The Strickland Group


The Accidental Hacker

April 14, 2010 by admin

A couple of weeks ago I was helping a client with an issue with their VPN. Basically, a vendor that they use for support of a vertical application could no longer remotely connect to their server. After investigating the issue and making sure that I could VPN into their network, I called the software vendor. I merely stated, “I am calling from company XYZ and you said that our VPN was not working.”

This is where it gets interesting. I asked the vendor if they were able to connect now that we had confirmed the VPN worked, so they tested and informed me that they still could not connect. I asked the technician if he could open telnet and try to connect to the IP address over port 1723. He did not know how to do this and I was eager to resolve the problem, so I quickly asked, “Do you mind if I connect to your computer and try to troubleshoot the problem?” To my astonishment the technician said, “Sure.” I guided the gullible technician to LogMeIn Rescue and proceeded to walk him through letting ME onto HIS computer.

Once on his computer I tried to pull up telnet, but it was Windows 7 and by default there was no telnet application available. I then asked if I could download PuTTY so that I could test the telnet ability. He said, “Go for it.” I was again astonished at the disregard for the control he was giving me. I then confirmed through the use of PuTTY that telnet was immediately getting dropped. I speculated that it was their firewall blocking PPTP outbound. He checked with an IT guy who was strolling by and confirmed that they were blocking outbound PPTP. They asked for the IP address so that they could add it to the firewall, so I told them the external IP address of the firewall they were trying to connect to.

Now the icing on the cake: the IT guy used the computer that I was remote controlling to access their Cisco ASA. He logged into the web management of the ASA and proceeded to create the rule to allow the PPTP to get through. Now I am mesmerized by the lack of security. I even corrected the IT guy's spelling on the firewall.

Now that the exciting turn of events is over, I reflect on what happened. How easy was it for me to get on their network? Pretty easy. All I needed was 3 pieces of information:

  1. I needed to know the name of the company who was in need of support.
  2. I needed to know the key Line of Business application and the company who made it.
  3. I needed to know the problem.

These 3 things are pretty easy to determine, or even to ask for and get.

This is called Social Hacking. All I needed was a good attitude, a friendly personality, and a few bits of info, and I was able to get on their network. The point here is that it should not be that easy to get on their computer, since I called them. It is not like they called me asking for help. I called them to give help. They thought the problem was way downstream at their client's firewall.

Simple rule: never give donations to someone who calls you, always call them to give donations, AND never accept technical support remote control from someone who called you to tell you about a problem that you didn’t even know you had.

By the way, once they added the rule to the firewall, the VPN worked.

Filed Under: Uncategorized Tagged With: fraud, hacking, phishing, remote, scam, security

Dangers of the Wild, Wild Web

December 29, 2009 by admin

I read an article recently that said that FBI director Robert Mueller doesn’t use online banking at all because he almost fell for a classic “phishing” scam. According to the article, he received an email that appeared to be from his bank and began following the instructions in the email. Fortunately for his credit score, he caught on to the scam at the last minute. In a classic knee-jerk reaction, he now refuses to use internet banking at all. What does this say about the state of internet security if someone with as much access to world-class security software as the director of the FBI is susceptible to internet fraud?

I certainly understand there are high risks to using internet banking.  I’ve read tons of horror stories about people whose financial lives have been ruined by identity theft.  We’ve all seen the fake emails from our bank, or from the IRS that look almost legitimate.  Even so, the convenience of internet banking outweighs the risks for me – as long as my wife and I practice safe computing.

Here are some tips for safe browsing:

  • Don’t click on links or attachments in emails you aren’t expecting. If you need to do something at your bank, go directly to your bank’s website.
  • Assume any message from your bank informing you that you need to sign in to update your information is junk. Because of the prevalence of scams, most banks won’t use email to communicate this type of information. You’ll get a letter in the mail or a pop-up on the website when you sign in.
  • Patch, patch, patch.  Keep your operating system and security software up to date.
  • Watch your account activity.  The best way to know if your accounts are compromised is to keep a close watch on the transactions.  The sooner you know about traffic that’s not yours, the better.
  • Use your annual free credit report.  We all get one free report a year.  Use it to see if any repair needs to be done.
  • If you have wi-fi at your house, don’t leave your computers on. Wi-fi is a leaky vessel and embarrassingly easy to compromise. If you leave your computers sitting idle, connected to the internet for huge amounts of time, you’re asking for trouble.
  • Everyone needs a good firewall and good antivirus software.  There are plenty of free or cheap options available that do a pretty good job.

Filed Under: Uncategorized Tagged With: fraud, internet, phishing, scam, security, www
