Showing posts with label digital detective. Show all posts
Showing posts with label digital detective. Show all posts

06 December 2020

The Skating Mistress Affair, Part I


bank vault

Some people don’t seek trouble, but it finds them. That’s how I viewed fraud cases that came my way. Hired to hunt down computer anomalies, I didn’t enter a contract thinking criminal intent, but occasionally I stumbled upon crimes. This episode outlines my most challenging case, a battle of wits with a very smart adversary.

It started with a phone call.

In a cultured, south-of-Mason-Dixon accent, the man said, “Call me Chase; my daddy’s Mr. Franz. I’m marketing director of a software venture owned by a major Virginia bankshares concern. We own a product, a big one. We need a specialist to figure it out and support it.”

“A banking program?” Visions of Cobol or badly written C++ sprang to mind. “Sorry, I work with operating systems, not applications.”

“No, no, we’re talking systems software, not an app. The bank’s investment division floated the venture capital internally.”

“What’s the name of this product?”

“I can’t reveal that.”

“What does the software do?”

“I can’t tell you that either, not until we have your signature.”

“That’s all you can say? Why the secrecy?”

“Take a bank’s perspective of confidentiality, marketing paranoia, and a technical product we need to get a handle on, you get secrecy.”

“Who developed it? In fact, where is the developer in all this?”

“Well, that’s part of the problem. It was developed by a low-profile dude in North Carolina, really eccentric. He’s difficult to work with and we can’t seem to get his full attention. After selling us the package, he doesn’t want to be bothered with it.”

Only a few dozen independent software designers populated the top of the pyramid and we all knew each other, at least by name and reputation. I didn’t recall anyone in the Carolinas.

“You must not be paying much.”

“We bought the program dirt cheap, figuring he’d gouge us with ongoing support fees, but he’s not done that. He shows no interest in the product.”

“Your startup software group purchases an untried product from an unnamed author? How do you know the product is viable and isn’t trash?”

“Our bank’s systems run this software and no one, not even our lead systems programmer, can comprehend the program– it’s way too advanced. We sold copies to multiple Fortune 1000 companies, companies that use it and like it. But we found bugs. We desperately need enhancements and alterations as systems grow and evolve. We’ve got no one capable of maintaining it.”

“And your bank’s worried someone will wise up and expose your exposure.”

“That’s a huge concern. Spending venture capital is one thing, but discovering critical vulnerabilities implies liability. A number of jobs hang in the balance, mine included.”

“Written in C or what?”

“Assembler. 50,000 lines of machine code for the nucleus. With support utilities maybe hundred thousand lines for the old OS version and double that for the new, plus somewhat more for add-ons and extensions.”

“You’re saying a quarter million lines of code?”

“Uh, not exactly. The old and new versions cover a lot of duplication, so figure maybe one fifty to two hundred thousand unique lines.”

“That no one understands?”

“It’s costing us already. We need to put this right.”

The Plot Thickens

Locally, nothing exciting was happening with current clients. Steady income was nice, but I liked challenges.

Their tech division was named Data Corp. We exchanged non-disclosure agreements, eventually reaching an accord and a paranoia contract that required my cutting ties with other parties.

From Boston Logan, I flew a geriatric jet into Charlotte, Virginia, where I hired a car for a drive deep into the Shenandoah Valley. I passed beautiful horse farms and Mennonites in their buggies before I came to markers of American civilization – McDonald's, KFC, and WalMart.

The bank’s data center dominated a charming downtown in Harrisonburg, Virginia. I gave the receptionist my name and glanced around.

To the left of the lobby extended the glass room where the main computers lived, MICR check readers, networking and transmission units, 6000 square feet, perhaps 550 square metres, nicely laid out. It looked outwardly secure short of a terrorist attack.

From stairs at the right of the lobby descended a man about 5’5 of economical build. My salesman alert Early Warning System sounded. Scientists and engineers regard salesmen barely a step removed from slithering politicians. The two aren’t so much cats and dogs as cobras and mongooses. That mutual distaste would play a key part in the drama about to unfold.

Even so, Chase seemed a decent sort. He cultivated a brooding mien like a mantle of poetic melancholy, the kind that tenderizes feminine hearts and moistens girls’ eyes. Sporting a black, closely trimmed beard, he might have portrayed a weekend Civil War reenactor captain or river boat gambler.

He toured me around the complex, introducing me to bank presidents and vice presidents, those who plump out the top of the pyramid in financial institutions. He chatted up a half dozen girls who seemed in various stages of thrall. His magnetism short-circuited the female EWS.

“The product,” I said. “Let’s take a look.”

Chase offered me a seat in his office. He busied himself sipping coffee, winding his Swiss chronograph, twiddling a pen. I waited. Finally he said, “What we have here is a print spooling subsystem. A good one. Cool, huh!”

I understood why they wanted me. Not only did I work on operating systems, I had contributed code to two competing packages, a key operating system component in the evolution of computers.

Like a priest revealing the Dead Sea Scrolls, Chase reverently set a six-inch thick binder before me. He opened it. “This is our baby.”

My response came out less than reverential. It could be summed up as “WTF?”

No titles. No headings. No comments. No register notation. No meaningful labels. No reference points.

“I told you, Sandman, the developer, doesn’t need all that. He’s an amazing genius. He doesn’t document his work because his eidetic memory remembers everything.”

“Except for those who come after,” I said.

The lack of labels troubled me most of all. Normally programmers use real world identifiers such as Minutes, Seconds, Distance, Height, Weight, Brightness, etc. This had gobbledegook.

“Who does this?” I said.

“I told you, he’s a genius. They mean something to him, but he’s way above our level.”

“This is attempting ancient Egyptian without a Rosetta stone. This is insane,” I said.

Chase beamed. “You confirm what I’ve been saying. Sandman is genius above other geniuses; he’s beyond brilliant, absolutely off the scale. Our own people say his high-level abstract symbolism is far beyond their comprehension.”

“Even Einstein used standard identifiers, e = energy, m = mass. This has, for example, ‘rtgq233x.’”

“Sandman isn’t a merely an Einstein. Your challenge is, are you someone who can come to understand this or are you giving up?”

“Like hell.” Candidly, I wasn’t sure which part of the question I should answer.

Mystification

As a digital detective, I first confirmed the original assembly language matched the binary machine code in the executable module. I looked at a hundred different values scattered throughout the programs. They matched.

I profiled the program, I ran traces. I floated one other idea to Chase.

“Does Sandman speak Arabic or some language that omits vowels? Or Welsh? Polish? Russian? A language with unusual combinations of letters?”

“I imagine not,” said Chase. “He’s short, sandy hair, fair complexion. I doubt he’s visited out of the country. He’s barely travels outside of North Carolina. He’s so fearful of flying, he always takes a train.”

I had seen computer programs written in French and German. The mix of English and other languages looked a little unusual, but they ultimately made sense.

“Perhaps foreign abbreviations…”

“Look, stop going on about labels. Maybe they are in Klingon or Tolkien Elvish. Maybe they’re random or perhaps they’re nothing at all. With an impenetrable genius mind like Sandman’s, the labels themselves appear opaque to us and we simply don’t know.”

I didn’t accept that for a moment, but there was one other avenue to understanding the code– weeks of immersion in it. I packed the programs in my bag and headed back to Boston.


Over the next two weeks, I pored over 150,000 lines of assembly code. Some days I dissected routines line-by-line, noting, studying, analyzing. Other days I propped my feet up on the sofa and absorbed the gestalt.

Reading a program offers a unique peek into the author’s thought process. This mind meld can provide a strangely disquieting experience. A virtual voyeur can determine a precise mind opposed to a sloppy one, bold versus fearful, brilliant versus not so much, and lucid v losing it. This code contained all these elements and more. Although tightly written, it radiated a surreal aura and umbra, a sense of someone hiding in the shadows.

The Rosetta Stone

“The name of the song is called ’Haddocks’ Eyes.’”

“Oh, that’s the name of the song, is it?” Alice said, trying to feel interested.

“No, you don’t understand,” the Knight said, looking a little vexed. “That’s what the name is called. The name really isThe Aged Aged Man.’”

“Then I ought to have said ‘That’s what the song is called?’” Alice corrected herself.

“No, you oughtn’t: that’s quite another thing! The song is called ’Ways And Means’, but that’s only what it’s called, you know!”

“Well, what is the song, then?” said Alice, who was by this time completely bewildered.

“I was coming to that,” the Knight said. “The song really isA-sitting On A Gate’, and the tune’s my own invention.”

Through the Looking-Glass (1871) chapter VIII, Lewis Carroll

I kept coming back to the labels. They held significance, I felt certain. I could sense a pattern as if glimpsing a phantasm from the corner of my eye. Sometimes, I almost grasped a meaning, only to lose it as I shifted to focus on it.

