E-SPEAIT T10 Security
“A Fool Gets Beaten Even At Church” (an Estonian Proverb)
Some thoughts for starters
- "The biggest security risk is always located between the keyboard and the chair" - an IT maxim
- "It is not possible to create a foolproof machine, because fools are so clever" - an Amish farmer to Howard Rheingold, who went to laugh at the "savages" and came back deep in thought
- "The question is not IF a system gets compromised but WHEN." - Kevin Mitnick
- "We are Samurai... the Keyboard Cowboys... and all those other people who have no idea what's going on are the cattle... Moooo." - Eugene 'The Plague' Belford in Hackers
A broom at the door
In old times, Estonian rural people used to set a broom standing against the outer door when leaving home - any neighbour seeing it understood that the hosts are not home and nobody entered. The custom is still alive in some remote corners of the country. Now, we could compare it to some modern insurance contract...
In fact, security is known to produce some twists in history. Paradoxically, Estonians must thank the Soviet army for helping to preserve the nature of the West Estonian islands - the "Empire of Evil" guarded its citizens with an iron fist and access to the "border zones" was heavily regulated (to prevent escape). But in this case, it meant no tourist hordes trampling down the meadows and beaches... This may also be considered an example of Robert Theobald's concept of mind-quake as discussed at the beginning of the course.
In the book “Hackers: The Heroes of the Computer Revolution” by Steven Levy it is told how the original hacker community at MIT treated the introduction of passwords not as a security measure but as a violation of freedom. As a reaction, they recommended using a blank password - and about 1/5 of users complied. Yet today, we have a radically different situation (and probably even Richard Stallman, who was one of the protesters, would now recommend passwords).
As mentioned several times, in the old days computers were elitist - access to one meant the person had an academic degree (which was much harder to obtain back then). As a result, no practical business was possible. In today's Western world, even a homeless person can own a computer (see http://thehomelessguy.wordpress.com/). This has definitely had a positive effect on society overall, but some consequences are not that nice:
- It has created (and later, failed to banish) crooked business models targeting ignorant bystanders
- It has raised a new generation of criminals well-versed in technology
- Most importantly, it has left a majority of users behind, promoting technological ignorance and making them easy prey for criminals.
The problem called Microsoft
Even if the topic is often under heavy debate, reality suggests that the vast majority of computer malware targets Microsoft software. There are several reasons for this.
First, MS-DOS and early versions of Windows were single-user systems with no native networking (Unix was a 'network native' but was mostly accessible to experts only). This meant a generation of users growing up with no password habits. Moreover, Windows 95 introduced a primitive, token password system that protected nothing and could be bypassed by pressing the Esc key - and when NT and 2000 came with actual password protection, the mindset of average users had already gone awry.
When asked why they are the prime target, Microsoft typically refers to having the largest market share. It is somewhat true - but much more important is the largest share of clueless users (by far). A somewhat simplified classification could be: Linux for geeks and hackers, macOS for artists and hipsters, Windows for everyone else. Geeks and hackers are tech savvy, most hipsters and artists are at least smart - this leaves the most clueless and boneheaded types with Windows.
An old (and quite cynical) saying goes - "When two men escape a lion, how fast must they run? Faster than the other guy." So bugs can be bad, but often they are not even needed - it is enough to target the clueless user instead. Therefore, educating users should become a priority compared even to patching the systems (as put by Jarno Niemelä of F-Secure: "There is no patch for stupidity").
Karl Marx and Freddie Mercury
The subtitle begs a question indeed - what are those dudes doing here and what do they have in common? But:
- Karl Marx wrote about “Unity and struggle of opposites”
- Freddie Mercury sang: “I can't live with you, I can't live without you....”
The point: a large problem is that data security is a big business with conflicting interests. Would McAfee or Symantec rejoice if one day, by a miracle, there was no malware in the whole world...?
