19 Dec
2019
19 Dec
'19
7:10 p.m.
Hello All,
Seems like my father[1] got scammed by "Telstra". They asked for the
model and serial number of our ADSL modem, and asked him what lights
were flashing. They had him install "Any place control 7.5" on his
Windows computer, gave them remote access. In doing so his screen went
blank, which makes me very suspicious. Then he left his computer on with
the remote access still enabled. As a result, we have no idea what the
attacker may have done. They said we could have free fibre connection
for $5 delivery fee, which finally got him suspicious, but he still
didn't think of turning off the computer or disconnecting the network
connection.
We don't have any account with Telstra, and there is no reason why they
should be calling.
I think we cannot trust that copy of Windows anymore. I have recommended
he use Windows from his old hard disk[1] that wasn't plugged in at the
time. I am not sure what to do about his data files (Word + Excel),
other then do a full virus scan.
He also has a backup copy of the files that was not available to the
attacker, and was going to compare file sizes. I might suggest he
install a program that compares files in two directories, and run that.
(any recommendations?).
I might also block unknown telephone numbers on incoming phone calls by
default. Sure we might miss some important calls (callers these days
generally refuse to leave voice mail), but I think it will be safer. I
think this could easily happen again.
Is there anything else we should be doing?
Regards
Notes:
[1] This the same father who just recently purchased an external USB
device, plugged a 12V power supply into it - instead of 5V, and fried
the device and his motherboard in his good computer at the same time.
--
Brian May <brian(a)linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
19 Dec
19 Dec
7:25 p.m.
Brian May <brian(a)linuxpenguins.xyz> writes:
I might also block unknown telephone numbers on
incoming phone calls by
default. Sure we might miss some important calls (callers these days
generally refuse to leave voice mail), but I think it will be safer. I
think this could easily happen again.
Actually not sure this is going to work in the long run. We seem to have
got a calls from a number of caller ids during this time period. My
guess is that they will keep trying different fake caller ids (or
anonymous) until they find one that works.
--
Brian May <brian(a)linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
7:34 p.m.
Hello Brian,
On 12/19/19, Brian May via luv-talk <luv-talk(a)luv.asn.au> wrote:
Hello All,
Seems like my father[1] got scammed by "Telstra". They asked for the
model and serial number of our ADSL modem, and asked him what lights
were flashing. They had him install "Any place control 7.5" on his
Windows computer, gave them remote access. In doing so his screen went
blank, which makes me very suspicious. Then he left his computer on with
the remote access still enabled. As a result, we have no idea what the
attacker may have done. They said we could have free fibre connection
for $5 delivery fee, which finally got him suspicious, but he still
didn't think of turning off the computer or disconnecting the network
connection.
Therein is the issue with Microsoft, whomever has access, local or
network, has total freedom to do as they please, for good or ill.
Migrate him to a limited account on a Linux box, that can mean only
his account gets compromised, and then primarily the data rather than
the OS.
We don't have any account with Telstra, and there
is no reason why they
should be calling.
I think we cannot trust that copy of Windows anymore. I have recommended
he use Windows from his old hard disk[1] that wasn't plugged in at the
time. I am not sure what to do about his data files (Word + Excel),
other then do a full virus scan.
Also the data files, do not neglect the vulnerabilities through Visual
Basic for Applications, it can reintroduce all sorts of things when a
document is opened. I would strongly suggest Office Libre instead of
the Microsoft offerings, even on Windows.
He also has a backup copy of the files that was not
available to the
attacker, and was going to compare file sizes. I might suggest he
install a program that compares files in two directories, and run that.
(any recommendations?).
Does he have enough competence to do that, and comprehend the results.
Some will vary legitimately, some compromises will deliberately make
the resulting file exactly the same size. It might take using
something like MD5 sums to see what is changed.
I might also block unknown telephone numbers on
incoming phone calls by
default. Sure we might miss some important calls (callers these days
generally refuse to leave voice mail), but I think it will be safer. I
think this could easily happen again.
