Saturday, May 21, 2016

Convenience, shredding, and security

A couple of weeks ago I was walking and saw a row of blue recycling bins. The the businesses around the path I was taking are very big on recycling, so it makes sense to have many of those bins which were labelled for what they are supposed to take: normal printed paper, aluminum cans, cardboard, glass, plastic of a certain composition, and so on. On the top of the one for plain paper, I saw a bag full of shredded paper shoved into it. It did not go that far into the bin -- perhaps because it was a massive bag or perhaps the bin was full -- which made for a nice photo.

I think it is a bit of a stretch calling that shredded paper. In fact, the contents of that bag would be a great gift for a kindergarten: those kids would have fun making some fake hair using those thin strips. In this day and age, there is no place for a strip-cut paper shredder. For comparison, let's see the contents of a better, yet personal/small size, shredder:

With all of that said, sadly it is better than nothing. And nothing is still the norm. Maybe not as much in the office, satisfying some kind of requirements to do business with a government entity comes to mind, but it is the case at home. I could post some statistics here but instead let's do a little exercise:

  1. Do you shred documents and papers before throwing them out?
  2. Do your 10 closest friends or nearest neighbors (at least the ones you talk to) do it?
  3. Out of 10 business you go to, how many do shred their documents?

How many "nope"s did you get? Probably quite a few. Of those, ask for the reasons; I would expect you to get back something on the lines of:

  • It takes too much time.
  • I pay my staff to work, not to waste time!
  • Why someone would bother with a small fry like me where there are juicer targets?
  • I have nothing to hide!
  • It only happens to someone else.
  • It is too complicate.
  • It is too expensive.

What those translate to is a perception that it is not needed to shred those. Of course as soon as someone uses the improperly shredded documents to hurt a company where it matters most -- wallet -- the knee-jerk-reaction rule dictates said company will go full paranoid mode, fire a few employees, and throw a ton of money on who ever promises to sell them a magic bullet. Sounds familiar? But, it does not have to be that way.

Why to shred paper to begin with?

That's easy to answer: you shred documents when those physical documents are no longer needed but for whatever reason you do not want others to get to them. One example would be your bank statements after, say, 7 years. Other would be old credit cards and driver's licenses and anything that has your signature and personal info. Another is medical records. Criminals can use them to get lines of credit -- car loans and credit cards -- or even transfer money from your bank account.

Of course you might decide you do not want to destroy those documents before you trash them; that is up to you, but any decision you make has consequences. I will leave the moral decision to you. Remember that at least in the US, dumpster diving is legal.

Reconstructing a document from its shredded version is like working on a puzzle. You start with a bunch of pieces and then looking for patterns to help finding out where pieces go. If you find enough you can then try out the remaining pieces until they all have a place to go.

Can we make this puzzle a bit harder?

Shredding Suggestions

If I get your puzzle pieces and now add pieces about the same shape and size but from a different puzzle into the pile, and maybe take a few out, things get quite more problematic. And that can be done quite easily and cheaply if you want to put the time and accept some might think you are a bit odd. The following list are examples of how to increase randomness hopefully on a budget without being too time consuming.

  1. Do not shred documents you might still need. Information has a lifetime, which is why you employ different security procedures based on the length of time you need to keep said data protected. You only shred a document when you no longer need it. The receipt for a sandwich may not need to be kept as long as your tax supporting documents. So, it might be OK to shred the sandwich receipt a few years earlier than the tax ones.

    If others will be using the shredder, do help them understand when to shred.

    I have the utility bills from where I lived some 10 years ago. I think it is time for them to go meet Shredder-chan.

  2. Place your shredder close to where you (or your family/staff) will use. Make it convenient to use.
  3. Buy a shredder that can handle at least 20 pages and cuts them into confetti. Shredder size is determined by amount of paper you plan on shredding every day (double it to be on the safe size). Confetti is the largest size you want to cut your documents.

    If you have to choose (budget constraints) between capacity and size of the shredded paper, get the one that cuts the paper into the smallest pieces.

