Separating the Paranoid from the Hacked

Sad story of someone whose computer became owned by a griefer:

The trouble began last year when he noticed strange things happening: files went missing from his computer; his Facebook picture was changed; and texts from his daughter didn’t reach him or arrived changed.

“Nobody believed me,” says Gary. “My wife and my brother thought I had lost my mind. They scheduled an appointment with a psychiatrist for me.”

But he built up a body of evidence and called in a professional cybersecurity firm. It found that his email addresses had been compromised, his phone records hacked and altered, and an entire virtual internet interface created.

“All my communications were going through a man-in-the-middle unauthorised server,” he explains.

It’s the “psychiatrist” quote that got me. I regularly get e-mails from people explaining in graphic detail how their whole lives have been hacked. Most of them are just paranoid. But a few of them are probably legitimate. And I have no way of telling them apart.

This problem isn’t going away. As computers permeate even more aspects of our lives, it’s going to get even more debilitating. And we don’t have any way, other than hiring a “professional cybersecurity firm,” of telling the paranoids from the victims.

Posted on June 26, 2017 at 12:30 PM

Comments

Better Word For Paranoid, Please June 26, 2017 12:40 PM

I had been in this situation myself. When I started to be very “loud” about the contents of leaked documents, US propaganda operations and a number of other sensitive National Security topics – a series of uncomfortable and intimidating events occurred including my internet traffic being intercepted through Virginia, unusual certificate behavior (pinned cert checking caught certs that were changed but otherwise “valid”, certificates with huge formatting errors, clearly wrong certificate, etc). I was followed multiple times and my house and car were ransacked. Up until around when I stopped contemplating about blowing the whistle about some TLA interactions with my (Fortune 500) employer and stopped trying to popularize Snowden and Manning documents.

But at the time nobody was really able to believe me. We need a better word for paranoid for when there’s a good reason for it.

Rhys June 26, 2017 1:20 PM

Just because one is neurotic still doesn’t mean they weren’t out to get him.

If one relies solely on the Kabuki theater of social media as a basis for being “known” to others, don’t you think that was a bit (self) deceptive from the start?

Not an issue of security. More a matter of erroneous logic leading to erroneous expectations.

That condition has existed in social settings long before social media or the internet. Or psychiatry.

Larry Hunter June 26, 2017 1:21 PM

“Just because you’re paranoid doesn’t mean they aren’t after you.”
― Joseph Heller, Catch-22

John June 26, 2017 4:37 PM

The underlying issue is our growing dependence on technology combined with the growing confidence we have in the integrity of machines vs that of the human mind. “What is more likely, that this poor person is delusional.. or that their whole digital (–> real) life has been a hacking target?”

What if June 26, 2017 4:38 PM

What if that professional cyber security firm wasn’t competent enough to find anything on his computer? Or if the hacker was better at clearing their tracks?

K15 June 26, 2017 5:05 PM

Where can I take, or connect, my phone to see if it has the software it was born with?
How can you tell what the intentions are, of the men in the middle (if any)?

Nichols June 26, 2017 5:06 PM

Really sad, but this kind of situation is more common each day. In the past, while I was at one consulting firm, every week we got calls from persons telling similar stories, many times including this kind of “strange things”, eavesdropping and wiretapping complaints. Although some of them are paranoid, many of them are being pursued or monitored by relatives or even criminals.

//Chris June 26, 2017 5:16 PM

Hi, I know already it’s not the best place to post this because nobody ever gives advice here.

But I post it anyway. I have recently put up an SSH server that is available for “normal” users, just a username/password thing; the whole environment inside is about searching for stuff regarding amateur radio, so it’s not easy to make it with certificates.

I have put it in chroot and secured it with no known executables that can be exploited and forced the users to use rbash.

Anyhow, since it’s fronting the internet I installed sshguard and have been watching this now for a couple of days, and some things get my attention.
Namely Google, similar to this one (also some Vietnamese guys doing the same exchange):

Unable to negotiate with 104.154.221.11 port 54157: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]

Of course sshguard won’t trigger on this, but then the question is: firstly, what on earth business has Google with my site in the first place; second, why SSH sites; and why try this weird SHA-1 method? Is it that SHA-1 is insecure and Google is mapping those insecure SHA-1 sites for someone else?

