Lain (is Bams) Who's getting hacked today thread

Discussion in 'tech' started by Lain, 11 Jun 2011.

  1. Mulch

    Mulch Why does the drum come hither?

    Well... all I can say is I hope those 1535 customers had enough brains to back up their own websites.

    I don't know if you missed this part, but he said his local backups were mounted when the command was run.

    no mention of offsite backups
    • Like Like x 1
  2. Lain

    Lain End of line. #resist

    I did read that. As one commenter pointed out 'backups' for the purpose of disaster recovery are not remote mounted shares.

    True disaster recovery scenarios, as I'm sure you know being a server operator, require a three tier system with two of the three backups utilizing removable or otherwise segregated media.

    Any jackass should know how rsync works if you're claiming to be a Linux administrator.

    Furthermore, only a jackass executes wildcard scripts that have been untested and not ferreted out on a non-production system before deploying them.

    Laziness combined with stupidity is the core catalyst for the large majority of 'accidents'.
    • Agree Agree x 2
  3. Mulch

    Mulch Why does the drum come hither?

    • Like Like x 2
  4. Lain

    Lain End of line. #resist

    OMFG can yet another jackass use the "more power in a cell phone than we took to the moon"?

    We get it, you have no original ideas. Stop regurgitating shit you saw on Facebook.

    And SS7 is hardly "little known", as it is common knowledge amongst hackers that hacking the phone directly is usually the stupidest way to handle it and the easiest way to get pinched.

    Interesting read for n00bs.

    Last edited: 18 Apr 2016
  5. Lain

    Lain End of line. #resist

    • Agree Agree x 1
  6. Lain

    Lain End of line. #resist

    Some of the comments are comedy gold.
  7. Lain

    Lain End of line. #resist

    Another good comment.
  8. Lain

    Lain End of line. #resist

    OK so smartassery aside, let's give this some perspective.

    There's a comment by an individual claiming to be an SS7 engineer, I was going to quote it but lost my place and refuse to go back and search.

    The basics are as such..... This isn't something script kiddies from the Interwebz are doing with a throwaway handset they bought from Walmart and some random app they nabbed from a sketchy webserver.

    Hacking SS7 is not only next level stuff, but the system is monitored more closely than the Internet.

    This is not to say that it isn't possible, but carrier access is needed and a host of uber skills that most people will never be able to grasp in their lifetimes.

    Think political targets, corporate sabotage, really valuable stuff, no one is hacking to listen to your phonesex calls.

    As far as localized phone and device security, I think we do a decent job of covering that here.

    Keep Bluetooth off when you're not using it. Don't use Bluetooth in busy public areas and the same goes for Open wifi networks.

    Store your RFID-enabled (contactless) credit cards in special sleeves. There is software that will allow someone to scan the card through a purse or wallet from several feet and beam the contents to another device at a POS for making purchases with the information.

    Here's a gem, don't fucking execute attachments in text messages from unknown sources. How long have we been banging on this drum?

    • Like Like x 2
    • Agree Agree x 1
  9. Lain

    Lain End of line. #resist

    Who's getting hacked today? Possibly you.

    I'm sure I've addressed this before, but due to both the increased number of credit card fraud incidents and the ease with which any halfwit with a rooted phone can steal your stuff, it's worth a revisit.

    If you are using contactless (RFID) credit cards you have two options. Stop. Or put them into special sleeves to stop the card from being vulnerable to the following.

    Using any rooted phone, some work better than others, any person can scan the information from a contactless card from as far as six to eight feet. At which point the information can be beamed to another person who can use the information at a contactless POS terminal and steal your money.

    This attack is easy to perform, does not have any way for the target to know they have been hit (it's contactless), takes a mere six seconds with a good handset and is immediately exploited by another unknown assailant.

    Credit card companies have known about this since 2012. They were given solid demonstrations of how this works, and how hard it is to track the assailant.

    Credit card companies stand behind the one-shot security measure. That is, the information read from the card is only exploitable until the card's next use.

    Each time the card is used a random transaction code is applied so once the card is scanned the information must be used before the card is legitimately swiped by the target or the information will fail and the assailant will be caught.

    However, this is so obviously easy to workaround that it's laughable.

    Scenario: I am in the mall with a partner. Say Mulch. We are using the mall's public wireless to communicate and throwaway phones we bought with the last card we swiped. There's literally no way to know who we are.

    As I traverse the mall the Bluetooth headset I am wearing lets me hear the ping when my handset scans a valid target card. Pressing the button on the BT transmits the data to Mulch, who is in a random shop waiting to make a purchase, milling about until he gets the beep in his ear that a card is waiting to be exploited.

    He makes the purchase, scans the phone over the terminal, replaying the data I sent him and validating his purchase against whatever card I just grabbed. Move shops, repeat process.

    On a busy day a good team can hit hundreds of targets especially if they are using more than one partner to make purchases.

    How do you protect yourself? Don't use the cards, or keep them in special sleeves or wallets to block the scans.

    • Like Like x 1
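The "one-shot" code described in the post, as a constructed model added here (not the post's code, and not how any real card scheme is implemented; the issuer key, card id and counter scheme are assumptions): it shows why a per-use code stops a captured read from being reused once the card has been tapped again legitimately, but does nothing about a relay that reaches a terminal first, which is the gap the post's scenario relies on and why its mitigation is physical (shielded sleeves) rather than something the issuer fixes alone.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed issuer key. A real issuer derives a per-card key and keeps it
# in an HSM; this is only a stand-in so the model runs offline.
ISSUER_KEY = b"constructed-issuer-key"


def transaction_code(card_id, counter):
    """Per-use code bound to the card and its use counter (a model of the
    'random transaction code' the post describes, not any real card scheme)."""
    msg = f"{card_id}:{counter}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class Card:
    card_id: str
    counter: int = 0

    def present(self):
        """What any reader gets on a tap: a skimmer's phone and a genuine
        terminal look the same to the card, so both advance the counter."""
        self.counter += 1
        return {"card_id": self.card_id, "counter": self.counter,
                "code": transaction_code(self.card_id, self.counter)}


@dataclass
class Issuer:
    last_counter: dict = field(default_factory=dict)

    def authorize(self, msg):
        """Issuer-side check: the code must match, and the counter must be
        newer than anything already seen for this card."""
        cid, ctr = msg["card_id"], msg["counter"]
        if not hmac.compare_digest(msg["code"], transaction_code(cid, ctr)):
            return "DECLINE:bad-code"          # forged or altered data
        if ctr <= self.last_counter.get(cid, 0):
            return "DECLINE:stale-counter"     # already used, or a newer tap was seen
        self.last_counter[cid] = ctr
        return "APPROVE"


def relay_scenario(victim_pays_first):
    """Skim once, then either the victim or the relay partner reaches a
    terminal first. Returns the outcome of each authorization by party."""
    card, issuer = Card("constructed-card-0001"), Issuer()
    skimmed = card.present()                   # captured by the phone
    if victim_pays_first:
        legit = card.present()
        return {"victim": issuer.authorize(legit),
                "relay": issuer.authorize(skimmed)}
    return {"relay": issuer.authorize(skimmed),
            "victim": issuer.authorize(card.present())}


if __name__ == "__main__":
    print("victim taps first:", relay_scenario(True))
    print("relay taps first: ", relay_scenario(False))
```

In the second ordering both authorizations go through, so the victim's own purchase still works and nothing looks wrong until the statement arrives; the counter check only wins the race when the legitimate tap happens first, exactly as the post says.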
  10. nina

    nina still prettier than you

    Untrusting the Blue Coat Intermediate CA from Windows (and mac)
  11. Kita

    Kita Should Update Title

    Seeing a lot of cool stuff at work!

    Was present live this time for a Crypto infection attempt. This client is full of boneheads. Webroot, our standard deployment, will happily allow Crypto processes to run. We have seen this time and time again. Though I haven't seen this live, I personally have seen Webroot living happily on systems with viruses, worms, and other payloads that were picked up by a simple Malwarebytes scan. In one case, it was the payload of a worm that is very old and well known, waiting for its trigger. REALLY WEBROOT?? I would never recommend that piece of shit, and can't wait for our contract to be up next year so we can start to sell Cylance. As a side note/question for Lain-- what do you currently recommend for endpoint protection? Both free and paid? I am seeing a lot of ESET being deployed lately too. Is that any good?

    Anyways, once again, MULTIPLE idiots opened an infected .zip they received in email in order to 'see what it is'. But we were prepared with this client this time. We had deployed a Fireeye device and Cylance endpoint (which I LOVED after my last job). The fireeye immediately exploded with alerts, allowing us to quickly find the systems and get them off the network and shut down. Analysis was being done with Cylance on Friday to determine how much/ if any infection snuck through. Wipe and reload for most computers, but OFC, one of them was where accounting stored all the things... even though they have tons of network storage... but I digress!

    I went through the Fireeye output out of curiosity. Tons of JSON and JS files-- so writers of this Crypto are using Javascript. Even more fascinating is the number of references to Jetpack api! This is a wordpress addon. I poked a little more to see if this had been seen before, and saw no sign of it. Very fascinating. I think someone was using poisoned components of the addon to do all of the cryptography functions, as well as an attempt to mask.

    Anywho, this time they didn't get ransomed. Seems like the Fireeye and Cylance one-two punch has some serious balls. We caught it immediately, and nothing hit the network. Most clients cannot afford this solution, which is why they use crap-tastic Webroot. There has to be something better! Plus, I would like to hear some free solutions for personal use I can recommend to friends and family.

    Oh, and for the curious, we keep a bitcoin purse for paying these ransoms for our clients. Real world fact is that most people DO pay it. It is in the best interest for Crypto makers to follow through and decrypt, because they have effectively created a market. If people knew that paying didn't do anything, people would stop sending them money. But they do follow through with decryption, so most that get hit need their data badly enough for the ransom to be worth it. A true criminal enterprise, and it is utterly RAMPANT. It is THE infection of utmost concern for every company right now, because it is making easy money for criminals. No databases to fence or a few card to try to burn before they are caught-- it is simply untraceable cash deposited directly to them, without a need to know how to do anything except pay for a program and send it to targets. Hell, I am terrified of it even with my home computer! This shit is brutal if it slips past, and there is no mopping up. You pay to get your data back, pull out the important stuff, then nuke your system. It blows.
    • Like Like x 1
  12. Lain

    Lain End of line. #resist

    Sounds like you're having a good time.
  13. Kita

    Kita Should Update Title

    What are your current recommendations for endpoint protection, both paid and free?
  14. Lain

    Lain End of line. #resist

    Wow. That's a big topic. ESET seems to be gaining traction and has good statistics to back up their rep.

    Until someone finds a way to break it and then everyone will be hopping to the next big thing.

    The problem with endpoint protection is that no method can successfully contain the most problematic portion of the system, the carbon based element behind the endpoint.

    I agree with your comments on WEBROOT, it's a pile of shit. Kaspersky is deployed at many financial institutions my team works with; I believe they have a free version.

    WEBROOT is totally useless against network attacks. Unless you're using all of the latest patches and updates Metasploit will crush it. And even then it's iffy depending on my database of Zero-day goodies.

    I guess we should be thanking Bill for giving us such a bountiful source to work from ;)
    • Like Like x 1
  15. Kita

    Kita Should Update Title

    Webroot just happily allows all kinds of crapware in the background, but also has BS 'features', such as a list of blocked sites we cannot control globally. To unblock, I have to allow the clients to decide if they would like to unblock ANY site. So I have to risk opening a floodgate to let a single drop in. Really, to get past Webroot, all you need to do is get the meathead behind the computer to run something and move it past UAC. Webroot might block attempts from external intrusion, but things that are run internally seem to be allowed free rein. It trusts the trusted zone, and thus the morons behind the keyboard. Thus, numerous crypto attacks for numerous clients without a peep from Webroot (probably just blocked the phone home, but happily allowed the actual encryption).

    I seem to recall Kaspersky being utter shite a number of years back. They must have finally gotten their shit together!

    I scrubbed ESET off of a newly onboarded system a couple months ago. At first, I was annoyed at the difficulty, and thought the idiot had gotten one of those crap fake antivirus programs that is actually just a spyware delivery tool that asks for more money to block the spyware they inject in your ass. When I did some legwork, I was very happy at the balance of difficulty and ease to remove it-- easy for a tech when you grab the tool, but hard for a bonehead. I found a number of positive comments about it when looking for the tool, most along the line of 'Why the hell are you replacing ESET with x??' It was running alongside some spyware, but also seemed to have been partially deactivated due to the expired license it had. So I am a bit on the fence about it when I haven't seen it in action and have only read comments.

    Where has Comodo fallen for you? You were big on it for a few years. I still have it on my laptop, because WiFi is super slutty and I feel it needs a firewall with more balls.

    Reminds me... I need to make up my mind on the router so I can get a VPN set up. When I start to do on-call, I will need my laptop a lot more, and most likely will find myself in the same boat as other techs-- need to circumvent our own security and Webroot blocks in order to grab legit tools or go to certain sites. Only reliable way to do this is to VPN into our home networks. Real pro there...
  16. Lain

    Lain End of line. #resist

    Comodo is still very strong protection for end users who want something free that's not super invasive but allows more fine tuning and advanced control. I have it on my Asus running Windows 8.1, it's a bit resource intensive but if you have a moderate to beefy setup it's solid. Occasionally I notice bog downs on the T100. It's an older model Tablet convert that I picked up wanting to put Kali onto it instead (another long exhausting story that ends with, not worth the effort although I do have Ubuntu dual-booting on it with Windows but stupid stuff like Bluetooth and the Rotation are wonky and the sleep/hibernate is shit).

    I have seen ESET deployed and it's solid. If I'm not mistaken Kaspersky and ESET are both on the list of Endpoint prot solutions allowed for Banks. That's always a good reference as the standards are pretty rigid. Medical facilities we have audited have ESET deployed as well as Kaspersky. I haven't run into too much WEBROOT lately, as stated that's a good thing because any kid with a laptop and a broadband connection can download the tools and some quick directions to pwn Webroot with something like Metasploit.

    I still pack and use TPLink nanorouters for my everyday stuff. I haven't had any issues with them, they're low power, reliable, and lightweight (size of an Altoids can). To be fair I do not run massive amounts of throughput over them but they handle my occasional heavy use situations which won't be discussed here but suffice to say sometimes you need a little bit of bandwidth, and they seem to handle the task.

    Always try to keep in mind that the good guys are always behind the curve by about ten steps. Through no fault of ours, too many unprotected entryways still exist. There are assholes building botnets out of Washing machines and Toasters. Yes, Toasters. Your stupidly Smart toaster that's been slapped onto your UPnP setup without bothering to disable UPnP over the net has now become a soldier in the Army of Widgets, yet another tackhammer we have to smack people with amongst the rush to deploy everything and anything to the IoT.

    Terminator might not be too far off. Instead of machine gun wielding robot skeletons, it's your Refrigerator and the TV set.

    Good Times
    • Like Like x 1
  17. Lain

    Lain End of line. #resist

    It's official. Krebs goes dark after getting his ass kicked by a zombie army of toasters and DVRs.

    We're beyond totally fucked.
    • Hug Hug x 1