Posts Tagged ‘J! True Stories’

Grande Theft Auto… What Was He Thinking?
Last Updated on Monday, 21 July 2008 11:37
Written by JJ
Thursday, July 3rd, 2008

Well, it didn’t happen to me- but here’s another J! True Security Story for you…

I went to the salon today to ‘get my nails did’ and was greeted with quite a ruckus. The entire staff is Vietnamese- no big surprise there- but the owners and most employees speak English extremely well and so everyone is always chit-chatting throughout the salon.

The wife side of the husband-wife team was especially giddy as she shared a little gem of a story with me today… and I didn’t feel I’d be doing you justice to keep it to myself. 

They (the salon staff) all live in one of the larger cities here in NC. One of their friends (a middle-aged guy) was out shopping Monday and was sitting in his car in a parking lot during a coming- or going- to a store. A young girl (mid-20’s) came up to his car and motioned to ask for use of his cell phone.

Now, at this point in the story, I could have told you the rest…

He opened the window a bit and the young lady asked to borrow his phone for a moment to call a family member. Turns out she had some car troubles and needed a ride. Being the nice gentleman that he is, he lent her the phone and she took a couple of steps away to make the call. Only… she didn’t stop. Evidently she got about 4 cars down the row before our chivalrous guy got out of the car and gave chase.

When he got in reach, she pushed him down to the ground and – yep – ran back to his car, phone still in hand… and drove away.

He now has no car and no phone. So, ironically enough, he then had to approach a stranger and politely ask for the use of their cell to phone home and let the group know he was bamboozled. A few tears were shed, but his wife assured him it would be fine and he shouldn’t be scared. (No, I’m not making that up).

I was giggling right along with her (and the guy’s wife, who happened to be there).

Moments later I thought to myself, “I hope that doesn’t happen to me!” Almost in the same instant I realized… it probably wouldn’t. I’ve been a bit of a paranoid freak since I was little, thanks probably in most part to having two ex-military intelligence parents. For all my life I’ve been raised with ‘the security mindset’ as Schneier refers to it.

Always suspicious… always calculating… always aware… and certainly never underestimating a situation.

And so then I had to muse… WHAT WAS HE THINKING leaving the car running and unlocked to go after the siren with the cell? For the sake of politeness, I kept my question to my ‘inside voice’, but I do have to wonder why you’d sacrifice the security of a vehicle for a $50 cell phone.

The moral of the story… There are two. 1) Involve someone with a ‘security mindset’ and 2) Your security is only as strong as your people. A sweet damsel in distress… social engineering at its finest…

# # #

PCI, PII, a Roofer and a SSN
Last Updated on Monday, 21 July 2008 11:43
Written by JJ
Monday, June 9th, 2008

Yet another J! True Security Story for you…

This weekend I met with a roofer at my rental property to take measurements, see what needed to be done and get an estimate. When we met at noon, it was over 100 degrees there in central North Carolina and we spent just short of 3 hours going over everything.

The roofer, let’s call him Ross, was from one of the larger commercial home improvement stores. This particular store was offering a consumer credit program with 12 months interest-free financing. There was also a full window replacement project to follow right behind the roof. While I was prepared to pay cash for the roof and/or windows, the no-interest option offered an advantage, so I read the terms and conditions and gave the go-ahead.

Before I realized what was going on, my friendly roofer Ross was filling out a consumer credit card application for me. I remembered thinking this was odd, as we leaned against his truck, still outside in the heat. I think I mumbled something to the effect of “oh, it’s strange they make you guys do this part too..”. He had asked for all the usuals- my current and previous addresses, annual income and – of course- my Social Security Number. And, after standing in 100+ degree heat for 3 hours, I gave it all to him without batting an eye. As soon as he had it all, he called in to the mothership and was processing my credit app over the phone as I stood by to answer any new questions.

This day happened to be Ross’s wife’s birthday and they had some afternoon plans once our appointment was over. I was his last appointment of the day before he headed home to the missus for her birthday celebrations. I thanked him for his time, wished him a happy weekend and went on about my day.

What was wrong with this picture? I didn’t quite figure it out until a tall glass of tea cooled me down and returned my brain to normal operating temperature. What in the name of security did I just do? All my information (including my new credit card number) was written down on that credit form and tucked into his little notepad with the other miscellaneous papers, product glossies and forms he was carrying around… in his personal truck… on a weekend… D’OH.

I’m sure it will be fine (that’s what we all tell ourselves, right?). But in the off chance something happens… well, let’s not even go there.

# # #

Security ‘In the Bag’?
Last Updated on Tuesday, 12 August 2008 03:45
Written by JJ
Sunday, March 2nd, 2008

Another J! True Story…

I recently refinanced a house, and had paid a visit to my local bank branch to get a certified check for the closing. It’s a process that takes a few minutes, so as I waited at the counter, I began looking around and checking out all the happenings at the bank. It was pretty quiet, one other customer at the other end of the counter, and a bank rep adjusting some brochures hanging from a display.

