Anachostic

My tagline, let me show you it.

Tag Archives: security

Never Let Your Guard Down

Today, I learned I had been “hacked”.  I say “hacked” in a figurative sense because there wasn’t really a whole lot of hacking involved.  I somewhat left the door open and someone just fiddled around and got in.

I have my own email server that manages a few domains.  I have one domain I don’t do anything with, and on that one, I had created a couple of test accounts for, well, testing.  The problem is, I never disabled them when I was done.  It’s been a while since I did that, so either I didn’t think about the consequences or assumed that since I was working on an inactive domain, no one would try accessing it.  You can’t assume that.

Since “hackers” just use a bunch of scripts to automate “hacking”, they can just let the scripts run and go eat some more pizza.  And that’s what happened to me, probably.  A script found my domain, then immediately went to work trying out different common username/password combos.  And although I have security features that will temporarily blacklist an IP address after so many failures, that had no effect.  The script will just wait until the ban is lifted then continue on.  Time is not a concern.
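An added example (not code from this blog) of the detection side of this: a per-IP temporary ban only counts failures inside a short window, so a script that pauses past the ban never trips it, whereas counting failures per account over a long horizon, and listing accounts that have never logged in successfully, catches exactly the dormant test account described here. The log format, every log line, the IP addresses and the thresholds are constructed for the example and do not come from any particular mail server.

```python
"""Added example, not code from the blog: detection logic for a patient,
ban-aware password-guessing run against mail accounts. The log lines are
constructed in a generic 'timestamp RESULT user=... ip=...' format, not the
output of any particular mail server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def make_sample_log():
    """Constructed log: one script stays under a 5-failures-in-10-minutes ban
    rule by pausing between short bursts, plus one real user mistyping once."""
    lines = []
    t = datetime(2016, 3, 1, 1, 0, 0)
    for _ in range(6):                      # six bursts over roughly 3.6 hours
        for _ in range(4):                  # four failures per burst, below the threshold
            lines.append(f"{t.isoformat()} FAIL user=test2@mydomain.com ip=203.0.113.5")
            t += timedelta(seconds=20)
        t += timedelta(minutes=35)          # wait out any temporary ban
    lines.append("2016-03-01T02:10:00 FAIL user=me@mydomain.com ip=198.51.100.7")
    lines.append("2016-03-01T02:10:30 OK user=me@mydomain.com ip=198.51.100.7")
    return lines


def parse(lines):
    """Return events as (timestamp, failed, user, ip), oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2] == "FAIL", m[3], m[4]))
    return sorted(events)


def ip_ban_rule(events, threshold=5, window=timedelta(minutes=10)):
    """The usual per-IP rule: ban an address after `threshold` failures inside
    `window`. Returns the set of IPs that would ever have been banned."""
    banned = set()
    recent = defaultdict(list)
    for ts, failed, _user, ip in events:
        if not failed:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:           # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            banned.add(ip)
            q.clear()
    return banned


def persistent_failures(events, horizon=timedelta(hours=24), min_failures=10):
    """Long-horizon rule: most failures for one account inside any `horizon`,
    regardless of pacing or source IP. Returns {account: count} for accounts
    reaching `min_failures`."""
    by_user = defaultdict(list)
    for ts, failed, user, _ip in events:
        if failed:
            by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        start, best = 0, 0
        for end, ts in enumerate(stamps):   # sliding window over sorted timestamps
            while ts - stamps[start] > horizon:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            flagged[user] = best
    return flagged


def never_succeeded(events):
    """Accounts that only ever appear in failures: the forgotten test accounts
    the post describes, which should simply be disabled."""
    seen, ok = set(), set()
    for _ts, failed, user, _ip in events:
        seen.add(user)
        if not failed:
            ok.add(user)
    return seen - ok


if __name__ == "__main__":
    ev = parse(make_sample_log())
    print("banned by per-IP rule:", ip_ban_rule(ev))
    print("accounts with persistent failures:", persistent_failures(ev))
    print("accounts that never logged in:", never_succeeded(ev))
```

Run as a script, the per-IP rule bans nobody while the per-account rule flags test2@ with 24 failures and lists it as an account that has never logged in; that second list is the one worth reviewing for accounts to disable.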

So, once they got some working credentials, then it was time to deliver the spam.  And boy did they ever.  I had gigabytes of log files and 22k email messages queued for delivery.  How I learned I was hacked was by chance.  I happened to try sending an email during one of the spamfests and got the email returned with the message:

DED : You’ve reached your daily relay quota

At the time I got that message, I thought it was being returned by the domain I was sending to.  Later, on a whim, I decided to check my own server and was shocked at what I saw.  I immediately shut down the email service and started clearing out all the trash.  Then I changed all the account passwords and disabled all the unused accounts and restarted the server.  The log files showed someone trying to log in using test2@mydomain.com and failing.  Bastards.

It’s my own fault, for sure.  But it’s terrible that you can’t stop being paranoid for a second on the Internet.  They’re always out to get you.

SpamBastard–1aauto.com

I had an application idea at one time and actually finished writing it, but ended up never doing anything with it once it was live.  It was spambastard.com and its purpose was to catch companies that would sell, lose, or otherwise mishandle your email address info.  The concept was simple.  You sign up for their site using their domain name @spambastard.com and if any email comes in with a mismatch between the FROM domain name and the TO domain name (as the username, before the @), the email address would be considered compromised.

That domain and application are long dead, but I’ve been able to replicate the same concept with my personal email domain.  That eliminates the hassle of creating a second account for every site I sign up for (one with my real email and one with a spambastard email).  To date, I’ve only had a few cases where I’ve had to take action.  Those cases are:

  • albumartexchange.com – There are many people including myself who posted on their forum and complained that they received PayPal phishing emails to their unique email address.  The website did not respond.
  • lakelandlelectric.com – That debacle was chronicled already.  The utility company did follow up with an explanation of how it happened and how the process was unfortunately legal.  They said they would push for tougher laws on keeping customer information private.  This prompted a follow-up email from the spammer who was incredulous that government would try to reduce transparency.  See, transparency is only good when it works in your favor.
  • paypal.com – This got compromised after only nine people knew of its existence.  Whether it was sold or stolen, I don’t know for sure, but I am pretty confident that some eBay seller has a compromised account and a spammer is looting their customer list.

Now we can add to the list – 1aauto.com.  I placed an order with their site in January (remember when the punks broke the mirror off my car?).  Today, I get a political email from John Kasich’s New Day For America to that email.  So I immediately send a message to 1aauto.com saying they’ve either sold or given away my info or their customer database has been hacked.  So which is it?  I got a pretty quick response.

Hello and thank you for your email.

I do apologize that you received a spam email to your account. I can assure you that your information is secure and we have not experienced any kind of hacking. We do keep our customer information confidential and secure and have several measures put in place to prevent against fraud and stolen identity.

Thank you for notifying us. We will keep tabs on this and look into what we can do to prevent this from happening in the future.

So, I guess the answer is the owner sold out his customers to promote his choice of political candidate.  The fact that this happened at all negates the statement “We do keep our customer information confidential”.  As far as what they can do to prevent it from happening in the future, that’s simple.  Don’t do what you did again.

Thanks to spam law requirements, the spam email footer confirms the email address that it was sent to.  It tells me that I was added to the list on 2/24/16 via opt-in (gee, I don’t remember that), and gives me ways to unsubscribe.

There’s no sense in unsubscribing.  The email address is out in the wild and is now worthless.  Do I want to spend my life unsubscribing from every email campaign that gets that email or do I want to kill off the email?  The choice is pretty simple.

This scenario makes me pity people who only have a single email address, like @gmail.com or @outlook.com or @yahoo.com.  They don’t have the option of closing their account or changing their address.  Consider how easy it is for me: every email (except my personal email) is known to exactly one company.  If an email gets compromised, there is only one place to change it.

But It Was The Right Thing To Do

I’m sorry, Kaitlynn.


Your ATM card is dead.  You left it in the Publix parking lot tonight.  There were no other cars around, so I couldn’t try and find you.  I had a thought to turn it in at the customer service counter and see if you would call and say you left your card there.  Instead, I called your bank.

Bank of America.  What a great bank.  In their phone queue, they ask for my (your) account number.  I enter it from the card.  They ask for the last four of your SSN.  Hell, I don’t know.  I said 0000.  I was wrong.  So they start to blow me off (a machine, saying eff off – wonderful) and I say “operator” (that’s supposedly a trick to get to a human).  Sorry, their customer service center is closed and no one can help me (or you).  Instead of getting pissed off and hanging up, I got pissed off and listened to the rest of their message.  I could report a stolen or lost card by saying “lost card”.  Bingo!

The lady handling the situation was pleasant.  She said she would deactivate your card right away.  I said that deactivating a card could result in a huge hassle.  Can’t you call the person and tell them their card will be waiting at the Publix service desk?  Nope.  Who knows who’s seen and copied the information on that card already before I found it.  Fair enough.  Goodbye, ATM card.  Goodbye, scheduled online payments.  Goodbye, electronic means of buying cigarettes (my assumption).  Oh, and they’re not going to call you either and say your card was found.  They’ll just wait for you to notice it’s gone and report it missing.  Seriously, that’s what they said.

So, I’m sorry.  But you should be happy it ended like this instead of the alternative.  Also, you need to sign your card before using it.  It says right on it: “Not valid unless signed.”

Happy holidays.

My Level Of Security

I’ll admit, I get around on the web.  I go places that you shouldn’t go.  But for the activity that I do, I’m pretty safe.  There are only a few precautions I take and I don’t think it’s all that difficult for anyone else to do.

First and foremost, I installed the MVP Hosts file.  This file does a system-level blocking of any network application that tries to access an internet address that is considered advertising or malware.  This makes nearly everything better, because websites don’t get bogged down with ads.  There are some times that I do need to disable it, but those times are few and far between.  Because it’s system-level, that means IE, Chrome, Firefox, or any other application is immediately protected.

If you go looking for it, there is a growing argument that ads should not be blocked on websites, especially legitimate content sites.  I disagree.  I recently read an article on the analysis of the spread of an unpatched vulnerability.  The malware authors used a legitimate ad service that was utilized by many legitimate websites.  This means that there is no ad service that can be fully trusted.  My position is, if you want to display ads, you host them on your domain and you will take full responsibility for their content.  And because the ads are on the same domain as the content, I can’t and won’t block them.  Even if the ads aren’t malicious, legitimate ad services still serve up misleading ads, designed to trick you into clicking them.  They make them look like authentic messages or toolbars or status bars.  That’s not advertising, that’s flat-out deception.

Back to my security.  Next, I block Flash, Java, and all other plugins by default on all websites.  I used to do this in IE by changing the Flash plugin from blacklist to whitelist, but have come to prefer the ActiveX Filtering feature.

And I’m sure certain people would be screaming “You’re using the most insecure web browser evar!”  I would respond with a hearty rolling of the eyes.  Of the three precautions I take, this is the only one I perform at the browser level and without ActiveX, the majority of exploits are defeated.  That leaves JavaScript exploits.  How are these exploits delivered?  Through ads.  Ads that are blocked by the MVP Hosts file.

So, what’s the last piece of defensive software I use?  Microsoft’s EMET utility, which blocks vulnerabilities at the code level.  This is a really low-level utility and is not exactly user friendly, so I pretty much just run it at the default level.  It’s hard to tell if EMET is working because it’s so low-level.  I’ve seen it do its job twice.  Once, when I was using a Java applet on Verizon’s pages to play my voicemail and another on a sketchy website where it looked like the website was trying to perform an SVG image exploit.  I admitted already, I go to bad places sometimes.

Because I take these precautions, I hadn’t thought about being attacked in quite a while.  On a whim, I ran MalwareBytes and it came back with zero results.  My database was over 2 months old, if I saw correctly.

The only thing that I am vulnerable to is downloading Trojans and installing them myself.  And that is simply a personal fault – no fault of my computer or software. I will comment that downloading software from websites has really become a minefield, with sites displaying many different “Download” buttons at once.  You have to study the page and find the correct context for each button to make sure you are choosing the right one.

In summary, I feel I’m doing pretty good with the tools that are made available: KeePass, VeraCrypt (the replacement for TrueCrypt), MVP Hosts, EMET, and IE’s ActiveX filtering.  I use two-factor authentication whenever it’s available.  It’s not something I did all at once.  I added each little piece as I went.  And in total, it doesn’t slow me down at all.

2014 In Spam

It was in April of 2013 that I made a change to the way I use my email.  Unlike most people, I don’t just have an email address, I have an email domain.  And I use that entire domain namespace by creating a specific email address for every business I deal with.

My email server processes the emails against a blacklist instead of a whitelist.  That means that I can create any email address I want, and it will get delivered to me unless I put it on a list to be blocked.  That reduces the amount of administrative headache I have.

The purpose of this is so that I can tell where my emails are being lost, stolen, or sold.  The instances of this in 2014 were pretty low.  Someone got my paypal email from someone I did business with, some political spammer used a public records request to get my electric company email, and one website’s user database got hacked (and they won’t admit to it).

What I was a little fearful of when creating this wildcard email account was that some automated script would hit my mail server and try a whole slew of predictable emails, like admin@, webmaster@, accounting@, president@, etc.  My wildcard account would catch these and I’d get inundated with mail.  However, this hasn’t happened yet.  I did get some spam by someone who guessed an email address using the firstname.lastname@ structure, so that email was then blocked.

My blacklist only has 6 entries, which I think is pretty good.  And to not have any spam is plenty wonderful.  I just did some checking and it seems my mail server software is rather old.  I think an upgrade will be in order sometime this year.

Prediction

A while ago, the world was abuzz with the celebrity nudes hack.  I was recently reminded of an update I had seen for Dropbox.  It’s easily understood that anything that can be used by you for good can be used against you for bad by someone else.  This feature is no different.

The specific feature that was added to Dropbox was “Remote Wipe”, which is intended to be used if you lose your phone or other portable device.  By triggering a remote wipe, your data is no longer available to steal.  That is a good thing.  This is presumably done through the Dropbox website.

But what happens if someone gains access to your Dropbox website account?  They can remotely wipe your data.  Instead of your portable device being a backup copy if the service ever became inaccessible, it is now vulnerable whenever the service is accessible.

Naturally, the hacker would either change the password and/or copy off all the files for their own potential ransom request or personal use.  Can you imagine opening up your Dropbox folder one day and have it be empty except for a text file with instructions on submitting a ransom in bitcoin?

I keep saying it one way or another.  The cloud is not to be trusted. 

You need to:

  • Keep your data locally.
  • Have unique usernames at each website – Use a password manager like KeePass
  • Have unique passwords at each website – Use a password manager like KeePass!
  • Keep a PIN on your phone.
  • Keep catastrophic data in an encrypted file – Use TrueCrypt 7.1a

The more of this you do, the more secure you will be, which means the more comfortable you will be. 

It Has Come To Pass

So, something I’ve been expecting has finally happened and now I don’t really know what to do about it.

Back in April of last year, I made the decision to use unique passwords for every web site and at the same time, use a unique email address for every web site.  This wasn’t difficult to do, I just made a catch-all email address on my mail server, then started using unique emails on every website.  For example, amazon.com@mydomain.com would indicate to me that the email was from my amazon account registration.

And yesterday, I get a piece of spam from paypal.com@mydomain.com.  How many people have I shared this email with?  Exactly nine.  I don’t make a bunch of purchases via paypal.  So now, I don’t know what to do.  I don’t know exactly who sold off my email address or if they didn’t even sell my email, but their computer was hacked and their address book stolen.  Maybe they use a 3rd party cloud-based POS system and that was hacked.  The bottom line is, I don’t know. 

I’m going to work on the assumption that they were hacked.  Someone got into their EBay account (like they did for me) and mined their recent customer list.  This makes sense because I can’t imagine any of the people I dealt with having a large enough customer list to monetize it for any decent value.

I would love to email each of them and tell them what’s happened.  Someone out there has compromised my personal information.  They wouldn’t be able to do a whole lot of damage, but they probably have a full profile of me: name, address, phone, email.  That sucks.

So now, I have to set up a blacklist on my server for paypal.com@… and create a new email, like paypal.com2@…  That sucks, too.

Windows 8.1 and IE11

Ok, I ran into my first significant issue with Windows 8.1, specifically IE 11.  On all my machines, I use the MVP HOSTS file, which blocks ads at the system level by redirecting requests for common ad-serving websites to your local machine, which should be “not found” and just continue on.

Well, using IE 11, whenever a page had an element that was blocked by the HOSTS file, the browser would hang for as long as 3 seconds waiting for a reply, interrupting the load of the page.  Even on the Dilbert website, it would sometimes take 10 seconds to load up.

So I had to find out why this was.  I compared my Windows 7 IE to my new Windows 8.1 IE and disabled all the settings that were new.  The one that fixed the problem: Enable Enhanced Protected Mode.  This is found in the Advanced setting of Internet Options.

[image: the Advanced settings of Internet Options]

I did very little research on this after I discovered that it was the fix, but from what I understand, this mode is made to prevent unintended execution of code.  So I guess I can understand that a call from a page from a remote web site, linking to a file on your local computer could be considered suspicious.  But regardless, it is a problem for me.

This is the network trace that I would expect.  These websites are blocked in my HOSTS file, so they return 404 errors because they are not found on my local machine.

[image: network trace with Enhanced Protected Mode off; the blocked requests return 404]

When I have Enhanced Protected mode on, these requests have a status of Aborted, but that’s after seconds of waiting.

[image: network trace with Enhanced Protected Mode on; the blocked requests show a status of Aborted]

So, that solves that mystery.  IE is now just as quick as ever, and I’m pretty sure I’m still going to be safe.
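An added example (not code from this blog or from the MVP Hosts project) showing how the HOSTS-file blocking described in this post and in “My Level Of Security” answers lookups: names listed against a sink address resolve there instead of to the ad server, matching is exact and case-insensitive with no wildcards (so a subdomain that isn’t listed still loads), and the same table can audit which resources of a page would be blocked. The hosts excerpt and the page’s resource list are constructed; 0.0.0.0 is used as the sink, as the MVP file does.

```python
"""Added example, not code from the blog or the MVP Hosts project: how a
blocking HOSTS file answers name lookups, run over a constructed excerpt
written in the MVP file's style (sink address 0.0.0.0, several names per line,
'#' comments)."""
from urllib.parse import urlsplit

SAMPLE_HOSTS = """\
# constructed excerpt, not the real MVP Hosts file
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net banner.example.net
0.0.0.0 cdn.example.org  # assets served by an ad network
"""

SINKS = {"0.0.0.0", "127.0.0.1"}


def parse_hosts(text):
    """Map each hostname to its address. A line is 'address name [name...]';
    anything after '#' is a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def resolve(host, table):
    """Hosts-file semantics: exact, case-insensitive match only. There are no
    wildcards, so sub.ads.example.com is NOT covered by an ads.example.com entry."""
    return table.get(host.lower())


def is_blocked(host, table):
    """Blocked when the name resolves to a sink address (localhost excepted)."""
    addr = resolve(host, table)
    return addr in SINKS and host.lower() != "localhost"


def audit_page(urls, table):
    """Split a page's resource URLs into (loaded, blocked) by hostname."""
    loaded, blocked = [], []
    for url in urls:
        host = urlsplit(url).hostname or ""
        (blocked if is_blocked(host, table) else loaded).append(url)
    return loaded, blocked


# Constructed resource list for one page load
PAGE_URLS = [
    "https://www.example.com/article.html",
    "https://ads.example.com/banner.js",
    "https://sub.ads.example.com/pixel.gif",
    "https://Banner.example.net/300x250.png",
    "https://cdn.example.org/lib.js",
]

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    loaded, blocked = audit_page(PAGE_URLS, table)
    print("loaded :", loaded)
    print("blocked:", blocked)
```

The unlisted `sub.ads.example.com` still loads in the audit, which is the practical limit of hosts-file blocking: every name has to be listed explicitly, and a sinkholed name that also serves a site’s own scripts (the `cdn.example.org` case) takes that functionality down with the ads, which is why the author occasionally has to disable the file.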

Change For The Good, Right Now

In the “these things happen to other people” news, I’ve been a target of a hacker.  As hacks go, it was fairly significant – my EBay account.  The hacker bought a whole bunch of stuff, surprisingly not using my linked PayPal account.  EBay locked my account quickly, notified me, and took care of most all the issues with fees and listings.  Regardless, I felt obligated to apologize to a bunch of people who got caught up in the mess.  One person had actually shipped the product by the time I emailed them.

I’ve been online a long time and my password strength has grown with the ever-increasing threat.  I’ve felt I’ve had a decent password, but I suffer from what a lot of people probably do, and that is password entropy – using the same password on every site.  Well, that’s not entirely true since I do use a variant of my main password for those sites that don’t support the special characters I used.

Now it’s time to get real.  Just before I discovered my eBay account was hacked, I had dealt with some spammer sending me over 7000 emails of random text.  So I was giving consideration to changing my email address, and why not have a different email address for every site?  So my email address for Bank of America would be bankofamerica.com@mydomain.com and for Expedia it would be expedia.com@mydomain.com.  This would be relatively easy to remember and would identify if anyone sold my email address to another company or if my email was stolen or harvested.

But at the time, I felt a bit overwhelmed with the task of changing ALL my emails.  Now, since I have to change ALL my passwords, I might as well go through with it.  In addition, I’ve decided to use a password manager, KeePass.  It seems to be a pretty slick utility and I’m surprised I never gave it a chance before. I think my main reason for avoiding it was that I never wanted to be unable to access a website because I didn’t know my password.

But upon closer inspection of that fear, it is very similar to other fears that keep you from (positive) change.  The fringe cases override everything.  It seems everyone is afraid of the word “can’t,” because it is only interpreted in its absolute and permanent sense.  It’s not “I can’t do this,” it’s “I can’t do this right now.” And the “right now” part is what makes the modern time so awesome, hectic, and dangerous.

So, with KeePass, I can have a password file on my home computer and there’s a version for my phone that I can keep synched.  That should be well enough to let me do what I need when I need to.  And for the other cases, it’s going to have to be the other person disappointed when I say “I can’t” because I’m not going to let it control me.

Welcome To The Jungle

I have recently moved my web hosting and email to a new dedicated server on GoDaddy.  I’m rather pleased by this because it will allow me complete freedom to do whatever I want with the server, set up as many websites as I want, install any software, and resell hosting services.

But with great power comes great amounts of bullshit.  With my old hosting account, I had the benefit of some decent anti-spam measures.  So now that my mail is off that server, I’m now exposed to more spam.  I’m trying to take it with a good attitude, because some of it is clever and some is just downright retarded.

Case in point, the following email received today:

[image: the email, as received]

Edgardo from the USPS is emailing me from his school email account to tell me, in a poorly-constructed sentence, that they couldn’t deliver a package I sent.  He was nice enough to attach a shipment label in a zip file for me to print and collect at their office, wherever that office is.

Example #2:

[image: the fake Facebook notification email]

This one is obvious.  You mouse over any link and the address it directs you to is not facebook.com, but some other address where you will get infected.  The best part of the email is that it is a notification for a facebook message posted on December 6, but the email notification was sent 5 hours early, on December 5.  Now that’s advanced technology, like they have in Nigeria, which happens to be in a time zone +6 hours away.  And we just happen to be on Daylight Savings Time here.  Nah, no coincidence.