Tag Archives: Social Engineering

Top 10 Most Obvious Hacks of All Time (v0.9)

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/07/top-10-most-obvious-hacks-of-all-time.html

For teaching hacking/cybersecurity, I thought I’d create of the most obvious hacks of all time. Not the best hacks, the most sophisticated hacks, or the hacks with the biggest impact, but the most obvious hacks — ones that even the least knowledgeable among us should be able to understand. Below I propose some hacks that fit this bill, though in no particular order.

The reason I’m writing this is that my niece wants me to teach her some hacking. I thought I’d start with the obvious stuff first.

Shared Passwords

If you use the same password for every website, and one of those websites gets hacked, then the hacker has your password for all your websites. The reason your Facebook account got hacked wasn’t because of anything Facebook did, but because you used the same email-address and password when creating an account on “beagleforums.com”, which got hacked last year.

I’ve heard people say “I’m sure, because I choose a complex password and use it everywhere”. No, this is the very worst thing you can do. Sure, you can the use the same password on all sites you don’t care much about, but for Facebook, your email account, and your bank, you should have a unique password, so that when other sites get hacked, your important sites are secure.

And yes, it’s okay to write down your passwords on paper.

Tools: HaveIBeenPwned.com

PIN encrypted PDFs

My accountant emails PDF statements encrypted with the last 4 digits of my Social Security Number. This is not encryption — a 4 digit number has only 10,000 combinations, and a hacker can guess all of them in seconds.
PIN numbers for ATM cards work because ATM machines are online, and the machine can reject your card after four guesses. PIN numbers don’t work for documents, because they are offline — the hacker has a copy of the document on their own machine, disconnected from the Internet, and can continue making bad guesses with no restrictions.
Passwords protecting documents must be long enough that even trillion upon trillion guesses are insufficient to guess.

Tools: Hashcat, John the Ripper

SQL and other injection

The lazy way of combining websites with databases is to combine user input with an SQL statement. This combines code with data, so the obvious consequence is that hackers can craft data to mess with the code.
No, this isn’t obvious to the general public, but it should be obvious to programmers. The moment you write code that adds unfiltered user-input to an SQL statement, the consequence should be obvious. Yet, “SQL injection” has remained one of the most effective hacks for the last 15 years because somehow programmers don’t understand the consequence.
CGI shell injection is a similar issue. Back in early days, when “CGI scripts” were a thing, it was really important, but these days, not so much, so I just included it with SQL. The consequence of executing shell code should’ve been obvious, but weirdly, it wasn’t. The IT guy at the company I worked for back in the late 1990s came to me and asked “this guy says we have a vulnerability, is he full of shit?”, and I had to answer “no, he’s right — obviously so”.

XSS (“Cross Site Scripting”) [*] is another injection issue, but this time at somebody’s web browser rather than a server. It works because websites will echo back what is sent to them. For example, if you search for Cross Site Scripting with the URL https://www.google.com/search?q=cross+site+scripting, then you’ll get a page back from the server that contains that string. If the string is JavaScript code rather than text, then some servers (thought not Google) send back the code in the page in a way that it’ll be executed. This is most often used to hack somebody’s account: you send them an email or tweet a link, and when they click on it, the JavaScript gives control of the account to the hacker.

Cross site injection issues like this should probably be their own category, but I’m including it here for now.

More: Wikipedia on SQL injection, Wikipedia on cross site scripting.
Tools: Burpsuite, SQLmap

Buffer overflows

In the C programming language, programmers first create a buffer, then read input into it. If input is long than the buffer, then it overflows. The extra bytes overwrite other parts of the program, letting the hacker run code.
Again, it’s not a thing the general public is expected to know about, but is instead something C programmers should be expected to understand. They should know that it’s up to them to check the length and stop reading input before it overflows the buffer, that there’s no language feature that takes care of this for them.
We are three decades after the first major buffer overflow exploits, so there is no excuse for C programmers not to understand this issue.

What makes particular obvious is the way they are wrapped in exploits, like in Metasploit. While the bug itself is obvious that it’s a bug, actually exploiting it can take some very non-obvious skill. However, once that exploit is written, any trained monkey can press a button and run the exploit. That’s where we get the insult “script kiddie” from — referring to wannabe-hackers who never learn enough to write their own exploits, but who spend a lot of time running the exploit scripts written by better hackers than they.

More: Wikipedia on buffer overflow, Wikipedia on script kiddie,  “Smashing The Stack For Fun And Profit” — Phrack (1996)
Tools: bash, Metasploit

SendMail DEBUG command (historical)

The first popular email server in the 1980s was called “SendMail”. It had a feature whereby if you send a “DEBUG” command to it, it would execute any code following the command. The consequence of this was obvious — hackers could (and did) upload code to take control of the server. This was used in the Morris Worm of 1988. Most Internet machines of the day ran SendMail, so the worm spread fast infecting most machines.
This bug was mostly ignored at the time. It was thought of as a theoretical problem, that might only rarely be used to hack a system. Part of the motivation of the Morris Worm was to demonstrate that such problems was to demonstrate the consequences — consequences that should’ve been obvious but somehow were rejected by everyone.

More: Wikipedia on Morris Worm

Email Attachments/Links

I’m conflicted whether I should add this or not, because here’s the deal: you are supposed to click on attachments and links within emails. That’s what they are there for. The difference between good and bad attachments/links is not obvious. Indeed, easy-to-use email systems makes detecting the difference harder.
On the other hand, the consequences of bad attachments/links is obvious. That worms like ILOVEYOU spread so easily is because people trusted attachments coming from their friends, and ran them.
We have no solution to the problem of bad email attachments and links. Viruses and phishing are pervasive problems. Yet, we know why they exist.

Default and backdoor passwords

The Mirai botnet was caused by surveillance-cameras having default and backdoor passwords, and being exposed to the Internet without a firewall. The consequence should be obvious: people will discover the passwords and use them to take control of the bots.
Surveillance-cameras have the problem that they are usually exposed to the public, and can’t be reached without a ladder — often a really tall ladder. Therefore, you don’t want a button consumers can press to reset to factory defaults. You want a remote way to reset them. Therefore, they put backdoor passwords to do the reset. Such passwords are easy for hackers to reverse-engineer, and hence, take control of millions of cameras across the Internet.
The same reasoning applies to “default” passwords. Many users will not change the defaults, leaving a ton of devices hackers can hack.

