I had a new(ish) investigator contact me about problems resolving an IP address obtained during an investigation. He advised his geolocation services reported the address as “Reserved”.
“Let me guess, it starts with 192”, I replied. He gave the address of 10.1.20.1. That’s why I don’t gamble. I had a one out of three shot of getting it right and still missed.
Let’s review the difference between public and private Internet Protocol (IP) addresses. OG’s can skip to the next section of the newsletter.
There are two categories of IP addresses - Public and Private.
The public IP address is the address assigned to a device that enables it to communicate with other devices on the Internet. This address is assigned by an Internet Service Provider – Comcast, Verizon, Cox, et cetera. This is your home address using the post office analogy. It symbolizes the house number, street, town, state, and zip code.
These addresses are always unique. Internet-connected devices use these addresses to send communications to each other. Imagine the confusion if two separate homes were assigned the same address. Where does the post office deliver the mail? The house at 181.23.43.121 or the house at 181.23.43.121?
The system works great…until it runs out of unique IP addresses. And that’s the current problem. The most frequently utilized version of IP addressing is called version Four (IPv4) and it’s pretty much out of numbers. The Internet overlords have been trying to push everyone onto version Six (IPv6), but the transition isn’t moving along very fast.
Enter a technology called Network Address Translation (NAT) that makes use of private IP addresses. These addresses are reserved for endpoints on the Local Area Network (LAN). Private IP addresses are not routable to the Internet so they can only be assigned to internal devices connecting to the router. The router translates the private addresses to the public address so the device can communicate with the Internet at large.
Private IP addresses are assigned from specific reserved address ranges defined by the Internet Engineering Task Force (IETF). These reserved address ranges are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255. If you see an address within these ranges, it is a private IP address.
In most networks, the router will be assigned a public IP address and all devices connecting to the router will be assigned a private IP address. Network Address Translation is the engine that makes it all work.
Addresses in the above-noted private ranges are generally useless to identify a device/user communicating across the Internet. A private IP address isn’t entirely worthless, but it’s not going to lead you to the front door.
The same system is at play in cellular towers. The “tower router” will be assigned a limited number of public-facing IP addresses and every device that connects to the tower is assigned a private IP address.
The router is the magician that makes the magic happen.
A lot is missing from this explanation, but it gets to the point. If you come across an IP address starting with 10., 172., or 192., you're probably dealing with an endpoint on a Local Area Network running a NAT’d system.
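As an added example (this is not the newsletter's code, and nothing here was supplied by Matt), the short Python helper below applies the three reserved ranges above to a list of addresses pulled from an investigation and sorts them into "worth sending to a provider" versus "not attributable". It uses only the standard library. Two things go beyond the text: it shows that "starts with 172." is not enough on its own (172.32.5.9 is outside 172.16.0.0/12 and is a public address), and it tags the 100.64.0.0/10 "shared address space" from RFC 6598, which carriers use behind the carrier-grade NAT described in the cellular-tower paragraph but which is not listed on the page. The sample addresses are constructed for illustration (10.1.20.1 and 181.23.43.121 are the ones quoted above).

```python
import ipaddress

# RFC 1918 private ranges, exactly as listed in the newsletter.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 - 192.168.255.255
]

# Not on the page: RFC 6598 shared address space, used by carriers behind
# carrier-grade NAT (the "tower router" case). Also not attributable.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'private', 'cgnat', 'reserved', 'public' or 'ipv6' for an address string.

    Raises ValueError if the string is not a valid IP address at all.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"  # outside the scope of the RFC 1918 check
    if any(ip in net for net in RFC1918_NETS):
        return "private"
    if ip in CGNAT_NET:
        return "cgnat"
    # Loopback, link-local, documentation ranges (e.g. 192.0.2.0/24), etc.
    # These are also useless for geolocation, which is why a lookup service
    # reports them as "Reserved".
    if not ip.is_global:
        return "reserved"
    return "public"


def triage(addrs):
    """Split candidate addresses into those a provider could act on and those it cannot."""
    result = {"actionable": [], "not_actionable": []}
    for raw in addrs:
        try:
            kind = classify(raw)
        except ValueError:
            result["not_actionable"].append((raw, "malformed"))
            continue
        bucket = "actionable" if kind == "public" else "not_actionable"
        result[bucket].append((raw, kind))
    return result


# Constructed sample input: a mix of what shows up in investigative records.
SAMPLE_ADDRS = [
    "10.1.20.1",        # the address from the story: RFC 1918, useless for attribution
    "172.16.5.9",       # private (inside 172.16.0.0/12)
    "172.32.5.9",       # starts with 172. but is OUTSIDE the /12: this is public
    "192.168.1.1",      # private
    "192.0.2.7",        # reserved documentation range, not private and not public
    "100.64.3.4",       # carrier-grade NAT shared space
    "181.23.43.121",    # the public example from the post-office analogy
    "2001:db8::1",      # IPv6, handled separately
    "999.1.1.1",        # typo in a report: not a valid address
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ADDRS).items():
        print(bucket)
        for addr, kind in items:
            print(f"  {addr:16} {kind}")
```

Running it prints one public-address bucket (172.32.5.9 and 181.23.43.121) and one bucket of everything else, each tagged with the reason it cannot be resolved. The explicit range list is used instead of Python's `is_private` flag on purpose: that flag also returns True for several non-RFC-1918 ranges such as 192.0.2.0/24, which would blur the "private LAN endpoint" category the newsletter is describing.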
Email me if you need more.
Those who know…know
Business Email Compromise attacks are crushing businesses of all sizes, but especially small businesses. In terms of financial loss, dollar-for-dollar, nothing else comes close. Ransomware has a higher dollar cost per incident, but BEC costs much more in the aggregate because it’s occurring so often. Microsoft Security knows…and has devoted Issue 4 of their Cyber Signals report to current BEC trends. https://www.microsoft.com/en-us/security/business/security-insider/reports/shifting-tactics-fuel-surge-in-business-email-compromise/
Holy Mail Theft…
The theft of mail has gotten so out of hand in the Seattle area that the United States Postal Service has suspended mail delivery to the 98118 zip code. Residents are now required to pick up their mail from the post office. The newsletter has a good number of Postal Inspectors as subscribers and I wish them good luck in this battle.
https://www.seattletimes.com/seattle-news/mail-theft-halts-delivery-in-some-seattle-neighborhoods/
https://nypost.com/2023/05/20/seattle-crime-forces-postal-service-to-halt-deliveries-for-zip-code/
The blueprint
The FBI arrested an 18-year-old for hacking over 60,000 DraftKings electronic gambling accounts. He was able to sell the credentials to about 1,600 accounts, which resulted in a $600,000 loss to the account holders and the company. The U.S. Attorney’s Office for the Southern District of New York released the charging complaint, and it is a fantastic example of a successful cybercrime investigation. And a thorough examination of why password hygiene is so important. https://www.justice.gov/d9/2023-05/u.s._v._garrison_complaint.pdf
Phishing works
Cyber insurance provider Coalition released their 2023 Cyber Claims Report and it’s absolutely well done. The findings only encapsulate those incidents handled by Coalition, but the company is large enough that the findings probably correlate to the market as a whole. Phishing is still king, as it was the initial attack vector for all reported incidents in the second half of 2022. I gave up my contact information to get the report link so you don’t have to…https://info.coalitioninc.com/rs/566-KWJ-784/images/Coalition_2023-Claims-Report.pdf
The Rest…
The leader of the Skynet carding market was actually just a boring dude in Illinois. https://www.justice.gov/opa/pr/man-pleads-guilty-conspiracy-sell-stolen-financial-information-dark-web
Applied to be a customer service rep…ended up being the point person for romance scams. https://arstechnica.com/culture/2023/05/this-is-catfishing-on-an-industrial-scale/
10 ways to use ChatGPT in your threat hunting effort. https://adamgoss.medium.com/learn-10-ways-to-use-chatgpt-for-threat-hunting-right-now-9fab5507f3b8
CISA published a thoroughly documented advisory on the BianLian Ransomware Group. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
Mail Call
My thoughts on the “Law of Participation Inequality” in Issue 130 drew some pithy responses:
“how do your co-workers feel about your thoughts that 9 out of 10 of them should be fired?”
I didn’t say it applied to MY coworkers…
“Matt are you in the 90, the 9, or the 1?”
It’s pretty well known that I’m highly ranked in the 90%.
Cool Job
Director of Fraud Operations - Twilio. https://boards.greenhouse.io/twilio/jobs/5053449?t=cyu53e
Cool Tool
Omnivore Reader - save that article for when you have time to actually read it - distraction free. (I’ve been using this app for two weeks now and it’s awesome. Privacy focused and open-source code.) https://omnivore.app/about
Get right to the point and summarize any article. https://sumup.page/
Irrelevant
The Shotgun Argumentation Fallacy
The shotgun argumentation fallacy occurs when one fires off so many arguments at once, as if firing many shots, that the opponent cannot answer them all.
https://www.logicalfallacies.org/shotgun-argumentation.html
Thanks for opening this week’s email and reading the newsletter. I know your time is limited and I appreciate that you gave me a few minutes.
Matt
“GOOD JUDGMENT COMES FROM EXPERIENCE, AND A LOT OF THAT COMES FROM BAD JUDGMENT.” - at some point I’ll have 10X judgement.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.