TechByter Worldwide

If you enjoy today's article, please share it!

Program Date: 19 May 2013

Before Clicking, Think (You'll Be Glad You Did)

The message looked legitimate. The TrustWave logo was present and in almost well-written English, it said "This is an auto-generated letter to notice you that the scheduled TrustKeeper vulnerability scan of YOUR COMPANY NETWORK has completed and is not compliant." The recipient was offered a link. The recipient did not click the link. The question is why.

Click for a larger view.Why didn't the recipient click the link? The person who received the message works for an extremely large corporation that handles financial transactions for hundreds of thousands of businesses worldwide, so this would seem to be an important message about network security.

The recipient didn't click the link because he knew it was fraudulent and maybe that's the most important part of this account.

The recipient knew that the message was fraudulent because his duties at the gigantic company do not include network administration or security at any level. He knew that a legitimate warning message such as this would not be sent to anyone other than corporate network administrators or to corporate management. So without looking for any of the tricky little telltale signs that I like to talk about, he knew not to click the link.

Instead, he forwarded the message to corporate network security administrators, local managers, and me.

And the message is an excellent forgery, as you can see. The message was reasonably convincing: "IMPORTANT: During the scan, TrustKeeper Disclosed that your network is at risk. Trustwave strongly recommends you review these findings as your overall PCI DSS compliance status may be affected."

If you're not a banker or someone who's involved in financial transactions, you might not know what PCI is. The Payment Card Industry (PCI) Data Security Standard (DSS) has been mandated by major credit card providers with the goal of protecting card-holder data. PCI DSS compliance requires adhering to specific standards. And institutions that fail to company may be fined up to half a million dollars per incident or have their processing privileges revoked.

So anyone who's in the business and who has just enough knowledge to know that the PCI DSS is a critical part of the operation could be tricked into clicking without thinking. Doing anything without thinking is almost always a bad idea.

The link that the recipient was offered appeared to go to the TrustWave website, but (as I'm sure you already suspect) that's not where it went. Instead, the link went to a compromised website in Austria. I discovered by by reading the contents of the link's target into a PowerShell variable and then inspecting the contents of the variable.

Anyone who followed the link would have seen a message that said "You will be redirected to [the] process. We must complete [a] few security checks to show your transfer details. Be sure you have a transfer reference ID. You will be asked to enter it after we check the link. Important: Please be advised that calls to and from your wire service team may be monitored or recorded. Redirecting to [c]omplain[t] details... Please wait..."

Only a few telltale signs exist to suggest that this message was written by a non-native speaker of English. While the recipient is reading the message, the browser is being silently redirected to a compromised directory on what appears to be the Mumbai (India) Transit System (Mumbai Local Train Timetable). This is the location that would try to install malware on the user's computer, but the malware is served from a directory that the operators of the Mumbai Local Train Timetable are probably unaware of.

Click for a larger view.Again, I tried to load the contents of the target into a PowerShell variable and, as expected, my antivirus application refused to allow the connection.

Near the end of the message the fraudster exhibited a bit of genius that might have been associated with the famous not-by-P-T-Barnum quotation*, "There's a sucker born every minute."

The message continued: "Note: If you monitor your network for activity, note that the TrustKeeper scan may originate from IP addresses in these ranges:
200.17.202.0/24
66.30.233.0/24"

The first IP address block (200.17.202.0/24) is located in Brazil and is licensed to Universidade Federal do Paraná; the second (66.30.233.0/24) is in the United States and is licensed to Comcast.

This is a bit of cleverness that's worth noting because, after the initial malware is installed, zombie computers in either (or both) of those IP address blocks will probably try to contact the computer, possibly to install additional malware or for command-and-control functions. If the user has a firewall, the firewall might display a warning. The user, having been warned to allow access from those IP addresses, could reasonably be expected to defeat the firewall and allow the connection.

This is what we're up against and it's why it's so important never to click a link without first considering its legitimacy.

