Three short cyberstories + bonus scam

Since we are in the holiday season, let me share three small cybersecurity-related stories, which you can read by the fireplace with a hot cocoa in hand and laptop on your lap. Enjoy!

The one where I don't (really) know my password

My laptop shut down unexpectedly and didn't want to boot ever again, not even when asked nicely. Since it was only a few months after the purchase, I decided to send it back to the shop for repairs. Now, you have to know something about me that might surprise you, as it's coming from a cybersecurity professional. I'm a little bit paranoid. So, I decided to disconnect the hard drive and take it out of my laptop before sending it in. My paranoia also led me to create a long and complex firmware password for my drive. This is the point where all of my problems started, but I didn't realize it until that unfortunate day.

I first tried to connect the hard drive to my old computer. A BIOS prompt popped up asking me for my password. Hey, that's a good sign, right? However, it turned out that for one reason or another, the person developing the BIOS decided that the user could only enter 8 characters in the password field. No more. After I entered the ninth character, the computer let out an angry beep, presumably warning me that it wouldn't allow a longer password. But my password had more characters! I decided to abandon that way and try another computer. Maybe the BIOS developer there was a bit more flexible on the password length.

I found a second computer and indeed, this time the BIOS had a longer password entry field. I entered my password and, lo and behold, it did not work. I tried again - still the same error message. I didn't want to become a definition of insanity, so I decided to ask for help. My colleague advised me to try and unlock the drive using the hdparm tool. So I happily tried the (highly EXPERIMENTAL) hdparm option to unlock the hard drive and I entered my password again, this time in plain text as an hdparm parameter. It didn't work. I mean, come on, I see that I didn't make any mistake in the password, it's there on the monitor!

I browsed the Internet a little and found out that some older HDDs (though definitely not mine) lowercased the password before using it. I decided to give it a try, because all other ways had failed and I just wanted to get access to the hard drive. I put in my password, all in lowercase, and finally it worked! So, apparently, another BIOS software engineer decided that she would lowercase the password before passing it to the hard drive. You know, to reduce the bruteforcing complexity. Just for fun...

The one where someone is tracking me (and it's not paranoia)

I went to the Paris Google office for Botconf. If you're feeling jealous, you should - it was a great conference. I took with me my company's laptop with our Enterprise VPN Solution(TM) client installed. If you're wondering why I didn't take my computer, you've put too much rum in your hot cocoa and you're not paying attention. The organizers provided us with WiFi Internet access. As you may now know, I'm a little bit paranoid. Almost immediately after connecting to the WiFi I also connected to the VPN and I was happily browsing the Internet.

At some point one of my friends decided to send me a file using Google Drive. I clicked on it and it downloaded almost instantly. At first, that didn't surprise me. After all, I was in the Google office, they should have a fast link to Google Drive, right? Then I noticed something odd - Google (as in their services, not the actual people) seemed to know that I was in Paris. How could that be? I was using a VPN after all and my company was in a whole other country.

Now, the incredible connection speed to Google Drive started to feel a bit odd. My company definitely didn't have such a high speed connection. I decided to dig a little deeper. After a while, it turned out that the WiFi DHCP server had assigned two public IP addresses to my laptop - one for IPv4 and one for IPv6. Furthermore, I was connecting to Google services using the IPv6 protocol. Which, as it turned out, Enterprise VPN Solution(TM) did not support. Hence, my IPv6 traffic was leaking from the VPN connection. This explained all of the weird stuff that was happening.

What is disturbing here is that you cannot simply tell which of the sites you're browsing are using IPv6 and which of them are using IPv4. Surprisingly, the Android VPN client (from the same company) didn't have that problem. It simply turned off IPv6 altogether.
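The leak described above can be spotted from the routing tables: a VPN client that only installs IPv4 routes leaves the IPv6 default route on the WiFi interface. The following is an added example, not code from the original post; it assumes Linux `ip -4 route` / `ip -6 route` output, and the interface names `tun0` and `wlan0` and all addresses are constructed sample values.

```python
import ipaddress

# Constructed sample routing tables (assumption: iproute2 text format).
ROUTES_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 198.51.100.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
198.51.100.0/24 dev wlan0 proto kernel scope link src 198.51.100.57
"""
ROUTES_V6 = """\
2001:db8:100::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

def parse_routes(text, family):
    """Return (network, device, metric) tuples from `ip route` output."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or "dev" not in tok:
            continue
        try:
            prefix = default if tok[0] == "default" else tok[0]
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, tok[tok.index("dev") + 1], metric))
    return routes

def egress_dev(routes, dest):
    """Pick the interface the kernel would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None  # no route at all, so nothing can leave the host
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))[1]

def leaking_families(v4_text, v6_text, vpn_dev):
    """List address families whose Internet traffic bypasses vpn_dev."""
    probes = {"IPv4": (parse_routes(v4_text, 4), "203.0.113.10"),
              "IPv6": (parse_routes(v6_text, 6), "2001:db8:ffff::10")}
    return [fam for fam, (routes, dest) in probes.items()
            if egress_dev(routes, dest) not in (None, vpn_dev)]

if __name__ == "__main__":
    print("Leaking outside the VPN:", leaking_families(ROUTES_V4, ROUTES_V6, "tun0"))
```

Passing an empty IPv6 table models a client that turns IPv6 off altogether, in which case nothing is reported.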

I informed our administrator about the traffic leak and his answer was that "it's not a leak, since you can turn off IPv6" and "you don't know what you're saying". To which one of my friends responded: "password leak also isn't a leak, because you can always change password, right?"

The one where my new intercom becomes smarter

I've heard a lot of stories of accidental hacking of different IoT things: TVs, Blu-ray players etc. However, my story is about a different accidental hacking. I hacked my apartment's intercom by not being in my apartment when the repairman came. It was as simple as that.

My apartment building has an intercom. A standard one, without any fancy video cameras, iris scans or whatever is in right now. It just lets you call any apartment, transmit voice and let someone in. You can also open the doors by typing a special code on the main unit. However, the old intercom tended to break really frequently. At some point, all of the apartment owners got together and decided it was high time to replace the old intercom system with a new one. You know, a top-of-the-line one, but still in budget.

A few days after this decision, a technician came and replaced the main unit and also wanted to replace all of the receivers. However, he couldn't replace mine, because I simply wasn't at home. When I came back I noticed that my receiver was behaving weirdly. I could listen in on every single conversation happening on the intercom. No matter who was speaking, I could hear it. While I could hear conversations, I could not open the door. The repairman was nice enough to leave his number on a card near my door, so I could call him at my earliest convenience. Which I of course did.

When he came I asked him why I could hear every conversation. He replied: "yeah, this is just a stupid analog receiver, it works like that. This new one is a smart one, it has electronics inside that pick up a correct caller and you only hear conversations addressed to you." So, instead of having an old, analog PBX-like solution, where all of the calls were switched to the right caller in the main unit, we now have a new and smart solution, where the main unit does nothing and the receiver decides whether to pick up the call or not. That's called the future...

BONUS: Paris scam with Louvre in the background

During the last day of my stay in Paris, I decided to sit on a bench, which had a beautiful view of the Louvre, and to finish reading "Spam Nation" by Brian Krebs (I highly recommend it if you haven't read it yet). So, I went through Jardin des Tuileries and sat opposite the Louvre pyramid. I took out my Kindle and a bottle of water from my backpack and sat admiring the stunning architecture. Then, out of nowhere, a young girl came to me asking if I speak English. I replied that I do and she asked me, using her broken English, to sign a petition. I decided not to. Despite her many, many appeals.

I started reading and a second young girl came to me and the conversation repeated itself. I firmly, but kindly refused to sign anything she had and I got back to the book. I started to immerse myself in the world of Russian pharma-spam when the third girl came to me and, again, asked me if I speak English and if I can sign a petition. OK, I now had enough. Three girls asked me to sign a petition within 10 minutes. I politely declined, again, and started to pack my things. Then the fourth girl came to me, as I was packing my stuff, to ask me the same set of questions.

By now it was clear to me that it was some kind of scam. I was curious as to what this scam actually entails and where the actual scamming part is. So, I looked it up and apparently, young girls come to foreigners and ask them to sign some paper. Then, when someone signs it, they say that they just agreed to pay 10 Euros to help poor children or for some other made up cause. Since you provided your name and country of residency, you are now obliged to pay. People apparently do pay the money. Otherwise, if they start to put up a fight, the girl distracts you and her "helper" tries to steal your wallet. So, apart from being interrupted in the middle of an enticing read, you could also get scammed out of your money and documents.
