Worrying Caller


Chester


Hi

 

Just had a caller on the doorstep claiming to be a freelance reporter from one of the Sunday papers. Had ID but don't know if genuine.

 

Knew my name and my wife's name.

 

Said he was investigating instances of people's PCs being hacked and he had screenshots of the folder structure and details of some of the files from my NAS - which was correct!!!!!

 

I keep my home network locked down fairly tightly with MAC address filtering on my wifi and run Symantec AV and firewall. Fairly certain that I haven't been hacked.

 

He left after I denied that it was my folder structure and file names.

 

He then came back a few minutes later and told me what the make of my hard drive is (actually it's a NAS).

 

Again I denied it was the correct make.

 

I suspect, if I invited him in he would want access to my PC to 'check' on certain things! The rest then would be history as they say.

 

I work in IT and co-authored the ISMS (to ISO27001 standards) at the company I work for so have a reasonable understanding of IT security. In fact I'm considering getting a CISM/CISP or Lead Integrator qualification.

 

What I don't understand is where he has got the info from!!!!!!!

 

Any suggestions?

 

Mark


Did you ask to see his press card ?

 

Presume no USB sticks, media transiting home to office and vice versa, no office wifi, no mobiles in the office then, including tradesmen and visitors?

 

If not, it's leaky. Witness the Santander exercise recently.

 

Or this could be an RFI/electrical induction situation with a guy standing outside with a directional aerial or something, like an RFI amplifier/repeater "inadvertently" left in the office.

 

Would by any chance the Network software be Microsoft based ?

 

Nick

Edited by Clunkclick


Hi Chester, you're the IT expert, so you will have a MUCH better idea of where the 'reporter' got the screen prints from.

 

I find it very worrying that he did that, I would have invited him/her inside while my wife called the police ;)


If I had a "caller on the door step claiming to be a free lance reporter from one of the Sunday papers" with detailed knowledge of ANYTHING inside my house I think I would be a wee bit more proactive about investigating than you seem to be.

 

The fact you are an alleged "IT Expert" at your place of work and are thinking of gaining some worthless certification adds further insult to the concept of IT Expertise. Experience, common sense and an inquisitive personality are worth far more :(

 

 

As a matter of interest, do you subscribe to the view that "Life is short"?


Just because you know your stuff doesn't mean everyone in your house does.

 

Having the structure of your drives suggests you have a RAT. (Remote Access Trojan).

 

However I'd have been demanding how the reporter got the info and, since it is personal information, how he is planning on staying compliant with the DPA. I'd be telling him he'd better remove all that information and that you'll be following that up with an SAR and a letter to the ICO.

 

I've just started studying for my CISSP. Pointless but gets you jobs.

 

Shouldn't be too hard to track down the reporter, especially if he's freelance.

Edited by Aspman

Personally I'd have invited him in & called the police & if he got nasty I would have banged him around the head & made a citizens arrest. Basically he has just proved even if he is genuine that he deals in hacked personal details, not clever.

 

As for security, don't broadcast the SSID, MAC filter, good alphanumeric password. Have you noticed any dodgy looking cars/vans with people sitting inside for a while?


 

good luck with that


 

I presume the part about restraining him... been there & done that. Working in shops over a few decades I have had to deal with drunks, druggies etc. Had to keep one druggy in the shop whilst the police came around as he tried to leave the shop without paying for items he had acquired under his coat!

 

If in my home, then I will fight... had one nasty situation years ago when younger with a nutty neighbour smashing my father's car up & getting into the house, managed to corral said person & their friend in the kitchen, should have seen the number of police that turned up!! Three patrol cars full!!! ... they got nicked...


I'd be running around changing passwords etc. Might also be worth shutting down the NAS drive for a while too.

If he calls again get more info out of him and phone the police, though they may not be interested to be honest. Also remember, as stated previously, he's broken the law by breaking data protection laws.

Get checking all your networked devices in the house, wired and wireless. Kids' devices, wife's and yours too.

Change your wireless credentials and settings. Also do you have any ethernet powerline adapters? Get them unplugged ASAP.


 

If they are into the systems, then you also need to change your SSID and other settings. The thing is, if they are in they could still be in when you are changing all the settings, so they will know all the new stuff! Personally I'd disconnect all Wi-Fi & put a metal tub over the router aerial. Then using cables to all devices reset all the computers' security etc., then when running all OK remove the metal tub from the Wi-Fi aerials.


Story in the Daily Fail today on this.

 

Flaw in some iomega / Lenovo NAS drives making them internet accessible.

 

http://www.dailymail.co.uk/news/article-3207396/Thousands-exposed-massive-new-data-hack-s-not-just-adulterers-outed-web-PC-hard-drive-risk-Google-hackers.html

 

Shodan - http://www.shodanhq.com/

 

The Lenovo vuln isn't new, so possibly the Shodan service is just coming to light.


Thanks for all of the replies!

 

Quick update - contacted the Mail who confirmed they did have a reporter call to see me.

 

http://www.dailymail.co.uk/news/article-3207396/Thousands-exposed-massive-new-data-hack-s-not-just-adulterers-outed-web-PC-hard-drive-risk-Google-hackers.html

Edited by Chester

Nothing in the trade press about anything new. What kind of NAS do you have? Is it a proper NAS or just a USB drive?

 

I've seen similar vulnerabilities for Iomega/Lenovo and Seagate now but nothing new.

http://www.theregister.co.uk/2015/03/10/seagate_that_remote_0day_aint_so_bad_well_patch_it_in_two_months/

 

I've got a WD USB box at home but I don't use any of the manufacturers tools to manage it.

 

Iomega search is coming up high on the suggested sites for Shodan so if you still have the box I'd get it offline or behind a firewall sharpish.

Edited by Aspman

Perhaps they got the info before it was patched?

 

Does your router have firewall rules allowing you to block external traffic to/from the NAS? Or even just necessary ports?


that's really not the same thing though


FK Me!

 

Just spent 2 min on Shodan and even without an account you can get a list of internet-connected devices.

It even shows the landing screen name i.e. "Log in"

 

If there is no password set then you go straight in.

 

Gives you the live IP of the device too, so even if it is locked you've got the target IP and the device name to use any known vulnerabilities.

 

I'll need to have a dig now to make sure none of the work stuff is on there.

 

IOT what a **** idea


 

At least the bloke turned out to be genuine! ... a relief then!

 


 

So you can search by typing in your own IP & see if it is in the list? I vaguely remember when Shodan first hit a few years back, but this is a bit worrying! More for the info that solicitors, etc. that I deal with have on their files, which might be on the web now!

 

As for bloatware, when I build a computer that's the first stuff on the uninstall list, should have seen the carp that came with the new high end Gigabyte mobo I got... masses! Ran some to see what it did, then uninstalled! Most of this stuff is supposed to make it easier to do stuff, like alter BIOS stuff in the main WIN environment, but it slows things down! I prefer to run BIOS in BIOS!

 

As for backup hard drives I build my own again, as I hate the stuff that comes on the premade ones as standard!


2 weeks later...


Many points to be raised here, most of which I expect to be shot down with because of not being one of the "known faces" of Briskoda but hey...

 

If he had screenshots of the folder structure of the files from your NAS, then regardless of your understanding of IT security, you've ballsed up.

 

MAC address filtering is hardly worth bothering with.

AV and firewalls are not foolproof, I'm guessing you're not the only person in the house who uses this equipment? Someone else could have something malicious in their profile on your computer, or on another computer in the house.

You did right to not allow him access to anything, but then if he has your folder structure in front of him, then he essentially already has some kind of access anyway, unbeknownst to you. If he was seriously malicious, he would have cryptolocked your stuff and just held you to ransom, IMO.

The info probably did come from Shodan, it's a fantastic tool (named after what I remember to be a fantastic game, although I last played it 20-odd years ago so there may be some rose-tinted specs involved)

You may have blocked access to the web portal of the NAS, but have you made sure to block all the sharing ports (21, 137-139, 445, 2049 if it does NFS, 443 if it has a secure web server, or WebDAV server, etc.)? You may find it's leaking information over another port, and you may find that if it's UPnP-enabled then it's just created its own NAT port forward without you even knowing (under the guise of being "helpful").

Have you made sure that all guest access is disabled if you're using an account which doesn't have a valid username/password on the NAS?

 

I think Nick's idea of a guy standing outside with an aerial is nonsense, since I assume as an IT professional your wireless network is WPA2 using CCMP encryption? I can only actually remember a single vulnerability in WPA2-CCMP, which was the "Hole 196" vulnerability from 2010 whereby an attacker could potentially receive any particular client's unique private key and decrypt it, but that requires the attacker to actually be on the WLAN in the first place (so more suited for coffee shops, hotels, etc with a public WPA2 "secure" network). There may well be more though.

 

The fact it's an Iomega with "the latest firmware" doesn't fill me with confidence given that iomega.com has been domain-squatted (meaning that a) it was allowed to lapse and b) no one cared about it any more for the next 2 months where they could have still renewed it even after it expired). I'm guessing that Iomega as a company are now well into end-of-life, and their products even more so. Personally I would be looking into my migration plans to a new NAS - it may be fine now, but it'll die eventually, and you'll be on your own with a set of disks that may well be inaccessible in any other appliance. As above, I prefer my disks in a more generic software RAID; currently I run a nice "self-healing" ZFS mirror, and if my box dies I can throw those disks into anything running FreeBSD, Linux, Solaris, OpenIndiana, FreeNAS, Nexenta, etc. I have a ton of options, which you may no longer have if Iomega have indeed kicked the bucket. Personally I think a new NAS should be close to the top of your list. Changing your SSID with an attacker connected is less than ideal; if the router admin page isn't encrypted in its own right then the attacker (if still connected) could sniff out the HTTP POST that you send to the router containing the new SSID/password you want to use, in which case as above they're straight back in again.

 

I couldn't find any solid reference to Nick's "Santander exercise" as I seem to recall he never provides useful links to the guff he refers to, but I assume it's this - http://www.theguardian.com/money/2015/aug/22/santander-withdrawals-fraud

 

"It informed me, however, that the transactions had been made from the same IP address I used to access my internet banking, and they quoted me what they said was my IP address, and that my “Verified by Visa” password had been used. The implication seemed to be that I had made these transactions. On 6 July, I received a letter confirming it would not be reimbursing me. I appealed, categorically denying I had made these transactions and pointing out that my IP address was not the one it quoted. But it rejected my appeal.

I find this extraordinary as Santander alerted me to the fraud in the first place. It must have come about by a third party hacking into my computer or into my Wi-Fi network, and I find it very unfair that the bank will not reimburse me."

 

Home IP addresses are almost always dynamic, so just because the IP doesn't match NOW doesn't mean it didn't match at the time of the offence, given that there was a delay between the fraud and the receipt of the letter saying the customer wouldn't be refunded. Also if someone had hacked the WiFi or their computer, then it WOULD have been their IP address on the transaction. So the assertion in the last line is complete balls; if the IP address of the fraudulent access was not your IP address, then someone has your banking credentials but not necessarily access to your network (still bad, obviously, but in a different way). When done correctly, modern wireless networks are pretty secure so access is unlikely given OP's status as an IT professional.
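The port-forward audit the post above suggests (and the router firewall question asked earlier in the thread), as an added example that is not from this thread or any poster: it parses a constructed sample of the kind of NAT/UPnP mapping table a home router's admin page lists and flags any entry that exposes one of the NAS sharing ports named in the post to the WAN. The host address and mapping layout are assumed for illustration.

```python
"""Audit a router's port-forward / UPnP mapping table for exposed NAS services.

Added example, not code from the thread.  The mapping format and the NAS
address are assumptions; the sample table below is constructed.
"""
from dataclasses import dataclass

# NAS service ports the post lists as not belonging on the internet side.
NAS_SERVICE_PORTS = {
    21: "FTP",
    137: "NetBIOS name",
    138: "NetBIOS datagram",
    139: "NetBIOS session (SMB)",
    445: "SMB",
    2049: "NFS",
    443: "HTTPS admin / WebDAV",
}


@dataclass
class Mapping:
    proto: str       # TCP or UDP
    ext_port: int    # port opened on the WAN side
    int_host: str    # LAN host the traffic is forwarded to
    int_port: int    # port on that LAN host
    desc: str        # router's description, e.g. "(UPnP)" for auto-created


def parse_mappings(text):
    """Parse 'proto ext_port int_host int_port description' lines; skip comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, ext, host, port, *desc = line.split(None, 4)
        out.append(Mapping(proto.upper(), int(ext), host, int(port),
                           desc[0] if desc else ""))
    return out


def exposed_nas_services(mappings, nas_host):
    """Return (wan_port, service, auto_created) for every forward into the NAS
    that lands on a known sharing/admin port.  UPnP-created entries are the
    ones the owner never configured, so they are marked separately."""
    findings = []
    for m in mappings:
        if m.int_host == nas_host and m.int_port in NAS_SERVICE_PORTS:
            findings.append((m.ext_port, NAS_SERVICE_PORTS[m.int_port],
                             "upnp" in m.desc.lower()))
    return findings


# Constructed sample of a router's forwarding table (assumed layout).
SAMPLE_TABLE = """
# proto  ext   internal-host  int   description
TCP     445   192.168.1.20   445   NAS-SMB (UPnP)
TCP     8443  192.168.1.20   443   NAS-web (UPnP)
UDP     5060  192.168.1.30   5060  voip-phone
TCP     22    192.168.1.10   22    ssh-host
"""

if __name__ == "__main__":
    for wan_port, svc, auto in exposed_nas_services(parse_mappings(SAMPLE_TABLE), "192.168.1.20"):
        print(f"WAN port {wan_port} -> NAS {svc}" + ("  [created by UPnP]" if auto else ""))
```

Any finding means the NAS service is reachable from the internet regardless of the web portal being locked down; the fix is to delete the forward (and disable UPnP on the router so it cannot recreate it).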