While analyzing the program line by line, I stumbled across the name of a known operating system routine declared in a constant. The name of the routine was $$BEOJ, which stood for ‘Broker End of Job’. Unnecessarily, the program invoked this routine directly. The author had allowed himself a moment of ego. Instead of the standard, run-of-the-mill method available to any programmer, the coder had showed off his knowledge of operating system internals and triggered this segment explicitly.

I understood the inner workings, but the label of the constant, $$XYAU, grabbed my attention. Could this, perhaps, be the name of the name? Could XYAU someway represent BEOJ?

I poked around, trying the David Edgerley Gates’ Sunday Jumble and Crypto-Quote letter swaps on other labels. Sometimes it seemed to work, more often it didn’t. I combed the program in earnest, searching for obvious constants that might zero me in.

The hunt suffered from a paucity of information, but slowly clues accumulated as I harvested two more paired constants and labels, four, and then six out of three thousand six hundred. Patterns, it was all about patterns. I glimpsed the edges of a picture. No label contained more than eight characters, and something peculiar happened to the letters in each label.

Oddly, B often meant X but it also appeared to be F at times. In rare cases, it didn’t seem to be either. I ripped another sheet off a legal pad and tried again.

I phoned and left a message for Chase. He hadn’t called in days. I sensed his dismay.

I sat up that night, the next two nights, devouring Chinese food for nourishment and Coca-Cola caffeine to feed my notorious ADD. I clocked six hours sleep out of seventy-two. My hair matted, my smelly T-shirt could startle bad-tempered water buffalo.

Everything changed. Like a submerged enemy submarine hiding in deep waters, computerdom’s trickiest puzzle broke the surface. I faced the most fascinating computer game of my career.

On the fourth day, I messaged Chase a couple of times in the morning. I made a few more notes, then toppled over and slept until mid-afternoon.

Demystification

“What?” I barked into the phone a bit too sharply. My eyes seemed glued shut.

“Hey, it’s me, Chase. I got your messages. Whatcha got?”

“How much did you pay for this program?”

“Well…” He hesitated.

“You either paid way too much or way too little. Either way, you got screwed.”

Defiance mixed with defensiveness, he mentioned a figure barely larger than a month’s salary, paid for a program that took someone a year or two of 60-90 hour weeks pouring out one’s soul.

“Why do you ask?”

“Like I said, you got screwed. Sabotaged. Someone has encrypted the labels and stripped the meaningful information out of this program.”

“Bullshit. I don’t believe it.”

“Embrace it. You think it’s a coincidence comments are missing? There’s no register notation? Not a single artifact of meaningful evidence?”

“My people asked him about that. He’s one of those super smart guys who never comments his code.”

I grimaced. For that alone, the program should never have been accepted. I no longer believed the legend.

“Look,” I said. “Labels have been encrypted. I’ve got examples of equates in which one is assigned to 5 and five is assigned to 10.”

“It’s his genius level of abstraction. And what do you mean encrypted?”

“’His genius level of abstraction nonsense’ is getting old. I mean encrypted like the cryptogram puzzles in the newspaper, A equals S and B equals M and so on. A substitution cipher they call it, like Sherlock Holmes’ Dancing Men, only a factor far, far more complex. I’m still working it out, extrapolating clue by clue; it appears the bastard’s used at least two translation tables I'm sure of plus a couple of other frills, kind of a mental oubliette.”

“I don’t believe it. Look, we better rethink this contract. This can go one of two ways. Option one, we terminate our relationship. Option two, other than these conspiracy theory labels you go on about, the positive side is you now know more about the software than anyone other than the author. Come on down here, show us what you’ve got, and we’ll move forward.”

Enter Sandman

From DC, again I boarded another deafening jet into Charlotte. Where did USAir salvage these museum pieces? Maybe they explained why Sandman refused to fly.

The girls at the banking complex greeted my return engagement warmly, speculatively. The town librarian had mentioned the region suffered a serious shortage of males.

Chase, a bit aloof, escorted me into his office.

“I phoned Sandman,” he said coolly.

“And?”

“Says your theory– your accusation– is nonsense. Says he never ever uses comments, can’t afford time for them. Says those equates you mentioned, one equates to 5 and so on, just a coding convenience when in a hurry. Told me if we want to make insinuations, his lawyer can tell us to get stuffed. We can’t afford to get on his bad side.”

I snorted. “Coding convenience? How did you approach him? Did you ask if he sabotaged the code?”

“Of course I asked him. What was I supposed to say?”

“When you asked rather than told, he knew he’d bluffed you. I know he sabotaged the code, so I don’t need to ask.”

“He denies your allegations. Look, you’re a guy I hardly know. You make unbelievable accusations about a fellow I’ve known for years who says your notion is ludicrous. You tell me; how am I supposed to believe you?”

“I’ll show you proof.”

At the end of an hour, I’d further confused Chase rather than convinced him. He still believed Sandman. My stacks of tables and colored diagrams decorated with fine-tipped arrows left him unmoved. He couldn’t entertain the slightest possibility he’d been fooled or the other guy committed malfeasance.

I said, “I want to talk to Sandman myself, geek to geek.”

“That’s unwise. If he breaks off contact, we’re done for. He might even sue our asses.”

“You’re already done for– that’s why you hired me. Anyway, I’m not going to ask him if he encrypted the program, I know he did. That gives me an advantage.”

He reluctantly agreed to my calling with the condition he silently listen in. Like me, Sandman worked nights, so Chase and I grabbed dinner at a great restaurant as we waited for Sandman to come alive in the night.

One lichee duck later, we strolled back to the data center. I sat in his office while Chase lounged outside at the secretary’s desk listening in on her phone. He promised not to interrupt no matter what– I made him swear to stay quiet.

I dialed the Greensboro number he gave me. The call connected. Dan Sandman’s voice at the other end sounded pleasantly curious.

He said, “So you’re the guy they hired to develop the app.”

“Yep, I’m the sucker. Brilliant program, by the way.” I kept my voice light, pleasant.

“Thanks. I’ve heard of you by reputation. Boston, right? So how are you making out?”

I chuckled. “Dan, you left me one tricky puzzle. I’m still working it out, but your encryption scheme is brilliant, harder than hell to break.” I shook my head admiringly, not that he could see it. “Thus far I’ve identified two different translation tables. That’s ingenious.”

No hesitation, no prevarication, he broke into laughter. “Three actually.”

Through the window, Chase blanched, then darkened. I put my finger to my lips in case he felt like an outburst.

Danny continued. “You haven’t been working on it long. I’m astounded you got that far.”

“Three translation tables explain why I still have a thousand or so labels to crack.”

He chortled. “God damn, you smart dog. I used the first character of each label as a selector, picking the cryptographic table based upon which third of the alphabet the first character fell in.”

Outside the office, a purplish Chase was working on a serious case of TMJ.

I complimented Sandman. “I’ve never come across that idea before. Man, figuring out those tables can give one fits.”

“I didn’t want anyone to break it. Can’t believe you’re two-thirds of the way there. How did you figure it out?”

“$$BEOJ.”

“What? Oh, yes. I’d debated making a special case for it, but didn’t imagine anyone would ever get that far. What did you think of my equates?”

“Annoying.”

He laughed. “I trust that’s mildly put.”

“Right you are. There’s the obvious question, of course.”

“You mean why? Why screw up my own program?”

“You weren’t seeking job security.”

“I did it because I can’t stand that salesman, Chase. He’s such a bullshitter, all monies for himself, benefit the investors and screw the inventors. Flying around the country like an exec, trying to hustle the package, spending other people’s money, hogging the biggest slice off the top– I got fed up.”

Chase’s blood vessels looked ready to burst in an apoplectic fit. When he opened his mouth, I frantically waved him to silence. I tried to remember what Chase had told me.

Into the phone, I said, “You worked with him before?”

“Yeah, he found out about my package and begged to sell it. He couldn’t bother working the phones, doing sales fundamentals. Figured he was a Steve Jobs executive, jumping on a plane just to give a demo. I sold more copies than he did and I never left Greensboro, never tried to promote it, only word of mouth. Know what Chase did? He took the salesman cut anyway. He spelled that out in the agreement he wrote. Now ask me again why I’m pissed at him.”

Outside the door, Chase turned magenta. He could barely refrain from screaming into the phone.

Sandman continued. “So anyway, Chase was burning through money when he approached that bank in Virginia. He convinced them he had a hot product and urged them to buy out his contract. Chase wouldn’t change his ways, though. He wasn’t going to pay me what it was worth and I knew I’d never see royalties. My girlfriend, she said screw him. So I got this idea and I did. It wasn’t ransom, it was revenge. Sold it for almost nothing, figured he’d do himself in.”

“How much did he pay?”

