Phone phishing, just one way to social engineer information from end users

Social engineering is used to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.

The following is a recent real life example which would seem very innocuous.

An associates phone rings.  The person identified herself as working for the accounts receivable department.  She indicated to the user that the phone extension he had was noted as sitting near an HP Color Printer.  She asked if he could provided the model and serial number for her records.  (Before we go any further, how many of you reading this sit “near” and HP printer?)

The user was keen enough to ask the caller’s name.  She responded with only a first name “Kathy”.  Fortunately this set off a red flag that something many not be completely legitimate with her request.  He then indicated it wasn’t necessarily a good time for him and asked if he could get the information and send it to her in an email.  Still suspicious but now afraid the caller may just hang up, the user stalled and answered “oh yes, there is an HP printer right here” and gave the model number, but nothing specific to the device or the company he works for (serial number or IP address).

After saying this, the caller seemed more interested again and continued to ask how they administer and maintain the printers.  The end user indicated he wasn’t sure and would have to ask.  He then asked for her last name to which she responded “White”.  Being resourceful, the user quickly checked the companies Active Directory.  No users matched that specific name.

He then offered to get the rest of the information and call her back.  The caller indicated that the phone she was using was only able to make outbound calls and she wasn’t sure what number would call her area (does this sound like any phone in your company?).  When he insisted he’d need to call her back, she quickly hung up on him.

By asking specific and probing questions, a caller may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.  While each of those pieces of information may seem insignificant by themselves, in total, they may give a hacker just the information they need to footprint a company or network in order to run a targeted attack on the environment.

Advertisements

Steve Jobs 1 – Adobe 0

Adobe Flash Player Icon

Image via Wikipedia

Apparently Steve’s bet on mobile platforms free from Flash will have ramifications beyond Apple IOS devices.

While competitors happily used the lack of Flash support to help spur sells of their non-Apple devices, Adobe has now abandoned a strategy to continue to develop Flash for mobile devices (I think they mean mobile OS’s) and instead will work more diligently to comply with the HTML5 standard.

More information can be found in the exclusive ZDNet article here.

Is a 10 minute nationwide RoadRunner outage noticeable? Uhhh… yeah.

While all the details aren’t out yet.  It looks like Time Warner Cable/Road Runner took a 10 minute network outage today at 6:10 PDT.

From what I noted and backed up with other online resources, it looks like there may have been a “flap” with one of the core routers (pulled from DSL reports board).

Even some speculation that it may have been related to this issue noted via twitter regarding the a Juniper bug and a BGP route distribution.

Regardless the hit was widespread and has shown to have disrupted services across the globe.

Noticeable?  Absolutely.  Sadly the first indication I received was from my wife indicating that nothing at home was working.  Instinct was to call the TWC help number already preprogrammed into my phone.  When the major support numbers from TWC all inaccessible, it occurred to me that there may have been more than a local outage.

When we finally saw some monitoring reports, it was confirmed.  My wife is quicker than your average network monitoring tool.  🙂

Simple AirPlay setup for whole house audio

I’ve been enamored with home audio since I was a very young.  I can recall turning on radios in separate rooms of the house so I could run from room to room playing my guitar along with the radio, preparing myself for future “rock-stardom”.  Fortunately for us all the long hair and spandex didn’t survive the 80’s but my desire to have audio in every room of the house didn’t.

Since then, I’ve spent more time (and money) than I should trying to build a fully distributed, multi-source audio distribution system, or what has been marketed at Whole House Audio but the big A/V vendors.  None of these efforts have been inexpensive, user friendly, or as functional as I would have wished.

Needless to say, I was very excited at the potential uses of AirPlay when it was initially introduced by Apple.  Utilizing this feature built into IOS devices and iTunes, you can easily put together a reasonable system (from a cost and complexity standpoint) that will give you fairly good results.

I’m certain there are more ways to do this than I’ll give you here, so please don’t flame me for forgetting your preferred method….

Step 1 – Start with a source

The most basic of AirPlay sources is iTunes.  If you’ve accepted iTunes to be your central storage for all digital media, this gives you a good based from which to start. iTunes gives you a lot of flexibility here and can easily be controlled via the Apple remote app from any IOS device.

From iTunes or the Remote app you can select your music or playlist as well as the destinations within your home.  Each AirPlay target has a separate audio level control available so you can balance out the levels to your preference (or the devices capability).

If you don’t want to use your media library and you prefer to stream your music selections, you are in luck.  You can use a streaming source, like Pandora, to feed AirPlay.  In this case I will use an iPad which I have Pandora set up on.  Launch the app and start playing your preferred playlist.  Once it starts you can double-click the home button to bring up the “multitasking bar”, swipe to the right and you’ll see your audio controls, from there you can click on the AirPlay button to choose which target you would like to use.