Can anyone give some explanations what this is all about please.

//Chris

Indeed June 26, 2017 5:22 PM

In general, I agree that the paranoid are considered irrational. However, when we are discussing the complexity of computer systems and networks, I’m more of the view that so called “paranoia” derives from an understanding that our technological infrastructure is inherently insecure.

I sometimes wonder if the term “paranoia” should be used to describe someone who is worried about their communications being intercepted, especially since it was revealed that the NSA and other agencies are quite literally collecting everything.

k15 June 26, 2017 5:36 PM

Would a MITM affect the manifestation of your online payments, and if so, what would look different?

k15 June 26, 2017 5:55 PM

Story as press release – there was no actionable advice, about how to detect that you had been hacked. Just good practices to prevent, and what general sort of organization could find out if it had occurred, “a professional cybersecurity firm”.

Nonsense June 26, 2017 6:02 PM

Hackers had broken into his home network via an internet-connected printer and sabotaged his files. Instead of signing off with “thank you”, the hackers changed the first word to something offensive.

The trouble began last year when he noticed strange things happening: files went missing from his computer; his Facebook picture was changed; and texts from his daughter didn’t reach him or arrived changed.

But he built up a body of evidence and called in a professional cybersecurity firm. It found that his email addresses had been compromised, his phone records hacked and altered, and an entire virtual internet interface created.

“All my communications were going through a man-in-the-middle unauthorised server,” he explains.

The “victim” in the article has probably been conned by a “professional security firm.”

His phone, text messages, email,

The REAL problem he had was probably this: His GMail password Based SSO (OAuth) was compromised. (Thus affecting everything else)

His password was “Password”, right?

Podesta, anyone?

We Are the Product to Exploit and Suffer June 26, 2017 6:45 PM

Before Snowden people were mocked and called tin-foil nuts. They too were labeled paranoid.
After Snowden it’s been total silence.

Are people stalked by sick people?
Are people eavesdropped upon every page they visit?

Before it was called private investigators; now it’s big data building mind-boggling dossiers of your every weakness. They are sold and used against you. Mostly people go through life ignorantly but some suspect a violation but can’t prove it.

Have you ever imagined how much data is in your dossiers in thousands of unregulated companies?
Even churches eavesdrop upon members every thought!

At least Europe is going in the right direction about to fine intrusive Google a billion dollars.
America today is cursed by laziness, ignorance, rage, stress, broken families and isolation.
The majority are medicated as they’ve lost control of their lives. That is, AI is beginning to make decisions against their own free will. Is noticing the incremental loss of liberty being paranoid?

The best treatment is cut out ALL sensors and two-way communications totally. Except for a dumb phone. Then start interacting with real human beings.

It’s convenient, superficial and lazy to call them paranoid when not having all the facts.

Everything's A Honeypot June 26, 2017 7:16 PM

I’m about 72.4% positive this article has been inserted into the webpage my browser pulled 😉

Most of the people who show up here are P…

Metrics?

But but Imma Gonna Tallk June 26, 2017 7:20 PM

I recommend the Motherboard series “When Spies Come Home”

https://motherboard.vice.com/en_us/topic/when-spies-come-home?topic_id=58ed3bb3092d884d367c4bd4

This type of griefing is far more common than people realize. Even as recently as five years ago most people needed some degree of specialized expertise beyond the script-kiddie level to really take someone out. Not any more. Hackers now sell these services openly on the dark web. It is no longer reserved for people into fraud or people proving they are “leet” but now includes people out for revenge, people who want to prove they are powerful, jealous lovers…. “Stalkerware” is a real thing.

@Bruce once said that yesterday’s PHD thesis is tomorrow’s hack (or something to that effect). We should now add that yesterday’s hack is today’s griefing tool.

