn3d Friend: We are stranded in London England
Target: WHAT?!  how so?
Target: where?
Target: (in london)?
0Wn3d Friend: Kentish Town
0Wn3d Friend: We got mugged on our way back to the hotel at a gun point
Target: oh geez
Target: have you gone to the police?
Target: do you have a phone?
0Wn3d Friend: Yes,We were able to file a report to the cops and that is been Investigated
0Wn3d Friend: They made way with all we got here
0Wn3d Friend: Cash,bank cards and also the cell phone
Target: ok.
Target: i have a few friends outside of london.  are you in a hotel?
0Wn3d Friend: Yes
Target: do you still have your passports?
0Wn3d Friend: Yes,I’m still safe with the Passport
Target: ok.  how long are you supposed to be in London?
0Wn3d Friend: That has been the problem
0Wn3d Friend: I seriously need your urgent help getting back home
Target: what hotel are you in?
0Wn3d Friend: Sector Hotel
0Wn3d Friend: I have a flight back home in the next 3hrs but the hotel management won’t let go
Target: do you have the hotel’s address & phone #?
0Wn3d Friend: I don,t have the #
Target: i’ll need an address
0Wn3d Friend: 151 Kentish Town Road, London, NW5 2CG
0Wn3d Friend: I’m having problem with the hotel on the bills

What happens next is that the attacker asks for a credit card.

So how do you know it’s a scam?  First, amazingly, Google is your friend.  If you enter just a few details from this example, you’ll see that Kentish Town and the Sector Hotel show up in reports of the same scam.  The other odd thing about this exchange is that the person claims to have been mugged at gunpoint in London.  I’m not saying it doesn’t happen, but it’s rare.

More importantly, ask yourself why this friend is contacting you rather than calling a relative for help.  If this person really is a friend, you should already have a phone number for him or her.  Call it, but do not rely on contact information supplied by the attacker: calling a number they give you can cost you a lot of money.  If your friend answers and has no idea what you’re talking about, you know it’s a scam.  If there is no answer, call a relative of theirs or ask for more details.  In this case the person said they filed a police report.  Get the report number and the name of the officer who took it, and independently call the police.  Do not rely on anything in the Facebook profile of the friend; assume the attacker has already manipulated all of that information.

Most importantly, never send credit card information over the network in such circumstances.

Ok, so you’ve figured out it’s a scam.  Congratulations!  What do you do next?  Report it, and fast.  Facebook is pretty responsive when it comes to shutting down accounts.  In one case I’ve reported, they reacted within 10 minutes.  To report abuse on facebook, click on Help at the bottom of the page, and right at the top you will find the following:

Hacked accounts and spam

Click on that text, and it will help you report the information.  You will need the URL of the profile of the friend who you are reporting.  To get this, type the friend’s name in the search bar.

Don’t feel bad about reporting a friend, either.  This is a case where your friend is being maliciously used, and you are doing your part to put an end to it.