
  Internet Security - March 2016

    READ THIS PAGE AND LEARN! ALL online financial transactions may now be compromised! Sadly the world is now a very different place, a scarier place than it was and, with all that the internet can offer, a place that is less safe than it was. The authorities tell us their internet snooping software will help in the fight against paedophiles and terrorists and it may well, but it will also massively increase cybercrime and NO PERSONAL COMPUTER is safe, even when it scans clean using antivirus and malware tools! I am a retired IT consultant and worked in PC system security. I developed a system based on free software and some 2 years after I did that, it was published as a 4 page pull-out in a major national newspaper in one of their Saturday editions. If you want to read it go here. This is a page on this website so you are at no risk by changing pages. Imagine how I felt about 1 year ago when I found that my browser had been hijacked. I run a Linux PC as the security is better than any other system I know. My security had never before been compromised so I was RATHER upset. Using Linux gave me Mozilla Firefox for my browser and Mozilla Thunderbird for email, both of which are world leading packages. When you call Firefox it tells you if your browser has been hijacked by taking 3 to 4 times as long to load and then you get a window telling you that Firefox is already running and to close the first called Firefox or reboot the system. The purpose of Firefox running unseen in background is to provide whomever with the ability to interrogate your PC, usually known as "phishing". Whatever I tried to do to get rid of this problem met with zero positive results. Scans using GUIs were done followed by scans from the command line in console and signed in as root, but no suspect files were found. Drastic action was obviously needed so I decided to do a "forensic Linux installation".

    I fitted a new factory clean hard drive to my laptop. I installed my Linux from the DVD I used originally because, even though there were newer versions of the software which I had on DVD, the first one was a "known clean DVD". I had run my laptop for over a year with no invasion from an install from this DVD so I trusted it. I used a laptop that had a wired (RJ 45) internet connection which I unplugged for the install. The methodology was to be totally disconnected from the net, printers etc for the install and to proceed step by step to see what I was doing when the browser hijacker appeared. The hard drive set-up was: the first 10GB partition was set as the swap file, the next 40GB partition was set as / (where the operating system is installed) and the rest of the drive was the third partition, set as /home. This is because only users tend to get infections, which are in the browser cache and emails, thus a scan for infections need only be done on the /home directory, where the users and Firefox, Thunderbird etc are installed. I always do a weekly scan on the / partition just to prove it. Now, after install, I have a clean Linux which has never been connected to anything. Tests were done on Firefox and it was clean. I did over 20 tests on Firefox and no problem. Now I plugged the RJ 45 cable in to the laptop to connect to my ISP (internet service provider). I left it connected for 10 seconds and then unplugged it. I tested Firefox and found it to be hijacked. The RJ 45 connection was a link to my ISP ONLY! Firefox was never invoked at any time. Firefox was in its raw "as installed" condition and had no other contact with anything except the ISP. I repeated this procedure twice more, each time using DBAN to nuke the hard drive back to factory new condition. I got exactly the same results. I deduced the problem was coming from my ISP.

    Now, I have 9 working systems; the old ones purely have old data on them but the current systems are a mini tower with Windows 7 on one HD and Linux on the other of the 2 HDs. There is a Linux laptop, a Windows 8 laptop, a Windows 8 notebook and an Android tablet. The Linux laptop is on all day every day and the others are used if needed. The notebook is used once every 6 months, which will be important information later on this page. The tablet is never used (only 1GB memory) and this page is being written on the Linux laptop. The Linux laptop is connected to the internet to collect emails and is normally NOT plugged in by the RJ 45 cable to the net. It is scanned on boot up both by GUI (takes 45 seconds) and as root on the console (takes 25 seconds) and is re-scanned after any internet connection. I find a suspect file in the Firefox cache about once every 4 days as I limit internet connection on this machine to emails but occasionally use Firefox. At about the same occurrence, once every 3 days, I get an email infection. After cleaning any infection, the system is re-booted and re-scanned. This is to ensure the suspect file is not running in memory. The cache infections are usually JavaScript files which may OR may not be a problem BUT there is a file called Exploit_CVE_2016.*** where the *** is any random 3 digits. This file will connect your PC to a web site which is a phishing site. The email infection is a file, Heuristics.Phishing.Email.SpoofedDomain, that attaches itself to your email Inbox. Heuristics refers to "living unseen in memory" and the rest is self explanatory until we get to SpoofedDomain, which I take to be an unseen email to somewhere, and that email contains all that the phishing part has found, like bank and credit card details and, if you have given card details online to buy something, those details are probably logged as the keystrokes you used. Now, fixing this Heuristics can be done as follows. If you delete ALL mails in the Inbox, you are still infected! In Thunderbird you can delete the Inbox as T'bird will re-introduce it the first time it is required to accept a new email. I have no details of how other email packages can cope. One way is to go on the command line and use the "more" command. If you enter "more < filename" on the command line it will put up onscreen all that is in "filename" so you can read the file. NOTE the < (from) part of that command. IF you put > instead of < you are saying "more into filename". This is a misuse of more and you will get an error message BUT, if you then look at "filename", it returns a content of 0! Effectively this misuse nukes the content of "filename", so to do that to the Inbox leaves it clean of the infection but it is still there to use, so this may be the remedy for email packages other than T'bird, but it DOES work on T'bird. I also remove all access permissions to 6 directories, held in 2 different places, which are world writable and are used by phishing software to collect and transmit data. This is necessary because if they are allowed to collect data, it MAY be transmitted just after boot up OR it could be stored until the RJ 45 is plugged in.
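The "more > filename" effect described above comes from the shell, not from more: the shell opens the file for writing (truncating it) before the command even starts, so the file is emptied whatever the command then does or whether it fails. The following is an added example, not code from the original page or its author, showing that mechanism with a failing command and a safer way to empty a mailbox file that takes a backup first. The sample Inbox content, the temp-directory paths and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page). Shows why "command > file"
# empties "file" even when the command itself fails, and wraps the same
# truncation in a function that keeps a backup of the mailbox.
set -u

# Create a constructed mbox-style Inbox in a temp directory and print its path.
# (Sample data only; this is not a real mailbox.)
make_sample_inbox() {
    dir=$(mktemp -d)
    printf 'From sender@example.invalid Mon Mar  7 09:00:00 2016\nSubject: hello\n\nbody\n' > "$dir/Inbox"
    echo "$dir/Inbox"
}

# Byte size of a file, portable across Linux and BSD (wc -c on stdin avoids
# the filename column in the output).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Demonstrate the page's observation: the redirection truncates the file
# before the command runs, so a command that fails (false) still leaves an
# empty file. Returns 0 if the file is empty afterwards.
show_truncation_despite_error() {
    false > "$1"            # 'false' exits 1, yet the file is already empty
    [ "$(file_size "$1")" -eq 0 ]
}

# Empty an Inbox file the way the page describes, but copy it to a
# timestamped backup first so the messages can be recovered if needed.
# Prints the backup path; returns 1 if the file is missing or the copy fails.
truncate_inbox() {
    inbox=$1
    [ -f "$inbox" ] || return 1
    backup="$inbox.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$inbox" "$backup" || return 1
    # ': > file' is the idiomatic truncation; it has the same effect as
    # 'more > file' without the error message from misusing more.
    : > "$inbox"
    echo "$backup"
}
```

Thunderbird stores an Inbox as a plain mbox file, so emptying it with a redirection is the same operation the page performs; the backup copy is the step a practitioner adds so that a mistaken truncation is reversible. Close the mail client before touching the file, since it may otherwise overwrite the change from its own in-memory copy.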

    OK, now is the time to tackle my ISP, so I went on their website to raise a support ticket to complain. I got a non-denial denial: it wasn't them as their server scans clean every time. I scanned my laptop after I went on their web site AND I went NOWHERE ELSE, ONLY my ISP. The scan returned 1 JavaScript infector and NINE separate copies of the Exploit file!!!!! OK, I am now thinking wider than before because many of my old clients were reporting the same hijacking to me and they were ALL with the same ISP as I had taken them there. I went to many of them and found one thing in common: all the infections of browsers were on laptops BUT, I also found on the desktop boxes, whilst there was no browser hijacking, many of them did not switch off straight away and the internet connection was busy. We sometimes got a screen that said "you cannot switch off as a background process is running". That screen should appear and stay as it has a button that says "force shutdown". In every case that screen appeared for about 1 second then disappeared. I checked my mini tower and it did the same. My conclusion was that maybe it was the GCHQ snooper software. Prior to this all is deadly accurate but, from this point, I cannot wholly prove my assumptions about third party software, so remember that I may be right, slightly off base or miles away, but I trust all I have ever learned and I go with what comes next. A fixed system does not need a browser hijacker as it always connects to the same ISP from the same place BUT, a laptop may be used at 07.00 AM from its expected home connection and at 10.45 AM it gets switched on and the user is on a train to London, thus using a different ISP, hence the need to hijack the browser of ANY PORTABLE machine.

    So, how are they doing this when no machine scans positive for an infection or we do not find the exact same suspect file on all scans? Easy, GCHQ houses the snoop software REMOTELY on servers. If I were GCHQ I would have 5 servers all at different offices to ensure continuity of the snoop ability. This software would have to operate, maybe as a "guest user", on EVERY ISP, either with or without their knowledge and with or without their consent. As a "guest user" the snoop software would be able to see ANYBODY's PC that was connected to that ISP. I recently helped a friend install a new mini tower. He was using a different ISP to me and we DID GET that "you cannot switch off" screen, which seemed to confirm my thoughts about GCHQ using ALL ISPs to do their work. OK, how does this software work? On further investigation I found that all machines except Linux machines have a "guest" as a user. If you go into it, the delete option is not available! If you have a guest user with root or admin permissions, programmed to run in background, that is put in place during boot up, it is the MAIN user and you cannot see it. On a Linux machine it is NOT listed as a user BUT, if I go into console and list users, there are 2 and only I logged on. If I then change to root, I am user number 3, so user number 1 with root permissions is the boss user.

    Now for the risk. It is easy to think "I am no terrorist, I am no paedophile so what if they are sniffing". BUT, who is that guy at that desk at GCHQ thinking "I am better than her, I should have got the promotion, the 5000 more"? THAT is your bad apple and a likely data harvester for his own uses if he has permissions to access the data. Is he the only one? Did he want the promotion so he COULD have the access permissions? How many people are engaged in this exercise? The risk, however, GETS WORSE! Who is involved? The law in the UK has recently been changed because of GCHQ's snooping. The NSA in America do not have this software so GCHQ were sharing anything suspicious with an American connection with the NSA. This was declared illegal so the law was rewritten. We know that GCHQ has software that can switch your smart phone on under stealth conditions. This means that if you look at it, the screen is dark, it looks to be off BUT it is NOT! They can switch your mike on under stealth conditions so any conversation can be heard. They can also pinpoint your position to WITHIN 2 FEET! Now that makes you think, doesn't it, about what their snoop software is capable of. BUT IT GETS WORSE! Think about the 10 infections I got from my ISP's web site. This suggests to me that a few cyber criminals have found a way to "piggy back" on the GCHQ remote ISP connection. This means the ISP has no idea of this as no scan would show it. That explains how the Heuristics infection gets past the email server's protection. It explains how the infection files get through the firewall onto my machine. The firewall has that 1 port for the ISP or there is no connection, but if the attacker can use the same port, your firewall is of no use!

    As stated, the NSA does not have, to our knowledge, good snooper software, so how are they doing it? Remember my notebook running Windows 8? I decided to run it up. There was so much about Windows 10 so I thought I might upgrade it. As it is rarely used I felt I had to update it. What a nightmare. You cannot go to Windows 10 from Windows 8; you have to update Windows 8 until it qualifies for a Windows 8.1 upgrade. OK, I went for it. This was a nightmare as the Seattle programmers could not get the order of install correct in the lists. Some programs need earlier programs to be installed as they carry "dependencies", which, if not there, stop the install of the new program. That means each program MUST be installed in the correct order. I ended up on a Microsoft forum looking for help. I did actually work it out for myself and by selecting and deselecting programs from the install lists, I corrected the install order. We now get to the Microsoft Store part. As I was prepping this laptop to go Windows 10 and I do not use Windows, I had no use for a store account so I refused it. Next time I booted up to carry on the work, I had to wait 45 minutes whilst Windows was "reconfiguring Windows". When it was done I had the "Microsoft Store" screen. I realised that this was the norm until I took an account so I did. Next time I booted up I could not access MY NOTEBOOK with the password I gave it when I bought it. I had to use the Microsoft Store password. I looked for the "change password" feature in settings but it was no longer there! So, MY notebook was now THEIRS! Anybody with access to the password file had access to ANY PC in the WORLD running Windows 8.1. Now, try this. I decided to put the notebook under lock and key and not to be trusted. I acquired a spare laptop (Windows 8) and went through the whole update thing to take that laptop to Windows 10. During this process I looked on the Windows update forum to refresh my memory. I found a message, as yet unread, from a Microsoft employee advising me to forget Windows 10 until it was written; he said it was only half there. I decided to go to Windows 8.1 to be ready for 10 as and when it was fit for purpose. When I got to the Store bit, it would not accept my password as used on the notebook. I had to create a new account with a new password, so I did. When I had done I saw that the number of update files for the laptop was more than for the notebook so I dug it out to check it. I had not run the notebook for 6 months but, when I booted it, I could not log in and I got no type of instruction window. After a couple of shots my suspicious mind kicked in and I tried to log in with the password I used on the laptop, and IT WORKED! Now tell me, are these my machines or Microsoft's? So my mind threw me some questions. Firstly, Microsoft never give anything away for free since Windows 3.11, so why is it free to upgrade to Windows 10? Most PCs on this planet are running Windows 7, proven, tried and trusted, but the free upgrade is now open to all fully updated Windows 7 users. Is this a ploy to get all of the over 90% of PCs on this earth to be on Windows 10? Is this because it already carries the spyware links? Is it so that ANY PC can be accessed at will? Is it because the US Government is paying for every Win 10 download because this is an agreement between the NSA, the Government and Microsoft? Are any or all of the major search engines involved? When we looked at the "bad apples" earlier as the source of risk, if all of these organisations are involved in some way or another, how many thousands work for them? How many thousands of bad apples might there be? NOW, how safe do you feel?

    I have 3 sites on the net who hold my payment details and I enter only 1 bit of data to do business, so they work. If I want to buy something I have seen online, I get an email address for the site and a phone number and I do the payment bit on the phone. My landline number is known only to me and my provider, so maybe I bust all the way through the small print if ever there is a fraudulent transaction claim. My mobile is NOT a smart phone; I want a phone and a camera, nothing more. Banking and credit card payment is done by landline phone with contacts who know me, my banter, my money movement habits etc. Finally, I have a "carrot and stick" account. This is the bills pay account. It has no balance over 20. I move money in and secure the bill payment immediately I ring off from the bank. I can put every detail of this card into an internet form knowing there can only ever be a 20 fraud by a successful robber. The bank knows what this account is for. There is a watch on it for unusual activity as they believe that "this account and debit may have been compromised on the internet". NOTHING gets done online anymore! Please realise that, when you speak on the phone about system security, you will be told "OH, we have the most secure system on the net". This is a little girl or boy, fresh from school, reading the standard answer sheet in front of them on their desk. They may be right but they do not understand that you are talking about YOUR system risk through phishing and it is nothing to do with the security, or lack of it, of those who you are talking to. Until companies begin to see this you could be conned into using the net when I have told you why it is not safe! Think of today's world where corruption is rife. I knew that, a couple of years back when some banks had ATMs that failed for a day and their web sites denied you access to your accounts, the banks blamed a "system glitch". They did not admit that it was probably cyber criminals who may have got away with untold amounts of ransom, so never accept "over the phone excuses" as nobody, except me, tells the truth anymore.

    I apologise if this sounds like a conspiracy theory. I can only go where the evidence takes me. I pooh-poohed those that said the moon landing was a con and I did it on this site and on Yahoo Answers. My reasons for what has been said here are sound because I am a man of logic and I can add up. Scaremongering is never a good tactic but I was scared; that's why I did what I did. Make your own mind up but watch over the next 2 or 3 years just how much cyber crime mushrooms and, by then, there will be a massive public outcry around the world and GCHQ and the others might have to stop. In fact, just yesterday, GCHQ admitted publicly that after 1BN spent on surveillance software, the project was a failure. We are in limbo but I will stay with my limbo as I find cyber limbo too tricky.


The JSC Group March 2006