Masscan and background radiation of the Internet

I’ve written a tool that can easily scan the entire Internet in a short period of time. It surprises people that this possible, but it obvious from the numbers. Internet addresses are only 32-bits long, or roughly 4 billion combinations. A fast Internet link can easily handle 1 million packets-per-second, so the entire Internet can be scanned in 4000 seconds, little more than an hour. It’s basic math.
Because it’s so easy, many people do it. If you monitor your Internet link, you’ll see a steady trickle of packets coming in from all over the Internet, especially Russia and China, from hackers scanning the Internet for things they can hack.
People’s reaction to this scanning is weirdly emotional, taking is personally, such as:
  1. Why are they hacking me? What did I do to them?
  2. Great! They are hacking me! That must mean I’m important!
  3. Grrr! How dare they?! How can I hack them back for some retribution!?

I find this odd, because obviously such scanning isn’t personal, the hackers have no idea who you are.

Tools: masscan, firewalls

Packet-sniffing, sidejacking

If you connect to the Starbucks WiFi, a hacker nearby can easily eavesdrop on your network traffic, because it’s not encrypted. Windows even warns you about this, in case you weren’t sure.

At DefCon, they have a “Wall of Sheep”, where they show passwords from people who logged onto stuff using the insecure “DefCon-Open” network. Calling them “sheep” for not grasping this basic fact that unencrypted traffic is unencrypted.

To be fair, it’s actually non-obvious to many people. Even if the WiFi itself is not encrypted, SSL traffic is. They expect their services to be encrypted, without them having to worry about it. And in fact, most are, especially Google, Facebook, Twitter, Apple, and other major services that won’t allow you to log in anymore without encryption.

But many services (especially old ones) may not be encrypted. Unless users check and verify them carefully, they’ll happily expose passwords.

What’s interesting about this was 10 years ago, when most services which only used SSL to encrypt the passwords, but then used unencrypted connections after that, using “cookies”. This allowed the cookies to be sniffed and stolen, allowing other people to share the login session. I used this on stage at BlackHat to connect to somebody’s GMail session. Google, and other major websites, fixed this soon after. But it should never have been a problem — because the sidejacking of cookies should have been obvious.

Tools: Wireshark, dsniff

Stuxnet LNK vulnerability

Again, this issue isn’t obvious to the public, but it should’ve been obvious to anybody who knew how Windows works.
When Windows loads a .dll, it first calls the function DllMain(). A Windows link file (.lnk) can load icons/graphics from the resources in a .dll file. It does this by loading the .dll file, thus calling DllMain. Thus, a hacker could put on a USB drive a .lnk file pointing to a .dll file, and thus, cause arbitrary code execution as soon as a user inserted a drive.
I say this is obvious because I did this, created .lnks that pointed to .dlls, but without hostile DllMain code. The consequence should’ve been obvious to me, but I totally missed the connection. We all missed the connection, for decades.

Social Engineering and Tech Support [* * *]

After posting this, many people have pointed out “social engineering”, especially of “tech support”. This probably should be up near #1 in terms of obviousness.

The classic example of social engineering is when you call tech support and tell them you’ve lost your password, and they reset it for you with minimum of questions proving who you are. For example, you set the volume on your computer really loud and play the sound of a crying baby in the background and appear to be a bit frazzled and incoherent, which explains why you aren’t answering the questions they are asking. They, understanding your predicament as a new parent, will go the extra mile in helping you, resetting “your” password.

One of the interesting consequences is how it affects domain names (DNS). It’s quite easy in many cases to call up the registrar and convince them to transfer a domain name. This has been used in lots of hacks. It’s really hard to defend against. If a registrar charges only $9/year for a domain name, then it really can’t afford to provide very good tech support — or very secure tech support — to prevent this sort of hack.

Social engineering is such a huge problem, and obvious problem, that it’s outside the scope of this document. Just google it to find example after example.

A related issue that perhaps deserves it’s own section is OSINT [*], or “open-source intelligence”, where you gather public information about a target. For example, on the day the bank manager is out on vacation (which you got from their Facebook post) you show up and claim to be a bank auditor, and are shown into their office where you grab their backup tapes. (We’ve actually done this).

More: Wikipedia on Social Engineering, Wikipedia on OSINT, “How I Won the Defcon Social Engineering CTF” — blogpost (2011), “Questioning 42: Where’s the Engineering in Social Engineering of Namespace Compromises” — BSidesLV talk (2016)

Blue-boxes (historical) [*]

Telephones historically used what we call “in-band signaling”. That’s why when you dial on an old phone, it makes sounds — those sounds are sent no differently than the way your voice is sent. Thus, it was possible to make tone generators to do things other than simply dial calls. Early hackers (in the 1970s) would make tone-generators called “blue-boxes” and “black-boxes” to make free long distance calls, for example.

These days, “signaling” and “voice” are digitized, then sent as separate channels or “bands”. This is call “out-of-band signaling”. You can’t trick the phone system by generating tones. When your iPhone makes sounds when you dial, it’s entirely for you benefit and has nothing to do with how it signals the cell tower to make a call.

Early hackers, like the founders of Apple, are famous for having started their careers making such “boxes” for tricking the phone system. The problem was obvious back in the day, which is why as the phone system moves from analog to digital, the problem was fixed.

More: Wikipedia on blue box, Wikipedia article on Steve Wozniak.

Thumb drives in parking lots [*]

A simple trick is to put a virus on a USB flash drive, and drop it in a parking lot. Somebody is bound to notice it, stick it in their computer, and open the file.

This can be extended with tricks. For example, you can put a file labeled “third-quarter-salaries.xlsx” on the drive that required macros to be run in order to open. It’s irresistible to other employees who want to know what their peers are being paid, so they’ll bypass any warning prompts in order to see the data.

Another example is to go online and get custom USB sticks made printed with the logo of the target company, making them seem more trustworthy.

We also did a trick of taking an Adobe Flash game “Punch the Monkey” and replaced the monkey with a logo of a competitor of our target. They now only played the game (infecting themselves with our virus), but gave to others inside the company to play, infecting others, including the CEO.