Step 2 – Simple target devices (or audio destinations)

Since AirPlay has been out for just over a year now and manufacturers are now starting to integrate it’s features into their devices.  Audio/Video receivers from Denon and many small speaker/dock devices have implemented AirPlay, but I’ve yet to see one of these solutions that are reasonably priced to use if you wanted to stream music to say 5-7 locations in or around your home.

The approach I’ve taken doesn’t really care if the speakers or stereos are “AirPlay enabled” or not.  In fact, most of my target systems are built from either powered speakers or systems we’ve had in our home far longer than the existence of AirPlay.

So how do I connect them?

One of the simplest and underrated devices from Apple is the Airport Express.  While it has the capability to extend your wireless network (albeit at the expense of your throughput), make USB devices like hard drives or printers wireless, or provide ethernet connectivity to a non-wireless device, the biggest feature is it’s ability to be an endpoint in an AirPlay environment.

On every airport express is a combination mini-toslink and analog miniplug connection.  So you can connect to a RCA input with a mini to RCA cable or directly to a digital input with the mini-toslink to toslink cable.  I am very aware that Apple sells a nice “kit” with both these cables for an astonishing $39.  A quick Google search will find an appropriate cable for your application for less than $5 per cable.

I have Airport Expresses using both options.  Where I have a bookshelf stereo unit with optical input, I’ve connected the AE via the toslink cable.  However in a simple and somewhat portable setup, I’ve used another AE simply connected to a pair of powered computer speakers.  With these two options, you can probably accomodate most any stereo or powered speaker setup you have in place today.

To extend my options a bit further, I’ve also utilized Apple TV2s as target devices for AirPlay.  ATV2s fit quite a different category of use verses the AE.  The biggest difference for me is the lack of an analog audio out on the ATV2.  While it has a full size optical output, it can perform the same function as an AE connected to a receiver with an optical input.  This is truly a matter of preference, do what you wish here.  The deciding point for me is what is the end device.  If it’s really at TV, then the ATV2 is the preferred component.  If it’s an audio only device, then the AE is my preferred device.

So now rooms like bedrooms and the family room don’t necessarily have to have a dedicated audio system in them to have audio streamed to them.  The downside to this particular option is that you have to have the television on in those rooms in order to have the audio output.  Whereas you can leave the stereo or speakers connected to the AE always on and set to a preferred volume level.

Step 3 – MultiSource?

While not a traditional multi-source setup, you can get a similar function from this setup.  I cannot use iTunes running from my central media server to serve up different playlists to different rooms/targets.  This would be a wonderful feature if someone on the iTunes dev team could work that out.  However you can use a couple of sources (possibly multiple iTunes or IOS devices) to control separate sets of speakers.  So my daughters could use the iPad to connect to speakers in the bedrooms upstairs to play Radio Disney while I have iTunes or my iPhone streaming music to all the speakers downstairs or outside.

If you’re looking to distribute audio on a fairly reasonable budget, I don’t believe you can easily beat this setup.  It definitely gives you a lot of flexibility about what you want to put where (from a target perspective) and can easily grow to fit your needs.  As each iTunes and IOS update come out, I eagerly look to see what new AirPlay options may be enabled.  Especially as Apple starts to introduce the ability to distribute video in the same manner.  But that’s a whole other topic…

iNeed a new Thermostat?

There was a time, nearly 4 years ago, when a $600 cell phone on the AT&T network was an absurd idea.  You would want to keep that thought in mind when you look at the new home thermostat from Nest that comes in at a mere $250.

Except this is the brainchild of some of the original Apple team that developed the iPod.  In fact the simple user interface of a large scroll wheel and simple screen are very reminiscent to the iPod itself.  NEST cites the stat that a mere 6% of programmable thermostats are actually programmed to provide the function they were purchased to do.  NEST resolves this issue by making the interface intuitive and having the thermostat “learn” your patterns to program itself.

Given the price range for wireless programmable thermostats are already in the $100+ range and I can personally attest to them being rather difficult to program.  If/when I purchase and install, I will write up a quick review.

Roku LT announced… looks like a Roku 2 HD with an instant rebate.

Roku announced yesterday a new device to it’s lineup, the Roku LT.  The Roku LT specs look amazingly similar to the Roku 2 HD.  Looking through multiple write-ups on the device the only discernible difference I can find (besides the odd Roku Purple color of the box) is the fact that it may (or may not) contain a microSD card slot.  Roku touts that the microSD is only to hold channels and games.  Since this device (like the HD) does not have bluetooth (for enabling the control of games) there shouldn’t be as much of a concern over the amount storage, thus no need for the microSD slot.