  4. Don't shred only important documents. Mix non confidential -- Chinese Restaurant take out menus, spam, ads from local car dealership, grocery list, homework -- stuff with the confidential documents. Yes, it takes more work, but it makes it much harder for someone to find the good stuff inside a bag of shredded documents. You are making the haystack where your needles are much larger.
  5. If you have more than one shredder in your office/home, mix their contents. This can be as simple as having one of those large blue recycling bins from the first picture and pour the contents of the different shredders into it in the end of the day.
  6. Find neighbors (home or business) who shred documents and suggest to mix all of your shredding together.. Same as the previous step, but think of it as an excuse to get to meet new people!
  7. Divide the content into smaller bags and drop them at different locations. If you only shred paper, why not take some to one of those paper recycling drop places. And maybe to a dumpster by the local Chinese fast food place we mentioned before. Or maybe see if someone wants to use it as pet bedding. Try to be as random as you can when filling the bags.

Final thoughts

If you want to shred documents, I hope this gave you ideas of how to make the shredded output more secure. Or at least got you started. I a a firm believer that just throwing money at a problem hoping to make it go away usually does not work as one expects.

So I know this shredder company. You know the kind: they come to you, get documents you put in a supposedly secure bin, and will shred your documents. One thing they are particular is that they do not want you to put pre-shredded documents in their bin. Why?

Saturday, April 16, 2016

Telemarketing Cold Call Gone Wrong

I have a feeling most of us who live in the US had to deal with telemarketers one time or another. On my side, that usually happens when a company I dealt with sold my info out. And example would be when I buy a domain. Last time I did it, which was for this very site, the next three weeks were filled with calls to my home trying to sell me services. And the same happens at work. The tactics change depending on where they are calling you at:

  1. If calling your home/cell number they will try to appeal to emotions such as greed "you have won a prize! Please stand by to provide the personal info we seek" or fear "there is a warrant for your arrest! Call us back immediately at this number."
  2. If calling at work they might try to generate the lead by offering a white paper or a webinar if you, or who has purchasing authority, provide them with info. We do get the whitepaper one a lot at work.

On April 13 I received one of those calls. I twitted about that once it was over, but I thought it deserved a longer/better entry. The story begins with a telemarketer who works for a company selling "secondary storage solutions" from what I had gathered from the questions; but since he was doing a bit of recon, he did not identified himself as so. I wish I had a way to record the conversation, but that was company's phone. In any case, it went something like this (I will put my thoughts in itallics):

  • Telemarketer:I am doing research and my deadline is this Friday. Can I talk to the IT manager?

    As we know, any good social engineering campaign relies on pressing some sense of urgency onto their victims so they are compelled to act before thinking. I am not one of those experts with years of experience in the field, but my BS detector is well trained. However, by default if I receive a call of an unknown number I assume scam. To give the benefit of the doubt, I decided to ask a few questions. Note that I also broke the expected handshaking flow.

  • Me: Oh really? Which organization are you with?
  • Telemarketer: I am from the University of the United States.

    When I heard that reply, the first thing that came to my mind was that scene in Coming to America when Eddy Murphy tells the Shari Headley he attends The University of America, which she has never heard of. In other words, scam. So, game on!

  • Me: Oh really? I have never heard of it. Where is it located?
  • Telemarketer: Santiago.
  • Me: You mean, as in Chile?
  • Telemarketer: Sure. I want to ask a few questions about your storage for my research that is due on Friday. this should take 30 seconds. Which storage system do you use for your secondary storage?

    His research is due on Friday! This needs to be done now! Oh the urgency! And technical terms like "Secondary Storage!" I am confused and being compelled to divulge info! What should I do?

  • Me: PickleNAS.

    Don't hate me; that's the best fake name I could come up with under so overwhelming pressure. It would be funny if that actually exists, so you there! Go create the PickleNAS! Now!

  • He did make me spell it out. I wonder when he will realize what I was up to? I was begin to have a hard time holding my laugh; but I was going to prevail!
  • Telemarketer: How much storage do you use?
  • Me: 1 3/4TB
  • Telemarketer: One and three-quarters?
  • Me: Yeah, we don't read much here.

    I was dropping hints but he would not get it.

  • Telemarketer: I see. Are you the IT Director, Manager, or in a Decision Position?
  • Me: Nope.
  • Telemarketer: I see, so you make recommendations. What is your title?
  • Me: Food taster.

    I swear that was my reply.

At that point, I hung up. I could not go on and needed to burst out laughing. Funny thing is that the same person -- at least the number on the callerID was the same -- called again. She was a bit nicer to him and just told him to bugger off.

Moral of the Story

Good question; I really have no good sensible and proper security advise. I guess that once you realize you are dealing with telemarketing or some spam/phishing call, I see nothing wrong with turning the table around and having fun at the attacker's expense.