Thumb drives like this have been used in many incidents, such as Russians hacking military headquarters in Afghanistan. It’s really hard to defend against.

More: “Computer Virus Hits U.S. Military Base in Afghanistan” — USNews (2008), “The Return of the Worm That Ate The Pentagon” — Wired (2011), DoD Bans Flash Drives — Stripes (2008)

Googling [*]

Search engines like Google will index your website — your entire website. Frequently companies put things on their website without much protection because they are nearly impossible for users to find. But Google finds them, then indexes them, causing them to pop up with innocent searches.
There are books written on “Google hacking” explaining what search terms to look for, like “not for public release”, in order to find such documents.

More: Wikipedia entry on Google Hacking, “Google Hacking” book.

URL editing [*]

At the top of every browser is what’s called the “URL”. You can change it. Thus, if you see a URL that looks like this:

http://www.example.com/documents?id=138493

Then you can edit it to see the next document on the server:

http://www.example.com/documents?id=138494

The owner of the website may think they are secure, because nothing points to this document, so the Google search won’t find it. But that doesn’t stop a user from manually editing the URL.
An example of this is a big Fortune 500 company that posts the quarterly results to the website an hour before the official announcement. Simply editing the URL from previous financial announcements allows hackers to find the document, then buy/sell the stock as appropriate in order to make a lot of money.
Another example is the classic case of Andrew “Weev” Auernheimer who did this trick in order to download the account email addresses of early owners of the iPad, including movie stars and members of the Obama administration. It’s an interesting legal case because on one hand, techies consider this so obvious as to not be “hacking”. On the other hand, non-techies, especially judges and prosecutors, believe this to be obviously “hacking”.

DDoS, spoofing, and amplification [*]

For decades now, online gamers have figured out an easy way to win: just flood the opponent with Internet traffic, slowing their network connection. This is called a DoS, which stands for “Denial of Service”. DoSing game competitors is often a teenager’s first foray into hacking.
A variant of this is when you hack a bunch of other machines on the Internet, then command them to flood your target. (The hacked machines are often called a “botnet”, a network of robot computers). This is called DDoS, or “Distributed DoS”. At this point, it gets quite serious, as instead of competitive gamers hackers can take down entire businesses. Extortion scams, DDoSing websites then demanding payment to stop, is a common way hackers earn money.
Another form of DDoS is “amplification”. Sometimes when you send a packet to a machine on the Internet it’ll respond with a much larger response, either a very large packet or many packets. The hacker can then send a packet to many of these sites, “spoofing” or forging the IP address of the victim. This causes all those sites to then flood the victim with traffic. Thus, with a small amount of outbound traffic, the hacker can flood the inbound traffic of the victim.
This is one of those things that has worked for 20 years, because it’s so obvious teenagers can do it, yet there is no obvious solution. President Trump’s executive order of cyberspace specifically demanded that his government come up with a report on how to address this, but it’s unlikely that they’ll come up with any useful strategy.

More: Wikipedia on DDoS, Wikipedia on Spoofing

Conclusion

Tweet me (@ErrataRob) your obvious hacks, so I can add them to the list.

Top Ten Ways to Protect Yourself Against Phishing Attacks

Post Syndicated from Roderick Bauer original https://www.backblaze.com/blog/top-ten-ways-protect-phishing-attacks/

It’s hard to miss the increasing frequency of phishing attacks in the news. Earlier this year, a major phishing attack targeted Google Docs users, and attempted to compromise at least one million Google Docs accounts. Experts say the “phish” was convincing and sophisticated, and even people who thought they would never be fooled by a phishing attack were caught in its net.

What is phishing?

Phishing attacks use seemingly trustworthy but malicious emails and websites to obtain your personal account or banking information. The attacks are cunning and highly effective because they often appear to come from an organization or business you actually use. The scam comes into play by tricking you into visiting a website you believe belongs to the trustworthy organization, but in fact is under the control of the phisher attempting to extract your private information.

Phishing attacks are once again in the news due to a handful of high profile ransomware incidents. Ransomware invades a user’s computer, encrypts their data files, and demands payment to decrypt the files. Ransomware most often makes its way onto a user’s computer through a phishing exploit, which gives the ransomware access to the user’s computer.

The best strategy against phishing is to scrutinize every email and message you receive and never to get caught. Easier said than done—even smart people sometimes fall victim to a phishing attack. To minimize the damage in an event of a phishing attack, backing up your data is the best ultimate defense and should be part of your anti-phishing and overall anti-malware strategy.

How do you recognize a phishing attack?

A phishing attacker may send an email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem with your account. When users respond with the requested information, attackers can use it to gain access to the accounts.

The image below is a mockup of how a phishing attempt might appear. In this example, courtesy of Wikipedia, the bank is fictional, but in a real attempt the sender would use an actual bank, perhaps even the bank where the targeted victim does business. The sender is attempting to trick the recipient into revealing confidential information by getting the victim to visit the phisher’s website. Note the misspelling of the words “received” and “discrepancy” as recieved and discrepency. Misspellings sometimes are indications of a phishing attack. Also note that although the URL of the bank’s webpage appears to be legitimate, the hyperlink would actually take you to the phisher’s webpage, which would be altogether different from the URL displayed in the message.

By Andrew Levine – en:Image:PhishingTrustedBank.png, Public Domain, https://commons.wikimedia.org/w/index.php?curid=549747

Top ten ways to protect yourself against phishing attacks

  1. Always think twice when presented with a link in any kind of email or message before you click on it. Ask yourself whether the sender would ask you to do what it is requesting. Most banks and reputable service providers won’t ask you to reveal your account information or password via email. If in doubt, don’t use the link in the message and instead open a new webpage and go directly to the known website of the organization. Sign in to the site in the normal manner to verify that the request is legitimate.
  2. A good precaution is to always hover over a link before clicking on it and observe the status line in your browser to verify that the link in the text and the destination link are in fact the same.
  3. Phishers are clever, and they’re getting better all the time, and you might be fooled by a simple ruse to make you think the link is one you recognize. Links can have hard-to-detect misspellings that would result in visiting a site very different than what you expected.
  4. Be wary even of emails and message from people you know. It’s very easy to spoof an email so it appears to come from someone you know, or to create a URL that appears to be legitimate, but isn’t.