And they are spoofing the numbers. There are reports of scam calls
where the caller ID shows the correct number for the purported calling
identity. He needs an education regarding "social engineering", see if
you can get a copy of "The Cuckoos Egg" by Clifford Stoll, not recent,
but still relevant.
Is there anything else we should be doing?
From the note, consider something permanently on with
the requisite
features, that is Linux based, that he cannot add to, nor remove
from,
except for toggling network connectivity. I believe the Raspberry Pi 4
is desktop capable, and runs on about 4 amps of 5V USB power. It does
need a screen and keyboard and monitor, and should have a USB drive
for the home directories. You would need to do the administrative
work, but hopefully less of an issue than the cleanup on Windows. If
he cannot install anything, nor open access ports and the like, and
the unnecessary ones are not enabled, he should be less able of making
such a mess.
Regards
Notes:
[1] This the same father who just recently purchased an external USB
device, plugged a 12V power supply into it - instead of 5V, and fried
the device and his motherboard in his good computer at the same time.
--
Brian May <brian(a)linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
Regards,
Mark Trickett
20 Dec
20 Dec
9:59 a.m.
For locked down computers that are fairly easy to use you could try a
chrome book. Word documents can still be a problem though so a cloud
service might be necessary if they can't switch to libre office.
Cancelling credit cards and changing passwords might be required if they
were saved in a browser.
Andrew
On Thu, 19 Dec 2019, 7:34 pm Mark Trickett via luv-talk, <
luv-talk(a)luv.asn.au> wrote:
Hello Brian,
On 12/19/19, Brian May via luv-talk <luv-talk(a)luv.asn.au> wrote:
Hello All,
Seems like my father[1] got scammed by "Telstra". They asked for the
model and serial number of our ADSL modem, and asked him what lights
were flashing. They had him install "Any place control 7.5" on his
Windows computer, gave them remote access. In doing so his screen went
blank, which makes me very suspicious. Then he left his computer on with
the remote access still enabled. As a result, we have no idea what the
attacker may have done. They said we could have free fibre connection
for $5 delivery fee, which finally got him suspicious, but he still
didn't think of turning off the computer or disconnecting the network
connection.
Therein is the issue with Microsoft, whomever has access, local or
network, has total freedom to do as they please, for good or ill.
Migrate him to a limited account on a Linux box, that can mean only
his account gets compromised, and then primarily the data rather than
the OS.
We don't have any account with Telstra, and
there is no reason why they
should be calling.
I think we cannot trust that copy of Windows anymore. I have recommended
he use Windows from his old hard disk[1] that wasn't plugged in at the
time. I am not sure what to do about his data files (Word + Excel),
other then do a full virus scan.
Also the data files, do not neglect the vulnerabilities through Visual
Basic for Applications, it can reintroduce all sorts of things when a
document is opened. I would strongly suggest Office Libre instead of
the Microsoft offerings, even on Windows.
He also has a backup copy of the files that was
not available to the
attacker, and was going to compare file sizes. I might suggest he
install a program that compares files in two directories, and run that.
(any recommendations?).
Does he have enough competence to do that, and comprehend the results.
Some will vary legitimately, some compromises will deliberately make
the resulting file exactly the same size. It might take using
something like MD5 sums to see what is changed.
I might also block unknown telephone numbers on
incoming phone calls by
default. Sure we might miss some important calls (callers these days
generally refuse to leave voice mail), but I think it will be safer. I
think this could easily happen again.
And they are spoofing the numbers. There are reports of scam calls
where the caller ID shows the correct number for the purported calling
identity. He needs an education regarding "social engineering", see if
you can get a copy of "The Cuckoos Egg" by Clifford Stoll, not recent,
but still relevant.
Is there anything else we should be doing?