Tuesday, March 29, 2016

Phishing is too easy

I only remember going in a boat fishing once. And did not catch anything. And had to help with engine problems all the way back to the dock. So I can't claim to be a fisher for I never learned and endured the hours of being pooped by the mocking seagulls while waiting on fishes who were much smarter than we give them credit for fall for the lure and get stuck on the shiny hook by the end of the line. There are many man, women, and children who are very successful in the way of the fish; I am not one of them.

Phishing is a completely different story. It is very easy to do. You can call it caveman-easy but you would be then insulting the cavemen. And yet, it is extremely effective.

Businesses (should) worry about being hacked since a breach costs them money and reputation. So, they (should) do their best to prevent the bad guys to get in by patching servers and services and deploying firewalls and making sure their mail and web servers are will not let anyone try to log in. Of course their problem is exacerbated because while they need to protect against any possible attack, the attacker just need to find one weak point to get in. And the easiest way to achieve that is through social engineering.

Basic Phishing Recipe

  1. Get a free website account. This is kinda important if you are providing a link in the email for your victims to click on. Some of them allow you to use very little or no verifiable info to create said account. So you can use really bogus info.

    Now, if you are doing Microsoft Office Macro attack, this still might be a good idea since it insulates your real addresses. Remember, it is not hard to create code to send collected data from the site to somewhere you want to collect the data.

  2. Select your target. You think that means to select the business you want to attack. Well, you are wrong; thanks to the crusade to push everything to the cloud you really need to think on a larger scale and go for who hosts those companies' emails. Based on what I have seen, the commercial google mail or the Microsoft equivalent (Office 365) are the best bets. First, a lot of businesses are using them, which mean you have to only hit one single target.
  3. Decide how you are going to deploy your payload. Are you going to send an attachment (most of the time a Word document) or a url? What about an executable (badly) disguised as an image? I say badly because I have seen a lot of attachments whose extension is simply changed or have an image extension appended to the filename because of how Outlook presents those attachments.
  4. Write the email. I would love to say this requires you to be creative and spend hours or days to recon the target company to figure out corporate colours, normal email format and language, and even the proper email addresses before launching an email-based attack. The reality is that is not necessary unless you craft it so badly the target's detection system will flag your email.

    People will fall for those emails even if it is badly written. Now, I am not saying everyone will, but those who are really busy and have to be reading and replying to emails every day -- people who order stuff from vendors all the time -- are rather likely to do so. They do not have time to stop and think whether the email makes sense. They will scan, made a decision, act on it, and then move onto the next target.

  5. HTML is your friend. The vast majority of people use email clients that will render a HTML-based email. If they use Office 365, you can disguise your attack links as
    <a href=https://shadysite.com/malware.exe>https://www.safeurl.com</a>
    Sometimes if you hover the link the real url will be shown, sometimes it does not.

References

Friday, March 11, 2016

On Handshaking

Since this blog deals with social engineering and the lesser technical aspects of hacking, your Pavlovian reaction to when I say handshaking is two hands -- no assumptions of where they have been -- holding each other and maybe shaking:

and that is exactly not what I have in mind. Instead, let's leave the realm of squishy beings and go to computers. There when a device wants to talk to another, it starts some kind of handshaking protocol to establish connection parameters and authentication. Once that is successfully established, data transfer begins.

But, how does that apply to people (I was going to say humans but it might be too politically incorrect)? So we have two people, Red and Blue, which are named after the web series of, well, the same name. They meet somewhere and start talking

There are a few subtle variations (Red might reply "I'm fine too!"), but the main point is they may be talking to each other, but they are not yet holding a conversation. In fact, they are in the handshaking phase that, as in networked devices, precedes the actual exchange of data, which is represented above by the "BEGIN TALK" line.

he difference between them and machines is that they really have not said anything; this was just a ritual learned by rote.

If you want to test how mindlessly people go through this handshaking protocol, change a bit your answers and see how they react. Here is an example I have tried at a store:

As you can see, Red

  1. Heard Blue reply but did not listen. As a result.
  2. Assumed the content of the reply matched the standard handshaking
  3. Replied to the assumed reply
  4. Finally realized the carpet has been pulled from under him. In other words, TILT.

The basis of Social Engineering as applied to hacking is to identify the expected pattern and use it to persuade others to help you achieve your goal. Expect to see quite a few examples here.