Social Engineering – Hacking – How to Protect Yourself

Posted on July 24, 2011

I feel it necessary to educate you on one of the more popular “hacking” methods currently used by a variety of groups all around the world. While normal hacking methods are still an on-going threat, hackers are intelligent and innovative and you should be prepared for “Social Engineering”.

-------------------

Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. In the United Kingdom, social engineering using impersonation (e.g. to gain information over the phone) is known informally as blagging. In addition to criminal purposes, social engineering has also been employed by debt collectors, private investigators, bounty hunters and tabloid journalists.

A study by Google researchers analyzing fake AV distribution found that up to 90% of all domains involved in distributing fake antivirus software used social engineering techniques.

Sourced from: Wikipedia.org.

-------------------

In our industry, the most dangerous and commonly used method of Social Engineering is the “Fake Helpdesk”, or more accurately described as “tricking employees into thinking the person on the phone is a legitimate helpdesk technician from the IT department.”. It’s VERY common to find employees doing exactly what the fake support technician requests without any inquiry as to the reason for the support work, or a request for identification.

Even with all the right infrastructure in place including firewalls, intrusion prevention packages, real-time monitoring solutions, and strict password policies, a simple phone call from a patient and polite hacker can penetrate your entire network in minutes. We’ve seen it, this should be taken very seriously.

How to protect yourself

1)      Ask for identification (name, company, phone number and website).

2)      If you receive a call or email from anyone requesting you complete a task or provide information and you do not recognize the caller, start asking questions.

3)      If you receive a call or email, NEVER give out your information.

4)      If you receive a call or email, NEVER accept technical support unless you are 100% confident the person is someone you’ve dealt with before. If you haven’t, see 3).

5)      If you receive a call, the caller should have no objection letting you call them back at their head-office after you find the number yourself (use their website).

6)      Verify the user calling is from a company you normally deal with.

7)      If something doesn’t feel right, call your manager.

8)      Call your IT Department to verify the legitimacy of the call.


Educate Your Team

Ensure your staff are aware of the threat and educate them. Make sure they possess the knowledge to ask the right questions and contact the right people if something doesn’t add up.


Test You Staff

Be pro-active and attempt a “Social Engineering” hack at your locations. How difficult it is to acquire information from your staff? More training may be required. Take the time to educate your team, this threat is real and you need to take precautions.

Did you know?

1)      Caller ID can be faked (or in fancy terms, SPOOFED)? Although it might say “Royal Bank” or “SIRKit Ltd”, this can easily be manipulated.

2)      Banks and Government agencies will never call you and ask for your personal information. You will always have to call them.

3)      Banks and Government agencies will never e-mail you a request for information. You will always have to call them, or use their website.

4)      Legitimate organizations will never e-mail you with a link to change your password or provide login details.

5)      E-mail is rarely encrypted. Never send sensitive information via email. EVER.

6)      You will never be notified by e-mail that you’ve won anything of significance. It’s pretty much guaranteed to be fake.

7)      E-mail addresses can be faked. Although your e-mail application says billgates@microsoft.com or kris@sirkit.ca, it’s not guaranteed that the e-mails originated from these addresses.

8)      When you click on a link in an e-mail, verify the web address AFTER the page loads. Always look at the name right before the .com, .net, .org or .ca. This is the TRUE domain.
Hopefully this gives you a bit of insight into the threat.
If you have any questions at all, please do not hesitate to contact us.

Trend Micro – Worry Free Business Security – Firewall Port Ranges Failing/Not Working

Posted on July 18, 2011

We recently applied an upgrade from Worry Free Business Security 6.0 SP3 to 7.0. After the upgrade we noticed whitelisted Ephemeral and other port ranges in the firewall policies were not allowing traffic in. After numerous hours verifying everything was correctly setup we got in touch with Trend Micro and they sent back a patch to resolve the issue. We haven't seen this online yet, so I figure this may help a few of you.

--------------------------------------------------------------------------------

Good Day.

Please apply the attached Hotfix to the WFBS Server. Unzip password: novirus
Let the agents update afterwards then observe if the issue persists.

We are looking forward to your reply.

Technical Support – Worry-Free Products and Services Trend Micro, Inc. “Securing Your Journey to the Cloud”

--------------------------------------------------------------------------------

Download: http://www.sirk.ca/downloads/WFBS_70_WIN_All_HFB1461.zip

After applying this patch and allowing the update to propagate down to the clients, the port ranges started allowing traffic through.