Hanna-Hunt June 26, 2017 8:41 PM

Please Do Not Find A Better Word For Paranoid:
The correspondence Bruce receives from so-called “political activists” and their bots who claim their lives are hacked or being hounded by the U.S. bc of their political activism re: Snowden are usually the exact opposite of paranoid. Psy-war disinformant troll farms, paid “patriot” volunteers, or botniks troll anyone who advocates for the internet and anyone who calls them out. Which means it’s easier to just call them paranoid.

Code words for the internet are “the interesting” as in, distracting threat to Skinhead Putin, he of closed society Russian autocrats. Who pollutes his local and www to reverse the flow of accurate information that makes him and his country look bad. Which leads to extreme trolling of YT, Twitter, people across the internet including Bruce Schneier.

Same with China, N Korea, Saudi Arabia and the more recent collection of autocratic extremists who make Trump look librul.

In comment sections I used to see overly formal accusations of Russophobic McCarthyism as in, “at the end of the day sir, have you no shame? It is of extreme concern to see your pages making outrageous accusations about my beautiful Mother Russia…etc etc. (only slightly exaggerated)

And then there are the few who really are crazy. And I’m sure it’s of concern to use such an impolite term.

V Dangi June 26, 2017 10:15 PM

Sometimes reality bites need a proper check. Stalking online by some and hacking and poisoning someone’s life by herd in real life are totally different things. And based on what?
Post-truths stories rarely work.

eugene June 26, 2017 11:03 PM

Liked the quote by Larry Hunter, thanks Larry.
We need to become more savvy about passwords, password management and 2FA for a start, for stating the obvious, right? There should be a very good detailed step by step beginner how-to guide by the EFF that painstakingly explains best practice to the uncertain. Then it should be virally advocated everywhere because really griefers need to be gone.

eugene June 27, 2017 12:26 AM

Eugene’s Home user #security Check! list for Windows.
Seize the day!
1. ESET https://www.eset.com/us/home/smart-security-premium/ or Kaspersky https://www.kaspersky.co.za/total-security Premium AV installed – Scanned? Check!
2. SUPERAntiSpyware http://www.superantispyware.com/ installed – Scanned? Check!
3. Have you done your windows updates lately (you know like today)? Check!
4. Have you setup strong passwords for your accounts https://strongpasswordgenerator.com/ or via Lastpass or Password Safe? Check!
5. Do you have a password manager such as Password Safe https://pwsafe.org/ installed? Check!
6. Are you using 2FA [Two Factor Authentication] on your accounts (eg. Gmail)? Check!
7. Have you harnessed the power of good browser add-ons, such as uBlock Origin? Check!
8. Have you subscribed to a Premium VPN service, such as NordVPN or ExpressVPN? Check!
9. Are you backing up to a secure Cloud service, such as Zoolz Intelligent or Crashplan?
Well, alrighty then… Vacuum and disinfect the keyboard there Krusty! (Phew!)

Versailles Thinthread June 27, 2017 1:59 AM

Before Snowden people were mocked and called tin-foil nuts. They too were labeled paranoid.
After Snowden it’s been total silence.

Nothing has really changed in that regard. Not within the “consensus reality” of “ordinary people”.

Hanna-Hunt June 27, 2017 2:32 AM

Now that their boy has been elected to Casablanca (WH) USA, most of the troll farm mind control, FEMA coffin RW channels on You Tube have either gone silent or have suddenly gone into rehab for rebranding. Wonder why? IOW, after Snowden, Russian Psy-war troll farms went crazy pointing to the US as the ultimate evil surveillance state. Those who pretended to be MIA for the previous 15 yrs were “truly shocked and appalled.” IOW, the NSA mandate wasn’t to exceed their mandate and listen? Record?

We were then and are now to unknow or forget Stalin (u can now call him butcher or cannibal in Russia wo getting sued) and Putin’s KGB that got along so well with the GDR E. German Stasi. Forget the current Russian government and politics and the once and future Czar____(what’s his name again?) Why? Bc they are a society “in transition.”

Clive Robinson June 27, 2017 2:47 AM

@ Winter,

There is no perfect security, but you can move the odds in your favor.

Only for a little while.

Look at it this way: you have a person, busy with getting on with their life, versus the archetypal “300lb unemployed teenager sitting at a computer keyboard in their underpants” fixating on the busy person.

