NetEqualizer News Blog

By Art Reisman

About six months ago, I was trying to access a web site when I got the infamous message: “Your Flash Player is out-of-date”.  I was provided with a link to a site to update my Adobe Flash Player.  At the time, I thought nothing of updating my Flash Player, as this had happened perhaps 100 times already. That begs the question as to why my perfectly fine and happy Adobe Flash Player constantly needs to be updated?  Another story for another day.

In my haste, I clicked the link and promptly received the Adobe Flash update for my Mac and installed it. For all intents and purposes, that was the end of my Mac.  This thing just took it over, destroying it.  It would insidiously let me get started with my daily work and then within a few minutes I would receive a barrage of almost constant messages popping up telling me I had a virus and to call some number for help.  Classic Ransomware.  At the time I did not think Macs were vulnerable to this type of thing, as the only viruses I had contracted prior were on my Windows machines, which I tossed in the scrap pile several years ago for that very reason.

My solution to this dilemma was simply to re-load my Mac from scratch.  I was up and running again in about one hour.   A hassle yes, the end of the world – no.

Now you might be wondering what about all my data programs and files I store on my Mac?  And to that I answer what data files?  Everything I do is in the Cloud, nothing is stored on my Mac, as I believe that there is no reason to store anything locally.

Gmail, Quickbooks, WordPress, photos, documents, and everything else that I use are all stored in the Cloud!

For backup purposes, I periodically e-mail a list of all my important Cloud links to myself.  Since they are stored in Gmail, they are always accessible and I can access them from any computer.  Data recovery amounts to nothing more than finding my most recent backup list e-mail and clicking on my Cloud links as needed.

By Art Reisman

CTO, APconnections

Inspired by the recent accusations regarding  the alleged Russian Hacking of the DNC e-mail servers, I ask the question, is it really possible for our intelligence  agencies to say with confidence exactly who hacked those servers?  I honestly don’t think so. To back up  my opinion, I have decided to  take our faithful blog readers through the mind and actions of  a professional hacker,  intent on breaking into a  corporate e-mail server, without leaving a trace. From there you can draw your own conclusions.

My  hacking scenario below is based  on actual techniques that our own ethical hackers use to test security at corporations. These companies  contract with us to deliberately  break into their It systems, and yes sometimes we do break in.

First we will follow our hacker through the process of a typical deliberate illegal break in, and then we will  analyze the daunting task of a forensic expert must deal with after the fact.

Here we go….

Phase I

• First I need a platform for the first phase  of my attack. I want to find a computer with no formal ties to my identity. Just like  the public telephone booth of the 70’s and 80’s were used for calling in bomb threats,  the computers in your   public  libraries can easily conceal my identity.
• To further cover my trail, I bring my own  flash memory with me to the library, it contains a software program commonly referred to  as  “BOT”. This allows me to move data programs onto the library computer without doing something like logging into my personal e-mail , which would leave a record of me being there.  In this case my BOT  specializes in crawling the Internet looking for consumer grade desktop computers to break into.
• My BOT  searches the Internet at random looking for computers which are un-protected.  It will hit several thousand computers an hour for as long as I let it run
• I don’t want to go to long with my BOT running from the Library,  because all the outbound activity it generates, may be detected as a virus by an Upstream ISP. The good news in my favor is that  BOTs both friendly and malicious are very common. At any time of the day there are millions of them  running all over the world.

Note, running a bot in itself is not a crime, it is just bad etiquette and annoying.  It is extremely unlikely that anybody would actually be able to see that I am trying to hack into computers (yes this is a crime)  with my BOT , because that would take very specialized equipment , and since I chose my Library at random the chances of drawing attention at this stage are minuscule. Typically a law enforcement agency must attain a warrant to set up their detection equipment.  all the upstream provider would sense is an unusual high rate of traffic coming out of the library.

•  Once my bot has found some unprotected home computers and I have their  login credentials, I am ready for phase 2 . I save off their IP addresses and credentials, and delete the bot from the computer in the Library and leave never to return.

You might be wondering how does a BOT get access to home computers?  Many are still out there running very old versions of Windows or Linux and have generic passwords like “password”. The BOT attempts to login   through a well  known service such as SSH ( remote Login) and guesses the password. The BOT may run into 1,000 dead ends or more before cracking a single computer. Just like a mindless robot should,  it works tirelessly without complaint 

Phase II

•  I again go to the Library and set up shop. Only this time instead of a BOT I come armed with phishing scam e-mail on my Flash.  From a computer in the library I   remotely login into one of the home computers whose credentials I attained in Phase 1 and set up shop.
• I set up a program that will send e-mails from the home computer to people who work at the DNC with my  trojan horse content.

