
T-Mobile admits to 37,000,000 customer records stolen by “bad actor”

US mobile phone provider T-Mobile has just admitted to getting hacked, in a filing known as an 8-K that was submitted to the Securities and Exchange Commission (SEC) yesterday, 2023-01-19.

The 8-K form is described by the SEC itself as “the ‘current report’ companies must file […] to announce major events that shareholders should know about.”

These major events include issues such as bankruptcy or receivership (item 1.03), mine safety violations (item 1.04), changes in an organisation’s code of ethics (item 5.05), and a catch-all category, commonly used for reporting IT-related woes, dubbed simply Other Events (item 8.01).

T-Mobile’s Other Event is described as follows:

On January 5, 2023, T-Mobile US […] identified that a bad actor was obtaining data through a single Application Programming Interface (“API”) without authorization. We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time.

In plain English: the crooks found a way in from outside, using simple web-based connections, that allowed them to retrieve private customer information without needing a username or password.

T-Mobile first states the sort of data it thinks attackers didn’t get, which includes payment card details, social security numbers (SSNs), tax numbers, other personal identifiers such as driving licences or government-issued IDs, passwords and PINs, and financial information such as bank account details.

That’s the good news.

The bad news is that the crooks apparently got in way back on 2022-11-25 (ironically, as it happens, Black Friday, the day after US Thanksgiving) and didn’t go away empty-handed.

Plenty of time for plunder

The attackers, it seems, had enough time to extract and make off with at least some personal data for about 37 million users, including both prepaid (pay-as-you-go) and postpaid (billed-in-arrears) customers, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.

Curiously, T-Mobile officially describes this state of affairs with the words:

[T]here is currently no evidence that the bad actor was able to breach or compromise our systems or our network.

Affected customers (and perhaps the relevant regulators) may not agree that 37 million stolen customer records, notably including where you live and your date of birth…

…can be waved aside as neither a breach nor a compromise.

T-Mobile, as you may remember, paid out a whopping $500 million in 2022 to settle a breach that it suffered in 2021, although the data stolen in that incident did include information such as SSNs and driving licence details.

That sort of personal data generally gives cybercriminals a greater chance of pulling off serious identity thefts, such as taking out loans in your name or masquerading as you to sign some other sort of contract, than if they “only” have your contact details and your date of birth.



What to do?

There’s not much point in suggesting that T-Mobile customers take greater care than usual when trying to spot untrustworthy emails such as phishing scams that seem to “know” they’re T-Mobile users.

After all, scammers don’t need to know which mobile phone company you’re with in order to guess that you probably use one of the major providers, and to phish you anyway.

Simply put, if there are any new anti-phishing precautions you decide to take specifically because of this breach, we’re happy to hear it…

…but those precautions are behaviours you might as well adopt anyway.

So, we’ll repeat our usual advice, which is worth following whether you’re a T-Mobile customer or not:

  • Don’t click “helpful” links in emails or other messages. Learn in advance how to navigate to the official login pages of all the online services you use. (Yes, that includes social networks!) If you already know the right URL to use, you never need to rely on links that might have been supplied by scammers, whether in emails, text messages, or voice calls.
  • Think before you click. It’s not always easy to spot scam links, not least because even legitimate services often use dozens of different website names. But at least some, if not many, scams include the sort of mistakes that a genuine company typically wouldn’t make. As we suggest in Point 1 above, try to avoid clicking through at all, but if you do, don’t be in a hurry. The only thing worse than falling for a scam is realising afterwards that, if only you’d taken a few extra seconds to stop and think, you’d have spotted the treachery easily.
  • Report suspicious emails to your work IT team. Even if you’re a small business, make sure all your staff know where to submit treacherous email samples or to report suspicious phone calls (for example, you could set up a company-wide email address such as cybersec911@example.com). Crooks rarely send just one phishing email to one employee, and they rarely give up if their first attempt fails. The sooner someone raises the alarm, the sooner you can warn everyone else.



S3 Ep118: Guess your password? No need if it’s stolen already! [Audio + Text]


Guess your password? Crack your password? Steal your password? What if the crooks already have one of your passwords, and can use it to figure out all your others as well?


With Doug Aamoth and Paul Ducklin

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG. LifeLock woes, remote code execution, and a big scam meets big trouble.

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth; he is Paul Ducklin.

And Paul, I’m so sorry… but let me wish you a belated Happy ’23!


DUCK.  As opposed to Happy ’99, Doug?


DOUG.  How did you know? [LAUGHS]

We dovetail immediately into our Tech History segment.

This week, on 20 January 1999, the world was introduced to the HAPPY99 worm, also known as “Ska”.

Paul, you were there, man!

Tell us about your experience with HAPPY99, if you please.


DUCK.  Doug. I think the most fascinating thing for me – then and now – is what you call the B-word…

…the [COUGHS APOLOGETICALLY] “brilliant” part, and I don’t know whether this was down to laziness or supreme cleverness on the part of the programmer.

Firstly, it didn’t use a pre-generated list of email addresses.

It waited till *you* sent an email, scraped the email address out of it, and used that, with the result that the emails only went to people that you’d already just communicated with, giving them a greater believability.

And the other clever thing it had: it didn’t bother with things like subject line and message body.

It just had an attachment, HAPPY99.EXE, that when you ran it in the foreground, showed fireworks.

And then you closed it; seemed like no harm done.

So there were no linguistic clues, such as, “Hey, I just got an email in Italian from my Italian buddy wishing me Happy Christmas, immediately followed by an email in English wishing me a Happy 1999.”

And we don’t know whether the programmer foresaw that or, as I said, whether it was just, “Couldn’t be bothered to work out all the function calls I need to add this to the email…

…I know to create an email; I know to add an attachment to it; I’m not going to bother with the rest.”

And, as a result, this thing just spread and spread and spread and spread.

A reminder that in malware programming, as in many things in life, sometimes… less is a lot more.


DOUG.  Alright!

Well, let’s move on to a happier subject, a kind-of sort-of remote code execution hole in a popular cloud security library.

Wait, that’s not happier… but what happened here?

Popular JWT cloud security library patches “remote” code execution hole


DUCK.  Well, it’s happier in that the bug was not revealed in the wild with a proof-of-concept.

It was only documented some weeks after it had been patched.

