IT Support Scammers


No matter how strong your technical security is (antivirus, firewalls, security headers, well-written applications, etc.) there is always one sure route to failure: social engineering. If a privileged user can be convinced to perform nefarious acts on a system, that system is compromised. That being said, most professionals are not going to fall for that (although I know one who did fall for a variant of the old Nigerian finance scam to the tune of several thousand pounds); the less initiated are a different story, and we as IT professionals have a duty to help them!

IT support scams appear to be on the rise again; I am aware of at least ten people who have received calls claiming to be from Microsoft in the last year. Luckily for them (and me) most of them realised what was going on before it was too late; some were less savvy, and their machines required a lot of my time.

What is a support scam?

IT support scams almost always start off with an unsolicited phone call. The scammers have either acquired the victim’s number on the black market (data breaches, stolen files, etc) or they are just simply dialling every number one at a time (read about auto-dialers here).

Once a scammer gets ahold of their intended victim they claim to be from a trustworthy firm, typically Microsoft (or Apple, Google, etc). The scammer uses the victim’s trust in a well-known firm to build a conversation and start engineering their way into the victim’s system.

How many of the uninitiated (think your grandparents, or that little old lady who is a friend of your mother's) understand half of the notifications their laptop shows them? The scammer preys on this, telling them that “Microsoft has detected some problems with your machine” and asking them if they spotted that “update alert” the other day. The odds are that Windows Update has popped up an alert (or perhaps some antivirus software has) in the last week and the user has ignored it. The scammer will walk the victim through some screens on their machine, claiming that common files are viruses or getting them to look at the system event log to see all the “critical system errors” it shows (we know that badly written applications like to error; your grandparents do not).

Eventually, when the scammer has convinced the victim that they are at risk, they encourage them to install some remote access software, sometimes a custom remote access trojan (RAT), other times just something simple like TeamViewer. With remote access the scammer can do as they please: stealing documents and leaving malicious payloads (ransomware, keyloggers, etc.). Once they are embedded they often ask the victim to hand over their credit card details to pay for “a cleaning service” which they have no intention of providing.

How can we stop the spread?

Simply put, making the vulnerable user's security as simple to understand as possible is the first step; if they know they are secure because someone they trust (hopefully you) told them so and showed them how to check, then they are less likely to be scared into acting by a scammer. Most importantly, tell them about these scams; make sure they understand that anyone who calls them about their computer is almost certainly lying, and that if they have any doubt they should hang up and call you for assistance!

Make sure they have antivirus and firewall

For most standard users the built-in Windows 10 security software is more than enough, especially from a firewall perspective. If you want to go one step further and install one of the many free antivirus programs, be careful which one you pick. All the freemium products try to force their paid-for products on you with every update, and our potential victims are just going to click past the update messages because they mention spending money. Pick an antivirus program which is not just free as a hook for the paid software; Sophos provide a good product which is less needy (thanks to their top line coming from corporate subscriptions and not one-off payments). Depending on who the user is (friend or family) you may be willing to install the good stuff and add them to your personal subscription (I use ESET Nod for security and it costs all of $5 a year to add another user); that way they will never get nagged about converting to a paid subscription.

Keep them up to date

Provide a simple way for them to keep all the little bits of software (Adobe, Java, etc.) up to date. The more up to date their software, the more secure they will be; free programs such as Adobe Software and Java are often filled with security holes, so keeping them updated is especially important. I use a product called Ninite Pro to silently push updates to family machines; for the machines that I do not want to spend money on (think friends rather than family) I place a copy of the Ninite Updater on their desktop named “UPDATE” and tell them to run it once a week. This ensures all those little programs are kept up to date without the user having to understand what they are!

Educate!

Explain how to be secure online, what to do and what not to do (don’t forget the dangers of oversharing on social media!). Antivirus is useless if they don’t understand the popups; show them what they look like and explain the jargon (write it down for them).

But most of all, tell them to contact you if they are concerned! It may seem like an invite for countless support calls but one or two calls a year which can be dealt with over the phone are better than a week of extracting malicious software from their laptop (and them being scammed out of a few hundred pounds).

TLDR;

  • Educate your friends and family about IT support scams so they don’t fall victim!
  • We need to work together on this!

The header image on this post was provided for free by @rawpixel via unsplash.com. I chose it because it looks like us all fist bumping when we agree to work together on this!


WCF Service aborted by the server


An error occurred while receiving the HTTP response to http://localhost:12345/SomeService.svc. This could be due to the service endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by the server (possibly due to the service shutting down). See server logs for more details.

This evening I spent more time than I would care to admit working on a problem in a WCF Service I am building. The service has been working well for a number of weeks whilst it has all its functions ironed out; suddenly today after adding in one of those functions it stopped working in debug. I blame tiredness and a busy day in the office for me not realising the error faster, but for those who like me get tired here is the cause of the above error (or at least this version of the error).

// DataContract and EnumMember live in System.Runtime.Serialization
using System.Runtime.Serialization;

// Result codes returned to the client across the WCF service boundary
[DataContract]
public enum LoginResultFlag {
    [EnumMember]
    Success = 100,

    [EnumMember]
    Failure = 200,

    [EnumMember]
    PasswordChangeRequired = 300,

    [EnumMember]
    AccountLocked = 400,

    [EnumMember]
    RequiresChallenge = 500,

    [EnumMember]
    SetupChallengeResponse = 600
}

Can you see the problem? It took me a little while of trial and error, but I spotted it the moment I looked at the enum. Enums cannot be null; at their most basic they are integers and default to the value 0. If you specify integer values, as I have done here, without including a zero value, then it cannot be serialized/deserialized across the web service boundary. All I had to do was add the following to the enum:

[EnumMember]
NotSet = 0

Problem solved!

The header image on this post was provided by Maria Freyenbacher on unsplash.com. Thank you Maria!


Microsoft Surface Book fan noise and overheating


My work laptop is a first-generation Microsoft Surface Book (the 8GB model); it is by far the best laptop that I have worked with (both personal and professional). Granted, there are better devices out there (a few Lenovo models come to mind) but I can’t afford them and my employer is unlikely to authorise them (getting the Surface Book required a guilt trip!).

Other than the first SB that I had suffering death within a few months (horrid grating fan noises, followed by a replacement) I have not had a single problem that wasn’t related to configuration or an old application not supporting HiDPI screens. My employer’s system team can be a little slow at pushing out Windows Updates via WSUS (machines are blocked from accessing the internet variant of Windows Update); since the last “big lump of updates” my device received (I am guessing it included the last Win10 version update) the SB’s fan noise has gone through the roof! Within minutes of turning the machine on (without even opening a program) the fans would be screaming along like they were cooling a data centre, and the back of the screen (where all the bits are) would get hot to the touch. After some Google-based research (and tying a few sets of instructions together) I have found what appears to be a solution!

Shutting up the fans, and keeping a Surface Book cool!

In their infinite wisdom Microsoft decided to teach Windows 10 that a device in the “Surface Family” is, in fact, a tablet computer (yes they can undock, but they are largely used as laptops); to me this is silly. This includes a feature called “Connected Standby”, which allows the machine to run in a low-power state responding to the “on button” in much the same way as a smartphone or tablet. There are both positive and negative points to “Connected Standby”; one of the negatives being that you lose access to all the normal Windows Power Management features (such as hibernate or sleep).

Step 1: Disable Connected Standby

Disabling “Connected Standby” (CS for short) is as simple as flipping one flag in the registry.

This is a semi-technical article so I will not go into the perils of messing with the Windows Registry; if you are not comfortable in the registry please ask someone who is for assistance. You have been warned.

  1. Start the registry editor (regedit.exe)
  2. Locate the node “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power”
  3. Set the key “CsEnabled” to 0 (zero).
  4. Reboot

Step 2: Less is more

The SB is rather powerful for a low-profile “2in1” machine; the problem here being that CPUs generate a lot of heat and that heat has nowhere to go inside the case. This means that the small fans inside the “screen case” have to run at insane speeds to force the hot air out of the sides. When the SB gets too hot (and the fans can’t cool it down fast enough) the processor is put into “thermal throttling”; in simple terms, its maximum speed is lowered to prevent damage from excess heat. This means that things take longer to process, causing the heat buildup to last longer (the processor takes longer to return to an idle state).

Preventing the processor from getting into the “thermal throttling range” in the first place prevents the artificial slowdown. Many people will know what “overclocking” is; to deal with this problem we are going to use “underclocking”. Now wipe the shocked look off your face: lowering the maximum speed of the processor to prevent thermal throttling will actually give you a net gain in overall average speed! The game we will play here is finding the sweet spot which is low enough to prevent overheating but not so low that we notice the difference. I have found that 90% CPU is about the sweet spot.

How to under-clock the processor

You could use some complicated CPU voltage management software (Intel provide a program for the SB’s CPU), or you could play a less dangerous game and just use the Windows Power Configuration Manager that we unlocked by disabling “Connected Standby” earlier.

  1. Right click on the battery icon in your task tray
  2. Select Power Options
  3. Depending on which power plan you have set, select “Change plan settings” alongside the active plan
  4. Click “Change advanced power settings”
  5. Navigate to “Processor power management > Maximum processor state” and set both options to no higher than 90%

Done; you have prevented the processor from reaching critical thermal levels. Before someone comments about it, I am aware this is not true underclocking, but it has had the same effect.

Keep an eye on your CPU temperature using a tool such as SpeedFan and adjust the percentage as necessary over the next few days until you find your device’s sweet spot (all physical machines are slightly different, depending on what you do and how well it was put together!).

The header image for this post was provided for free by Hush Naidoo (@hush52) via unsplash.com. Thanks Hush!


Content Security Policies


This post is part of a series on HTTPS and browser security; it is partly to spread knowledge, but mostly to allow me to learn more about the subject by putting it ‘down on paper’! Enjoy, and please comment, correct, and discuss.

In the last post of this series I wrote about HSTS; like HSTS, a Content Security Policy is a browser header (or a tag, but more on that later) which can be used to improve a website’s security footing.

What is a Content Security Policy?

The easiest way to explain a Content Security Policy (CSP) is with the idea of a whitelist; a whitelist is the set of values a system is allowed to use. You may have heard of a blacklist before: a list of things which are not allowed. Your employer/school will almost certainly have a blacklist of websites you are not authorised to visit (naughty or dangerous ones). A whitelist is the opposite; to use the website-blocking analogy, a whitelist would contain only the websites you are allowed to access (a much more restrictive setting than a blacklist).

A CSP outlines the resources which a website may use; this whitelist prevents any unauthorised or unexpected resources from being used on a website. These resources may be something as simple as a CSS or JS file served from your server, but they could also be dangerous injected javascript or hijacked third-party resources. A CSP is the first step towards mitigating the risk of unauthorised or unexpected page resources.

Whitelisting content sources

The CSP header is a simple list of resource types and the locations that are authorised to serve them. The most basic of CSPs would be:

Content-Security-Policy: default-src 'self'

This policy states that the website should only load resources from its own origin (in the case of this page that would be melodiouscode.net). Any resource outside of that origin (nastyhacker.com, googleanalytics.com, etc.) would be blocked by the browser. Although effective, this policy is very restrictive; few sites only use their own resources, and serving everything yourself is not the most efficient mechanism anymore (think of CDNs, Cloudflare, etc.).

The CSP definition contains a number of restriction types, or directives, which can be used to fine-tune your whitelist.

Directives

There are a number of directives which can be used to tailor your website’s whitelist; the three obvious ones are:

  • default-src: The default directive defines the fallback list of sources; used in the event that you do not specify a specific directive.
  • script-src: The script source is perhaps the most obvious directive; it defines the list of sources which can load script files (javascript), including the use of inline scripts and the ‘eval’ command. By default inline scripts and ‘eval’ are disabled.
  • style-src: The style source defines which sources can load stylesheets (CSS files), including the use of inline style tags and style attributes. By default inline styles are disabled.

In addition to the above three directives there are also directives for images, fonts, connect sources, objects, frames, and several others.

CSPs do not just act as restrictions for resource sources; there are also a number of directives which can be used to upgrade or improve the security of a website such as:

  • require-sri-for: This directive causes a browser to only load scripts/styles which have Subresource Integrity attributes set (more about them in a later module).
  • upgrade-insecure-requests: As you would expect, this directive encourages the browser to switch any HTTP requests into HTTPS requests where possible.

For a full list of the directives and a playground for creating a CSP header, I suggest taking a look at the CSP Builder provided by report-uri. Report-uri.com is a fantastic resource for anyone using a CSP on their website; not only do they help you to get to grips with the policy, but their service allows you to monitor how your policy is enforced.
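To make the whitelisting concrete, here is an added Python example (not code from the original post) that splits a policy string into directives the way a browser does, applies the default-src fallback described above, and flags the settings that undo the protection: wildcard hosts, 'unsafe-inline', 'unsafe-eval', plaintext http: sources, and a missing upgrade-insecure-requests. Both policies in it are constructed for illustration; cdn.example.net and csp-reports.example.com are placeholders, not this site's real hosts.

```python
"""Parse a Content-Security-Policy value and flag settings that weaken it.

Added example, not code from the original post. WEAK_POLICY and STRICT_POLICY
are constructed for illustration; cdn.example.net and csp-reports.example.com
are placeholders, not the blog's real hosts.
"""
from __future__ import annotations

# A weak policy: the wildcard admits any host, and 'unsafe-inline' /
# 'unsafe-eval' re-enable the inline script and eval() that CSP disables
# by default, which is exactly what a stored-XSS payload needs.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"

# The same site restricted to its own origin, plus one CDN for scripts.
STRICT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.net; "
    "style-src 'self'; "
    "upgrade-insecure-requests; "
    "report-uri https://csp-reports.example.com/report"
)


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {name: [src, ...]}.

    Directive names are case-insensitive; a repeated directive is ignored
    after its first occurrence, which is how browsers treat it.
    """
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources applied to a fetch directive, honouring the default-src fallback."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(value: str) -> list[str]:
    """Return one finding per weakness; an empty list means nothing obvious."""
    policy = parse_csp(value)
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: every directive you forgot is unrestricted")
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if "'unsafe-inline'" in sources:
            findings.append(f"{directive} allows 'unsafe-inline': injected inline code will run")
        if "'unsafe-eval'" in sources:
            findings.append(f"{directive} allows 'unsafe-eval'")
        if "*" in sources:
            findings.append(f"{directive} allows any host via *")
        for src in sources:
            if src.startswith("http:"):
                findings.append(f"{directive} allows the plaintext source {src}")
    if "upgrade-insecure-requests" not in policy:
        findings.append("upgrade-insecure-requests not set: http: sub-resources stay plaintext")
    return findings


if __name__ == "__main__":
    for label, value in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label}: {audit_csp(value) or ['no findings']}")
```

Run it and the weak policy produces five findings while the strict one produces none. Note where the style-src finding on the weak policy comes from: that directive was never set, so it inherits default-src *, which is exactly the fallback behaviour the default-src bullet describes.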

Testing for and reporting on policy violations

Setting a policy without testing it would be a mistake; you may end up breaking your website without realising (you would have to test every page in every potential scenario to be 100% sure). Luckily there are two easy ways to review your CSP:

  1. The browser console; all web browsers contain a console to which script errors and the like are logged. The console will list all the violations as they happen; a great way to test your policy on the fly. However, it is not a great way to ensure your website works (other users will see a broken site whilst you are debugging it).
  2. The report-uri directive allows you to specify an endpoint to which the browser will send violation reports. The report-uri directive can be used in tandem with the Report-Only header which means that the browser will not actually enforce the policy; it will just report on the violations. It should not come as a surprise that Scott Helme’s report-uri.com also hosts a reporting endpoint (he did well getting that domain name).
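As an added example (not the post's code, and not report-uri.com's service), the Python below shows both halves of the reporting loop: building the Report-Only or enforcing header with a report-uri attached, and parsing the JSON reports a browser POSTs to that endpoint so the inline-script violations that point at injected code can be separated from ordinary third-party noise. The three reports are constructed in the shape browsers send; the endpoint and hosts are placeholders.

```python
"""Build a reporting CSP header and triage the violation reports it produces.

Added example; not the post's code and not report-uri.com's service. The
reports below are constructed in the JSON shape browsers POST with
Content-Type: application/csp-report; hosts and the endpoint are placeholders.
"""
from __future__ import annotations

import json
from collections import Counter
from urllib.parse import urlparse

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

# Constructed sample bodies: an inline-script violation (the XSS signal), a
# blocked third-party script, a font blocked by the default-src fallback,
# and one junk body that an endpoint must tolerate.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/post/1",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "inline",
        "source-file": "https://example.com/post/1",
        "line-number": 42,
    }}).encode(),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/post/1",
        "violated-directive": "script-src 'self'",
        "effective-directive": "script-src",
        "blocked-uri": "https://evil.example.net/x.js",
    }}).encode(),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/",
        "violated-directive": "default-src 'self'",
        "effective-directive": "font-src",
        "blocked-uri": "https://fonts.example.org/a.woff",
    }}).encode(),
    b"not json at all",
]


def headers_for(policy: str, endpoint: str, enforce: bool) -> dict[str, str]:
    """Response header that ships `policy` with violations sent to `endpoint`.

    enforce=False picks the Report-Only header: the browser reports every
    violation but blocks nothing, so a new policy can be trialled on a live
    site without breaking it for visitors.
    """
    name = ENFORCE_HEADER if enforce else REPORT_ONLY_HEADER
    return {name: f"{policy.strip().rstrip(';')}; report-uri {endpoint}"}


def parse_report(body: bytes) -> dict | None:
    """Return the inner 'csp-report' object, or None if the body is not one."""
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    return report if isinstance(report, dict) else None


def classify(report: dict) -> str:
    """Bucket a report as 'inline-script' (the XSS signal) or 'directive:host'."""
    # violated-directive carries the full directive text ("default-src 'self'");
    # effective-directive names the directive that actually fired, so prefer it.
    directive = report.get("effective-directive") or report.get("violated-directive", "").split(" ")[0]
    blocked = report.get("blocked-uri", "")
    # Chrome reports inline script and eval() violations with these literal
    # values instead of a URL; other browsers' wording is an assumption here.
    if directive == "script-src" and blocked in ("inline", "eval"):
        return "inline-script"
    return f"{directive}:{urlparse(blocked).netloc or blocked}"


def summarise(bodies: list[bytes]) -> Counter:
    """Count report categories, silently skipping malformed bodies."""
    reports = (parse_report(b) for b in bodies)
    return Counter(classify(r) for r in reports if r is not None)


if __name__ == "__main__":
    print(headers_for("default-src 'self'", "https://csp-reports.example.com/r", enforce=False))
    print(summarise(SAMPLE_REPORTS))
```

The endpoint accepts anything the internet sends it, so it deserves the same caution as any other unauthenticated POST handler: parse defensively, cap the body size, and expect a large volume of noise from browser extensions and cached pages before a single genuine injection shows up.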

Why use a Content Security Policy?

If your website only serves static HTML and uses no external elements then a CSP is unlikely to add much to your site. That being said it will also be easy to implement using the ‘default self’ rule!

However, if your site uses external scripts over which you have no control then you should be using a CSP; and if your site allows users to enter information that is then displayed (comments, reviews, etc.) you should also be utilising a CSP as an extra layer of defence against persistent XSS (cross-site scripting). If a user carefully crafts a comment to contain a piece of javascript and that comment is rendered back into the page, a strongly controlled CSP will prevent the code from running (google ‘CSP nonce’ and ‘CSP hash’ for ways of dealing with inline javascript).

A well crafted and strict Content Security Policy, used in tandem with other best practices, will significantly reduce the risk of cross-site scripting (XSS) attacks.

Using a meta tag

I mentioned at the top of this post that a CSP can also be a TAG; not everyone has the ability to edit their browser headers. On shared hosting platforms you are rarely given the ability to directly control the web server; some platforms, such as GhostPro, do not allow you any control over the server-side configuration. The use of an HTML meta tag can help you to implement a CSP without having to set the actual browser header. The CSP “code” is the same as that for a browser header; the only limitation is that you cannot use the report-uri feature to send failure reports. You can, however, look at report-uri.com’s JS, which will perform the failure reporting for you!
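Here is an added Python helper (not from the post) that turns a header-form policy into the meta tag and lists what gets lost on the way. It goes slightly beyond the post's note about report-uri: the CSP specification also ignores frame-ancestors and sandbox when a policy is delivered in a <meta> element, so the helper drops those too rather than shipping directives that do nothing. The policies in it are constructed with placeholder hosts.

```python
"""Convert a CSP header value into the <meta http-equiv> form for hosts where
response headers cannot be set. Added example, not the post's code; the sample
policy is constructed and its hosts are placeholders.
"""
import html

# Directives the CSP spec ignores when the policy arrives via <meta>.
# The post mentions report-uri; frame-ancestors and sandbox are also dropped.
META_IGNORED = ("report-uri", "frame-ancestors", "sandbox")

SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.net; "
    "frame-ancestors 'none'; "
    "report-uri https://csp-reports.example.com/r"
)


def dropped_directives(header_value: str) -> list[str]:
    """Names of directives that silently vanish if this policy goes in a meta tag."""
    names = [c.split()[0].lower() for c in header_value.split(";") if c.strip()]
    return [n for n in names if n in META_IGNORED]


def csp_to_meta(header_value: str) -> str:
    """Return a <meta> tag carrying every directive that meta delivery supports."""
    kept = []
    for chunk in header_value.split(";"):
        chunk = chunk.strip()
        if chunk and chunk.split()[0].lower() not in META_IGNORED:
            kept.append(chunk)
    # Escape for a double-quoted attribute; the single quotes around 'self'
    # are left alone so the tag stays readable.
    content = html.escape("; ".join(kept), quote=False).replace('"', "&quot;")
    return f'<meta http-equiv="Content-Security-Policy" content="{content}">'


if __name__ == "__main__":
    print(csp_to_meta(SAMPLE_POLICY))
    print("lost in meta form:", dropped_directives(SAMPLE_POLICY))
```

Put the tag in <head> before any script or style element, because the policy only takes effect from the point where the parser reaches it. And since frame-ancestors cannot travel in a meta tag, a site that relies on the meta form still needs a real response header (or X-Frame-Options) for clickjacking protection.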

Summary

In summary, if you run a website which presents dynamic content (be it a large corporate system or a simple blogging/commenting platform) then you should also be using a Content Security Policy. It should be restrictive and ensure only expected and authorised hosts can be referenced by your site. You should also make use of the report-uri functions (either self-hosted or using Scott Helme’s report-uri.com) to ensure that you do not cause errors on your website.