If I am smart, I do a little research on their back ground(s) of the poeple I sending to so as to make the e-mails as authentic as possible. Most consumers have seen the obvious scams where you get some ridiculous out of context e-mail with a link to open some file  you never asked for, that works for mass e-mailing to the public, hopeing to find  a few old ladies, or the computer illiterate, but I would assume that people who work at the DNC , would just think it is a spam e-mail and delete it.  Hence, they get something a little more personalized.   

How do I find the targeted employ e-mails at the DNC ?  That is a bit easier , many times they are published on a Web site, or  I simply guess at employee e-mails addresses , such as hclinton@dnc.com.

• If any of the targeted e-mails I have sent to a DNC employee are opened they will, unbeknowest to them, be  installing  a keystroke logger that captures everything they type. In this way when they login into the DNC e-mail server I also get a login and access to all their e-mails

 How do I insure my victim does not suspect they have been hacked ? Stealth , Stealth , Stealth.  All of my hacking my tools such as my keystroke logger have very small inconspicuous footprints. I am not trying to crash or detroy anything at the DNC.  The person or persons who systems I gaing entry through most likely will never know.  Also I will only be using them for a very short period of time, and I will delete them on my way out.

• Getting e-mail access. Once the keystroke logger is in place I have it report back to another one of my hacked personal computers. In this way the information I am collecting will sit on a home computer with no ties to back to me. WHen I go to collet this information , I again go to a Library with my flash card and download key stroke information, eventually I directly load up al the e-mails I can get onto my flash drive while in the Library.  I then take them to the Kremlin ( or whoever I work for and hand over the flash drives containing 10’s of thousands of e-mails for off line analysis.

Debunking the Russian Hacking Theory

The FBI purports to have found a  “Russian Signature file ” on the DNC server?

•  It’s not like the hacking community has dialects associated with their hacking tools.  Although  If I was a Chinese hacker I might make sure I left a path pointing back at Russia  , why  not ? . If you recall I deleted my hacking tools on the way out, and yes I know how to scrub them so there is no latent foot print on the disk drive
• As you can infer from my hacking example , I can hack pretty much autonomously from anywhere in the US or the world for that matter, using a series of intermediaries and without ever residing at permanent location.
• Even if the FBI follows logs of where historical access into the DNC  has come from, the trail is going to lead to some Grandma’s computer at some random location. Remember all my contacts directly into the DNC were from my Hijacked Grandma computers. Perhaps that is enough to draw a conclusion so the FBI can  blame some poor Russian Grandma.  As the  real hacker all the better for me, let Grandma take the diversion, somebody else is going to get the blame.
• Now let’s suppose the FBI is really on the ball and somehow figures that Grandma’s computer was just a shill hijacked by me. So they get a warrant and raid Grandma’s computer and they find a trail .  This  path is going to lead them back to the Library where I sat perhaps 3 months ago.
• We can go another step farther, suppose the library had video surveillance and they caught me coming and going , then just perhaps they could make an ID match

By now you get the idea, assuming the hacker was a foreign sponsored professional and was not caught in the act, the trail is going to be impossible to make any definite conclusions from.

To see another detailed account of what it takes to hack into a server please  visit our 2011 article “Confessions of a hacker“

The recent Apple iPhone versus the FBI case being tried in the court of public opinion is an interesting example of the fact that encryption, and the use of encryption, can be created by any individual or any business to protect their data.    All those spy movies where computers easily crack password codes are just plain fantasy.  A well-engineered encrypted password cannot be broken. Unless, of course, the person that created the encryption is forced to put in a back door for the FBI.

The point is, if I really wanted to encrypt something from all entities, I would not rely on a commercial encryption version provided by Apple or my browser, because, as we have seen, the FBI will use whatever muscle they have to make sure that they can get in.

When you are done with the the encryption exercise  below, you can go ahead and tattoo your bank password on your face without a worry that anybody would ever figure it out.