It’s not exactly a fair contest, even if the teenager is caught before they do real damage (swatting, drug bombing etc) they rarely get the sort of treatment by the authorities that will change their behaviour.

The real problem is that way too few people are “sufficiently paranoid” for their own good when it comes to the online part of their lives.

But as @Bruce notes,

    This problem isn’t going away. As computers permeate even more aspects of our lives, it’s going to get even more debilitating

Also for the stalker types the Internet is an almost perfect low risk “target rich” environment…

Winter June 27, 2017 4:11 AM

@Clive
“Only for a little while.”

In the long term we are all dead. Meanwhile, it is reprieves for short terms that will get us to the final end.

Joking aside, this is a real problem. But even those proverbial people that are “going on with their lives” will learn something about security if they make a little effort. This is like martial arts. Training in martial arts does not help you to win pub brawls and beat down muggers. But it gives you a sense of danger and humility that will help you get out before the problems start. The man behind the TV show “The Real Hustle” told an interviewer that even after 300 shows he is sure he too can be the victim of a hustle. That is the right spirit.

I think such a handbook will give potential victims a keen sense that they can be made victims and also how. And, most importantly, that they should seek professional help when needed.

Clive Robinson June 27, 2017 7:09 AM

@ Winter,

I think such a handbook will give potential victims a keen sense that they can be made victims and also how.

The problem is that things change so fast, I don’t think even experts can keep up.

Without doubt WiFi is “A curse that keeps blighting” and with the proliferation of WiFi devices with hundreds if not thousands of inbuilt vulnerabilities, “catch up” is not the game people should be playing.

In practice the only thing protecting the majority of people is that it is such a “target rich” environment that they actually have a small probability of being hit by zero days before the zero day gets found.

Worse even when infected by malware most people don’t know it. It’s only when the attacker is not just not covert but blatantly so that users start to notice.

Back in the day the simplest solution for most was to use a CD/DVD based computer that had no non-volatile storage an attacker could reach. Thus a hard reset or power cycle would get rid of most nasties.

The question is can we find a modern equivalent such that users can sweep the bugs out with a simple “spring clean” not just for Internet connected devices but all WiFi devices as well.

Theodore Dyer aak aak ak June 27, 2017 9:48 AM

The 300lb unemployed teenager sitting at a computer keyboard in their underpants fixating on the busy person is most commonly a cop. The only attacks on this bullseye have been from police. That’s because police are numerous, bored with their featherbed union jobs, incompetently managed, and dumb. That makes their monkey tricks easy to counter. But it points up the most pernicious aspect of the CIA fusion centers: they let cops play junior spy cadet. What the spook has that the cop wants is formal legal impunity. And the pervs and psychos that flock to cop life love impunity.

Who? June 27, 2017 9:55 AM

@ Winter

This is clearly targeted at non-experts who are prime targets of all kinds of cyber attacks. There is no perfect security, but you can move the odds in your favor.

No, it is clearly targeted to vandals:

Your laptop’s microphone can also be remotely and covertly activated, to capture audio. You could try putting hot glue over the microphone input on your laptop casing, to muffle sounds. Better still, open your casing and cut the microphone wire.

Wouldn’t it be enough detaching the microphone cable? Do we really need to destroy it?

Andrew June 27, 2017 12:49 PM

@eugene
10. Use a limited user for common operations, browsing and emails – unchecked

E.F. June 27, 2017 1:33 PM

Years ago I heard the story of this elderly woman taken to see a psychologist. She claimed a man was following her. Well, the doc checked her story out. Turned out her husband had hired a private detective, who was in fact following her. If you’re going to disprove somebody’s psychosis, you can’t just dismiss it out of hand. You have to verify the facts.

Herman June 27, 2017 10:59 PM

@//Chris
It is possible to launch an attack through Google Translate. That way a perp can hide behind a Google server IP address.

The SSH1 protocol is insecure, so it is a common attack vector of SSH servers.

You can mitigate the problems very easily: Reconfigure the SSH server to disable SSH1 and use a non-standard port. While it is possible for an attacker to do a port scan and find the SSH server anyway – they don’t, since it is easier to find another victim.

