“The FBI Reports A Break In Every 15 Seconds” Scam

“The FBI reports a break-in every 15 seconds” is how each call begins. The recorded message goes on to say “Let us place a small sign in your yard and we will install a new security system for free.” There has been a little coverage on this scam from smaller local news outlets. [1] The scammers always call from different numbers [2] and with an irregular frequency. Almost every post I’ve read about these calls says that they, like me, are on the Do Not Call list. This post is an attempt at catharsis. How much can I find out about this company and what resources will I need?

I’m starting with some basic sleuthing and complaint filing. I phoned my cell phone carrier and reported the numbers. The customer service representative said she’d forward all of the information I provided to their “Scam Department”. I’m not sure if there is such a thing at cell phone providers but I do hope it’s real.

What was different about this phone call was that when I pressed “1” for more information I didn’t get an immediate rep. I was disconnected and received a phone call a few minutes later [2]. I wasted my time with the scammer today just trolling her but next time I’m going to pump her for information. So I tried looking up the second number that called me and the area code matches Colorado Springs, Colorado. I called Sprint and T-Mobile to see if the number matched one of their customer records. Each customer service agent denied that the numbers belonged to any of their customers and one gave me a clue on what to look for next: “This number belongs to a landline with SMS capabilities.”

When I searched for landline providers in Colorado Springs I found CenturyLink is the largest provider. I called their residential customer service center and after speaking with a few different agents was told that the number didn’t match a resident’s number, but that doesn’t mean the person with that number isn’t a customer. It could be that the phone number belongs to a batch of numbers that are part of a small business account. She was nice enough to give me the number of their small business accounts department but they were closed for the night.

I’ll keep at this in my spare time because now I’m curious whether I can uncover these scammers without the resources of law enforcement or the government. My guess is they are using a call center’s ability to mask ANI, so each of the numbers in the second footnote is fake; however, the number that called me back today seems real enough. My guess is this person is a sales rep working for the scammer and if anyone presses “1” during the initial robocall they get a notification and call back.

[1] http://wtkr.com/2013/02/28/woman-says-sc…

[2] 404-721-0540 http://www.findwhocallsme.com/4047210540
347-690-1807 http://www.callercomplaints.com/SearchRe…
207-512-2295 http://whocalled.us/lookup/2075122295
919-249-0360 http://whocalledme.com/PhoneNumber/919-2…
480-999-5639 http://wafflesatnoon.com/2012/03/10/scam…
702-444-4939 http://wafflesatnoon.com/2012/03/10/scam…
972-905-6694 http://wafflesatnoon.com/2012/03/10/scam…
817-725-8612 Received personally by author
309-270-2208 http://whocallsme.com/Phone-Number.aspx/…
973-273-7826 http://www.callercenter.com/973-273-7826…
701-301-4001 http://www.callercenter.com/701-301-4001…
206-496-0929 http://800notes.com/Phone.aspx/1-206-496…
253-382-992 http://800notes.com/Phone.aspx/1-206-496…
503-457-1176 http://800notes.com/Phone.aspx/1-503-457…
216-278-0127 http://800notes.com/forum/ta-8d32864d2b5…
612-351-3204 http://800notes.com/forum/ta-8d32864d2b5…
321-800-4409 http://800notes.com/forum/ta-8d32864d2b5…
717-628-7009 http://800notes.com/forum/ta-8d32864d2b5…
727-350-9789 http://800notes.com/forum/ta-8d32864d2b5…

[2] 719-355-6263

Pulling My Digital Pants Back Up

A recent Ars Technica article on ASUSGATE pointed to this blog and named me as a blogger who was caught with his digital pants down. I wanted to capture some of my incident response procedures now that some time has passed and my stress levels are back to normal. As noted in the article the first thing I did was shut down all non-necessary services such as FTP and Samba. Luckily for me I never liked the idea of AiCloud so that service was already off. Next I ran a port scan on my external IP address from a server outside of my home network to make sure that no ports were left open. My goal was to ensure that literally 0 ports were open to the outside world and my router didn’t respond to unsolicited packets. I ran an nmap scan that checked ports 1-65534 and found a port in the very high ephemeral range (something like 32000) and dug back through the ASUS interfaces until I found the culprit. Apparently I had forgotten to turn off the VPN pass-through option from my time working at Akamai. I ran the scan again focusing only on the port that was found in the previous scan and it was closed.
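The check described above boils down to "scan every port from outside, read the result, repeat for anything that shows up". As an added example (not code from the original post), here is a small parser for nmap’s grepable (`-oG`) output that reports open ports and answers the yes/no question the post cares about. The scan lines are constructed samples against the documentation address 203.0.113.5, not real output from the author’s router.

```python
import re

# Constructed sample of `nmap -oG` (grepable) output for a scan of ports 1-65534
# against a router's WAN address. 203.0.113.5 is a documentation address, and
# the lines are made up for this example, not real scan output.
SAMPLE_BEFORE_FIX = [
    "# Nmap scan (constructed sample, not real output)",
    "Host: 203.0.113.5 ()\tStatus: Up",
    "Host: 203.0.113.5 ()\tPorts: 22/closed/tcp//ssh///, 80/closed/tcp//http///, "
    "32000/open/tcp//unknown///\tIgnored State: filtered (65531)",
    "# Nmap done",
]

# The same host after the leftover VPN pass-through option was switched off
# and the scan was repeated for just the one port found above.
SAMPLE_AFTER_FIX = [
    "# Nmap scan (constructed sample, not real output)",
    "Host: 203.0.113.5 ()\tStatus: Up",
    "Host: 203.0.113.5 ()\tPorts: 32000/filtered/tcp//unknown///",
    "# Nmap done",
]

# One entry in the Ports: field is  port/state/protocol/owner/service/rpc/version/
PORT_ENTRY_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/")


def parse_grepable(lines):
    """Yield (host, port, state, protocol, service) tuples from nmap -oG lines."""
    for line in lines:
        if not line.startswith("Host:"):
            continue                      # comment lines and blank lines
        fields = line.rstrip("\n").split("\t")
        host = fields[0].split()[1]       # "Host: 203.0.113.5 ()" -> "203.0.113.5"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                  # skip "Status:" and "Ignored State:"
            for entry in field[len("Ports:"):].split(","):
                match = PORT_ENTRY_RE.match(entry.strip())
                if match:
                    port, state, proto, _owner, service = match.groups()
                    yield host, int(port), state, proto, service


def open_ports(lines):
    """Sorted list of (port, protocol) pairs that nmap reported as open."""
    return sorted({(port, proto)
                   for _, port, state, proto, _ in parse_grepable(lines)
                   if state == "open"})


def wan_is_closed(lines):
    """The goal from the post: nothing at all open towards the outside world."""
    return not open_ports(lines)


if __name__ == "__main__":
    print("before fix, open:", open_ports(SAMPLE_BEFORE_FIX))    # [(32000, 'tcp')]
    print("after fix, closed:", wan_is_closed(SAMPLE_AFTER_FIX))  # True
```

Feed it the file written by `nmap -p 1-65534 -oG wan.gnmap <your external address>` run from a host outside your own network; the point of parsing rather than eyeballing is that the check can be repeated after every router configuration change and fail loudly when anything new appears.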

I’m still concerned that I have a known IP address though. At the very least anyone who doesn’t like me could send a DDoS (or just a DoS with a strong enough connection) and make sure I don’t see the internet for a while. From the research I’ve done cable companies like Comcast dole out IP addresses using DHCP but the leases can be for years. The only time they change them is when the MAC address changes so my next step is to disconnect my ASUS and connect a laptop running a liveCD directly to the cable modem in hopes of getting a new IP address.

When ASUS contacted me they sent notes on the best practices they were announcing to existing customers and details of a beta patch that was rolling out. What I didn’t see was that the FTP service would explicitly not be open on the WAN interface and require authorization from the user to open up their files to the internet. Those victims that put a username/password on their FTP should not use default credentials like “admin/admin” since they are well known and, as stated above, the IP address of the router probably hasn’t changed.

Lastly I want to nitpick on the editor’s choice of describing my folly as being “caught with my pants down”. I think this was a great way to spice up the story but the analogy doesn’t work that well. I didn’t expose anything that I would be ashamed of. The image of my pants being down is my genitals are exposed and that’s something I don’t show in public and so a more apt analogy would be that my digital fly was down. Anyone in the world could get a peek into my digital pants, and it’s certainly embarrassing, but since I don’t walk around “commando style”[1] I was covered underneath that undone zipper.

[1] Military commandos who operate in the jungle often do not wear underwear because of the health issues associated with increased moisture and lack of air flow. http://en.wikipedia.org/wiki/Going_comma…

So This Is What Getting Pwned Is Like

EDIT: NullFluid points out that they aren’t the group that performed the intrusive scan but are only hosting the text file. [0]

There was a definite sense of dread when I started reading the txt file [1] disclosing a massive flaw in Asus routers. I’ve had an RT model ASUS for nearly two years now and recently hooked up a giant USB hard drive to it so I could stream movies from my Blu-ray player. But I thought there was no way I was affected since I went through the settings for the FTP service and disabled all outside access. I did leave the FTP security set to anonymous because I thought anyone not logged into my WPA2 protected wifi couldn’t even see the service.

Out of curiosity I entered ‘ftp://[my external ip address]’ into my browser and sat wide eyed when I saw the contents of my media server show up. I reasoned it must be because I’m already inside the network (which doesn’t even make sense really) but panic was starting to set in. So I pulled out my phone and turned off the wifi connection and tried it there. Now I was worried.

I started downloading the torrent of directory listings and quickly turned the FTP service off. I checked the pastebin with all the IP addresses that had the dir listing bug [2] and there was my IP address. Worry was now turning to fear. After the torrent finished I looked for my IP address and found that it was under ‘partial listings’.

There’s no point in my denying that I got pwned because in the file listings are things like ‘OLIVER_DAY_GMAIL_COM_201401052241083414.pdf’ which is a copy of a boarding pass I downloaded. I’d started pushing stuff from my Downloads folder onto the media drive for convenience’s sake. I’m not worried about what’s on that drive; however, I’m terrified by the idea that someone replaced a file with some malware and then I opened it assuming I was safe.

I’m also going through memories of flaky wifi in the last month plus some weird issues with the drive itself and wondering if it was due to others accessing my drive at the same time I was. It’s a really sickening feeling although I got off pretty lucky. In my life I’ve had friends who were pwned by rival hackers and had entire mail spools dumped, financial information leaked, etc. All I lost was a directory listing and some face.

Going through the file listings of other IP addresses I see insanely personal items like whole backups of laptops, family photos, porn collections, and tax documents. Anyone that has the list of IP addresses can potentially download any of those files. I wrote some python to walk through the list of IP addresses and check to see if logging in anonymously is still possible. I’m not bothering to look at anything, just seeing whether ftp.login() works and recording the statistics. The numbers are not reassuring. The code is also on pastebin for those who want to run it and help report the numbers. [3]
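The author’s pastebin script isn’t reproduced on this page, so here is an added example of the same kind of check written for verifying your own router: it asks whether an FTP service still accepts an anonymous login and tallies the answers. To make it runnable offline it includes a constructed fake FTP server (a test double, not real FTP software) that can be started in “accepts anonymous” and “refuses anonymous” modes; nothing here is code from the original post.

```python
import ftplib
import socketserver
import threading


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """True if host:port accepts an anonymous FTP login, False if it refuses,
    None if the service is unreachable or does not speak recognisable FTP."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()                    # ftplib default: USER anonymous / PASS anonymous@
    except ftplib.error_perm:          # 5xx reply to USER or PASS: login refused
        return False
    except (OSError, ftplib.Error):    # connection refused, timeout, protocol error
        return None
    else:
        return True
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def tally(targets):
    """Count results over (host, port) pairs: the statistics the post talks about."""
    counts = {"open": 0, "closed": 0, "unknown": 0}
    for host, port in targets:
        result = anonymous_login_allowed(host, port)
        key = "open" if result else "unknown" if result is None else "closed"
        counts[key] += 1
    return counts


# --- Constructed minimal FTP server so the check can run with no network. ---
# It knows just enough of RFC 959 to accept or refuse a login and say goodbye.
class _FakeFtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 constructed test server ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            cmd = line.decode("ascii", "replace").strip().upper()
            if cmd.startswith("USER"):
                self.wfile.write(b"331 Password required\r\n")
            elif cmd.startswith("PASS"):
                if self.server.allow_anonymous:      # the insecure default
                    self.wfile.write(b"230 Login successful\r\n")
                else:                                # hardened configuration
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 Goodbye\r\n")
                break
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_fake_ftp(allow_anonymous):
    """Start the fake server on a random loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFtpHandler)
    server.allow_anonymous = allow_anonymous
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    _, exposed_port = start_fake_ftp(allow_anonymous=True)
    _, fixed_port = start_fake_ftp(allow_anonymous=False)
    print(tally([("127.0.0.1", exposed_port), ("127.0.0.1", fixed_port)]))
    # {'open': 1, 'closed': 1, 'unknown': 0}
```

Against a real router you would call `anonymous_login_allowed` with your external address and port 21 from a host outside your network, the same way the post tested from a phone with wifi switched off; the check never lists or downloads anything, it only reports whether the login step succeeds.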

While I’m not entirely opposed to the idea of full disclosure I’m not sure I agree with the Brothers Grim, et al. dump of vulnerable IP addresses. Even though this act caused me to discover the vulnerability in my own hardware I’m not okay with the idea that they took a snapshot of my FTP directory and made that part of the torrent. What was the point in that? It would have been just as effective to list the IP address and I would have reacted and benefited the same. All they’ve done is made certain people way bigger targets because the listing shows movies, or music, or porn, or very very personal files. If the Brothers Grim, et al. are going to poke into everyone’s drives anyway why not leave a note in the root of the FTP directory warning the user of the vulnerability? That’s the biggest problem I have with their approach: they told the world but they didn’t tell the victims. Fine, I’ve patched my Asus router and now question whether I should keep it at all. I agree it was a very poor decision on Asus’s part to make those default settings the way they were and I doubt I’ll turn the FTP service back on anytime soon. But including full directory listings of all these victims is on you, Brothers Grim, et al. It was a mistake on your part and you should apologize to us all.

[0] The text file lists the following as the crew that performed the scan: The Brothers Grim, Chuck Palahniuk, Gargamel, Debra Morgan, Gollum, Voldemort, Skeletor, Duke Igthorn
[1] http://nullfluid.com/asusgate.txt
[2] http://pastebin.com/ASfYTWgw
[3] http://pastebin.com/fpB7U1gb http://pastebin.com/HWLASXaY http://pastebin.com/zunt8jeu

Evangelism and other Definitions

I’ve been looking for a new job recently and found a position with an organization that does amazing work. They advertised for a security evangelist so I looked into the position. I’ve heard of the term before and never developed an opinion of them one way or the other. Frankly I didn’t really know what they did until a few days ago when my research began.

The first blog that popped up on Google is from a security evangelist at csoonline.com. He based a lot of his article on an article by krypt3ia who ranted about how bad it is to use the term evangelist.

I read krypt3ia’s article with an open mind but I always worry when someone starts a written argument with a literal definition from an actual dictionary. That was what I did in high school when I didn’t know how else to start a paper and it’s an appeal to authority that isn’t very useful in this type of discussion. Languages evolve and definitions change all the time and pretending otherwise isn’t a winning strategy. I think the actual problem he has with the term ‘evangelist’ is shown about 3/4 of the way through his rant where he talks about the term ‘heretic’:

“Perhaps this is all we know, we people who still follow a book so closely that now has the masses up in arms about the issue of people of the same gender wanting equality … A book mind you, written by people barely able to understand nature around them so they made stories up to fill in the gaps. Really? 21st century? Yeah.. Right.”

I get his argument against religion (and I’m assuming the Bible) and I don’t disagree with him on this point[1] but I think getting this worked up over the term evangelist doesn’t make sense. The Wikipedia article for the more generic term “Technology evangelist” has this opening definition:

“A technology evangelist is a person who builds a critical mass of support for a given technology, and then establishes it as a technical standard in a market that is subject to network effects.”

The article goes on to establish the link to the word evangelism by suggesting it is “due to the similarity of relaying information about a particular set of beliefs with the intention of converting the recipient.” Think Steve Jobs or even today Vint Cerf.

This part rings pretty true for me. Infosec [2] is a cloudy term that encompasses a lot more people than it did when I learned it in the 1990s; however, most of us do hold beliefs about security. These beliefs translate into practices like “hardening a server” or “using passphrases instead of passwords”. So a security evangelist is someone who tries to convert those with poor security practices to our way of life.[3]

Perhaps I have an easier time dealing with portmanteaus or even updating definitions as words find their way into computer specific lexicons. I fought similar fights when I was at Akamai and trying to apply biostatistical analysis and epidemiological methods to make the company more secure. I was told that the words I used were medical jargon (e.g. sensitivity and specificity) and it was too confusing for them. But our industry specific language has dealt with this for a long time and I doubt it will stop anytime soon. [4]

So how do people, especially those that hate the term ‘evangelist’, feel about the term ‘virus’? Want a link to the Wikipedia article or an OED definition? You probably won’t find anything related to non-biological organisms unless you look at ‘Computer Virus’. Or how about ‘sales engineer’?

Again citing Wikipedia, an engineer is “a professional practitioner of engineering, concerned with applying scientific knowledge, mathematics, and ingenuity to develop solutions for technical problems.” [5] What do SEs build again? I’ve been an SE in my career and other than sales demos there wasn’t much I did to really deserve the E part of my title.

Krypt3ia isn’t alone in his disgust with the term however. As I scanned through Twitter I found other notables (particularly Space Rogue of curmudgeonly fame) saying one should never ever admit they were an evangelist. There is a hint of anti-charlatanism in their tone that can’t be missed. [6] I think the real answer to the animus against this term lies here. The sense I’m getting is those opposed to the term think security evangelists are those that don’t have the skills to be real hackers/infosec professionals and therefore listening to them is both a waste of time and potentially dangerous. I think nothing displays that more than this anigif.

Footnotes:
[1] At the best of times I’m an atheist but occasionally I’m just agnostic.

[2] I don’t know if someone has written about the transition of the 1990s hacker to infosec so I’ll leave this here as a reminder to write about it if an article isn’t already extant.

[3] I do this all the time without thinking about it. Last month it was when speaking with the CFO of my nonprofit when she asked about using online banking. My advice was to boot up a liveCD and bank from there.

[4] The biggest push back I got was using the term “computer disease” instead of malware/badware/trojan/etc. It makes a lot of sense if you think about it.

[5] In case you’re wondering “engineer is derived from the Latin roots ingeniare (‘to contrive, devise’) and ingenium (‘cleverness’).”

[6] Anyone who knows him understands that he isn’t shy about opining on what is right or wrong and who in the industry is an actual charlatan.

Wireless Mic Research

During Source Boston I became fascinated by the idea of using SDR to listen in on wireless mics. It occurred to me that corporate meetings in hotels with lots of sensitive information are probably vulnerable to that type of eavesdropping. I looked into encrypted wireless mics but they are very expensive and I can’t imagine a lot of people outside of the Fortune 10, military, and some parts of the government can afford them.
My first find was a page of wireless mics that were in the 700 MHz range and now banned by the FCC for intruding upon emergency communications. [1] @0xabad1dea pointed out rather quickly this wasn’t the list I thought it was. But I had also scraped together another list from product pages I’d browsed the previous evening.
G1 Band 470-530 MHz
H4 Band 518-578 MHz
J5 Band 578-638 MHz
L3 Band 638-698 MHz

Once I get a better grasp of GNU Radio I can probably cobble together a wireless mic scanner for the next conference I visit. Or maybe just hang around hotel lobbies and look for stray conversations.

[1] http://www.fcc.gov/encyclopedia/wireless…

Is Korean Law Driving Policy at Blizzard?

US customers of game maker Blizzard are up in arms tonight as news of a new policy is set to require all posts on the Blizzard forum to use their Real ID system. That means that every post is accompanied by the real first and last name of the user. People are unsure what to make of this and I haven’t seen any communication from Blizzard stating why they are making this change.
I’m going to make the suggestion that South Korea’s Real Name System [is a driving force behind this decision]*. In 2009 South Korea’s government created a law that was meant to curb online defamation by insisting that all users who comment on sites with greater than 100,000 users per day must use their real name. The first US company to feel the effects of this law was Google. South Korea insisted the Youtube comments require all users to post with their real first and last name. Google got around this law by forbidding anyone with a South Korean IP address from posting to Youtube. Recently South Korea backed down and exempted Youtube from the Real Name system.
Given these facts it might not make sense why South Korea might enforce the Real Name system on Blizzard. My guess would be that the government is very aware of the immense popularity of Starcraft in South Korea. Some have joked it is their national sport. South Korea even has professional SC leagues with sponsors and packed arenas. I don’t think Blizzard can take the Google approach here and just ban South Korean users from posting to their forums. The South Korean market must make a ton of profits for Blizzard and unlike Google they don’t have revenue coming in from other sources.

* edit: fixed that sentence

Pax Musicana

Over the years friends have asked what I have against music services like iTunes. A week or two ago the term Pax Musicana crept into my subconscious and it captures the issue perfectly. My general disdain for digital services like iTunes, Amazon Kindle, and the like is that I am locked into a service and should I decide to wander to the next big thing I would have to rebuild my collection from scratch. I would have to abandon all the value I stored in that service because they refuse to let me take my purchases with me.
The term Pax Musicana came to me as a concept of what these services should be. If I buy a song from one vendor my “license” to listen/download/stream that song should extend to all legitimate online services. Billboard.biz even has an article advising ISPs to start music/media stores to lock customers in and reduce their churn rate. The dying copyright bastions like Sony, EMI, Warner, Vivendi, et al are laughing their collective asses off because consumers who wish to stay legal have to repurchase the same album from iTunes, Walmart, or wherever they go next instead of repurchasing when media formats change (cassette -> cd, etc). The article implies that disgruntled customers will stick around just so they don’t lose the value they invested into those songs.
Sure they could export those mp3s to their computers but what exactly is the point? As we all move into the cloud it would make more sense for users to have the ability to log in and stream their music from wherever they are in the world. And should they decide that the next big thing in music store surpasses their current one all their licenses should move with them.
The music industry has made a big deal about the sale of music being more a licensing agreement than a transfer of property. You don’t own the album you just paid for so much as have a right to listen to the music (privately). As we extend this metaphor to movies and books this concept becomes far more powerful.
When a friend of mine got a Barnes and Noble Nook for his birthday I had to hold my tongue as he showed it off. None of the titles he purchased on his Kindle would transfer over. I suppose pax mediacana would be more apt for this post’s title but it doesn’t have quite the same ring.
Interestingly the Wikipedia article on the original term “pax romana” says that the “Romans regarded peace not as an absence of war, but the rare situation that existed when all opponents had been beaten down beyond the ability to resist.” So perhaps we are there already. It seems that consumers today are so beaten that they will accept whatever terms are dictated to them. They buy media online without thought to the limitations of how far that media can travel with them. They sign (click) away all their rights to resell the media when it is no longer interesting to them (see First Sale Doctrine). I hope this changes soon. Until it does don’t expect a penny from me in terms of this disposable media. It simply isn’t worth it.

My speech at the Works in Progress of Intellectual Property Conference

My notes for the talk I gave to a group of distinguished law professors at the Seventh Annual Works in Progress Intellectual Property (WIPIP)

I am not a law professor
i am and am not a hacker.

the term hacker has undergone significant change in the last two decades so the meaning is ambiguous these days.
let me give you this definition and for the sake of the next 4 mins of my talk consider it to be the authoritative one

hackers are computer users who are adept enough to bend the function of a program to their will.

security researchers are much like the hackers of the 1990s but unlike what the term has come to mean lately.

when researchers find security flaws in software they will generally contact the manufacturer. they are met with one of three responses:
1) disregard
2) deference
3) contempt

When met with contempt they have been threatened with law suits using a variety of novel legal theories. Reading through our history is like walking through a catalogue of existing IP frameworks. Patent, Trademark, Copyright, Contract and Criminal have all been used in response to an individual making claims that a product contains a security flaw.

examples:
In 2007 Chris Paget of security firm IOActive was going to give a talk at a security conference about the insecurity of HID badges. These badges are ubiquitous in corporate America and the issues he discovered need to be discussed. HID forced his talk to be canceled with the threat of patent infringement.

A few years earlier in 2005, researcher Mike Lynn had discovered a security flaw in Cisco routers. These devices are largely responsible for the backbone of the Internet. Interestingly Cisco had already fixed the flaw yet filed a TRO against Lynn to prevent him from talking about his work to a group of like minded peers at a security conference. In the aftermath of this incident Lynn had to agree to a permanent injunction forbidding him from ever talking about it again.

Lessig famously said that on the Internet “Code is Law”. I would like to reverse that turn of phrase for the real world.
“Law is code”
It is compiled by legislators and debugged by judges

And in this sense what the companies we write about in our paper did was impressive. They hacked the law. They bent these disparate legal frameworks to their will and used seemingly unrelated laws to silence researchers who were making claims that their product was flawed.

what our paper proposes to do is patch the law so that legal hackers can not continue to subvert the legal system anymore. And with that I’ll turn it over to Derek to explain how that would work. [pdf]

Repercussions of bad German laws on security research

This month I’m conducting some research into web hosting security issues and ran into the aftermath of the German law passed in 2007 banning security research publication. The policy has had the effect of silencing security researchers from that country. While investigating issues in PHP security I came upon the Month of PHP Bugs website and when I attempted to download a proof of concept to illustrate what type of security issues PHP had back in 2007 I got an explanation from security researcher Stefan Esser explaining why he no longer feels comfortable publishing results to the Internet.

Instead of summarizing his explanation I’m going to repost it here:

Dear Visitor,

since Friday, 10th August 2007 a new and very troubling law has been enforced in
Germany.

It is no longer legal to create and/or distribute so-called hacking tools in
Germany. This includes port scanners like nmap, security scanners like nessus
or simple proof of concept exploits like the MOPB exploits. They are now illegal
because someone COULD use them to commit crimes.

Until today I had hoped that our Bundespresident would stop this insane law with
a last minute veto, but now it is official and our government has rendered Germany
more or less defenseless against the threats from outside Germany.

Unfortunately our government has been deaf to the warnings from lots of experts
that tried to explain how important these so-called hacking tools are not only
for the current generation of security consultants to do their daily job, but
also how important they are for the education of the next generation of
researchers and consultants.

If you do not know how to attack, you will never know how to defend yourself.

Yours,
Stefan Esser

This is incredibly frustrating for someone like me who is doing legitimate research into security problems that are plaguing the Internet. Security research is a rare and valuable skill set which should be cultivated not destroyed. Yet the German law is likely driving away people from this profession due to the impossibility of publication on the Internet without fear of criminal charges. At best the researchers who are turning away in Germany are finding other less beneficial avenues to explore. At worst they are publishing underground only.

I had largely forgotten about this law being passed in 2007 because I too had assumed the President in Germany would come to his senses and repeal it. Germany has had a remarkable history with hackers (see Chaos Computer Club) so it is very surprising they went in this direction.

Some old articles about this:
ars technica
article about aftermath

I need to do some more follow up on this but so far the results look grim.

SECRE.TS

I started developing a random idea over the holidays but never finished it. I’m releasing its description here with the hope that someone will steal and then implement it :)

a hybrid social media platform using rss feeds, twitter style messaging and public, private, and group key pair cryptography. it also solves the paradox of eventual decryption through the use of one time pads and very precise randomization.

secre.ts enables the user to share cryptographically protected messaging to allow use over untrusted publicly accessible networks like the Internet.

As a messaging solution secre.ts produces the greatest assets of email-like services with the most secure traits of a virtual private network connection. VPN solutions are fragile connections and cumbersome on both bandwidth and the processor. The secre.ts hybrid approach consumes processor but the messages are broadcast in public so connectivity is hugely increased and bandwidth isn’t impacted because the messages are received in cleartext.
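The design sketch leans on one-time pads to escape “eventual decryption”, the worry that a message recorded today is broken when computers get faster. As an added example (mine, not part of the original sketch and not an implementation of secre.ts), here is the one-time pad piece in plain Python with the two properties a design like this stands or falls on: a correctly used pad gives no attacker, however patient, a way to prefer one plaintext over another, and pad bytes used twice leak the XOR of the two messages. The `Pad` class and its offset bookkeeping are my own construction to make the “one-time” rule mechanical.

```python
import os


def xor_bytes(a, b):
    """XOR two equal-length byte strings; the whole cipher for a one-time pad."""
    if len(a) != len(b):
        raise ValueError("pad material must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


class Pad:
    """Shared pad material that is handed out once and never again.

    Both parties hold the same `material` (exchanged out of band); the sender
    tracks an offset so no byte is ever reused, and the receiver only needs the
    offset that came with each message.
    """

    def __init__(self, size):
        self.material = os.urandom(size)   # OS CSPRNG: the randomness is the security
        self._offset = 0

    def take(self, n):
        """Consume n fresh bytes; returns (offset, key_bytes)."""
        if self._offset + n > len(self.material):
            raise ValueError("pad exhausted; generate and exchange a new pad")
        offset = self._offset
        self._offset += n
        return offset, self.material[offset:offset + n]

    def remaining(self):
        return len(self.material) - self._offset


def encrypt(pad, message):
    """Returns (offset, ciphertext); the offset tells the receiver which pad bytes to use."""
    offset, key = pad.take(len(message))
    return offset, xor_bytes(message, key)


def decrypt(material, offset, ciphertext):
    key = material[offset:offset + len(ciphertext)]
    return xor_bytes(ciphertext, key)


def key_that_would_give(ciphertext, plausible_plaintext):
    """Why a pad message can never be 'eventually decrypted': for ANY candidate
    plaintext of the right length there is a pad that maps the ciphertext to it,
    and every pad was equally likely. Brute force yields every message and
    singles out none."""
    return xor_bytes(ciphertext, plausible_plaintext)


def two_time_pad_leak(c1, c2):
    """What goes wrong when pad bytes are reused: c1 XOR c2 == m1 XOR m2, the pad
    cancels and the two plaintexts are exposed relative to each other."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    pad = Pad(64)                      # constructed 64-byte pad for the demo
    receiver_copy = pad.material       # what the other party would hold
    offset, ct = encrypt(pad, b"meet at noon")
    print(decrypt(receiver_copy, offset, ct))            # b'meet at noon'
    wrong = key_that_would_give(ct, b"meet at dusk")
    print(xor_bytes(ct, wrong))                          # b'meet at dusk'
```

The second print is the whole argument against eventual decryption: an attacker holding `ct` can produce a “key” that yields any twelve-byte message they like, so the ciphertext tells them nothing. The cost is that the pad must be as long as all traffic ever sent and distributed in advance, which is why the post’s own sketch pairs it with public-key cryptography rather than using it alone.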