And fortunately, although technically it counts as a remote code execution [RCE] bug, which caused a lot of drama when it was first reported…

…it did require that the crooks essentially broke into your apartment first, and then latched the door open from the inside for the next wave of crooks who had come along.

So it wasn’t as if they could just show up at the front door and get instant admission.

The irony, of course, is that it involves a popular open source toolkit called jsonwebtoken, or JWT for short.

A JWT is basically like a session cookie for your browser, but that’s more geared towards a zero-trust approach to authorising programs to do something for a while.

For example, you might want to authorise a program you’re about to run to go and do price lookups in a price database.

So, you need to authenticate first.

Maybe you have to put in a username, maybe a password… and then you get this access token that your program can use, and maybe it’s valid for the next 100 requests, or the next 20 minutes or something, which means that you don’t have to fully reauthenticate every time.

But that token only authorises your program to do one specific thing that you set up in advance.

It’s a great idea – it’s a standard way of doing web-based coding these days.

Now, the idea of the JWT, as opposed to other session cookies, is that in a “zero-trusty” sort of way, it includes: who the token is for; what things it’s allowed to do; and, as well as that, it has a cryptographic keyed hash of the data that says what it’s for.

And the idea is that that hash is calculated by the server when it issues the token, using a secret key that’s buried in some super-secure database somewhere.

Unfortunately, if the crooks could break into your apartment in advance by jimmying the lock…

…and if they could get into the secret database, and if they could implant a modified secret key for a particular user account, and then sneak out, apparently leaving nothing behind?

Well, you’d imagine that if you mess up the secret key, then the system just isn’t going to work, because you’re not going to be able to create reliable tokens anymore.

So you’d *think* it would fail safe.

Except it turns out that, if you could change the secret key in a special way, then next time the authentication happened (to see whether the token was correct or not), fetching the secret key could cause code to execute.

This could theoretically either read any file, or permanently implant malware, on the authentication server itself…

…which clearly would be a very bad thing indeed!

And given that these JSON web tokens are very widely used, and given that this jsonwebtoken toolkit is one of the popular ones out there, clearly there was an imperative to go and patch if you were using the buggy version.

The nice thing about this is that patch actually came out last year, before Christmas 2022, and (presumably by arrangement with the jsonwebtoken team) the company that found this and wrote it up only disclosed recently, about a week ago.

So they gave plenty of time for people to patch before they explained what the problem was in any detail.

So this *should* end well.


DOUG.  Alright, let us stay on the subject of things ending well… if you are on the side of the good guys!

We’ve got four countries, millions of dollars, multiple searches, and several arrested, in a pretty big investment scam:

Multi-million investment scammers busted in four-country Europol raid


DUCK.  This was a good, old-fashioned, “Hey, have I got an investment for you!”.

Apparently, there were four call centres, hundreds of people questioned, and 15 already arrested…

… this scam was “cold-calling people for investing in a non-existing cryptocurrency.”

So, OneCoin all over again… we’ve spoken about that OneCoin scam, where there was something like $4 billion invested in a cryptocurrency that didn’t even exist.

OneCoin scammer Sebastian Greenwood pleads guilty, “Cryptoqueen” still missing

In this case, Europol talked about cryptocurrency *schemes*.

So I think we can assume that the crooks would run one until people realised it was a scam, and then they’d pull the rug out from under them, run off with the money, start up a new one.

The idea was: start really small, saying to the person, “Look, you only have to invest a little bit, put in €100 maybe, as your first investment.”

The idea was that people would think, “I can just about afford this; if this works out, *I* could be the next Bitcoin-style billionaire.”

They put in the money… and of course, you know how the story goes.

There’s a fantastic looking website, and your investment basically just keeps inching up some days, leaping up on other days.

Basically, “Well done!”

So, that’s the problem with these scams – they just *look* great.

And you will get all the love and attention you need from the (big air quotes here) “investment advisors”, until the point that you realise it’s a scam.

And then, well… you can complain to the authorities.

I recommend you do go to the police if you can.

But then, of course, law enforcement have the difficult job of trying to figure out who it was, where they were based, and getting them before they just start the next scam.


DOUG.  OK, we have some advice here.

We have given this advice before – it applies to this story, as well as others.

If it sounds too good to be true, guess what?


DUCK.  It IS too good to be true, Doug.

Not “it might be”.

It IS too good to be true – just make it as simple as that.

That way, you don’t have to do any more evaluation.

If you’ve got your doubts, promote those doubts to the equivalent of a full-blown fact.

You could save yourself a lot of heartache.


DOUG.  We’ve got: Take your time when online talk turns from friendship to money.

And we talked about this: Don’t be fooled because a scam website looks well-branded and professional.

As a reformed web designer, I can tell you it’s impossible to make a bad looking website nowadays.

And another reason I’m not a web designer anymore is: no one needs me.

Who needs a web designer when you can do it all yourself?


DUCK.  You mean you click the button, choose the theme, rip off some JavaScript from a real investment site…


DOUG.  …drop a couple of logos in there.

Yep!


DUCK.  It’s a surprisingly easy job, and you don’t need to be a particularly experienced programmer to do it well.


DOUG.  And last, but certainly never least: Don’t let scammers drive a wedge between you and your family

…see Point 1 above about something being too good to be true.


DUCK.  Yes.

There are two ways that you could inadvertently get into a really nasty situation with your friends and family because of how the scammers behave.

The first is that, very often, if they realise that you’re about to give up on the scam because friends and family have almost convinced you that you’ve been scammed, then they will go out of their way to poison your opinion of your family in order to try and prolong the scam.

So they’ll deliberately drive that wedge in.

And, almost worse, if it’s a scam where it looks like you’re doing well, they will offer you “bonuses” for drawing in members of your family or close friends.

If you manage to convince them… unfortunately, they’re going down with you, and they’re probably going to hold you to blame because you talked them into it in the first place.

So bear that in mind.


DOUG.  OK, our last story of the day.

Popular identity protection service LifeLock has been breached, kind-of, but it’s complicated… it’s not quite as straightforward as a *breach* breach:

Serious Security: Unravelling the LifeLock “hacked passwords” story


DUCK.  Yes, that’s an interesting way of putting it, Doug!


