Freemors Blog

Musings of an East Coast Techie
Posts tagged as security

P.S.A Re: Sextortion E-Mail Scam

2018-10-14 by Freemor

This is just a quick posting to alert those that read my blog that sextortion spammers have changed tactics.

They still claim that they hacked your life but are now claiming to have done so by breaking into an email account. As proof they offer the fact that the "From:" header shows the e-mail as coming from your account.

The important thing to know is that the "From:" header is completely and trivially spoofable. Anyone can send an e-mail with anything they want in the From: line.

Do Not Fall For this.

Here is the raw (source version with all the headers shown) version of one of these spams that hit my mailbox.

From freemor@freemor.ca Sat Oct 13 06:05:01 2018
Return-Path: freemor@freemor.ca
X-Original-To: freemor@freemor.ca
Delivered-To: freemor@freemor.ca
Received: from 213-174-110.netrunf.cytanet.com.cy (213-174-110.netrunf.cytanet.com.cy [213.149.174.110])
by server (Postfix) with ESMTP id 4127571C
for freemor@freemor.ca; Sat, 13 Oct 2018 06:05:01 -0300 (ADT)
Message-ID: <5F7026344D09625F7026344D09625F70@PSFB91RPS>
From: freemor@freemor.ca
To: freemor@freemor.ca
Subject: freemor@freemor.ca was hacked
Date: 13 Oct 2018 13:34:07 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109
Status: RO

Hello freemor@

My nickname in darknet is sauveur16. I'll begin by saying that I hacked this mailbox (please look on 'from' in your header) more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me.

I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited!

I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $500 is quite a fair price to destroy the dirt I created.

Send the above amount on my bitcoin wallet: 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.

Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I'll send to everyone your contact access to your email and access logs, I have carefully saved it!

Since reading this letter you have 48 hours! After your reading this message, I'll receive an automatic notification that you have seen the letter.

I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don't enter your passwords anywhere! Good luck!

Even though both "From" lines say it came from me there are several important facts.

The "Received:" line clearly shows that it actually came from 213-174-110.netrunf.cytanet.com.cy which is not my mail server. It is a computer in the Republic of Cyprus, Most certainly not where my mail server lives. And from the looks of the domain name probably from someone's home.

So let me say it again. The "From:" line in an email means Nothing. It is Trivial to spoof. Anyone with even a tiny bit of knowledge can send e-mails that claim to be from you, or Plato, or the Easter bunny. This type of sextortion scam is just trying to scare you into paying for no reason.

What You Need to Know About efail

2018-06-15 by Freemor

I am writing this because there is a lot of hyperbole about efail

Are GPG/PGP and S/MIME broken?

No. efail is an attack on the mail client. Not on the cryptography. Although there is some mussing with the cryptographic elements That would be very apparent, signatures would fail, etc.

Are my Private Key Compromised, Does this lead to a compromise of the keys?

No. This tricks email reading programs into sending the clear text of the message once it is decrypted back to the attacker.

Is my email program affected?

Maybe. Not all are. There is an excellent chat on page 11 of The official report

Should I disable/stop using GPG or S/MIME?

That depends.

The real problem is HTML rendering in some email clients. Check the list Document mentioned above to see if yours is effected

Patches are coming on-line quickly so check that your E-mail client is up to date

If you are comfortable doing so turn off HTML rendering of E-mail. This will almost completely mitigate the issue. The researchers did not get a non-HTML rendered E-mail to be effected but they do suggest other more complicated things that MAY be able to do that.

Keep in mind that is a complicated Man-in-the-middle attack that requires the attacker to have access to your stored E-mails on the server or your computer or the ability to capture them in transit. This is not something generic hackers will be doing. It is something that Governments and places like the NSA will be interested in. If you are worried about them I'd strongly suggest making sure you are using a non-effected client and disabling HTML rendering.

But for the average person that isn't worried about nation states and spy agencies actively trying to get their stuff I'd say keep using GPG or S/MIME. Apply the patches as they become available. Turn Off HTML Rendering. or move to an unaffected client.

It's better to send encrypted and force people to work at decrypting it then just say fuck it and send everything in the clear and let them have it all with no effort.

The Bullet points

  • The attacker must have access to your E-mails either on the server or in transit
  • Not all email programs are effected
  • Patches are coming quickly
  • This is not a problem with the encryption. It a problem with the E-mail programs
  • Turning off HTML rendering almost completely neuters this attack (except for some theoretical attacks)
  • For the average person this is a low priority and easily mitigated attack.
  • Take the appropriate precautions like moving to a non-effected E-mail reader, patching, plus turning off HTML rendering and keep encrypting.

What You Need to Know about Meltdown and Spectre

2018-01-04 by Freemor

I am writing this because there is a lot of hype, click bait and other stuff going on around Meltdown and Spectre. I want to put out the info in plain simple terms.

First and Foremost

Your computer is not broken or defective.

Intel DID NOT screw up.

The fact that Out-of-order Execution has been around since the '70s and in modern PCs since the mid '90s and the exploit is only now being found shows that this is a extremely clever, highly technical, exploit that builds on much more modern concepts like "CPU cache timing attacks for side channel leakage of information.".

There are software patches already on the way to mitigate the problem. The "performance hits" talked about are not well documented and as the mitigations improve any performance hit will be reduced.

Is it bad?

It is a serious issue. It is not the end of the world, or your computer, or the internet.

What is it?

Both techniques take advantage of a feature of many (not all) modern processors called Out-of-order execution. Which is a technique that most modern CPUs use to get things done more efficiently and faster.

It is NOT a technique to get code on your machine. It is a technique that code that has already gotten on your machine can use to access information that is usually protected.

Access to such information would let the code then bypass several other protections to gain more privileges or steal information from other processes.

What should I do

Breath. Relax. There is no evidence that these have been exploited in the wild yet. Patches/Fixes are coming online quickly.

Apply patches as they become available. Many people are working on ways to mitigate these problems.

What about all the noise.

Sadly this is the type of exploit that makes for great attention grabbing headlines and news coverage. But the facts are much more complex then the mainstream media want to cover. It is much easier to say "Every Intel Processor is effected but this bug." than "There is a highly technical side channel attack on processors that support Out-Of-Order Execution that leads to the leakage of privileged information. This would let them steal information or use information about the layout of system memory to use another advanced technique called Return Oriented Programming to gain full control of the system."