“I bet you already know that. And he was gleeful at the fire sale price, ecstatic. The greedy bastard couldn’t believe the advantage he’d seized over his so-called partner. The slime-ball acted right proud of himself.”

“Dan, it’s affected other people. Plus other companies depend on the product.”

Sandman sounded almost regretful. “Yeah, I know. That’s why I agreed to partially support it until they found a replacement for me. I didn’t figure they’d bring in you.”

“Thanks, I think.”

He giggled dryly. “It’s tough maintaining it. I made the source code such an abortion, I find it nearly impossible to debug. They send me a trace or a dump and I spend a couple of days pulling my hair out. I provide just the minimum, which hasn’t been good enough, certainly insufficient to support new equipment coming out.”

The full significance of that statement wouldn’t register until much later: By implication, he’d orphaned this program and was developing a parallel version with enhancements.

“Dan, you know I have to tell the investment bank about this.”

“Figured you had already. Did Chase convince them otherwise? I successfully put him off when he called, but I gathered you were on to me. Yeah, talk to them. Maybe we can work something out, something fair and equitable. I’d like that.”

Witness to the Ascension

If Chase wasn’t pleased, the bankers were apoplectic. The vice president called the president. The president called the chairman. The chairman called the board. The board called the holding company and they called a meeting. In the meantime, the president asked me to stand by. “Don’t leave town,” he said.

Chase departed on a trip. He begged me to stay at his house and care for his dog, one with a bad case of separation anxiety. Shenandoah Valley girls were very hospitable. Over the next few days, I accepted kind invitations to luncheons, dinners, a bluegrass festival, a Mennonite market, and a community fair.

On Monday, the chairman called the president who called the vice president who called me. “Go home for a few days while we sort out what to do.”

I departed almost regretfully.


A few days became two weeks. I spent the time picking at the listings, painstakingly peeling the masks off characters in this exquisite puzzle. That’s what I liked best about programming, me against the machine, taking its rules and making it do what I wished, bending the beast to my will, solving abstract puzzles others couldn’t see. Usually it was me versus the computer; now I faced a clever human adversary.

Sandman called once to ask what the bank decided. My guess was gnashing their teeth, but I confessed I didn’t know.

People found it easy to talk to me, sometimes revealing personal things that seemed surprising later. He opened up.

We ended up chatting about nothing but learning about each other. Topics included girls, cars, his fear of flying and his enthusiasm for roller skating. We discussed fueling software with good Asian food. Our liquid Ritalin was cola, Coke for me, Pepsi and Moon Pies for him. He revealed a passion for Shostakovich. In the wee hours of the morning, he confessed frustration at his girlfriend’s lack of libido. He hesitantly admitted she was married.

On Friday, the VP called from his scratchy speaker phone. “Leigh, I got Chase and the president here. We want you to hop down to Greensboro and negotiate for the source code. Just you and Sandman– you’re the only one he has rapport with, the only one he respects.”

“What are the guidelines of the negotiations?”

“Obviously try to ransom our source, pay as little as practical for it, low five digits if possible.”

“Cap it at one-twenty, maybe twenty-five,” someone in the background said, probably the bank president.

“If things turn too unreasonable,” continued the vice president, “just walk out and we’ll haul his tail into court.”

“D’accord,” I said. “Shoot me a letter defining the limits.”

The VP said, “Do you anticipate a need to involve the police? Should we hire a private detective, perhaps a non-threatening girl his age?”

Chase spoke up in derision. “He just a little squirt, a pussy, a…”

The VP must have waved him to silence. “Okay. Buy it if you can, walk out if you can’t.”

No one had any notion of the unreal turn negotiations would take.


Next week: Part II, Skating Follies

06 January 2019

Chasing Pennies


bank vault
I've written about exploits in banking and brokerage fraud with further articles to follow. Bad banking practices don’t feature well in my write-ups. Institutions change only when they’re forced to.

Recently my fraud expertise touched upon the personal. A good friend fell victim to gaping holes in one of New York’s largest financial institutions, J.P. Morgan Chase & Co.

Lily is smart, pretty, and unattached. Two out of three is pretty good, but she means to win the trifecta. She doesn’t advertise, but merely hopes to attract the right kind of guy. She appears on social media: Facebook, Pinterist, and a singles’ site that’s been around some thirteen years, MeetMe.com, where she met an interesting fellow.

Telling the good from the bad isn’t always easy. By the time our malefactor (male factor or dirtbag are also suitable) stepped into the light, he already knew critical pieces of information about Lily: her real name (thanks to odious Facebook requirements), where she’s lived, family relationships, and importantly– her birthday.

MeetMe.com
For a few weeks, ‘Antonio Sanchez’ from ‘New Jersey’ wooed our lass on MeetMe. He didn’t do anything crass like ask her bank account number or credit card information; thanks to Chase’s security ‘features’, he didn’t need to.

As Thanksgiving approached, Lily traveled across the country, stopping to visit relatives in Greenfield, Indiana, home of another Lilly, the famed pharmaceuticals company. Our heroine happened to check her bank account and found it unexpectedly fourteen hundred fifty dollars richer.

Lily, not only smart but honest, sought clarification at the Greenfield branch of Chase. Greenfield couldn’t fathom the problem.

bogus check 1 (808869)
check 1 of 6 #808869
“You put money into your account in the early hours of the morning. Looks like you needed it. What’s the problem?”

“I didn’t deposit anything.”

“But you did.” Greenfield regarded her suspiciously. “You’re saying you didn’t?”

“Exactly. I didn’t do any such thing.”

“Well, lucky you. Someone likes you well enough to put coins in your account.”

*click* Instantly Lily knew who’d made the deposit.

A couple of hours later, the situation reached me. By then, other deposits had appeared. Curiously, monies were rapidly shifting among Lily’s three accounts. My fraud alert alarms clanged.

“If you make a withdrawal,” I advised, “calculate only what you own to the penny and not a cent more.”

“What’s the problem?” friends asked. “A handsome guy sending Lily money? Does he have any brothers?”

I spoke adamantly. “There is no money, no boyfriend in New Jersey, no gold at the end of the rainbow.” When I explained the con, Lily agreed to join me for a visit to the Indiana State Police.

Indiana State Police
The man manning the reception desk told us all detectives were out of the office and wouldn’t return until the next day. Lily asked if she could file a report.

The grizzled trooper brought forms out to us in the lobby. He stood by as Lily tried to explain the situation.

He interrupted her. “A guy giving you money is no crime. No crime, you can’t file a report.”

I said, “There is no money. It’s a con…”

The trooper threw up his palm in a ‘Talk to the hand’ gesture. Cops are trained to seize and maintain control, even when counterproductive. He went on to lecture Lily, not so much accusing her of wasting police time, but of being silly.

“May I explain?” I said as levelly as I could. “There is no money, only fake deposits. He will use that false balance to pay himself.”

The cop paused, considering. “Wouldn’t work,” he said. “If I deposit a check, I have to wait a few days to withdraw funds.”

“That’s why he’s moving money around her accounts. Some banks, perhaps including Chase, lose track of new deposits as they’re moved around. The technique is called seasoning, losing the new deposit tag and making the money look like it’s aged on account.”

“I’m a road warrior,” said the trooper. “I’m not up on these things. Yeah, I’ll have a detective phone you.”

Virtually next door to State Police Headquarters, we’d noticed a Chase branch. Lily made the wisest decision of the day, visiting the bank for an update.

The young woman listened attentively. She quickly grasped the situation. “Oh my God,” she said. “I received a notice exactly like yours of a deposit early in the morning. I need to check my own account before I go home today.”

Together, the three of us discovered additional deposits and further shifting around of money. By then, funds had been used to buy the first Western Union money order made out to an unknown and very foreign name.

“Let me guess,” I said. “The money’s sent to Nigeria?”

“If Lily didn’t give this jerk her personal information,” the young lady said, “how did he get into her account?”

I explained one hypothesis. I’m a vocal critic of the so-called security questions routinely forced upon on-line customers. “What city were you born in?” “What was the name of your first pet?” “What’s your favorite team?” “What’s your favorite color?”

With the slightest information, bad guys find it ludicrously easy to guess the answers. The favorite color question often includes a helpful drop-down menu of eight colors. No one chooses black or white, so a malefactor can guess the answer in six tries or less.

The young branch manager rang the fraud department. She posed the same question to them, who replied “There are so many ways to breach an account…”

bogus check 2 (808870)
check 2 of 6 #808870
The bank gave us copies of the checks. One peculiarity came to light. Chase said it appeared the Nigerian repeatedly deposited the same two checks over and over, fooling Chase and highlighting another flaw in their security, a defective filter for detecting duplicate deposits.

Chase froze Lily’s accounts, leaving her stranded without travel money in the midst of a cross-country trip. But wait, we’re not done.

Lily awoke the next morning, finding her accounts unlocked and a half dozen or so deposits burgeoning her balances.

