Tag Archives: security

Fake TalkTalk Frequently Asked Questions

I use TalkTalk for broadband and landline – though I never signed up with TalkTalk, I signed up with a smaller provider that was taken over – and recently I have been plagued with calls from people claiming to be from TalkTalk, but who in fact have malicious intent. If I am busy I just put the phone down, but sometimes I chat with them for a while, to discover more about what they are trying to do.

Rather than write a long general piece about this problem, I thought the best approach would be a Q&A with answers to the best of my knowledge.

Why so many fake TalkTalk calls?

I have two landline numbers, and until recently only the non-TalkTalk number ever got called by scammers. This makes me think that the flood of TalkTalk calls is related to data stolen from the company, perhaps in October 2015 or perhaps in subsequent attacks. Some victims report that scammers know their name and account number; in my case I have no evidence of that. On a couple of occasions I have asked the caller to state my account number, but they have given me a random number. However, I do think that my telephone number is on a list of valid TalkTalk numbers that is circulating among these criminal companies.

How do I know if it is really TalkTalk?

My advice is to assume that it is not TalkTalk. If you think TalkTalk really wants to get in touch with you, put the phone down and call TalkTalk customer service yourself, using the number from your bill or the company's website, either from another line or after waiting 15 minutes to make sure that the person who called you has really terminated the call (on some landlines the line can stay open for a while after the caller hangs up).

How does the caller know my Computer License ID?

A common part of these scripts is that the caller will show that he knows your "computer license ID" by guiding you to show it on your screen and then reading it to you. They do this by getting you to open a command window and type assoc.


The way this works is simple. The string you see next to .ZFSendToTarget is not a license ID. It begins CLSID, which stands for Class ID: it is a COM class identifier (in this case CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}, the built-in Compressed (zipped) Folder SendTo handler), part of the plumbing of Windows and identical on every Windows PC. The caller is simply reading the value from a script.

What about all the malware errors and warnings on my PC?

This is a core part of the fake TalkTalk (and fake Microsoft) script. Our server has picked up warning messages from your computer, they say, and they show you a list of them.

The way this works is that the scammer guides you to open a Windows utility called Event Viewer, usually via the Run dialog (type eventvwr). Then they get you to select the "Administrative Events" custom view, which filters the logs to show only critical, error and warning events.

Now, you have to agree that the number of errors and warnings Windows manages to generate is remarkable. My PC has over 9,000.


However, these messages are not generated by malware, nor are they broadcast to the world (or to TalkTalk servers). They are simply log entries generated by the operating system. If you have time on your hands, you can look up the reason for each one and even fix many of them; but in most cases they are just noise. Real malware, needless to say, does not make helpful logs of its activity but keeps quiet about it.

What does Fake TalkTalk really want to do?

Once your fake TalkTalk caller has persuaded you that something is wrong with your PC or router or internet connection, the next step is invariably to get remote access to your PC. They do this by guiding you to a website such as Ammyy Admin or LogMeIn Rescue and initiating a support session. These are legitimate services used by support engineers, but unfortunately if you allow someone untrustworthy to log onto your PC bad things will happen. Despite what the caller may tell you, these sessions are not just for messaging: they let the scammer see your computer screen and even take over mouse and keyboard input.

Windows will generally warn you before the remote control software can install or run. You have to pass a User Account Control prompt that says something like "Do you want to allow this app to make changes to your PC?" or similar. This warning is there for a reason! Say No if fake TalkTalk is on the line.

Note though that this remote control software is not in itself malware. Therefore you will see that the software that is trying to run is from a legitimate company. Unfortunately that will not protect you when someone who means you harm is at the other end of the connection.

OK, so Fake TalkTalk has a remote connection. What next?

Despite my interest in the goals of these scammers, I have never gone so far as to allow them to connect. There are ways to do this relatively safely, with an isolated virtual machine, but I have not gone that far. However I have seen reports from victims.

There is no single fake TalkTalk, but many organisations out there who impersonate the company. So the goals of these various organisations (and they are generally organisations rather than individuals) will vary.

A known scam is that the scammer will tell you a refund is due because of your slow internet connection. They show you that the sum has been paid, via a fake site, but oh dear, it is more than is due! For example, you are due £200 but have been paid £1200. Oops. Would you mind repaying the £1000 or I will be fired? So you send off £1000 but it turns out you were not paid any money at all.

Other possibilities are that your PC becomes part of a bot network, to be rented out to criminals for various purposes; or that the “engineer” finds such severe “problems” with your PC that you have to purchase their expensive anti-malware software or service; or your PC may be used to send out spam; or a small piece of software is installed that captures your keystrokes so your passwords will be sent to the scammer; or the scammer will search your documents for information they can use for identity theft.

Many possibilities, so for sure it is better not to let these scammers, or anyone you do not trust, connect to your PC.

Who are the organisations behind Fake TalkTalk?

When I am called by TalkTalk impersonators, I notice several things. One is that the call quality is often poor, thanks to use of a cheap voice over IP connection from a far-off country. Second, I can hear many other calls taking place in the background, showing that these are not just individuals but organisations of some size. In fact, a common pattern is that three people are involved, one who initiates the call, a supervisor who makes the remote connection, and a third “engineer” who takes over once the connection is made.

One thing you can be sure of is that they are not in the UK. In fact, all the calls I have had seem to originate from outside Europe. This means of course that they are outside the scope of our regulators and difficult for police or fraud investigators to track down.

If you ask one of these callers where they are calling from, they often say they are in London. You can have some fun by asking questions like “what is the weather like in London?” or “what is the nearest tube station?”, they probably have no idea.

What is being done about this problem?

Good question. I have reported all my calls to TalkTalk, as well as using the "Report abuse" forms on LogMeIn with the PINs used by the criminals. On one occasion I was given a scammer's Gmail address; there is no way I can find to report this to Google, which perhaps shows the limits of how much the company cares about our security.

I am not optimistic then that much of substance is being done or can be done. Addressing the problem at source means visiting the country where the scam is based and working with local law enforcement; even if that worked, other organisations in other countries soon pop up.

That means, for the moment, that education and warning are essential, imperfect though they are. TalkTalk, it seems to me, could do much better. Has it contacted all its customers with information and warnings? I don't believe so. Perhaps it is more worried about its reputation than about the security of its customers.

DatAshur encrypted drives: protect your data but be sure to back it up too

The iStorage DatAshur USB flash drive is a neat way to encrypt your data. Lost USB storage devices are a common cause of data theft anxiety: in most cases the finder won't care about your data, but you can never be certain.


The DatAshur is simple to operate but highly secure, presuming it meets the advertised specification. All data written to the drive is automatically encrypted with 256-bit AES CBC (Advanced Encryption Standard with Cipher Block Chaining) and meets the US FIPS 140-2 standard. The encryption is transparent to the operating system, since decryption is built into the device and enabled by entering a PIN of 7 to 15 digits.

Note that a snag with this arrangement is that if your PC is compromised a hacker might be able to read the data while the drive is connected. If you are really anxious you could get round this by working offline, or perhaps using Microsoft’s clever Windows to Go (WTG) technology where you boot from a USB device and work in isolation from the host operating system. Unfortunately DatAshur does not support WTG (as far as I know) but there are alternatives which do, or you could boot into WTG and then insert your DatAshur device.

Normally you enter the PIN to unlock the drive before connecting it to a PC or Mac. This does mean that the DatAshur requires a battery, and a rechargeable battery is built in. However if the battery is exhausted you can still get your data back by recharging the device (it charges whenever it is plugged into a USB port).

OK, so what happens if a bad guy gets your device and enters PINs repeatedly until the right one is found? This will not work (unless you chose 1234567 or something like that) since after 10 failed tries the device resets, deleting all your data.

You should avoid, then, the following scenario. You give your DatAshur drive to your friend to show it off. "I've just updated all my expenses on this and there is no way you'll be able to get at the data". Friend fiddles for a bit. "Indeed, and neither can you".

Here then is the security dilemma: the better the security, the more you risk losing access to your own data.

The DatAshur does have an additional feature which mitigates the risk of forgetting the PIN. You can actually set two PINs, a user PIN and an admin PIN. The admin PIN could be retained by a security department at work, or kept in some other safe place. This still will not rescue you though if more than 10 attempts are made.

What this means is that data you cannot afford to lose must be backed up as well as encrypted, with all the complexity that backup involves (must be off-site and secure).

Still, if you understand the implications this is a neat solution, provided you do not need to use those pesky mobile devices that lack USB ports.

The product tested has a capacity from 4GB to 32GB and has a smart, strong metal case. The plastic personal edition runs from 8GB to 32GB and is less robust. An SSD model offers from 30GB to 240GB, and larger desktop units support SSD or hard drive storage from 64GB to 6TB, with USB 3.0 for fast data transfer.

Prices range from around £30 inc VAT for an 8GB Personal USB stick, to £39.50 for the 4GB professional device reviewed here, up to £470 for the monster 6TB drive or £691 for a USB 3.0 external SSD (prices taken from a popular online retailer). The cost strikes me as reasonable for well-made secure storage.

More information on DatAshur is here.

Review: Kingston DataTraveler Locker+G2 secure USB Flash drive

Ever lost a USB Flash drive? Do you even know? There are so many around now that it would be easy to drop one and not to notice.

Most of the time that does not matter; but what if there is confidential data on there? This can be hard to avoid. Perhaps you want the drive for backup of your most important stuff, or to exchange data with a business partner.

The obvious solution is to encrypt the data. There are a variety of approaches, but the advantage of the Kingston DataTraveler Locker+ G2 is that you (or your staff) have no choice: if you do not set a password, you cannot use the drive.


The actual drive is a smart metal affair which is surprisingly weighty for its size. You can attach it to a key ring with a supplied loop. Stick it into a Mac or PC (no Linux support sadly) and two drives are detected, one a tiny 10MB drive and the other apparently empty. In order to setup the drive or access the data, you have to run Kingston’s DTLocker utility.


The password requirements are a minimum of 6 characters drawn from at least three of the four classes: upper case, lower case, numeric and special characters.

While 6 characters seems weak, it is not too bad considering that after 10 wrong attempts the device blocks access and requires a password reset, and a reset automatically reformats the device. In other words, if a bad guy gets your Flash drive, he will be able to reset the password and use the device, but will not see your data. That only holds, of course, if the lockout and the wipe are enforced by the drive's own firmware rather than by the DTLocker utility running on the host; Kingston does not say which.
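As an added example (my own code, not iStorage's or Kingston's), here are the two policies from the DatAshur and DataTraveler reviews as checks you can run, together with the arithmetic behind the 10-attempt wipe: what it leaves a thief who can only guess, and what the same secret would be worth without it. The weak-PIN heuristics and the guesses-per-second figure are assumptions, not vendor data.

```python
"""Added example: PIN/password policy checks for the two drives reviewed on
this page, plus the arithmetic behind their 10-attempt wipe.

This is my own code, not iStorage's or Kingston's. The rules are taken from
the reviews (DatAshur: 7 to 15 digits; DTLocker: at least 6 characters from
at least three of four classes; both reset after 10 failures); the
weak-pattern heuristics and the "guesses per second" figure are assumptions.
"""
from __future__ import annotations

import string

ATTEMPTS_BEFORE_RESET = 10


def is_weak_digit_pin(pin: str) -> bool:
    """Heuristic for PINs a friend could guess in ten tries: one repeated
    digit, a straight ascending or descending run, or a short block
    repeated (e.g. 123123)."""
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps <= {1} or steps <= {-1}:
        return True
    for block in range(1, len(pin) // 2 + 1):
        if len(pin) % block == 0 and pin == pin[:block] * (len(pin) // block):
            return True
    return False


def check_datashur_pin(pin: str) -> list[str]:
    """Return the policy violations for a DatAshur-style PIN (empty = OK)."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must be digits only")
    elif not 7 <= len(pin) <= 15:
        problems.append("PIN must be 7 to 15 digits")
    if pin.isdigit() and is_weak_digit_pin(pin):
        problems.append("PIN is a trivial pattern")
    return problems


def check_dtlocker_password(password: str) -> list[str]:
    """Return the policy violations for a DTLocker-style password."""
    problems = []
    if len(password) < 6:
        problems.append("password must be at least 6 characters")
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("password must use at least three of the four character classes")
    return problems


def guess_probability(keyspace: int, attempts: int = ATTEMPTS_BEFORE_RESET) -> float:
    """Chance that an attacker with no knowledge of the secret hits it in
    `attempts` random guesses before the device wipes itself."""
    return min(1.0, attempts / keyspace)


def hours_without_lockout(keyspace: int, guesses_per_second: float) -> float:
    """Expected time to brute-force the same secret if there were no
    lockout: half the keyspace at the assumed guess rate."""
    return keyspace / 2 / guesses_per_second / 3600


if __name__ == "__main__":
    pin_space = 10 ** 7      # shortest allowed DatAshur PIN
    pw_space = 94 ** 6       # shortest DTLocker password over printable ASCII
    print("7-digit PIN, 10 tries:", guess_probability(pin_space))
    print("same PIN, no lockout at 10 guesses/s:", hours_without_lockout(pin_space, 10), "hours")
    print("6-char password, 10 tries:", guess_probability(pw_space))
    print(check_datashur_pin("1234567"), check_dtlocker_password("abc123"))
```

The point the numbers make is that neither secret is strong on its own: a 7-digit PIN falls in a matter of hours to an unthrottled guesser, and the lockout is the real protection. That is also why the "friend fiddles for a bit" scenario is the one to worry about, and why the trivial-pattern check matters: ten guesses are plenty for 1234567.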

If a good guy finds your device, he can read your contact details and get in touch to return it to you.


The general approach seems reasonable, and is a great improvement over sticking confidential data on a Flash drive and hoping for the best. However, I did encounter an issue where the utility refused to run. Another drive which also appears as two drives was already connected, and somehow this tripped up the DTLocker utility. When I disconnected the other drive, all was well. It seems to be something to do with drive letter allocation, even though I still had plenty free.

Once set up, the DTLocker stays resident and offers a context menu in the Windows notification area.


The device formats as FAT32 but I successfully reformatted it as NTFS, just to see if it would work. It did. I also had success using the DataTraveler on a Mac.

With a five-year warranty and an inexpensive price, the DataTraveler Locker+ is easy to recommend. There are a couple of caveats. Kingston's firmware could do with a bit of work to overcome occasional drive letter problems. Second, I would like to see more information about the type of drive encryption used. What if a determined data thief stripped down the drive and read the flash chips directly? The absence of more information suggests that Kingston is aiming this at those who want casual data protection, not the highest level of security. In normal circumstances, though, it is more than enough.

Want a free Data Traveler Locker? Look out for our competition coming soon.


Document security and Apple iCloud

I have just set up iCloud on three Apple devices: a Mac, an iPad 2, and an iPhone 4.


On the iOS devices I was asked if I wanted to use iCloud, and when I agreed, watched as all my documents were transferred from the device to iCloud.com.

I then went to the iCloud website, signed in with my Apple ID – username and password – and saw that all my documents were there ready for download.

I also tried editing a document on the iPhone. In moments, the edited document was also updated on the iPad.

All very convenient; but I realised that I’d just sent up to the cloud a couple of documents that include information I do not want to share. How safe is it on iCloud? Does Apple encrypt the documents?

I looked at Apple’s iCloud information and on the support site and found nothing about security on a quick look, other than that traffic is SSL encrypted, so here are my own observations.

First, access to iCloud.com is protected only by the username and password which form your Apple ID. Sony recently reported a breach of 93,000 accounts on the PlayStation network, apparently based on a list of username/password combinations that a hacker found elsewhere. In other words, some other popular site(s) suffered a security breach, and the hacker automated an attack on the PlayStation Network on the assumption that the same credentials might be used there. The majority failed, but 93,000 succeeded, demonstrating that this is not a small risk.

Second, I wondered if I could mitigate the risk by encrypting my iCloud documents. I cannot find a way to set a password on a Pages document in iOS, but I can do so on the Mac. I password-protected a document, and then uploaded it to iCloud. Next, I opened this on the iPad. I was prompted for the password – good. However, I then modified the document in Pages on the iPad. This automatically updated the document on iCloud, but it was no longer password protected. I do not recall seeing a warning about the password protection being removed. It looks as if password protection does not iWork if you use iOS.

Third, I found this statement in Apple's terms of service for iWork.com. It is repeated in the terms for MobileMe, and while I cannot yet find terms for iCloud.com, it may well be the same there too:

Access to Your Account and Content

You acknowledge and agree that Apple may access, use, preserve and/or disclose your account information and Content if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce these TOS, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users or the public as required or permitted by law.

I guess what this means is that if you have confidential documents, iCloud.com is not a sensible place to keep them.

I would like to see some way of disabling cloud sync for specified documents, but as far as I can tell there is no such feature yet.

Further, if your Apple ID uses the same username and password as dozens of other sites on which you have been required to register, it would be worth changing it to something long and unique. I would also suggest reviewing the security questions, which are not there for your protection but to reduce the number of password reset requests that support has to deal with. The best answers are not true ones, which are potentially discoverable, but made-up ones, since these are essentially secondary passwords; record them somewhere safe, such as a password manager.

New Sony PlayStation Network hack: not as bad as you may have heard

Sony’s Chief Security Officer Philip Reitinger has reported a new attack on the PlayStation network leading to headlines stating Sony hacked again. Has the company not learned from the incidents earlier this year?

Actually, it probably has; the new hacking attempt does not exploit any weakness in Sony’s network unless you consider any system reliant on username/password to be weak – not an unreasonable opinion, but given that the likes of Apple and Amazon and PayPal still use it, hardly fair to single out Sony.

If you read the statement carefully, it says that somebody obtained a large list of username/password pairs and ran them against Sony’s network. Further:

given that … the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks

Because of the large number of PlayStation users, there were still 93,000 successful matches, which to its credit Sony says it detected; presumably there was a pattern to the attack, such as a limited range of source IP addresses, or other evidence of automated log-in attempts.

If Sony is right, and the list of passwords came from another source, there is no reason why the hacker might not try the same list against other targets and this is not evidence of a weakness in the PlayStation network itself.
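As an added illustration (my own code, not anything Sony has published), here is the kind of pattern a defender can look for: a credential-stuffing run, unlike a brute-force attack on one account or a forgetful user, tries each username only once or twice, fails almost every time, and arrives at machine speed from a small set of addresses. The log format, field names, thresholds and sample records are all my assumptions; the sample uses documentation-range IP addresses.

```python
"""Added example, not part of Sony's statement or this post: a detector for
the pattern Sony presumably spotted, run over constructed login records.

A credential-stuffing run looks different from an ordinary brute-force attack
and from a forgetful user: each username is tried once or twice, almost all
attempts fail, and they arrive at machine speed from a small set of source
addresses. Log format, field names and thresholds are all my assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    source_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Constructed line format: '<ISO timestamp> <source ip> <username> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK")


def find_stuffing_sources(events, window=timedelta(minutes=10), min_attempts=20,
                          min_distinct_users=15, max_attempts_per_user=2,
                          max_success_rate=0.1) -> dict[str, dict]:
    """Map each source address matching the stuffing signature inside any
    sliding `window` to a summary of its largest matching burst."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.source_ip].append(e)

    flagged: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < min_attempts:
                continue
            per_user: dict[str, int] = defaultdict(int)
            for e in burst:
                per_user[e.username] += 1
            successes = sum(e.success for e in burst)
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user
                    and successes / len(burst) <= max_success_rate
                    and len(burst) > flagged.get(ip, {"attempts": 0})["attempts"]):
                flagged[ip] = {
                    "attempts": len(burst),
                    "distinct_users": len(per_user),
                    "successes": successes,
                    # the accounts that need a forced password reset
                    "compromised": sorted(e.username for e in burst if e.success),
                }
    return flagged


def sample_log() -> list[str]:
    """Constructed sample data (documentation-range IPs), not a real log."""
    base = datetime(2011, 10, 11, 3, 0, 0)
    lines = []
    # One address tries 30 different usernames a second apart; two passwords were reused.
    for i in range(30):
        result = "OK" if i in (7, 22) else "FAIL"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.5 user{i:03d} {result}")
    # A forgetful legitimate user: three failures, then success, over a few minutes.
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 198.51.100.9 alice {result}")
    # Single-account brute force: same name 25 times; not stuffing, needs a different rule.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 192.0.2.77 bob FAIL")
    return lines


def detect(lines) -> dict[str, dict]:
    return find_stuffing_sources(parse_line(line) for line in lines)


if __name__ == "__main__":
    for ip, summary in detect(sample_log()).items():
        print(ip, summary)
```

Run against the sample, only 203.0.113.5 is flagged, with user007 and user022 listed as the accounts that matched; the single-account hammering from 192.0.2.77 is a different attack and deliberately not caught by this rule. The thresholds are starting points to tune against real traffic, and the "compromised" list is the output that matters operationally: those are the accounts to lock and reset, which is what Sony said it did.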

As Reitinger notes:

We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

It is good advice, though it can be impractical if you have a very large number of online accounts. Something like PasswordSafe or KeePass is near-essential for managing them, if you are serious about maintaining numerous different combinations.

From what we know so far though, this is not evidence of continued weakness in the PlayStation network; rather, it is evidence of the continued prevalence of hacking attempts. Kudos to Sony for its open reporting.

An iOS security tip: tap and hold links in emails to preview links

Today I was using an iPad and received a fake email designed to look as if it were from Facebook. It was a good imitation of the Facebook style.


In particular, the links for sign in look OK.

Outlook on Windows displays the actual link when you hover the mouse pointer over the link. As you can see, in this case it is nothing to do with Facebook:


How do you do this on iOS? There is no mouse hover (though it could be done with a proximity sensor), but if you tap and hold on the link, iOS pops up a dialog showing the real destination, revealing the scam:


Worth mentioning as tapping and holding a link to inspect it is not obvious and some users may not be aware of this feature.

The iPad is still worse than Outlook for email security. Outlook does not download remote images by default, and with good reason: fetching an image from the sender's server tells the spammer that you have opened the message and that your address is live.


The iPad mail client downloads all images by default (the Load Remote Images switch in the Mail settings can turn this off).


In mitigation, most malware on web sites will not run on iOS. However you could still give away your password or other information if you are tricked by a deceptive web page or fake login.

Hiding links is a feature built into HTML. The designers of HTML figured out that we would rather see a friendly plain English link than a long URL. Unfortunately this feature, and related ones like the ability to make an image a link, play into the hands of the scammers and it is necessary to look at the real link before you follow it.
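The tap-and-hold check can be automated. As an added example (my own code, not anything from this post or from Apple or Microsoft), the script below pulls every link out of an HTML message and flags the ones whose visible text or image promises one site while the href goes elsewhere. It goes a little beyond the post: besides brand names in link text, it catches link text that is itself a URL for a different host, and image links with no text to judge at all. The sample message is constructed and uses reserved example hostnames and a documentation-range IP address, not a real phishing kit.

```python
"""Added example, my code rather than anything from the post: extract every
link from an HTML email and flag the ones whose visible text or image
promises one site while the href goes somewhere else. It goes a little
beyond the post: as well as brand-name text it catches link text that is
itself a URL for a different host, and image links with no text to judge.

The sample message is constructed and uses reserved example hosts and a
documentation-range IP, not a real phishing kit.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect href, visible text and whether an <img> sat inside each <a>."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[dict] = []
        self._current: dict | None = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._current = {"href": a["href"], "text": "", "image": False}
        elif tag == "img" and self._current is not None:
            self._current["image"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Crude (assumes no multi-part public
    suffix such as co.uk) but enough to separate facebook.com from
    facebook.com.example.net."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(html: str, claimed_domains) -> list[tuple[str, str, str]]:
    """Return (href, visible text, reason) for links that do not go to a
    claimed domain yet look as if they should."""
    collector = LinkCollector()
    collector.feed(html)
    claimed = {registrable(d) for d in claimed_domains}
    brands = {d.split(".")[0] for d in claimed}      # "facebook.com" -> "facebook"
    findings = []
    for link in collector.links:
        dest = urlparse(link["href"])
        dest_host = (dest.hostname or "").lower()
        if registrable(dest_host) in claimed:
            continue                                   # genuinely on the brand's site
        text = link["text"].lower()
        reason = None
        if text.startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(dest_host):
                reason = f"text shows {shown}, href goes to {dest_host}"
        elif any(brand in text for brand in brands):
            reason = "text names a claimed brand"
        elif link["image"]:
            reason = "image link with no visible text"
        if reason:
            findings.append((link["href"], link["text"], reason))
    return findings


SAMPLE_EMAIL = """
<p>Hi, you have 1 new notification.</p>
<p><a href="http://facebook.com.example.net/login">Sign in to Facebook</a></p>
<p><a href="https://www.facebook.com/help">Help Centre</a></p>
<p><a href="http://203.0.113.10/f/"><img src="http://203.0.113.10/logo.png"></a></p>
<p><a href="http://example.org/x">https://www.facebook.com/settings</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, ["facebook.com"]):
        print(f"{reason}: '{text}' -> {href}")
```

Against the sample, the genuine Help Centre link passes and the other three are reported. The registrable-domain comparison is deliberately simple; a real mail filter would use a public suffix list, and this does nothing about a lookalike domain that never mentions the brand at all, which is why the human check on the destination still matters.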

A better solution would be authenticated email, so that fake Facebook emails would be detected before they are displayed. Unfortunately we are still a long way from using authenticated emails as the norm.

Monitor your home when away: Jabbakam IP camera service reviewed

About to head off for your summer break? What may happen back home is always a concern; but if you want a bit more peace of mind, how about a live webcam view of what is going on in places you care about?

Of course you can easily purchase a security camera kit from your favourite electronic hobbyist store, but it is not a complete solution. Recording video to a hard drive is all very well, but what if the thief takes a hammer to it or even nabs it? Further, returning home to find two-week old footage of a break-in is of limited use compared to a live alert.

In other words, you need not only a camera but also a service. This used to be expensive, but does not need to be in the internet era. What about a cheap camera that sends images to a web site, enabling you to log in from anywhere and check what is going on? And how about an email or SMS alert triggered by motion detection?

This is exactly what Jabbakam does. The basic kit costs £59.95 and £5.95 per month, for which you get an IP camera and 14 days of video footage stored online. You can also use your own camera if you have a suitable one; the main requirement is that it supports motion detection, enabling the alerting feature, and reducing the number of images that need to be sent to the web service. More expensive subscriptions store video for longer; £13.95 per month gets you 90 days. SMS alerts cost extra.

Developed by a company based in Guernsey, the product is not so much the camera, but rather the web application and service. The camera itself is a simple but well-made affair, with a wall-mountable bracket and a swivel joint that lets you angle it. You can also adjust focus by twisting the lens.


Under the webcam are ports for wired Ethernet and power.


Given that the serial number starts YCAM I have a hunch it may be made for Jabbakam by Y-cam.

The camera must be wired to your broadband router. If you are on a business network you may have firewall issues; I tried on my own network and found it did not work behind the firewall, but have not investigated in detail.

So how about the service? I signed into Jabbakam and found that set-up was pretty much IJW (It Just Works). The camera was detected and I could view live images. Video is a slightly generous term, since each image is one second apart, and the quality is not fantastic, but gives you a good idea of what is happening. You can add additional cameras if you want fuller coverage of your home or workplace.

I also set up email alerting. This seems to work well. When the camera detects movement you get an email with a still image attached. Click the link in the email, and you can view the video. There is also an iPhone app that shows recent images. Advanced settings let you schedule alerts, for example to avoid having them active when you yourself are moving around.


Jabbakam is not just intended for security. The web service also has the concept of networks, which enable you to share your camera with others. The number is small at the moment, but I did see one called Birdboxes of Jabbakam which I guess is for ornithology enthusiasts.

There was one aspect of Jabbakam that I found troubling. A mash-up with Google Maps lets you see where cameras of other users are installed, and clicking on a camera gives you the name and address of the user and a link to send a private message:


I discovered that this information sharing is on by default:


This surprised me, as I would have thought that a typical Jabbakam user would be sensitive about sharing these details.

Finally, I should mention that Jabbakam has a RESTful API for developers, though the documentation is incomplete at the moment and the application showcase is empty. Apparently this is being worked on, so watch this space if you are interested.

A good buy? On the plus side, Jabbakam seems to me nicely done, easy to set up, and delivers what is claimed: remote video monitoring of any indoor location. The alert service is particularly useful, though this only works if the camera is pointing somewhere that should normally be motion-free. For example, pointing the camera at a car parked on the street outside your home might seem a good idea, except that the alert would go off every time someone walked by. I should also observe that the supplied camera only works indoors, so it would need to be at a window.

There are questions of course about the effectiveness of CCTV security. Blurry pictures of hooded figures may not do you much good in terms of identifying the villains, though the alert service could be an advantage.

What are the social implications if large numbers of people choose to stick surveillance cameras all over their homes? I am not sure, but it is a question worth reflecting on.

That said, for someone on holiday who would like the ability to check that everything is in order at home, this seems to me a neat and smart solution.