Ask DACS
December 2013

Moderated and reported by Jim Scheef

Ask DACS is a Question and Answer session before the main presentation at the monthly General Meeting. We solicit questions from the floor and then answers from other audience members. My role as moderator is to try to guide the discussion to a likely solution to the problem. The answers below include my own post-meeting research.

Q – I received a call the other night from a man with a deep Indian accent who claimed to be a technician from Microsoft. He said that my computer was “virus stricken” and was offering to help me fix it. He asked that I go to a website and once there, a window popped up asking permission to install software on my computer. At this point I stopped. I Googled this and found many references including a warning Microsoft has about this scam on their website.
A – Our DACS community is indebted to this member for bringing this up at the meeting. Fortunately he stopped the “support technician” before any immediate financial harm was done. The Microsoft warning about this scam is on the Safety & Security Center at http://www.microsoft.com/security/online-privacy/avoid-phone-scams.aspx. I had not heard of this scam before the meeting, and my reaction was that the scammer installed and left malware on the member’s computer. From what I have seen on YouTube and various blogs, it appears that the GoToMeeting site used by the scammers is legitimate, although different scammers may use different sites. The scammer continues to prompt the victim through the process of installing GoToMeeting. He (or she) gives the victim a code to start a remote control session. If the victim enters it, he is pwned (en.wikipedia.org/wiki/Pwn). The scammer now has complete control, and if the victim is using an ‘administrator’ account (the Windows default for the first account on a machine), the victim has handed the scammer everything he needs to install his malware right before the victim’s eyes! There are several YouTube videos of these calls and of people trying to see how long they could keep the “technician” on the phone. You may find these amusing. One series of videos starts at bit.ly/1kxYMDx. Look for the one where the victim tells the technician that he is on a Macintosh and then insists the technician help him anyway.
If my initial reaction at the meeting was correct, and malware was installed, it is likely to be too new to be detected by even a current anti-virus or malware scanner like Malwarebytes.
I have two questions about this scam: (1) How long will LogMeIn (a publicly traded company) allow the scammers to continue to create accounts and operate the scam? (2) No one has a satisfactory explanation for how the scammers get the phone numbers, but you can bet it’s not legitimate. My theory would be that they hacked the registration records of some web sites that include phone numbers. When I register at such sites, I tend to give my number as 860-555-0000. On most sites, this passes the field edit but is obviously wrong to anyone who actually looks at it.
The discussion turned to ways of detecting malware that hides from scanners. My suggestion is to boot in safe mode and run full scans using both your anti-virus and something like Malwarebytes. A member suggested a rootkit detector from Malwarebytes. I’ve used rootkit detectors from both Microsoft and Sophos. In researching this question, I learned that the System Restore function in Windows (en.wikipedia.org/wiki/System_Restore) was vastly improved in Vista and later. System Restore can actually help in this situation if the attempt is made soon enough after the problem has occurred. System Restore in Vista and later uses Shadow Copy to save system files and registry settings modified during an installation. The dates in System Restore are all “restore points” created during a Windows Update or other well-behaved software installation (note that malware is seldom well-behaved, and malware running with administrator rights can simply delete the restore points). The disk space provided for the “before” files is limited and these files will be over-written in time. This would actually be another good reason to stop using XP! Keep in mind, though, that System Restore does not touch your documents and that no scanner can prove a machine clean. Once a stranger has had remote control of the computer, the surest course is to copy off your data, reinstall Windows from known-good media and change your passwords from another computer.

Q – Along the lines of the first question, Bruce Preston offered a warning about malware called CryptoLocker. A common means of delivery is a spam email with the subject “Your order confirmation.”
A – From Wikipedia (en.wikipedia.org/wiki/CryptoLocker):
CryptoLocker is Trojan horse malware which surfaced in late 2013. A form of ransomware targeting computers running Windows, a CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment. When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline, and says that the private key will be deleted and unavailable for recovery if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.
Although CryptoLocker itself is readily removed, files remain encrypted in a way which researchers have considered infeasible to break. Many say that the ransom should not be paid, but do not offer any way to recover files; others say that paying the ransom is the only way to recover files that had not been backed up.
Our discussion covered many things. First, the malware will find and search mapped (network) drives as well as local drives, so it will find and encrypt your files, pictures, music, etc., stored on a file server or network attached storage. Files that are mirrored on cloud storage like SkyDrive, Box, Google Drive, etc. are also vulnerable, because the sync client will dutifully upload the encrypted version over the good one (some of these services keep earlier versions of a file for a limited time, which is worth checking before giving up on them). The same thing will happen with “automatic continuous” off-site backups like Carbonite. The only true defense is a traditional off-line backup, the kind that takes time to complete and that we all hate to make. You should always keep at least two generations of such an off-line backup, in case one runs on schedule and copies the encrypted files over your only good copy.
Of course, the best defense is to not install the malware in the first place! So far this attack requires the victim to open the email, open the attachment and allow the malware to install and run. At any point in this process, all you need to do is NOT click on the next step! These attacks will become more automated over time so extreme caution will become paramount. The Ars Technica article (bit.ly/19wvX94) has more information.
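The two-generation advice above can be enforced rather than remembered. The following is an added example, not code from the column or from any backup product: before a scheduled backup rotates out its oldest generation, it compares the current tree against the file hashes recorded at the previous run. A large fraction of changed files whose contents now look like random bytes (high Shannon entropy) is the signature of mass encryption, and the job refuses to rotate. The thresholds, file names and sample text are assumptions for the demonstration; the “encrypted” files are produced by a deterministic SHA-256 chain so the run is reproducible. Expect false positives on trees full of already-compressed media (JPEGs, ZIPs, videos), which are also high-entropy; a real deployment would tune the thresholds per directory.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed thresholds; tune for your own data.  Random-looking bytes approach
# 8.0 bits/byte, while text and office documents usually sit well below 6.
CHANGED_FRACTION_LIMIT = 0.5
ENTROPY_BITS_LIMIT = 7.5
SAMPLE_BYTES = 65536


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hash_tree(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def assess_tree(root: str, baseline: dict) -> dict:
    """Compare root against the digests recorded at the previous backup run.

    A file counts as suspicious when it changed since the baseline *and* its
    first SAMPLE_BYTES now look like random data.  Rotation is allowed only
    when the tree does not look mass-encrypted."""
    current = hash_tree(root)
    changed = [rel for rel, digest in current.items() if baseline.get(rel) != digest]
    suspicious = []
    for rel in changed:
        with open(os.path.join(root, rel), "rb") as fh:
            if shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_BITS_LIMIT:
                suspicious.append(rel)
    changed_fraction = len(changed) / len(current) if current else 0.0
    mass_encrypted = (changed_fraction >= CHANGED_FRACTION_LIMIT
                      and len(suspicious) >= len(changed) / 2)
    return {
        "changed_fraction": changed_fraction,
        "suspicious": sorted(suspicious),
        "safe_to_rotate": not mass_encrypted,
    }


def fake_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ransomware output: a SHA-256 chain, so the
    demo is reproducible while the bytes are as uniform as real ciphertext."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample document text (assumption for the demo).
SAMPLE_TEXT = ("Your order confirmation is attached. Please review the items "
               "and contact us with any questions about delivery.\n")


def demo() -> dict:
    """Build a small document tree, record a baseline, then overwrite 8 of 10
    files the way CryptoLocker would, and assess the tree before and after."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(10):
            with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
                fh.write((SAMPLE_TEXT * 20).encode())
        baseline = hash_tree(root)
        before = assess_tree(root, baseline)
        for i in range(8):
            with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
                fh.write(fake_ciphertext(f"doc{i}".encode(), 4096))
        after = assess_tree(root, baseline)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In a real job the baseline dictionary would be written to the backup medium alongside each generation, so that the check does not depend on state stored on the machine being backed up.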

Q – Is there a free version of Skype?
A – The Skype service (skype.com) is free for “calls” between personal computers. Skype calls that include any “real” phone number incur a per-minute charge and thus require a paid Skype account with a positive balance. It does not matter whether the phone number is a traditional land line, a cell phone or a VoIP account. Within the U.S., “Skype-out” calls are 2.3¢/minute or $2.99/month for “unlimited” time. As mentioned last month (dacs.org/archive/2013-12/ranotes.htm), Skype became a Microsoft service in 2011. Discussion turned to various “hacks” such as installing the Skype app on an out-of-service smartphone and using the phone over Wi-Fi to “call” another Skype account. This would constitute a free call.

Q – When sending a text message on my Android phone, occasionally the message gets “stuck” where the app shows that it is “sending…” for an extended period of time. Is there a way to clear this condition and resend the message? All I can do now is delete the message and start over.
A – A member suggested waiting until the texting app times out and offers an option to resend (or retry) the message. This is very rare. The questioner said this happens in areas of poor reception. Text messages are sent over the “control band” or “signaling channel” part of the cell phone connection. This channel uses much less bandwidth than the voice channel required for an actual phone call. The signal that makes a cell phone ring comes over this same channel, which explains why a cell phone can ring just fine in an area of marginal signal and then the actual call is totally unintelligible.

Q – Is it possible to determine the location from which an email message was sent based on the headers in the message? Can I look at my emails and determine where I was when I sent a particular message?
A – There was some discussion on this at the meeting. For the first question, in theory it is possible to trace the transit history of a message, since each server stamps the message as it arrives and passes it on toward the final destination. In reality, this history can be obliterated totally or in part at any step. A full description of the email delivery process is beyond our scope. The Wikipedia article on SMTP (Simple Mail Transfer Protocol) gives an excellent overview (en.wikipedia.org/wiki/SMTP). Discussion at the meeting assumed that the email was received and viewed using an email client program like Microsoft Outlook, Thunderbird or Macintosh Mail running on your PC, rather than web-based email like Yahoo Mail or Hotmail that is viewed in a browser. Yahoo preserves and can display the “full header”; other services may or may not. Within the headers is the IP address or fully-qualified domain name of each computer that touched the message, starting with the sender, then each relay point, and finally the receiving server. Each server adds its “Received:” line above the ones already there, so the chain reads from the bottom up, and only the lines added by your own provider’s servers can be trusted: anything below them arrived with the message and could have been written by the sender.
Determining where these servers are located is another matter entirely. Assuming you have the IP address of a machine, you can find the owner of that IP address using a “whois” lookup tool like that at Domain Tools (whois.domaintools.com) or DNS Stuff (dnsstuff.com). The results are likely to disappoint. For example, I have a static IP address in New Milford, yet if you do a basic whois on my IP address, the result is Charter Communications in St. Louis, Missouri. However, if you do a reverse IP lookup, the result is telemarksys.com because I (normally) have a webserver on that address. The reverse IP lookup searches for domains that are hosted on an IP address. Once again, this does not tell you where the server is located. A “whois” lookup on the domain will tell you where the domain is registered, provided that information is not hidden by the domain registrar, and the domain’s registered address is probably not where the server is located. Another example might be a message sent over Wi-Fi at a Holiday Inn located somewhere fun. The lookup is most likely to reveal that the connection is owned by Holiday Inn. That Motel 6 along the interstate is likely to show the AT&T DSL used by the motel rather than the motel’s name and location. Certainly the ISP providing the connection to the site knows where that connection is located. Such information is available to law enforcement at the merest whim; however, the tools to find detailed location information are not readily available to the public simply because of how IP address blocks are administered. Such things as Google Location Services can pinpoint the location of a cell phone based on the phone’s GPS (very accurate) or cell signal (accuracy depends on distance to the nearest cell towers) and can often provide a fairly accurate location for a home connection using DSL or cable. The limitation is that this information is determined in real time and is available only on the device itself.
[The extreme irony inherent in this statement relative to news stories of, well, say for the past eleven years is hereby noted.] In other words, the location of your cellphone or computer is only available on that device, at that moment in time, so this does not apply to the question at hand.
Finally, on the question about determining where you were when you sent a message: If you are using an email client on a laptop that you carry with you when travelling, the copies of your messages in your “sent” folder never leave your computer and thus have no “Received:” headers at all, only the date, time and addresses you supplied yourself. If the messages were sent from your phone over a 3G connection to your cellphone provider, the IP address of the phone might be in the headers; however, even if it is, at that point you are in the same situation as for received messages above. So in the final analysis, this entire answer can be summarized into two words: “Sorry, no”.
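What the header walk described above actually yields, as an added example that is not part of the column: the script below parses the “Received:” chain of a message, puts it in delivery order (oldest hop first), separates RFC 1918 addresses (a laptop behind a hotel or home router, which whois can say nothing about) from the public addresses worth a whois or reverse-DNS lookup, and marks which header was written by your own receiving server and can therefore be trusted. The message is constructed for the demonstration; the “public” addresses are IANA documentation ranges and the host names are example domains, so nothing in it points at a real server. The `own_server` name is an assumption standing in for your provider’s mail host.

```python
import email
import ipaddress
import re

# Constructed sample message, not a real capture.  192.0.2.x, 198.51.100.x
# and 203.0.113.x are documentation ranges; 192.168.1.50 is the sender's
# laptop behind the hotel's NAT router.
RAW_MESSAGE = b"""\
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
\tby mail.example.org with ESMTPS id 7x9Q2k
\tfor <member@example.org>; Tue, 10 Dec 2013 19:02:11 -0500
Received: from webmail.example.net ([198.51.100.23])
\tby mx2.example.net with ESMTP; Tue, 10 Dec 2013 19:02:09 -0500
Received: from [192.168.1.50] (hotel-wifi.example.com [192.0.2.88])
\tby webmail.example.net with ESMTPA; Tue, 10 Dec 2013 19:02:05 -0500
From: traveller@example.net
To: member@example.org
Subject: Greetings from the road
Date: Tue, 10 Dec 2013 19:02:05 -0500
Message-ID: <constructed-example-1@example.net>

See you at the December meeting.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_valid_ipv4(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_nat_address(ip: str) -> bool:
    """True for RFC 1918 addresses: they identify a machine behind a router,
    never a location, and a whois lookup on them is meaningless."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def received_hops(raw: bytes, own_server: str) -> list:
    """Parse the Received: chain and return it oldest-first.

    Each hop records the server that wrote the header ('by'), every address
    the header mentions, and whether the header is trustworthy.  Only the
    header written by your own receiving server is known-good: it records
    which IP really connected to you.  Every header below it was already in
    the message when it arrived and could have been forged by the sender."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold the header
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "by": by.group(1) if by else None,
            "ips": [ip for ip in IPV4_RE.findall(text) if _is_valid_ipv4(ip)],
            "trusted": by is not None and by.group(1) == own_server,
        })
    hops.reverse()                                # newest header sits on top
    return hops


def apparent_origin(hops: list):
    """First public address in the oldest hop: the best clue to where the
    sender was, and usually the hotel or ISP gateway, not the sender's PC."""
    if not hops:
        return None
    for ip in hops[0]["ips"]:
        if not is_nat_address(ip):
            return ip
    return None


def whois_candidates(hops: list) -> list:
    """(address, server that recorded it, trusted?) for every public address,
    oldest-first, so forgeable hops are not mistaken for established facts."""
    return [(ip, hop["by"], hop["trusted"])
            for hop in hops for ip in hop["ips"] if not is_nat_address(ip)]


if __name__ == "__main__":
    chain = received_hops(RAW_MESSAGE, own_server="mail.example.org")
    for hop in chain:
        print(hop)
    print("apparent origin:", apparent_origin(chain))
    print("look these up:", whois_candidates(chain))
```

On the sample message the oldest hop gives 192.0.2.88, the hotel’s gateway, as the only usable clue; the laptop’s own 192.168.1.50 is discarded, and only the topmost hop (written by mail.example.org) is marked trusted.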

Q – What is the best way to transfer a photo from an iPhone 4s to a desktop PC?
A – iTunes (a free download from Apple at apple.com/itunes) is the official way to sync an Apple mobile device (iPod, iPhone or iPad) with a computer, PC or Mac: when you connect the device, iTunes “pairs” with it and offers to synchronize music, video, books and movies, plus any pictures you want copied to the phone. Photos taken with the phone’s camera go the other way without iTunes: plug the iPhone in with its cable and Windows shows it as a digital camera in Windows Explorer and offers to import the pictures; on a Mac, iPhoto or Image Capture does the same. Either way the pictures arrive at full resolution, whereas emailing a picture to yourself (as pointed out at the meeting) will offer to shrink it. As a bonus, your iPhone charges its battery while all this takes place.

Q – Is there a SIG meeting where I can learn about all the various social media services like Facebook, Instagram, Twitter, all the things my granddaughters use that I know nothing about?
A – My first suggestion would be to sit down and let your granddaughters explain how they use whichever ones they use. The meeting tonight is on Facebook and Pinterest (see the meeting review on the DACS website). The meeting in June was on Twitter (dacs.org/archive/2013-07/review.htm), and back in September 2012 we had a speaker on Google+. Social media would be a good topic for a special interest group (SIG), but ten minutes is not enough time to even define the basics of each service. Many tutorials can be found by searching for “how to use twitter.” Another member mentioned that YouTube has video tutorials on just about any topic and Slide Share (slideshare.com) has PowerPoint presentations that people have posted on many topics. All of these resources are just waiting to be discovered in your search.


Questions for the upcoming meeting can be emailed to askdacs@dacs.org.

Disclaimer: Ask DACS questions come from members by email or from the audience attending the general meeting. Answers are suggestions offered by meeting attendees and represent a consensus of those responding. DACS offers no warranty as to the correctness of the answers and anyone following these suggestions or answers does so at their own risk. In other words, we could be totally wrong!

© Danbury Area Computer Society, Inc. All Rights Reserved.