Hacked - What to do if you're a target

Discussion in 'privacy general' started by Mover, Dec 13, 2008.

Thread Status:
Not open for further replies.
  1. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    What would you do if you're being targeted by hackers?

    I was discussing this with someone the other day. Viruses/spyware/rootkits etc. are sent out by hackers in an attempt to infiltrate PCs (anyone's PC).

    Eventually, security companies (i.e. McAfee, Norton) spot them in the wild and come up with signatures for them to add to their databases.

    But what if you are the target of some malicious group of hackers who use virus/spyware kits to create a custom virus/rootkit/etc that is only distributed to you or a low volume of people?

    Antivirus/Antispyware would not be able to protect you due to there being no signature for the virus/rootkit/etc (the virus/rootkit/etc would probably remain off the antivirus companies radar because of its low distribution).

    Opinions? Solutions?
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That's where I keep a leg up on them.

    My IP and range is easily changed due to my custom technique where they might try to record it to target me but they'll never find me.

    Online targetters go after addresses they can rely on that never change.

    And I do all this without a proxy.

    They have no way to target you if your direct line can double also as a ghost. :D

    Key is stay one step ahead of them at all times and make it easy on yourself and machine.
     
  3. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    What if they target a person's email address without the person knowing it?
    Antivirus/antispyware software would be useless in stopping anything malicious as there would be no signature created yet.

    Other than the obvious (deleting questionable email), what protective measures could be taken to best stop this particular approach?

    (... great idea on constantly shifting the range. :thumb: )
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    When you're personally targeted - or just general Internet noise?
    Answer 1) use firewall 2) do not click on bullshit and infect yourself.
    Mrk
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Since you state the obvious, there should be nothing more to discuss, for if one violates basic security policies about email, well, what else is there to say?

    But a related situation deserves mention: the non-questionable email, that is, if the email does seem legitimate. Several exploits using MSWord documents have targeted companies in the past, where the company email list was compromised. The email with the MSWord document attachment had as its subject a topic relevant to the company's business. These types of communication were not uncommon. In this case, however, opening the MSWord document resulted in infection by a trojan file embedded in the document.

    Are there protective measures that can prevent this exploit?

    Recently, I learned of a person who was targeted in this way some time ago. He checked his email from his laptop while away from his office, opened the MSWord document and immediately received a Software Restriction Policy (SRP) alert.

    Here is what a SRP alert looks like. This was sent to me by someone else while doing a test:

    [image: SRP alert screenshot]

    [image: SRP alert screenshot]

    I've been impressed in recent months by examples of how SRP can protect against all types of remote code execution exploits. It requires no additional software, because it is built into XP PRO. (I'm not sure about VISTA).

    The sad part of this incident, I learned, is that the company computers were not locked down like this and the malware was not detected by their AV, resulting in many computers becoming infected.

    There are other ways that a user can be fooled into thinking that received electronic communication is OK, as in
    communication from a known person's compromised email, social networking profile, and other messaging formats.

    There are other ways besides MSWord, of course, to sneak in a trojan.

    And there are many other protective methods to prevent such exploits. You can argue that the simplest protection is to just avoid running as Administrator!

    The person in this example likes SRP because of its potential to set many other policies; it also happens to be an effective in-house way of taking care of these worst-case scenario situations.



    ----
    rich


    REFERENCES

    Unpatched Word Vulnerability
    http://isc.sans.org/diary.html?storyid=4696

    Targeted attack: experience from the trenches
    http://isc.sans.org/diary.html?storyid=1345

    Microsoft Office Security, part one
    Sample mechanism of an attack
    http://www.securityfocus.com/infocus/1874
     
    Last edited: Dec 14, 2008
  6. Dogbiscuit

    Dogbiscuit Guest

    SRP is available in Vista Business/Ultimate/Enterprise Editions.

    As far as I know, there is nothing like pcwGPinst for Vista Home editions.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Someone would have to want you pretty bad to resort to creating malware just for you. Even if this is true, a rootkit, trojan, keylogger, etc is either its own process or uses an installer of some form, which is also a process. Any of the security measures that prevent an unknown process from executing will be effective. Even then, you would still have to launch it, or have your system configured so insecurely that it's allowed to launch an unknown process.

    The other possible scenario would be to use an unpatched exploit in a user application to launch the code. Using such an exploit on a single individual would be an incredible waste from a cracker's point of view. Such exploits sell for big money and are first used against high value targets. Their value is short lived. Even then, as Rmus mentioned, software restriction policies are very effective here. A default-deny security policy that isolates attack surfaces is also effective.

    Regardless of the method used, for an attack to successfully compromise your PC, a process that's unknown to your system will have to run. It may be disguised as something else but anything that checks a signature such as an MD5 will detect that. Any decent security app that controls processes will notice that.

    Is this a theoretical question, something that has happened/is happening, or someone's threat to do this?
     
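The post above argues that any attack ends in an unknown process running, and that a check on the file's digest catches a binary "disguised as something else". As an added illustration (not code from the thread or from any product named in it), this constructed Python example implements that default-deny idea: only files whose SHA-256 matches an administrator-approved digest are allowed, so a same-named file with different contents is refused while a byte-identical copy under another name is still accepted. It uses SHA-256 in place of the MD5 the post mentions; file names and contents are made up.

```python
"""Default-deny execution check keyed on file digests (constructed example)."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(known_good: list[str]) -> dict[str, str]:
    """Map digest -> path for every file the administrator has approved."""
    return {sha256_file(p): p for p in known_good}


def is_allowed(candidate: str, allowlist: dict[str, str]) -> bool:
    """Default deny: a file may run only if its contents match an approved digest.

    The name and location are deliberately ignored, so a trojanised or
    lookalike file carrying a trusted name but different bytes is rejected.
    """
    return sha256_file(candidate) in allowlist


def demo() -> dict[str, bool]:
    """Constructed scenario: an approved binary, a lookalike, and a renamed copy."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "editor.exe")
        with open(good, "wb") as f:
            f.write(b"MZ approved editor build 1.0")          # placeholder bytes
        allow = build_allowlist([good])

        # Same file name in a downloads folder, but with extra content appended.
        lookalike = os.path.join(d, "downloads", "editor.exe")
        os.makedirs(os.path.dirname(lookalike))
        with open(lookalike, "wb") as f:
            f.write(b"MZ approved editor build 1.0 + injected code")

        # Exact copy under a different name: the digest still matches.
        renamed = os.path.join(d, "ed.exe")
        with open(renamed, "wb") as f:
            f.write(b"MZ approved editor build 1.0")

        return {
            "approved": is_allowed(good, allow),        # True
            "lookalike": is_allowed(lookalike, allow),  # False
            "renamed_copy": is_allowed(renamed, allow), # True
        }


if __name__ == "__main__":
    print(demo())
```

A digest allowlist only governs files that are launched as processes; scripts fed to an already-approved interpreter need a separate rule, which is the kind of gap SRP path and hash rules are meant to cover together.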
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Simple.

    Use only internet email. That's what I do, forget Outlook.

    There's plenty of programs to read all your internet mail accounts and they are much easier scanned IMO than something slipping through Windows' tethered way.

    EASTER
     
  9. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    The scenario is a theoretical one which, as Rmus pointed out, has happened in the corporate world. The point was to brainstorm ideas to close the vulnerabilities that exist given the situation. Adding some of these solutions to your defenses (i.e. Software Restriction Policy as mentioned) can't hurt. If anything, it'll help anyone who finds themselves in this situation.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In environments other than your personal PC, most of the solutions have controlling user actions at their core, because most of the methods involve getting a user to make a bad decision. In many work and corporate environments, the users have too many administrative abilities. Any security policy that takes administrative abilities away from a user reduces the chances of their compromising the system. I use older operating systems which don't have user controls built in that are very effective. On these, classic HIPS and standard firewalls with passwords can perform the same functions with equal effectiveness, maybe even more.

    Educating users only goes so far. There are just too many ways to deceive a user who isn't computer savvy. Example, how do you educate a user to know the difference between a real AV or system alert from a fake one? In a corporate environment, how does a user know a safe document from an unsafe one when it comes from what appears to be another department or desk?

    IMO, the best solution is a much more defined line between users and administrators, one that prevents the user from doing any installing, updating, etc. One that requires the administrator or IT department to whitelist the user applications and their interactions. When the user doesn't have the ability to make a bad decision, they're no longer a problem. This is not too much to ask of the IT department. It's their job to know the software needs of their employer.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What you describe is certainly the best solution. I've suggested such in discussions in another place, and IT and system administrators counter that if you restrict company personnel, you have unhappy employees.

    But company policies should have never permitted employees in the first place to use the company computer as if it were their personal computer.

    At least one organization -- a police department -- finally said, Enough is enough.

    http://www.faronics.com/whitepapers/CaseStudy_LAPD.pdf
    The MSWord exploit I mentioned above would not run in this environment. This takes care of situations where the user can be fooled into opening documents with embedded malware.

    Some educational institutions I've worked at have a similar setup, where Deep Freeze restores the computer lab systems to previous good state at each reboot.

    There is much technology available besides what this White Paper listed -- it takes a company CEO to be strong enough to require IT to use it.


    ----
    rich
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'd bet the company itself doesn't like paying employees to play on the web. A system administrator that makes such a claim is trying to protect his/her own free time, which should be spent doing the job they're being paid to do.
    At a previous job, the company policies prohibited employees from using the shop computers for personal use, but had no mechanisms in place to enforce it. A reasonably knowledgeable user could gain access to most anything on any of their networks. I could install software to any PC, change network settings, browse anywhere, even access the machine assembly programs. On several occasions, some user opened some infected attachment in their personal e-mail and took out entire networks for days. These users supposedly knew better but it wasn't their PCs and networks they were risking. Educating users is one thing. Making them care about what they do on equipment that isn't theirs is a whole different problem. Out of the PCs I've cleaned, the worst problems were caused by these users. The only way I know to prevent it is to take the ability to cause a problem away from them.
     
  13. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Why not use Deep Freeze or some other instant restoration software on these computers? I think that's the argument of the LAPD in the pdf referenced above in the post from Rmus. After reboot, you wouldn't have any cleaning to do!
     
  14. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That "case study" looks more like advertising than anything else. Why not enforce the "not for personal use" policy to begin with? If the user can't alter the system, there's no need for software that restores it on reboot, frozen snapshots, or anything similar, save a normal system backup. Both software restriction policies and well configured application firewalls (HIPS) are very capable of preventing the user or malware from altering the system while still allowing the system administrator to update or modify it as they see fit. It's not that difficult to set up a PC that the user can't alter, which is what should be done in all non-residential environments. Even in the home environment, it's a good idea, assuming that the PC serves more purposes than just a plaything.
     
  15. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    It's not like this is new. People used to have to argue about using the telephone at work for personal use. Some people abused it and I remember a period in the 80's and 90's (when long distance was expensive) that they could no longer rely on "enforcing policy" only. They added pin-codes to access long distance - sometimes the telephone for outbound use at all. In other words, they used technology. Today - it's computers. If you want to deal with whatever mess some disgruntled employee might leave, or whatever, then don't use anything like Deep Freeze. I think the day will come when any IT department not using instant restore technology will be considered negligent.
     
  16. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    With the tools that are built in or freely available, if an IT department can't lock down their PCs well enough to prevent personal usage or employee tampering, they're incompetent, lazy, or both. Something like Deep Freeze wouldn't be necessary unless you're allowing personal usage to start with. If not being able to play on the web while on paid time makes employees unhappy, too bad.

    This is going way off the original topic. The only way this applies is if "you" are a business, workplace, etc., and you're being targeted by someone from within.
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This is not the only problem, the main problem is this thing that tracks everything and acts as a sort of artificial intelligence. I doubt that anyone can escape this mechanism actually, except if you would tunnel their tunnel and disable their virus, but that would require a clean motherboard and a clean OS, not easy to find nowadays, except if you would create it yourself. Ethernet plays a key role for their stealth activities, and what about the ISP? Can you trust the line? Proxies are no solution because they manage to smuggle their requests in most cases. Firewalls won't help; they are easily bypassed through HTTP tunneling. Only with permanent SSL might there be a chance to evade the control system.

    Simple answer: That would require that your computer system is 100% clean. If this Manchurian chip exists we must think about a by-default hardware compromise and a by-default software compromise for the commercial OS of all of today's computer systems. Those freezes could not prevent anything that is built in on motherboards by default. IMHO we have a kind of secret service war between USA/Russia (software controller) and China/Taiwan (hardware controller).

    The evil is there already from scratch. Wake up, this world is perverted. These little nasties built up by wannabe hackers from the AV industry and script kiddies are not the real problem, at least not for those who have been on this board already for a long time.
     
    Last edited: Dec 20, 2008
  18. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Oh great.

    Now national security becomes a real problem for many nations depending on who manufactures the miniature chip hardware and/or software, setting the stage for a real possibility of the doomsday decision.

    Can you imagine that all of any nation's active defense Nuclear Silo buried ICBMs were given a secret remote signal from an orbiting satellite, secretly coded to trajectory up, around, then straight back down into the nation that depended on it to follow its designed defense course?

    Can this scenario be so far fetched or off from exaggeration simply because they're/we're to believe that there are solid safeguards in place to prevent such a mishap?

    Definitely food for thought I think.
     
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    How would you prevent malicious updates via a PXE ROM's network functionality?
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Two answers:

    1) Frankie Goes to Hollywood - Relax

    2) Rockwell - Somebody's watching me

    Mrk
     
  21. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    1. Relaxation is not frustration or anger, neither peace nor tranquility, not heavy or light, nor is it the center or empty. If this is true then what is relaxation?

    2. The Coasters - Why is somebody pickin on me.

    I like the idea of expansion ROM and PXE ROM because you don't have to install any malware to remain persistent.

    Are you saying that some group is secretly installing picotux at the factory level kinda like the Folgers coffee switch?
     
    Last edited: Dec 21, 2008
  22. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180
    I'll say it has. :eek:

    Anyway, although still off topic, I found this old white paper on corporate security which describes a similar scenario (bottom of page 6) to the one I originally posted.

    http://www.gfi.com/whitepapers/network-protection-against-trojans.pdf
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    From the paper, a targeted email:

    In a home environment, this is easily prevented, one way being SRP as I showed in Post #5.

    However, in a corporate setting, as this paper addresses, it is more problematical. I spoke yesterday with a System Administrator in a large company about some of these issues and current exploits, and he stated that it just wouldn't be practical to restrict the workstations in that way, or even to use a product like Deep Freeze.

    The paper concludes that the solution is:

    And there follows a list on p. 7.


    ----
    rich
     
  24. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Hi Rich,

    That was interesting reading and page 7 listed some important things. But they all involved things that GFI is selling; namely, gateway protection services. I wonder how much can really be done at the gateway without education and use of products at the end-user level. I agree with you about SRP - and even Faronics' whitelisting Anti-Executable and other like solutions.

    Trojan proliferation is a growing problem, but I question the abilities of gateway services to handle it. There is a trade-off between security and ease-of-use for employees. An argument can be made that things that seem impractical today may be forced on us in the near future. Too much at risk. Agree? Disagree? It is all what my mom (God rest her soul) used to call a colossal conundrum.

    I've always liked your intelligent and thoughtful posts, Rich. You're a valuable member here.
     
  25. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    180