
Capital One identity theft hacker finally gets convicted

Remember the Capital One breach?

We did, though we felt sure it had happened a long time ago.

Indeed, when we checked, it had: the story first broke almost three years ago, back in July 2019.

At the time, the company reported:

Capital One Financial Corporation announced […] that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

And we noted that:

So far, there are no details to suggest what sort of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be.

Was the breach down to an unpatched security bug, poor password choice, incorrect access control, a cloud-related configuration blunder, or what?

All we knew back then was that this was a huge breach by any standards, affecting at least:

  • 100,000,000 users in the USA
  • 6,000,000 users in Canada
  • Any consumer or small business who applied for a credit card in the previous 14 years.
  • Personal data including names, addresses, zip codes, phone numbers, email addresses, dates of birth, and income.

Some customers also lost yet more intimate personal information such as credit scores, credit limits, balances, payment history, contact information, social security numbers (SSNs) and bank account numbers.

Fortunately, if that’s the right word in a case like this, “only” about 150,000 victims actually had their SSNs exposed (in the US, SSNs are effectively lifelong unique national ID numbers), meaning that about 99.9% of victims escaped that fate.

The cost of the breach

This breach cost Capital One dearly in more than one way.

Even though the company was itself the victim of a cybercrime, it was ultimately hit with a $190,000,000 class action settlement plus an $80,000,000 fine from the US Office of the Comptroller of the Currency (OCC).

The OCC noted:

[We] took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.

As you will notice from the OCC’s remarks above, the breach ultimately came down to poor cloud security, with data apparently exposed due to being shifted from a privately-controlled data store into the cloud.

There’s no reason why a public cloud deployment can’t be done securely, of course, but the potential consequences if it isn’t are huge.

A publicly visible cloud server is open to a much broader range of probes, attacks and hacks – what’s known in the jargon as “having a much larger and more exposed attack surface”.

Intriguingly, the fact that this was a cloud-related breach was quickly revealed after Capital One notified its customers of the attack, because the alleged perpetrator was soon arrested.

Cloud “anti-security” scanning

Paige Thompson, who was 33 at the time, was accused of the attack, apparently using what you might call “anti-security” tools of her own devising to scan cloud providers for vulnerable and misconfigured services, and from there to recover access credentials, gain access, exfiltrate data and infiltrate malware.

At the time, the US Department of Justice (DOJ) suggested that Thompson hadn’t tried to sell on the stolen data, but that she had used compromised services for what’s known as cryptojacking.

That’s where crooks deliberately install cryptomining software on other people’s devices – all the way from laptops and mobile phones, through powerful gaming rigs, to physical and virtual servers.

The victims end up paying for the electricity, cooling and server time, while the criminals accumulate any cryptocurrency that gets earned in the process.

Anyway, the DOJ has just announced that Thompson has now been convicted, though she will only be sentenced in September 2022:

Thompson was found guilty of [w]ire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer. The jury found her not guilty of access device fraud and aggravated identity theft.

Using Thompson’s own words in texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web Services accounts to look for misconfigured accounts. She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank. With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet. Thompson spent hundreds of hours advancing her scheme, and bragged about her illegal conduct to others via text or online forums.

In the DOJ’s words, “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

What to do?

  • If you want to get started in cybersecurity, read the rules and follow them. Many companies publicly endorse research-style “hacking” against their systems, and offer to pay so-called bug bounties to ethical researchers who responsibly report any holes they find so they can be fixed before they can be exploited by cybercriminals. But bug-bounty programmes almost always have explicit rules and clear limits to what is considered in scope. If you don’t follow the rules (for example, if you try to use your findings as a form of “bug blackmail”, or if you deliberately disrupt services or steal data when that wasn’t necessary to prove your point) then you are unlikely to be treated with much sympathy.
  • Routinely and regularly scan your own on-line assets for security weaknesses. As this case shows, if you don’t scan your cloud resources to look for configuration errors and exposed data, then the crooks will do it for you.
  • Practise what you will say and how you will react if you do get breached. Even though Capital One ended up with an $80m fine in this case, the regulators did note that they “positively considered the bank’s customer notification and remediation efforts”, meaning that things would almost certainly have been much worse if Capital One had tried to sweep things under the carpet. Prompt reaction may also give law enforcement a chance to collect evidence before it can be destroyed.

Planning in case you fail doesn’t mean that you are planning to fail, and you’ll probably find that your preparations make it less likely that you will fail, anyway.



Interpol busts 2000 suspects in phone scamming takedown

Sick of the unending stream of email and phone calls you receive from scammers claiming to represent your bank? Amazon? Microsoft? The tax office? The police?

We sympathise – we’re sick of them too, especially landline calls that could be a loved one calling for help or advice, and thus need to be answered…

…but that rarely, if ever, turn out to have a familiar voice at the other end.

Perhaps you’re one of the 40,000,000 or so viewers of famous science-and-engineering YouTuber Mark Rober’s video entitled Pranks Destroy Scam Callers – GlitterBomb Payback?

Rober makes some alarming but entirely believable claims of just how much money [a] a top call-centre scammer can make if they hit their on-target earnings and [b] just how much a typical call centre of this sort turns over each day.

If you haven’t seen it, the video starts with the words, “I have 100 cockroaches here, and I placed them in this James Bond-style contraption,” so you can probably imagine how things end.

Despite the not-very-threatening outcome when Rober later releases the insects inside a scam call centre where he has access to footage from the CCTV feed, the video gives a good visual indication of just how industriously and unrelentingly these scammers operate. (When not driven from their work pods by roaches, that is.)

Fake refund scams

The scammers in Rober’s video seem to go in mainly for what are known as “fake refund” tricks, which go something like this:

  • Scammers “refund” you an impressive but believable amount, say $2000, for an “over-billing” for a product or service you actually use.
  • They then “help” you log in to your bank account to ensure that the transaction went through.
  • They sneakily edit the HTML in your browser so the page shows a transaction for ten times the amount originally mentioned.
  • They cry out in alarm, claiming they themselves must have typed in an extra zero and that they’ve accidentally refunded too much.
  • Then they burst into tears, or turn on the emotional blackmail, claiming they (or you!) will be liable for the massive difference, so please, oh! please! won’t you help?

Their goal is to lure, browbeat, wheedle, threaten, cajole, beg and convince you to refund the “extra” money out of your own account.

After all, you can see the giant refund is there… except that it isn’t, because the item on the page is fake, with the HTML modified in memory to show a huge deposit and a vastly increased balance.

You’re scammed into thinking that they’ve made a mistake that will definitely get them in trouble, and could get you into trouble, too.

The crooks therefore hope to persuade you to help them “cover up” their mistake by withdrawing the “excess” from your own account and paying the non-existent “difference” back to them via some other channel.

While you might be sure that no criminal would ever catch you out with an apparently obvious trick like this, you’ll probably admit that, like most things, this sort of scam is only truly obvious the second time you see it or hear about it.

Travelling by bus is easy. Billions of people do it all over the world every week. But if you’ve ever taken a bus in a new town or city, you’ll know the uncertainty you face the first time you make a journey. Do you get off at this stop? Perhaps the next one is a bit closer? But what if the bus swoops into a tunnel and your next stop is hundreds of metres past your destination? How can you tell? And the simple answer is that you either need to ask someone else and trust their answer, or do an experiment and find out for yourself. Your next journey, if there is one, will be easy and certain. It’s during your first outing that you don’t know quite what to look for, and therefore when you are most likely to make a mistake.

Other common scams

Other common phone scams include:

  • Emailing you with a “receipt” for a fake transaction, such as a $79 Amazon charge you never made, but offering a “helpful” telephone support number you can call to dispute the “payment”.
  • Claiming to be from the tax office to discuss the “late payment” of the tax “penalty” in your latest “assessment”.
  • Pretending to be a police officer and reading out a list of “criminal charges” that could lead to your imminent arrest unless “fines” are swiftly paid.
  • Pressurising you into putting money in “high return” investment schemes, often backed by legitimate-looking but utterly bogus websites or mobile phone apps that simulate a healthy return.

Regular Naked Security readers know that these calls are just a pack of lies, so that although they’re a disruption and an annoyance, they’re not a direct danger.

But does your {child, grandparent, favourite aunt, cousin, not-so-technical friend} know they’re made-up garbage?

Perhaps not, if you look at Interpol’s latest report about cracking down on social engineering fraud.

Interpol’s definition of social engineering fraud is very much like our own, namely that it refers to “scams [that] manipulate or trick people into giving out confidential or personal information which can then be used for criminal financial gain.”

In a recent two-month global operation, dubbed First Light 2022, Interpol says that:

76 countries [took] part in an international clampdown on the organised crime groups behind telecommunications and social engineering scams. Police in participating countries raided national call centres suspected of telecommunications or scamming fraud, particularly telephone deception, romance scams, e-mail deception, and connected financial crime.

Although results are still coming in, Interpol claims that the operation has so far resulted in:

  • About 1770 locations raided worldwide.
  • About 3000 suspects identified.
  • About 2000 arrests of operators, fraudsters and money launderers.
  • About 4000 bank accounts frozen.
  • About $50,000,000 of illicit funds intercepted.

As Interpol notes, one of the scam back-stories used by these criminals is pretending to be from Interpol itself.

In some cases we’ve written up before, this sort of scam is sometimes used as a follow-up in order to rip off scared victims for a second time, by pretending to offer an “official” legal lifeline to recover some of the money they lost in the first part of the scam.

Of course, the reason that the “investigators” are so familiar with the details of how the scammers operated and how much the victim lost is not the result of good police work, but simply that the fake “police” are part of the same group that conducted the original scam.

What to do?

As Mark Rober’s video (see above) makes clear, busting 2000 suspected scammers and grabbing hold of $50m in ill-gotten gains is only a start.

Sadly, there are plenty more crooks where those 2000 came from, so:

  • Never be in a hurry to hand over personal information. Remember these two simple jingles: Stop. Think. Connect. And: If in doubt, don’t give it out!
  • Make sure your friends and family know where to look for genuine advice on how to spot scams. Don’t let them “learn” about scams by wandering into the hands (or onto the websites) of the scammers themselves.
  • If your friends or family warn you that you might be getting scammed, hear them out. Don’t let the scammers divide you from your loved ones as well as your money.


S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]


  • [00’24”] Computer Science in the 1800s.
  • [02’56”] Fixing Follina.
  • [08’15”] AirTag stalking.
  • [16’22”] ID theft site seizure.
  • [19’41”] The Law of Big Numbers versus SMS scams.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

LISTEN LATER

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


Follina gets fixed – but it’s not listed in the Patch Tuesday patches!

A few hours ago, we recorded this week’s Naked Security podcast, right on Patch Tuesday itself.

It was just after 18:00 UK time when we hit the mics, which meant it was just after 10:00 Microsoft HQ time, which meant we had access to this month’s official June 2022 Security Updates bulletin from Redmond itself just before we started.

According to this bulletin, the CVEs fixed this month, listed in increasing numeric order, are as follows:

 CVE-2022-2007
 CVE-2022-2008
 CVE-2022-2010
 CVE-2022-2011
 CVE-2022-21123
 CVE-2022-21125
 [. . . .]
 CVE-2022-30184
 CVE-2022-30188
 CVE-2022-30189  <--- jumps from this
 CVE-2022-30193  <--- to this
 CVE-2022-32230

As you can see, CVE-2022-30190, popularly known as Follina, isn’t on the list.

We said as much in the podcast, and inferred (as we expect you did, too), that Follina either wasn’t really considered a bug, and therefore didn’t get fixed, or was still in the process of getting some sort of fix that wasn’t ready in time.

As you will no doubt recall (and as we will demonstrate and explain in tomorrow’s live Sophos Spotlight security webinar), we like to describe Follina as:

A feature that no one really wanted, combined with a feature no one really needed, to produce a malware implantation exploit that no one really expected.

Simply put (but please join us tomorrow for that 30 minute jargon-free explainer session!), you can use the Object Linking and Embedding (OLE) system in Windows to tell an Office document to fetch and display an HTML web page.

In that web page, you can embed a short JavaScript program that references a little-known proprietary Microsoft URL starting ms-msdt: in order to trigger the Microsoft Support Diagnostic Tool (MSDT).

(This, by the way, is the feature we can’t imagine anyone really wanted, given that OLE is typically used for pulling images into presentations or for embedding live spreadsheet data into documents, not for starting software tests for locally installed apps.)

Unfortunately, that ms-msdt: URL can not only be used to fire up the MSDT app, but also to feed it parameters so the user doesn’t need to choose the troubleshooting settings from the usual menus, including pre-identifying the app that needs testing by providing its precise path and filename.

And in that filename, you can embed a “metacommand” (a bit like Log4Shell or the recent Atlassian Confluence bug) buried inside a $(...) sequence of characters.

That weird sequence $(...) is apparently ignored when the system checks to see if the named app exists, so even though there aren’t any apps with $(...) in their names that could match those characters, and even though the troubleshooter should bail at this point, you don’t get an error and Windows ploughs on regardless.

But when the system actually kicks off its troubleshooting, that weird filename apparently gets re-processed, and the character sequence inside the $(...) markers isn’t used literally.

Instead, it’s executed as a PowerShell command that’s supposed to generate the text that will actually be used at that point in the filename.

(That, of course, is the feature that we can’t imagine anyone really needed, as useful and as “proactive” as it might have seemed at the time.)

Run-what-you-want

Loosely speaking, the embedded PowerShell code can do anything you want it to, from popping up a calculator to opening a reverse shell for a waiting cybercriminal (yes, we’ll show you how that part works in the demo, and how to stop it from happening).

You don’t even need to open a booby-trapped file in Word itself, because simply scrolling to an RTF file in File Explorer with the Preview Pane turned on is enough.

As you see here, moving the cursor to our test file t1.rtf opened up the Windows Troubleshooter automatically and popped up a calculator without any warning or Are you sure? message, based on the sneaky JavaScript URL in the booby-trapped HTML file loaded by our booby-trapped document.
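The ms-msdt: link that does the damage can be spotted in the HTML file before anything renders it. The following is an added example, not code from the article or from Sophos: it extracts ms-msdt: URLs from constructed sample HTML (including a percent-encoded variant) and flags any that carry a $(...) metacommand; the diagnostic id and parameter name in the samples are placeholders, not the real MSDT values.

```python
import re
from urllib.parse import unquote

# Constructed sample HTML files (not real exploit files). PLACEHOLDER_DIAG and
# IT_FILE stand in for the real MSDT diagnostic id and parameter name.
SAMPLES = {
    "benign.html":
        "<html><body><a href='https://example.com/help'>Help</a></body></html>",
    "direct.html":
        "<script>location.href = \"ms-msdt:/id PLACEHOLDER_DIAG /param "
        "'IT_FILE=$(PLACEHOLDER_COMMAND)'\";</script>",
    "encoded.html":
        "<script>location.href = \"ms-msdt:/id%20PLACEHOLDER_DIAG%20/param"
        "%20IT_FILE%3D%24%28PLACEHOLDER%29\";</script>",
    "plain_msdt.html":
        "<a href='ms-msdt:/id PLACEHOLDER_DIAG'>troubleshoot</a>",
}

SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)
QUOTES = "\"'`"

def extract_msdt_urls(text):
    """Return every ms-msdt: URL in the text, percent-decoded.

    A URL inside a JavaScript string or an HTML attribute runs until the quote
    that opened it, so the spaces between MSDT switches do not end the match;
    an unquoted URL ends at whitespace or a tag delimiter.
    """
    text = unquote(text)                 # %24%28 -> $( , %20 -> space, etc.
    urls = []
    for m in SCHEME.finditer(text):
        start = m.start()
        opener = text[start - 1] if start > 0 else ""
        if opener and opener in QUOTES:
            end = text.find(opener, start)
        else:
            end = -1
            for i, ch in enumerate(text[start:], start):
                if ch.isspace() or ch in "<>":
                    end = i
                    break
        if end == -1:
            end = len(text)
        urls.append(unquote(text[start:end]))   # second pass: double encoding
    return urls

def classify(text):
    """'clean' (no MSDT link), 'suspicious' (MSDT link, no metacommand),
    or 'follina' (MSDT link whose parameters contain a $( metacommand)."""
    urls = extract_msdt_urls(text)
    if not urls:
        return "clean"
    if any("$(" in u for u in urls):
        return "follina"
    return "suspicious"

def scan_all(samples):
    """Verdict per sample file name."""
    return {name: classify(body) for name, body in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Percent-encoding is undone before matching; JavaScript that assembles the URL from pieces or decodes it from base64 at run time would need the script evaluated first, which this static check does not do.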

Fixed after all

Having recorded the podcast, based on the abovementioned June 2022 Security Update bulletin, we checked with our sister site, Sophos News, where SophosLabs had by then published its own analysis of that security bulletin, covering the CVEs in the official list in useful detail.

But SophosLabs agrees: there was still no obvious sign of CVE-2022-30190 having been attended to!

Anyway, a short while after that, we noticed reports that the Follina bug was apparently “fixed” after all.

So we installed 2022-06 Cumulative Update for Windows 11 for x64 (KB5014697), rebooted…

…and this time, even though previewing our booby-trapped RTF triggered a web download and launched the troubleshooter, the Diagnostic Tool seemed to detect that sneakily-hidden $(...) sequence in the filename specification as an illegal value, and produced error 0x80070057, the numeric code for INVALID_PARAMETER.

So, as far as we can see, the June 2022 Patch Tuesday does suppress this bug, at least in our brief testing.

To make sure that the update was indeed the change that did the trick, we uninstalled KB5014697, and the exploitable behaviour reappeared.

Therefore, the CVE-2022-30190 bug does seem to have been recognised as a genuine security flaw by Microsoft, and it has been patched, even if you weren’t sure about that to start with.

You’re welcome.


Murder suspect admits she tracked cheating partner with hidden AirTag

Marion County, right in the middle of the US state of Indiana, and home to the state’s capital Indianapolis, is also currently home to a tragic court case.

(Thanks to fellow writers at The Register for that link – we couldn’t get to the official court site while we were writing this up.)

The short version of events is alleged to be as follows:

  • Accused decides her partner’s cheating.
  • Hides an Apple AirTag in the back of his car.
  • Tells partner she’s getting ready to boot him out.
  • Partner makes himself scarce.
  • Texts him to say she knows where he is.
  • Drives to the pub she thinks he’s in.
  • Confronts him and attacks the woman he’s with.
  • Gets thrown out of pub with the other two because of ruckus.
  • Drives off a short way but sees partner in parking lot.
  • Drives back and runs him over.
  • Traps partner under car.
  • Partner suffocates to death.

In the sombre and tragic words of the charge sheet, the court alleges that the accused “did knowingly kill another human being, […], all of which is contrary to statute and against the peace and dignity of the State of Indiana.”

The charge sheet makes interesting reading, and is a fascinating reminder of how old-school policing, such as promptly interviewing witnesses at the scene and securing relevant property that might be needed in evidence…

…is mixed in with the need for today’s investigators to be familiar with modern technology and to know how to involve it right from the start in the evidence they collect.

Dotting the Is and crossing the Ts

Some of the evidence is quite chilling, such as the discrepancy between the claim by the accused that she did drive at the dead man, but “didn’t mean for him to go under the car”, and the claim by other witnesses that after hitting him, she reversed back over him and then drove into him again, at which point he allegedly got trapped under the front of the vehicle, wedged beneath the gearbox.

Presumably in an attempt to “dot the Is and cross the Ts”, a crime-scene technician “measured the distance from the ground to the transmission pan with the [vehicle] sitting level on all four tires at just over six inches [15cm]”, which doesn’t bode well for anyone pinned down under the engine.

(The transmission pan is the bottom section of the oil sump under the gearbox, and forms the lowest part of the transmission.)

The technician also found an empty Apple AirTag container in the accused’s car.

This evidence seemed to line up with a witness statement that the dead man assumed “there was a GPS on his car because [the accused] was texting him that she knew where he was at”.

In the end, the accused apparently decided to co-operate with the police, presumably given the very public nature of the confrontation and the incident.

After denying that she’d AirTagged the dead man’s car, an investigator asked, “if a search warrant was served [for the dead man’s car], would a tracker […] be located?”

At this point, she allegedly “admitted that she had a tracker on his car, and stated that she placed it in the backseat of his vehicle near the cup holder.”

What to do?

We’ll steer clear of any moral, legal or social pronouncements in what sounds like a tragic case of O! What a tangled web we weave, when first we practise to deceive.

But we have written about AirTags and other tracking devices before, noting that:

  • They produce a beeping noise if they’re separated from their owner for a suspiciously long time.
  • You’ll be warned if a tag stays with you unexpectedly, assuming you use an AirTag app yourself.

Of course, you might not hear the beeping noise if the AirTag is well-hidden or otherwise muffled.

It’s also possible to buy second-hand AirTags that are modified so the speaker doesn’t work, though the accused in this case doesn’t seem to have done that.

And even if you decide to run an AirTag tracking app yourself, despite having no AirTags of your own, you need to remember to consult the app to see if there are any warnings pending.

In this case, the dead man seems to have been aware that he was being tracked, and that his partner would probably be able to find him anyway through knowing his habits.

Lastly, if the person tracking you is someone you expect to meet up with regularly anyway, their device is likely to make contact with the hidden tracker frequently enough to avoid suspicion, which would suppress the alarms it might otherwise give out.

In short, there isn’t a robust and reliable way to detect that you’re being tracked, but if you are worried about getting snooped on via a Bluetooth-based device, you might want to consider a Bluetooth monitoring app that can detect and list any “beaconing” devices in your vicinity.

Unfortunately, in urban areas at least, there are usually loads of Bluetooth devices around, so picking out the suspicious devices from the background noise can be quite hard.

If you’re determined, and you can find a location that’s secluded enough to show no Bluetooth traffic when you stand there alone with your scanner, then you can test your own items one-by-one by bringing them within 10 metres.