The biggest perdition of 21st century IT could be the blossoming of perverted business models allowing bad behaviour to be profitable. It forms a very wide area with foggy borders - from nosy marketing ("I know that you always visit fishing sites so I'll serve you advertisements about fishing rods and rubber boots") to direct crime (identity theft, scams). But one thing is sure: the main problem, "how to cut the stimuli for creating malware", remains unsolved.
A Jewish story tells of two doctors, father and son: “Dad, you worked on Mr Smith for seven years with no result, I cured him in two months!” - “Son, I used his money to educate you.” From ancient times, people have paid for security. And it was understood that:
- Security means selling the safe feeling
- To keep the job, it is wise to keep the dangers at bay but not eliminate them
- Sometimes, playing the “good cop, bad cop” works best
Another issue is Big Brother - governmental interference is growing worldwide, but especially in the “democratic” Western world. Good examples from computer security can be found over the last 50 years, from ECHELON to the later Carnivore packet sniffer and the Magic Lantern keylogger to PRISM and others. Sometimes the Brother orders the industry not to mess with him – e.g. it has been suggested that some antiviruses may ignore the 'governmental malware'[1].
While politically motivated breaches of security and privacy are more visible in the East (China, Russia...), economically motivated breaches by “public” entities that are actually businesses - e.g. BSA, MPAA, RIAA - are much more prominent in the Western world.
The beginning was rather harmless. In 1969, Joe Engressia made free calls by whistling control tones into the analog phone. Two years later, John “Cap'n Crunch” Draper found a whistle producing a 2600 Hz tone in a box of cereal, the find leading to the development of different-coloured "boxes" to control the phone network (blue box, yellow box, red box...). Kevin Mitnick in his Art of Deception recalls his early feats of acquiring free bus tickets and fooling the payphone - but the early motives were still related to slightly misguided curiosity and independence.
1994 remains a milestone in security - it brought the first spam on Usenet, the USD 10 million Citibank heist by Vladimir Levin and the capture of Kevin Mitnick with about 20 000 credit card numbers (said to "cover his running costs"). Opening the Net to business in 1991 had shown its dark side.
Common bad stuff
The common techniques have been used in variations for a long time. They exploit human weaknesses and, most importantly, adapt much faster than related legislation.
Spam
In 1978, Gary Thuerk sent a DEC event advertisement to about 600 users of ARPAnet, causing an uproar and earning the title of the first online spammer. The heyday of spam e-mail was around the turn of the century, with about 200 billion spam messages per day and spam forming 75-90% of all online traffic. By 2018, it had reduced to 55%[2] - e-mail is still a valid medium, but others have started to compete with it (mobile apps, instant messaging, social media).
Note: spam e-mail is very inexpensive (sending a message costs around 0.00001 cents[3]). And even with very low "hit rates" it remains profitable (some sources suggest that if one receiver out of 5 000 actually buys the spammed product, the spammer is already in profit).
Phishing
A 'crackerized' version of 'fishing' (akin to 'phreaking' in phone systems), it means interception of important information (passwords, card numbers). It began on AOL during the 90s, but became a widespread problem with the advent of social media (the first well-known hunting ground was MySpace).
Phishing attempts range from blatant stupidity (naive, error-riddled messages in the vein of "U be wanted for stealing big money, we know how solve it") to “one size fits all” (these messages are plausible in certain contexts but totally unbelievable in others - e.g. if an Estonian receives a "court call" to some court of law in central Chicago) to well-targeted and manipulative spear phishing (the most dangerous kind, where senders actually know a lot about the victim).
Scams
The classic example is the 'Nigerian letter'-style advance fee fraud (“need to smuggle out 30 mln, you will get 10%, but first I need 1200$ to grease some palms”). These keep working for two main reasons:
- most people are greedy - for many, a part of their brain just shuts down when they are promised to get rich.
- this is actually the way of doing business in large parts of the world - what Europeans and Americans may call corruption is normal for many others (as is preferring one's relatives when choosing people for various tasks, also known as nepotism).