Lily phoned Chase to let them know further monkey business was afoot in her reactivated accounts. They quickly closed the window and her accounts, again cutting off her funds.



Big banks and little people, comes now the pathetic part. Instead of expressing gratitude for Lily’s quick action of notifying them of fraud, Chase blames Lily for the leaking of money from the bank. Their stance is that Lily either worked with the malfeasant Nigerian to defraud Chase, or at the very least handed over her account information to the bad guy. As you now know, that doesn’t have to happen. All it takes is sloppy banking.

Besides seizing Lily’s bank balance, Chase now demands another $600 in compensation for their losses. Good move, Chase: encourage honest citizens to rush in to report fraud made possible by your own shortcomings.

It’s a great day for banking. Have you had similar experiences?

18 March 2018

The Digital Detective, Banking part 3


bank vault
This continues a series of articles about computer fraud. Originally I practiced a career of systems software design and computer consulting, but I sometimes came upon a more shadowy world, that of computer crime. I seldom sought out fraud but I sometimes stumbled upon it, picking up undetected clues others missed.

This episode doesn’t deal with crime, per se, but it includes a con, minor as it is. The scheme required a little ‘social engineering’ and, though the word might be Yiddish, no one can schmooze like Southerners.

The story came to my attention while consulting for banks, this one deep in Virginia’s Shenandoah Valley. My landlord for part of the stay was an eccentric but colorful codger. He talked about a neighbor who leased farm land from him but failed to pay his rent. Outsiders might expect he pulled on a jug of rye whiskey as he talked, but all he did was lean back in his recliner, sip beer, and twirl a never-lit cigarette while a cheerful woman less than half his age clattered in the kitchen. I jotted down his story long before I became a writer, so kindly forgive error and stylistic issues as I strove to capture his dialogue.
corn picker
1950s era corn picker
Damn Ernie. I hounded that man all summer long for the rent. Finally last fall, I hooked up my corn picker and started up the corn rows. Now a corn picker ain’t a quiet machine, and lo and behold, neighbor Ernie come dashin’ out of his farmhouse yellin’ and cursin’ that I’m stealing his corn.

I said to him I couldn’t possibly be stealing corn off my own land, unrented land at that. He steamed and stormed and said the seed and planting labor had been his, and anyway he was just a little late with the rent, three or four months, maybe four or five, weren’t nuthin.

I told him that I was just going to keep picking corn for myself until someone showed up with rent money. He dashed off like banshees themselves chased him. Pretty soon he comes back waving his checkbook.

I said, “Ernie, are you sure there’s money in that account?” Oh yes. He told me twice there was, so I said there’d better be, and he said he wanted the corn I’d picked. I told him to consider the already picked corn interest and collection fees. Fact is, I finished the rest of that row, which he just hated.

So the skinflint S.O.B. hustled off to hitch up his combine and wagon, and I find myself a few bushels better off than I was before. I cleaned up and headed in town to the bank, right past Ernie who’s racing his machinery through the fields.

At the bank, I always get in Molly’s line. She’s a sweet, buxom lass, and I’d been thinking about asking her out.

Anyway, I get up to her teller window and she said the account’s a bit short to cover the check. I asked her exactly how short, and she said she wasn’t allowed to tell me that.

So darlin’, I cajoled, is this check completely worthless, or did Ernie at least come close? Looking at her computer, she said he was purty close.

Well, I says to her kind of reflectively, I want to tell my neighbor Ernie how much he needs to cover my check. Like would he have to deposit only $10? No, she said, ten dollars wouldn’t cover it.

Well, says I, would $20 or $30 do? No, she smiled at me, it’s not quite enough.

Hmm, says I, I wonder if $40 or $50 would suffice? Um, she said to me, that first amount ought to cover it.

Thank you, I says, I’ll tell that rascal he needs to put $40 in the bank. By the way, sweet thing, can I have a deposit slip? And you think maybe I can call you up? For, uh, you know, maybe dinner Saturday?

So I walked out of there with a bounce in my step, a deposit slip and her phone number. I was feelin’ purty good. What I did was get in my car and circle around through the bank’s drive-thru. I already had Ernie’s account number on the check, so I just filled out the slip and shot it through the air tube with two $20 bills. Sure enough, the receipt came back showing $1002.39. Good on Molly.

But wait, I say, I almost forgot to cash a check. I send over Ernie’s $1000 check and this time I got back a thousand dollars.

Fair enough. I probably had $40 in shelled corn and a lesson I ain’t gonna rent to Ernie no more.

Ernie got stupid, though, and instead of being grateful I didn’t bounce his worthless ass along with his worthless check and turn both over to the sheriff for collection, he raised holy hell at the bank yelling someone manipulated his account.

I took Molly to the horse show that Saturday. Now I tell you personal like, you want to get a lady in a receptive mood, bein’ around horses will do it. Something about women and horseflesh– just a word to the wise.

Anyway, Molly, she confided the bank said it was apparent someone had taken liberties, but they couldn’t blame the girl who took the deposit and they couldn’t blame the teller that cashed the check. They just gave everybody a stern reminder warning.

Ernie wanted to call the authorities, but the branch manager explained Ernie’d be the one in trouble for writing bad checks. He didn’t mention Molly could have gotten in trouble if they’d figured out her role.

Molly said she knew I’d manipulated her and wanted to know if I’d asked her out from obligation or guilt. I said I didn’t want to sully a relationship thinking I used her. She needed a lot of reassurance about that, and so Friday nights and Saturday nights we just get romantic and I give her plenty of reassuring. Been about a year now. Figure we can go on with this for a long, long time.
And he winked at the cheerful lass in the kitchen doorway.



Commonly in Virginia’s Shenandoah Valley, ‘out’ sounds are pronounced like a Scottish ‘oot’. Thus he really said, “I’d been thinking aboot asking her oot.”

22 January 2017

Yet Another Computer Scam


 WARNING A scam involving Google and clever programming sleight-of-hand has hit the scene. It’s not entirely new– a prototype showed up in 2014– but it fools many professionals. Apologies in advance for the technical parts below.

A new month, a new scam, this one brought to our attention by a reader. Although widely reported, this scam hasn’t shown up in the ACM Risks Digest yet. Surprise– the scheme starts with your GMail where a note from a friend or colleague contains a link to another page or document. You click and receive a message you must log in again. Happens every so often, annoying but sign in again for security.

false URL

A Google log-in page shows up– the URL field (web page address) contains google.com. Enter your name, enter your password. Click. The document your compatriot sent now appears.

You may not know it, but you just lost exclusive control of your Google account. Your pal didn’t send that email and the link was plucked out of your emails.

Let’s look at the sign-on dialogue boxes again. Which one is counterfeit? Hover your mouse over them for the answer, but the fact is, they’re indistinguishable.

fake sign-in box
real sign-in box

The insidious part is that email web sites– Yahoo and AOL included– train us by periodically forcing us to relog in. Hold on… didn’t the URL box contain google.com?

Yes. Over the years we’ve seen clever fraudsters incorporate target domain names similar to this:

http://w5.to/google.com

The trick here is that the real domain, web address of the bad guys, is w5.to. The google.com is only a web page set up to fool you. Other examples might look like the following:

http://citibank.net.w5.to/index.html

This is a variation of the bad guy’s domain, w5.to, above.

http://citybank.net

Here the bad guys registered a variation of the real name made a little easier by CitiBank using a non-standard spelling. These three examples are reasonably clever and some scammers don’t take that much trouble. However, this new one can catch even professionals by surprise:

data:text/html,https://accounts.google.com/ServiceLogin

The clue something is very wrong lies in the first three words, data:text/html – you shouldn't see that at all. The opening letters of an URL don’t have to be http – they can be file, data, help, about, chrome, gopher or possibly another protocol, but ‘data’ is the only hint the page is abnormal.

Browsers have become more sophisticated over the years, so web pages might include additional capabilities such as setting preferences. The ‘data’ keyword allows HTML to be embedded in the URL field, but more insidiously, it allows JavaScript, and that’s how this particular exploit fools us. Following the ServiceLogin part of the URL are dozens upon dozens of spaces so you can’t see what comes next. Far beyond the right side of that URL field is where the real sorcery begins with <script…>. This malware program throws up a fake Google sign-in page to capture your ID and password.

Expect Google to quickly mount an update, but beware, look ever more critically at URLs when you’re asked to type in your credentials. It might save your on-line life.

17 April 2016

RansomWare 3,
Recovery


 WARNING  In part 1, we discussed a nasty type of malware (malicious software) called ransomware and in part 2, we recommended preventive steps. In this final article, we explore options in the event your computer is attacked.

