Shhh… Anatomy of a Hack – What Should You Do After You're Hacked?

Ever wonder what happens when one’s hacked?

Here’s an insightful, chilling account of how one victim attempted to trace the hacker who invaded his online life and Bitcoin wallet.

[Image: Anatomy of a Hack]

Anatomy of a Hack

In the early morning hours of October 21st, 2014, Partap Davis lost $3,000. He had gone to sleep just after 2AM in his Albuquerque, New Mexico, home after a late night playing World of Tanks. While he slept, an attacker undid every online security protection he had set up. By the time he woke up, most of his online life had been compromised: two email accounts, his phone, his Twitter, his two-factor authenticator, and most importantly, his bitcoin wallets.

Davis was careful when it came to digital security. He chose strong passwords and didn’t click on bogus links. He used two-factor authentication with Gmail, so when he logged in from a new computer, he had to type in six digits that were texted to his phone, just to make sure it was him. He had made some money with the rise of bitcoin and held onto the bitcoin in three protected wallets, managed by Coinbase, Bitstamp, and BTC-E. He also used two-factor with the Coinbase and BTC-E accounts. Any time he wanted to access them, he had to verify the login with Authy, a two-factor authenticator app on his phone.

Other than the bitcoin, Davis wasn’t that different from the average web user. He makes his living coding, splitting time between building video education software and a patchwork of other jobs. On the weekends, he snowboards, exploring the slopes around Los Alamos. This is his 10th year in Albuquerque; last year, he turned 40.

After the hack, Davis spent weeks tracking down exactly how it had happened, piecing together a picture from access logs and reluctant customer service reps. Along the way, he reached out to The Verge, and we added a few more pieces to the puzzle. We still don’t know everything — in particular, we don’t know who did it — but we know enough to say how they did it, and the points of failure sketch out a map of the most glaring vulnerabilities of our digital lives.

Mail.com

It started with Davis’ email. When he was first setting up an email account, Davis found that Partap@gmail.com was taken, so he chose a Mail.com address instead, setting up Partap@mail.com to forward to a less memorably named Gmail address.

Some time after 2AM on October 21st, that link was broken. Someone broke into Davis’ mail.com account and stopped the forwarding. Suddenly there was a new phone number attached to the account — a burner Android device registered in Florida. There was a new backup email too, swagger@mailinator.com, which is still the closest thing we have to the attacker’s name.

For simplicity’s sake, we’ll call her Eve.

How did Eve get in? We can’t say for sure, but it’s likely that she used a script to target a weakness in Mail.com’s password reset page. We know such a script existed. For months, users on the site Hackforum had been selling access to a script that reset specific account passwords on Mail.com. It was an old exploit by the time Davis was targeted, and the going rate was $5 per account. It’s unclear how the exploit worked and whether it has been closed in the months since, but it did exactly what Eve needed. Without any authentication, she was able to reset Davis’ password to a string of characters that only she knew.

AT&T

Eve’s next step was to take over Partap’s phone number. She didn’t have his AT&T password, but she just pretended to have forgotten it, and ATT.com sent along a secure link to partap@mail.com to reset it. Once inside the account, she talked a customer service rep into forwarding his calls to her Long Beach number. Strictly speaking, there are supposed to be more safeguards required to set up call forwarding, and it’s supposed to take more than a working email address to push it through. But faced with an angry client, customer service reps will often give way, putting user satisfaction over the colder virtues of security.

Once forwarding was set up, all of Davis’ voice calls belonged to Eve. Davis still got texts and emails, but every call was routed straight to the attacker. Davis didn’t realize what had happened until two days later, when his boss complained that Davis wasn’t picking up the phone.

Google and Authy

Next, Eve set her sights on Davis’ Google account. Experts will tell you that two-factor authentication is the best protection against attacks. A hacker might get your password or a mugger might steal your phone, but it’s hard to manage both at once. As long as the phone is a physical object, that system works. But people replace their phones all the time, and they expect to be able to replace the services, too. Accounts have to be reset 24 hours a day, and two-factor services end up looking like just one more account to crack.

Davis hadn’t set up Google’s Authenticator app, the more secure option, but he had two-factor authentication enabled — Google texted him a confirmation code every time he logged in from a new computer. Call forwarding didn’t pass along Davis’ texts, but Eve had a back door: thanks to Google’s accessibility functions, she could ask for the confirmation code to be read out loud over the phone.

Authy should have been harder to break. It’s an app, like Authenticator, and it never left Davis’ phone. But Eve simply reset the app on her phone using a mail.com address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve’s control.

It was the same trick that had fooled Google: as long as she had Davis’ email and phone, two-factor couldn’t tell the difference between them. At this point, Eve had more control over Davis’s online life than he did. Aside from texting, all digital roads now led to Eve.

Coinbase

At 3:19AM, Eve reset Davis’s Coinbase account, using Authy and his Mail.com address. At 3:55AM, she transferred the full balance (worth roughly $3,600 at the time) to a burner account she controlled. From there, she made three withdrawals — one 30 minutes after the account was opened, then another 20 minutes later, and another five minutes after that. After that, the money disappeared into a nest of dummy accounts, designed to cover her tracks. Less than 90 minutes after his Mail.com account was first compromised, Davis’ money was gone for good.

Authy might have known something was up. The service keeps an eye out for fishy behavior, and while they’re cagey about what they monitor, it seems likely that an account reset to an out-of-state number in the middle of the night would have raised at least a few red flags. But the number wasn’t from a known fraud center like Russia or Ukraine, even if Eve might have been. It would have seemed even more suspicious when Eve logged into Coinbase from the Canadian IP. Could they have stopped her then? Modern security systems like Google’s ReCAPTCHA often work this way, adding together small indicators until there’s enough evidence to freeze an account — but Coinbase and Authy each only saw half the picture, and neither had enough to justify freezing Partap’s account.

BTC-E and Bitstamp

When Davis woke up, the first thing he noticed was that his Gmail had mysteriously logged out. The password had changed, and he couldn’t log back in. Once he was back in the account, he saw how deep the damage went. There were reset emails from each account, sketching out a map of the damage. When he finally got into his Coinbase account, he found it empty. Eve had made off with 10 bitcoin, worth more than $3,000 at the time. It took hours on the phone with customer service reps and a faxed copy of his driver’s license before he could convince them he was the real Partap Davis.

What about the two other wallets? There was $2,500 worth of bitcoin in them, with no advertised protections that the Coinbase wallet didn’t have. But when Davis checked, both accounts were still intact. BTC-e had put a 48-hour hold on the account after a password change, giving him time to prove his identity and recover the account. Bitstamp had an even simpler protection: when Eve emailed to reset Davis’s authentication token, they had asked for an image of his driver’s license. Despite all Eve’s access, it was one thing she didn’t have. Davis’ last $2,500 worth of bitcoin was safe.

Twitter

It’s been two months now since the attack, and Davis has settled back into his life. The last trace of the intrusion is Davis’ Twitter account, which stayed hacked for weeks after the other accounts. @Partap is a short handle, which makes it valuable, so Eve held onto it, putting in a new picture and erasing any trace of Davis. A few days after the attack, she posted a screenshot of a hacked Xfinity account, tagging another handle. The account didn’t belong to Davis, but it belonged to someone. She had moved onto the next target, and was using @partap as a disposable accessory to her next theft, like a stolen getaway car.

Who was behind the attack? Davis has spent weeks looking for her now — whole afternoons wasted on the phone with customer service reps — but he hasn’t gotten any closer. According to account login records, Eve’s computer was piping in from a block of IP addresses in Canada, but she may have used Tor or a VPN service to cover her tracks. Her phone number belonged to an Android device in Long Beach, California, but that phone was most likely a burner. There are only a few tracks to follow, and each one peters out fast. Wherever she is, Eve got away with it.

Why did she choose Partap Davis? She knew about the wallets upfront, we can assume. Why else would she have spent so much time digging through the accounts? She started at the mail.com account too, so we can guess that somehow, Eve came across a list of bitcoin users with Davis’ email address on it. A number of leaked Coinbase customer lists are floating around the internet, although I couldn’t find Davis’ name on any of them. Or maybe his identity came from an equipment manufacturer or a bitcoin retailer. Leaks are commonplace these days, and most go unreported.

Davis is more careful with bitcoin these days, and he’s given up on the mail.com address — but otherwise, not much about his life has changed. Coinbase has given refunds before, but this time they declined, saying the company’s security wasn’t at fault. He filed a report with the FBI, but the bureau doesn’t seem interested in a single bitcoin theft. What else is there to do? He can’t stop using a phone or give up the power to reset an account. There were just so many accounts, so many ways to get in. In the security world, they call this the attack surface. The bigger the surface, the harder it is to defend.

Most importantly, resetting a password is still easy, as Eve discovered over and over again. When a service finally stopped her, it wasn’t an elaborate algorithm or a fancy biometric. Instead, one service was willing to make customers wait 48 hours before authorizing a new password. On a technical level, it’s a simple fix, but a costly one. Companies are continuously balancing the small risk of compromise against the broad benefits of convenience. A few people may lose control of their account, but millions of others are able to keep using the service without a hitch. In the fight between security and convenience, security is simply outgunned.
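The two controls that actually mattered in this story are a post-reset cool-down on moving funds (the 48-hour hold) and the aggregation of small risk signals that Coinbase and Authy each saw only half of. The following added example models both; it is not code from The Verge, Coinbase, Authy or any exchange, and the signal weights, threshold, regions and timestamps are constructed for illustration.

```python
"""Two defensive controls from the account above: a post-reset hold on withdrawals
(the BTC-e behaviour) and cross-service aggregation of reset-risk signals.
Weights, threshold, regions and timestamps are constructed for this example."""
from datetime import datetime, timedelta

HOLD_AFTER_RESET = timedelta(hours=48)  # cool-down before a reset account may move funds
FREEZE_THRESHOLD = 3                    # constructed: total signal weight that freezes an action

WEIGHTS = {
    "phone_moved_to_new_region": 1,     # 2FA re-bound to a phone in a different state
    "reset_at_off_hours": 1,            # credential reset in the middle of the night
    "login_from_new_country": 1,        # withdrawal requested from an IP outside the home country
    "withdrawal_soon_after_reset": 1,   # funds moved within an hour of the reset
}


def authenticator_signals(reset_time, old_phone_region, new_phone_region):
    """What a 2FA service alone can see when its account is re-bound to a new phone."""
    found = []
    if new_phone_region != old_phone_region:
        found.append("phone_moved_to_new_region")
    if reset_time.hour < 6:
        found.append("reset_at_off_hours")
    return found


def exchange_signals(withdraw_time, reset_time, login_country, home_country):
    """What a wallet service alone can see on a withdrawal request."""
    found = []
    if login_country != home_country:
        found.append("login_from_new_country")
    if withdraw_time - reset_time < timedelta(hours=1):
        found.append("withdrawal_soon_after_reset")
    return found


def score(signals):
    """Sum the weights of the distinct signals observed."""
    return sum(WEIGHTS[s] for s in set(signals))


def decide(signals, withdraw_time=None, reset_time=None, enforce_hold=False):
    """'hold' if a post-reset cool-down applies, otherwise 'freeze'/'allow' by aggregated score."""
    if enforce_hold and withdraw_time - reset_time < HOLD_AFTER_RESET:
        return "hold"
    return "freeze" if score(signals) >= FREEZE_THRESHOLD else "allow"


def walkthrough():
    """Replay the timeline: 2FA reset shortly after 3AM, withdrawal at 3:55AM from a foreign IP.
    Each service on its own stays under the threshold; the shared view does not."""
    reset_time = datetime(2014, 10, 21, 3, 5)       # constructed: 'a few minutes after 3AM'
    withdraw_time = datetime(2014, 10, 21, 3, 55)
    auth_view = authenticator_signals(reset_time, "New Mexico", "California")
    wallet_view = exchange_signals(withdraw_time, reset_time, "Canada", "US")
    return {
        "authenticator_alone": decide(auth_view),
        "wallet_alone": decide(wallet_view),
        "shared_signals": decide(auth_view + wallet_view),
        "wallet_with_hold": decide(wallet_view, withdraw_time, reset_time, enforce_hold=True),
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name:>20}: {outcome}")
```

Run as a script it prints the four outcomes: each service alone allows the withdrawal, the combined signals would freeze it, and the plain 48-hour hold stops it without any scoring at all, which is exactly the cheap fix the column describes.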

3/5 11:10am ET: Updated to clarify Bitstamp security protocols.

Are You Unique – How to Check Your Browser Fingerprints & Online Privacy?

Think you have taken all measures to remain anonymous and untraceable online? Or are you still (unknowingly) leaving browser fingerprints that can be traced to you and your devices?

The good news is, there’s a way to check and confirm if you are unique in cyberspace.

A browser fingerprint, or device fingerprint, is the systematic collection of information about a remote device for identification purposes, even when cookies are turned off.
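What a site such as Am I Unique actually computes is how many other visitors share your attribute set, and how many bits of identifying information each attribute leaks. The following is an added example of that measurement, not the site's own code; the browser population it uses is constructed for illustration and is not survey data.

```python
"""Browser-fingerprint uniqueness, as measured by sites like Am I Unique.
The population below is constructed for this example; it is not real survey data."""
import hashlib
import json
import math
from collections import Counter


def profile(ua, tz, screen, fonts, plugins):
    """A minimal attribute set a page can collect without any cookie."""
    return {"ua": ua, "tz": tz, "screen": screen, "fonts": fonts, "plugins": plugins}


COMMON = profile("Chrome/38 Windows", "-5", "1366x768", "Arial,Calibri", "Flash")
RARE_LINUX = profile("Firefox/33 Linux", "-7", "1920x1080", "DejaVu Sans", "")

# Constructed population of eight browsers: four identical common ones, a few variants, one rare.
POPULATION = (
    [COMMON] * 4
    + [profile("Chrome/38 Windows", "-8", "1366x768", "Arial,Calibri", "Flash")] * 2
    + [profile("Safari/8 Mac", "-5", "1440x900", "Helvetica", "")]
    + [RARE_LINUX]
)


def fingerprint(attrs):
    """Stable hash over the canonicalised attribute set; the same attributes always hash alike."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def how_unique(attrs, population):
    """Return (anonymity-set size, identifying bits) for attrs within population.
    Bits = log2(N / matches): 0 bits means everyone matches, log2(N) means you are unique."""
    counts = Counter(fingerprint(p) for p in population)
    matches = counts.get(fingerprint(attrs), 0)
    if matches == 0:
        return 0, math.inf
    return matches, math.log2(len(population) / matches)


def attribute_entropy(population):
    """Shannon entropy (bits) of each attribute across the population.
    The attribute with the highest value is the one that identifies visitors most."""
    n = len(population)
    result = {}
    for key in population[0]:
        freq = Counter(p[key] for p in population)
        result[key] = -sum(c / n * math.log2(c / n) for c in freq.values())
    return result


if __name__ == "__main__":
    for label, attrs in (("common", COMMON), ("rare", RARE_LINUX)):
        size, bits = how_unique(attrs, POPULATION)
        print(f"{label}: {size} of {len(POPULATION)} browsers match, {bits:.1f} identifying bits")
    for key, h in sorted(attribute_entropy(POPULATION).items(), key=lambda kv: -kv[1]):
        print(f"  {key}: {h:.2f} bits")
```

The practical lesson is in the entropy table: a rare font list or an unusual screen size buys more identifying bits than the user agent, so the privacy-preserving move is to look like the largest anonymity set, not to look unusual.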

There’s a web site “Am I Unique” which you can visit and check by clicking “View my browser fingerprint” as shown below:

[Image: Am I Unique browser fingerprint check]

That should give much food for thought over the Christmas holidays.

A recent international survey of 23,376 Internet users in 24 countries, carried out between October 7, 2014 and November 12, 2014, found that some 64 percent confessed they’re more concerned today about online privacy than they were a year ago.

[Image: privacy survey results]

That’s one way to gauge the post-Snowden effects. And if you still wonder why privacy matters, I highly recommend Glenn Greenwald’s TED Talk “Why Privacy Matters”.

Shhh… Counting the Costs of FBI's Operation Onymous

[Image: Operation Onymous]

The FBI announced last week that law enforcement agencies including the bureau, the Department of Homeland Security and Europol have arrested 26-year-old San Francisco resident Blake Benthall (below), who was allegedly the operator and administrator – under the handle “Defcon” – of the online drugs marketplace Silk Road 2.0, just a year after the original Silk Road’s alleged mastermind, Ross Ulbricht, was also arrested in San Francisco.

[Image: Blake Benthall]

According to related court documents, Benthall was charged last Friday with narcotics trafficking, as well as conspiracy charges related to money laundering, computer hacking, and trafficking in fraudulent identification documents – charges to which Benthall reportedly “admitted to everything”.

“The website [Silk Road 2.0] has operated on the “Tor” network, a special network of computers on the Internet, distributed around the world, designed to conceal the true IP addresses of the computers on the network and thereby the identities of the network’s users,” according to the FBI.

The globally coordinated effort involving 17 nations dubbed Operation Onymous – obviously as opposed to the “anonymous” Tor network – has reportedly led to 17 arrests and a seizure of more than 400 “hidden services” and darknet domains, $1 million in bitcoins, $250,000 in cash plus a variety of drugs, gold and silver.

It later emerged there were actually just over 27 sites seized – including Silk Road 2.0 – instead of more than 400 as initially reported: the FBI spokesperson David Berman later clarified the 400 URLs amounted only to a dozen or so sites.

However, several pertinent questions surfaced:

– Is Tor still safe given the FBI has obviously broken (how?) into it?

– Is the world really a safer place after the FBI shut down a major “darknet” marketplace? What makes the authorities rule out the emergence of a more secure, bigger and effective Silk Road 3.0? (The FBI said in its press release that “Those looking to follow in the footsteps of alleged cyber-criminals should understand that we will return as many times as necessary to shut down noxious online criminal bazaars. We don’t get tired.”)

– How much of taxpayers’ monies were spent to make these 17 arrests in 17 nations with this global operation?

Shhh… Privacy: Tor Guide on Browsing Anonymously

Here’s an interesting chart on how to use Tor to browse the web anonymously:

[Image: Tor infographic]

The Tor Project provides free software and an open network that shields your online identity and thus helps you maintain privacy by defending against network surveillance.

But Tor can still be compromised, and multiple layers of security are recommended.

Shhh… Comcast Set Record Straight on TOR

Amidst widespread reports early this week that Comcast Corporation has been discouraging customers from using the Tor Browser, the anonymous browser favored by people like Snowden and hackers alike, Comcast – the largest broadcasting and cable company in the world by revenue – has clarified that the reports were not true and the company has not asked customers to stop using Tor or any other browser.

“We have no policy against Tor, or any other browser or software. Customers are free to use their Xfinity Internet service to visit any website, use any app, and so forth.”

See Comcast’s clarification here.

Shhh… In TOR We (Can Still) Trust?

The BBC reported over the weekend, following an interview with Andrew Lewman of the Tor Project, that some NSA and GCHQ staff tasked with cracking the Tor network and finding vulnerabilities in the tool most hated by the US and UK intelligence agencies have been covertly tipping off its developers.

“There are plenty of people in both organizations who can anonymously leak data to us to say – maybe you should look here, maybe you should look at this to fix this,” he said. “And they have.”

The Tor network has been favored by those who seek internet privacy and anonymity. The free software conceals the location and usage of its users from anyone conducting network surveillance and traffic analysis. In other words, Tor shields one’s identity: it is difficult if not impossible to trace the internet activity of any Tor user. No wonder Tor is championed by the military, political activists, law enforcement, whistleblowers and of course, Edward Snowden.

Unfortunately, given what Tor is, it is also known as the gateway to the “dark web” as criminals and terrorists love it as well.

So it was no surprise when the Snowden revelations revealed both the NSA and GCHQ have been trying to crack Tor.

In fact, the NSA hates Tor so much that it was also reported that the agency was not only targeting and cracking the Tor network but had been taking digital fingerprints of anyone who is even remotely interested in privacy – including fans of the Linux Journal web site and anyone visiting the homepage of the Tor-powered Linux operating system Tails.

[Image: Tails DVD]

So what motivated those NSA and GCHQ spies to secretly contact the Tor developers? Lewman had an explanation:

“It’s sort of funny because it also came out that GCHQ heavily relies on Tor working to be able to do a lot of their operations.
“So you can imagine one part of GCHQ is trying to break Tor, the other part is trying to make sure it’s not broken because they’re relying on it to do their work.”

Find out more about using Tor from my earlier column.

Shhh… Heartbleed Check & Fix

The open source OpenSSL project, whose software is used by two-thirds of the web to encrypt data, i.e. to protect usernames, passwords and any sensitive information on secure websites, revealed Monday a serious security vulnerability known as the “Heartbleed” bug. Yahoo is said to be the most exposed to Heartbleed, but the company said it has fixed the core vulnerability on its main sites. There are several things you would need to do to check for the Heartbleed bug and protect yourself from it, apart from changing your passwords. And according to the Tor project, staying away from the internet entirely for several days might be a good idea.

Check these YouTube video clips for more information – and find out how to fix it on Ubuntu Linux.

Shhh… 172 Ways to Keep Your Online Activities Secure

The NSA may now be cracking down on the Tor project after the forced shutdown of Lavabit, two of the many tools in the arsenal of Edward Snowden and the like. But there are many other ways to secure your online activities, including secured phone calls in case you are also concerned about eavesdropping.

Here’s a handy list of 172 tools you can use, compiled by the folks at Backgroundchecks.org.

If I Were Snowden

The Art of Hiding and Being Undetectable

The world knows by now Edward Snowden, the former private contractor for the National Security Agency who leaked revelations of massive US clandestine electronic surveillance and eavesdropping programs, is still at large in Hong Kong.

You might wonder how Snowden managed to remain obscure, both in the physical and cyber spheres.

Hong Kong, a former British colony now a major global financial center and Special Administrative Region of China, is one of the most densely populated areas in the world with a population of over seven million spread over just 1,104 square kilometers.

But it is precisely for these reasons that Hong Kong may be the ideal place. One could be easily spotted or located, or one could capitalize on the dense crowd and modern infrastructure to negotiate his way unnoticed in the physical, digital and cyber dimensions.

And Snowden sure knows how to do that.

So what would you do if you were Snowden or if you simply needed to hide and remain undetectable for a period of time?

Please read the full column here and there.

DIY Counter Espionage

Spying on Spies

The FBI probe into the scandal involving former CIA director David Petraeus and his mistress may have stolen global headlines the past week.

But there is something else the FBI knows that should warrant more attention. Something closer to those of us less exalted than the boss of the world’s most famous spy agency.

The FBI is known to have video footage, covertly taken in a hotel room somewhere in China, showing how Chinese agents broke in and swept through the belongings and laptop of an American businessman.

There were recent media reports of similar incidents. The FBI is now showing the clip as a warning to corporate security experts of major US companies.

The FBI also warned some months ago about the risks of using hotel wi-fi networks and recommended all government officials, businessmen and academic personnel take extra caution when traveling abroad.

Whilst the corporate world is often most at risk, average citizens are also highly vulnerable, especially to electronic surveillance on home and foreign soil.

So what can one do to protect the personal data and business secrets on one’s computers, especially when traveling abroad?

Please read full article here and there.

How to Beat the CIA and Protect Your Data

A little secret and long overdue column – as I have promised some weeks ago.

How about leading a cyber lifestyle without the risks of compromising your computer, privacy and precious confidential data… ie. your life?!

There’s an easy solution and you do not have to be a computer expert. But the CIA, MI6, etc, wouldn’t want you to know the trick… because you can beat those spies and hackers by going online and leaving no trace.

Read the full article here.