“The FBI Reports A Break In Every 15 Seconds” Scam

“The FBI reports a break-in every 15 seconds” is how each call begins. The recorded message goes on to say “Let us place a small sign in your yard and we will install a new security system for free.” There has been a little coverage on this scam from smaller local news outlets. [1] The scammers always call from different numbers [2] and with an irregular frequency. Almost every post I’ve read about these calls says that they, like me, are on the Do Not Call list. This post is an attempt at catharsis. How much can I find out about this company and what resources will I need?

I’m starting with some basic sleuthing and complaint filing. I phoned my cell phone carrier and reported the numbers. The customer service representative said she’d forward all of the information I provided to their “Scam Department”. I’m not sure if there is such a thing at cell phone providers but I do hope it’s real.

What was different about this phone call was that when I pressed “1” for more information I didn’t get an immediate rep. I was disconnected and received a phone call a few minutes later [2]. I wasted my time with the scammer today just trolling her but next time I’m going to pump her for information. So I tried looking up the second number that called me and the area code matches Colorado Springs, Colorado. I called Sprint and TMobile to see if the number matched one of their customer records. Each customer service agent denied that the numbers belonged to any of their customers and one gave me a clue on what to look for next. “This number belongs to a landline with SMS capabilities.”

When I searched for landline providers in Colorado Springs I found Century Link is the largest provider. I called their residential customer service center and after speaking with a few different agents was told that the number didn’t match a resident’s number, but it doesn’t mean that the person with that number isn’t a customer. It could be that the phone number belongs to a batch of numbers that are part of a small business account. She was nice enough to give me the number of their small business accounts but they were closed for the night.

I’ll keep at this in my spare time because now I’m curious if I can uncover these scammers without the resources of law enforcement or the government. My guess is they are using a call center’s ability to mask ANI so each of the numbers in the second footnote is fake; however, the number that called me back today seems real enough. My guess is this person is a sales rep working for the scammer and if anyone presses “1” during the initial robocall they get a notification and call back.

[1] http://wtkr.com/2013/02/28/woman-says-sc…

[2] 4047210540 http://www.findwhocallsme.com/4047210540
347-690-1807 http://www.callercomplaints.com/SearchRe…
207-512-2295 http://whocalled.us/lookup/2075122295
919-249-0360 http://whocalledme.com/PhoneNumber/919-2…
480-999-5639 http://wafflesatnoon.com/2012/03/10/scam…
702-444-4939 http://wafflesatnoon.com/2012/03/10/scam…
972-905-6694 http://wafflesatnoon.com/2012/03/10/scam…
817-725-8612 Received personally by author
309-270-2208 http://whocallsme.com/Phone-Number.aspx/…
973-273-7826 http://www.callercenter.com/973-273-7826…
701-301-4001 http://www.callercenter.com/701-301-4001…
206-496-0929 http://800notes.com/Phone.aspx/1-206-496…
253-382-992 http://800notes.com/Phone.aspx/1-206-496…
503-457-1176 http://800notes.com/Phone.aspx/1-503-457…
216-278-0127 http://800notes.com/forum/ta-8d32864d2b5…
612-351-3204 http://800notes.com/forum/ta-8d32864d2b5…
321-800-4409 http://800notes.com/forum/ta-8d32864d2b5…
717-628-7009 http://800notes.com/forum/ta-8d32864d2b5…
727-350-9789 http://800notes.com/forum/ta-8d32864d2b5…

[2] 719-355-6263

Pulling My Digital Pants Back Up

A recent Ars Technica article on ASUSGATE pointed to this blog and named me as a blogger who was caught with his digital pants down. I wanted to capture some of my incident response procedures now that some time has passed and my stress levels are back to normal. As noted in the article the first thing I did was shut down all non-necessary services such as FTP and Samba. Luckily for me I never liked the idea of AiCloud so that service was already off. Next I ran a port scan on my external IP address from a server outside of my home network to make sure that no ports were left open. My goal was to ensure that literally 0 ports were open to the outside world and my router didn’t respond to uninitiated packet sessions. I ran an nmap scan that checked ports 1-65534 and found a port in the very high ephemeral range (something like 32000) and dug back through the ASUS interfaces until I found the culprit. Apparently I had forgotten to turn off the VPN pass through option from my time working at Akamai. I ran the scan again focusing only on the port that was found in the previous scan and it was off.

I’m still concerned that I have a known IP address though. At the very least anyone who doesn’t like me could send a DDoS (or just a DoS with a strong enough connection) and make sure I don’t see the internet for a while. From the research I’ve done cable companies like Comcast dole out IP addresses using DHCP but the leases can be for years. The only time they change them is when the MAC address changes so my next step is to disconnect my ASUS and connect a laptop running a liveCD directly to the cable modem in hopes of getting a new IP address.

When ASUS contacted me they sent notes on the best practices they were announcing to existing customers and details of a beta patch that was rolling out. What I didn’t see was that the FTP service would explicitly not be open on the WAN interface and require authorization from the user to open up their files to the internet. Those victims that put a username/password on their FTP should not use default credentials like “admin/admin” since they are well known and, as stated above, the IP address of the router probably hasn’t changed.

Lastly I want to nitpick on the editor’s choice of describing my folly as being “caught with my pants down”. I think this was a great way to spice up the story but the analogy doesn’t work that well. I didn’t expose anything that I would be ashamed of. The image of my pants being down is that my genitals are exposed and that’s something I don’t show in public, so a more apt analogy would be that my digital fly was down. Anyone in the world could get a peek into my digital pants, and it’s certainly embarrassing, but since I don’t walk around “commando style”[1] I was covered underneath that undone zipper.

[1] Military commandos who operate in the jungle often do not wear underwear because of the health issues associated with increased moisture and lack of air flow. http://en.wikipedia.org/wiki/Going_comma…

So This Is What Getting Pwned Is Like

EDIT: NullFluid points out that they aren’t the group that performed the intrusive scan but are only hosting the text file. [0]

There was a definite sense of dread when I started reading the txt file [1] disclosing a massive flaw in Asus routers. I’ve had an RT model ASUS for nearly two years now and recently hooked up a giant USB hard drive to it so I could stream movies from my Blu-ray player. But I thought there was no way I was affected since I went through the settings for the FTP service and disabled all outside access. I did leave the FTP security set to anonymous because I thought anyone not logged into my WPA2 protected wifi couldn’t even see the service.

Out of curiosity I entered ‘ftp://[my external ip address]’ into my browser and sat wide-eyed when I saw the contents of my media server show up. I reasoned it must be because I’m already inside the network (which doesn’t even make sense really) but panic was starting to set in. So I pulled out my phone and turned off the wifi connection and tried it there. Now I was worried.

I started downloading the torrent of directory listings and quickly turned the FTP service off. I checked the pastebin with all the IP addresses that had the dir listing bug [2] and there was my IP address. Worry was now turning to fear. After the torrent finished I looked for my IP address and found that it was under ‘partial listings’.

There’s no point in my denying that I got pwned because in the file listings are things like ‘OLIVER_DAY_GMAIL_COM_201401052241083414.pdf’ which is a copy of a boarding pass I downloaded. I’d started pushing stuff from my Downloads folder onto the media drive for convenience sake. I’m not worried about what’s on that drive however I’m terrified by the idea that someone replaced a file with some malware and then I opened it assuming I was safe.

I’m also going through memories of flaky wifi in the last month plus some weird issues with the drive itself and wondering if it was due to others accessing my drive at the same time I was. It’s a really sickening feeling although I got off pretty lucky. In my life I’ve had friends who were pwned by rival hackers and had entire mail spools dumped, financial information leaked, etc. All I lost was a directory listing and some face.

Going through the file listings of other IP addresses I see insanely personal items like whole backups of laptops, family photos, porn collections, and tax documents. Anyone that has the list of IP addresses can potentially download any of those files. I wrote some python to walk through the list of IP addresses and check to see if logging in anonymously is still possible. I’m not bothering to look at anything just see if ftp.login() works and recording the statistics. The numbers are not reassuring. The code is also on pastebin for those who want to run it and help report the numbers. [3]
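The anonymous-login check the paragraph describes, as an added example that is not the author’s pastebin script: one function that attempts an anonymous login with ftplib and reports whether it was accepted, refused, or whether the port was closed (the state a router’s WAN side should be in). The host and port are parameters; the stub FTP daemon is constructed here so the block runs offline, and in practice the check is pointed at your own router’s external address.

```python
import socket
import threading
from ftplib import FTP, error_perm


def anonymous_ftp_allowed(host, port=21, timeout=5.0):
    """Attempt an anonymous FTP login against host:port.

    Returns True if the server accepts anonymous, False if it refuses the
    login, and None if the port is closed or unreachable.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # ftplib sends USER anonymous / PASS anonymous@
    except error_perm:  # 5xx reply to USER or PASS
        return False
    except (OSError, EOFError):  # refused, timed out, or hung up
        return None
    else:
        return True
    finally:
        ftp.close()


def start_stub_ftp(accept_anonymous):
    """Constructed stand-in for a router's FTP daemon on 127.0.0.1.

    Speaks only USER/PASS/QUIT, serves a single connection, then stops
    listening so the port reads as closed afterwards. Returns the port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        reader = conn.makefile("rb")
        conn.sendall(b"220 stub ftpd ready\r\n")
        for raw in reader:  # one command per CRLF-terminated line
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("USER"):
                conn.sendall(b"331 password please\r\n")
            elif cmd.startswith("PASS"):
                if accept_anonymous:
                    conn.sendall(b"230 anonymous login ok\r\n")
                else:
                    conn.sendall(b"530 login incorrect\r\n")
            elif cmd.startswith("QUIT"):
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"502 not implemented\r\n")
        reader.close()
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against the constructed stub; replace with your router's WAN
    # address (checked from outside the LAN) to audit the real service.
    port = start_stub_ftp(accept_anonymous=True)
    print("anonymous accepted:", anonymous_ftp_allowed("127.0.0.1", port))
```

The three-way result matters for the statistics the author was collecting: a False means the owner enabled credentials, a None means the service is no longer reachable at all, and only True is the exposed state.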

While I’m not entirely opposed to the idea of full disclosure I’m not sure I agree with Brothers Grim, et al’s dump of vulnerable IP addresses. Even though this act caused me to discover the vulnerability in my own hardware I’m not okay with the idea that they took a snapshot of my FTP directory and made that part of the torrent. What was the point in that? It would have been just as effective to list the IP address and I would have reacted and benefited the same. All they’ve done is made certain people way bigger targets because the listing shows movies, or music, or porn, or very very personal files. If Brothers Grim, et al are going to poke into everyone’s drives anyway why not leave a note in the root of the FTP directory warning the user of the vulnerability? That’s the biggest problem I have with their approach: they told the world but they didn’t tell the victims. Fine, I’ve patched my Asus router and now question whether I should keep it at all. I agree it was a very poor decision on Asus’s part to make those default settings the way they were and I doubt I’ll turn the FTP service back on anytime soon. But including full directory listings of all these victims is on you, Brothers Grim, et al. It was a mistake on your part and you should apologize to us all.

[0] The text file lists the following as the crew that performed the scan: The Brothers Grim, Chuck Palahniuk, Gargamel, Debra Morgan, Gollum, Voldemort, Skeletor, Duke Igthorn
[1] http://nullfluid.com/asusgate.txt
[2] http://pastebin.com/ASfYTWgw
[3] http://pastebin.com/fpB7U1gb http://pastebin.com/HWLASXaY http://pastebin.com/zunt8jeu