The omission of bluetooth may also mean the IR remote won’t have the incessant sleep problem that the bluetooth remotes have.  Here’s hoping… 🙂

So for omitting the microSD and bluetooth, Roku lowers the price to $49.99.  If your looking to use this device for what it was primarily designed for (streaming television) then you won’t miss those features and will appreciate having the extra $10.

Trials and Tribulations with the Roku 2 XS

Once there was agreement (after a lot of negotiation) that we weren’t getting the value out of our current television service provider, I needed to find a solution that would give us the option to watch some traditional network programming. We don’t live in an area where we can get any OTA (Over The Air) television reception without an extremely large antenna and amplifier (and that option had a low WAF I might add). Not wanting to purchase all the episodes of prime time television and not willing to wait until the season was over and watch them on Netflix, we were left with Hulu.  While not inclusive of all networks, Hulu does get most of the major prime time dramas (like Glee unfortunately) and other popular shows from network television.

The Hulu decision then drove the next.  How do we then get Hulu to our main television?  I could build a system or do the Mac Mini approach, but neither of those seem feasible for something we were going to just “try” given they are $500+ solutions.  The $59 Roku solution seemed to fit the bill.

As things usually go, if there is a low end and a high end model, it’s pretty predictable which I’ll end up with.  I’m sure the Roku 2 HD would have worked for us, but for only $20 more you step up to 1080p and only $20 more than that you get an “enhanced” remote plus an ethernet port (which seemed like it may be a good idea if it does 1080p).

During the first 30 days with the Roku, I was tempted many times to pack it up and return it to Best Buy.  Since most of my experiences to this point were with traditional set top boxes for cable or satellite and the Apple TV, I was accustomed to things working and working consistently.  What were the points of frustration?

  • Box freezing up – this would occur multiple times a day and be very frustrating.  Unfortunately it seems to occur more frequently on some “channels” than others.  This could be an indication of the fact that the channels are not written by the same people responsible for the Roku OS itself.
  • Remote responsiveness – I have not used an older Roku nor have I used the standard remote.  I’ve only used the “enchanted remote with motion control” that comes with the XS.  Often it take quite a few button clicks to “wake” the remote after it has sat idle for a bit.  After waking the remote, there is a lack of input response also.  After clicking a button, you can look to see the Roku box blink indicating it has received the remote input, however nothing occurs.  This causes you to continue to hit the same button expecting something to eventually happen.  Sometimes it will eventually take effect, other times all of the cumulative clicks seemed to get buffered and then happen all at once taking you somewhere in the system you didn’t intend to go to.
  • Justin.TV – okay it’s not specifically JustinTV, but the fact that channels are created and user supported.  I did find it interesting to be able to bring up some live television shows when they were being broadcast (sports, news, etc).  But the quality is deplorable and the reliability even less.  Remember OTA is not really an option for us, so this was worth trying, but not worth using that much.
  • Angry Birds – I will admit to having been suckered in like everyone else and spent entirely too much time playing Angry Birds on my iPad when we first got it.  I don’t know if it was just the addictiveness of the game or the competition with my wife to see who could keep the high score on each level…  But on the Roku, interacting with this particular game is not as eloquent as a touch screen device.  I appreciate that Angry Birds is a popular game and it may have helped to market the device to end users, but I think it was a bad choice/implementation.
What do I like about the Roku?
  • Picture/Sound quality – the one thing I can compare between the Roku and my Apple TV is Netflix.  So I’ve done quite a bit of A/B comparison and the video/audio quality on the Roku are noticeably better than the Apple TV.  While the Netflix interface isn’t as eloquent, we will watch more Netflix shows on the Roku.
  • Bluetooth remote – while I’m not happy with the inconsistencies of the remote, one interesting factor is it being bluetooth.  While everyone is very used to pointing the remote at the TV, it isn’t necessary with the Roku remote.  This means you can mount the box in a less conspicuous location and still be able to control it (unlike the traditional infrared remotes)
  • Size – Small. That’s cool and it makes mounting it easier.  Double sided tape and it’s almost integrated with your TV.  Certainly no need to purchase specific furniture or shelves to house it.
  • Justin.TV – if you’ve been paying attention, you’re probably thinking “wait, didn’t he say he didn’t like this?”.  I did.  But I think this shows a strength of the Roku in it’s user supported channels and content.  Over time I hope/expect that better offerings/implementations will be made available and the experience will be better.  I’m willing to wait and see.
  • Games – while I don’t think Angry Birds was a good choice for the device and it certainly doesn’t have the video processing to keep up with dedicated systems like a PS or XBOX, it has potential.
Would I purchase the Roku again?  Yes.  Would I get the XS?  Probably not.  I think I’d try the XD and see if the lack of enhanced features makes the remote use any more tolerable.