For example, let’s say that you work for roughmedia.com and you get an email from Chuck in accounting ([email protected]) that has an attachment for you, perhaps a company form you need to fill out. You likely wouldn’t notice in the sender address that the phisher has replaced the “m” in media with an “r” and an “n” that look very much like an “m.” You think it’s good old Chuck in finance and it’s actually someone “phishing” for you to open the attachment and infect your computer. This type of attack is known as “spear phishing” because it’s targeted at a specific individual and is using social engineering—specifically familiarity with the sender—as part of the scheme to fool you into trusting the attachment. This technique is by far the most successful on the internet today. (This example is based on Gimlet Media’s Reply All Podcast Episode, “What Kind of Idiot Gets Phished?“)

  1. Use anti-malware software, but don’t rely on it to catch all attacks. Phishers change their approach often to keep ahead of the software attack detectors.
  2. If you are asked to enter any valuable information, only do so if you’re on a secure connection. Look for the “https” prefix before the site URL, indicating the site is employing SSL (Secure Socket Layer). If there is no “s” after “http,” it’s best not to enter any confidential information.
By Fabio Lanari – Internet1.jpg by Rock1997 modified., GFDL, https://commons.wikimedia.org/w/index.php?curid=20995390
  1. Avoid logging in to online banks and similar services via public Wi-Fi networks. Criminals can compromise open networks with man-in-the-middle attacks that capture your information or spoof website addresses over the connection and redirect you to a fake page they control.
  2. Email, instant messaging, and gaming social channels are all possible vehicles to deliver phishing attacks, so be vigilant!
  3. Lay the foundation for a good defense by choosing reputable tech vendors and service providers that respect your privacy and take steps to protect your data. At Backblaze, we have full-time security teams constantly looking for ways to improve our security.
  4. When it is available, always take advantage of multi-factor verification to protect your accounts. The standard categories used for authentication are 1) something you know (e.g. your username and password), 2) something you are (e.g. your fingerprint or retina pattern), and 3) something you have (e.g. an authenticator app on your smartphone). An account that allows only a single factor for authentication is more susceptible to hacking than one that supports multiple factors. Backblaze supports multi-factor authentication to protect customer accounts.

Be a good internet citizen, and help reduce phishing and other malware attacks by notifying the organization being impersonated in the phishing attempt, or by forwarding suspicious messages to the Federal Trade Commission at [email protected]. Some email clients and services, such as Microsoft Outlook and Google Gmail, give you the ability to easily report suspicious emails. Phishing emails misrepresenting Apple can be reported to [email protected].

Backing up your data is an important part of a strong defense against phishing and other malware

The best way to avoid becoming a victim is to be vigilant against suspicious messages and emails, but also to assume that no matter what you do, it is very possible that your system will be compromised. Even the most sophisticated and tech-savvy of us can be ensnared if we are tired, in a rush, or just unfamiliar with the latest methods hackers are using. Remember that hackers are working full-time on ways to fool us, so it’s very difficult to keep ahead of them.

The best defense is to make sure that any data that could compromised by hackers—basically all of the data that is reachable via your computer—is not your only copy. You do that by maintaining an active and reliable backup strategy.

Files that are backed up to cloud storage, such as with Backblaze, are not vulnerable to attacks on your local computer in the way that local files, attached drives, network drives, or sync services like Dropbox that have local directories on your computer are.

In the event that your computer is compromised and your files are lost or encrypted, you can recover your files if you have a cloud backup that is beyond the reach of attacks on your computer.

The post Top Ten Ways to Protect Yourself Against Phishing Attacks appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Ghost Phisher – Phishing Attack Tool With GUI

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/mogKZIEOkns/

Ghost Phisher is a Wireless and Ethernet security auditing and phishing attack tool written using the Python Programming Language and the Python Qt GUI library, the program is able to emulate access points and deploy. The tool comes with a fake DNS server, fake DHCP server, fake HTTP server and also has an integrated area […]

The post Ghost…

Read the full post at darknet.org.uk

Fake News As A Service (FNaaS?) – $400k To Rig An Election

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/UqEqmi9y3oY/

This is pretty interesting, the prices for Fake News as a Service have come out after some research by Trend Micro, imagine that you can create a fake celebrity with 300,000 followers for only $2,600. Now we all know this Fake News thing has been going on for a while, and of course, if it’s […]

The post Fake News As A Service (FNaaS?)…

Read the full post at darknet.org.uk

Forging Voice

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/forging_voice.html

LyreBird is a system that can accurately reproduce the voice of someone, given a large amount of sample inputs. It’s pretty good — listen to the demo here — and will only get better over time.

The applications for recorded-voice forgeries are obvious, but I think the larger security risk will be real-time forgery. Imagine the social engineering implications of an attacker on the telephone being able to impersonate someone the victim knows.

I don’t think we’re ready for this. We use people’s voices to authenticate them all the time, in all sorts of different ways.

EDITED TO ADD (5/11): This is from 2003 on the topic.

Research on Tech-Support Scams

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/04/research_on_tec.html

Interesting paper: “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams“:

Abstract: In technical support scams, cybercriminals attempt to convince users that their machines are infected with malware and are in need of their technical support. In this process, the victims are asked to provide scammers with remote access to their machines, who will then “diagnose the problem”, before offering their support services which typically cost hundreds of dollars. Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from everyday users of the web.

In this paper, we report on the first systematic study of technical support scams and the call centers hidden behind them. We identify malvertising as a major culprit for exposing users to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of phone numbers and domains operated by scammers. By allowing our system to run for more than 8 months we collect a large corpus of technical support scams and use it to provide insights on their prevalence, the abused infrastructure, the illicit profits, and the current evasion attempts of scammers. Finally, by setting up a controlled, IRB-approved, experiment where we interact with 60 different scammers, we experience first-hand their social engineering tactics, while collecting detailed statistics of the entire process. We explain how our findings can be used by law-enforcing agencies and propose technical and educational countermeasures for helping users avoid being victimized by
technical support scams.

BoingBoing post.

Monday’s security advisories

Post Syndicated from ris original https://lwn.net/Articles/714422/rss

Arch Linux has updated ffmpeg
(two vulnerabilities), kdenetwork-kopete (social engineering attacks), and webkit2gtk (multiple vulnerabilities).