Let’s start with a typical password that you  might use for a bank account “alfred!1”

First we’ll take the alphanumeric value of each letter such that a=01, l=12, f=06, r=18, e=05 d=04. And for the 1 we can use first letter of the alphabet so that 1=A, 2=B etc. So you could just make your password 011206180504!A, which is the numeric representation of alfred!1 (note I just left the “!” alone)

Now lets put some meaningless garbage on the front of the password. Two meaningless letters, such as CD.

Now lets add 2 to the original numbers in the password, so now we get

CD031408200706!A

Now take the day of the month you were born in and add it to the first number. 03+21 = 24, I was born June 21

So now we have CF241408200706!A

Each time you apply a step to the password encryption the more difficult cracking it becomes.  I did not take this one far enough to make it impregnable to a sophisticated hacker,  but hopefully you see the point. Just keep applying  rules to your password changing it at each step. The more steps you apply, the more mathematically safe your password encryption becomes.

The advantage of creating your own encryption scheme is that all you need to do is remember how to unwind these steps to recover your password, you do not need to remember your actual password, so any time the bank forces you to change your password go ahead and change it, and write it down on your hand, or face, or all over your refrigerator. As long as you remember your encoding method, you can keep your passwords in plain site.

Believe it or not I actually write my encrypted pin codes on my ATM cards!

I was just reading an article about a cyber security company that advocates hacker containment. The basic premise of the article is that hackers are going to get into your system and you can’t block them.  At some point they give specific advice that once a hacker is beyond your firewall,  you should lead them around a bit and limit the damage.  But, to be completely honest, I did not read the article far enough to learn exactly what they were proposing as a solution.  Perhaps they are right, or perhaps they have a few screws loose? The point is, their article sparked a novel idea. Why not sting the hackers?  I suspect US counter intelligence is doing this already, but there is no reason why it can’t be done at a corporate level.

Let’s assume they are correct and you can’t block hackers from getting in.  Instead of playing defense, why not play a little offense? Give the hackers a money pack with an exploding ink bomb.

What would this ink stained cash look like in cyber space?

How about a data base of fake financial records, that you carefully protect, but leave a few security holes. Then when you see anybody accessing these accounts, you go after them and prosecute the perpetrators when they try to use the accounts. Suck them into a face-to-face meeting to pick up gold bullion and arrest them, just like with any police sting. This might not stop the hacker, but it would have the effect of making their wares useless on the open market. Think about the drug dealer who rips off his customers, eventually somebody rats them out? Or kills them?

The idea would be instead of spending billions of dollars on security, spend a billion or two on laying traps for hackers that will help expose them and their customers.  If you hide enough ink bombs in your records, it might turn the tables a bit!

A friend of mine sent me a note this morning, asking if our bandwidth shaping device could provide the same type of service as this new DoJo application. Their niche is basically that you cannot trust third-party devices in your home network from being hijacked. For example, the software engineers writing the code that allows you to remote control your dishwasher from your iPhone, are likely not security experts. It is a reasonable assertion that a hacker might exploit a security hole in their software.  The Dojo will detect any smart device breaches and take action, a good idea for sure.

I spent about 20 minutes reading  and thinking about their specification and what value that provides to the home user.  And then it hit me, there is a more obvious precaution to  secure your home network that you might be overlooking.

IN 2016 and going forward THERE SHOULD BE NO REASON TO STORE ANY PERSONAL DATA ON  YOUR HOME NETWORK.

• Gmail in the cloud
• Quick books in the cloud
• Banking in the cloud
• Facebook in the cloud
• Google Docs in the cloud
• Stock Trading in the Cloud

No, nothing is ever completely  secure, and certainly anything you put in the cloud can be hacked, but in my opinion, the level of security afforded by the cloud is far better than anything you can rig together on your home network.

Think about it…

Your bank spends hundreds of millions on staying ahead of hackers. You have secret pictures, secret questions that  challenge you about your second cousin’s favorite hobby.  They know when you coming from new or different IP address.

Gmail now tells you when there is a login from a non standard computer.

These modern cloud applications are about as secure as a consumer could hope for. For the same reason you should not keep wads of cash in a safe in your house, you should not keep any personal information on storage devices in your house. Let your dishwasher go hog wild, who cares. I catch hackers on my network all the time, they have hijacked a few servers to send spam and attack other consumers (my bad), but there is really nothing of interest laying around on any of my devices other than some geezer MP3 music, and my vacation photos on my iPad that nobody else wants to look at anyway.

But if you must secure important data in your home network yes go ahead and invest in a device like the Dojo, it can’t hurt, but before you do that change your habits and use the cloud whenever possible.