DOUG.  [LAUGHS]


DUCK.  The reason that I thought it was important to write this up on Naked Security is that I saw the notification from Norton LifeLock, about unauthorised login attempts en masse into their service, that they sent out to some users who had been affected.

And I thought, “Uh-oh, here we go – people have had their passwords stolen at some time in the past, and now a new load of crooks are coming along, and they’re knocking on the door, and some doors are still open.”

That’s how I read it, and I think that I read it correctly.

But I suddenly started seeing headlines at least, and in some cases stories, in the media that invited people to think that, “Oh, golly, they’ve got into Norton LifeLock; they’ve got in behind the scenes; they’ve dug around in the databases; they’ve actually recovered my passwords – oh, dear!”

I guess, in the light of recent disclosures by LastPass where password databases were stolen but the passwords were encrypted…

…this, if you just follow the “Oh, it was a breach, and they’ve got the passwords” line, sounds even worse.

But it seems that this is an old list of potential username/password combinations that some bunch of crooks acquired somehow.

Let’s assume they bought it in a lump from the dark web, and then they set about seeing which of those passwords would work on which accounts.

That’s known as credential stuffing, because they take credentials that are thought to work on at least one account, and stuff them into the login forms on other sites.

So, eventually the Norton LifeLock crew sent out a warning to customers saying, “We think you’re one of the people affected by this,” probably just to people where a login had actually succeeded that they assumed had come from the wrong sort of place, to warn them.

“Somebody’s got your password, but we’re not quite sure where they got it, because they probably bought it off the Dark Web… and therefore, if that happened, there may be other bunches of crooks who’ve got it as well.”

So I think that’s what the story adds up to.


DOUG.  And we’ve got some ways here how these passwords end up on the dark web in the first place, including: Phishing attacks.


DUCK.  Yes, that’s pretty obvious…

…if somebody does a mass phishing attempt against a particular service, and N people fall for it.


DOUG.  And we’ve got: Keylogger spyware.


DUCK.  That’s where you get infected by malware on your computer, like a zombie or a bot, that has all kinds of remote-control triggers that the crooks can fire off whenever they want:

How bots and zombies work, and why you should care

And obviously, the things that bots and zombies tend to have pre-programmed into them include: monitor network traffic; send spam to a giant list of email addresses; and turn on the keylogger whenever they think you’re at an interesting website.

In other words, instead of trying to phish your passwords by decrypting otherwise-secure web transactions, they’re basically looking at what you’re typing *as you hit the keys on the keyboard*.


DOUG.  Alright, lovely.

We’ve got: Poor server-side logging hygiene.


DUCK.  Normally, you’d want to log things like the person’s IP number, and the person’s username, and the time at which they did the login attempt.

But if you’re in a programming hurry, and you accidentally logged *everything* that was in the web form…

…what if you accidentally recorded the password in the log file in plaintext?


DOUG.  All right, then we’ve got: RAM-scraping malware.

That’s an interesting one.


DUCK.  Yes, because if the crooks can sneak some malware into the background that can peek into memory while your server is running, they may be able to sniff out, “Whoa! That looks like a credit card number; that looks like the password field!”

7 types of virus – a short glossary of contemporary cyberbadness

Obviously, that sort of attack requires, as in the case we spoke of earlier… it requires the crooks to break into your apartment first to latch the door open.

But it does mean that, once that’s happened, they can have a program that doesn’t really need to go through anything on disk; it doesn’t need to search through old logs; it doesn’t need to navigate the network.

It simply needs to watch particular areas of memory in real time, in the hope of getting lucky when there’s stuff that is interesting and important.


DOUG.  We’ve got some advice.

If you’re in the habit of reusing passwords, don’t do it!

I think that’s the longest running piece of advice I can remember on record in the history of computing.

We’ve got: Don’t use related passwords on different sites.


DUCK.  Yes, I thought I would sneak that tip in, because a lot of people think:

“Oh, I know what I’ll do, I’ll choose a really complicated password, and I’ll sit down and I’ll memorize X38/=?..., so I’ve got a complicated password – the crooks will never guess it, so I only have to remember that one.

Instead of remembering it as the master password for a password manager, which is a hassle I don’t need, I’ll just add -fb for Facebook, -tt for Tik Tok, -tw for Twitter, and that way, literally, I will have a different password for every website.”

The problem is, in an attack like this, the crooks have *already got the plaintext of one of your passwords.*

If your password has complicated-bit dash two-letters, they can probably then guess your other passwords…

…because they only have to guess the spare letters.


DOUG.  Alright, and: Consider turning on 2FA for any accounts you can.


DUCK.  Yes.

As always, it’s a little bit of an inconvenience, but it does mean that if I go on the dark web and I buy a password of yours, and I then come steaming in and try and use it from some unknown part of the world…

…it doesn’t “just work”, because suddenly I need the extra one-time code as well.


DOUG.  Alright, and on the LifeLock story, we’ve got a reader comment.

Pete says:

“Nice article with good tips and a very factual approach (smileyface emoticon).”


DUCK.  I agree with the comment already, Doug! [LAUGHS]

But do go on…


DOUG.  “I guess people like to blame companies like Norton LifeLock […], because it is so easy to just blame everyone else instead of telling people how to do it correctly.”


DUCK.  Yes.

You could say those are slightly harsh words.

But, as I said at the end of that particular article, we’ve had passwords for more than 50 years already in the IT world, even though there are lots of services that are trying to move towards the so-called passwordless future – whether that relies on hardware tokens, biometric measurements, or whatever.

But I think we’re still going to have passwords for many years yet, whether we like it or not, at least for some (or perhaps even many) of our accounts.

So we really do have to bite the bullet, and just try and do it as well as we can.

And in 20 years time, when passwords are behind us, then we can change the advice, and we can come up with advice on how you protect your biometric information instead.

But for the time being, this is just one in a number of reminders that when critical personal data like passwords get stolen, they can end up having a long lifetime, and getting widely circulated among the cybercrime community.


DOUG.  Great.

Thank you, Pete, for sending that in.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @NakedSecurity.

That’s our show for today – thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth reminding you, until next time, to…


BOTH.  Stay secure!

[MUSICAL MODEM]


Serious Security: Unravelling the LifeLock “hacked passwords” story

Earlier this month, the NortonLifeLock online identity protection service, owned by Arizona-based technology company Gen Digital, sent a security warning to many of its customers.

