
Hello All,

Seems like my father[1] got scammed by "Telstra". They asked for the model and serial number of our ADSL modem, and asked him what lights were flashing. They had him install "Any place control 7.5" on his Windows computer, which gave them remote access. In doing so his screen went blank, which makes me very suspicious. Then he left his computer on with the remote access still enabled. As a result, we have no idea what the attacker may have done. They said we could have a free fibre connection for a $5 delivery fee, which finally got him suspicious, but he still didn't think of turning off the computer or disconnecting the network connection.

We don't have any account with Telstra, and there is no reason why they should be calling.

I think we cannot trust that copy of Windows anymore. I have recommended he use Windows from his old hard disk[1] that wasn't plugged in at the time. I am not sure what to do about his data files (Word + Excel), other than do a full virus scan.

He also has a backup copy of the files that was not available to the attacker, and was going to compare file sizes. I might suggest he install a program that compares files in two directories, and run that (any recommendations?).

I might also block unknown telephone numbers on incoming phone calls by default. Sure we might miss some important calls (callers these days generally refuse to leave voice mail), but I think it will be safer. I think this could easily happen again.

Is there anything else we should be doing?

Regards

Notes:

[1] This is the same father who just recently purchased an external USB device, plugged a 12V power supply into it - instead of 5V - and fried the device and his motherboard in his good computer at the same time.

-- 
Brian May <brian@linuxpenguins.xyz> https://linuxpenguins.xyz/brian/

Brian May <brian@linuxpenguins.xyz> writes:
> I might also block unknown telephone numbers on incoming phone calls by default. Sure we might miss some important calls (callers these days generally refuse to leave voice mail), but I think it will be safer. I think this could easily happen again.

Actually, not sure this is going to work in the long run. We seem to have got calls from a number of caller IDs during this time period. My guess is that they will keep trying different fake caller IDs (or anonymous) until they find one that works.

-- 
Brian May <brian@linuxpenguins.xyz> https://linuxpenguins.xyz/brian/

Hello Brian,

On 12/19/19, Brian May via luv-talk <luv-talk@luv.asn.au> wrote:
> Hello All,
> Seems like my father[1] got scammed by "Telstra". They asked for the model and serial number of our ADSL modem, and asked him what lights were flashing. They had him install "Any place control 7.5" on his Windows computer, gave them remote access. In doing so his screen went blank, which makes me very suspicious. Then he left his computer on with the remote access still enabled. As a result, we have no idea what the attacker may have done. They said we could have free fibre connection for $5 delivery fee, which finally got him suspicious, but he still didn't think of turning off the computer or disconnecting the network connection.

Therein is the issue with Microsoft: whoever has access, local or network, has total freedom to do as they please, for good or ill. Migrate him to a limited account on a Linux box; that can mean only his account gets compromised, and then primarily the data rather than the OS.

> We don't have any account with Telstra, and there is no reason why they should be calling.
> I think we cannot trust that copy of Windows anymore. I have recommended he use Windows from his old hard disk[1] that wasn't plugged in at the time. I am not sure what to do about his data files (Word + Excel), other than do a full virus scan.

Also, for the data files, do not neglect the vulnerabilities through Visual Basic for Applications; it can reintroduce all sorts of things when a document is opened. I would strongly suggest LibreOffice instead of the Microsoft offerings, even on Windows.

> He also has a backup copy of the files that was not available to the attacker, and was going to compare file sizes. I might suggest he install a program that compares files in two directories, and run that. (any recommendations?).

Does he have enough competence to do that, and comprehend the results? Some will vary legitimately; some compromises will deliberately make the resulting file exactly the same size. It might take using something like MD5 sums to see what has changed.

> I might also block unknown telephone numbers on incoming phone calls by default. Sure we might miss some important calls (callers these days generally refuse to leave voice mail), but I think it will be safer. I think this could easily happen again.

And they are spoofing the numbers. There are reports of scam calls where the caller ID shows the correct number for the purported calling identity. He needs an education regarding "social engineering"; see if you can get a copy of "The Cuckoo's Egg" by Clifford Stoll. Not recent, but still relevant.

> Is there anything else we should be doing?

From the note, consider something permanently on with the requisite features, that is Linux based, that he cannot add to nor remove from, except for toggling network connectivity. I believe the Raspberry Pi 4 is desktop capable, and runs on about 4 amps of 5V USB power. It does need a screen and keyboard and monitor, and should have a USB drive for the home directories. You would need to do the administrative work, but hopefully that is less of an issue than the cleanup on Windows. If he cannot install anything, nor open access ports and the like, and the unnecessary ones are not enabled, he should be less capable of making such a mess.

> Regards
> Notes:
> [1] This the same father who just recently purchased an external USB device, plugged a 12V power supply into it - instead of 5V, and fried the device and his motherboard in his good computer at the same time. -- Brian May <brian@linuxpenguins.xyz> https://linuxpenguins.xyz/brian/

Regards, Mark Trickett

For locked down computers that are fairly easy to use you could try a Chromebook. Word documents can still be a problem though, so a cloud service might be necessary if they can't switch to LibreOffice.

Cancelling credit cards and changing passwords might be required if they were saved in a browser.

Andrew

On Thu, 19 Dec 2019, 7:34 pm Mark Trickett via luv-talk, <luv-talk@luv.asn.au> wrote:
> (Mark Trickett's reply of 19 Dec 2019, quoted in full; see above.)

Mark Trickett via luv-talk wrote:
> Therein is the issue with Microsoft, whomever has access, local or network, has total freedom to do as they please, for good or ill. Migrate him to a limited account on a Linux box, that can mean only his account gets compromised, and then primarily the data rather than the OS.

This is not true. It's entirely possible to run a Windows system as a non-privileged user. Doing a privileged action, such as opening Resource Manager, or installing software, requires you to type in the password for a privileged user. This is the equivalent of sudo or polkit.

I *think* Windows still gives the first created user the ability to run this as admin *without* typing in a password, by default, but you can always just make an "admin" user first and a "dad" account second.

Regarding Evil Maid attacks (i.e. "local access"), Microsoft Windows has a full "trusted boot" chain available, but on a desktop computer it is probably off by default. It is definitely a pain to get going, but doing the same thing with Linux is no less painful.

On Thu, Dec 19, 2019 at 07:10:39PM +1100, Brian May wrote:
> Is there anything else we should be doing?

What windows apps does he need to run? Will they run in WINE? if he needs Office apps, can he switch to Libre Office?

Is the computer powerful enough to run windows in a VM? If so, do that on a snapshot-capable filesystem (zfs or btrfs) and run a nightly cron job to snapshot the windows VM, and keep old snapshots for at least a month. If he gets scammed again, roll back to the night before.

BTW, it's quite easy to set up a windows VM on linux KVM running in full-screen mode, from boot up - so it looks exactly the same as windows running on bare metal. There's a (configurable) keystroke sequence to switch back and forth between the linux console or X, and, of course, you can ssh in to fix any problems (e.g. shutdown the win VM, rollback the snapshot, and start it up again).

In short, even though it may not be possible or even desirable to get him running linux, look for ways to minimise his reliance on and exposure to windows, and to minimise the effects of windows security flaws. crap like this scam and ransomware and viruses aren't as big a deal if you can just rollback a snapshot to a pre-compromised version.

NOTE: if he runs windows games, or anything else requiring fast 3D graphics, you'll probably need to look into VGA passthrough with a dedicated GPU for the VM. put a cheap CGA card in for the linux side of things, and re-use his existing card for the VM if it's better. there's a minor catch, however: nvidia has some annoying crap in their drivers that make it slightly difficult to run them in a VM (because of bullshit artificial market segmentation reasons), but there are ways to fool the driver that it's running on real hardware. AMD radeon cards don't do this.

craig

-- 
craig sanders <cas@taz.net.au>
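The nightly snapshot-and-rollback arrangement Craig describes, written out as a cron script for btrfs. This is an added example, not code from the thread; the subvolume path /vms/win, the snapshot directory /vms/.snapshots and the 31-snapshot retention are assumptions.

```shell
#!/bin/sh
# Added example: nightly read-only btrfs snapshot of a Windows VM's image
# subvolume, keeping a month of history, plus a rollback helper.
# Assumed (hypothetical) layout: images in subvolume /vms/win, snapshots under
# /vms/.snapshots named win-YYYY-MM-DD. Assumed cron entry (/etc/cron.d/vm-snapshot):
#   30 3 * * * root /usr/local/sbin/vm-snapshot.sh snapshot
set -eu
VM_SUBVOL="${VM_SUBVOL:-/vms/win}"
SNAP_DIR="${SNAP_DIR:-/vms/.snapshots}"
KEEP="${KEEP:-31}"     # nightly snapshots to retain: at least a month

# Print the snapshot names in DIR beyond the newest KEEP (names sort by date).
snapshots_to_prune() {   # snapshots_to_prune DIR KEEP
    ( cd "$1" && ls -d win-* 2>/dev/null ) | LC_ALL=C sort | awk -v keep="$2" \
        '{ names[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print names[i] }'
}

take_snapshot() {
    # Read-only snapshot: nothing running inside the guest can alter history,
    # only root on the host can delete it. Image files created with chattr +C
    # (nodatacow) still snapshot fine; shared extents are copied on first write.
    btrfs subvolume snapshot -r "$VM_SUBVOL" "$SNAP_DIR/win-$(date +%Y-%m-%d)"
    snapshots_to_prune "$SNAP_DIR" "$KEEP" | while IFS= read -r old; do
        btrfs subvolume delete "$SNAP_DIR/$old"
    done
}

# rollback win-YYYY-MM-DD: shut the VM down first (e.g. virsh shutdown),
# then replace the live subvolume with a writable copy of the chosen night.
rollback() {
    [ -d "$SNAP_DIR/$1" ] || { echo "no such snapshot: $1" >&2; return 1; }
    btrfs subvolume delete "$VM_SUBVOL"
    btrfs subvolume snapshot "$SNAP_DIR/$1" "$VM_SUBVOL"
}

case "${1:-}" in
    snapshot) take_snapshot ;;
    rollback) rollback "$2" ;;
esac
```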

Craig Sanders via luv-talk <luv-talk@luv.asn.au> writes:
> Is the computer powerful enough to run windows in a VM? If so, do that on a snapshot-capable filesystem (zfs or btrfs) and run a nightly cron job to snapshot the windows VM, and keep old snapshots for at least a month. If he gets scammed again, roll back to the night before.

My understanding is that COW file-systems such as ZFS or BTRFS are horrible for VMs, and recommended practice is to turn off COW.

How does Windows licensing work on such a system? Do you need to purchase another Windows license to use it within a VM?

-- 
Brian May <brian@linuxpenguins.xyz> https://linuxpenguins.xyz/brian/

On Monday, 23 December 2019 4:08:03 PM AEDT Brian May via luv-talk wrote:
> Craig Sanders via luv-talk <luv-talk@luv.asn.au> writes:
>> Is the computer powerful enough to run windows in a VM? If so, do that on a snapshot-capable filesystem (zfs or btrfs) and run a nightly cron job to snapshot the windows VM, and keep old snapshots for at least a month. If he gets scammed again, roll back to the night before.
> My understanding is that COW file-systems such as ZFS or BTRFS are horrible for VMs, and recommended practise is to turn off COW.

COW within COW is bad, so don't use BTRFS for the filesystem inside a VM and for the VM data store. Running Ext4 in a VM and BTRFS or ZFS for the VM store works well enough as long as your disk access isn't too intensive. If you use SSD for the storage then performance should be fine.

The LUV server is running on an ext4 filesystem in a KVM VM on top of a BTRFS RAID-1 (with snapshot backups) on a pair of SATA SSDs. It works OK.

> How does Windows licensing work such a system? Do you need to purchase another Windows license to use it within a VM?

Legally if you have one Windows OS and one Windows license it should be OK, but MS might try to stop that with some license terms.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Russell Coker via luv-talk wrote:
> On Monday, 23 December 2019 4:08:03 PM AEDT Brian May via luv-talk wrote:
>> My understanding is that COW file-systems such as ZFS or BTRFS are horrible for VMs, and recommended practise is to turn off COW.
> COW within COW is bad, so don't use BTRFS for the filesystem inside a VM and for the VM data store. Running Ext4 in a VM and BTRFS or ZFS for the VM store works well enough as long as your disk access isn't too intensive.

Boring additional comments:

For btrfs you can set the "nodatacow" option on my-disk-image.raw, which has... implications. ZFS doesn't have this, because why would you even.

Cool kids might use a zfs dataset (directory tree) instead of a zvol dataset (block device), then export to the guest using virtio-fs [0] or the older and much slower 9p [1]. The former requires Linux 5.4+ (or patches), and apparently isn't in BSD yet.

PS: the linux page cache is still Fucking Awful because Linux wants to keep supporting embedded systems (which can't afford the RAM flagfall for a modern ARC):
https://linux-mm.org/AdvancedPageReplacement
https://github.com/Feh/nocache

[0] https://virtio-fs.gitlab.io/ https://lwn.net/Articles/788333
[1] https://www.linux-kvm.org/page/VirtFS

Good afternoon All

I run Win10 in vbox, and keep getting a warning about not being authenticated. Extracted the licence details from the PC's ROM, but win wouldn't accept it. Still considering options, but I don't use Win often, and the only thing I have found that doesn't work is, I can't move the tool bar to the side of the screen.

Keith Bainbridge
keithrbau@gmail.com
+61 (0)447 667 468

On 23/12/19 9:09 pm, Russell Coker via luv-talk wrote:
> Legally if you have one Windows OS and one Windows license it should be OK but MS might try to stop that with some license terms.

Brian May via luv-talk wrote:
> He also has a backup copy of the files that was not available to the attacker, and was going to compare file sizes. I might suggest he install a program that compares files in two directories, and run that. (any recommendations?).

If the host is compromised, don't plug non-compromised backups into it. That will just result in the backups being compromised, too. Boot some kind of trusted live environment and check things from there.
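The content-hash comparison Mark suggests (hashes rather than file sizes, since a tampered file can keep its size), run from a trusted live environment with both trees mounted as Trent advises. This is an added example, not code from the thread; the two mount paths are hypothetical and SHA-256 stands in for MD5.

```shell
#!/bin/sh
# Added example: compare a possibly-tampered document tree against a clean
# backup by content hash, not size. Intended to run from a trusted live
# environment with both disks mounted read-only, e.g. (hypothetical paths):
#   compare_trees /mnt/backup/Documents /mnt/suspect/Documents
# Output lines: MISSING, ADDED, SAME_SIZE_CHANGED, CHANGED (relative paths).
set -u
export LC_ALL=C   # sort and comm must agree on collation

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS/BSD fallback
    fi
}

file_size() { wc -c < "$1" | tr -d ' '; }

# Regular files below a root, as sorted relative paths so both trees line up.
list_files() { ( cd "$1" && find . -type f | sed 's|^\./||' | sort ); }

# compare_trees BASELINE SUSPECT
# Prints one line per difference; prints nothing when the trees match.
compare_trees() {
    base="$1"; sus="$2"
    tmp_b=$(mktemp); tmp_s=$(mktemp)
    list_files "$base" > "$tmp_b"
    list_files "$sus"  > "$tmp_s"
    # Present on one side only.
    comm -23 "$tmp_b" "$tmp_s" | sed 's/^/MISSING /'
    comm -13 "$tmp_b" "$tmp_s" | sed 's/^/ADDED /'
    # Present on both sides: the hash decides, the size only labels the finding.
    comm -12 "$tmp_b" "$tmp_s" | while IFS= read -r f; do
        if [ "$(hash_file "$base/$f")" != "$(hash_file "$sus/$f")" ]; then
            if [ "$(file_size "$base/$f")" = "$(file_size "$sus/$f")" ]; then
                printf 'SAME_SIZE_CHANGED %s\n' "$f"   # a size-only check misses this
            else
                printf 'CHANGED %s\n' "$f"
            fi
        fi
    done
    rm -f "$tmp_b" "$tmp_s"
}
```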
participants (7)
- Andrew Worsley
- Brian May
- Craig Sanders
- Keith Bainbridge
- Mark Trickett
- Russell Coker
- Trent W. Buck