From the note, consider something permanently on with the requisite
features, that is Linux based, that he cannot add to, nor remove from,
except for toggling network connectivity. I believe the Raspberry Pi 4
is desktop capable, and runs on about 4 amps of 5V USB power. It does
need a screen and keyboard and monitor, and should have a USB drive
for the home directories. You would need to do the administrative
work, but hopefully less of an issue than the cleanup on Windows. If
he cannot install anything, nor open access ports and the like, and
the unnecessary ones are not enabled, he should be less able of making
such a mess.
Regards
Notes:
[1] This the same father who just recently purchased an external USB
device, plugged a 12V power supply into it - instead of 5V, and fried
the device and his motherboard in his good computer at the same time.
--
Brian May <brian(a)linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
Regards,
Mark Trickett
_______________________________________________
luv-talk mailing list
luv-talk(a)luv.asn.au
https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-talk
1:56 p.m.
Mark Trickett via luv-talk wrote:
Therein is the issue with Microsoft, whomever has
access, local or
network, has total freedom to do as they please, for good or ill.
Migrate him to a limited account on a Linux box, that can mean only
his account gets compromised, and then primarily the data rather than
the OS.
This is not true.
It's entirely possible to run a Windows system as a non-privileged user.
Doing a privileged action, such as opening Resource Manager, or
installing software, requires you to type in the password for a
privileged user. This is equivalent of sudo or polkit.
I *think* Windows still gives the first created user the ability to
run this as as admin *without* typing in a password, by default, but
you can always just make a "admin" user first and a "dad" account
second.
Regarding Evil Maid attacks (i.e. "local access"), Microsoft Windows
has a full "trusted boot" chain available, but in a desktop computer
is probably off by default. It is definitely a pain to get going, but
doing the same thing with Linux is no less painful.
11:11 a.m.
On Thu, Dec 19, 2019 at 07:10:39PM +1100, Brian May wrote:
Is there anything else we should be doing?
What windows apps does he need to run?
Will they run in WINE?
if he needs Office apps, can he switch to Libre Office?
Is the computer powerful enough to run windows in a VM? If so, do that on
a snapshot-capable filesystem (zfs or btrfs) and run a nightly cron job to
snapshot the windows VM, and keep old snapshots for at least a month. If he
gets scammed again, roll back to the night before.
BTW, it's quite easy to set up a windows VM on linux KVM running in
full-screen mode, from boot up - so it looks exactly the same as windows
running on bare metal.
There's a (configurable) keystroke sequence to switch back and forth between
the linux console or X, and, of course, you can ssh in to fix any problems
(e.g. shutdown the win VM, rollback the snapshot, and start it up again).
In short, even though it may not be possible or even desirable to get him
running linux, look for ways to minimise his reliance on and exposure to
windows, and to minimise the effects of windows security flaws. crap like this
scam and ransomware and viruses aren't as big a deal if you can just rollback
a snapshot to a pre-compromised version.
NOTE: if he runs windows games, or anything else requiring fast 3D graphics,
you'll probably need to look into VGA passthrough with a dedicated GPU for
the VM. put a cheap CGA card in for the linux side of things, and re-use his
existing card for the VM if it's better. there's a minor catch, however:
nvidia has some annoying crap in their drivers that make it slighly difficult
to run them in a VM (because of bullshit artificial market segmentation
reasons), but there are ways to fool the driver that it's running on real
hardware. AMD radeon cards don't do this.
craig
--
craig sanders <cas(a)taz.net.au>
23 Dec
23 Dec
4:08 p.m.
Craig Sanders via luv-talk <luv-talk(a)luv.asn.au> writes:
Is the computer powerful enough to run windows in a
VM? If so, do that on
a snapshot-capable filesystem (zfs or btrfs) and run a nightly cron job to
snapshot the windows VM, and keep old snapshots for at least a month. If he
gets scammed again, roll back to the night before.
My understanding is that COW file-systems such as ZFS or BTRFS are
horrible for VMs, and recommended practise is to turn off COW.