The warning letter can be viewed online, for example on the website of the Office of the Vermont Attorney General, where it appears under the title NortonLifeLock – Gen Digital Data Breach Notice to Consumers.

The letter starts with a dread-sounding salutation that says:

We are writing to notify you of an incident involving your personal information.

It continues as follows:

[Our intrusion detection systems] alerted us that an unauthorized party likely has knowledge of the email and password you have been using with your Norton account […] and your Norton Password Manager. We recommend you change your passwords with us and elsewhere immediately.

As opening paragraphs go, this one is pretty straightforward, and contains uncomplicated if potentially time-consuming advice: someone other than you probably knows your Norton account password; they may have been able to peek into your password manager as well; please change all passwords as soon as you can.

What happened here?

But what actually happened here, and was this a breach in the conventional sense?

After all, LastPass, another well-known name in the password management game, recently announced not only that it had suffered a network intrusion, but also that customer data, including encrypted passwords, had been stolen.

In LastPass’s case, fortunately, the stolen passwords weren’t of direct and immediate use to the attackers, because each user’s password vault was protected by a master password, which wasn’t stored by LastPass and therefore wasn’t stolen at the same time.

The crooks still need to crack those master passwords first, a task that might take weeks, years, decades or even longer, for every user, depending on how wisely those passwords had been chosen.

Bad choices such as 123456 and iloveyou were probably rumbled within the first few hours of cracking, but less predictable combinations such as DaDafD$&RaDogS or tVqFHAAPTjTUmOax will almost certainly hold out for far longer than it would take to change the passwords in your vault.

But if LifeLock just suffered a breach, and the company is warning that someone else already knew some users’ account passwords, and perhaps also the master password for all their other passwords…

…isn’t that much worse?

Have those passwords already been cracked somehow?

A different sort of breach

The good news is that this case seems to be quite a different sort of “breach”, probably caused by the risky practice of using the same password for several different online services in order to make logging in to your commonly-used sites a bit quicker and easier.

Immediately after LifeLock’s early advice to go and change your passwords, the company suggests that:

[B]eginning around 2022-12-01, an unauthorized third party had used a list of usernames and passwords obtained from another source, such as the dark web, to attempt to log into Norton customer accounts. Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.

The problem with using the same password on multiple different accounts is obvious – if any one of your accounts gets compromised, then all your accounts are as good as compromised as well, because that one stolen password acts like a skeleton key to the other services involved.

Credential stuffing explained

In fact, the process of testing whether one stolen password works across multiple accounts is so popular with cybercrooks (and is so easily automated) that it even has a special name: credential stuffing.

If an online criminal guesses, buys on the dark web, steals, or phishes a password for any account that you use, even something as low-level as your local news site or your sports club, they will almost immediately try the same password on other likely accounts in your name.

Simply put, the attackers take your username, combine it with the password they already know, and stuff those credentials into the login pages of as many popular services as they can think of.

Many services these days like to use your email address as a username, which makes this process even more predictable for the Bad Guys.

By the way, using a single, hard-to-guess password “stem” and adding modifications for different accounts doesn’t help much, either.

That’s where you try to create fake “complexity” by starting with a common component that is complicated, such as Xo3LCZ6DD4+aY, and then appending uncomplicated modifiers such as -fb for Facebook, -tw for Twitter and -tt for Tik Tok.

Passwords that vary by even a single character will end up with a totally different scrambled password hash, so that stolen databases of password hashes won’t tell you anything about how similar different password choices are…

…but credential stuffing attacks are used when the attackers already know the plaintext of your password, so it’s vital to avoid turning each password into a handy hint for all the others.

Common ways that unencrypted passwords fall into criminal hands include:

  • Phishing attacks, where you inadvertently type the right password into the wrong site, so it gets sent directly to the criminals instead of to the service where you actually intended to log in.
  • Keylogger spyware, malicious software that deliberately records the raw keystrokes you type into your browser or into other apps on your laptop or phone.
  • Poor server-side logging hygiene, where criminals who break into an online service discover that the company has accidentally been logging plaintext passwords to disk instead of keeping them only temporarily in memory.
  • RAM scraping malware, which runs on compromised servers to watch out for likely data patterns that appear temporarily in memory, such as credit card details, ID numbers, and passwords.

Aren’t you blaming the victims?

Even though it looks as though LifeLock itself didn’t get breached, in the conventional sense of cybercriminals breaking into the company’s own networks and snooping on data from the inside, as it were…

…we’ve seen some criticism of how this incident was handled.

To be fair, cybersecurity vendors can’t always prevent their customers from “doing the wrong thing” (in Sophos products, for example, we do our best to warn you on-screen, brightly and boldly, if you choose configuration settings that are riskier than we recommend, but we can’t force you to accept our advice).

Notably, an online service can’t easily stop you setting exactly the same password on other sites – not least because it would need to collude with those other sites in order to do so, or to conduct credential stuffing tests of its own, thus violating the sanctity of your password.

Nevertheless, some critics have suggested that LifeLock could have spotted these bulk password-stuffing attacks more quickly than it did, perhaps by detecting the unusual pattern of attempted logins, presumably including many that failed because at least some compromised users weren’t re-using passwords, or because the database of stolen passwords was imprecise or out-of-date.

Those critics note that 12 days elapsed between the bogus login attempts starting and the company spotting the anomaly (2022-12-01 to 2022-12-12), and a further 10 days between first noticing the problem and figuring out that the issue was almost certainly down to breached data acquired from some other source than the company’s own networks.

Others have wondered why the company waited until the 2023 New Year (2022-12-12 to 2023-01-09) to send out its “breach” notification to affected users, if it was aware of bulk password stuffing attempts before Christmas 2022.

We’re not going to try to guess whether the company could have reacted more quickly, but it’s worth remembering – in case this ever happens to you – that determining all the salient facts after you receive claims about “a breach” can be a mammoth undertaking.

Annoyingly, and perhaps ironically, finding out that you have been directly breached by so-called active adversaries is often depressingly easy.

Anyone who has seen hundreds of computers simultaneously displaying a right-in-your-face ransomware blackmail note demanding thousands or millions of dollars in cryptocoins will regrettably attest to that.