SuperQ June 28, 2017 1:20 AM

@//Chris @Herman

If you do a whois lookup on that IP, you’ll find out very quickly that this is coming from Google’s cloud service. This is likely someone using Google to do vulnerability scanning.

NetRange:  104.154.0.0 - 104.155.255.255
CIDR:      104.154.0.0/15
NetName:   GOOGLE-CLOUD
NetHandle: NET-104-154-0-0-1
Parent:    NET104 (NET-104-0-0-0-0)
OriginAS:  AS15169
Comment:   ** The IP addresses under this netblock are in use 
Comment:        by Google Cloud customers ** 
Comment:   Direct all copyright and legal complaints to 
Comment:   https://support.google.com/legal/go/report
Comment:        
Comment:   Direct all spam and abuse complaints to 
Comment:   https://support.google.com/code/go/gce_abuse_report
Comment:        
Comment:    For fastest response, use the relevant forms above.
Comment:        
Comment:   Complaints can also be sent to the GC Abuse desk 
Comment:   (google-cloud-compliance@google.com) 
Comment:   but may have longer turnaround times.
Comment:        
Comment:   Complaints sent to any other POC will be ignored.
Ref:       https://whois.arin.net/rest/net/NET-104-154-0-0-1

Cassandra June 28, 2017 2:38 AM

@Clive Robinson

You triggered me with “sufficiently paranoid”. I agree completely that the average IT user is nowhere near paranoid enough – and by IT, I don’t mean the department that used to be called “Data Processing” in companies a few decades ago, but anyone who uses “Information Technology”. I wouldn’t limit it to online either, as you rightly point out that the proliferation of wireless devices is hard to keep track of. For example, a few years ago, a major telecommunications equipment manufacturer was looking at embedding a mobile SIM in every device sold for inventory tracking purposes (the B-to-B IoT market is huge) – when you look at the size of SIMs and the radio stage of mobile phones, you can see that almost any electrically powered device could have this, whether you want it or not*.

There is a difference between healthy paranoia, and unhealthy paranoia. The line is usually drawn at “more paranoid than you are”, and, unfortunately, a significant number of commenters here are more paranoid than the ‘average joe’, and so regarded by the ‘average joe’ as crazy. Degree of paranoia also depends on what you have reason to be paranoid about, and some have more reason than others.

We do live in a new environment, where smartphones invade pretty much everyone’s privacy, whether you personally use one or not – Scott McNealy was right – so to come back to the topic of this blog, the ease of securing something will depend on what it is you are trying to secure – and personal privacy has become a great deal harder to secure since McNealy’s statement in 1999. I think that is because people are still insufficiently paranoid.

My friends and relatives regard my aversion to social media as more than a bit odd, and there is tremendous social pressure to participate. I do note that younger generations are far less wedded to the notion of privacy than the older generations (which have me as a member), so I might just be a cultural dinosaur. On the other hand, reading the NY Times report ( via https://www.socialcooling.com/ ) that partygoers celebrating ‘spring break’ in Florida were moderating their behaviour because they were scared of their actions being recorded on the ubiquitous smartphones might indicate that younger generations are changing behaviour to be more conforming in response to a lack of privacy. Whether this is good or not is debatable.

*This might be unhealthy paranoia, especially if I went around being suspicious that the toasters were eavesdropping on me. Of course no-one would ever ‘Internet-enable’ a TV, or a refrigerator, or a toaster would they?

Clive Robinson June 28, 2017 4:31 AM

@ Cassandra,

Of course no-one would ever ‘Internet-enable’ a TV, or a refrigerator, or a toaster would they?

Well, all jokes aside, a Chinese Manufacturer did put a nasty little WiFi device into a clothes iron…

The point is, like a GSM and SIM frontend, these things can be made very small. Thus it would not be difficult to put a WiFi and GSM unit together to make a surveillance device (I’ve had the bits to do it on my work bench for a while). The problem is power requirements kind of make it need to have a mains power source.