Debian-LTS has updated openjdk-7 (multiple vulnerabilities) and vim (buffer overflow).

Fedora has updated epiphany (F24:
password extraction sweep attack).

Gentoo has updated gnutls
(multiple vulnerabilities), graphviz
(multiple vulnerabilities from 2014), and lsyncd (command injection from 2014).

Mageia has updated audacious-plugins (multiple vulnerabilities), calibre (information leak), and nagios (two vulnerabilities).

openSUSE has updated irssi (42.2,
42.1: memory leak), libxml2 (42.2: three
vulnerabilities), and tigervnc (42.2, 42.1:
denial of service).

Oracle has updated kernel 3.8.13 (OL7; OL6:
multiple vulnerabilities), kernel 2.6.39 (OL6; OL5: multiple vulnerabilities).

Red Hat has updated java-1.7.0-openjdk (RHEL5,6,7: multiple vulnerabilities).

Scientific Linux has updated java-1.7.0-openjdk (SL5,6,7: multiple vulnerabilities).

Slackware has updated bind (denial of service), openssl (three vulnerabilities), php (multiple vulnerabilities), and tcpdump (multiple vulnerabilities).

A lesson in social engineering: president debates

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/08/a-lesson-in-social-engineering.html

In theory, we hackers are supposed to be experts in social engineering. In practice, we get suckered into it like everyone else. I point this out because of the upcoming presidential debates between Hillary and Trump (and hopefully Johnson). There is no debate, there is only social engineering.

Some think Trump will pull out of the debates, because he’s been complaining a lot lately that they are rigged. No. That’s just because Trump is a populist demagogue. A politician can only champion the cause of the “people” if there is something “powerful” to fight against. He has to set things up ahead of time (debates, elections, etc.) so that any failure on his part can be attributed to the powerful corrupting the system. His constant whining about the debates doesn’t mean he’ll pull out any more than whining about the election means he’ll pull out of that.
Moreover, he’s down in the polls (What polls? What’s the question??). He therefore needs the debates to pull himself back up. And it’ll likely work — because social-engineering.
Here’s how the social engineering works, and how Trump will win the debates.
The moderators, the ones running the debate, will do their best to ask Trump the toughest questions they think of. At this point, I think their first question will be about the Kahn family, and Trump’s crappy treatment of their hero son. This is one of Trump’s biggest weaknesses, but especially so among military-obsessed Republicans.
And Trump’s response to this will be awesome. I don’t know what it will be, but I do know that he’s employing some of the world’s top speech writers and debate specialists to work on the answer. He’ll be practicing this question diligently working on a scripted answer, from many ways it can be asked, from now until the election. And then, when that question comes up, it’ll look like he’s just responding off-the-cuff, without any special thought, and it’ll impress the heck out of all the viewers that don’t already hate him.
The same will apply too all Trump’s weak points. You think the debates are an opportunity for the press to lock him down, to make him reveal his weak points once and for all in front of a national audience, but the reverse is true. What the audience will instead see is somebody given tough, nearly impossible questions, and who nonetheless has a competent answer to everything. This will impress everyone with how “presidential” Trump has become.
Also, waivering voters will see that the Trump gets much tougher questions than Hillary. This will feed into Trump’s claim the media is biased against him. Of course, the reality is that Trump is a walking disaster area with so many more weaknesses to hit, but there’s some truth to the fact that media has a strong left-wing bias. Regardless of Trump’s performance, the media will be on trial during the debate, and they’ll lose.
The danger to Trump is that he goes off script, that his advisors haven’t beaten it into his head hard enough that he’s social engineering and not talking. That’s been his greatest flaw so far. But, and this is a big “but”, it’s also been his biggest strength. By owning his gaffes, he’s seen as a more authentic man of the people and not a slick politician. I point this out because we are all still working according to the rules of past elections, and Trump appears to have rewritten the rules for this election.
Anyway, this post is about social-engineering, not politics. You should watch the debate, not for content, but for how well each candidates does social engineering. Watch how they field every question, then “bridge” to a prepared statement they’ve been practicing for months. Watch how the moderators try to take them “off message”, and how the candidates put things back “on message”. Watch how Clinton, while being friendly and natural, never ever gets “off message”, and how you don’t even notice that she’s “bridging” to her message. Watch how Trump, though, will get flustered and off message. Watch how Hillary controls her hand gestures (almost) none, while Trump frequently fails to.
At least, this is what I’ll be watching for. And watching for live tweeting, as I paraphrase what candidate really were saying, as egregiously as I can :).

SPF (SpeedPhish Framework) – E-mail Phishing Toolkit

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/fHMgD_pVPbs/

SPF (SpeedPhish Framework) is a an e-mail phishing toolkit written in Python designed to allow for quick recon and deployment of simple social engineering phishing exercises. There are also other popular Phishing tools are frameworks such as: – Phishing Frenzy – E-mail Phishing Framework – Gophish – Open-Source Phishing Framework – sptoolkit…

Read the full post at darknet.org.uk

Bypassing Phone Security through Social Engineering

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/04/bypassing_phone.html

This works:

Khan was arrested in mid-July 2015. Undercover police officers posing as company managers arrived at his workplace and asked to check his driver and work records, according to the source. When they disputed where he was on a particular day, he got out his iPhone and showed them the record of his work.

The undercover officers asked to see his iPhone and Khan handed it over. After that, he was arrested. British police had 30 seconds to change the password settings to keep the phone open.

Reminds me about how the FBI arrested Ross William Ulbricht:

The agents had tailed him, waiting for the 29-year-old to open his computer and enter his passwords before swooping in.

That also works.

And, yes, I understand that none of this would have worked with the already dead Syed Farook and his iPhone.