Art Reisman

CTO http://www.netequalizer.com

What if we created  a new electronic currency a-la Bitcoin with a twist.   Let’s start by taking an idea from the Federal Government, and put a water mark on our personal funds , something unique that signifies who legally possesses the currency. Cattle ranchers do this with a brand so nobody steals their cattle.  This has worked pretty well for a few hundred years right ?

With our new personal watermark, suppose somebody breaks into your bank, and wires all your money to some idiot in Russia. In today’s world the only way to find that money is to follow the trail, and that takes a huge effort from a banking forensics person, working with International governments.  The money may travel so fast it may not be possible to recover. Now, suppose the funds had an electronic tag that could not be altered by a criminal.   For example currency in your possession  has  a public private encryption key, and only you can authorize a change in possession.

I am not going to spend any more effort on the mechanics of currency ownership, suffice to say it could be done in many different ways. The problem with my proposed solution is the resistance it will meet from all sides.

• The privacy crowd, will beat the drum and scare ignorant people  into thinking that the government will know how much money they have. The flaw with this argument is , unless you are underground and dealing in cash now, every bank transaction you have ever made is visible to the government. In essence, there is no net change here in terms of privacy. I’d also be fine with an optional cash currency for those that want to opt out, I don’t really care. For tax paying citizens with nothing to hide there is no new privacy downside to watermarking your funds.
• The security industry will backdoor fight this tooth and nail. As I alluded to in a previous article , the security business has grown to a magnitude of scale well beyond the assets they protect. In other words the security industry is extorting more funds than the actual threat they are protecting you against.
• Mexico, a country that does 80 billion plus in the drug trade, has no interest in traceable funds. Someplace, some-where, they  will lobby against this change, under the guise of some legitimate reason.
• Politicians and their donors. Despite the rhetoric, there is absolutely no incentive to make this process transparent.

I had just opened up my network to outside requests ,thinking this will only take a few minutes.  The idea was to  attack my home network from the outside, blasting it  with endless loops of rapid queries from external servers in cyber space, thus simulating a DDOS attack  .    It turns out I was not alone in attacking my Network .

