SN Listener Forever (ME) Makes ~TWO Security Mistakes


rfrazier (Well-known member, Sep 30, 2020)
Hi all. I've been a SN listener forever. I have a policy of trying to share things I learn to help others. Today I made ~TWO security mistakes. Everything is fine and it all worked out. But, I wanted to share this so you can tweak your mental shields and recognize that even security conscious people can get caught off guard.

I'm a member of a national organization which is politically active on some key issues I'm concerned about. I've been reviewing some finances and had decided to make some contributions to some organizations. So, I get an email from this organization and it says important things are happening and they need some money. It also says give over a certain donation limit and get a free gift. Click here. We're not talking about a lot of money here. It was $24.

So, I clicked the link. SEMI-MISTAKE #1. So, I'm thinking it will go to a web page and say, here's your donation, review, enter data, click pay. But, it didn't. In actuality, BOOM, it instantly went to a web page and said thank you for the donation you JUST MADE. No data entry. No review. No confirmation. Nothing.

So, I said WHAT THE HECK? I didn't even know that was possible. Note that clicking the email itself, not the web page, did the deed. So, I looked at the thank you page and found the phone number and called it. MISTAKE #2. So, I got hold of customer service and told them I had a complaint about this instantaneous transaction. She even anticipated what I was calling about.

Now the rest of the story. The email was legitimate. The donation was legitimate. And, everything is OK. But, afterwards, I was mentally slapping myself for making the semi-mistake of clicking on the email and the mistake of calling them back at the phone number they gave me.

Now, here are a few things in my defense. 1) I use custom TO emails, which cannot be faked, for all organizations. So, the email came to the proper address. 2) The original email had the last 4 digits of my credit card number (which I only noticed after I clicked). 3) Their answering service sounded like what I'm used to (which I didn't know until after I'd made the mistakes). 4) The rep was able to tell me my membership expiration date (which I didn't know she could until after I'd made the mistakes).

So, I feel highly certain it was legit. And, frankly, the correct TO address gives me a large amount of confidence to click on the email. It's HIGHLY unlikely for anyone else to send me email at that address. But, I really should have separately looked up the phone number to call rather than using the one presented to me.

So, take this for what it's worth and remember, you're never invincible to mistakes and attacks.

May your bits be stable and your interfaces be fast. :cool: Ron
 
> So, I clicked the link.
I think we have all done that in the past, but not now in this day & age!

I remember 20 years ago I had an email from what I thought was my paragliding instructor. We were both into films, and The Matrix had been released. The link in his email was pointing to "The Matrix screensaver", the one where all the green letters fall from the top to the bottom of the screen. Wow, this was cool, and without a thought I clicked the link, and guess what, nothing happened, or at least I thought that was the case. So I clicked it again, three times in total, and still nothing. I thought no more about it and switched off the computer. The next day ZoneAlarm was asking permission to let MTX have access to the net; it then dawned on me what I had done! A little research proved this was malware, but the way the attack was carried out was not very sophisticated: I found three lines in my Autoexec.bat file trying to run MTX! The point is, because I thought I knew the person who sent it I was off my guard; I would not have done it if it was a random email... We all live & learn.
 
The YouTuber Linus from LTT ended up getting scammed out of thousands of dollars because someone managed to break into the email system of a company he was doing business with for his new house renovations. If some 2FA-style protection had been in place, he would not have gone through with the transaction. I think the nature of the scam was that he could save some money by putting down a huge payment now or something.

So emails from people you expect can still be scams. He was lucky enough to get his money back because the bank he wired the money to had reason to investigate something on their end unrelated to his case. (I'm guessing that they noticed they were being used by lots of scammers.)
 
I recently encountered what is probably not a scam, but rather a slick way for an outside company to collect a lot of financial information on you. The company doing the data collection is called Plaid. They have already been sued for having more information on people than needed, and from what I can tell they are at it again. Their rather long 'disclosure' statement is probably how they are getting away with it. Following are the details, a bit of which may sound familiar from a past post on HTTPS fingerprints.

I have a Coinbase account with a low-balance bank account used primarily for them and some bill payments. I went to make a transaction on Coinbase recently and got a notice that they are now using Plaid for banking transactions and I needed to re-verify my bank info. I read a lot of the 'privacy' info from Plaid and it did not sound good. A window said Plaid would allow for faster, more secure transactions. All past transactions worked perfectly fine so I did not see their purpose. I raised the question to Coinbase support after deleting my bank account from Coinbase. Their reply was to delete the bank account and put it back in, which did not work. I also tried to manually re-verify and it said my account could not be manually verified.

Some internet searches on Plaid indicated the extent of what they were doing, and from a security and privacy viewpoint it was not good. They were also sued for collecting too much info. Since then I've noticed that when I try logging into Chase their login screen doesn't match GRC's fingerprint or the list I keep from GRC. I tried login variations and finally the simple www.chase.com fingerprint matched. Since I use Bitwarden my login has always been the same.

Now I am wondering if Plaid did not plant a fake Chase Bank certificate on my computer so they can do a man in the middle attack. At this point I am at the limit of what I know about certificates. Could Plaid have put a certificate on my machine, and if so is there a way to find and delete it?

I just had the idea to try logging into Chase from my work laptop and see if the fingerprints match or not. My work machine has never logged into Chase, but then again being a work machine they may be monitoring what gets done on it. In any case I'll give that a try and post what I find. Any information on locating a 'fake' certificate would be appreciated. Thanks
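A concrete way to do the fingerprint comparison described in the posts above is to read the certificate from your own machine's TLS session and compare it with a value you pinned earlier from a trusted vantage point. The script below is an example added here; it is not the poster's code, GRC's code, or Plaid's. The host, the pin value, the `SAMPLE_DER` bytes and the `check_host`/`fetch_leaf` names are all assumptions. It also reports who issued the leaf certificate, which is the quickest clue to whether a public CA or something locally trusted is vouching for the site.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample: a stand-in byte string for a DER-encoded certificate (not a real
# certificate), so the pure functions below can be exercised offline.
SAMPLE_DER = b"constructed stand-in for a DER certificate"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex pairs, the layout
    browsers and fingerprint sites display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp: str) -> str:
    # Accept a pin copied from a web page in any case, with or without separators.
    return fp.replace(":", "").replace(" ", "").lower()


def check_pin(der_bytes: bytes, pinned: str) -> str:
    """Compare the observed certificate with the pinned fingerprint in constant time."""
    same = hmac.compare_digest(_normalise(fingerprint(der_bytes)), _normalise(pinned))
    return "OK" if same else "MISMATCH"


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS session the way a browser would (SNI, this machine's trust store) and
    return the leaf certificate bytes plus its parsed issuer and subject."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            parsed = tls.getpeercert()  # populated only because chain verification passed
    # getpeercert() returns issuer/subject as a tuple of RDNs, each a tuple of (key, value).
    flat = lambda rdns: {k: v for rdn in rdns for k, v in rdn}
    return {
        "der": der,
        "issuer": flat(parsed.get("issuer", ())),
        "subject": flat(parsed.get("subject", ())),
    }


def check_host(host: str, pinned: str) -> str:
    """One-line verdict: does the certificate this machine sees for `host` match the pin,
    and which organisation issued it."""
    leaf = fetch_leaf(host)
    issuer = leaf["issuer"].get("organizationName", "?")
    return f"{host}: {check_pin(leaf['der'], pinned)} (leaf issued by {issuer})"


if __name__ == "__main__":
    import sys
    # Usage: python tlspin.py www.example.com AA:BB:CC:...  (pin recorded from a trusted session)
    print(check_host(sys.argv[1], sys.argv[2]))
```

The handshake result alone is not the signal to rely on: `ssl.create_default_context()` loads the same trust store the system uses, so a root certificate that had been installed locally would make verification pass here just as it would in the browser. That is why the issuer name is printed alongside the verdict. A MISMATCH against a pin you recorded yourself, together with an issuer that is not a public CA you recognise, is the combination worth investigating; on Windows, `ssl.enum_certificates("ROOT")` lists the machine's trusted roots if you want to go looking for the one that signed it.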
 
I don't think Plaid's business model would be sustained if they were misusing any private information they gather. Mostly they deal with bank routing information, which would be useful for fraudsters, but not really the kind of information that anyone like an advertiser would want access to. On the other hand, they disintermediate a bunch of businesses that want to be able to put money in or take money out of bank accounts, without those businesses having to be in the banking information protection business. In some sense they are acting like a password manager, but for banking info.
 
These things happen to the best of us. My company sends out phishing emails and, as it looked related to something from last year that was official, I clicked on it (the topic being 2 days extra holiday :D).

I then proceeded to fuzz the URL that was personalised for me and questioned whether the campaign provider was using sequential codes... because if they were, HAHAHAHHAHAHAHHAH!1

It's funny that you're supposed to be required to do extra training if you click, but the team thanked me for my feedback and honesty for admitting getting caught. I've not seen an ask for training since then...
 
My wife's company sends out test mails like that. I've pretty well convinced her to never click something she doesn't know. Sometimes she asks me about things. They can look VERY real. A few times, she's reported the emails as looking suspicious and gotten a thanks back from IT and an acknowledgement that it was a test. As @Lob said, the hardest ones are those that look official and look like you should expect them.

I wrote a letter to security researcher Bruce Schneier a couple of years ago. I said that we should just make it impossible for a "click" to turn into a "disaster". He's very busy and doesn't give long replies, if at all. But, he replied and essentially said, great idea, we just don't know how to do that.

I worked at a technical college at one time as a Professor. They used a product called Deep Freeze (if I recall) on the lab computers. It snapshots the whole machine and freezes it. A power off and reboot every night goes back to a known state every morning. It was pretty cool, and would wipe out anything malicious that got into the hard drive. That kind of thing is hard to use for most people since we all change our computers and data. But, for that purpose, it was nice.

May your bits be stable and your interfaces be fast. :cool: Ron
 
> They used a product called Deep Freeze (if I recall) on the lab computers. It snapshots the whole machine and freezes it. A power off and reboot every night goes back to a known state every morning. It was pretty cool, and would wipe out anything malicious that got into the hard drive. That kind of thing is hard to use for most people since we all change our computers and data. But, for that purpose, it was nice.

Back in the XP/Vista era, Microsoft had a free product called "Windows SteadyState" that was similar.

I set up SteadyState for a local real estate office back in those days. While the established agents had their own offices and computers, the rookies shared a bank of 8 computers in a common area. Each was configured with specialized software for searching the county property records, the Multiple Listing Service, creating the company's listing presentation packages, and more. It was no use trying to install or store anything on the shared computers, as each night they were rebooted and reverted themselves to the predefined "Steady" state. To save their own records, the rookies learned to carry around their own personal floppies or USB sticks.

And you're right -- for that kind of purpose, it was a really good solution.
 
Deep Freeze was on my college's computers too, but in some of the computer classes the instructor would come over and enter a password disabling it so we could install Visual Studio for the rest of the semester. Since it would let you install anything while it was on or off, and because I was 17, I keylogged that password, which was the same anywhere on campus of course. I used it to install Age of Mythology permanently on a few key machines for a couple of friends of mine. Now I guess kids would install a bitcoin miner or grab people's credentials until it rebooted. It was a horrible security model back then and administrators were lulled into a truly false sense of security.
 
Some more information about Plaid:

> This is a Court-approved Legal Notice. This is not an advertisement.
> A Settlement has been proposed in class action litigation against Plaid Inc. (“Plaid”). Plaid enables connections between a user’s financial account(s) and approximately 5,000 mobile and web-based applications (“apps”). This class action alleges Plaid took certain improper actions in connection with this process. The allegations include that Plaid: (1) obtained more financial data than was needed by a user's app, and (2) obtained log-in credentials (username and password) through its interface, known as Plaid Link, which the litigation alleges had the look and feel of the user’s own bank account login screen, when users were actually providing their login credentials directly to Plaid. Plaid denies these allegations and any wrongdoing and maintains that it adequately disclosed and maintained transparency about its practices to consumers.

This confirmed what I found with Chase Bank's login page being 'spoofed' when going through Plaid as an intermediary. Once again, thanks to Steve for making tools available to find things like this. Luckily I stopped short of logging into my bank account thanks to HTTPS fingerprints.
 
> Chase Bank's login page being 'spoofed' when going through Plaid as an intermediary.
Well as I said before... if you want this kind of service (a company to interact with your bank and provide you a service) it's probably better to trust one central company to hold bank credentials and act as a proxy than it is to trust every company out there to hold your bank credentials. You're probably wise to avoid these sorts of services in general, but if you want the service (like say that one that helps you know you're paying for subscriptions you "forgot" about), then you're going to be forced to let someone into your bank account to get the service. Plaid simply was the first to negotiate their way into the middle making it easier and safer for the customer. They're back-ending a lot of services... such as I think the Privacy Credit Card, which Steve also recommends.

So to be clear: I don't think Plaid is a great company. I don't think using the services they enable is a great idea. I do think, if you're going to make use of a service that requires this level of access, you would be better off with one monkey in the middle, than dozens.
 
I have started to use virtual cards, which limit the damage, and I can simply generate new cards for repeat accounts, and set a limit on how much they can draw, and even only allow a single transaction to proceed, all others being blocked afterwards. Much safer, as you trust your bank more than any other random site, and losing that trust means you will change to another bank.
 
I love virtual cards, and have been using them for about a decade. Back then, there were many credit card companies offering them, but it's disheartening how few still do today -- Capital One, Citicard, and BofA, AFAIK.

Everything I pay online is done via virtual cards -- water bill, garbage bill, Amazon, etc. My wife regularly supports about three dozen charities, and every one gets donations via a separate virtual card. I have about 60 virtual cards, and my real credit card number is nowhere online except at the credit card company itself.

If Ron had been using virtual cards, he would have had less to be concerned about in the situation in post #1. If it wasn't a legit email or website, the payment could not have gone through.
 
You have poor banks then in the USA; here in South Africa pretty much every bank has them as a free offering, mostly to keep up with the major players, and including the running cost as part of your monthly account fee.

Edit: thinking about it, yes, the USA, still using magstripe for a vast number of transactions, while the rest of the planet has gone to either CNP or tap for the majority. No wonder in the USA you will easily get your card blocked by simply doing 3 fuel transactions in the same day and a purchase at any speciality shop.
 
I remember that there was a time when (during Christmas shopping season) my card would get blocked for a series of transactions, transactions that I would make every other week, so there is a set pattern to my spending to justify said transactions as normal.

Another card I got the fraud thing because I shopped at a different store than normal, but the way they handled it, if my card number was stolen and used in that store without my knowledge, I would wonder what I did to trigger a fraud call with that card. I do remember being annoyed that they didn't even ask about the thousand dollar (or close to it) transaction, but about my normal less than 100 dollar transactions.
 
I've since stopped using Coinbase since I refuse to use Plaid. For now I keep the account open in case things change there. I've since tried to re-link my bank account bypassing Plaid and using a manual link, but it generates a window saying I cannot manually link Chase. I suspect using a bank not on Plaid's list will allow a manual process, but I am not going to open another bank account to find out.

Instead I found a different exchange that offered Plaid OR manual link. I chose manual and everything worked just fine. So, now they have my business. The free market, what's left of it, at work. I was tempted to ask Coinbase support why they are using Plaid being that they are being sued. I can guess the answer is financial gain, and that support there would legitimately be in no position to answer.
 
I've been reading some more about Plaid, went to their site to open an account. After asking your country they ask for a cell number which they then use to see if they have any info linked to it. You can do that before actually opening an account. I put in both my cell numbers and they claim to have nothing against either one, my.Plaid.com if anyone is interested. I stopped short of opening an account.

I read some more of what seems to be endless pages of their 'what we do and how we do it' fine print. I still don't like or trust them, my personal opinion. Supposedly if you do open an account with them you can control what information they have and use about you. If anyone is still interested, you can use this link https://www.plaidsettlement.com/search.php to see if any accounts you have deal with Plaid. For now at least I've been able to avoid being in their information grab free-for-all.
 
When I think about clicking on a link, I usually hover the mouse over the link. My email program will display the URL of the link. Might not help much if they took over the site, but most (until now) links will be to some weird domain.

I have been getting a ton of messages where it is hard to figure out whether these are attacks. They sound more or less like legit business requests. These would be hard to ignore if you need to do business over the internet. For instance, how do you know if an RFQ is an attack or not? Many include a file (suspicious), but it is a common practice to send a copy. Many are poorly executed, with things like .pdf.exe or .zip.exe, lol. However, how do you discern a better-executed attack from a real mail?
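The two checks the last post describes, hovering to compare the visible link with the real target and spotting double extensions such as .pdf.exe, can be run over a whole message at once rather than one link at a time. The script below is an example added here, not code from any participant in the thread. The HTML body, the attachment names, the `example-bank.com` / `evil.invalid` hosts and the extension lists are constructed assumptions; the registrable-domain test is a deliberately crude last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body and attachment names (not taken from any real mail).
SAMPLE_HTML = """
<p>Please review the attached RFQ.</p>
<a href="https://login.example-bank.com.evil.invalid/verify">https://www.example-bank.com/verify</a>
<a href="https://www.example-bank.com/help">Help centre</a>
<a href="http://203.0.113.5/update">Update</a>
"""
SAMPLE_ATTACHMENTS = ["RFQ-2024.pdf", "quote.pdf.exe", "drawings.zip.scr", "terms.docx"]

# A harmless-looking document extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|zip|jpg|png)\.(exe|scr|com|bat|cmd|js|vbs|msi)$", re.I)
EXEC_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|js|vbs|msi|hta|ps1)$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: the same two facts the mouse-hover check
    in a mail client reveals for a single link."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_part(host: str) -> str:
    # Crude approximation of the registrable domain: the last two DNS labels.
    return ".".join(host.lower().split(".")[-2:])


def link_findings(html: str) -> list:
    """Flag links whose displayed URL points elsewhere than the real href, and links
    whose target is a bare IP address."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "bare IP address as link target"))
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable_part(shown) != registrable_part(host):
                findings.append((href, f"visible URL says {shown} but link goes to {host}"))
    return findings


def attachment_findings(names: list) -> list:
    """Flag double-extension disguises first, then any plain executable attachment."""
    findings = []
    for name in names:
        if DOUBLE_EXT.search(name):
            findings.append((name, "double extension disguising an executable"))
        elif EXEC_EXT.search(name):
            findings.append((name, "executable attachment"))
    return findings


def triage(html: str, attachments: list) -> list:
    """Everything worth a second look before anyone clicks or opens."""
    return link_findings(html) + attachment_findings(attachments)


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print(f"{item}: {reason}")
```

On the constructed sample this reports the spoofed bank link, the bare-IP link and both double-extension attachments, and stays quiet about the genuine help link and the plain .pdf and .docx. It will not catch the better-executed attacks the post asks about (a compromised but legitimate sender, a clean link to an attacker-controlled page), which is exactly the gap the earlier posts fill with out-of-band confirmation: looking the phone number up yourself rather than using the one in the message.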