*P. T. Barnum Didn't Actually Say It

According to the History Buff website, it was actually a banker named David Hannum who said "There's a sucker born every minute," and if you want to read the entire story of how P. T. Barnum was credited with making that statement, you'll find it on the History Buff site.

When Somebody Steals Your Cell Phone ...

Cell phones and other portable devices are attractive to thieves because they're easy to take and they can be converted to cash with relative ease. Although it varies from state to state, there's not much police can do to help even if you track your phone down.

Consider Columbus, for example. I noticed a story by Allison Manning in the Columbus Dispatch in mid April. A man had gone to a police substation on April Fools Day to report that his Android phone had been stolen but that he knew where it was.

A tracking option showed him almost exactly where the phone was, but it was in an apartment complex. Police said they couldn't go door to door in an apartment complex to recover the phone so the man continues to be able to track the phone's location but not to recover it.

It's all the more frustrating because various services are available to track a missing device. Some of them even take pictures to help with the recovery but unless the phone's value exceeds $500, theft is a misdemeanor and police investigations are limited. It used to be $1000 but new legislation dropped the limit to $500 about a year and a half ago. Columbus police are working with a central Ohio legislator to update the Ohio Revised Code so that thefts of computers and telecommunications devices would be a felony.

In New York City, theft of a cell phone is a minor offense and a low priority for police but in early May, reporter Michael Nagle of the New York Times described an incident that started with the theft of an Iphone and brought back memories of the chase scene in French Connection.

About 16,000 cell phones are stolen every year in New York City.

A thief grabbed a phone from the hands of a woman in Queens, who flagged down a police officer and provided a description. Another officer pulled out his Iphone and used a service to track the woman's phone. It was about a block away, so the police went to look for it.

When they arrived, though, they saw that the phone was moving and the #7 subway (elevated in Queens) had just left the station. The officers drove to the next station but were too late to catch the train.

Reporter Nagle put it this way: "Onward the officer drove, around cars beneath the subway tracks, like Gene Hackman’s character, Detective Popeye Doyle, in 'The French Connection.' Of course, Popeye was after a cop-killing henchman for a drug smuggler, while Officer Hamid was chasing a teenager who had stolen a woman’s iPhone. But, as they say, the city has changed."

Click for a larger view.Fast-forward a bit. A police sergeant called the Metropolitan Transportation Authority and asked to have the train held short of the next station. Police arrived, boarded the train, and spotted someone who fit the description. But there was no probable cause to search him.

What to do? One officer called the stolen phone. The guy's backpack rang.

The guy with the ringing backpack said he'd boarded the train in Brooklyn. Bad guess. The #7 runs from Flushing, Queens, to Times Square in Manhattan; it never enters Brooklyn. He was given an all-expense-paid trip to Rikers Island and was not allowed to pass Go or collect $200 on the way. From there, on a clear day he might be able to see Queens and part of the Bronx, but not Brooklyn.

By the way—more than 40 cellphones were stolen in New York City that day. One was recovered.

Short Circuits

Dance to the Google

Google, the company that wants to be everything to everyone all the time has started streaming music. The company's developer conference began on Wednesday in San Francisco and that's when the music started.

The plumbing was already in place via Google's Play Store and, of course, YouTube is a Google division.

Operations such as Spotify and Pandora allow users to listen for free (with commercials) or to pay for commercial-free listening. The services then pay royalties to the labels.

Google launched a music service in 2011 that sells individual tracks and albums. The new offering will be for paid or free subscribers to have access to libraries of songs.

Google's Engineering Director Chris Yerga said that the service will offer a wide variety of music for users of Android devices. Calling it "radio without rules," Yerga said that users can either listen in what he termed "leanback" mode or take as much control as they want.

Although Google's app works only with Android devices, any device that has a Web browser can be used. And there's an option to upload your own music to Google so that you can listen to it anywhere and at any time. If you're old enough to remember when it was a big deal to be able to carry around an hour's worth of music on a cassette tape, try to imagine what you would have thought if—back then—someone had said this would someday be possible.

