A Fool Gets Beaten Even in Internet
Motto: “A Fool Gets Beaten Even In Church” (an Estonian Proverb)
Some thoughts for starters
- "The biggest security risk is always located between the keyboard and the chair" - an IT maxim
- "It is not possible to create a foolproof machine, because fools are so clever" - an Amish farmer to Howard Rheingold, who went to laugh at the "savages" and came back deep in thought
- "The question is not IF a system gets compromised but WHEN." - Kevin Mitnick
- "We are Samurai... the Keyboard Cowboys... and all those other people who have no idea what's going on are the cattle... Moooo." - Eugene 'The Plague' Belford in Hackers
A broom at the door
In old times, Estonian rural people used to set a broom standing against the outer door when leaving home - any neighbour seeing it understood that the hosts were not at home and that nobody had entered. The custom is still alive in some remote corners of the country. Now, we could compare it to a modern insurance contract...
In fact, security has taken some odd twists in history. Paradoxically, Estonians must thank the Soviet army for helping to preserve the nature of the West Estonian islands - the "Empire of Evil" guarded its citizens with an iron fist and the "border zones" were under heavy regulation. But in this case, it meant no tourist hordes trampling down the meadows... This may also be considered an example of Theobald's mindquake concept as discussed at the beginning of the course.
In the book “Hackers” by Steven Levy it is told how the original hacker community at MIT saw the introduction of passwords not as a security measure but as a violation of freedom. As a reaction, they recommended using a blank password - and about 1/5 of users complied. Today we have a radically different situation (and probably Richard Stallman, who was one of the protesters, would now recommend passwords too).
As mentioned several times, in the old days computers were an elite affair - access to one meant the person had an academic degree. As a result, no practical business was possible. In today's Western world, even a homeless person can own a computer (see http://thehomelessguy.wordpress.com/). This has definitely had a positive effect on society overall, but some consequences are not that nice:
- It has created (and later, failed to banish) crooked business models targeting ignorant bystanders
- It has raised a new generation of criminals well-versed in technology
- Most importantly, it has left a majority of users behind, promoting technological ignorance and making them easy prey for criminals.
The problem called Microsoft
Even if the topic is often under heavy debate, in reality computer malware is overwhelmingly a Microsoft software phenomenon. There are several reasons for this.
First, MS-DOS and early Windows versions were single-user systems with no native networking (Unix was a 'network native' but was mostly accessible to experts only). This means a generation of users grew up with no password habits. Moreover, Windows 95 introduced a primitive password system that protected nothing and could be bypassed by pressing Esc - and when NT and 2000 came with actual password protection, the mindset of average users was already broken.
When asked why they are the prime target, Microsoft typically points to its largest market share. It is somewhat true - but much more important is the largest share of clueless users (by far). A somewhat simplified classification could be: Linux for geeks and hackers, OS X for artists and hipsters, Windows for everyone else. Geeks and hackers are tech savvy, hipsters and artists are at least smart - leaving the most clueless and boneheaded types to Windows.
An old (and quite cynical) saying goes - "When two men escape a lion, how fast must they run? Faster than the other guy." So bugs can be bad, but often they are not even needed - it is enough to target the clueless user instead. Therefore, educating users should be a priority even over patching the systems (as put by Jarno Niemelä of F-Secure: "There is no patch for stupidity").
Karl Marx and Freddie Mercury
WTF...? What do those dudes do HERE?
Marx: “Unity and struggle of opposites”
Mercury: “I can't live with you, I can't live without you....”
Point: a large problem is that data security is a big business with conflicting interests. Would McAfee or Symantec rejoice if one day there was no malware in the whole world?
Malware industry
The biggest perdition of 21st century IT: perverted business models allowing bad behaviour to be profitable
A very wide area from nosy marketing (I know that you always visit fishing sites, so I advertise fishing rods and rubber boots to you) to direct crime (identity theft, scams)
The main problem still not solved: how to cut the stimuli for creating malware?
… and security industry
A Jewish story tells of two doctors, father and son: “Dad, you worked on Mr Smith for seven years with no result, I cured him in two months!” - “Son, I used his money to educate you.”
From ancient times, people have paid for security. And it was understood that
Security means selling the safe feeling
To keep the job, it is wise to keep the dangers at bay but not eliminate them
Sometimes, playing the “good cop, bad cop” works best
Big Brother...
State interference is growing, especially in the “democratic” Western world. E.g.:
Carnivore packet sniffer
FBI Magic Lantern keylogger
Sometimes the Brother orders the industry not to mess with him – e.g. an antivirus must ignore a “virus-like” program
A growing problem
… and his nasty disciples
(some East, some West)
Politically motivated breaches of security and privacy (East)
Economically motivated breaches by “public” entities that are actually businesses – e.g. BSA, MPAA, RIAA (West)
The beginning: early pranks
1969 – Joe Engressia gets free calls by whistling
1971 – John “Cap'n Crunch” Draper, 2600Hz. Later builds the first blue box
Young Kevin Mitnick (his Art of Deception is recommended!):
Bus hack
Fooling the payphone with coin sound
Main motive: slightly misguided curiosity and independence
1994 as a milestone
First spam in Usenet
Vladimir Levin vs Citibank – 10M USD
Kevin Mitnick caught with about 20 000 credit card numbers
Opening the Net to business shows its dark side
Common bad stuff
Used in variations for a long time
Skilful use of human weaknesses
Adapt much faster than related legislation
Spam
In 1978, Greg Thuerk sends a DEC event advertisement to about 600 users of ARPAnet
In 1991, bad guys get up first
At its heyday, about 200 bln spam messages per day, 75-90% of all traffic
In 2014, about 54 bln and 57% of traffic
Medicines and complements, sex stuff, fake diplomas…
The biggest problem: it is inexpensive (~0,00001 cents)
Earlier ruled by the US, China and Russia, recently added Western Europe and Spanish-speaking countries
Phishing
Interception of important information (passwords, card numbers)
Beginning: AOL in the 1990s
Went to the masses with the advent of social media
From blatant stupidity to “one size fits all” to dangerous, well-targeted and manipulative spear-phishing
Scams
Classic example: the Nigerian advance fee fraud (“need to smuggle out 30 mln, you will get 10%, but first I need $1200 to grease some palms”)
Especially nasty are the ones making use of real-life disasters
Simple manipulations
“cheap offer, no delivery” or “too good to be true”
Later had to move on due to harassment by the owners of larger online environments
Typical goods: small but expensive items (watches, jewelry)
Usually combined with spam
Car scams
Can be
Offering an expensive car cheap, asking for some money “for transfer costs”
Using a fake cheque on a larger sum, asking to return the difference
Even a real car, but where from?
Date scams
Most social (kinda)
A “future spouse” is asked for “some money for travel”
Can include various manipulations, in worse cases involving the “spouse” in some criminal scheme
Tech stuff
Direct hijacking using security holes
Malware – classic viruses are replaced by worms
Ransomware, e.g. CryptoLocker
XSS (Cross-Site Scripting)
DNS attacks (pharming)
Fake names and homoglyph attacks
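The phishing and homoglyph points above (lookalike sender names and domains, Cyrillic or Greek letters standing in for Latin ones, a trusted brand buried in a subdomain) can be checked mechanically before a user ever sees the link. The following checker is an added example written for this page, not the lecture's own material. It assumes a small constructed table of confusable characters (a real tool would load the full Unicode confusables data), a constructed list of trusted domains, and a simplistic "last two labels" rule for the registrable domain instead of a public suffix list.

```python
"""Lookalike-domain checker for phishing links (added example).

Flags three tricks named in the lecture: homoglyph substitution,
mixed-script labels hidden behind punycode (xn--), and a trusted
brand name placed in a subdomain of an unrelated domain.
"""
import unicodedata

# Constructed subset of visually confusable characters -> ASCII they imitate.
# Multi-character sequences are listed too (they are applied first).
CONFUSABLES = {
    "rn": "m",       # two Latin letters imitating one
    "vv": "w",
    "\u0430": "a",   # Cyrillic small a
    "\u0435": "e",   # Cyrillic small ie
    "\u043e": "o",   # Cyrillic small o
    "\u0440": "p",   # Cyrillic small er
    "\u0441": "c",   # Cyrillic small es
    "\u0445": "x",   # Cyrillic small ha
    "\u0443": "y",   # Cyrillic small u
    "\u0456": "i",   # Cyrillic small Byelorussian-Ukrainian i
    "\u0455": "s",   # Cyrillic small dze
    "\u03bf": "o",   # Greek small omicron
    "0": "o",        # digit zero for letter o
    "1": "l",        # digit one for letter l
}


def to_unicode(host):
    """Decode punycode (xn--) labels so an IDN is judged by its visible form."""
    labels = []
    for label in host.lower().strip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep as-is
        labels.append(label)
    return ".".join(labels)


def skeleton(name):
    """Collapse confusable characters to the ASCII they imitate."""
    s = unicodedata.normalize("NFKC", name).lower()
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, repl)
    return s


def scripts(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by letters in a label."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def registrable(host):
    # Assumption: two-label registrable domain (example.com); real code uses a public suffix list.
    return ".".join(host.split(".")[-2:])


def check_domain(candidate, trusted):
    """Return a verdict ('trusted', 'suspicious', 'unknown') and the reasons for it."""
    host = to_unicode(candidate)
    reg = registrable(host)
    if reg in trusted:
        return {"host": host, "verdict": "trusted", "findings": []}
    findings = []
    for label in host.split("."):
        if len(scripts(label)) > 1:
            findings.append(f"mixed scripts in label '{label}'")
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in hostname")
    for t in trusted:
        if skeleton(reg) == skeleton(t):
            findings.append(f"lookalike of {t}")
        elif f".{t}." in f".{host}.":
            findings.append(f"trusted name {t} embedded in subdomain")
    return {"host": host, "verdict": "suspicious" if findings else "unknown", "findings": findings}


# Constructed trusted list for the demonstration.
TRUSTED = ["example.com", "paypal.com", "microsoft.com"]

if __name__ == "__main__":
    cyrillic_a = "p\u0430ypal"  # 'paypal' with a Cyrillic a in second place
    samples = [
        "www.paypal.com",
        "paypa1.com",
        "rnicrosoft.com",
        "xn--" + cyrillic_a.encode("punycode").decode("ascii") + ".com",
        "paypal.com.secure-login.example",
        "unrelated.org",
    ]
    for s in samples:
        print(s, "->", check_domain(s, TRUSTED))
```

The skeleton comparison is deliberately lossy (a zero and an o collapse to the same thing) because the question asked is "could a hurried user mistake this for a trusted name?", not "is this string equal to a trusted name?". Run it over the URLs in a mail gateway's logs and the hits are the messages worth a second look.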
Main stages of online manipulation
Gather as much information as possible on the mark, using innocent-looking inquiries
Use the gathered information to play an insider, getting access to much more important information
Use the information as you see fit
No tech
Can also be physical:
Shoulder surfing – at terminal, code locks etc
Tailgating – to pass doors following an authorized person
Dumpster diving – to find carelessly discarded information
Read more: No Tech Hacking by Johnny Long
Example 1: Martin the Auditor
Mrs Jones, the bookkeeper of the department, receives a call from a “Martin Mint from the internal audit team”. Martin asks some questions:
How many employees does the department have?
How many of them have university degrees?
How often is training offered in the department?
What is the account number for staff costs?
How many employees have left during the year?
How is the general working atmosphere in the department?
What is wrong here...?
Example 2: really helpful helpdesk
Needed: a cell phone with calling card
1. call to Mr Smith the bookkeeper – posing as a helpdesk, asking about any problems and leaving your number. Somewhere in chat, ask for the network socket number too
2. call to main IT office – posing as a technician on call to Mr Smith's office, asking to switch socket number X off for repairs
Wait until Mr Smith (now offline) panics and calls that helpful guy who called him earlier
...
In an hour, the problem is solved – after calling back to the IT office and asking to reconnect socket X
“To avoid it in future”, ask Mr Smith to run a program (does not do anything visible)
Mission complete: a sniffer/rootkit/trojan is in place
(get rid of the phone too)
Example 3: turn the tables!
A new sport: mugu-baiting (aka scambaiting)
Main idea: reply to some “Dr Mobutu” scam letter, play a stupid white guy (inventing yourself a hilarious name like Gerald Womo Milton Glockenspiel gives style points) and try to get the “entrepreneur” to do various creative things
The top players have received money themselves or sent the scammer to meet in New York (alone, of course)
Examples: whatsthebloodypoint.com, scamorama.com, 419eater.com (Warning: do not read with full bladder!)
Nigeria(TM)
Why?
Long history of instability and corruption (rich country under unstable government, including military rule)
Poverty and inequality – 60% of population under poverty line, 80% of oil revenue goes to 1% of population
Large country, many tribes with old feuds
English as lingua franca (about 250 languages)
Literacy at 68%, decent overall education
Pretty good tech infrastructure
The scamming tradition predates Internet by far
Web 2.0 or Sleuth 2.0?
Most social networks are networks of trust (people on the friend list are 'homies')
TMI!
Most manipulations start with establishment of trust – a social network can do a lot of initial work 'off the shelf'!
Integrated services are a problem!
The Gazzag.com case in 2006
Countermeasures?
Legal steps, more flexible legislation
Well-defined policies
Technical awareness, esp. among 'ordinary users'
Guerrilla measures (NB! Ethically – and sometimes legally – a grey zone!)
...
Some words on social media
Make use of internal defense measures
If possible, do not use integrated services to login (e.g. Google)
Do not recycle passwords
Learn something about common risks and attack types
Create a personal security policy (what can be put up, what cannot)
The ex-baddie says
“Security comes from technology, training and policy”
– Kevin Mitnick, security advisor (!)
see also The Art of Deception
Technology: networks, firewalls, antiviruses...
Training: awareness of different attacks
Policy: set procedures and requirements
https://www.sans.org/reading_room/whitepapers/engineering/a_multilevel_defense_against_social_engineering_920
For conclusion
The dark side of today's IT is a nasty cocktail of widespread networks, poor and slow legislation, unethical business practices and human stupidity
The main cure: learn and teach!
Enough of the fool thrashing for today...