
Exposed via Logmein - Is the old HD a risk


9 replies to this topic

#1 tjmcinci (Members, 5 posts)

Posted 10 February 2017 - 03:59 PM

Windows 7:

 

Circa 1956 brain in questionable condition:

I have a computer that I am very careful with.  It has things on it I need to protect.  But I really screwed up during a time when I was distraught from family issues and in a hurry.  It's not easy to admit what happened but here goes.  I have a small company and I am a QuickBooks user.  I really needed to get some quarterly forms filed and get back to the nursing home.  Something went wrong in QB and I googled for the direct number for tech support.  I am getting old and I didn't have my computer glasses on, something I don't recommend.  Google brought up 800-615-0869 but I was rushing and didn't check it out fully.  I called and they were eager to help, just like good old Intuit.  (Intuit later told me this is NOT one of their numbers.)  They wanted to get on my machine with Logmein Rescue.  I reluctantly did it.  I was watching them and it seemed like no big deal.  Then they sent me to their senior guy for help.  He tried to show me in the log files that things were really hosed up.  It was going to take several hours and they wanted $299.  When I balked things quickly turned hostile.  I disconnected from Logmein, hung up, and powered down.  I queried the Logmein people hoping for a response as to whether a file could have transferred to my system (and been run) without my knowledge.  I did not even get the courtesy of a reply.  I grabbed an old hard drive, restored my latest Acronis image (will be doing the backups a lot more frequently now), updated Windows, Quickbooks, etc., etc., and restored my data directory from my NAS.  I get sloppy with my whole system images sometimes but I am very good about copying my data directory to the NAS every time I do anything at all on this computer.  And, of course, the real Intuit had the problem fixed in no time for no charge.

 

So, if anyone actually made it through that whole saga and is still with me, I have a question.  Right now I'm treating that old hard drive like it has the plague.  I enjoy Steve Gibson and Bruce Schneier but I haven't kept up for the past year or so.  In the unlikely event that I find later that I missed something that I need, how virulent is malware these days?  If I just plug the old drive into a cradle to retrieve a data file will I be at risk?  I mean, we aren't to the point where they're infecting SMART systems or anything else that runs just because the drive is powered up, are we?

If you like happy endings then I will tell you that as I was spending several hours changing all my passwords (I even backup LastPass to that PC) I found that none of my bank accounts had been routed and there was no sign that anyone accessed any of my accounts.  Maybe some days the gods smile on dumba**es!





#2 Didier Stevens (BC Advisor, 2,698 posts)

Posted 12 February 2017 - 04:29 AM

It is technically possible but I believe it is unlikely that the scammers you phoned did that.

 

AFAIK, it's not their M.O.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 tjmcinci (Topic Starter, Members, 5 posts)

Posted 12 February 2017 - 05:47 AM

Thanks for taking the time to reply!  I know it was a lot to read.

I agree that it's likely that all they wanted was for me to pay them the money to 'fix' my problem.  But I have to be extra careful with this PC, despite my idiocy the other day.  So are you saying that if I were to put the suspect drive into a cradle on another PC, there is known malware that could run and infect the PC merely by having the HDD powered up and connected via eSATA?



#4 Didier Stevens (BC Advisor, 2,698 posts)

Posted 12 February 2017 - 05:56 AM

I was referring to your "SMART systems" question. I understood that as a question about the firmware of the HD being compromised. Wasn't that your question?




#5 tjmcinci (Topic Starter, Members, 5 posts)

Posted 14 February 2017 - 04:52 AM

Yes, thanks.  I was just using the firmware as an example.  If there is any known malware that can run just because the drive is powered up and connected to another computer then I will simply destroy the drive.  It's no great loss and at least I learned an important lesson.



#6 Didier Stevens (BC Advisor, 2,698 posts)

Posted 14 February 2017 - 10:09 AM

I don't know if there is malware in-the-wild that does this. I have not encountered it.

 

But I know it is possible to compromise the firmware of a HD.

 

But I'm also sure that this is not the case with your HD.

 

Anyway, if you need a document from that HD, you can always boot from a Live Linux CD, connect the HD and retrieve the file.




#7 tjmcinci (Topic Starter, Members, 5 posts)

Posted 14 February 2017 - 12:36 PM

Have mercy, you'd think I would have thought of a Live Linux CD.  Thank you.  That technique has rescued me from needless hardware replacements a few times but it never even occurred to me to use it here.

FWIW, I really think that the only scam playing out here was to bill me $299 for something that's free (if you have enough sense to call the right number).  But I have been trusted with some data that isn't mine to compromise for the sake of convenience.  So I'm being as careful as I can, at least now that I'm thinking straight.

Once I got my system restored and running I tried googling the number I'd called.  It looked like they were just going onto every forum on the internet that would let them post and writing "Quickbooks tech support 1 800 xxx xxxx".  I guess if you do that enough you're the first thing google brings up when you search for help.  All I can say is if you're old, wear your computer glasses and don't call any number from the google summary screen.  And maybe accept that there are times when you just aren't in good enough shape to be doing anything the slightest bit risky on the computer...


Edited by tjmcinci, 14 February 2017 - 12:59 PM.


#8 RolandJS (Members, 4,525 posts, Austin TX metro area)

Posted 14 February 2017 - 12:41 PM

If you want to reuse that possibly infected HD, you can USB or DVD boot DBAN and nuke that HD; just before you do, name that dude a unique name so that DBAN does not nuke the wrong HD.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)
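The retrieval that #6 describes (boot a Live Linux CD, connect the old drive, copy the one file you need) and the "make sure it is the right drive" point in #8, as one added example. This script is not from this thread, from BleepingComputer, from LogMeIn, Acronis or DBAN; it is a practitioner's version of the Live Linux step. Instead of labelling the drive, it selects it by the serial number that `lsblk` reports, which survives reboots and cable changes in a way `/dev/sdX` names do not; that substitution is mine, not the poster's. Assumptions: you are root on a Linux live system with util-linux (`lsblk`, `blockdev`, `mount`), `ntfs-3g` for the Windows 7 NTFS volume, and `sha256sum`; the serial numbers, `/mnt/suspect`, and the file paths are placeholders; the `lsblk` output embedded in `SAMPLE_LSBLK` is constructed so the selection logic can be exercised without any hardware attached.

```shell
#!/bin/sh
# Added example, not code from the thread or from any tool it names.
# Copies one data file off a suspect Windows drive from a Linux live
# environment without letting anything on that drive execute, and picks the
# drive by serial number rather than by a /dev name that can change between
# boots. Assumed available: util-linux (lsblk, blockdev, mount), ntfs-3g,
# sha256sum; run as root. Serials, /mnt/suspect and paths are placeholders.

# Constructed sample of `lsblk -dnP -o NAME,SERIAL,SIZE` output (not real
# hardware), used by demo_pick() so the selection can be tried offline.
SAMPLE_LSBLK='NAME="sda" SERIAL="S1AAXYZ" SIZE="500G"
NAME="sdb" SERIAL="WD-OLD1234" SIZE="320G"'

# Print /dev/<name> of the disk whose SERIAL equals $1; lsblk output on stdin.
pick_device_by_serial() {
    want="$1"
    while IFS= read -r line; do
        name=$(printf '%s\n' "$line" | sed -n 's/.*NAME="\([^"]*\)".*/\1/p')
        serial=$(printf '%s\n' "$line" | sed -n 's/.*SERIAL="\([^"]*\)".*/\1/p')
        if [ -n "$serial" ] && [ "$serial" = "$want" ]; then
            printf '/dev/%s\n' "$name"
            return 0
        fi
    done
    return 1
}

demo_pick() {
    printf '%s\n' "$SAMPLE_LSBLK" | pick_device_by_serial WD-OLD1234
}

# Options the suspect volume must be mounted with: no writes (ro), nothing on
# it runnable (noexec), no setuid binaries or device nodes honoured (nosuid,
# nodev). A trojaned autorun or a planted EXE cannot start from such a mount.
REQUIRED_OPTS="ro noexec nosuid nodev"

# $1 is one /proc/mounts line: "<dev> <mountpoint> <fstype> <opts> 0 0".
# Returns 0 only if every entry of REQUIRED_OPTS is present in the options.
mount_opts_ok() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# retrieve_file <serial> <path-inside-volume> <destination-dir>
retrieve_file() {
    serial="$1"; src="$2"; dest="$3"; mnt=/mnt/suspect
    dev=$(lsblk -dnP -o NAME,SERIAL,SIZE | pick_device_by_serial "$serial") \
        || { echo "no disk with serial $serial" >&2; return 1; }
    # Kernel-level read-only flag on the disk: after this even an automounter
    # or a mistyped command cannot write to it.
    blockdev --setro "$dev"
    # Take the first NTFS partition on that disk (the Windows data volume)
    # and flag the partition device read-only as well.
    part=$(lsblk -lnp -o NAME,FSTYPE "$dev" | awk '$2 == "ntfs" { print $1; exit }')
    [ -n "$part" ] || { echo "no NTFS partition on $dev" >&2; return 1; }
    blockdev --setro "$part"
    mkdir -p "$mnt" "$dest"
    mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$part" "$mnt"
    # Check what the kernel actually applied instead of trusting the request.
    line=$(grep " $mnt " /proc/mounts)
    mount_opts_ok "$line" || { umount "$mnt"; echo "unsafe mount: $line" >&2; return 1; }
    cp -- "$mnt/$src" "$dest/"
    # Record the hash before the file is opened anywhere else.
    sha256sum -- "$dest/$(basename "$src")"
    umount "$mnt"
}

# Touch real hardware only when asked explicitly, e.g.
#   sh retrieve.sh --run WD-OLD1234 'Users/tj/Documents/company.qbw' /root/recovered
if [ "${1-}" = "--run" ]; then
    shift
    retrieve_file "$@"
fi
```

Two caveats a practitioner would add. Many live distributions auto-mount a disk read-write the moment it is plugged in, so disable the automounter (or plug the drive in before booting and run `blockdev --setro` first thing) rather than relying on the `ro` in the mount command alone; the `/proc/mounts` check exists because what the kernel applied, not what you typed, is what protects you. And none of this addresses the firmware question raised earlier in the thread: a read-only, noexec mount stops code stored in the filesystem from running on the live system, but it says nothing about the drive's own controller firmware. The same serial-number selection is what you would run before pointing DBAN or any other wiping tool at the disk, which is the "nuke the right HD" problem #8 describes.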


#9 Didier Stevens (BC Advisor, 2,698 posts)

Posted 15 February 2017 - 03:45 PM

The fact that you called them is a key element for me to believe that this is not a targeted attack, and thus that no sophisticated methods were used.




#10 tjmcinci (Topic Starter, Members, 5 posts)

Posted 16 February 2017 - 06:00 AM

Yes, sir.  I do agree.  On any of my other computers I might have just blown it off. 

My resolve to try to keep up on security wavered about a year ago and I was mainly wondering how bad the known vectors for malware had gotten.  I suspect that many years from now we will find that there are some very clever hacks out there initiated by nation states with deep pockets and no desire to brag about them wherever hackers hang out these days.  Time will tell.  It's unlikely they would be interested in me, anyway.  I've started reading and listening again to try to come back up to speed on the current threats and computer security in general.  I see already that we now have 'fileless malware' that bypasses the disk drive altogether.  Just one guy's opinion, we are losing this war and making ourselves more vulnerable every day as every can opener and paperweight somehow requires internet connectivity to be saleable.  But losing and lost are two different things and I applaud all of you who are out there in the trenches fighting this crap.  The war is winnable if we can convince people to take it seriously and use their $ to get the software and hardware vendors to put the fluff aside for a while and concentrate on security. 





