Nemo Me Impune Lacessit

Saturday, 25 May 2019

Another Phishing Attempt Upon Me

Filed under: Security, Technology — mikewb1971 @ 3:53 AM (03:53)

After logging into my ProtonMail account to send my latest to The Libertarian Enterprise, I noticed a bit of spam in my inbox there —

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, May 11, 2019 9:28 AM, Proton Team <MicrosoftS.Office.365-NotificatiSons-Noreplys@server102.hostwhitelaabel.com> wrote:

Mikewb1971

Your mikewb1971@protonmail.com will be removed in the next 24 hours as your device has been sending a shut down request to our internal server.

Take a verification if you think it’s just an error..

Let’s dissect the email address first — MicrosoftS.Office.365-NotificatiSons-Noreplys@server102.hostwhitelaabel.com

server102.hostwhitelaabel.com gives me nothing but an error message —

hostwhitelaabel.com also gives me an error message —

Back to the original message in my ProtonMail inbox —

The blue box marked “VERIFICATION NEEDED” links to https://tinyurl.com/y5st9lzr/, which in turn redirects to https://bitmex.global/css/proton/cmd-login=2d31d5c9d52dd9c521620c808d5558d4/0710dev14pfbr0fwwhw8x9dr.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=&loginpage=&amp;.rand=13InboxLight.aspx?n=1774256418&fid=4#n=1252899642&fid=1&fav=1, a lookalike of the Protonmail login page

Typing “gofuckyourself” into the username field and random text into the password field somehow led me back to my Protonmail account (or a lookalike of it), so I couldn’t click the big “X” in the upper right-hand corner of that particular tab fast enough.

Going to bitmex.global revealed only a black screen saying

THIS DOMAIN IS FOR SALE

josephgasparello@protonmail.com

Maybe “Joseph Gasparello” should seek honest employment, instead of trying to phish my Protonmail account?

But too late — just changed my password (2:57 AM)


LESSONS TO BE LEARNED HERE

  1. NO, I do NOT have a sense of humor about someone messing about maliciously with me or mine. I DO reserve the right to have some malicious counter-fun with such people.
  2. ALWAYS check the address bar to make sure that the site you’re logging into actually IS the site you intend to log into — your credit rating, reputation and such will thank you for doing so.
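
The two checks done by eye in this post (who actually sent the mail, and which host the link lands on) can be written down as code. This is an added example, not part of the original post; the trusted-domain list and the function names are assumptions, and the landing URL is cut to its host and first path segments.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the only domain this user accepts for ProtonMail mail and logins.
TRUSTED_DOMAINS = {"protonmail.com"}

# From header and landing URL as quoted in the post (URL cut to host + first path segments).
SAMPLE_FROM = ("Proton Team <MicrosoftS.Office.365-NotificatiSons-Noreplys"
               "@server102.hostwhitelaabel.com>")
SAMPLE_LANDING = "https://bitmex.global/css/proton/"


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_sender(from_header, brand="proton"):
    """Flag a display name that claims the brand while the sending domain is foreign."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if brand in display.lower() and not host_is_trusted(domain):
        return [f"display name {display!r} claims {brand}, but sender domain is {domain}"]
    return []


def check_link(url, brand="proton"):
    """Judge a link by its hostname only; path and userinfo prove nothing."""
    parts = urlsplit(url)
    host = parts.hostname  # strips any 'user@' prefix and the port
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    if not host_is_trusted(host):
        findings.append(f"host {host} is not a trusted login domain")
        if brand in parts.path.lower():
            findings.append(f"{brand!r} appears only in the path, not the host")
    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_FROM) + check_link(SAMPLE_LANDING):
        print("WARN:", finding)
```

A shortened link such as the tinyurl one above tells you nothing until it is resolved, so the check applies to the final URL shown in the address bar.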

NOTES

  1. Reposted –
    1. Personal blogs and micro-blogs – Diaspora* / Ello / Facebook / Gab / Minds / Twitter / VK


Sunday, 26 November 2017

About Those Self-Driving Cars . . . .

Filed under: Politics, Resistance, Science, Technology — mikewb1971 @ 8:38 PM (20:38)

One question for those reading this —

How many of you remember this commercial from OnStar that aired a few years ago?

There’s plenty more where that came from —

YouTube search: onstar stolen vehicle slowdown

YouTube search: onstar stolen vehicle slowdown commercial

I’m sure that when your car gets stolen or jacked away from you, this sort of thing sounds fantastic.

With that in mind, there is a downside to giving law enforcement this sort of access.

What happens when they have a warrant out for you, for whatever reason (drugs, terrorism, securities, unpaid taxes or fines, bench warrant, use your imagination here)?

If your car has one of these tracking systems built into it, they can go to the dealer, show their paperwork to whoever is working at the service desk, and not only demand a location for your vehicle, but real-time tracking information about it, and have the dealer rep shut it down when they need it shut down.

If you happen to be driving down the road when they give that order and your vehicle “loses” power, it will be your problem, not theirs.

There are ways around this sort of thing — white-hat hackers to the rescue here:

How to disable Onstar without losing bluetooth and without setting error codes

  1. Remove Onstar Module from vehicle.
  2. Remove the 6 T10 screws from the bottom of the Onstar Module.
  3. Pull up on the main board to separate it from the antenna board.
  4. Remove the Male/Male connector that connects the main board to the antenna board.
  5. Drop the main board back in without the Male/Male connector and reinstall the screws.
  6. Reinstall the Onstar Module in the vehicle and enjoy!

No error codes and no Onstar connectivity.

So when self-driving cars and trucks are mass-produced and in use by the general population, what can we expect?

I won’t be surprised if Congress mandates that the manufacturers include a backdoor to the cars’ operating system for law enforcement use. That way when the cops have a warrant for you, they don’t need to swarm (“stack”, in SWAT element parlance) up at your front door and conduct a legalized home invasion[1], they can just hack your car to deliver you to the local station, and lock you inside upon arrival.

And of course, the how-to on that will never, ever get out to the criminal element.

Is there a solution to this?

Yes — insist that you have control over who has access to your vehicle’s operating system and connectivity, so that anyone wanting this level of remote control has to have your explicit, knowing sign-off beforehand.

Or disconnect your car’s autonomous mode, unless that becomes impractical or de facto illegal[2].

Are you going to have that level of control with outfits like OnStar?

And then there’s the issue of operating system vulnerabilities. What sorts of holes will be exploitable by third parties, officially-sanctioned or freelancers?

At least with a cell phone, you can block the signal when you want by putting the phone into a plastic bag, then wrapping the bag with aluminum foil (a Faraday cage). I’m not sure how that would work with a car.

In the meantime, I recommend getting friendly with your local hacker space, 2600 meetup[3], or Linux User Group [LUG].


NOTES

  1. Compare and contrast SWAT “dynamic entry” techniques versus home invasions conducted by the criminal element
  2. I refer to the self-driving cars in Vernor Vinge’s Rainbows End
  3. As of September 2017: Meetup pages / sites, Meetup list
  4. Published in The Libertarian Enterprise, Number 950, 26 November 2017
  5. Approximate reading level – 12
  6. Reposted –
    1. Personal blogs and micro-blogs – Diaspora* / Ello / Facebook / FetLife / Gab / Google Plus / Liberty.me / Liberty Society / Minds / Tea Party Community / Twitter / VK