Don’t Pay

That’s the advice of most professionals. Besides filling criminal coffers, a better reason leaps out. FireEye Security and technical advisor Alain Marchant estimate only 60% of payees get their computer back intact. BitDefender estimates even dimmer odds, as few as half of those who pay see their files returned. Symantec hasn’t published figures but they’re also not optimistic about the odds of success.

The poor odds of successfully retrieving files has drastically impacted the ‘business’ of extorting stolen files. TeslaCrypt perps have taken two unusual steps.
  1. They set up a secretive TOR ‘dark web’ message center to facilitate payment.
  2. To prove they can actually decrypt files, they offer to decrypt a small (very small) file of the user’s choice.
Yet, as they try to extract payment, their pages hint at the myriad failures and pitfalls: «If step 2 goes wrong, then attempt this and if that goes wrong then try that and maybe try again in 10-12 hours… which may exceed the allotted time… blah, blah.»

Then consider the matter of who reaps the stunning profits from ransomware. It’s tempting to blame ordinary criminals but in fact, ransomware funds terrorist groups like Daesh/ISIS and al-Qaeda. State-sponsored extortionists include the obvious suspects, China, North Korea, and Russia. Technical authors Gregory Fell and Mike Barlow further accuse Iran and Israel of sponsoring attacks at the expense of the rest of us.

Ransomware is an international problem. The Russian security firm Kapersky Lab was reportedly hit with ransomware and thus turned their attention to addressing the problem. French security consultant Alain Marchant, who goes by the name xépée and cheerfully admits Marchant may not be his real name, has developed a client base of victims ranging from individuals to major companies. Here at home, developers of anti-virus products have trained their sights to the problem.

The Costs

Worldwide, malware sucks more than a half-trillion dollars out of the annual economy. Some target individual countries like Japan (TorLocker) and Russia (Kryptovor), but others are indiscriminate. The US alone loses $100-billion annually.

Cyber crime is lucrative and safe. While one or two man operations bring in as little as $1100-5500 daily, Symantec traced one revenue stream that amounted to $35 000 a day, a number consistent with a study by FireEye Security. At the upper end of the scale, Cisco’s Talos Group calculated the Angler exploit (CryptoWall, TeslaCrypt) each day targets more than 90 000 users, pulling in $100 000… every day.

Losing family photos is one thing, but businesses have lost their files, charities their revenue, hospitals their patient records, government agencies their data, and– in at least three cases– people their lives.[1],[2]

Practicalities

Acquaintances of ‘Mark’, a victim mentioned in last week’s article, casually recommended caving to demands and paying off, ignoring the odds and consequences. Those acquaintances may be well-heeled and untouched by ordinary concerns like money and terrorist funding, suggesting if one can afford it, why not? Fortunately, Mark had a friend to help see him through the worst of a bad situation.

If you are a victim, only you understand your circumstances or desperation, but treat pay-offs only as an absolute last resort. Be prepared for the worst– your payment may go for naught.

Easy Pickings

Chances are you’ve seen web pages or pop-up windows that claimed your computer has been damaged or compromised and to call ‘Windows’ or ‘MacOS’ where ‘professionals’ for a fee will help you stamp out this insidious nuisance, one they created, although they don’t tell you that.

These are usually simple browser attacks– JavaScript on a web page seizes control of your Edge browser, or Internet Explorer, Safari, Chrome, FireFox, etc. The good news is they’re relatively easy to defeat, although getting out of the situation can puzzle an average user.

In these cases, don’t panic and don’t call the toll-free number the bad guys so thoughtfully provided. You may want to call a friend for technical assistance, but you may be able to solve it yourself.

The key to recovery is killing the script, the little program abusing your browser. You may be able to simply close the page, and if so, job well done.

Another approach is to open the browser Preferences or Options and disable JavaScript. Once JavaScript if paused, you can close the web page at your leisure, alt-ƒ4 or the more nuanced ctl-w for Windows, cmd-w (⌘-w) for the Mac. Unfortunately, FireFox made the decision to remove the option to disable JavaScript, but add-ons like QuickJS, NoScript and Ghostery give users that option. For the Mac, typing command-comma (⌘,) normally brings up preferences, but the malicious script may thwart that move.

What happens if you can’t close the web page and can’t disable JavaScript? You have no choice but to kill the browser and restart with a goal of stamping out the offending window. Use the Macintosh Force Quit (⌘-opt-pwr) or the venerable Windows Task Manager (win-shft-esc). You may be able to right-click on the program icon to close it. When restarting Safari and Edge, use finger dexterity to close the offending window– you may have to force-quit and restart a couple of times to succeed. FireFox is helpful here: They provide a dialogue box asking which pages you want to reopen (or not).

Note that you may have to smack down more than one browser window. At least one exploit deploys two pages using one to reopen the other if it’s closed. Both pages need to be killed.

Trust Issues

As with other ‘exploits’ (short for exploitations in professional parlance), you can (and should) take the preventive measure of downloading an alternative browser to your computer, say Opera, FireFox or Chrome. If a bad script has nailed your Safari or Edge browser, you can fall back on an alternative until you can get help.

The other key step is not to download anything you don’t trust. Don’t fall for messages claiming your Java or Flash or SilverLight player needs to be updated. Be extremely shy of web mail that offers to upgrade Windows 10. The safe way to update is not to click on the helpful button, but to locate the official web sites and manually download any updates yourself. Make certain the URL says java.com, adobe.com, or microsoft.com (with or without the www.) and no variation like javaupdate.com.

In the past, professionals have disdained automatic updates and that’s fine for them. Let them micromanage if they will, but for the average user, I break with my colleagues and suggest automatic updates might prove safer. The reason is that if you already trust a program, then its updates are reasonably safe as well. At worst, you may get a message saying that FireFox must be restarted, although if you don’t restart immediately, the updates will kick in after you quit your current session.

Apple and Microsoft occasionally check for updates. While I approve of the automatic mode, I suggest running the update check one time manually so you know what to look for.

RansomWare

Thus far we’ve discussed the simplest form of ransomware that merely subverts your browser. At present, you’re more likely to encounter web exploits than the really nasty kind that takes over your computer by encrypting files and user programs.

True ransomware programs demand payments ranging from $200 to over $2300 ($475 appears average) in untraceable digital payments, up to tens of thousands of dollars when targeting hospitals, corporations, and crippled city and county governments. There is no single flavor of ransomware. At least half a dozen strains are extant plus offshoots and variants. Each makes up its own rules and demands. Early models sought cash transfers via Western Union and later Ukash, MoneyPak, and PayPal My Cash, but nearly all now demand payment in anonymous digital money– BitCoin.

The other characteristic found in most ransomware is the imposition of a deadline, after which the bad guys state they’ll refuse to restore your files altogether and at least one variant claims it will permanently ruin your hard drives, not merely beyond recovery but beyond formatting (a highly dubious claim).

The time limit serves one primary purpose, to apply pressure and rattle the victim, to preclude the user from thinking his way out of the dilemma. A time limit makes it difficult to gather information, tools, and help. The target may not have sufficient opportunity to order recovery tools or a second drive to work from or a create a bootable disc.

Besides your backup, you will need a reinstallation disc. These days, few computers come with installation DVDs. Some computers feature a bootable partition that contain tools and recovery programs. In other cases, you must download a so-called ISO file from the internet to burn to an optical drive (Blu-Ray DVD, etc)– but you can’t safely do that from your compromised system– you either need to boot from a trusted drive or ask someone to download a recovery ‘disc image’ for you.

As far as the threat to permanently wreck a hard drive, it’s hypothetically possible but unlikely. Black hats may alter your boot tracks or drivers, but those can be repaired with a disc formatting program. In the unlikely case that bad guys were to zap your drive’s firmware, they’d have to strike after the time limit they imposed. Long before then, an aware user should have powered down his computer.

Demanding Money with Menaces

British use the term “demanding money with menaces” regarding blackmail, extortion, and kidnapping for ransom. The threat of ransomware is clear: If you don’t pay, you lose your files. But if you do pay, you may still lose your files. Damned if you do, damned if you don’t, the track record is not good.

Beyond the substantial risk a victim will never see his files after payment, there are sound reasons for not paying or attempting to communicate in any way. The victimized may inadvertently expose more information than realized such as passwords and bank account information. My colleague Thrush says paying or trying to reach out tells the bad guys “they have a live fish on their line.”

If a victim attempts to reach his bank on-line, an infected computer can forward passwords and account information to the miscreants. Because the bad guys have control of their subject’s computer, they may be able to extract injurious information. A wise solution is to quickly disconnect from the internet to interrupt the outflow of information.

One-Way Communication

Security consultant Alain Marchant says about 12½% of victims opt to pay, but less than ⅗ of those cases see the return of their files even after payment. He suspects the percentage may be considerably worse because of under-reporting.

