Scam Call Center @ 1-855-332-0777

I recently posted a message in an online technical forum run by Google about an issue I’m having making outbound voice calls with the “Home” devices. Within an hour, I received several messages from different forum “members”, all saying that I should call technical support at 1-855-332-0777 for further assistance.

I “Googled” the number, and it seems to come up as a technical support contact number for every software and hardware product ever created. Too good to be true? Oh yes, especially this reference in a Microsoft forum.

Naturally, I called to see what kind of scam this is. The background sounded like a typical noisy offshore call center with the agent accent to match (yes — I know I am making a broad assumption here). I started to explain my issue and it was clear that the agent did not know a Google Home device from a Palm Pilot. I gave him a simplistic overview of my problem but terminated the call as soon as he started asking for my name and other identifying information.

So, be aware of any scams that refer to the number in question, or any other suspicious responses that you receive to support queries, even in reputable manufacturer sponsored forums. The responders were reported as spammers and their responses removed.

Facebook Fails the Third Party Risk Test

Information security professionals often examine “third-party risk”. Simply put, associations with business partners and contractors can present outside risks to the data, financial, and/or physical security of an organization. The risk may be contractors with access to secure areas or sensitive business processes. The risk can be shared data in the temporary custody of a partner. The risk can be virtual access to a network or a facility without adequate audit.

Today I was informed by Facebook that my privacy could have been compromised because “friends” of mine used an application platform profiling app called “This is Your Digital Life”. I wish I could tell you more or show you the notification, but in typical arrogant Facebook fashion, the notification was a fly-by. It was presented on the screen of my smart mobile device. I put the phone in my pocket and headed to my office to compose this piece, but once the Facebook feed refreshed I can no longer find it. It is not on my notification list. So much for transparency. So much for ease of use. Now you see it, now you don’t.

So what does this mean? Well, in this case Facebook allowed a third party that I did not authorize to access my profile data. They allowed the third party because a second party (my Facebook friends) accessed an application that pulled the data. They allowed this even though I opted out of the Facebook application platform and therefore had a reasonable expectation of data privacy. Facebook fails. And my mom was right. You are impacted by the actions of your friends.

What is the answer? Take ’em down. Let’s see a class action lawsuit financially impact Facebook. There are enough of us in this potential class that have, by Facebook’s own admission, suffered harm. Congress is not likely to impose a satisfactory regulatory solution any time soon. So let’s take it to the courts and show companies that a willful direct and careless violation of our data privacy will be the most expensive mistake that their companies can make.

Decode HD Radio on RTL-SDR!

During my 2017 SWL Fest presentation, I mentioned that there is no way to decode either HD Radio or ATSC HD Television using software designed for the RTL2832U dongles. The explanation I provided is that both protocols are covered by patents and that the holders have not been forthcoming on providing necessary details to the open source community.

A cybersecurity researcher, Theori, has cracked the codec used by the NRSC-5-C standard for US based terrestrial digital radio. I am now listening to HD Radio via an RTL SDR dongle. It takes a decent signal, so I’m not getting too many stations using an inside whip antenna, but there are enough to experiment with. It also takes a better dongle with good frequency stability. An older dongle without the TCXO was not up to the task, even on an i7 based system.

The discovery is summarized on the RTL SDR Blog. You’ll need some familiarity with building packages under Linux to grab the source from github and to compile it on your system. So far, I’ve compiled under Debian x86_64, Fedora x86_64, and Raspbian! Next, I want to get it running under Cygwin so that I can use it on the Windows 10 computer in the radio room.

It is a blast to be able to decode the alternate program streams. Audio quality is better than Sirius XM.

Thanks Theori!

Wanna Cry Patches for XP

In case you still have an XP machine running somewhere that you just cannot upgrade right away, Microsoft has released a patch for the Wanna Cry vulnerability. This is the vulnerability that was exploited in recent days to hold up the United Kingdom’s National Health Service and many other organizations for ransom.

Although Microsoft stopped official support for Windows XP some time ago, the release of this patch for an unsupported product underscores the severity of the matter. The tool used is said to have come out of the United States National Security Agency.

Here is a link to the official Microsoft download. Patch away!

Some document management advice for the White House

USA Today reports that in at least 5 instances, copies of Executive Orders published at whitehouse.gov do not match the official versions published in the Federal Register. This is a practical use case where the White House staff should invest in two IT staples — document management software and digital signature software.

Document management software allows for tracking the history of changes and approvals to content such as Executive Orders. Microsoft’s widely deployed SharePoint is just one solution that can be used for document management. Digital signatures are a feature of Public Key Infrastructure, and document signing certificates are widely available. Microsoft Word and LibreOffice both support document signing.

Mr. President, your Chief Information Officer should be able to quickly help you manage this mess. If he cannot, please find one who can.

Chromecast and Google Home — A Great Combination

Two new toys showed up at the front door today. I took my time deciding between Amazon Echo and Google Home. I decided that Google Home was my best choice. When I went to order, I saw that the Google Store is offering a discount on a Chromecast dongle purchased along with Home. The discount of $15 is available through midnight Pacific time on January 28.

Google Home is about what I expected, although it currently has some limitations. If your content is on Pandora, YouTube, or Netflix you will love the device. It cannot currently access content on Hulu or the various broadcast network apps. However, you can still access the content via your mobile device and then press the “Cast” button to view the content on your big screen.

The sound quality of Home is good for the size of the device. Setup of Home is fairly easy using the Android app. Chromecast connects via an HDMI port but just hangs there. It ought to have some way of attaching it to the rear of the monitor. I may try some 3M double faced tape.

Home integrates with my Google calendar, so in the morning I can say, “Hey Google, what is my day like?” I’ll hear appointments, the weather, and the NPR news. It is supposed to be able to support multiple identities but I haven’t tried this yet. Tina will want to be able to hear her calendar too.

I tried listening to a number of different audio sources via Pandora and TuneIn. It all worked, except for CKTB, a news talk station in the Niagara area that I enjoy. Google thinks I am asking for CK TV and cannot locate it. I was able to cast content from the CBS app installed on my phone with little effort.

I’m sure I’ll learn more about the capabilities of Google Home and Chromecast as the days go on. Home is said to rely completely on the cloud so lacking features such as Hulu ought to be remedied in short order.

If you’re concerned about privacy, you should know that all your searches are logged, but can be deleted via the Google Home Android app. The device also sports a mute button should you wish to prevent Home from hearing private conversations.

If you enjoy varied media content and like to experiment, Chromecast and Home make a great combination and will provide hours of enjoyment.

Installing Certbot on Raspbian Jessie

I wanted to install the Let’s Encrypt certbot package on a Raspbian Jessie installation that hosts my Asterisk PBX. I had manually installed a certificate but decided that the automated certificate installation is advantageous. Certbot is available as a backport.

Step 1 — Add the backport source location:

# echo "deb http://ftp.debian.org/debian jessie-backports main" \
> /etc/apt/sources.list.d/backports.list

Step 2 — Update the package list:

# apt-get update

I received the following error:

W: GPG error: http://ftp.debian.org jessie-backports InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010

Step 3 — The two keys named in the error needed to be added to the gpg keyring:

# gpg --keyserver pgpkeys.mit.edu --recv-key 8B48AD6246925553
gpg: requesting key 46925553 from hkp server pgpkeys.mit.edu
gpg: key 46925553: public key “Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

# gpg -a --export 8B48AD6246925553 | sudo apt-key add -
OK

# gpg --keyserver pgpkeys.mit.edu --recv-key 7638D0442B90D010
gpg: requesting key 2B90D010 from hkp server pgpkeys.mit.edu
gpg: key 2B90D010: public key “Debian Archive Automatic Signing Key (8/jessie) ” imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

# gpg -a --export 7638D0442B90D010 | sudo apt-key add -
OK

Step 4 — Update the package list:

# apt-get update

Step 5 — Install the backported package:

# apt-get install certbot -t jessie-backports
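
Steps 2 and 3 fetch keys from a keyserver by key ID and pass them straight to apt-key, so a check of the full fingerprint against a value obtained from a source you already trust belongs between the fetch and the apt-key add. The following is an added example, not part of the original procedure; the function names are hypothetical and the fingerprint is a constructed placeholder, not the real Debian archive key fingerprint.

```shell
#!/bin/sh
# Added example: extract the key IDs apt reports as missing, then accept a
# fetched key only if its full fingerprint matches a pinned value.

# The apt warning quoted in Step 2.
APT_WARNING='W: GPG error: http://ftp.debian.org jessie-backports InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010'

# CONSTRUCTED `gpg --with-colons --fingerprint` output (placeholder fingerprint).
SAMPLE_COLONS='pub:-:4096:1:8B48AD6246925553:1335553717:::-:
fpr:::::::::0000000000000000000000008B48AD6246925553:'

# CONSTRUCTED pinned fingerprint; in practice copy it from a trusted source.
PINNED='0000 0000 0000 0000 0000 0000 8B48 AD62 4692 5553'

# Print each 16-hex-digit key ID that follows NO_PUBKEY, one per line.
missing_keys() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk 'prev == "NO_PUBKEY" { print toupper($0) } { prev = $0 }' |
        grep -E '^[0-9A-F]{16}$'
}

# Print the primary-key fingerprint: field 10 of the first "fpr" record.
# Real use: primary_fpr "$(gpg --with-colons --fingerprint "$keyid")"
primary_fpr() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print toupper($10); exit }'
}

# Succeed only if the fetched fingerprint equals the pinned one (spaces and
# case ignored) and ends in the key ID that apt asked for.
key_is_expected() {
    keyid=$1
    fetched=$2
    pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$fetched" ] && [ "$fetched" = "$pinned" ] || return 1
    case $fetched in
        *"$keyid") return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `gpg -a --export ... | apt-key add -` only for a key ID on which `key_is_expected` succeeds.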

Grizzly Steppe

It should come as no surprise to anyone even slightly knowledgeable about information security that the human factor is the biggest risk to unwanted exposure of information. The most dangerous way that a human can put himself or his organization at risk is to read an email. It is way too easy to embed malicious content in an email that can get past the rudimentary security filters that are in place in many organizations and especially on personal devices.

Malicious content in an email can masquerade as a harmless web link. It may seem to be from your bank or from an email provider. It can direct you to a forged page and ask you to update some personal information or to enter a password. Are you sure that email is legitimate?

Malicious content can be easily embedded in a graphic or a pdf. Take a look at your spam folder. See any files with attachments? Subject lines like “Invoice” or “Purchase Order” from people you were not expecting or don’t even know signal trouble. Do not open those files! You may have been spearphished, targeted because of who you are or where you work.

So with all the talk about “Russian hacking”, this Department of Homeland Security Release detailing what they believe to be an organized campaign against employees of critical infrastructure, academia, and business puts the talk in perspective.

It is probable that no vote tally was changed as a result of any “Russian hacking”, but to discount the real threat to American society of organized hacking campaigns by foreign governments is foolhardy.

I Love Ransomware

I had a few minutes to timesink yesterday and was reading stories on Google News. One link leads to another, and before I knew it, I was sucked into a story on 40 little known facts about TV’s most popular situation comedy ever, “I Love Lucy”. What could be more wholesome web viewing?

I rather quickly noticed that the text accompanying the pictures was very poorly written. Words were misspelled and misused with alarming frequency. I was convinced that the writing had been outsourced to an offshore bot that had stolen the content elsewhere on the interwebs.

And then, this happened.

My computer was crazily beeping and there was a fake virus alert displayed on the screen. Of course I took the time to close the browser (despite the false warning that I would not be able to) and make sure that my workstation was not actually infected. Such fun!

A brief Google survey revealed that the call center number displayed, (877) 337-7936, is often connected with malware scam artists. Most of the displayed pages seem to be further attempts to get you to install real malware on your system. Don’t fall for them.

Then I made the call. I was the end user from hell that these cyberpirates deserve. Imagine if Ransomware Inc. got hundreds of calls like this every day? They’d have no time to hold up their other poor victims and their profit margins would take a dive. The obvious annoyance of the Ransomware Agent at about 7 minutes into the call, when he lets out an exasperated “Yeeeeessss”, is priceless.

Remember, October is National Cyber Security Awareness Month. Stay safe online.

Lessons From A Ship’s Captain

What does a ship’s captain know about information security? A lot, apparently, if that Captain is Richard Phillips of Maersk Alabama fame. If you recall, this ship was the target of a failed hijacking attempt by four Somali pirates in April 2009. The ultimate failure of the hijackers, despite their early success in penetrating the perimeter of the ship, was in large part due to the leadership and strategic skills of Captain Phillips.

Captain Richard Phillips, left.

I recently had the opportunity to hear Captain Phillips speak at an event where the target audience was information security professionals. The lessons of the Captain’s experience were very relatable to that audience.

When Captain Phillips joined the crew of the Maersk, he took a couple of days to settle in and observe. He was concerned that security seemed a bit loose on board and decided to drill the crew. He did this repeatedly, each time learning from the failures of the previous drills. He and the crew, working together, improved things to a point where each member understood his role and responsibilities in case of an attack.

Sound familiar? Through iterative testing and analysis he helped his crew understand the policies and the actions that would increase their chances of repelling or surviving an attack by intruders. He made sure that any attack had to go through multiple layers of defenses. When the attack came, not everything worked as planned and practiced, but enough worked to ultimately assure the lives and safety of the crew.

Captain Phillips’ experience reminds us of our need to have policies that make sense and procedures that can be followed, especially under the worst of circumstances. He reminds us to educate our teams and organizations on their roles in executing those procedures. We need to test, test and test again. Learn from failures and successes and you and your crew will survive to tell the tale.

Hopefully you won’t need the help of US Navy SEAL marksmen to repel your next attack.