But figuring out what cybercrooks definitely did not do to your network, which is essentially proving a negative, is often a time-consuming exercise, at least if you want to do it scientifically, and with a sufficient level of accuracy to convince yourself, your customers and the regulators.

What to do?

As for victim-blaming, it’s nevertheless vital to note that, as far as we know, there is nothing that LifeLock, or any other service where passwords were re-used, can do now, on its own, to fix the underlying cause of this problem.

In other words, if crooks get into your accounts on decently-secure services P, Q and R simply because they discovered you used the same password on not-so-secure site S, those more-secure sites can’t stop you taking the same sort of risk in future.

So, our immediate tips are:

  • If you are in the habit of re-using passwords, don’t do it any more! This incident is just one of many in history that draw attention to the dangers involved. Remember that this warning about using a different password for every account applies to everyone, not just to LifeLock customers.
  • Don’t use related passwords on different sites. A complex password stem combined with an easily-memorised suffix unique to each site will, literally speaking, give you a different password on every site. But this behaviour nevertheless leaves an obvious pattern that crooks are likely to figure out, even from a single compromised password sample. This “trick” just gives you a false sense of security.
  • If you received a notification from LifeLock, follow the advice in the letter. It’s possible that some users may receive notifications due to unusual logins that were nevertheless legitimate (e.g. while they were on vacation), but read it through carefully anyway.
  • Consider turning on 2FA for any accounts you can. LifeLock itself recommends 2FA (two-factor authentication) for Norton accounts, and for any accounts where two-factor logins are supported. We concur, because stolen passwords on their own are much less use to attackers if you also have 2FA in their way. Do this whether you are a LifeLock customer or not.

We may yet end up in a digital world without any passwords at all – many online services are trying to move in that direction already, looking at switching exclusively to other ways of checking your online identity, such as using special hardware tokens or taking biometric measurements instead.

But passwords have been with us for more than half a century already, so we suspect they will be with us for many years yet, for some or many, if no longer all, of our online accounts.

While we’re still stuck with passwords, let’s make a determined effort to use them in a way that gives as little help to cybercriminals as possible.


Multi-million investment scammers busted in four-country Europol raid

Another day, another series of cryptocurrency scams…

…these, fortunately, brought to a halt, though sadly not before they’d defrauded “investors” around the globe to the tune of millions of dollars.

According to Europol, 216 people were questioned in Bulgaria, Cyprus, Germany and Serbia; 15 have already been arrested; 22 searches were conducted, including at four separate call centres; and about $1,000,000 in cryptocurrency was seized.

Law enforcement also confiscated €50,000 in cash; got hold of numerous electronic devices, presumably including laptops, servers, phones and backup devices; and towed away three vehicles.

As we’ve mentioned before, scammers’ cars are often at the show-off end of the vehicular spectrum, and thus worth lots of money, but also potentially include valuable forensic evidence from their numerous on-board computer systems.

All a pack of lies

These scammers used a well-known mechanism for drawing in their victims: start small, simulate regular and substantial gains via totally fictitious online reports, and use this bogus “success” as a lure to convince victims to invest more and more.

Europol notes that although most of the victims seem to be from Germany, where this investigation started, the scammers are known to have fleeced people worldwide, including in Switzerland, Australia and Canada.

Remember that in a scam of this sort, the criminals often allow victims to withdraw a percentage of their “gains”, as a way of convincing them that their investments really do have some sort of “liquidity” and aren’t just being swallowed up forever.

Of course, all they’re really doing is giving you a small fraction of your own money back, under the guise of an interest payment or some other gain in capital value.

Likewise, given that all the “gains” you are looking at are fictitious, concocted via a fake “trading” website that shows everyone’s investments booming, it’s easy for the crooks to pretend to pay you “incentives” for investing more, or to award “bonuses” if you help them draw new people into the scam.

When sufficiently many victims start demanding to withdraw their “investments” – or at least to access more funds than they originally put in – then the crooks know that the game is up…

…and at this point, they will typically cut and run, shutting down the scam site abruptly and vanishing into cyberspace with all the “investments” they’ve tricked people into handing over so far.

We’re guessing that in this case, because Europol describes the criminals as having four call centres, and as operating “fake cryptocurrency schemes” (note the use of the plural noun schemes), that when one fake website was shut down, another “investment opportunity” would soon spring up targeting new victims.

Post-scam scamming

We’ve even reported before on a cryptocoin scam, prevalent in South East Asia, where the crooks throw in a sting-at-the-end-of-the-sting.

These scammers, known as the CryptoRom gang, don’t simply break off contact and run away when a victim tries to withdraw all their “funds” – they try out a post-scam scam where they tell the victim that their withdrawal is on its way, except that it’s been frozen by the government for tax reasons.

The victim is presented with a tax bill, typically 20% of the “gain” they’ve made, so they’ll only be getting 80% of their “earnings” out.

Unfortunately, the scammers say, simply subtracting the 20% tax amount from the withdrawal (a method used by genuine tax authorities, commonly known as a withholding tax) isn’t an option, because of the “government freeze” on the funds.

The victim will need to pay in that 20% themselves – indeed, they’d jolly well better pay in quickly, the scammers claim, given that the “authorities” are now involved and looking for their share.

What was initially a love-your-victim attitude, aimed at praising them for their wise “investments” and congratulating them on their “success”…

…turns into a squeeze-as-hard-as-you-can approach aimed at scaring victims into parting with a final lump sum that the criminals know full well they can’t afford, and that may well leave them destitute or deeply in debt to friends and family.

Scam on top of scam on top of scam

As we’ve written before, some victims even experience a sting in the tail-of-the-tail of multi-layer scams like this.

Once you realise you’ve been scammed, whether the scammers pull the plug on you, or you pull the plug on them, you may “co-incidentally” be contacted by someone who sympathises with your plight (they may claim that this recently happened to them), and who knows just the thing for you to try next…

…a cryptocurrency recovery service!

Cryptocoins, by design, are largely unregulated, pseudo-anonymous, and typically hard or even impossible to trace and recover.

But cryptocoin recoveries do sometimes happen, occasionally in astonishing amounts and after lengthy periods.

At the end of 2022, for example, US Internal Revenue Service (IRS) investigators announced that they had tracked down and arrested an individual called James Zhong, of Gainesville, Georgia.