It is known that some years ago a UK Supermarket had a problem in that somewhere in the supply line somebody put in a GSM based card skimmer back end into their epos devices. Thus a vast amount of credit and debit card info including PIN numbers were taken.

The problem was that by design the epos device case was welded shut by the manufacturer, so opening them to find out which were bugged and which were not was not an option. So they ended up weighing them to find those that were a little bit heavier. That really would not be an option today because the bugs are so small they have just a few grams weight, which could probably be offset by cutting out part of the internal plastic from the injection moulding of the clamshell case.

Thus it’s not just Social Media you have to worry about. Thus I have a habit of only using cash…

But there are other issues: in some countries you don’t have to register “who” is living at a property. Thus you could in theory go “off public record”; if you do, however, the likes of credit checking agencies can not build up a “credit reference” for you. However there is a hidden down side. Identity thieves and fraudsters can register at your address, and with a little trickery open a bank account there. With careful timing they can then get some countries’ postal services to redirect mail in their name to a new address, even a noname PO box (this happened a lot in Auz I’m told).

Thus huge debts can be run up against the property, and many debt collectors are not exactly the brightest people in the world, thus convincing them they “have a duty of care” to ensure they get the right person, not you, may end up causing quite a pain…

Most people would not even consider this problem, until it hits them. Landlords etc are only too aware of it as they get bitten every couple of years. Someone I know lives adjacent to a place that is rented out and they have a common entrance way; one day they were shocked to see police in full body armour dragging people out and what sounded like smashing the place up. It turns out it was the “immigration enforcement” trying to catch somebody who had never lived there, and the smashing noise was them knocking internal doors down to the individual dwellings/rooms that were locked. To search the entire premises looking for any documentation etc just in case there were other “illegals”…

You only have to go to the Brian Krebs site to see what has happened to him to realise just what mayhem can be created for those that are not “sufficiently Paranoid”…

fajensen June 28, 2017 9:32 AM

Very strange story!

“Normal people” must have very different computing experiences than I have.

Apparently, they see all robustness, reliability and predictability; I see flaky garbage that barely hangs together and one better check those numbers etcetera.

If my wife came to me and complained about strange happenings with her computer and computer-related things, the very last thing I would suspect is that her mind has cracked or she is going senile. I would immediately blame everything on her computer malfunctioning, Facebook screwing up, and so on.

Milo M. June 28, 2017 3:18 PM

The victim in the BBC story is publishing a book:

https://www.linkedin.com/in/gary-berman-8aa36475

http://www.stalkingonair.com/

“Finally, I had to shut down my computer and began searching for the local FBI office. After an intake interview, two agents came to my home and I shared some of the initial documentation. While they were literally watching over my shoulder, a giant cursor appeared on my computer screen and deleted several files. They didn’t believe their OWN eyes and cited ‘insufficient evidence to open a case’.”

Wael June 29, 2017 4:06 AM

What’s good for goose is good for gander (blockchain). Forking the previous list…

  1. If you get hit with a stone in the chest and look behind you to see who threw it at ya… Yoooou might be paranoid
  2. If you have a set of salad bowls and they’re labeled “shielding”… Yoooou might be paranoid
  3. If your tinfoil hat is made out of depleted uranium… Yoooou might be paranoid
  4. If you’re in court, and the judge asks you to present an ID, and you give her an encrypted biological fingerprint encoded as a QR code on self-destructive paper, HMAC’ed with a onetime pad shared secret key that you don’t share (nor remember) and another paper with an oAuth 2.0 token.. Yoooou might be paranoid
  5. If you show up to CISO job position interview wearing your favorite straitjacket… Yoooou might be paranoid
  6. If they hire you… they might be paranoid
  7. If you’re alone in your secret underground bunker inside an air-gapped shielded room and you look behind you to see who’s shoulder-surfing… Yoooou might be paranoid
  8. If your boss says you’re his right hand man, and you check not only that he is not left-handed, but that he really isn’t a she… Yoooou might be paranoid

Built on Jeff Foxworthy’s you might be a redneck…

Gord Wait June 29, 2017 9:55 AM

“Hello, I am calling from the Google, our security audit has detected that your cyber has been hacked. For a small fee we can help..”