Phishing Frenzy – E-mail Phishing Framework

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/Xq39_cU3LUY/

Phishing Frenzy is an Open Source Ruby on Rails e-mail phishing framework designed to help penetration testers manage multiple, complex phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management,…

Read the full post at darknet.org.uk

Ransomware Visits Backblaze

Post Syndicated from Andy Klein original https://www.backblaze.com/blog/cryptowall-ransomware-recovery/

Ransomware
“Elli” from our accounting department was trying to go home. Traffic was starting to build and a 45-minute trip home would become a 90-minute trip shortly. Her Windows 10 PC chimed: she had an email. “Last one,” she uttered as she quickly opened the message. It appeared to be a voicemail file from a caller at Quickbooks, our accounting software. “What do they want?” She double-clicked on the attached file and her PC was “toast”, she just didn’t know it yet.
Instead of a voicemail from Quickbooks, what Elli had unwittingly done was unleash a ransomware infection on her system. While she finished up packing her stuff to go home, one by one the data files on her PC were being encrypted making them unreadable to her or to anyone else.
When she glanced back at her computer she noticed something odd: the background picture, the one of her daughters, was gone. It was replaced by a generic image of a field of flowers. Weird. She opened up a folder she kept on her desktop. Here’s what she expected to see:
Clean PC
Here’s what she actually saw:
Infected PC
She couldn’t comprehend what she was seeing. Who could? She called over to our CTO, Brian, to have him take a look at this weirdness. He grabbed the keyboard and started typing. In between the expletives he asked her what she had done on the computer recently. She pointed to the email open in the corner of the screen. Brian asked if she opened the attachment. As she nodded yes, Brian pulled the network cable from the PC, then shut off the Wi-Fi switch, disconnected her external drive, and turned off her computer. “Your PC,” he said, “is infected with ransomware.”
We removed Elli’s infected drive put it in a sandbox where we were able to let it finish its “work”. Once the process was done we accessed the system and besides folder after folder of unintelligible files there were “help” files, put there by the ransomware once as it processed the files in a given folder. Here’s one of them:
Cryptowall Ransomware “Help” Message
cryptowall ransomware help file
Ransomware
Ransomware is malware that infects your computer, encrypts some or all of your data, and then holds it hostage until you pay a ransom to get your files decrypted. Last year we looked at Cryptowall, a form of ransomware. In that blog post we looked at the history and future of ransomware and predicted, sadly, we’d see more attacks. Here are a few recent examples:

Hollywood Presbyterian Hospital: Paid $17,000, “It was the easy choice. I wouldn’t say it was the right choice.”
Community of Christ Church in Hillsboro: Paid $570, “…the only thing we could do was to pay the ransom.”
Europe, the Middle East, Africa and Australia: The security company Trend Micro has labeled the recent attacks a Global Threat as ransomware has invaded these regions with a vengeance.
Mac Computers: Ransomware has now made its way to Apple’s Macintosh, with the first known infection being reported this past week. In this case, it took a fair amount of skullduggery to get past the Apple security protocols. At the center of the attack was a software vendor that was hacked and their software infected with ransomware. The infected software was then available to be downloaded by unsuspecting Mac computer users.

Elli gets her data back
Elli did not pay the ransom. Instead she recovered her data files from her Backblaze backup. Her last backup was just before she downloaded the ZIP file that contained the ransomware, so it was easy to recover all her data and get up and running.
Different versions of ransomware can make the data recovery process a bit more challenging, for example:

Some ransomware attacks have been known to delay their start, instead waiting a period of time or until a specific date before unleashing the downloaded malware and starting the encryption process. In that case you’ll need to be able to roll back the clock on your backup to a date before the infection so you can recover your files.
Other ransomware attacks will attempt to also encrypt connected accessible drives, including for example your local backup drive. For this reason following the 3-2-1 backup strategy of having both an onsite and offsite backup of your data is the best prevention against data loss if ransomware strikes.

Social engineering
All of this could have been avoided had Elli not been fooled by the email and downloaded the file. As is often the case with ransomware attacks, the miscreants used social engineering to get past Elli’s defenses. Social engineering can be defined as the “psychological manipulation of people into performing actions or divulging confidential information.” In Elli’s case there were several tricks:

The “to address” on the email contained Elli’s full name.
It is normal for our office to get emails with attachments from the voicemail system.
It is normal for our office to get messages from Quickbooks.

It’s hard to know if Elli was just one of millions of people who received this email or as is more likely, Elli was the victim of a targeted attack. Such targeted attacks, also known as spear phishing, require that the sender learn about the target so that email message appears more authentic. For most of us finding the information needed to create a credible socially engineered email is as easy as perusing the company web site and then doing a little research on social sites like Facebook, LinkedIn, Google+, and so on.
Lessons learned by “Elli”
It is easy to blame Elli for letting her system get infected with ransomware, but there were multiple failures here. She was using a browser to access her cloud-based email. The email system didn’t block the email that contained the malware. Neither the browser nor the email system she was using caught the fact that the attached ZIP file contained an executable file as she was able to download the file without incident. Finally, the anti-virus software on her PC didn’t detect anything when she downloaded and then unzipped the malware file. No pop-ups, no notifications, nothing; she was on her own and in a moment of weakness she made a mistake. As embarrassing as it is, she let us tell her story so maybe someone else won’t make the same mistake. Thanks Elli.
Epilogue
Some of you may be wondering about the data we store for our customers. The systems and networks of our business operations and our production operations are independent, with separate access and credentials for each. While having an employee’s computer compromised by ransomware was horribly inconvenient for the employee, Backblaze’s core systems were never at risk.
The post Ransomware Visits Backblaze appeared first on Backblaze Blog | The Life of a Cloud Backup Company.

Poland vs the United States: civil liberties

Post Syndicated from Michal Zalewski original http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-civil-liberties.html

This is the sixth article in a short series about Poland, Europe, and the United States. To explore the entire series, start here.

I opened my comparison of Poland and the US with the topic of firearm ownership. I decided to take this route in part because of how alien the US gun culture may appear to outsiders – and because of how polarizing and interesting the subject is. But in today’s entry, I wanted to take a step back and have a look at the other, more traditional civil liberties that will be more familiar to folks on the other side of the pond.

Before we dive in, it is probably important to note that the national ethos of the United States is very expressly built on the tradition of radical individualism and free enterprise – as championed by thinkers such as Milton Friedman, Friedrich Hayek, or Adam Smith. Of course, many words can be written about the disconnect between this romanticized vision and complex realities of entrepreneurship or social mobility in the face of multi-generational poverty – but the perception still counts: in much of Europe, the government is seen less as a guarantor of civil liberties, and more as a provider of basic needs. The inverse is more true in the US; the armed forces and small businesses enjoy the two top spots in institutional trustworthiness surveys; federal legislators come dead last. This sentiment shapes many of the ongoing political debates – not just around individual freedoms, but also as related to public healthcare or the regulation of commerce. The virtues of self-sufficiency and laissez-faire capitalism seem far more self-evident to the citizens of the US than they are in the EU.