There's a 30-day free trial and, after that, full access will cost $10 per month ("$9.99"), which is the same price as Spotify Premium. Those who sign up by June will pay $8 ("$7.99") per month. A standard account is available for free ("$0.00") but it eliminates the ability to skip selections or create a personalized station.

Google has licensed music from Sony, Universal, and Warner. Millions of songs are available now. The service went live on Wednesday.

Apple's Itunes store sells music online but doesn't yet have a streaming option, but that could be in the works, too. There are persistent rumors that Apple is talking with several music companies about streaming.

RIM Continues to Survive

Just about everyone had written off Research In Motion, the maker of BlackBerry devices, but the rumors of the company's death may have been premature. This week RIM's CEO, Thorsten Heins, previewed a less expensive BlackBerry and said that the company's Messenger service will soon be available on Android devices and Iphones.

Heins says the apps still must be approved for sale by Google's Play Store and Apple's App Store. More than 60 million people still use the BBM service even though there are many competing services.

A noteDon't expect to see the cheaper device in US stores, though. The Q5 will be available in July but only in Europe, the Middle East, Africa, Asia, and Latin America. In the US, you'll be able to buy a more expensive model, the Q10, starting sometime in June.

Unlike most competing devices, the new models will continue to have physical keyboards. (That's the Q10 at the right.)

Both come with 2GB of RAM, but the Q5 has 8GB of flash memory while the Q10 has double that. Both have 2-Mpxl cameras that face the user, but the Q5 has a 5-Mpxl rear-facing camera while the Q10 ups the count to 8-Mpxl and it can record HD video. Both devices have 3.1-inch displays, but the Q5's is an LCD display and the Q10 uses LEDs.

When RIM introduced the BlackBerry in 1999, it quickly became the dominant smart phone but it has been eclipsed by the Iphone and Android phones.

If Nobody Has Coined the Word Yet: Cybertage

The US Department of Homeland Security continues to ratchet up warnings about attacks on corporate computer systems. Not espionage, they say, but sabotage. Or maybe "cybertage". The source seems to be the Middle East. Note that I did not say China.

The Chinese attacks typically try to extract usable information. Additionally, because China does so much business with US firms, sabotage wouldn't serve their purposes as much as spying does.

The recent Homeland Security warnings say that the attacks from the Middle East are tailored more toward destroying data or causing industrial failures, much like the Stuxnet worm that the United States and Israel pushed into Iran.

The warnings from Homeland Security say that intruders have managed some alarming intrusions that tamper with, among other things, chemical processes. Homeland Security works with ICS-CERT, which has long been active in promoting computer security. The organization notes that the recent probes are attempts to "disrupt business and control systems."

Energy companies have been the primary targets and Homeland Security says it appears that the goal is to find a way to take control of distribution systems from outside.

The exact source of the attacks isn't known and Homeland Security isn't saying whether the work appears to be that of independent criminals or state-sponsored agencies.

Israeli security experts have indicated that they believe the attacks are the work of Iran, possibly in response to the Stuxnet attack.

An Audio Note

A noteYou might have noticed that the audio quality of last week's podcast was a bit below the usual standards. That's because I had to go back to an older process while troubleshooting the source of some extraneous noise. At first it appeared to be a problem with the console that provides audio to the computer and what's called phantom power to a microphone amplifier that's needed to raise the level of a ribbon microphone. Ribbon mics have notoriously low output so the amplification is required.

The phantom power light was flashing on the console and, with each flash, a noise spike occurred on the audio input. Initially, it was the console that was suspect, but additional testing identified the source of the problem as either the cable that connects the CloudLifter CL1 microphone amplifier to the Focusrite Saffire 6 USB console or one of the XLR connectors on either end of the cable. Replacing the cable eliminated the problem.

And that's probably more than you needed (or wanted) to know.