Marchant’s stats are highly consistent with FireEye reports. He attributes failures to restore hostage files to a number of factors.
  • There may be no hidden server that can unlock the files. The victim has only the criminal’s word such a server exists. Maintaining servers exposes the bad guys to risks they may not be willing to take.
  • Perpetrators may simply not bother. A one-man operation can easily bring in a minimum of thousands of dollars (or euros or pounds) a day, millions a year without lifting a mouse-finger. An extortionist whose biggest problem is hiding money from authorities may feel no obligation to release hostage files.
  • Hidden servers, if existing at all, may be taken down by its ISP, by government raid, by weather, by a denial-of-service (DoS) attack, by power failure or other outage, or by the bad guys themselves to evade detection. Perpetrators, particularly those on the move, may rely on laptops that are on-line only for brief periods. A perpetrator who can’t connect can’t repair the damage.
  • Because of a restricted ability to test malware, perpetrators’ programs may be bug-ridden and unable to recover the data. FireEye reports that files encrypted and then decrypted by TeslaCrypt turn out corrupted.
  • Perpetrators may not have the sharpest grasp of time zones, which may cause a premature trashing. Problems are exacerbated within one time zone of the Greenwich meridian and worldwide during daylight savings time changes. Ransomware does not take into account weekends, holidays, and banking hours.
  • Perpetrators may not have the sharpest grasp of exchange rates. For example, a ransom page may demand $300, but with worldwide reach, may receive $300 Canadian instead of US dollars and therefore not release the files.
  • Victims’ machines may be knocked off-line by the same problems above that affect perpetrators’ servers.
  • Victims’ drives may be so badly damaged, that recovery becomes impossible. Moreover, perpetrators may encrypt the very keys or tokens victims need to communicate with their bank.
  • Victims usually don’t possess a clear understanding of bitcoins. Some attacks require users to install modified TOR browsers to arrange payments. While these measures help perpetrators hide from authorities, victims lose time and possibly their files while trying to figure out the process.
  • Victims’ anti-virus software may belatedly catch and delete the ransomware program making recovery impossible.
  • Multiple malware infections may collectively interfere with each other. Victims may inadvertently exacerbate the problem by researching malware on the internet, triggering secondary infections that make recovery impossible.
  • Victim’s computers may reinfect themselves as drives are brought on-line.

Recovery

Clearly the odds of recovery are better with anti-ransomware programs, assuming data hasn’t been deliberately damaged beyond encryption. If at all possible, create and work from an external drive. You may find better success removing the computer’s hard drive and hooking it up to a clean computer. The idea is to keep the virus dormant while attempting to remove it and correct the damaged files.

At the end of the countdown period (typically 72 or 96 hours), some malware strains sabotage the rest of the hard drive, erasing boot tracks and directories. Marchant suggests it might be possible to turn back the clock in a PC BIOS by several hours to extend the period of analysis and recovery. For this to work, the computer must remain disconnected from the internet.

If there is an extant key, it may not reside in a remote server at all but could be buried in your machine. That can help assist programs in decryption.

Following are a few Mac and Windows resources to help in preventing and recovering from ransomware.

Be safe out there!

10 April 2016

RansomWare 2,
Vampires and Zombies


 WARNING  Last week, we discussed a particularly vicious type of virus, one that poses a severe risk to your computer’s contents. It’s called RansomWare and it’s coming to a computer or cell phone near you. This week, we offer specific steps to protect yourself.

Zombies vs Vampires
To infest and infect, one of the givens of vampires is that they must be invited into one’s home. Dracula and his ilk may mesmerize or seduce, but only when a victim throws open the window can the creature waft in.

Viruses– and more typically a variant called Trojan horses– work the same way. A colleague hands the victim a flash drive, or she (or he) clicks a disguised download button or the attachment of an email. Voilà, she’s unknowingly invited the devil into her life.

Sometimes the effects are relatively minor– they may quietly turn the target into a zombie server, a computer that sends out spam, illicit files, and even malware without the owner’s knowledge. The truly bad infections can suck the lifeblood out of the system. Ransomware falls into this latter category.

Recently, Dale Andrews received an apparent email from Velma with an attachment. Strange… she rarely emails and I knew our secretary hadn’t emailed anything since the beginning of the year. Fortunately Dale didn’t open the attached payload. It may have been nothing more than a Nigerian scam letter… or it could have been considerably worse.

Pleadings

My colleague Thrush keeps enough computers to power Bulgaria, nearby Serbia and Romania. He thinks like a pro; he takes security very seriously.

His friend Mark phoned– he’d been hit with ransomeware. Arriving home in the evening, Mark had sat down at his computer, tired and less than alert. One of his emails raised the spectre of a lawsuit; it included attached court documents.

He downloaded them and… innocently unleashed the wolves. Whatever had been attached, they weren’t pleading papers. A screen popped up… his computer had been encrypted by ransomware, demanding a few hundred dollars to return his goods.

The man immediately detached his computer from his local network (LAN), one that included his backup mechanism and his wife’s computer, which fortunately contained their most critical files. His desktop was done for, but quick action saved their most important files.

Defense

The best protection against malware (malicious software) and ransomware in particular is to prepare your fortress now.

I. Backups

Back up, back up often. I previously mentioned it’s critical to back up to drives or discs that can be detached. The reason is that if your backup drive is on-line when malware strikes, you could lose your backup and everything on it.

A simple strategy used in the early days of computing is to make grandfather-father-son backups: You cycle through your discs (or tapes or other media) reusing your oldest backup each time. This includes one vulnerability in that you may back up defective or damaged files without realizing it. For that reason, archive a backup each month or so. Tuck it in a drawer or bank vault and exclude it from the recycling.

Consider using Blu-Ray discs with write-once technology. Those discs are not only less expensive than rewritable discs, they’re safer in that they cannot be later altered and their life span could last for decades.

The Macintosh includes a backup program called Time Machine. It can operate in manual mode, which is useful for detachable drives. It also offers a continuous mode in which changed files are backed up every hour to an attached drive, the cloud, or a NAS (network area storage) unit. Continuous backing up is great unless ransomware attacks the backup files.

A method of safe continuous backup is possible for desktop computers using these steps:
  1. Ensure files you want backed up are either in your public folder or outside your home folder altogether. In other words, make sure items to be backed up are visible beyond the confines of your user folder.
  2. W-D USB back-up drive
    W-D My Passport back-up USB drive
    Establish another user account called Backup. If set up properly, it should be able to see the files and folders you want backed up. Keep things pure. Do not use this account to surf, read email, or shop on-line.
  3. Attach a back-up drive, cloud storage, or NAS using a password. Only the Backup account should have the passwords readily available. Don’t access these drives from your main user account(s). (Western Digital external drives not only provide good back-up programs, they also allow the drive to be password protected.)
  4. Start the back-up program, providing its security services with passwords if needed. Don’t log off the Backup account when returning to the main user account.

While you’re working, the Backup account will quietly save your data. If you are attacked, malware won’t be able to get at the back-up drive. You need only consider this for continuous automatic back-up programs like Time Machine.

II. Modems, Routers, and Firewalls

The Backup account acts as a sort of firewall to seal off back-up drives from the rest of the machine. Chances are your router as well as your computer contain software firewalls. Because of the variety of manufacturers, I won’t attempt to address specifics other than to suggest learning how or seeking help in using them.

With the router, keep open ports to a minimum. Use long passwords for both your modem and your router. Be careful whom you let into your network. Some wireless routers allow ‘guests’ with imposed limitations. If both your router and your guest’s computer, tablet, or phone features a WPS button, you can permit guests to connect without giving out a password.

III. Computer Settings


Besides judicious sharing and firewall settings, a seemingly minor option offers major potential. By default, both Windows and the Mac don’t display common extensions (.doc, .rtf, .gif, .mp3, .exe, .app, etc.) An invisible extension might look a little prettier, but that extra piece of information might help you save your computer.

Say you get a breezy email purportedly from a friend containing an attachment called FamilyFotos.jpg. You start to open it but, if you’ve activated the showing of extensions, you’ll see the full name is FamilyFotos.jpg.app … uh oh!

Or, say you visit SexyBuns.com, download HunkyGuys.mp4 (yes, I’m talking about you, Jan Barrow Grape of 103 Rodekyl Lane, Armadillo, Tx 78657) and spot that the complete file name is hunkyguys.mp4.exe

These are big clues that those files are not friendly.

Show extensions by visiting Control Panels Files and Folder Options (Windows) or Finder Preferences (Mac) and checking the appropriate box. Now you can have more confidence that LegalPapers.pdf is truly what it claims.

MacOS Finder prefs
MacOS X show extensions
Use extra caution with .doc and .docx files. Unknown files may contain malicious macros and may even suggest you turn macro support on if it’s not. More recent variants reportedly can leap the divide from MS Word to infecting the rest of your computer.