With that in mind, it’s worthwhile to start the comparison with the freedom of speech. A cherished tradition in the western world, this liberty is nevertheless subordinate to a number of collectivist social engineering goals across the whole old continent; for example, strong prohibitions exist on the promotion of Nazi ideology or symbolism, or on the mere practice of denying the Holocaust. The freedom of speech is also broadly trumped by the right to privacy, including the hotly-debated right to be forgotten on the Internet. Other, more exotic restrictions implemented in several places in Europe include the prohibition against disrespecting the religious beliefs of others or insulting any acting head of state; in Poland, people have been prosecuted for hurling childish insults at the Pope or at the outgoing Polish president. Of course, the enforcement is patently selective: in today’s political climate, no one will be charged for calling Mr. Putin a thug.

The US takes a more absolutist view of the First Amendment, with many hate groups enjoying far-reaching impunity enshrined in the judicial standards put forward not by politicians, but by the unusually powerful US Supreme Court. The notion of “speech” is also interpreted very broadly, extending to many forms of artistic, religious, and political expression; in particular, the European niqab and burka bans would be patently illegal in the United States and aren’t even the subject of serious debate. The concept of homeschooling, banned or heavily regulated in some parts of Europe, is seen by some through the same constitutional prism: it is your right to teach your children about Young Earth creationism, and the right trumps any concerns over the purported social costs. Last but not least, there is the controversial Citizens United decision, holding that some forms of financial support provided to political causes can be equated with constitutionally protected speech; again, the ruling came not from the easily influenced politicians, but from the Supreme Court.

As an aside, despite the use of freedom-of-speech restrictions as a tool for rooting out anti-Semitism and hate speech in Europe, the contemporary US may be providing a less fertile ground for racism and xenophobia than at least some parts of the EU. The country still struggles with its dark past and the murky reality of racial discrimination – but despite the stereotypes, the incidence of at least some types of casual racism in today’s America seems lower than in much of Europe. The pattern is also evident in political discourse; many of the openly xenophobic opinions or legislative proposals put forward by European populist politicians would face broad condemnation in the US. Some authors argue that the old continent is facing a profound new wave of Islamophobia and
hatred toward Jews; in countries such as Greece and Hungary, more than 60% of population seems to be holding such views. In Poland, more than 40% say that Jews hold too much influence in business – a surreal claim, given that that there are just several thousand Jews living in the country of 38 million. My own memories from growing up in that country are that of schoolkids almost universally using “you Jew!” as a mortal insult. The defacement of Jewish graves and monuments, or anti-Semitic graffiti, posters, and sports chants are far more common than they should be. It’s difficult to understand if restrictions on free speech suppress the sentiments or make them worse, but at the very least, the success of the policies is not clear-cut.

Other civil liberties revered in the United States, and perhaps less so in Europe, put limits on the ability of the government to intrude into private lives through unwarranted searches and seizures. Of course, the stereotypical view of the US is that of a dystopian surveillance state, epitomized by the recent focus on warrantless surveillance or secret FISA courts. But having worked for a telecommunications company in Poland, my own sentiment is that in Europe, surveillance tends to be done with more impunity, far less legal oversight, and without clear delination between law enforcement and intelligence work. The intelligence community in particular is often engaged in domestic investigations against businesses, politicians, and journalists – and all across Europe, “pre-crime” policing ideas are taking hold.

In many European countries, citizens are not afforded powerful tools such as FOIA requests, do not benefit from a tradition of protected investigative journalism and whistleblowing, and can’t work with influential organizations such as the American Civil Liberties Union; there is also no history of scandals nearly as dramatic and transformative as Watergate. In the States, I feel that all this helped to create an imperfect but precious balance between the needs of the government and the rights of the people – and instill higher ethical standards in the law enforcement and intelligence community; it is telling that the revelations from Snowden, while exposing phenomenal and somewhat frightening surveillance capabilities of the NSA, have not surfaced any evidence of politically-motivated investigations or other blatant impropriety in how the capabilities are being used by the agency. The individualist spirit probably helps here, too: quite a few states and municipalities go as far as banning traffic enforcement cameras because of how they rob suspects of the ability to face the accuser in court.

When it comes to some other civil traditions that are sacrosanct in Europe, the United States needs to face justified criticism. The harsh and overcrowded penal system treats some offenders unfairly; it is a product of populist sentiments influenced by the crime waves of the twentieth century and fueled by the dysfunctional War on Drugs. While Polish prisons may not be much better, some of the ideas implemented elsewhere in Europe seem to make a clear difference. They are difficult to adopt in the States chiefly because they do not fit the folksy “tough on crime” image that many American politicians take pride in.

In the same vein, police brutality, disproportionately faced by the poor and the minorities, is another black mark for individual rights. The death penalty, albeit infrequent and reserved for most heinous crimes, stands on shaky moral grounds – even if it faces steady public support. The indefinite detention and torture of terrorism suspects, with the knowledge and complicity of many other European states, deserves nothing but scorn. Civil forfeiture is a bizarre concept that seems to violate the spirit of the Fourth Amendment by applying unreasonably relaxed standards for certain types of seizures – although in all likelihood, its days are coming to an end.

As usual, the picture is complex and it’s hard to declare the superiority of any single approach to individual liberties. Europe and the United States have much in common, but also differ in very interesting ways.

For the next article in the series, click here.

Poland vs the United States: civil liberties

Post Syndicated from Michal Zalewski original http://lcamtuf.blogspot.com/2015/06/poland-vs-united-states-civil-liberties.html

This is the sixth article in a short series about Poland, Europe, and the United States. To explore the entire series, start here.

I opened my comparison of Poland and the US with the topic of firearm ownership. I decided to take this route in part because of how alien the US gun culture may appear to outsiders – and because of how polarizing and interesting the subject is. But in today’s entry, I wanted to take a step back and have a look at the other, more traditional civil liberties that will be more familiar to folks on the other side of the pond.

