Reporting Cybercrime

This week I received the nastiest email I have ever personally received. For the sake of brevity, I will assume the spammer was male, although there was nothing in the spam that indicated the gender. He claimed to have infected my computer with malware and to have used my computer’s camera to record a compromising video of me. He threatened to send the video to my family and friends if I did not post him two thousand dollars in Bitcoin.

This was not mere spam (unsolicited commercial email). It was extortion, a felony in every state in the US. Spam is one thing; this is another.

To begin with, I knew that the video as described was impossible, the malware was unlikely, and a number of statements in the email were wrong.

First Response

My first reaction was to scan my computers for malware, just in case. I doubted that malware had been installed, but I am set up to run malware scans easily, so I did. I ran both Windows Defender and MalwareBytes scans on my two Surface tablets. Why I chose MalwareBytes and Windows Defender is a subject for another blog. I did not bother to run scans on my desktop and Linux machines—they have no video recording facilities. I let scheduled daily scans take care of them. My Android phone was not likely to have been involved in the threat, so I skipped scanning it, although I would have scanned it if I had the slightest suspicion that it might be infected.

Basic computer hygiene

The scans, as I expected, came up clean. If malware had been detected, the urgency of the situation would have increased. Why was I so sure my machines were not infected? Because I follow basic computer hygiene rules:

  • I don’t open questionable network links in emails.
  • I don’t open email attachments unless I am certain of their origin.
  • I don’t visit dodgy click bait sites.
  • I don’t download anything until I am sure the source is legit.
  • My passwords are strong and not duplicated.

Follow those rules and you are unlikely to get malware. Scan regularly and you are even safer.

I did not feel threatened, but I was annoyed. I like technology and computer networks, and I do everything I can to see that criminals who abuse computers are stopped.

Local law enforcement

Although I felt safe, I was not done. My next step was to call the local police. I knew calling was unlikely to get results because few local law enforcement agencies have staff trained for dealing with cybercrime. However, I have great respect for local law enforcement, in this case, the Ferndale Police Department. I checked the Police Department website for advice. They suggest calling 911 for any reason to speak with an officer. That’s not good advice everywhere. Some 911 dispatch units want only emergencies. But I called 911, saying upfront that it was not an emergency and explained what had happened. 911 was glad to take my call. We live in a nice place. A Ferndale police officer called me a short time later. He explained, as I expected, that there was little Ferndale or Whatcom County could do, but he mentioned the FBI. That was what I expected.

The FBI

I am familiar with the FBI IC3 site. The name stands for Internet Crime Complaint Center. It is a central clearing house for cybercrime reports. Most cybercrime crosses state and national boundaries. This is one reason state and local law enforcement are ineffectual against cybercrime. In my case, I had done some research and found clues pointing to Thailand as the origin for the email, although I am far from certain. Successfully detecting and prosecuting a foreign extortionist from a single email is unlikely, but these guys never make only one threat. I could tell from the email that it was a template that was sent to many potential victims. They do it over and over again, and each threat is a data point that the feds can use to triangulate on the criminal and eventually catch him and his gang.

Filling out the IC3 report took less than ten minutes.

When reporting email crime, the most important evidence is the email header. Users don’t ordinarily see full headers. Email is a “store and forward” relay system: the message you send does not jump straight from your computer to the recipient’s computer. It usually passes through several computers (servers), each forwarding it to the next until it reaches a server that you connect to. Each of these hops is recorded in the email header. You can get to it from your email client, such as Outlook or Gmail. The exact method depends on the client, but look for something that says “Show Detail,” “Full Header,” or “Show original.” Click there and you will get something that looks like this:

Delivered-To: xxxxx@gmail.com
Received: by 2002:a67:30c2:0:0:0:0:0 with SMTP id w185csp3264948vsw; Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzG1OlfaefurTjEEX80PMgA3k53DcELE8674Psd+hb9+Rb3Y1QsBpv2ljrzP3M5Xwk=
X-Received: by 2002:ab0:1d82:: with SMTP id l2mr15233348uak.120.1554710142365; Mon, 08 Apr 2019 00:55:42 (PDT)
Authentication-Results: mx.google.com;

And a lot of other similar stuff. I copied and pasted the full header and email into the IC3 form.

The FBI investigators can use the header information to identify the origin of the email, even though the criminal usually tries to hide it. Also make sure the body of the email is included. In my case, the criminal included a Bitcoin address. Although Bitcoin transfers are vaunted to be anonymous, some arrests are made based on Bitcoin information. Flaws in software implementations don’t always favor the crooks.
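Reading a Received: chain by hand gets tedious, so here is an added example (not code from the original post) that walks the headers the way an investigator would: bottom hop first, timestamps normalised across time zones, and the SPF verdict your own provider stamped on the message pulled out. The message and every host, address and ID in it are constructed.

```python
"""Reconstruct an email's delivery path from its Received: headers.

Added example, not code from the original post.  The message below is
constructed: hosts, addresses, IDs and IP addresses are invented placeholders.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample.  Each relay prepends its own Received: line, so the top
# header is the last hop (nearest you) and the bottom one is nearest the sender.
RAW_MESSAGE = """\
Delivered-To: victim@example.com
Received: by 2002:a67:30c2:0:0:0:0:0 with SMTP id w185csp3264948vsw;
        Mon, 8 Apr 2019 00:55:42 -0700 (PDT)
Received: from mx-relay.example.net (mx-relay.example.net [203.0.113.25])
        by mx.example.com with ESMTPS id abc123
        for <victim@example.com>; Mon, 8 Apr 2019 00:55:41 -0700 (PDT)
Received: from [192.0.2.77] (unknown [198.51.100.9])
        by mx-relay.example.net with ESMTP id xyz789;
        Mon, 8 Apr 2019 14:55:38 +0700 (ICT)
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.org
From: "Your Friend" <victim@example.com>
To: victim@example.com
Subject: constructed sample

Body text.
"""


def parse_received(value):
    """Split one Received: header into who handed off, who accepted, and when."""
    value = " ".join(value.split())              # unfold continuation lines
    if ";" in value:
        clause, _, date_str = value.rpartition(";")
    else:
        clause, date_str = value, ""
    from_m = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", clause)
    by_m = re.search(r"\bby\s+(\S+)", clause)
    date_str = re.sub(r"\s*\([^)]*\)\s*$", "", date_str.strip())   # drop "(PDT)"
    return {
        "from": from_m.group(1) if from_m else None,         # what the sender claimed
        "from_detail": from_m.group(2) if from_m else None,  # what the relay actually saw
        "by": by_m.group(1) if by_m else None,
        "time": parsedate_to_datetime(date_str) if date_str else None,
    }


def delivery_path(raw):
    """Hops in transmission order: index 0 is the hop closest to the sender."""
    hops = [parse_received(v) for v in email.message_from_string(raw).get_all("Received", [])]
    hops.reverse()
    return hops


def transit_seconds(raw):
    """Seconds from first to last hop, with timezone offsets normalised."""
    times = [h["time"] for h in delivery_path(raw) if h["time"]]
    return int((times[-1] - times[0]).total_seconds())


def auth_results(raw):
    """SPF/DKIM/DMARC verdicts that your own provider stamped on arrival."""
    found = {}
    for value in email.message_from_string(raw).get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            found.setdefault(mech, verdict)
    return found
```

Only the hops added by servers you trust (your own provider's) are reliable; the bottom-most "from" is whatever the sending machine claimed, while the bracketed detail beside it is what the relay actually observed.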

What happens next?

What is likely to happen to my complaint? If mine is the only complaint against this guy, probably nothing. But if enough complaints come in, each complaint builds the profile of the criminal and eventually the pieces may fall into place and they will nab him. The US has an extradition treaty with Thailand, so the crook is not safe there.

A citizen’s duty

Most important, resources will never be allocated to crack down on cyber crime if citizens remain silent when crime occurs. That applies on every level. I wanted it on record with the Ferndale Police that it had occurred in Ferndale just as much as I wanted it on record with the FBI. Ferndale is a wonderful place with friendly people everywhere, but we are still vulnerable to these sleazoids and I want the FPD to know.

As citizens, we have a duty to our community to report crime when it occurs. Law enforcement can do nothing to prevent unreported crime.

If you have more questions about cybercrime, visit “Computers & Troubles” at the Ferndale Public Library from 3pm to 4pm the first and third Wednesday of every month and talk to me about it. I’m there to help you with all your computer problems. My grandson Chris usually is there to help. (We plan to take June, July, and August off. I hope the problems do also.)

My Blood Ran Cold This Morning

I live 4 miles from one oil refinery and 6 miles from another. I don’t think about it much. But I did this morning when I read an article in the MIT Technology Review on the Triton malware.

I don’t know much about the two refineries. Forty years ago, when I was a carpenter I worked for a few months on a construction project inside one of them. That was probably the safest construction site I ever worked on. There, we followed safety rules unheard of on other sites. Forget to snap on your safety rope doing high work and somebody would yell at you before you got your hammer out of your belt.

And the rules had teeth. As I remember, intentionally break a safety rule and you were outside the gate, which was not trivial. Industrial carpenter work paid way more than residential or commercial work and double-time overtime was regular. I think I got triple-time for working overtime on a Fourth of July.

That was in the early 80s when OSHA work rules were a cat and mouse game construction workers played for fun. If I had followed OSHA rules regularly then, instead of trying to avoid them, or landed more refinery jobs where they were serious about the rules, I probably wouldn’t wear a hearing device today and fewer of my brother carpenters would be missing body parts or have died from asbestos cancer.

So. I have not thought much about safety in the refineries. I’ve seen my share of sloppy computer security in industrial plants in past years: default passwords, work stations left unlocked without attendants, and unpatched or outdated software were all common in plants where products I worked on were installed, but I never connected the dots to the refineries next door, which I thought of as paragons of safety.

I did this morning.

Triton is malware that was discovered in a refinery in Saudi Arabia. Hackers breached plant computer security in 2014 and began to infiltrate the system with the Triton malware. They caused a plant shutdown in June 2017, which raised suspicions but did not lead to detection. A second shutdown in August 2017 revealed the Triton attack. Neither of the shutdowns caused more than inconvenience, but the subsequent investigation revealed that the hackers were prepared to wreak massive damages and deaths.

To explain how Triton works, I have to explain how modern industrial control works. In some ways, industrial plants are much safer than they were when I was a carpenter. Something called SCADA (Supervisory Control And Data Acquisition) controls many industrial processes today.

One summer during college, I was SCADA in a pea freezing plant. They called me a “tunnel man.” My job was to walk a circuit in a refrigerated freezing belt tunnel, checking temperatures, salinity levels, and progress over the belts. I reported to the refrigeration engineers several times an hour with the measurements. If something jammed the belt, I had to sound the alarm so that the engineers could turn down the refrigeration units so the belt would not freeze up solid.

In those days, I was fairly responsible, and I took my job seriously. I realized that if I messed up, the damage could be great. However, the truth was that the job was totally mindless and boring after the first week. A trained pigeon could have done the job at least as well as I did.

The old pea freezing plant closed decades ago, but today the tunnel man would be replaced by SCADA. Sensors would relay temperatures and salinity to a control dashboard, other devices would detect issues on the belt, and most of the control would be automated. A SCADA system monitors continuously instead of my periodic inspections and reacts quicker and more precisely than the engineers listening to some kid inaccurately describe ice buildup on the Kelly belt. Freezing plants may still have tunnel men as backups, although with labor costs today, I doubt it.

SCADA systems are not perfect, but they are much better than humans or trained pigeons for mindless relay of information and rote response. Each year SCADA, with the help of advancing sensing and control algorithms, gets better. But suppose someone tampers with the sensors? Or the control rules? Even in an innocuous vegetable freezing plant, an exploding ammonia tank could be quite dangerous.

Hence the need for security. Current industrial computer security is built in layers. A plant computer system is almost certainly connected to the internet, but good security practice is to divide a plant network into several layers and segments. One layer is connected to the internet behind a firewall, like any good business security setup. Inside that perimeter, the SCADA system is subject to further security controls and is less accessible. Within SCADA, there are often other segments that are further isolated, usually to the point of “air-gapping,” complete physical separation from other computing equipment. This level of security is usually reserved for critical emergency controls that keep the most dangerous processes within safe limits. In theory, these systems are untouchable.

Now the part that made my blood run cold: Triton delivered control of air-gapped critical safety controls to outside hackers.

One of the truths of modern computing is that air-gapped systems can be penetrated. Essentially, the attacker infects the surrounding systems with software that lies in wait, looking for connections to critical hardware controllers, and pounces when it detects a connection. Without the most stringently enforced human security, eventually some hapless technician connects an infected laptop or similar device to the air-gapped system “just for a minute” and the critical system is compromised. Using this technique, the US and Israel compromised and brought down Iranian uranium centrifuges in 2010. Russians brought down Ukrainian power-plants in 2015.

There is always some uncertainty in tracing this kind of hack, but best current opinion is that control of the Saudi refinery was in the hands of a government industrial institute in Moscow for a period in 2017.

Triton appears to have been neutralized. The controller that Triton targeted has been patched. Security practices at the Saudi plant have been revamped. If you are curious, you can read about many of the details, even Python code for detecting Triton here.

I am not likely to purchase industrial gas masks soon. Homeland Security has been helping critical industries to harden their processes (check it out here) and the US still attracts the best computer engineers from everywhere on the planet.

But this is no time to be complacent. Frankly, I have not been impressed with the sophistication of our government in cybersecurity, but I do everything I can to encourage them to do more. The Russians, Chinese, and North Koreans have invested heavily in cyber-warfare. I’ve sent letters to my congressional delegation urging them to fund support for cybersecurity in general and industrial cybersecurity in particular. I urge you to do so also.

Anti-Malware for Apple and Windows

Most Windows users know that anti-malware is necessary, but Apple support implies you don’t need anti-virus or anti-malware installed on your Apple. Well. Mac users do have fewer problems with malware.

A typical Mac user may go for years without a problem, but that doesn’t mean that Macs are never troubled with malware. From January 1 to January 18, 2019, less than 3 weeks, the Homeland Security central computer vulnerability database recorded 27 new Apple vulnerabilities discovered by security researchers. Seven of these were scored Critical. These are flaws that could be easily exploited to cause serious damage. Macs are not inherently safe.

Macs are less vulnerable

Macs are less vulnerable than Windows for several reasons. First, there are far fewer Apple computers in use than Windows. Hackers follow the money and the money is in hacking Windows. But this is changing. Apple has become more popular, especially among more affluent users, and hackers have noticed.

Second, Apple users tend to stick with installing software from the Apple Store, which Apple polices carefully for security issues. This is safer than the common Windows user practice of downloading software directly from vendors or other web sites.

Finally, Mac OS X, the latest Mac operating system, is based on Unix. Unix (and its most common incarnation, Linux) was designed from the beginning for a multi-user, networked environment where security has always been critical. Windows was originally designed for single user personal computers without network connections. For those early computers, security meant a lock on the front door. Folks worried that a thief would carry off a memory card or the entire machine. Remotely hacking the system was not a thing. That changed when everyone connected to the internet.

Microsoft began to design for security from the ground up about a decade ago. Since then, Microsoft security has made great strides. Windows 10 is much more secure than XP or Vista. Nevertheless, Microsoft is still overcoming years of placing ease of use and rich functionality ahead of security.

The gap is closing

Are Macs still more secure than Windows? I prefer to say that the gap is closing. Also, Mac users may unwittingly transmit email and files that contain Windows malware to Windows computers. Your Mac may be safe, but you could damage your Windows friends. And Windows can transmit Mac malware to Macs. Although Windows and Mac anti-malware products are not interchangeable, most scan for both Windows and Mac issues.

Should Mac users get anti-malware software? If you are a cautious “belt and suspenders” type, you should. If you are a happy-go-lucky risk taker, maybe you can go without and never have a problem, but make no mistake, the risk is there.

Which anti-malware to choose?

For Windows, the simplest and quite adequate solution is to use Windows Defender, which comes installed and activated with Windows 10. Some people prefer third-party anti-malware. There are some excellent products. New vulnerabilities appear daily. All the anti-malware developers, including Microsoft, compete vigorously in swatting down the latest malware. It’s a horse race in which the winner changes daily.

Some products to consider for Macs: AVG, Avast, BitDefender, Sophos, MalwareBytes. Other products are good, no products are perfect, but I know and like these. They all have both Mac and Windows versions.

Automatic updates

Be sure to enable automatic updates so your anti-malware is always prepared to thwart the latest attacks. Hacking is an evolving contest with the good guys. You have to keep up. The same applies to operating systems like Windows and Mac OS X and other applications. If you want to be safe, keep them updated.

Most anti-malware products have a free version. In most cases, the free version is as effective as the premium version you pay for, but less convenient. With the free versions, you usually have to start scans yourself instead of letting the system schedule scans for you. The most convenient anti-malware is always on and checking. You won’t even know the best of the products are there, but you pay for the convenience. If you know how, you can write a DIY script yourself to run a free version automatically.

Final caution

Don’t install two anti-malware products at the same time. They can clash and cause trouble. One exception: MalwareBytes is engineered to be compatible with other products. MalwareBytes has an exceptional reputation for cleaning up infected computers after a hack. I’ve heard that techs at Apple Stores use MalwareBytes to clean infected machines.

I run both MalwareBytes and Windows Defender, wear both a belt and suspenders, and always set my emergency brake when I park.

HTTP v. HTTPS

In 2018, you should always use HTTPS (Hypertext Transfer Protocol Secure), right? Well how come Marv Waschke on his sites allows connections using either HTTP or HTTPS? He’s the big advocate for caution on computer networks, isn’t he? So why doesn’t he do what he advocates?

First, allow me to explain what HTTP is and the difference between HTTP and HTTPS. HTTP is a set of rules for exchanging information between a client and a server. It is the basis for most communication on the World Wide Web, which is what you see when you bring up a web browser like Chrome or Firefox.

There are many other protocols that are used on computer networks. HTTP is a very general protocol that can handle many different types of information, from straight text to more complex data like sound, photographs, and video. It supports many different kinds of interactions, like business transactions on Amazon or live chat. However, a simpler and less flexible protocol will often be faster and more efficient. For example, old-fashioned FTP (File Transfer Protocol) will move files from one computer to another with less overhead than HTTP.

In the early and mid-nineties when HTTP was created, the designers quickly recognized that HTTP had significant security flaws. Data is exchanged in clear, unencrypted text. Anyone with access to the network packet stream can use a packet sniffer like Wireshark to intercept an HTTP data transmission and read it. In the simplest form of HTTP, even passwords are sent in the clear.

Secondly, HTTP offers no guarantee that the sender or receiver is who they say they are. Using HTTP, you may think you are depositing funds into your bank account, but you could just as likely be sending your money to a crook on the other side of the world.

HTTPS was created to close those two gaps. I won’t go into how HTTPS works, but it encrypts data sent over the network and it uses a system of certificates to make it difficult to impersonate web sites. HTTPS is not perfect. The encryption methods used in early versions of the HTTPS standard have been broken, but they are still occasionally used by sites that haven’t kept up with the times. Not long ago, a flaw was found in software used to implement HTTPS (the Heartbleed issue). That flaw has been patched, but you never know when new flaws will be found.

In addition, the certification system is not perfect. Criminals can and do sometimes get certificates. And certificates have to be renewed periodically and not all sites are good about keeping their certificates current.
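As an added example, not code from the post, here is how a client checks the two things the certificate system is meant to guarantee: that the certificate actually names the site you asked for, and that it has not lapsed (the renewal problem just mentioned). SAMPLE_CERT, its names, issuer and dates are constructed in the shape Python's ssl module returns; fetch_cert is the live variant for a real host.

```python
"""Check a site's certificate the way a browser does: does it name the host,
and is it still current?  Added example, not code from the post.  SAMPLE_CERT
is constructed in the shape ssl.SSLSocket.getpeercert() returns; its names,
issuer and dates are invented."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed: a certificate for example.com that expires on 1 April 2019.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Apr  1 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def _as_utc(now):
    """Accept None (current time), an ISO date string, or a datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now if now.tzinfo else now.replace(tzinfo=timezone.utc)


def san_matches(pattern, host):
    """A leading '*' stands in for exactly one leftmost label (RFC 6125)."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label


def host_named_in_cert(cert, host):
    """True if some DNS entry in subjectAltName covers this host name."""
    return any(kind == "DNS" and san_matches(name, host)
               for kind, name in cert.get("subjectAltName", ()))


def days_remaining(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - _as_utc(now)).days


def cert_problems(cert, host, now=None):
    """What a browser would complain about for this certificate on this host."""
    problems = []
    if not host_named_in_cert(cert, host):
        problems.append("certificate does not name " + host)
    left = days_remaining(cert, now)
    if left < 0:
        problems.append("certificate expired")
    elif left < 14:
        problems.append("certificate expires within 14 days")
    return problems


def fetch_cert(host, port=443, timeout=5):
    """Live variant (needs network): TLS handshake, return the peer certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

For a real site, cert_problems(fetch_cert("www.example.com"), "www.example.com") runs the same checks on the certificate the server actually presents.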

When HTTPS was first used, both computers and networks were much slower than they are today and therefore HTTPS was considerably slower than HTTP. Consequently, HTTPS was used sparingly. A site like vinemaple.net or marvinwaschke.com where no financial transactions take place and no secrets are exchanged doesn’t need security. The only benefit to using HTTPS is to assure users that they are connecting to the genuine sites, and there isn’t much incentive for anyone to put up a fake site. Since nothing is secret, encrypting doesn’t protect anything.

I currently have both sites set up to use both HTTP and HTTPS. Therefore, no one has to change their old links to my sites and those who would prefer HTTPS security assurances can use HTTPS. Eventually, I’ll phase out the HTTP access, but I’m in no hurry. I encourage you to switch to HTTPS every place you can—it’s a good habit to have. And never perform any kind of financial transaction or convey any data that could be sensitive over HTTP.