They allege that Zhong had stolen about 50,000 Bitcoins from the infamous Silk Road dark web market not long before it was shut down in 2013.

The investigators apparently recovered the majority of those Bitcoins, then worth well over $3 billion (yes, we do really mean $3000 million), which had been hidden for nearly a decade in a popcorn tin that they found under a pile of blankets in the corner of one of Zhong’s cupboards.

Sadly, if you go down this alleged “cryptocoin recovery service” rabbit hole, you aren’t going to get any money back, because you’re simply wandering into yet another level of the scam.

You will just be pouring yet more good money after bad, and your overall losses will be even more catastrophic.

What to do?

  • If it sounds too good to be true, it IS too good to be true. Talk is cheap, and the fact that these scammers apparently ran four call centres involving hundreds of people is a good reminder that you have no reason to trust anyone who contacts you unexpectedly.
  • Take your time when online talk turns from friendship to money. Some scammers use social media and dating sites to stalk and befriend potential victims in a more personal way than simply cold-calling thousands of people. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you, and don’t let yourself be mesmerised by their “investment advice”. It’s easy for scammers to pitch themselves as kindred spirits if they’ve studied your social networking or dating site profiles in advance.
  • Don’t be fooled because a scam website looks well-branded and professional. Setting up a website with live graphs, investment pages and “account” management tools is easier than you think. Crooks can readily copy official logos, taglines, branding and even JavaScript code from legitimate sites, and modify it to suit their malicious purposes.
  • Don’t let the scammers drive a wedge between you and your family. If scammers think your family are trying to get you out of trouble, they think nothing of deliberately turning you against your family as part of their scam. Alternatively, they may lure you with the promise of “bonuses” to draw your friends and family into the scam as well.

S3 Ep117: The crypto crisis that wasn’t (and farewell forever to Win 7) [Audio + Text]

THE CRYPTO CRISIS THAT WASN’T

You can also listen directly on Soundcloud.

With Doug Aamoth and Paul Ducklin

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT


DOUG.  Call centre busts, cracking cryptography, and patches galore.

All that and more on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody – thank you for listening!

My name is Doug Aamoth; he is Paul Ducklin.

Paul, how do you do?


DUCK.  Very well, Douglas.


DOUG.  All right.

We like to start the show with a This Week in Tech History segment, and I have a twofer for you today – two things that went live this week.

One in 1863 and one in 2009.

Both exciting, one perhaps less controversial than the other.

We’re talking, of course, about the first stretch of the London Underground going into service in 1863, the first underground system of its kind.

And then we’ve got the Bitcoin floodgates opening in 2009, the first decentralised cryptocurrency of its kind.

Although we should pencil in an asterisk, because Bitcoin followed in the footsteps of such digital currencies as eCash and DigiCash in the 1980s and 1990s.


DUCK.  Yes, the latter was a rather different sort of “underground movement” to the first, wasn’t it?


DOUG.  [LAUGHS] Exactly, yes!


DUCK.  But you’re right… 160 years of the London Underground!


DOUG.  That’s amazing.

Let us talk about this…


DUCK.  [LAUGHS] You skipped the need to talk about Bitcoin/Controversy


DOUG.  Oh!


DUCK.  Let’s leave our listeners to ponder that one for themselves, Doug, because I think everyone has to have their own opinion about where Bitcoin led us… [LAUGHS]


DOUG.  And their own story.

I had a chance to buy it at $30 a coin and thought that was way too expensive.


DUCK.  Yes, Doug, but if you’d bought at $30, you would have sold at $60 and gone around patting yourself on the back and bragging to everybody.


DOUG.  Oh, not even $60!


DUCK.  Yes, exactly…


DOUG.  I’d have sold at $40. [LAUGHS]

And sticking with the subject of regret, there was a fake call centre in Ukraine that got busted:

Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid

This call centre looks nicer inside than some of the startups I’ve worked at.

So that’s something – this is a full infrastructure here.

What happened with this story, Paul?


DUCK.  Like you say, it looks like a nice little startup, but strangely, when you look at the photos provided by the Ukraine cyberpolice, no one seemed to have turned up for work that day.

And it wasn’t that they went during the vacation. [LAUGHTER]

It was that all the people – and there were, I think, three founders and 37 staff, so this was a biggish boutique business…

…they were all in the next room getting arrested, Doug.

Because although it was a call centre, their primary goal was preying on victims in another country.

In fact, in this case, they were specifically targeting victims in Kazakhstan with banking scams.

Basically, where they call up and they’re talking to you using the same sort of language that the bank would, following a carefully planned script that convinces the person, or convinces sufficiently many of the people they’re calling.

Remember, they’ve got a long list, so they can deal with lots of hang-ups, but eventually they’ll convince someone that they really are talking to the bank.

And once the other end believes that they really are talking to the bank, then…

Everyone says, “Oh, they should have realised it was a scam; they should have known when they were asked to transfer the funds, when they were asked to read out 2FA codes, when they were asked to hand over passwords, when they were asked to disclose details about the account.”

But it’s easy to say that with hindsight…


DOUG.  And I think we’ve talked about this on prior shows – when people ask, “How could someone fall for this?”

Well, they make hundreds and hundreds of calls, but they only need to trick one person. (In this case, it looks like they defrauded about 18,000 people!)

So you don’t need a super-high hit rate based on your calls.

That’s what makes these so dangerous… once you get a victim on the line, and you get access to their bank account, you just start sucking the money right out.


DUCK.  Once someone genuinely believes that they *are* talking to the bank, and they’ve got a call centre person who’s “really” (apparently!) trying to help them – probably giving them better service, support, time, and compassion than any call centre they’ve called themselves lately…

Once the person has crossed that bridge, you can see why they might get drawn in.

And, of course, as soon as the crooks had enough personally identifiable information to fleece the person, they’d jump in and start sucking money out of their account, and moving it to other accounts they controlled…

…so they could then move it on immediately, out of the regular banking system, shoving it into cryptocurrencies.

And that was what they did, day in, day out.

I don’t have much compassion for people who don’t have much compassion for the victims of these scams, to be honest, Doug.

I think a lot of techies sometimes look down their noses: “How could a person fall for this phishing scam? It’s full of mistakes, it’s full of spelling errors, it’s badly punctuated, it’s got a weird URL in it.”