Windows 2008 R2 – cryptosvc – the service name is invalid – windows backup fails – sfc fails – windows updates fail

Posted on July 11, 2011


The title of this article sounds ... well just terrifying. If you run into a system with this many issues, its likely easier to just rebuild it from scratch, right? WRONG! I'm stubborn and figure some things are worth the challenge. Ultimately, this was a fairly critical exchange server that would take a lot of work to rebuild.

To approach a problem like this, we follow the trail of issues.

First noticed issues: Windows Backups are failing and Windows Updates will not install.
The system is Windows 2008 R2 64bit Enterprise Edition with Exchange 2010 SP1.

1) Verify the system filesystem integrity using SFC

C:\>sfc /scannow
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log

From this you would normally interpret corruption and seek out the affected files by using the following command:

C:\Windows\system32>findstr/C:"[SR] Cannot repair member file" %windir%\Logs\CBS\CBS.log

The interesting thing in our case was the "findstr" command returned nothing. So we skipped this step and moved onto the next one for the time being. Who wants to dig through tens of  thousands of lines? not me!

2) Diagnose and attempt to repair the Windows Backup issues

The Windows Backup utility was failing with "The operation was stopped. Detailed Error: The System Writer is not found in the backup". System State Backup Failed. 

First thing to check is THAT exactly.

c:\> vssadmin list writers

You're looking for this:

Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {05407ce0-b537-4973-a731-e7ed614a9a9e}
   State: [1] Stable
   Last error: No error

If your list does not include the "System Writer", that's a problem. A fairly common one at that. The windows backup utility requires this tool.

If you dig around online you'll find an arsenal of articles outlining permission errors on a specific set of windows folders that cause the System Writer to fail. We've done the research for you. The following script will reset permissions on those folders back to default.

Create a batch file called "fixPermissions.bat" and copy/paste the following:

------------------------------------------------------------------------------------------------------------
Takeown /f %windir%\winsxs\filemaps /a

icacls %windir%\winsxs\filemaps  /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps  /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps  /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps  /grant "Administratoren:(RX)"
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.*  /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.*  /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.*  /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps\*.*  /grant "Administrators:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames  /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant "BUILTIN\Users:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames\*.* /a
icacls %windir%\winsxs\temp\PendingRenames\*.*  /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "BUILTIN\Users:(RX)"

net stop cryptsvc && net start cryptsvc
------------------------------------------------------------------------------------------------------------

Run it from an elevated command prompt to ensure you have adequate permissions. As the impressive matrix like text runs down your screen, take notice to the very last command when it all finishes.

"net stop cryptsvc && net start cryptsvc"

You should see this:

The Cryptographic service is stopping..
The Cryptographic service was stopped successfully.
The Cryptographic service is starting.
The Cryptographic service was started successfully.

At this point reboot your system and run "vssadmin list writers" to verify if the "System Writer" is now listed. If so, you can test your backup again and it's likely to be working. If the VSS Writer is NOT Listed, but the "Net start cryptsvc && net start cryptsvc" was successful, you are experiencing a different issue and the following steps are not applicable (Please contact our support team if you require assistance).

In our case, the "cryptsvc" doesn't appear to be registered correctly. Instead or returning the successful stop/start on the Cryptographic service, we received:

The service name is invalid.
More help is available by typing NET HELPMSG 2185.

3) Verify the Cryptographic service is enabled and operating correctly

Start -> services.msc

Wait! "The service name is invalid" actually means it's not registered and you'll likely realize that when you can't find the service in the services list.

At this point you'll likely start wondering how the? where did it go? We honestly couldn't tell you, but it's really easy to fix. Using another Windows 2008 R2 System, export the missing registry values .

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc

If you load regedit and browse to this location, you'll notice the CryptSvc is missing. On your secondary system, right click the CryptSvc and export it to a file. You can then double click this file on your problematic system to import the missing values.

If you do not have access to another system, copy the content below into a registry file and double click to load.

File Name: cryptsvc.reg (use whatever you want as long as it ends in .reg)
------------------------------------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc]
"DisplayName"="@%SystemRoot%\\system32\\cryptsvc.dll,-1001"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,00,00
"Description"="@%SystemRoot%\\system32\\cryptsvc.dll,-1002"
"ObjectName"="NT Authority\\NetworkService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
  00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
  00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="CryptServiceMain"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Security]
"Security"=hex:00,00,0e,00,01

------------------------------------------------------------------------------------------------------------

Once you've loaded the registry file and repaired the missing data, reboot your system. You should now see the "Cryptographic Services" running in the "services.msc" list, "sfc /scannow" will return no errors, the "System Writer" will show up in the "vssadmin list writers" list, and your Windows Backup and Windows Updates will complete successfully.

Hopefully this helps you avoid a complete re-installation!