Probably the worst cases are those based on real-life disasters (like the 2020 coronavirus [4]), missing people or actual crimes - people are willing to reach for the last possible straw of hope and are easy prey.
Simple manipulations
These “cheap offer, no delivery” or “too good to be true” types of scams actually predate the Internet, having existed in times of ordinary mail. They were also among the first kinds of cybercrime to appear after lifting the business ban. Later, the perpetrators have had to wander due to harassment by owners of larger online environments (it took a while to realize the problem, but established social media companies like Facebook have been quite successful in excluding those guilty of this kind of behaviour).
Typical goods that are used in these scams are small but expensive items (watches, jewelry) as they are generic enough not to cause suspicion and can actually be sent easily over various channels.
Car scams
These can be e.g.
- Offering an expensive car cheap, asking for some money “for transfer costs”
- Using a fake cheque on a larger sum, asking to return the difference
- Even a real car, but with shady origins (typically, stolen)
Date scams
Probably one of the most social types of scams - typically involving some 'damsel in distress' or most commonly a young attractive woman from some unattractive country (there are many actual women trying to improve their lives this way, yet a lot of these scammers are male in real life). A “future spouse” is massaged throughout the online relationship and finally asked for “some money to come to you”. The whole process can include various manipulations, in worse cases involving the “spouse” in some more serious criminal scheme (e.g. being a middleman for stolen goods).
Tech stuff
These include
- Direct hijacking using security holes
- Malware – classic viruses have mostly been replaced by worms
- Ransomware, e.g. CryptoLocker
- XSS (Cross-Site Scripting)
- DNS attacks (pharming)
- Fake names and homoglyph attacks
Online manipulations
A typical manipulation has three stages:
- Gather as much information as possible on the mark, using innocent-looking inquiries
- Use the gathered information to play an insider, getting access to much more important information
- Use the information as you see fit
An online manipulation can also be partially real-life, including:
- Shoulder surfing - at terminals, code locks etc.
- Tailgating and piggybacking - to pass doors following an authorized person
- Dumpster diving – to find carelessly discarded information
Note: a very good read to understand this area deeper is No Tech Hacking by Johnny Long.
Examples
Martin the Auditor
Mrs Jones, the bookkeeper of the department, receives a call from a "Martin Mint from the internal audit team". Martin asks some questions, like
- How many employees does the department have?
- How many of them have university degrees?
- How often is training offered in the department?
- What is the account number for staff costs?
- How many employees have left during the year?
- How is the general working atmosphere in the department?
Note: the actual number of questions is typically larger (at least 15-20).
What is wrong here...? The list hides a 'bomb' - a question that should not be answered to a complete stranger (in this case, the staff costs account). It is hidden about halfway into the mass of questions. It is not unheard of that the person who actually disclosed the information is so convinced he/she didn't that he/she is willing to take a polygraph test - and passes it.
A really helpful helpdesk
(Needed: a throwaway cell phone with calling card)
- Call Mr Smith the company's bookkeeper, posing as a helpdesk asking about any problems and leaving your number. Somewhere during the chat, ask for the network socket number ("It is 14, right? Oops, 17 indeed").
- Call the company's main IT office, posing as a technician on call to Mr Smith's office and ask to switch socket 17 off for repairs ("Damn dumbuser got himself a W32BadDude virus!").
- Wait until Mr Smith (now offline) panics and calls that helpful guy who called him earlier. (In an hour, the problem will be solved - of course, after calling back to the IT office and asking to reconnect socket 17 again.)
- "To avoid it in future" ask Mr Smith to run a program (that does not do anything visible).
Mission complete: a sniffer/rootkit/trojan is in place
(get rid of the phone too)
Turn the tables!
There is a new sport: mugu-baiting (aka scambaiting). The main idea is to reply to some “Dr Jones” scam letter, play a stupid and clueless victim (inventing yourself a hilarious name like Gerald Womo Milton Glockenspiel [5] gives style points) and try to get the “entrepreneur” to do various creative things.