As I looked around, a middle-aged Hispanic woman walked in… with a fairly crinkled McDonald’s bag in hand. No purse, no bank pouch, nothing else. It immediately struck me as odd- to walk into a bank, empty-handed except for this drive-through souvenir. This bag had lived out its useful life, so I assumed she brought it from the car to chunk it.

But she didn’t. And when she walked past the trash can and approached the counter, I knew what was coming.

Out of the crinkled fast food sack, emerged a large zip lock bag containing – something – about the size of a deposit booklet or stack of checks. Maybe there was a stash of cash amongst the contents, I’m not really sure. I tried not to stare but I was thoroughly amused at this shenanigan… and extremely curious.

I returned to my previous thought- how was this secret op mission she devised supposed to conceal the contents? Is an overtly re-used McDonald’s bag less obvious than a purse or small bank bag? All the rest of us females entered with purses and envelopes… only 1 entered with a Secret Sack. Had I been a thief planning to pounce on an opportunity, would the Secret Sack not be more interesting than a basic purse? Probably- that’s what I thought anyway.

The Secret Sack definitely made the patron feel safer about carrying around the contents, but from an outside perspective, I found it obvious and counter-productive. Instead of throwing a would-be perp off the trail, I suspect it would have served as bait. In her mind though, security was ‘in the bag’. Maybe now, instead of ‘Black Bag Ops’ we can call them ‘Golden Arch Ops’?

Remind you of any IT Security Policies you’ve seen? I can think of a few… And from now on, we will call them – you  guessed it- Golden Arch Security Policies.

# # #

A Garage Door Hacking, Bombs and a Rolling Code
Last Updated on Tuesday, 12 August 2008 03:18
Written by JJ
Wednesday, January 2nd, 2008

You have to read this one, don’t you? The title is just too catchy to let go.

If you read my recent post on “Ignorance Without Bliss”, you know I was helping out one of my SMB friends, the owner of ‘This Office’ in the story. In my follow up, I told you about the vandalization of the business. And I told you that story so I could tell you this one.

I was at my office the day they found the business had been vandalized. After staying late to work out the password issues and finish up with their PC, I actually had to head straight over to our local ISSA meeting. It was our annual wrap-up and board elections, so it lasted a bit longer. After the meeting, I went along my merry way to This Office to deliver their clean and accessible PC. Finally, I made it home just before midnight.

At 11:48 pm I pulled up to my house. With all the neighbors already asleep, it was dark and lonely at the end of our cul-de-sac. As I got to the middle of the circle I stopped- my garage door was wide open. The position of the house and the garage made its gaping hole obvious from all parts of our street, and the next one up. It was also garbage day, leaf pickup day and recycling day, so I have no clue how many strangers passed by. Nor did I have a clue how long it had been exposed like that- possibly since I left for work at 8:00am – potentially 16 hours of a poor defenseless house. Which may not have been an issue, had it not been my habit to leave the door from the garage to the house unlocked – all the time.

It was freezing outside, so I sat in my warm car while I thought about my options. I called a couple of local friends, but got no answer. My normal instinct would be to go on inside, check it out and move on with life. But with the recent ‘issues’ at This Office, including the breaking, entering and vandalizing the day before, I did some re-thinking and called the non-emergency number for the local police department. I explained I felt pretty sure someone’s opener happened upon my code but… better safe than sorry.

Everything was fine. Three uniformed officers came. They came, they searched, they conquered the empty house and then let me inside.

So it got me thinking. What are the chances of a modern rolling-code garage remote ‘stumbling’ upon another code? Old garage door openers were just remote transmitters, like those used in bomb detonators. Then I guess we moved to coded sets, programmed with dip switches on the transmitter and receiver. (I used to use one of my Dad’s old red plastic dip sticks to put my hair up in a bun) :)

But now…. NOW we have rolling code systems that should make it practically impossible (so they say) to open the wrong garage door with a stray remote. There are about 9 houses which could be in ‘clicking distance’, including 3 angled from other streets.

So, is my garage door opener a dumb bomb detonator? Do I need to dig up that dip stick again? Is it likely someone was trying to ‘hack’ my garage door? Or, are the probabilities of a duplicated code-hopping remote being within range of my house the most likely answer to today’s riddle?

Who knows. But, my lesson was learned. Now I religiously lock the door inside the garage… just in case.

# # #

Ignorance Without Bliss: a J! True Security Story
Last Updated on Tuesday, 12 August 2008 03:15
Written by JJ
Tuesday, December 4th, 2007

Sometimes when I’m flipping through the television stations, I see the ‘E! True Hollywood Story’ shows, in my case on Time Warner’s channel 62. If you haven’t seen them, the series offers a documentary-style look at the ‘true’ lives of Hollywood’s top A-listers and their story of chasing fame and fortune.

Perhaps not quite as interesting, but equally puzzling and outrageous, I’ve decided to log my own chronicles of astounding and crazy true InfoSec stories- henceforth to be known as: a J! True Security Story.

 

A J! True Security Story Episode 1: Ignorance Without Bliss, an SMB Security Schmuck

I don’t get worked up often, but when I do it’s quite an occasion for friends, family, co-workers and customers (if they get to witness it). Today is one of those days.