When I went to my monitor DDOS monitor screen to see my attack, I saw  the chart below.   All those Source Ports showing  22 are the result of a server on my network , randomly attempting to login to computers outside my network .  How ironic , while testing my own DDOS software from an outside attack , I find out that one of my servers has been hijacked to do the dirty work for some other hacker.  I am only showing about 46 attempts  in the table below, but all in all ,there were about 450 of them.  They  appeared all of a sudden out of nowhere.  And then, Comcast shut me down, when I hit their security circuit breaker.  Or so I surmised, because this is not the first time this has happened to me, and I usually get  a call from Comcast telling me to run my virus software.  You know how you are not supposed to talk to strangers ? Well I had been getting these calls out of the blue from somebody claiming to be “Comcast” security , and the sounds in the background during the scratchy call were like one of those Indian boiler plate call centers … so I had been ignoring them, just humoring these people.  But perhaps they really were Comcast ? Or perhaps this was just the coup do grace from the hacker pretending to be Comcast after orchestrating the attack, in order to gain my trust and get my bank account ?  Like a bad Mission Impossible plot I don’t know who to trust anymore.
Index     SRCP    DSTP    Wavg    Avg       IP1           IP2           Ptcl  Port  Pool  TOS
0     46762      22   203   336    191.7.193.69   192.168.1.130  TCP   1   2    1
1     54211      22    29    90    85.25.211.119   192.168.1.130  TCP   1   2    1
2     52734      22    15     0    174.159.244.177   192.168.1.130  TCP   1   2    1
3        22   33388    42     0    192.168.1.130   93.97.181.70  TCP   2   2    1
4        22   49398   238   277    192.168.1.130   125.137.155.50  TCP   2   2    1
5     49184      22    66   152    192.81.170.254   192.168.1.130  TCP   1   2    1
6        22   49184   163   374    192.168.1.130   192.81.170.254  TCP   2   2    1
7     51722      22   142   214    217.92.189.104   192.168.1.130  TCP   1   2    1
8     38133      22    11     0    146.155.249.71   192.168.1.130  TCP   1   2    1
9     55232      22    93   400    178.49.172.175   192.168.1.130  TCP   1   2    1
10     50373      22    20    40    190.81.51.11   192.168.1.130  TCP   1   2    1
11        22   40073    21    35    192.168.1.130   31.45.215.117  TCP   2   2    1
12        22   39950    11    40    192.168.1.130   101.251.207.162  TCP   2   2    1
13        22   51889     9     0    192.168.1.130   169.236.135.241  TCP   2   2    1
14        22   53866   204  1036    192.168.1.130   95.211.215.206  TCP   2   2    1
15     57596      22    93   236    207.244.67.170   192.168.1.130  TCP   1   2    1
16        22   51971   188   384    192.168.1.130   66.242.228.2  TCP   2   2    1
17        22   53617   328   580    192.168.1.130   37.228.133.94  TCP   2   2    1
18     52574      22   206   338    177.21.237.77   192.168.1.130  TCP   1   2    1
19        22   56081    23    93    192.168.1.130   216.104.36.94  TCP   2   2    1
20        22   41126   213   771    192.168.1.130   176.31.199.232  TCP   2   2    1
21        22   33853   209   384    192.168.1.130   71.11.128.190  TCP   2   2    1
22        22   52185   282  2369    192.168.1.130   74.220.208.72  TCP   2   2    1
23        22   54224   224  1032    192.168.1.130   46.32.230.170  TCP   2   2    1
24        22   52065   710   806    192.168.1.130   49.212.12.217  TCP   2   2    1
25     43568      22    28    88    52.2.123.169   192.168.1.130  TCP   1   2    1
26        22   39032   200   558    192.168.1.130   199.34.242.73  TCP   2   2    1
27     53968      22   148   265    37.228.133.94   192.168.1.130  TCP   1   2    1
28     39950      22    17    60    101.251.207.162   192.168.1.130  TCP   1   2    1
29        22   44785   320   464    192.168.1.130   87.230.40.94  TCP   2   2    1
30     41889      22    13     0    70.4.134.198   192.168.1.130  TCP   1   2    1
31        22   35743   233   368    192.168.1.130   141.105.174.210  TCP   2   2    1
32        22   48689   298   373    192.168.1.130   12.11.100.194  TCP   2   2    1
33     36165      22   226   293    200.170.215.154   192.168.1.130  TCP   1   2    1
34     44991      22    53   146    191.5.224.79   192.168.1.130  TCP   1   2    1
35     38500      22   180   345    192.227.164.167   192.168.1.130  TCP   1   2    1
36     50944      22     8     0    199.174.12.17   192.168.1.130  TCP   1   2    1
37     39511      22   168   319    104.128.117.32   192.168.1.130  TCP   1   2    1
38     53820      22    16    30    95.84.153.61   192.168.1.130  TCP   1   2    1
39     47030      22   225   261    190.161.86.105   192.168.1.130  TCP   1   2    1
40        22   38500   367   735    192.168.1.130   192.227.164.167  TCP   2   2    1
41     33165      22   119   248    138.94.144.250   192.168.1.130  TCP   1   2    1
42     51185      22    18    60    46.105.163.187   192.168.1.130  TCP   1   2    1
43     48472      22    18    60    72.249.105.159   192.168.1.130  TCP   1   2    1
44     32890      22    89   174    95.177.200.94   192.168.1.130  TCP   1   2    1
45     57725      22    75   180    88.11.129.198   192.168.1.130  TCP   1   2    1
46        22   55358  1072  1373    192.168.1.130   138.91.57.190  TCP   2   2    1

Just today, I was trying to restore my iPad to factory defaults. I supposedly have 20 megabit business service from Comcast.  While running the restore, I noticed that my download speed was running at about 200kbs max, and yet speedtests were showing no problems with my connection. So I rebooted my computer, started up my VPN, and found out that I am not getting my full 10 megabits.  What can I infer from this ? Well, I can only assume that Comcast has some sort of bandwidth control and is identifying my Apple device download and slowing it down. I was able to repeat this test.

By the way, I did get to watch a movie on my flight – success!  And that was a much needed break from work.

Note: There is one more trick required to un-block for some VPN services and some  streaming sites.  You may need to hide your DNS activities as well, since some blocking services will also block the DNS request before you even get to the site.

For example, the VPN tunnel will hide what you are doing from anybody, but the initial lookup service to get the site may not be hidden, because you are likely using by default your provider(s) DNS service. So, you should also set your DNS service to a third party site other than your provider after you fire up your VPN. In this way DNS requests should also be encrypted.