Before we dive in, it is probably important to note that the national ethos of the United States is very expressly built on the tradition of radical individualism and free enterprise – as championed by thinkers such as Milton Friedman, Friedrich Hayek, or Adam Smith. Of course, many words can be written about the disconnect between this romanticized vision and complex realities of entrepreneurship or social mobility in the face of multi-generational poverty – but the perception still counts: in much of Europe, the government is seen less as a guarantor of civil liberties, and more as a provider of basic needs. The inverse is more true in the US; the armed forces and small businesses enjoy the two top spots in institutional trustworthiness surveys; federal legislators come dead last. This sentiment shapes many of the ongoing political debates – not just around individual freedoms, but also as related to public healthcare or the regulation of commerce. The virtues of self-sufficiency and laissez-faire capitalism seem far more self-evident to the citizens of the US than they are in the EU.

With that in mind, it’s worthwhile to start the comparison with the freedom of speech. A cherished tradition in the western world, this liberty is nevertheless subordinate to a number of collectivist social engineering goals across the whole old continent; for example, strong prohibitions exist on the promotion of Nazi ideology or symbolism, or on the mere practice of denying the Holocaust. The freedom of speech is also broadly trumped by the right to privacy, including the hotly-debated right to be forgotten on the Internet. Other, more exotic restrictions implemented in several places in Europe include the prohibition against disrespecting the religious beliefs of others or insulting any acting head of state; in Poland, people have been prosecuted for hurling childish insults at the Pope or at the outgoing Polish president. Of course, the enforcement is patently selective: in today’s political climate, no one will be charged for calling Mr. Putin a thug.

The US takes a more absolutist view of the First Amendment, with many hate groups enjoying far-reaching impunity enshrined in the judicial standards put forward not by politicians, but by the unusually powerful US Supreme Court. The notion of “speech” is also interpreted very broadly, extending to many forms of artistic, religious, and political expression; in particular, the European niqab and burka bans would be patently illegal in the United States and aren’t even the subject of serious debate. The concept of homeschooling, banned or heavily regulated in some parts of Europe, is seen by some through the same constitutional prism: it is your right to teach your children about Young Earth creationism, and the right trumps any concerns over the purported social costs. Last but not least, there is the controversial Citizens United decision, holding that some forms of financial support provided to political causes can be equated with constitutionally protected speech; again, the ruling came not from the easily influenced politicians, but from the Supreme Court.

As an aside, despite the use of freedom-of-speech restrictions as a tool for rooting out anti-Semitism and hate speech in Europe, the contemporary US may be providing a less fertile ground for racism and xenophobia than at least some parts of the EU. The country still struggles with its dark past and the murky reality of racial discrimination – but despite the stereotypes, the incidence of at least some types of casual racism in today’s America seems lower than in much of Europe. The pattern is also evident in political discourse; many of the openly xenophobic opinions or legislative proposals put forward by European populist politicians would face broad condemnation in the US. Some authors argue that the old continent is facing a profound new wave of Islamophobia and
hatred toward Jews; in countries such as Greece and Hungary, more than 60% of population seems to be holding such views. In Poland, more than 40% say that Jews hold too much influence in business – a surreal claim, given that that there are just several thousand Jews living in the country of 38 million. My own memories from growing up in that country are that of schoolkids almost universally using “you Jew!” as a mortal insult. The defacement of Jewish graves and monuments, or anti-Semitic graffiti, posters, and sports chants are far more common than they should be. It’s difficult to understand if restrictions on free speech suppress the sentiments or make them worse, but at the very least, the success of the policies is not clear-cut.

Other civil liberties revered in the United States, and perhaps less so in Europe, put limits on the ability of the government to intrude into private lives through unwarranted searches and seizures. Of course, the stereotypical view of the US is that of a dystopian surveillance state, epitomized by the recent focus on warrantless surveillance or secret FISA courts. But having worked for a telecommunications company in Poland, my own sentiment is that in Europe, surveillance tends to be done with more impunity, far less legal oversight, and without clear delination between law enforcement and intelligence work. The intelligence community in particular is often engaged in domestic investigations against businesses, politicians, and journalists – and all across Europe, “pre-crime” policing ideas are taking hold.

In many European countries, citizens are not afforded powerful tools such as FOIA requests, do not benefit from a tradition of protected investigative journalism and whistleblowing, and can’t work with influential organizations such as the American Civil Liberties Union; there is also no history of scandals nearly as dramatic and transformative as Watergate. In the States, I feel that all this helped to create an imperfect but precious balance between the needs of the government and the rights of the people – and instill higher ethical standards in the law enforcement and intelligence community; it is telling that the revelations from Snowden, while exposing phenomenal and somewhat frightening surveillance capabilities of the NSA, have not surfaced any evidence of politically-motivated investigations or other blatant impropriety in how the capabilities are being used by the agency. The individualist spirit probably helps here, too: quite a few states and municipalities go as far as banning traffic enforcement cameras because of how they rob suspects of the ability to face the accuser in court.

When it comes to some other civil traditions that are sacrosanct in Europe, the United States needs to face justified criticism. The harsh and overcrowded penal system treats some offenders unfairly; it is a product of populist sentiments influenced by the crime waves of the twentieth century and fueled by the dysfunctional War on Drugs. While Polish prisons may not be much better, some of the ideas implemented elsewhere in Europe seem to make a clear difference. They are difficult to adopt in the States chiefly because they do not fit the folksy “tough on crime” image that many American politicians take pride in.

In the same vein, police brutality, disproportionately faced by the poor and the minorities, is another black mark for individual rights. The death penalty, albeit infrequent and reserved for most heinous crimes, stands on shaky moral grounds – even if it faces steady public support. The indefinite detention and torture of terrorism suspects, with the knowledge and complicity of many other European states, deserves nothing but scorn. Civil forfeiture is a bizarre concept that seems to violate the spirit of the Fourth Amendment by applying unreasonably relaxed standards for certain types of seizures – although in all likelihood, its days are coming to an end.

As usual, the picture is complex and it’s hard to declare the superiority of any single approach to individual liberties. Europe and the United States have much in common, but also differ in very interesting ways.

For the next article in the series, click here.