You know, life’s like that!

I can see why people do fall for this – it’s not difficult for a good social engineer to talk to someone in a way that it sounds like they’re confirming security details, or that they’re going to say to you, “Let me just check with you that this really is your address”…

…but then, instead of *them* reading out your address, they’ll somehow wangle the conversation so *you* blurt it out first.

And then, “Oh, yes!” – they’ll just agree with you.

It’s surprisingly easy for someone who’s done this before, and who’s practised being a scammer, to lead the conversation in a way that makes you feel that it’s legitimate when it absolutely isn’t.

Like I said, I don’t think you should point any fingers or be judgmental about people who fall for this.

And in this case, 18,000 people went for… I think, an average of thousands of dollars each.

That’s a lot of money, a lot of turnover, for a medium sized business of 40 people, isn’t it, Doug?


DOUG.  [WRY] That’s not too shabby… other than the illegality of it all.

We do have some advice in the article, much of which we’ve said before.

Certain things like…

Not believing anyone who contacts you out of the blue and says that they’re helping you with an investigation.

Don’t trust the contact details given to you by someone on the other end of the phone….


DUCK.  Exactly.


DOUG.  We’ve talked about Caller ID, how that can’t be trusted:

Voice-scamming site “iSpoof” seized, 100s arrested in massive crackdown

Don’t be talked into handing over your personal data in order to prove your identity – the onus should be on them.

And then, of course, don’t transfer funds to other accounts.


DUCK.  Yes!

Of course, we all need to do that at times – that’s the benefit of electronic banking, particularly if you live in a far-flung region where your bank has closed branches, so you can’t go in anymore.

And you do sometimes need to add new recipients, and to go through the whole process with passwords, and 2FA, and authentication, everything to say, “Yes, I do want to pay money to this person that I’ve never dealt with before.”

You are allowed to do that, but treat adding a new recipient with the extreme caution it deserves.

And if you don’t actually know the person, then tread very carefully indeed!


DOUG.  And the last bit of advice…

Instead of saying, “How could people fall for this?” – because *you* will not fall for this, look out for friends and family who may be vulnerable.


DUCK.  Absolutely.

Make sure that your friends and family know, if they have the slightest doubt, that they should Stop – Think – and Connect *with you first*, and ask for your assistance.

Never be pressurised by fear, or cajoling, or wheedling, or anything that comes from the other end.


DOUG.  Fear – cajoling – wheedling!

And we move on to a classic kerfuffle concerning RSA and the technology media…

…and trying to figure out whether RSA can be cracked:

RSA crypto cracked? Or perhaps not!


DUCK.  Yes, this was a fascinating paper.

I think there are 20-something co-authors, all of whom are listed as primary authors, main authors, on the paper.

It came out of China, and it basically goes like this…

“Hey, guys, you know that there are these things called quantum computers?

And in theory, if you have a super-powerful quantum computer with a million qubits (that’s a quantum binary storage unit, the equivalent of a bit, but for a quantum computer)… if you have a computer with a million qubits, then, in theory, you could probably crack encryption systems like the venerable RSA (Rivest – Shamir – Adleman).

However, the biggest quantum computer yet built, after years and years of trying, has just over 400 qubits. So we’re a long way short of having a powerful enough quantum computer to get this amazing speed-up that lets us crack things that we previously thought uncrackable.

However, we think we’ve come up with a way of optimising the algorithm so that you actually only need a few hundred qubits. And maybe, just maybe, we have therefore paved the way to cracking RSA-2048.”

2048 is the number of bits in the prime product that you use for RSA.

If you can take that product of two 1024-bit prime numbers, big prime numbers…

…*if* you can take that 2048-bit number and factorise it, divide it back into the two numbers that were multiplied together, you can crack the system.

And the theory is that, with conventional computers, it’s just not possible.

Not even a super-rich government could build enough computers that were powerful enough to do that work of factorising the number.

But, as I say, with this super-powerful quantum computer, which no one’s near building yet, maybe you could do it.

And what these authors were claiming is, “Actually we found a shortcut.”


DOUG.  Do they detail the shortcut in the paper, or are they just saying, “Here’s a theory”?


DUCK.  Well, the paper is 32 pages, and half of it is appendix, which has an even higher “squiggle factor” than the rest of the paper.

So yes, they’ve got this *description*, but the problem is they didn’t actually do it.

They just said, “Hypothetically, you might be able to do this; you may be able to do the other. And we did a simulation using a really stripped-down problem”… I think, with just a few simulated qubits.

They didn’t try it on a real quantum computer, and they didn’t show that it actually works.

And the only problem that they actually solved in “proving how quickly” (airquotes!) they could do it is a factorising problem that my own very-many-year-old laptop can solve anyway in about 200 milliseconds on a single core, using a completely unoptimised, conventional algorithm.

So the consensus seems to be… [PAUSE] “It’s a nice theory.”

However, we did speak – I think, in the last podcast – about cryptographic agility.

If you are in the United States, Congress says *in a law* that you need cryptographic agility:

US passes the Quantum Computing Cybersecurity Preparedness Act – and why not?

We collectively need it, so that if we do have a cryptographic algorithm which is found wanting, we can switch soon, quickly, easily…

…and, better yet, we can swap even in advance of the final crack being figured out.

And that specifically applies because of the fear of how powerful quantum computers might be for some kinds of cryptographic cracking problems.

But it also applies to *any* issue where we’re using an encryption system or an online security protocol that we suddenly realise, “Uh-oh, it doesn’t work like we thought – we can’t carry on using the old one because the bottom fell out of that bucket.”

We need to be not worrying about how we’re going to patch said bucket for the next ten years!

We need to be able to chuck out the old, bring in the new, and bring everyone with us.

That’s the lesson to learn from this.

So, RSA *doesn’t* seem to have been cracked!

There’s an interesting theoretical paper, if you have the very specialised mathematics to wade through it, but the consensus of other cryptographic experts seems to be along the lines of: “Nothing to see here yet.”


DOUG.  And of course, the idea is that if and when this does become crackable, we’ll have a better system in place anyway, so it won’t matter because we’re cryptographically agile.


DUCK.  Indeed.


