A call from Microsoft Support

This morning I had a call on my mobile from a number in New York – I picked up because I thought it was a friend who was calling. I was quite surprised to hear an Indian woman on the other side of the phone. The conversation went along these lines.

Caller: Hello I am from Microsoft technical support. I am calling because I understand you have a problem with your computer – it contain viruses and is running slow.

Me: Oh gosh, no viruses? What do I do….

Caller: Go to your pc and switch it on. Find the Ctrl key… and press Ctrl + R and tell me what comes up on the screen.

…at this point I hung up. I would have played along a little further but I couldn’t be assed to actually boot up a PC, no matter how interested I was in what she was trying to get me to do. I wasn’t about to let her know I was running on a Mac either. It’s the first time anyone has actually phoned me trying to give me information to allow them to gain access to my PC.

I say this now to my less techy friends – Microsoft doesn’t just call you up to offer you technical support out of the blue, and it’s a bad idea to do anything on your computer that a random caller asks for. I am shocked by this behaviour but really do not know what to do – I’ve no idea where they got my phone number from, or who I would report such things to. I am sure there are people out there that do get caught out by this kind of con – it makes me fairly angry, and want to do something about it, actually knowing that there’s a person out there – a seemingly harmless Indian woman who is willing to help someone hack me – it makes it personal, and offensive – that someone I don’t know wants to cause me harm. Social engineering – actually doing what someone tells you – is probably the easiest pay-off for a hacker: rather than try to compromise your systems, they manipulate you into giving up key information, be it an actual password, or trick you into installing “diagnostics” software.

There are bastards out there. Be careful!

Scamming me on Skype.

I received the following on Skype of all things last night:

Hello Owen am George Boateng a Chartered Accountant by profession with over sixteen (16) years working experience in the Ghana banking sector, however i have with me an important business to share with you which will be of great benefit to both of us because it is in connection with your name and a citizen of your country called Mr. Shafi A. Owen who had a fixed deposit with my bank in 2006 valued at over $14,400.000 Million United state Dollars which the due date for this deposit contract was on the 16th of September 2009. Sadly Mr. Shafi was among the death victims in the May 12th 2008 China earthquake that left over 67,000 people dead.

My bank management is yet to know about his death and i knew about it because am his account officer who open the account for him, meanwhile Mr. Shafi did not mention any Next of Kin / Heir when the account was opened and last week my Bank Management requested that Mr. Shafi should give instructions on what to do about his funds and this is why have been looking for a means to handle the situation because if my Bank Management happens to know that Mr. Shafi is dead and do not have any heir they will take the money for their personal use and i don’t want such to happen.

That was why when i saw your name i was happy and am now seeking your co-operation to present you as Next of Kin to the account since you have the same name with him and my bank will release the account to you with my help in activating your full name in to our bank data base system as the beneficiary to Mr. Shafi so as to enable you to claim the funds and this transaction will be executed under a legitimate arrangement that will protect you from any breach of law, It is better that we claim the money than allowing the Bank management to take it. I am not a greedy person so I suggest we share the funds equal 50% / 50% to both parties, let me know your mind on this and do treat this information as Top Secret while i send to you the full details and documentation once i receive your urgent response by email.

Best Regards George Boateng

Email: georgeboateng1960@gmail.com

…how stupid do these people think we are – variations on this scam have been going on for years, and the frightening thing for me is that if they keep trying this they must have some kind of success rate even if it’s small. I am sure I have ranted about hoaxes before when people send me this stuff through the net without even trying to verify it.

Please, if anyone ever receives one of these, please discard it. If you’re tempted to take it seriously, at least Google the details of the mail with the words hoax and scam. If it sounds too good to be true it normally is – though in the case above there are several reasons it looks stupid!

Passwords

Breaking into Windows.

Restricting physical access to computers and password protecting the BIOS is essential – it doesn’t matter if you’re running Windows XP, Windows 7, Windows Server 2008 or any other operating system!
 
The other day at work we had a server that had a broken domain connection and we had no idea of the system password. Literally we downloaded a tool, burned it to DVD and just restarted the computer – from there within 5 minutes we had reset the admin password and gained system access. 
 
There are some important lessons there that would have stopped us or slowed us down:
 

  1. Encrypt your system drive using something like BitLocker – if we couldn’t access the SAM on the local operating system we couldn’t have done it.
  2. Make sure your BIOS disables booting from anywhere but your system drive – we could have done this from a USB or CD  
  3. Make sure your BIOS is password protected  
  4. Restrict physical access to the system – even with all the measures above there are ways in if you are imaginative with some knowledge of hardware
  5. Bear in mind we can do the same trick with virtual machines

 
As I said in our case we had permission to access the system – but someone with bad intentions could also get in the same way. Security is commonly not given importance until an incident when it is suddenly too late. 
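As an added example (not part of the original post), the following PowerShell checks the first lesson above on a Windows machine: whether the system drive could be read from boot media, which is what made the SAM reachable. It uses the built-in BitLocker module; the function name Test-OsVolumeOfflineExposure is hypothetical, and it must be run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: audits the OS volume for the condition the post relied on,
# namely a system drive whose contents are readable when booted from other media.

function Test-OsVolumeOfflineExposure {
    param([string]$MountPoint = $env:SystemDrive)

    # Get-BitLockerVolume ships with the BitLocker feature on Windows.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $findings = @()

    # Anything short of FullyEncrypted leaves plaintext sectors on disk.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume status is $($vol.VolumeStatus) " +
                     "($($vol.EncryptionPercentage)% encrypted): " +
                     "files can be read from boot media."
    }

    # A fully encrypted volume with protection Off is "suspended": the key
    # is stored in the clear on disk, so encryption gives no offline protection.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection status is $($vol.ProtectionStatus): " +
                     "the volume key is not protected."
    }

    # List the protector types so a reviewer can see how the key is guarded.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if ($types.Count -eq 0) {
        $findings += 'No key protectors are configured.'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = $types -join ', '
        Exposed          = ($findings.Count -gt 0)
        Findings         = $findings
    }
}

Test-OsVolumeOfflineExposure | Format-List
```

The firmware boot order and firmware password from lessons 2 and 3 are not covered here, because how they are read depends on the hardware vendor.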
 

Advanced searching with Google

There are lots of really powerful things you can do with Google, particularly if you’re a bad person and don’t care about the law! I present a few things here because many administrators and site owners pay little attention to securing their sites, and there’s a mistaken perception in some places that obscurity is a form of security – this couldn’t be further from the truth. So here are some things you may have missed – try typing them into Google search! These are examples to prove a point.

Finding Music, ebooks, and videos

Finding webcams that haven’t been properly secured:

Find all the images on a site:

http://images.google.com/search?hl=en&q=site%3Aowenrichardson.com&gbv=2&biw=1892&bih=1102&sei=TzLtTvyrF6fU4QSo5eTwCA&tbm=isch

… change the site name (owenrichardson.com in the URL above) to whatever site pleases you.

Other Cool Search Operators:

  • link:URL = lists other pages that link to the URL.
  • related:URL = lists other pages that are related to the URL.
  • site:domain.com “search term” = restricts search results to the given domain.
  • allinurl:WORDS = shows only pages with all search terms in the url.
  • inurl:WORD = like allinurl: but filters the URL based on the first term only.
  • allintitle:WORD = shows only results with terms in title.
  • intitle:WORD = similar to allintitle, but only for the next word.
  • cache:URL = will show the Google cached version of the URL.
  • info:URL = will show a page containing links to related searches, backlinks, and pages containing the url. This is the same as typing the url into the search box.
  • filetype:SOMEFILETYPE = will restrict searches to that filetype
  • -filetype:SOMEFILETYPE = will remove that file type from the search.
  • site:www.somesite.net “+www.somesite.net” = shows you how many pages of your site are indexed by google
  • allintext: = searches only within text of pages, but not in the links or page title
  • allinlinks: = searches only within links, not text or title
  • WordA OR WordB = search for either the word A or B
  • “Word” OR “Phrase” = search exact word or phrase
  • WordA -WordB = find word A but filter results that include word B
  • WordA +WordB = results must contain both Word A and Word B
  • ~WORD = looks up the word and its synonyms
  • ~WORD -WORD = looks up only the synonyms to the word

I can’t take the credit for compiling the information above – I dug most of it out of marcandangel.com because to be honest I don’t see the point of reinventing the wheel. Google has a lot of power under the hood that is easy to miss, and it’s also easy to abuse – that said, using some of the operators above can transform your whole search experience.