Being in ‘the IT’ industry as we are, we get regularly volunteered by friends and family to ‘fix computer problems’. That infamous question…. “hey, I’m having problems with my ___, could you look at it for me?”. Feel free to fill in the blank- computer, printer, router, Internet, vcr– sometimes even toaster. UGH. Usually I cringe within the first few syllables, and politely inform the requestor that I’m actually a network person, not a computer person, and I’m blonde and – therefore, know nothing about computers themselves. Sometimes it works, sometimes- not so much. However, there are a few friends, mostly some key SMB owners, that I enjoy helping and am genuinely interested in their success. So, for these few, I offer my advice and help whenever needed.

And this, my friends, is how Episode 1 begins.

Names and locations have been changed to protect the innocent (if there are any). We’re going to call this business This Office. This Office is a small business, with several nice people, including the owners. There is also the target of my rants, ‘the security schmuck’ we’ll call him Stan. Stan is an employee of This Office.  

I found, during several trips to This Office to fix various things, that Stan had been habitually abusing the poor office computer. To give you a general idea of what I had been dealing with (for example) Stan had at one point uninstalled Windows XP Pro and installed Windows ME. Stan also uninstalled Symantec AV and installed several free-ware antivirus programs… and a keylogger (yep, I had at least 2 people’s Bank of America logins just from glancing at the log file). The list continues.

So, This Office recently purchased a new computer with Vista and an integrated Credit Card reader that used the PC and its Internet connection to process payments. On a recent trip I find that Stan has installed four (4, fooooor, 1-2-3-4) file-sharing apps, including BitTorrent, Limewire, Shareaza, etc. and was using them to download large games. I was called by This Office’s management because they couldn’t browse online or get office email. It also appeared as though Stan was either accessing the office computer remotely from home, or vice versa. I explained to the Owners what was going on, and why we needed to put a stop to it, with discussions of both PCI Compliance and productivity. With the Owners’ permission, I stopped and uninstalled all the file sharing apps, previously downloaded games and other ‘things’ that didn’t need to be there.

About 3.5 hours and 2 lattes later, we had a fresh start and a functioning PC. The Owners did not wish to lock anyone out or restrict access, so, against my better judgement, I left it as it was. I did send a ‘nasty-gram’ via email the following morning explaining what I uninstalled and why. Included was a list of acceptable and unacceptable uses of the office PC, and the whole thing was to be read at the staff meeting that day.

And it was… And it obviously p***ed off Stan, because the next opportunity he got, Stan designated his account as the only Admin account, created a new low-permission account for the office managers’ use, locked down their access (even to email and Internet) and re-loaded ALL the file sharing apps again. Bad idea for Stan, because now the owners, the office managers and I are all p***ed off ourselves. Even after much pleading and begging, Stan refuses to deliver the correct password to the admin account to the owners. Stan says it’s “Can’t stop me”, noting the capital ‘C’. After a couple of days, he claims to also be locked out (which is horse poo, because I can see he’s logged in).

Finally an owner lures him into the room, slips out, and gives me 5 minutes alone with him. I try to nicely explain why I’m there, what I do, and that I’m not buying his story. He still insists he doesn’t know the password. We go round & round until I finally tell him he can either magically recall the password now, or I’ll be taking the computer with me and he won’t like the condition of it when it’s returned.

His reply? “Fine, do what you have to- I’ll just break into it again”.

Oh no he didn’t.  I usually have very low blood pressure, but I felt it rising quickly at this point. I let him go, we waited until he left, I disconnected everything and took the computer. (FYI, during the dis-connection I found he had installed an unsecured Linksys Wireless Router to everything too. The Owners were not aware of the wireless device, and This Office is directly adjacent to a couple of hotels, so we took that out too.)

What happened next was pretty fun. I found that Vista does not use the LM hashes for password files (the rainbow tables for which are readily available for free online). It uses NT hash files, and those rainbow tables cost a few hundred dollars. Figuring the Owners didn’t want to spend money on our Schmuck, I extracted the password hash files, saved them, then used a pre-boot utility to create a new Admin account for the system. I was curious if the password Stan kept giving us was close to what it actually was, or if he was just lying.

Luckily some new-found security friends in Switzerland took the hash file that was extracted and ran it against their tables there and discovered the password. In about 15 minutes I received a text on my cell phone “2slow4me”.

When I returned the computer, I reprovisioned the accounts, locked his down and changed his password to ‘2fast4you’.

Hey, I needed some type of amusement after the many hours of dealing with this schmuck. Psychotic.

 

Moral of the Story. I hope my Ignorance Without Bliss story will be an eye-opener for all SMB owners out there. This business did not have an acceptable use policy, nor did they have any knowledge or control over what was being done to their primary office computer. This computer contained a variety of customer information (including some medical data), was processing credit cards, and was left vulnerable to a variety of security threats because of an employee’s actions. Fixing these issues in all could have easily cost a few thousand dollars, and that’s nothing compared to the fines and lawsuits that would have followed an exposure.

# # #
