Thursday 7 September 2017

I caught a scammer

A story has been going round the blogosphere about "the biter bit": where a tech-savvy merkin turns the tables on a 'foreign gentleman' attempting to scam him out of $400. If you want to hear the original podcast, you'll need 50 minutes and a certain tolerance for commercial breaks. But the story was picked up by Ars Technica which a) will allow you to skim the scam details and save some time b) has embedded copies of some of the key photos that feature in the story.  It's quite exciting in a technogeek sort of way, rather than a car-chase and abseiling sort of way, and nobody dies.

It reminded me of the old days when I was given a mighty server to store copies of Genbank the DNA database and software for accessing and analysing the sequences therein contained. The database seemed very large back then, partly because comms tech was so primitive.  it has been doubling in size every 18 months since, so is now really big.  1994 was early days for the internet, the WWW was only a few years old and the bubble wasn't even thought of, let alone bursting a lot of youngster's dreams of riches; as it did in 2000.  There was no point in storing all that data unless I was going to allow Irish researchers to access it.  I would set up accounts for anyone whose boss was prepared to pay a nominal annual subscription.  I was also expected to update the database every three months, which I did, but also to update the firmware of the operating system which I lacked the confidence to do with sufficient regularity. I adopted an "if it ain't broke, don't fix it" attitude which meant that most security updates languished off the operating system.

TCD's official Unix expert was a very helpful guy called Mike McGovern, who would hold my hand but couldn't actually do the work I was contracted for. One day I whined "How am I expected to do all this? I'm only a biologist".  He curtly replied "I'm only a geographer", with the implication that I could do what he had to do, if I moaned less and did more - it was kindly meant.

In between database updates, I had time to learn about how Unix computers worked and pay some attention to checking who was using what software when. Although I was based in Trinity College Dublin, I was providing a National Bioinformatics service and got log-ins from IP addresses in other Irish universities; and because scientists travel, some traffic came in from abroad. I felt I was running a rather sophisticated cosmopolitan hub.  One day, going through recent traffic, I noticed a log-in from an unrecognised address which I tracked down to an Internet Café on Dame Street about 300m outside the railings of TCD.  Yes, there was a time before Wifi, laptops and smartphones. I called the café up to report possibly nefarious usage and their Sys$op got terribly excited because they had CCTV security cameras. If I told him the time and the IP#, he could get me a picture of the perp: Cybercrime Bust! Unfortunately, they only stored a few days of CCTV tapes and my event had just been over-written.

A few months later, I noticed a login from TCD - so far so normal - but from the user-name of a student I knew had graduated and moved abroad. That was peculiar, and more to the point it was happening even at that moment. I called Mike who identified IP# as a terminal in one of the Public Access Terminal PAC rooms in his building. We agreed to meet five minutes later in the corridor outside; then burst in and literally collared a second year CompSci student trying to find what Unix computers could do. The kid was ultimately disciplined in some way and I resolved to impose some password discipline on my users.

That was another interesting exercise. With a slightly guilty feeling, I acted as game-keeper turned poacher and hacked the encrypted passwords of all my users. This didn't require me to know any 20 digit prime numbers. There was a program you could download - Crack, was it called?, or Doom?: I can't recall.  aNNyway, this program would encrypt a dictionary using your computer's password security software and see if any encrypted words matched strings found in the /etc/passwd file. It took a few hours to run and I flagged about 5% of my users as having failed this elementary test. I sent them all a message to up their game on the security front. I remember one case where the user had 'cleverly' reversed her surname, oblivious of the fact that it was now a normal but uncommon English language word.  We were all super-naive w.r.t. computer security 20 years ago. My 5% trawl had just used a plain language hack-dictionary; with more time, it could have added l33t [prev] substitutions of 'one' for 'el'; 'zero' for 'oh' and outed a bunch more people.  The current advice is not to use any word - even if gussied up with substitutions and special &$%# characters - strip the first letters off a phrase instead: nmtesirtd for nihilists or tbontbtitq for decision-makers.

No comments:

Post a Comment