Top players have received money themselves, or sent the scammer to meet in New York (with nobody waiting there...).
Examples include
and several others
(Warning: do not read with full bladder!)
A warning for others
Why Nigeria? According to the CIA Factbook [6],
- Long history of instability and corruption (rich country under unstable government, including military rule)
- Poverty and inequality - 70% of population under poverty line, 80% of oil revenue reportedly goes to 1% of population
- Large country, many tribes with old feuds
- English as lingua franca (about 250 local languages)
- Literacy at good levels, decent overall education
- Pretty good tech infrastructure
- The scamming tradition predates the Internet
It might be easier to fall into the same trap than we sometimes like to think...
Web 2.0 or Sleuth 2.0?
Most social networks are networks of trust (people on the friend list are 'homies'). This often leads to very detailed personal information being accessible to total strangers. And as most manipulations start with the establishment of trust, a social network can do a lot of the initial work 'off the shelf'!
Integrated services are a problem as well. A good example is the Gazzag.com case in 2006 [7] - spammed as the new cool social network, it invited people to import their Orkut (the leading network at that time) account. Incidentally, it happened a couple of weeks after Orkut received official recognition by Google (it was originally developed by an employee using his free portion of working time under Google's 80/20 system). Thus, the "Orkut password" was effectively the Google password.
Countermeasures?
There are several:
- Legal steps, more flexible legislation
- Well-defined policies
- Technical awareness, esp. among 'ordinary users'
- Guerrilla measures (NB! Ethically – and sometimes legally – a grey zone!)
Recommendations for social media sites include:
- Make use of internal defense measures
- If possible, do not use integrated services to login (e.g. Google)
- Do not recycle passwords
- Learn something about common risks and attack types
- Create a personal security policy (what can be put up, what cannot)
Kevin Mitnick has suggested in his books that security comes from technology, training and policy:
- Technology: networks, firewalls, antiviruses...
- Training: awareness of different attacks
- Policy: set procedures and requirements
Conclusion
The dark side of today's IT is a nasty cocktail of widespread networks, poor and slow legislation, unethical business practices and human stupidity. The only known cure is spreading awareness, developing good policies and keeping technology in check.
Study & Write
Look at the "Mitnick formula" described above (technology, training, policy) and analyze the overall security situation in your home country (with examples).
References
- [1] https://www.darkreading.com/vulnerabilities-and-threats/do-antivirus-companies-whitelist-nsa-malware/a/d-id/1112911
- [2] https://www.statista.com/statistics/420391/spam-email-traffic-share/
- [3] https://pubs.aeaweb.org/doi/pdf/10.1257/jep.26.3.87
- [4] https://www.nbcnews.com/news/us-news/coronavirus-scammers-are-seeking-profit-deadly-virus-n1156126
- [5] https://www.whatsthebloodypoint.com/scam.php?scamno=1
- [6] https://www.cia.gov/the-world-factbook/countries/nigeria/
- [7] https://tech.vaibhavgera.com/2006/11/gazzagcom-is-my-new-enemy.html
For additional reading
- LONG, Johnny. No Tech Hacking: A Guide to Social Engineering, Shoulder Surfing and Dumpster Diving. Syngress 2008. https://doc.lagout.org/Others/No%20Tech%20Hacking%20A%20Guide%20to%20Social%20Engineering%20Dumpster%20Diving%20%26%20Shoulder%20Surfing.pdf
- Several books by Kevin Mitnick (e.g. The Art of Deception)
- Scambaiting websites (e.g. http://www.scamorama.com)
- https://www.sans.org/reading-room/whitepapers/engineering/paper/920
The content of this course is distributed under the Creative Commons Attribution-ShareAlike 3.0 Estonian license (English: CC Attribution-ShareAlike, or CC BY-SA) or any newer version of the license.