DOUG.  Last but not least, let us talk about the most recent Patch Tuesday.

We’ve got one zero-day, but perhaps even bigger than that, we say, “Thanks for the memories, Windows 7 and Windows 8.1, we hardly knew ye.”

Microsoft Patch Tuesday: One 0-day; Win 7 and 8.1 get last-ever patches


DUCK.  Well, I don’t know about “hardly”, Doug. [LAUGHTER]

Some of us liked one of you a lot, so much they didn’t want to give it up…

…and a lot of you, apparently, didn’t like the other *at all*.


DOUG.  Yes, kind of an awkward going-away party! [LAUGHS]


DUCK.  So much so that there never was a Windows 9, if you remember.

Somehow, a drained canal was placed between Windows 8.1 and Windows 10.

So, let’s not go into the details of all the patches – there are absolutely loads of them.

There’s one zero-day, which I think is an elevation of privilege, and that applies right from Windows 8.1 all the way to Windows 11 2022H2, the most recent release.

So that’s a big reminder that even if crooks are looking for vulnerabilities in the latest version of Windows, because that’s what most people are using, often those vulnerabilities turn out to be “retrofittable” back a long way.

In fact, I think Windows 7 had 42 CVE-numbered bugs patched; Windows 8.1 had 48.

And I think, as a whole, in all of the Windows products, there were 90 CVEs listed on their website, and 98 CVE-numbered bugs patched altogether, suggesting that about half of the bugs that were actually fixed (they all have CVE-2023- numbers, so they’re all recently discovered bugs)…

…about 50% of them go way back, if you want to go back that far.

So, for the details of all the fixes, go to news.sophos.com, where SophosLabs has published a more detailed analysis of Patch Tuesday.

January 2023 patch roundup: Microsoft tees up 98 updates


DUCK.  On Naked Security, the real thing we wanted to remind you about is…

…if you still have Windows 7, or you’re one of those people who still has Windows 8.1 (because somebody must have liked it), *you aren’t going to get any more security updates ever*.

Windows 7 had three years of “You can pay a whole lot of extra money and get extended security updates” – the ESU programme, as they call it.

But Windows 8.1? [LAUGHS]

The thing that gives credibility to that argument that they wanted to leave a dry ditch called Windows 9 between 8.1 and 10 is that Microsoft is now announcing:

“This extended support thing that we do, where we’ll happily take money off you for up to three years for products that are really ancient?

We’re not going to do that with Windows 8.1.”

So, at the same time as Windows 7 sails into the sunset, so does Windows 8.1.

So… if you don’t want to move on for your own sake, please do it for mine, and for Doug’s [LAUGHTER], and for everybody else’s.

Because you are not going to get any more security fixes, so there will just be more and more unpatched holes as time goes on.


DOUG.  All right!

We do have a comment on this article that we’d like to spotlight.

It does have to do with the missing Windows 9.

Naked Security reader Damon writes:

“My recollection of the reason there was no Windows 9 was to avoid poorly written version-checking code erroneously concluding that something reporting ‘Windows 9’ was Windows 95 or Windows 98.

That’s what I read at the time, anyway – I don’t know the veracity of the claim.”

Now, I had heard the same thing you did, Paul, that this was more of a marketing thing to add a little distance…


DUCK.  The “firebreak”, yes! [LAUGHS]

I don’t think we’ll ever know.

I’ve seen, and even reported in the article, on several of these stories.

One, as you say, it was the firebreak: if we just skip Windows 9 and we go straight to Windows 10, it’ll feel like we’ve distanced ourselves from the past.

I heard the story that they wanted a fresh start, and that the number wasn’t going to be a number anymore.

They wanted to break the sequence deliberately, so the product would just be called “Windows Ten”, and then it would get sub-versions.

The problem is that that story is kind of undermined by the fact that there’s now Windows 11! [LAUGHTER]

And the other problem with the “Oh, it’s because they might hear Windows 9 and think it’s Windows 95 when they’re doing version checking” is…

My recollection is that actually when you used the now-deprecated Windows function GetVersion() to find out the version number, it didn’t tell you “Windows Vista” or “Windows XP”.

It actually gave you a major version DOT minor version.

And amazingly, if I’m remembering correctly, Vista was Windows 6.0.

Windows 7, get this, was Windows 6.1… so there’s already plenty of room for confusion long before “Windows 9” was coming along.


DOUG.  Sure!


DUCK.  Windows 8 was Windows 6.2.

Windows 8.1 was essentially Windows 6.3.

But because Microsoft said, “No, we’re not using this GetVersion() command any more”, until this day (I put some code in the article – I tried it on the Windows 11 2022H2 release)…

    #include <stdio.h>
    #include <windows.h>   /* declares GetVersion() with the correct calling convention */

    int main(void)
    {
        /* GetVersion() packs the version into one DWORD:
           low byte = major, next byte = minor, high word = build number
           (when the top bit is clear, as it is on NT-based Windows). */
        DWORD ver = GetVersion();

        printf("GetVersion() returned %08lX:\n", ver);
        printf("%lu.%lu (Build %lu)\n",
               ver & 0xFF,            /* major */
               (ver >> 8) & 0xFF,     /* minor */
               (ver >> 16) & 0xFFFF); /* build */
        return 0;
    }

…to this day, unless you have a specially packaged, designed-for-a-particular-version-of-Windows executable installation, if you just take a plain EXE and run it, it will tell you to this day that you’ve got Windows 6.2 (which is really Windows 8):

GetVersion() returned 23F00206:
6.2 (Build 9200)

And, from memory, the Windows 9x series, which was Windows 95, Windows 98, and of course Windows Me, was actually version 4-dot-something.

So I’m not sure I buy this “Windows 9… version confusion” story.

Firstly, we would already have had that confusion when Windows Me came out, because it didn’t start with a “9”, yet it was from that series.

So products would already have had to fix that problem.

And secondly, even Windows 8 didn’t identify itself as “8” – it was still major version 6.

So I don’t know what to believe, Doug.

I’m sticking to the “drained and uncrossable emergency separation canal theory” myself!


DOUG.  All right, we’ll stick with that for now.

Thank you very much, Damon, for sending that in.

If you have an interesting story, comment, or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @NakedSecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time, to…


BOTH.  Stay Secure!

[MUSICAL MODEM]

