• CRYPTO-GRAM, September 15, 2022

    From TCOB1@618:500/14 to All on Mon Sep 19 21:20:52 2022

    Crypto-Gram
    September 15, 2022

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

    ** *** ***** ******* *********** *************
    In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    $23 Million YouTube Royalties Scam
    Remotely Controlling Touchscreens
    Zoom Exploit on MacOS
    USB "Rubber Ducky" Attack Tool
    Hyundai Uses Example Keys for Encryption System
    Signal Phone Numbers Exposed in Twilio Hack
    Mudge Files Whistleblower Complaint against Twitter
    Man-in-the-Middle Phishing Attack
    Security and Cheap Complexity
    Levels of Assurance for DoD Microelectronics
    FTC Sues Data Broker
    High-School Graduation Prank Hack
    Clever Phishing Scam Uses Legitimate PayPal Messages
    Montenegro Is the Victim of a Cyberattack
    The LockBit Ransomware Gang Is Surprisingly Professional
    Facebook Has No Idea What Data It Has
    Responsible Disclosure for Cryptocurrency Security
    New Linux Cryptomining Malware
    FBI Seizes Stolen Cryptocurrencies
    Weird Fallout from Peiter Zatko's Twitter Whistleblowing
    Upcoming Speaking Engagements

    ** *** ***** ******* *********** *************
    $23 Million YouTube Royalties Scam

    [2022.08.15] Scammers were able to convince YouTube that other people's music was their own. They successfully stole $23 million before they were caught.

    No one knows how common this scam is, and how much money total is being stolen in this way. Presumably this is not an uncommon fraud.

    While the size of the heist and the breadth of the scheme may be very unique, it's certainly a situation that many YouTube content creators have faced before. YouTube's Content ID system, meant to help creators, has been weaponized by bad faith actors in order to make money off content that isn't theirs. While some false claims are just mistakes caused by automated systems, the MediaMuv case is a perfect example of how fraudsters are also purposefully taking advantage of digital copyright rules.

    YouTube attempts to be cautious with who it provides CMS and Content ID tool access because of how powerful these systems are. As a result, independent creators and artists cannot check for these false copyright claims nor do they have the power to directly act on them. They need to go through a digital rights management company that does have access. And it seems like thieves are doing the same, falsifying documents to gain access to these YouTube tools through these third parties that are "trusted" with these tools by YouTube.

    ** *** ***** ******* *********** *************
    Remotely Controlling Touchscreens

    [2022.08.16] This is more of a demonstration than a real-world vulnerability, but researchers can use electromagnetic interference to remotely control touchscreens.

    From a news article:

    It's important to note that the attack has a few key limitations. Firstly, the hackers need to know the target's phone passcode, or launch the attack while the phone is unlocked. Secondly, the victim needs to put the phone face down, otherwise the battery and motherboard will block the electromagnetic signal. Thirdly, the antenna array has to be no more than four centimeters (around 1.5 inches) away. For all these reasons the researchers themselves admit that the "invisible finger" technique is a proof of concept that at this point is far from being a threat outside of a university lab.

    EDITED TO ADD (9/12): The project has a website.

    ** *** ***** ******* *********** *************
    Zoom Exploit on MacOS

    [2022.08.17] This vulnerability was reported to Zoom last December:

    The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

    When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom's signing certificate would be enough to pass the test -- so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

    It seems that it's not entirely fixed:

    Following responsible disclosure protocols, Wardle informed Zoom about the vulnerability in December of last year. To his frustration, he says an initial fix from Zoom contained another bug that meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.

    EDITED TO ADD: Disclosure works. The vulnerability seems to be patched now.

    ** *** ***** ******* *********** *************
    USB "Rubber Ducky" Attack Tool

    [2022.08.18] The USB Rubber Ducky is getting better and better.

    Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms.

    The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that).

    That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.

    Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.

    ** *** ***** ******* *********** *************
    Hyundai Uses Example Keys for Encryption System

    [2022.08.22] This is a dumb crypto mistake I had not previously encountered:

    A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle's manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.

    [...]

    "Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]".

    [...]

    Luck held out, in a way. "Greenluigi1" found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like "RSA Encryption & Decryption Example with OpenSSL in C."

    EDITED TO ADD (8/23): Slashdot post.

    ** *** ***** ******* *********** *************
    Signal Phone Numbers Exposed in Twilio Hack

    [2022.08.23] Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed:

    Here's what our users need to know:

    All users can rest assured that their message history, contact lists, profile information, whom they'd blocked, and other personal data remain private and secure and were not affected.
    For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of Signal's total users, meaning that most were not affected.

    We are notifying these 1,900 users directly, and prompting them to re-register Signal on their devices.

    If you were not notified, don't worry about it. But it does bring up the old question: Why does Signal require a phone number to use? It doesn't have to be that way.

    ** *** ***** ******* *********** *************
    Mudge Files Whistleblower Complaint against Twitter

    [2022.08.24] Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that it violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitter's chief security officer until he was fired in January.

    The Washington Post has the scoop (with documents) and companion backgrounder. This CNN story is also comprehensive.

    EDITED TO ADD: Another news article. Slashdot thread.

    EDITED TO ADD (9/2): More info.

    ** *** ***** ******* *********** *************
    Man-in-the-Middle Phishing Attack

    [2022.08.25] Here's a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication:

    Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server's response back to the user. Once the authentication was completed, the threat actor stole the session cookie the legitimate site sent, so the user doesn't need to be reauthenticated at every new page visited. The campaign began with a phishing email with an HTML attachment leading to the proxy server.

    ** *** ***** ******* *********** *************
    Security and Cheap Complexity

    [2022.08.26] I've been saying that complexity is the worst enemy of security for a long time now. (Here's me in 1999.) And it's been true for a long time.

    In 2018, Thomas Dullien of Google's Project Zero talked about "cheap complexity." Andrew Appel summarizes:

    The anomaly of cheap complexity. For most of human history, a more complex device was more expensive to build than a simpler device. This is not the case in modern computing. It is often more cost-effective to take a very complicated device, and make it simulate simplicity, than to make a simpler device. This is because of economies of scale: complex general-purpose CPUs are cheap. On the other hand, custom-designed, simpler, application-specific devices, which could in principle be much more secure, are very expensive.

    This is driven by two fundamental principles in computing: Universal computation, meaning that any computer can simulate any other; and Moore's law, predicting that each year the number of transistors on a chip will grow exponentially. ARM Cortex-M0 CPUs cost pennies, though they are more powerful than some supercomputers of the 20th century.

    The same is true in the software layers. A (huge and complex) general-purpose operating system is free, but a simpler, custom-designed, perhaps more secure OS would be very expensive to build. Or as Dullien asks, "How did this research code someone wrote in two weeks 20 years ago end up in a billion devices?"

    This is correct. Today, it's easier to build complex systems than it is to build simple ones. As recently as twenty years ago, if you wanted to build a refrigerator you would create custom refrigerator controller hardware and embedded software. Today, you just grab some standard microcontroller off the shelf and write a software application for it. And that microcontroller already comes with an IP stack, a microphone, a video port, Bluetooth, and a whole lot more. And since those features are there, engineers use them.

    ** *** ***** ******* *********** *************
    Levels of Assurance for DoD Microelectronics

    [2022.08.29] The NSA has published criteria for evaluating levels of assurance required for DoD microelectronics.

    The introductory report in a DoD microelectronics series outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) and other devices containing reprogrammable digital logic.

    The levels of hardware assurance are determined by the national impact caused by failure or subversion of the top-level system and the criticality of the component to that top-level system. The guidance helps programs acquire a better understanding of their system and components so that they can effectively mitigate against threats.

    The report was published last month, but I only just noticed it.

    ** *** ***** ******* *********** *************
    FTC Sues Data Broker

    [2022.08.30] This is good news:

    The Federal Trade Commission (FTC) has sued Kochava, a large location data provider, for allegedly selling data that the FTC says can track people at reproductive health clinics and places of worship, according to an announcement from the agency.

    "Defendant's violations are in connection with acquiring consumers' precise geolocation data and selling the data in a format that allows entities to track the consumers' movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at risk populations, and addiction recovery," the lawsuit reads.

    ** *** ***** ******* *********** *************
    High-School Graduation Prank Hack

    [2022.08.31] This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools.

    During the process, the group broke into the school's IT systems; repurposed software used to monitor students' computers; discovered a new vulnerability (and reported it); wrote their own scripts; secretly tested their system at night; and managed to avoid detection in the school's network. Many of the techniques were not sophisticated, but they were pretty much all illegal.

    It has a happy ending: no one was prosecuted.

    A spokesperson for the D214 school district tells WIRED they can confirm the events in Duong's blog post happened. They say the district does not condone hacking and the "incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students."

    "The District views this incident as a penetration test, and the students involved presented the data in a professional manner," the spokesperson says, adding that its tech team has made changes to avoid anything similar happening again in the future.

    The school also invited the students to a debrief, asking them to explain what they had done. "We were kind of scared at the idea of doing the debrief because we have to join a Zoom call, potentially with personally identifiable information," Duong says. Eventually, he decided to use his real name, while other members created anonymous accounts. During the call, Duong says, they talked through the hack and he provided more details on ways the school could secure its system.

    EDITED TO ADD (9/13): Here's Minh Duong's Defcon slides. You can see the table of contents of their report on page 59, and the school's response on page 60.

    ** *** ***** ******* *********** *************
    Clever Phishing Scam Uses Legitimate PayPal Messages

    [2022.09.01] Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging.

    Basically, the scammers use the PayPal invoicing system to send the email. The email lists a phone number to dispute the charge, which is not PayPal and quickly turns into a request to download and install a remote-access tool.

    ** *** ***** ******* *********** *************
    Montenegro Is the Victim of a Cyberattack

    [2022.09.02] Details are few, but Montenegro has suffered a cyberattack:

    A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country's electrical utility to switch to manual control.

    [...]

    But the attack against Montenegro's infrastructure seemed more sustained and extensive, with targets including water supply systems, transportation services and online government services, among many others.

    Government officials in the country of just over 600,000 people said certain government services remained temporarily disabled for security reasons and that the data of citizens and businesses were not endangered.

    The Director of the Directorate for Information Security, Dusan Polovic, said 150 computers were infected with malware at a dozen state institutions and that the data of the Ministry of Public Administration was not permanently damaged. Polovic said some retail tax collection was affected.

    Russia is being blamed, but I haven't seen any evidence other than "they're the obvious perpetrator."

    EDITED TO ADD (9/12): The Montenegro government is hedging on that Russia attribution. It seems to be a regular criminal ransomware attack. The Cuba Ransomware gang has Russian members, but that's not the same thing as the government.

    ** *** ***** ******* *********** *************
    The LockBit Ransomware Gang Is Surprisingly Professional

    [2022.09.07] This article makes LockBit sound like a legitimate organization:

    The DDoS attack last weekend that put a temporary stop to leaking Entrust data was seen as an opportunity to explore the triple extortion tactic to apply more pressure on victims to pay a ransom.

    LockBitSupp said that the ransomware operator is now looking to add DDoS as an extortion tactic on top of encrypting data and leaking it.

    "I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting," LockBitSupp wrote in a post on a hacker forum.

    The gang also promised to share over torrent 300GB of data stolen from Entrust so "the whole world will know your secrets."

    LockBit's spokesperson said that they would share the Entrust data leak privately with anyone that contacts them before making it available over torrent.

    They're expanding: locking people out of their data, publishing it if the victim doesn't pay, and DDoSing their network as an additional incentive.

    ** *** ***** ******* *********** *************
    Facebook Has No Idea What Data It Has

    [2022.09.08] This is from a court deposition:

    Facebook's stonewalling has been revealing on its own, providing variations on the same theme: It has amassed so much data on so many billions of people and organized it so confusingly that full transparency is impossible on a technical level. In the March 2022 hearing, Zarashaw and Steven Elia, a software engineering manager, described Facebook as a data-processing apparatus so complex that it defies understanding from within. The hearing amounted to two high-ranking engineers at one of the most powerful and resource-flush engineering outfits in history describing their product as an unknowable machine.

    The special master at times seemed in disbelief, as when he questioned the engineers over whether any documentation existed for a particular Facebook subsystem. "Someone must have a diagram that says this is where this data is stored," he said, according to the transcript. Zarashaw responded: "We have a somewhat strange engineering culture compared to most where we don't generate a lot of artifacts during the engineering process. Effectively the code is its own design document often." He quickly added, "For what it's worth, this is terrifying to me when I first joined as well."

    [...]

    Facebook's inability to comprehend its own functioning took the hearing up to the edge of the metaphysical. At one point, the court-appointed special master noted that the "Download Your Information" file provided to the suit's plaintiffs must not have included everything the company had stored on those individuals because it appears to have no idea what it truly stores on anyone. Can it be that Facebook's designated tool for comprehensively downloading your information might not actually download all your information? This, again, is outside the boundaries of knowledge.

    "The solution to this is unfortunately exactly the work that was done to create the DYI file itself," noted Zarashaw. "And the thing I struggle with here is in order to find gaps in what may not be in DYI file, you would by definition need to do even more work than was done to generate the DYI files in the first place."

    The systemic fogginess of Facebook's data storage made answering even the most basic question futile. At another point, the special master asked how one could find out which systems actually contain user data that was created through machine inference.

    "I don't know," answered Zarashaw. "It's a rather difficult conundrum."

    I'm not surprised. These systems are so complex that no humans understand them anymore. That allows us to do things we couldn't do otherwise, but it's also a problem.

    EDITED TO ADD: Another article.

    ** *** ***** ******* *********** *************
    Responsible Disclosure for Cryptocurrency Security

    [2022.09.09] Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software.

    Why can't the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don't have an ongoing relationship with the hardware and software providers that protect their funds -- nor do they have an incentive to update security on a regular basis. Turning to a new security provider or using updated software creates risks; leaving everything the way it was feels safer. So users won't be rushing to pay for and install new security patches.

    Second, cryptocurrency is famously and deliberately decentralized, anonymized, and low friction. That means that the company responsible for hardware or software security may have no way to identify who used its product, or to get the patch to those users. It also means that many wallets with security flaws will be publicly accessible, protected only by an elaborate password. Once word of the flaw leaks, the password can be reverse engineered by anyone, and the legitimate owners are likely to find themselves in a race to move their assets before the thieves do. Even in the software industry, hackers routinely reverse engineer Microsoft's patches to find the security flaws they fix and then try to exploit them before the patches have been fully installed.

    He doesn't have any good ideas to fix this. I don't either. Just add it to the pile of blockchain's many problems.

    ** *** ***** ******* *********** *************
    New Linux Cryptomining Malware

    [2022.09.12] It's pretty nasty:

    The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that's just 370 bytes.

    Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system.

    [...]

    The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available.

    Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name. "Without [a] domain name, it's difficult to provide a complete list of indicators for detections since they are volatile and they will be used for legitimate purposes in a short period of time," AT&T said.

    Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.

    Another article.

    Slashdot thread.

    ** *** ***** ******* *********** *************
    FBI Seizes Stolen Cryptocurrencies

    [2022.09.13] The Wall Street Journal is reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. It's only a fraction of the $540 million stolen, but it's something.

    The Axie Infinity recovery represents a shift in law enforcement's ability to trace funds through a web of so-called crypto addresses, the virtual accounts where cryptocurrencies are stored. These addresses can be created quickly without them being linked to a cryptocurrency company that could freeze the funds.

    In its effort to mask the stolen crypto, Lazarus Group used more than 12,000 different addresses, according to Chainalysis. Unlike bank transactions that happen through private networks, movement between crypto accounts is visible to the world on the blockchain.

    Advanced blockchain-monitoring tools and cooperation from centralized crypto exchanges enabled the FBI to trace the crypto to where Lazarus Group tried to cash out, investigators said.

    The money was laundered through the Tornado Cash mixer.

    ** *** ***** ******* *********** *************
    Weird Fallout from Peiter Zatko's Twitter Whistleblowing

    [2022.09.14] People are trying to dig up dirt on Peiter Zatko, better known as Mudge.

    For the record, I have not been contacted. I'm not sure if I should feel slighted.

    ** *** ***** ******* *********** *************
    Upcoming Speaking Engagements

    [2022.09.14] This is a current list of where and when I am scheduled to speak:

    I'm speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022.
    I'm speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on September 22, 2022.

    The list is maintained on this page.

    ** *** ***** ******* *********** *************

    Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.

    You can also read these articles on my blog, Schneier on Security.

    Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

    Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.

    Copyright © 2022 by Bruce Schneier.

    ** *** ***** ******* *********** *************

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 - binkd.thecivv.ie (618:500/14)
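The Hyundai item in the newsletter above turns on a key copied from a published example. The scanner below is an added illustration (not code from the newsletter, the researcher, or Hyundai) of the check a firmware or build-pipeline reviewer can run: it flags the NIST SP 800-38A AES-128 example key and the SP 800-38A example IV (which is also the FIPS-197 Appendix C.1 example key) whether they appear as raw bytes in an image, as a hex string in a script, or as a C byte array in a header. The key values are the ones printed in those NIST documents; the sample inputs are constructed.

```python
import re
import secrets
from typing import List, Tuple

# Hypothetical scanner table (added illustration). Values are exactly as printed
# in NIST SP 800-38A Appendix F (AES-128 key, CBC example IV); the IV doubles
# as the FIPS-197 Appendix C.1 example key.
KNOWN_EXAMPLE_VALUES = {
    "SP800-38A AES-128 example key": "2b7e151628aed2a6abf7158809cf4f3c",
    "SP800-38A example IV / FIPS-197 C.1 key": "000102030405060708090a0b0c0d0e0f",
}


def _hex_view(data: bytes) -> str:
    """Collapse text into a bare hex-digit stream so that a key written as
    '2b7e1516...', as a C array '0x2b, 0x7e, ...' or as Python '\\x2b\\x7e...'
    all reduce to the same run of digits. An accidental 32-digit match in the
    collapsed stream is astronomically unlikely, so it is safe to grep."""
    text = data.decode("latin-1")                  # never fails on binaries
    text = re.sub(r"0[xX]|\\x", "", text)          # drop byte-literal prefixes
    return "".join(c for c in text if c in "0123456789abcdefABCDEF").lower()


def find_example_keys(data: bytes) -> List[Tuple[str, str]]:
    """Return (label, form) for every known example value found in `data`,
    either embedded as raw bytes (compiled firmware) or spelled out as a hex
    literal (scripts, headers, configs). Caveat: a raw-bytes hit on the
    00 01 02 ... 0f sequence is low confidence, since identity lookup tables
    look identical; a hex-literal hit on it is much stronger evidence."""
    findings = []
    hexview = _hex_view(data)
    for label, hexkey in KNOWN_EXAMPLE_VALUES.items():
        if bytes.fromhex(hexkey) in data:
            findings.append((label, "raw bytes"))
        if hexkey in hexview:
            findings.append((label, "hex literal"))
    return findings


def fresh_key(nbytes: int = 16) -> bytes:
    """What the update script should have contained instead: a key drawn
    from the OS CSPRNG at provisioning time, never a value from a document."""
    return secrets.token_bytes(nbytes)


# Constructed samples standing in for an update script, a C header and a
# firmware blob; none of this is taken from any real image.
SAMPLE_PY = b'KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # from a tutorial\n'
SAMPLE_C = (b"static const unsigned char key[16] = {\n"
            b"    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,\n"
            b"    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };\n")
SAMPLE_BIN = (b"\x7fELF\x00\x00firmware-image\x00"
              + bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c") + b"\x00\x00")
SAMPLE_CLEAN = b"KEY = os.urandom(16)\n"


if __name__ == "__main__":
    for name, blob in [("script", SAMPLE_PY), ("header", SAMPLE_C),
                       ("firmware", SAMPLE_BIN), ("clean", SAMPLE_CLEAN)]:
        print(f"{name:9s}", find_example_keys(blob) or "no example keys found")
```

The same table can be extended with the other SP 800-38A keys and the RSA tutorial modulus mentioned in the story; the collapsing trick in `_hex_view` works unchanged for longer values.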
  • From Arelor@618:250/24 to TCOB1 on Tue Sep 20 17:15:57 2022
    Re: CRYPTO-GRAM, September 15, 2022
    By: TCOB1 to All on Mon Sep 19 2022 09:20 pm

    The scam involving PayPal sounds scary because a lot of people could fall for it. I mean, if you get the
    phone number for solving the dispute from an official email you are more likely to trust it, if you are
    not familiar with PayPal's procedures.

    Also, it sucks about Signal. I have been saying for long that using phone numbers as a poorman's user ID
    is lame as fick.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.15-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From August Abolins@618:250/1.9 to Arelor on Tue Sep 20 19:47:00 2022
    Hello Arelor!

    ** On Tuesday 20.09.22 - 17:15, Arelor wrote to TCOB1:

    Re: CRYPTO-GRAM, September 15, 2022
    By: TCOB1 to All on Mon Sep 19 2022 09:20 pm

    The scam involving PayPal sounds scary because a lot of
    people could fall for it. I mean, if you get the phone
    number for solving the dispute from an official email you
    are more likely to trust it, if you are not familiar with
    PayPal's procedures.

    But the email is NOT necessarily "official email" from Paypal.
    It's someone just using the Paypal invoicing system to send you
    something with the intent to fool you. But I agree, at first
    sight, some people could fall for it. After all, that's what
    scamming is all about - trying to snare a victim.


    Also, it sucks about Signal. I have been saying for long
    that using phone numbers as a poorman's user ID is lame as
    fick.

    But no one can really do anything if they know your phone number
    except call you. But then, you have the power to block
    undesired incoming calls.

    Telegram uses a cellphone number system to "register" accounts
    too. But you don't really need to use that number ever again.
    The number is just needed to receive an SMS text message with
    the registration code.

    Furthermore, unlike Signal, it does NOT need to be the device
    that the app is installed on. You can prepare to install
    Telegram on a desktop, give it the phone number of ANY device
    that you have control of that can receive SMS text, enter the
    received 4-digit code in the desktop app, and you're all set.

    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From Arelor@618:250/24 to August Abolins on Wed Sep 21 01:45:33 2022
    Re: CRYPTO-GRAM, September 15, 2022
    By: August Abolins to Arelor on Tue Sep 20 2022 07:47 pm

    Furthermore, unlike Signal, it does NOT need to be the device
    that the app is installed on. You can prepare to install
    Telegram on a desktop, give it the phone number of ANY device
    that you have control of that can receive SMS text, enter the
    received 4-digit code in the desktop app, and you're all set.

    I have Signal running on a different phone than the one with the registered phone
    number :-)

    Signal also has a desktop app. It is Electron-based, which means it should be put to
    the flamethrower, but it exists.


    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.15-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From TheCivvie@618:500/14 to Arelor on Fri Sep 23 14:32:28 2022
    Arelor wrote to TCOB1 <=-

    Re: CRYPTO-GRAM, September 15, 2022
    By: TCOB1 to All on Mon Sep 19 2022 09:20 pm

    The scam involving PayPal sounds scary because a lot of people could
    fall for it. I mean, if you get the phone number for solving the
    dispute from an official email you are more likely to trust it, if you are
    not familiar with PayPal's procedures.


    It is scary how clever scammers are getting these days. It is nearly impossible to stay up with them.

    Sean


    ... TCOB1 - binkd.thecivv.ie

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 - binkd.thecivv.ie (618:500/14)
  • From Mark Hofmann@618:100/12 to Thecivvie on Sat Sep 24 09:24:14 2022
    It is scary how clever scammers are getting these days. It is nearly impossible to stay up with them

    Especially due to the fact there is so much information available on people just a few clicks away.

    When you have information on the person you are trying to scam, that makes it way easier. For instance, if you know the head of finance in a company that approves bill payments, you can contact them posing as a different company that is trying to collect an outstanding bill that will shut off some type of important service.

    The person has a higher chance of falling for it when there is background knowledge of the individual names, etc. You can even use names of people in the organization you found on LinkedIn or something just to make it sound more real.

    - Mark

    --- WWIVToss v.1.52
    * Origin: http://www.weather-station.org * Bel Air, MD -USA (618:100/12.0)
  • From Mark Hofmann@618:100/12 to Thecivvie on Sat Sep 24 09:27:44 2022
    It is scary how clever scammers are getting these days. It is nearly impossible to stay up with them

    I have been forwarded many scam bills from our finance department over the years about "domain name protection" invoices. They try to scam money by making it look like a bill for your domain name; if you don't pay it, something negative will happen.

    Fortunately, finance sends them to me for approval and I promptly throw them in the trash.

    - Mark

    --- WWIVToss v.1.52
    * Origin: http://www.weather-station.org * Bel Air, MD -USA (618:100/12.0)
  • From Nick Andre@618:500/24 to Mark Hofmann on Sat Sep 24 13:13:07 2022
    On 24 Sep 22 09:27:44, Mark Hofmann said the following to Thecivvie:

    I have been forwarded many scam bills from our finance department over the years about "domain name protection" invoices. Trying to scam money making it look like a bill for your domain name, if you don't pay it something negative will happen.

    Wow, I remember getting those too! Accounting/finance paid one by accident and they ended up on the "sucker list" for what seemed to be several years.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:500/24)
  • From August Abolins@618:250/1.9 to Nick Andre on Sat Sep 24 21:56:00 2022
    Hello Nick Andre!

    ** On Saturday 24.09.22 - 13:13, Nick Andre wrote to Mark Hofmann:

    Wow, I remember getting those too! Accounting/finance paid
    one by accident and they ended up on the "sucker list" for
    what seemed to be several years.

    Me too (that is, getting those fake bills).

    Now, a new trick seems to have emerged, and that is to send you
    an email stating "THANK YOU, for your recent payment of [insert service/product] renewal" and they state some ridiculous
    3-figure price and tell you that it was automatically charged to
    your credit card. If you don't approve or think there is an
    error, you are expected to call a 1-800 number to reverse the
    stated charges.

    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From Mark Hofmann@618:100/12 to Nick Andre on Sun Sep 25 11:02:45 2022
    Wow, I remember getting those too! Accounting/finance paid one by accident and
    they ended up on the "sucker list" for what seemed to be several years.

    We still get one or two now and then. I think what saved us from paying it is that my work is fairly strict on getting someone from the particular department to sign/approve it.

    Everyone knows I take care of all things Network and Internet, so these scam bills were sent to me. I told them they were a scam and tossed them in the trash.

    - Mark

    --- WWIVToss v.1.52
    * Origin: http://www.weather-station.org * Bel Air, MD -USA (618:100/12.0)
  • From Mark Hofmann@618:100/12 to August Abolins on Sun Sep 25 11:07:11 2022
    Now, a new trick seems to have emerged, and that is to send you
    an email stating "THANK YOU, for your recent payment of [insert service/product] renewal" and they state some ridiculous
    3-figure price and tell you that it was automatically charged to
    your credit card. If you don't approve or think there is an
    error, you are expected to call a 1-800 number to reverse the
    stated charges.

    We have had social engineering calls directly to people at my work, asking for them by name, about "a problem with their computer", acting as if they were being called by our own internal Help Desk.

    They ask them to go to a URL to clean their PC, which then installs remote control software and other spyware. That has happened several times; typically the user realizes they were scammed and calls IT, or CrowdStrike picks up the anomaly and lets our security team know.

    - Mark

    --- WWIVToss v.1.52
    * Origin: http://www.weather-station.org * Bel Air, MD -USA (618:100/12.0)
  • From bex@618:200/50 to TheCivvie on Fri Sep 23 16:13:00 2022
    TheCivvie wrote to Arelor <=-

    phone number for solving the dispute from an official email you are more likely to trust it, if you are not familiar with PayPal's procedures.

    It is scary how clever scammers are getting these days. It is nearly impossible to stay up with them.

    Talent follows money, and there's good money in the scamming community.


    -+- Brightening your day. -Bex <3

    ... "It is not our abilities that show what we truly are. It is our choices." -A
    === MultiMail/Linux v0.49
    --- SBBSecho 3.11-Win32
    * Origin: -=[conchaos.synchro.net | ConstructiveChaos BBS]=- (618:200/50)
  • From Arelor@618:250/24 to August Abolins on Sun Sep 25 15:14:27 2022
    Re: CRYPTO-GRAM, September 15, 2022
    By: August Abolins to Nick Andre on Sat Sep 24 2022 09:56 pm

    Hello Nick Andre!

    ** On Saturday 24.09.22 - 13:13, Nick Andre wrote to Mark Hofmann:

    Wow, I remember getting those too! Accounting/finance paid
    one by accident and they ended up on the "sucker list" for
    what seemed to be several years.

    Me too (that is, getting those fake bills).

    Now, a new trick seems to have emerged, and that is to send you
    an email stating "THANK YOU, for your recent payment of [insert service/product] renewal" and they state some ridiculous
    3-figure price and tell you that it was automatically charged to
    your credit card. If you don't approve or think there is an
    error, you are expected to call a 1-800 number to reverse the
    stated charges.

    I have seen that one multiple times. That one is easy to spot for people who are actively watching for scams.

    The worst one I have seen is when they hack or steal actual data from companies you are actually dealing with, and use their resources to pose as them. For example, if you are in the middle of buying something from them, they may pose as your provider and tell you "Let's make it a deal. Send the money <somewhere they like>"

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.15-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From August Abolins@618:250/1.9 to Mark Hofmann on Sun Sep 25 16:26:00 2022
    Hello Mark Hofmann!

    ** On Sunday 25.09.22 - 11:07, Mark Hofmann wrote to August Abolins:

    We have had social engineering calls directly to people at
    my work, asking for them by name, about "a problem with their
    computer", acting as if they were being called by our own
    internal Help Desk.

    They ask them to go to a URL to clean their PC, which then
    installs remote control software and other spyware. That
    has happened several times; typically the user
    realizes they were scammed and calls IT, or CrowdStrike
    picks up the anomaly and lets our security team know.

    OMG. So the scammers even call in person and expect you to
    visit a specific site! Incredible.

    I get calls from point-of-sale (POS) exchange companies (they
    claim to offer lower rates than anyone else, etc.)

    When they call they ask for "the owner", and never by name -
    that's a clear sign to me that it's a cold call.

    Then they ask "do you operate a POS for debit or credit cards?"

    By then I'm already fed up and simply tell them, "Look, you're
    wasting your time. You should be targeting large department
    stores or car dealerships. And if I do sign up with you,
    another competitor will call just like you did and want me
    to sign up with THEM."

    I just say, "No thanks. I don't have time to chat." and hang
    up.

    Besides, there is no assurance that these sight-unseen exchange
    businesses are nefarious and would funnel legitimate funds OUT
    of my business before I realize that I was scammed.

    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From August Abolins@618:250/1.9 to bex on Sun Sep 25 19:04:00 2022
    Hello bex!

    ** On Friday 23.09.22 - 16:13, bex wrote to TheCivvie:

    It is scary how clever scammers are getting these days.
    It is nearly impossible to stay up with them.

    But they are not all that much different than the ones in the
    past. They only seem to change to reflect a new emergent
    company/logo or service and try to trick you into thinking that
    they are legit.

    For example, here is one that I got recently:

    https://susepaste.org/12630119



    Talent follows money, and there's good money in the
    scamming community.

    Yeah, they keep trying, don't they? The only real weakness is
    the uninformed, like a new generation obtaining computers for
    the 1st time.

    Even despite that, it is too easy to click on a supplied link.

    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From bex@618:200/50 to August Abolins on Tue Sep 27 12:39:00 2022
    August Abolins wrote to Mark Hofmann <=-

    OMG. So the scammers even call in person and expect you to
    visit a specific site! Incredible.

    When they call they ask for "the owner", and never by name -
    that's a clear sign to me that it's a cold call.

    This is one of many reasons I don't answer my phone. Everyone who knows me
    knows to text me, and any legit businesses leave me a voicemail after I
    don't answer. It's only damned spammers/scammers who call.


    -+- Brightening your day. -Bex <3

    ... "Pooh sat down on a large stone, and tried to think this out. It sounded to

    === MultiMail/Linux v0.49
    --- SBBSecho 3.11-Win32
    * Origin: -=[conchaos.synchro.net | ConstructiveChaos BBS]=- (618:200/50)
  • From Arelor@618:250/24 to bex on Wed Sep 28 09:09:59 2022
    Re: Re: CRYPTO-GRAM, September 15, 2022
    By: bex to August Abolins on Tue Sep 27 2022 12:39 pm

    August Abolins wrote to Mark Hofmann <=-

    OMG. So the scammers even call in person and expect you to
    visit a specific site! Incredible.

    When they call they ask for "the owner", and never by name -
    that's a clear sign to me that it's a cold call.

    This is one of many reasons I don't answer my phone. Everyone who knows me knows to text me, and any legit businesses leave me a voicemail after I
    don't answer. It's only damned spammers/scammers who call.

    There are lots of legitimate callers out there. Some don't leave a message because of
    policy. Sometimes, the fact you called somebody is sensitive information in itself so
    you don't leave message trails.

    This is troublesome because messages are not as resolutive as they are cracked up to
    be. In order to get unpleasant shit done, you have to talk to people more often than
    not.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.15-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From bex@618:200/50 to Arelor on Thu Sep 29 10:16:00 2022
    Arelor wrote to bex <=-

    There are lots of legitimate callers out there. Some don't leave a
    message because of policy. Sometimes, the fact you called somebody is sensitive information in itself so you don't leave message trails.

    Except for Caller ID, of course. And while Caller ID can be faked or
    blocked, that's an obvious spam call.

    This is troublesome because messages are not as resolutive as they are cracked up to be. In order to get unpleasant shit done, you have to
    talk to people more often than not.

    You are correct about this, and I will place outbound calls to businesses
    or organizations that I need to contact. It's incoming calls I don't
    accept.


    -+- Brightening your day. -Bex <3

    ... "Say what again. SAY WHAT AGAIN. I dare you, I double dare you, motherfucker
    === MultiMail/Linux v0.49
    --- SBBSecho 3.11-Win32
    * Origin: -=[conchaos.synchro.net | ConstructiveChaos BBS]=- (618:200/50)
  • From Mark Hofmann@618:100/12 to August Abolins on Tue Sep 27 07:22:01 2022
    OMG. So the scammers even call in person and expect you to
    visit a specific site! Incredible.

    Yes, and most are from other countries. They will get SIP connections from US-based providers and use US-based cloud services, but their scam origination is overseas. They know they can't and won't get prosecuted, so there is zero risk on their part.

    - Mark

    --- WWIVToss v.1.52
    * Origin: http://www.weather-station.org * Bel Air, MD -USA (618:100/12.0)
  • From TheCivvie@618:500/14 to Mark Hofmann on Mon Oct 3 11:10:48 2022
    Mark Hofmann wrote to Thecivvie <=-

    It is scary how clever scammers are getting these days. It is nearly
    impossible to stay up with them.

    Especially due to the fact there is so much information available on people just a few clicks away.

    When you have information on the person you are trying to scam, that
    makes it way easier. For instance, if you know the head of finance in a company that approves bill payments, you can contact them posing as a different company that is trying to collect an outstanding bill that
    will shut off some type of important service.

    The person has a higher chance of falling for it when there is background knowledge of the individual names, etc. You can even use names of
    people in the organization you found on LinkedIn or something just to make it sound more real.


    And the more that people interact with stupid Facebook games, the more they give away. People seem to have become very stupid these days when it comes to security.

    Sean


    ... TCOB1 - binkd.thecivv.ie

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 - binkd.thecivv.ie (618:500/14)
  • From TheCivvie@618:500/14 to bex on Mon Oct 3 11:10:48 2022
    bex wrote to TheCivvie <=-

    TheCivvie wrote to Arelor <=-

    phone number for solving the dispute from an official email you are
    more likely to trust it, if you are not familiar with PayPal's
    procedures.

    It is scary how clever scammers are getting these days. It is nearly
    impossible to stay up with them.

    Talent follows money, and there's good money in the scamming community.


    That is very true

    Sean


    ... TCOB1 - binkd.thecivv.ie

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 - binkd.thecivv.ie (618:500/14)