How does Windows licensing work such a system? Do you need to purchase
another Windows license to use it within a VM?
--
Brian May <brian(a)linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
9:09 p.m.
On Monday, 23 December 2019 4:08:03 PM AEDT Brian May via luv-talk wrote:
Craig Sanders via luv-talk <luv-talk(a)luv.asn.au>
writes:
COW within COW is bad, so don't use BTRFS for the filesystem inside a VM and
for the VM data store. Running Ext4 in a VM and BTRFS or ZFS for the VM store
works well enough as long as your disk access isn't too intensive.
If you use SSD for the storage then performance should be fine.
The LUV server is running on a ext4 filesystem in a KVM VM on top of a BTRFS
RAID-1 (with snapshot backups) on a pair of SATA SSDs. It works OK.
Is the computer powerful enough to run windows in
a VM? If so, do that on
a snapshot-capable filesystem (zfs or btrfs) and run a nightly cron job to
snapshot the windows VM, and keep old snapshots for at least a month. If
he gets scammed again, roll back to the night before.
My understanding is that COW file-systems such as ZFS or BTRFS are
horrible for VMs, and recommended practise is to turn off COW. How does Windows licensing work such a system? Do you
need to purchase
another Windows license to use it within a VM?
Legally if you have one Windows OS and one Windows license it should be OK but
MS might try to stop that with some license terms.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
24 Dec
24 Dec
12:03 p.m.
Russell Coker via luv-talk wrote:
On Monday, 23 December 2019 4:08:03 PM AEDT Brian May
via luv-talk wrote:
Boring additional comments:
For btrfs you can set "nodatacow" option on my-disk-image.raw, which has...
implications.
ZFS doesn't have this, because why would you even.
Cool kids might use a zfs dataset (directory tree) instead of a zvol dataset (block
device),
then export to the guest using virtio-fs [0] or older and much slower 9p [1].
The former requires Linux 5.4+ (or patches), and apparently isn't in BSD yet.
PS: the linux page cache is still Fucking Awful because Linux wants to
keep supporting embedded systems (which can't afford the RAM
flagfall for a modern ARC):
https://linux-mm.org/AdvancedPageReplacement
https://github.com/Feh/nocache
[0] https://virtio-fs.gitlab.io/
https://lwn.net/Articles/788333
[1] https://www.linux-kvm.org/page/VirtFS
My understanding is that COW file-systems such as
ZFS or BTRFS are
horrible for VMs, and recommended practise is to turn off COW.
COW within COW is bad, so don't use BTRFS for the filesystem inside a VM and
for the VM data store. Running Ext4 in a VM and BTRFS or ZFS for the VM store
works well enough as long as your disk access isn't too intensive. 
12:56 p.m.
Good afternoon All
I run Win10 in vbox, and keep getting a warning about not being
authenticated. Extracted the licence details from the PC's ROM, but win
wouldn't accept it. Still considering options, but I don't use Win
often, and the only thing I have found doesn't work is, I can't move the
tool bar to the side of the screen.
Keith Bainbridge
keithrbau(a)gmail.com
+61 (0)447 667 468
On 23/12/19 9:09 pm, Russell Coker via luv-talk wrote:
Legally if you have one Windows OS and one Windows
license it should be OK but
MS might try to stop that with some license terms.
20 Dec
20 Dec
2:32 p.m.
Brian May via luv-talk wrote:
He also has a backup copy of the files that was not
available to the
attacker, and was going to compare file sizes. I might suggest he
install a program that compares files in two directories, and run that.
(any recommendations?).
If the host is compromised, don't plug non-compromised backups into it.
That will just result in the backups being compromised, too.
Boot some kind of trusted live environment and check things from there.
1192
days inactive
1197
days old
10 comments
7 participants
participants (7)
-
Andrew Worsley -
Brian May -
Craig Sanders -
Keith Bainbridge -
Mark Trickett -
Russell Coker -
Trent W. Buck