If you wish to peek at unknown Word files, use WordPad (Windows) or TextEdit (Macintosh) or equivalent text processors that ignore embedded macros. Whenever possible, use .rtf instead of .doc as a far safer alternative.

Windows File and Folder Options
Windows hide extensions
Email filtering not only keeps annoying mail out of your in-box, but it can also provide a line of defense against malware. Even if you blacklist/whitelist, keep in mind that bad guys may have hijacked a friend’s contacts list and try to spoof their address relying upon your trust.

IV. Too Helpful

Be wary of too-helpful emails and pop-up windows that offer updates to Flash, Silver Light, or Java, and especially shortcut links to your banking web site. If you receive an email supposedly from PayPal, your financial institution, HealthVault, IRS, Social Security, or other site containing personal and financial information, don’t click on any embedded links. Instead, type in the URL address yourself to be assured you’re not accessing a ‘spoof’ site trying to trick personal information from you.

virus infection irony
Consider the irony
Notices urging upgrades– usually employing pop-up menus– can serve as fronts for malware. Don’t fall for the false convenience. Be cautious of notices your computers has been infected with a virus. If your browser screen locks up, get help. Don't call the toll-free number on the screen.

Such notices may try to trick you into installing nasty stuff. If you think you might need a newer Flash player or Java component, then hie directly to their web sites and check for download versions.

V. AntiVirus Protection

Obtain a good anti-malware suite, either free (like AVG) or from Kaspersky Lab, Symantec/Norton, BitDefender, Malwarebytes, or WinPatrol. They each take different approaches. BitDefender’s defense works as a sort of vaccine. The free Panda Ransomware Decrypt Tool tries to restore deliberately damaged files.

If at all possible, remove the wounded drive from its computer, or create and boot from an external drive to work on the damaged device. It’s possible the infection has altered the boot sectors of your hard drive. If you’re able to decrypt your damaged files, move them to a safe place and totally reformat the damaged drive.

The Myth of Customer Service

One of the internet ‘memes’ floating around the web speaks of ransomware ‘customer service’. This irresponsible wording is tantamount to insisting a rapist gives good customer service if he doesn’t kill the victim. Even professional developers who should know better use this expression, an indication of naïveté rather than an expert opinion. A paid criminal that restores files only 50-60% of the time does not exhibit good customer service.

More on that next week. In the meantime, avoid zombies, vampires, and malware.

03 April 2016

RansomWare 1,
The Threat


 WARNING  A particularly vicious type of virus poses a severe risk to your computer’s contents. It’s called RansomWare and it’s coming to a computer or cell phone near you.

Although no longer engaged in software design, I enjoy keeping an eye on technology. RansomWare had risen on my radar as an up-and-coming annoyance, but I hadn’t appreciated the level of threat it’s become.

Virus sophistication has risen from the early cutesy messages to vandalism to zombie-bots… hidden programs that turn your computer into a secret spam server. In the past, viruses were largely preventable and recoverable.

That’s changed. Bad guys have figured out how to monetize infections that can wipe out your photos, movies, letters, tax records, your home and work content. They can obliterate your recorded life.

The viciousness doesn’t stop at the personal level. We know only of attacks made public, but ransomware has assailed small businesses and large, county offices, schools, charities and non-profits.

The criminals behind the scenes have no compunctions. A favorite soft target has been hospitals where lives hang in the balance. Forensic experts believe some of those penetrations were deliberate attacks from the inside. To wit, someone deliberately hand-planted a ransom virus in hospital computers.

Even police agencies have been hit and– to the disgust of many– they paid the ransom. How can criminals be stopped if police dump public money into their coffers? For all anyone knows, the attackers may have been terrorists or state-sponsored Daesh/ISIS or al-Qaeda, China or North Korea, all badly in need of euros and dollars.

Destroying a victim’s computer’s contents can ruin years, even decades of work and study, crucial research and development. RansomWare can devastate careers and ruin lives. It even takes lives, at least three known victims, father-son deaths and a student suicide.

What is RansomWare?

A type of virus or infectious malware, ransomware invades a computer, renames and encrypts your files with mathematical, non-reversible encoding. The malicious program then offers to reverse the damage in exchange for a demand ransom ranging from two- or three-hundred in dollars, euros, pounds sterling, or the equivalent in untraceable bitcoin, into thousands. If the black hats recognize a high-value target like a hospital or government agency, they may demand tens of thousands of dollars. Some programs set a three-day deadline after which they promise to wreck the machine beyond repair.

The ransom virus lingers in the target machine long after the damage is done. Worst of all, victims face a substantial probability that even if they pay the ransom, they won’t get their files back.

At present, the worst of ransomware mainly attacks Windows computers, but Macintosh and Unix/Linux users shouldn’t grow complacent. One Mac malware program contains no mechanism to restore files after payment. Black hats have already breached a major Java component (JBoss) and some ƒ-head will figure out how to devise a devastating Unix-based attack. It takes little more than catching a human in a weak or distracted moment.

W-D USB back-up drive
W-D My Passport back-up USB drive
Now is the time for all good men and women…

Kindly accept today’s article as a heads-up, a wake-up call to take steps now to deal with this eventuality. Writers among us may be able to glean facts for a fine techno-thriller, but safety comes first. We’ll be discussing
  • backup, backup, backup
  • computer settings
  • modems, routers, firewalls
  • virus prevention and ransom software
  • pop-up and email software ‘updates’
Back-up

Next week I’ll share more detail but consider immediately buying one or more external drives for backing up your important files:
  • Western Digital USB Passport series starts about $45 including Mac and Windows back-up programs.
  • Flash drives are conveniently small although speed ratings of larger capacity drives can prove excruciatingly slow. These are convenient if you concentrate on backing up your data rather than your operating system or programs, which you can presumably otherwise recover.
  • Safest and cheapest of all, you can toast a permanent copy of your data to a Blu-Ray DVD if you limit your back-up to data only. Prices start around $120 for single-layer 25gig drives and increase for dual, triple, and quad-layer models. Single-sided media cost less than a dollar a disc; dual-layered discs run less than three dollars.
The key factor is to backup weekly or as frequently as your willingness to risk your most recent data allows. Then, once you’ve taken a backup, disconnect that drive from your system so it won’t fall victim to a ransomware infection.

Take an extra moment and visit your Control Panels (Windows) or Finder Preferences (Mac). Change the default setting to show all file-name extensions. I’ll explain why next week, but it may help you catch malware masquerading as innocent files.

Stay safe. See you next week with malware vampires and zombies.

23 June 2013

The Digital Detective, Wall Street part 2


continued from last week
The Best of Times…

Systems programmers held a unique niche in the multiple mainframe corporate structure. We didn’t practice ordinary commercial programming but were responsible for keeping the software side running– the operating systems, telecommunications, and utilities. The best of us knew assembly language– the cryptic machine instructions that underpin more or less human-readable languages like C, Cobol, Fortran, and Java. We dealt in bits and bytes, binary and buzzwords, not credits, debits, and balance sheets.
77 Water roof

77 Water plane
Plane atop 77 Water St

Walston was flush. Shortly after I joined, they moved into their fancy new skyscraper at 77 Water Street, a few steps south of Wall. It featured an artificial stream, a padded soda dispenser shaped like a floppy-eared dog, elevators illuminated like the night sky, and a full-size sculpture of a biplane on the roof. You can see it in the opening fly-over sequence of the disappointing movie The Forgotten; there you can spot the airplane still atop 77 Water.

Walston’s cast of characters included my boss Alex, his boss and vice president Paul, and an assistant vice president, Jim. Brokerage firms contain nearly as many vice presidents as they do brokers. The wrinkle in the relationship was Jim had originally hired Paul who passed him on the corporate ladder. Nearing his 25th year with the firm, Jim became marginalized, holding down a desk but no responsibility. Upon retirement, he planned to buy a Land Rover, move to South Africa, cultivate a mustache, and live a life of alternating adventure and leisure. As the weeks ticked away, that’s all he talked about.

Lower Manhatan Financial District
Wall Street and Financial District
Walston’s third floor contained two sections: the computer room and offices occupied by Arthur Anderson overseen by a Walston executive with the musical name Glenn Miller. As systems programmer, I was the rare programmer allowed in the computer room. That drew the attention of Arthur Anderson.

It wasn’t unusual for large corporations to provide offices for their accounting firm, but it wasn’t kosher for one’s auditors to use provided offices to perform work for other companies. The rules for AA were different. As one of the accounting wonks said, saving office space didn't hurt anyone. It may have been true, but violating rules exemplified the looseness of managerial oversight.

Toad in the Hole

Walston brought in two consultants, guys who would tell a company the same common sense advice at five times the price of listening to their employees. That’s one reason I later became a consultant– companies pay to listen to you.

As far as I was concerned, this was more background noise, but one day my boss Alex called me into his office. There sat the consultants and two Arthur Anderson guys amid palpable tension. They wanted me to perform a task: write a program to scan files and ‘correct’ fields, i.e, numbers within the file.

I pointed out I didn’t do that kind of commercial programming and this was far more suitable a task for one of the Cobol programmers. No matter, they assured me, they wanted me. I should be flattered.

Who’s the analyst who designed this? I asked, not feeling the least flattered. I’ll talk with him. No, said the consultant, only you. The Anderson guys nodded while my boss frowned.

Reasonably, I protested that the Cobol programmers possessed the pension suite’s data structure templates. Without them, I had no idea what the data was. It would be like blindly machining a part while they withheld the blueprints, which could damage the data.

The Arthur Anderson guys exchanged glances. My boss started to fidget. The background noise sounded like a clanging alarm. Practiced deceivers they weren't. Something felt wonky but I didn’t know what. They didn’t quite say I had no need to know, only I needn’t be concerned.

Where did a shift of responsibility end and liability begin? Were they buying blind loyalty or blindness? A light bulb went on. I raised my last objection. What about the lack of an audit trail, I asked. Assembler language would bypass all the record and financial controls.

Of course they knew that. They went into a huddle. Moments later, my boss said coldly, “We’re done here. You’re dismissed.”

I slogged back to my desk feeling dark and dysphoric. With good reason: shortly the VP called me in. He informed me the firm would cut my salary and no longer pay my tuition. Alan, the office political toady, would replace me.

Fire and Ice

Suddenly I didn't feel so brilliant. A thunderstorm had squalled up out of the blue. A kid like me didn’t make or have a lot of money and I desperately needed my classes. It didn’t dawn on me to ask why they didn’t dismiss me. Maybe they feared what they thought I knew or wanted to keep tabs on me, but my ego suggested they kept me because Alan the toady was incompetent and incapable of doing my job. He didn’t know machine language but he knew Cobol… and probably knew where to find the questionable data templates. Meanwhile, they were slamming me for questioning orders.

My boss and his boss cold-shouldered me. They almost fired me when the payroll department screwed up and continued paying my tuition, but as was pointed out, that was their error, not mine. We were at loggerheads, but they needed me as much as I needed the job.

The VP’s secretaries treated me with surprising sympathy and kindness. I don’t know how much they knew, but one took me out to lunch and the other gave me a small gift. In the cold light of Walston, they radiated warmth.

In the outside world, Ross Perot had been tacking his way through Wall Street, taking over data processing services, a forerunner of out-sourcing. When the F.I. DuPont scandal hit, Perot stepped in and bought the firm.

I received a cagey call from EDS, the company Perot founded, asking if I’d come to work for them. EDS had a rigid stiff-necked (most said 'tight ass') reputation with a dated, regimented dress code– white shirts, narrow dark ties, grey suits, pants with cuffs, shoes with laces. They subjected potential employees and their spouses to a battery of interviews. Creative thinking was not encouraged. EDS employees liked the money but not one I knew liked the company. I politely declined.

We picked up a programmer from DuPont. Perot had arrived in NYC and put his DuPont troops through sort of a surprise dress parade. As he marched down the line of employees, he came across a girl who wore the fashion of the day– a miniskirt– and fired her on the spot. At Walston, we didn’t mind miniskirts and hired her.

Word on the Street

One day, employees awoke to a lead article by the Wall Street Journal announcing Ross Perot would take over the computing facility of Walston. Vice President Paul turned shockingly white– he hadn't heard even a whisper– but brokerage houses mint vice presidents like they print stock certificates. The company denied the story and things sort of returned to normal.

Except an odd and unsettling thing happened. One month from his 25th year and retirement, Jim, the marginalized AVP found himself called into the VP’s office. Paul, the vice president, fired him. Full retirement gone, no Land Rover, no African adventure, no life of well-earned leisure.

Another discreet call came in for me. The woman on the other end asked me to identify myself, asked if I could talk privately, then said, “Please hold for Mr. Perot.”

Despite what I've heard before and since, Ross was polite, even gracious, and I was flattered he asked me to work for him. But, as I pointed out, I attended university full-time, I wasn’t as regimented as his usual workers, I enjoyed a bachelor life, and– thinking of Perot’s cozy relationship with Richard Nixon– our politics didn’t mesh. He’d famously said he didn’t like gunslingers and lone wolves– and I was the epitome.

He said, “Son, thank you for being honest,” and wished me well. I wondered why he wanted me.

Take Two

Once again, employees learned the news not from their own company but from the WSJ: For the second time within weeks, employees woke to a Journal article confirming Perot would be taking over Walston’s computing center. Again, our shocked vice president had been left out of the loop.

When Perot dropped in to inspect the troops, he spotted the same girl in her minidress we’d hired from F.I. DuPont and again fired her on the spot. Can’t say Perot wasn't consistent.

Days later, Walston fired Vice President Paul two weeks from his 25th year– and full retirement. The firm dismissed the consultants and Arthur Anderson's office underwent a shake-up. Programmers found themselves not only locked out of the computer room, but locked out of the computers.

Except for me. A good systems programmer could run the shop without operators, without analysts, without programmers. Perot didn't trust Walston's people, which explained the recruitment calls to me.

A panicked EDS crew asked where certain files could be found. They asked if I could find backups of older versions. They asked if I knew anything about original programs and data alterations. Unsurprisingly, those hotly desired files were the same my bosses asked me to ‘correct.’ The unasked question finally arose: were they corrections or were they coverups?

I dug into the files only to learn what Arthur Anderson already knew. It appeared Walston’s proprietors had embezzled the company’s retirement fund. Now it made sense why they fired the AVP days from his 25th year. That’s why they fired the VP days from his 25th year. The money was gone, reflected in the records my bosses and Arthur Anderson (or certain employees within Anderson) desperately wanted 'corrected'. The scheme was so compartmentalized, I doubted how much any one party in my department knew, remembering my boss, Alex, claimed the instructions came from on high. "Just follow orders," he said.

I'd been lucky: What might have happened to the joker who tampered with the data? Alan had been lucky: Unable to find his assets with both hands, he'd botched the changes although he left an audit trail.

Trinity Church from Wall Street
Trinity Church framed
by Wall Street

How The Mighty Had Fallen

Perot took over Walston, folding it in with DuPont and again saving Wall Street considerable embarrassment. Two and a half years later, he lost his financial shirt and dismantled a hemorrhaging DuPont Walston. Perot arranged for Congress to give him a special late night $15-million tax break, causing an outcry of socialism for the wealthy when the bill became public knowledge.

Dark forces on Wall Street gleefully watched Perot depart, some accusing him of trickery, some suing him on the way. Whatever the truth of that matter, Walston had been rotting internally before Perot arrived.

Arthur Anderson survived with their reputation barely sullied. Indeed, Anderson and Walston’s Glenn Miller caught more flack for the Four Seasons Nursing Centers scandal than the internal decay within their own firms. It would take the Enron affair to bring down Arthur Anderson.

My services remained in demand and I moved on, still on Wall Street, starting my masters degree before joining forces with two of the earliest software entrepreneurs.

Imagination Noir

In imaginative moments, it’s easy to envision the kernel of a mystery intrigue plot. I picture a John Grisham novel, a storyteller's movie in my mind like The Firm. Had Walston’s board reacted viciously and violently, I might have found myself in a dire plot, on the run for my life with a miniskirted damsel as VPs, AVPs, and Anderson drones dropped dead around me. Excited movie audiences would gasp between mouthfuls of popcorn, women would cry, and children would whisper, “He’s so bwave.”

Maybe a dastardly plot isn't so far-fetched considering the mysterious suicide (or assassination?) of Enron executive Clifford Baxter, about to testify before Congress. But in the world of finance, what’s crooked isn’t always an actionable crime. Commit a fraud of sufficient size and business will hush it up rather than prosecute– not unless something can be gained in the guise of ‘investor confidence’.

Footnote

The case ended with a gentler tone: I commuted to Wall Street on the Staten Island Ferry. One surprisingly sunny afternoon, I spotted Paul, the ex-vice president. He said hello and sat down across from me. Once again open and pleasant, he appeared the man I’d once liked– and could come to like again.

We didn’t talk about Walston. He explained he moved with his aging mother to Keene Valley in upstate New York. Turning his back on Wall Street, this former executive now worked as a carpenter. He spoke of small town pleasures where old men sat in front of the local hardware store whittling and discoursing upon merits of lawnmowers. For the first time in decades, he felt relaxed and at peace.

That pleased me. Paul wasn’t a bad man, merely a figure caught up in the machinating machinery of Wall Street. He offered his hand and we shook warmly.

Looking back, I think his chat was sort of penance, kind of an apology without the words. That was decent, more than many people would have done. And it was enough.

Besides, I’d eventually consult for banks, institutions where further fruits of fraud lay concealed beneath a public veneer.