26 Apr 2010 @ 4:16 PM 

Bruce Schneier links to a story over at f-secure about a scam that is as brilliant as it is evil. As far as scams go, it's not 'evil' in the sense of taking you to the cleaners (it tries to get you to pay $400.00, so the damage largely depends on where you're sitting at the time), but it's evil because, as Schneier puts it, "the level of detail is impressive."

What it does is pop up a warning indicating that you have software on your machine that violates copyright law. It then demands a $400.00 payment to clear up the matter. There's a very official-looking website and, for all intents and purposes, it looks 'real'. For one thing, there are no typos on it. (I'll never cease to be amazed at how few scammers ever bother to spell-check or grammar-check their content, or to get a native speaker to write it. It's really not that hard to find someone who speaks English natively. And it's apparently a highly guarded secret that there are different dialects of English, as there are of most major languages. Typos, culturally incorrect spelling {realise vs. realize if you're sending it to someone in the US}, usage errors and the like are commonplace in just about every scam I've encountered.) The e-commerce components appear to work perfectly. The folks at f-secure already looked up the domain registration, and while it's registered to someone already well known in the scamming community, most lay people wouldn't recognize the name. All in all, they did their homework and paid a lot of attention to detail.

Then again, considering how little regard some in the law enforcement community have for copyright law, I'm amazed anyone's actually paying them ;-)

[tags] ICPP Copyright Foundation [/tags]

Categories: Law/Legal, Malware, Privacy, Roubot, Security, Snoopery, Spyware
Posted By: Roubot
Last Edit: 27 Apr 2010 @ 10 57 AM


This post and all others on this site are subject to the current Copyright as well as the Sites Terms of Use. Any reproduction, duplication or publication without express written permission from the author is strictly prohibited.

Yesterday, I wrote a post describing a hypothetical situation where two adversaries were trying to gain intelligence on each other (Need someone’s email or access to their computer?). I would have written this follow up last night, but Sarah and I went to dinner a little late and by the time we got home, I was too tired to write. And when we arrived, there was a whole lotta Proliferating going on in our living room. So I spent the last 20 minutes of the evening engaging in some hard core counter proliferation of Poopy Nice Nice (I didn’t have time to conduct full Counter Proliferation i.e. Bungholian Analysis  so I have yet to identify the culprit but rest assured, it’s going down tonight) .  The Sausage Dog of Doom is a very evil Creature, but I digress.

In that post, I described a few different attack vectors and the pros and cons of each approach. And I showed what one could accomplish by loading the right software on an adversary's machine. I did this without giving too many specifics, to show people how easy this is to do. And I asked repeatedly: if you were the target, would this attack work on you? I think in many cases it would.

Now, one of the key pieces isn't technological, it's social engineering. (Remember that humans are almost always the vulnerability attackers take advantage of in successful exploits. Almost all of Kevin Mitnick's attacks were based on successful social engineering. In The Art of Intrusion, he goes through a time when he actually used it to show some big shots at the Pentagon how vulnerable they were.) A target might be reluctant to open any attachments that came from you. In this case, the 'evil stepmother' didn't respect the children's privacy and would read through the kids' email looking for information about the other parent or negative things the kids were saying about her. So I showed how you might get someone like that to bite.

You put something intriguing-sounding in the Subject line, something you know will get the person's attention. It should be enough to make sure they want to read more, but not bad enough that it could be used against you. Then, in the body of the message, reference some instructions in the attachment and make the contents sound like a smoking gun of sorts. Now, instead of you trying to convince Maria to open the attachment, Maria will WILLINGLY and AMBITIOUSLY take it upon herself to open it, which is how you could install the keystroke logger. Because she has her eye on the scandalous stuff in the kids' email, she isn't thinking about possible infections. In fact, she'll likely bypass or ignore any warning the system puts up (assuming it puts up any) because she really wants to see what's in the document. And because she took it upon herself to do this, and because it's the kids' account she was looking through, she'll be convinced it's legitimate contraband and will probably never look back. At this point, if you don't put anything juicy in there, she'll be mad and might smell a rat. On the other hand, if you give her too much red meat, she could use it against you. So meet in the middle.

Come up with something that's mildly offensive. Something that you know will anger them (just because they get angry easily), but that a reasonable person would say, "Oh, come on, that's really nothing." This gives them their pound of flesh. In this case Maria would be dying to get ANYTHING on Sallie, so she'd be satisfied with anything in which Sallie said something negative about her. Of course, you could just go nuclear, but remember that has the potential to be used against you. If you don't put anything in there, the target will wonder what's going on and will be much more likely to think long and hard about the attachment. If you get them to do it themselves, and it conforms to their suspicions, they'll never think twice about it. Remember, once you had the keystroke logger on their machine (rather, I want you to think about what would happen if they got the keystroke logger on YOUR machine), all of your passwords are probably theirs too. Any email or chat account is theirs. And God knows what can be mined from email and chat accounts. Any browsing. Any site passwords. Any banking passwords (heck, they'd even be able to see your challenge responses). This is about as bad as it could get for most people.

While this is a hypothetical, you can see where stuff like this would really apply. What I was trying to show is the thinking you must engage in to get the other person to drop their guard. After all, once you had the keystroke logger in place, you'd be able to access their personal email on external accounts like Yahoo, AOL, Hotmail or Gmail. You'd be able to see what sites they visited. You'd be able to see the contents of chats they engaged in. You'd be able to see documents they were typing. In short, you would have a gold mine of information. And if the target was indeed doing something underhanded, dishonest or immoral, you'd have all the details you'd need to crush them. Even if it wasn't admissible in court, you'd know enough to help you 'coincidentally' send the right subpoenas or find the dead bodies and smoking guns.

Let's say you had the same case, but the adversary respected the children's privacy. Or let's say there weren't any children. What would you do then? One thing you could do is send them a copy of a legitimate legal document (you could take a legit court document, insert the malware into it and be done with it. They'd be much more likely to ignore any warnings they got because it's something they expect, from a source they ostensibly trust. And if it was discovered, the assumption would be that it started at the source, not with you).

You could similarly send them an 'official letter' with a title and subject that would make them really want to open it. Or you could spoof an email address, pretending to be someone they knew (like a supervisor), and attach documents that look like something that might normally be sent. Call their office and find out who is in charge of payroll. Look at the Contact Me form on their company's site to see the email address format that's used (like FirstName.LastName@companyname.com). Spoof that address and send a PDF titled 'Payroll Receipt for period ending XX.XX.XXXX', and just put nothing in it.

If you used an exploit like this one found in Adobe's PDF reader, the possibilities of what you could do are endless. Maybe instead of the boss, you could pretend to be their parents, and give the document a title that is something they might expect to get. They open the document, it's empty so they won't think much of it, but they're now infected and you're able to log into their email accounts and read through everything. You could get extra clever and pretend to be a close friend or relative. Let's say Maria had a brother named Bill; certainly her ex-husband would know this. Let's say Bill normally used Bill.MariasBrother@hotmail.com. Sallie could create an account that's Bill.MariasBrother@yahoo.com, spoof the From: part of the email so it appears to come from hotmail.com, and use the Yahoo account for the Reply-To. Unless Maria is really savvy and pays close attention to this stuff, it's doubtful she'd ever catch it (in fact, unless she hit Reply or looked at the raw headers, she wouldn't even see the Reply-To).

Maria:

Hey, it's me, Bill. I need a favor. Here's a copy of something I wanted to get mom for her birthday. (Common Friend) had some trouble opening it, so if you open it up and it's blank, try downloading the new Acrobat Reader. If it still doesn't open, I can resend it to you as an image format. Let me know what you think. If you like it, I'll go ahead and order it and sign all of our names.

Maria opens it and there's nothing there. (Her machine is now infected and her worst enemy now owns her computer.) Because "Bill" already mentioned it as a possibility, Maria isn't surprised by the blank PDF document. So she follows the instructions, downloads the latest Adobe Reader and gives it one more try. Again, nothing. So she hits Reply on the email and says:

Bill, I tried opening the document, but couldn’t. I even got the new Acrobat but it still didn’t show up. Can you send me the picture instead?

This time, though, it goes to the Yahoo account, so the real Bill would never know what happened. Maria already saw that the email came from "Bill" originally, so it's doubtful she'd pay attention to the Reply-To address, especially when it's so similar anyway. Even if she noticed it, she very likely would just ignore it. (I use a different Reply-To address most of the time and have only had a handful of people ever mention it to me or ask about it.) A few days later when they spoke, Maria would mention it to Bill. Bill would have no idea, or think Maria's talking about something else, or that it got eaten by the spam filter. When they synced up, chances are they'd just write it off as spam when they couldn't figure it out.

And even if they do, at this point it's too late. All the counter proliferation measures in the world won't save them now. Even if they suspected something bad, it'd likely be at least a few hours later, and she'd almost certainly have checked her email by then. She almost certainly will have typed a password into the machine by then. So even if they suspected something, there'd be nothing apparent on the machine. By this time the logger should be deactivated, so it'd be really hard to detect (especially if the attacker wrote it themselves, because it wouldn't match any known signatures, and even well-known loggers are good at hiding themselves). Even if Maria and Joe found it, they'd have no idea what it was or what it did, and if it was homemade they'd have to decompile it and have a savvy coder figure out what it did. Doubtful. This would almost never happen. Most people just delete spyware, assuming they can even find it. How many people do you know who have had spyware infections decompiled and looked through? I'm a software developer and I wouldn't even go through that hassle. In fact, I can't imagine ever wasting that much time or energy on it.

Even if they did all of this, it would take forever. By then, the attacker would own their email accounts, chats and most other things. Here's the beautiful part. Since the logger is deactivated, there's no indication it's running (or very little). Let's say Maria decided to change her password (or just did it as a routine course of action). Sallie tries to get in and it doesn't work this time. No problem.

Sallie just goes to the configuration, tells the logger to activate itself and, depending on the product, to turn itself off once the log file reaches X kb or shortly after the words http://www.aol.com or http://www.yahoo.com are typed. While not 100% foolproof, this would be 99% foolproof, and if it somehow turned off prematurely, Sallie could just try again. If Joe and Maria had cleaned the stuff off the machine it'd be game over, temporarily, but that's doubtful. And once Sallie has the password, she can get into the email and do all sorts of things to help ensure Maria's computer gets reinfected.
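The Reply-To trick in the Bill/Maria exchange above is exactly the kind of thing a mail client hides and the raw headers expose. Here is an added example, my own code and not part of the original post, that pulls a message's From:, Return-Path: and Reply-To: headers apart with Python's standard email library and flags the disagreement before anyone hits Reply. The sample message is constructed for this example, modelled on the scenario above; the addresses follow the story and do not belong to real mailboxes.

```python
"""
Flag a spoofed-looking e-mail by comparing the visible From: address with
the Reply-To: and Return-Path: headers.

Added example for the scenario in the post above (not the post's own code).
The sample message is constructed here for illustration; the addresses
follow the Bill/Maria story and do not belong to real mailboxes.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: From: claims hotmail.com, but both the envelope sender
# (Return-Path:) and the Reply-To: point at the look-alike yahoo.com account.
SAMPLE = """\
Return-Path: <Bill.MariasBrother@yahoo.com>
From: Bill <Bill.MariasBrother@hotmail.com>
Reply-To: Bill <Bill.MariasBrother@yahoo.com>
To: Maria <maria@example.com>
Subject: Mom's birthday present
Content-Type: text/plain

Hey, it's me, Bill. I need a favor. Here's a copy of something I wanted to get mom.
"""


def _local(addr: str) -> str:
    """Local part of an address, lower-cased ('' if there is no '@')."""
    return addr.split("@", 1)[0].lower() if "@" in addr else ""


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender_headers(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report From/Reply-To/Return-Path disagreements.

    Returns a dict with the parsed addresses, a list of human-readable reasons
    and a boolean 'suspicious' that is True when any reason was recorded.
    """
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    reply_addrs = [a for _, a in getaddresses(msg.get_all("Reply-To", [])) if a]
    reasons = []

    # Envelope sender at a different domain than the visible From: header.
    if return_path and _domain(return_path) != _domain(from_addr):
        reasons.append(
            f"Return-Path {return_path} is not at the From domain {_domain(from_addr)}"
        )

    for addr in reply_addrs:
        if addr.lower() == from_addr.lower():
            continue  # Reply-To merely restates From; nothing to flag
        if _domain(addr) != _domain(from_addr):
            if _local(addr) == _local(from_addr):
                # Same user name at another provider: the look-alike trick in the post.
                reasons.append(
                    f"look-alike Reply-To {addr} reuses the From local part at another domain"
                )
            else:
                reasons.append(f"Reply-To {addr} is at a different domain from From {from_addr}")
        else:
            reasons.append(f"Reply-To {addr} differs from From {from_addr}")

    return {
        "from": from_addr,
        "return_path": return_path,
        "reply_to": reply_addrs,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    result = check_sender_headers(SAMPLE)
    print("suspicious:", result["suspicious"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Run it as-is to see the two findings on the constructed message. To check a real message, feed it the raw source your mail client shows under "view source" or "show original"; the Return-Path check only fires when a receiving server has stamped that header, so a locally saved draft will report nothing on that point.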

Again, I ask you: if you were the target, how would you fare? If someone had a keystroke logger on your machine, what would they be able to discern? If they had all your email passwords, what would they be able to find? If they saw your new passwords after you changed them, are you still hyper-vigilant about checking the IP addresses that access your accounts? What about the PDF exploit? Would you think much about it if you got a blank PDF? What if you aren't in a court case or a criminal case? Well, do you think there aren't criminals out there who'd love to clean out your bank accounts? If they had all your challenge question responses and passwords, what could they do? Ask some of the victims of DB.Singles.Org who had their PayPal accounts drained (all because they reused passwords and ONE SITE THEY USED had weak security measures. Wanna bet at least one site you use has equally lame security?)

Take this stuff seriously and guard yourself against it. Whether it's a court case or your banking information, you don't want to ever let yourself fall victim to this, especially when it's so easy and essentially free to protect against. Spyware and malware are rampant, and if you don't take responsibility for counter proliferation of spyware and malware on your machines, don't expect anyone else to either. I know I make a lot of counter proliferation jokes, but when it comes to proliferation of spyware it's no joking matter. Counter proliferation of dog poop, on the other hand, is definitely a joking matter; in fact, while Sarah and I were out at dinner last night, we had a ton of proliferation going on.

I have had a few people ask about consulting for them. I'm pretty busy but do have some availability to do assessments, audits and create a strategy to protect yourself. Contact me at blogcommenter@williamgryan.com to discuss this further. I'd be glad to help out with basic stuff for free, so feel free to post comments and I'll do my best to answer them. If it's more involved and will take some time, then just email me at the address above.

LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE. ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT'S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL, SO ANY SIMILARITIES ARE PURELY COINCIDENTAL.

 


[tags]Email Security, Keystroke Logger, Internet Privacy, Internet Security, db.singles.org, Kevin Mitnick, The Art of Deception[/tags]

Categories: Counter Proliferation, Identity, Malware, Privacy, Security, Snoopery, Spyware, Technology
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 12 27 PM

 03 Dec 2009 @ 3:28 PM 

Bruce Schneier covers a Wired story detailing Sprint's alleged complicity in something that should make your skin crawl. It's nothing new; Luna has been warning of this stuff since the first draft of How To Be Invisible and several times thereafter. It may seem that I'm being a tad hypocritical when I say this is a bad thing; after all, I find cell phone based snoopware not only cool but very useful for many folks. Cell phone snoopware is extremely powerful, effective and easily available (and yes, in some cases legally questionable), so to some extent it's silly getting all upset about stuff like this. On the other hand, I don't have to worry about civilians abusing their power to try to settle a score with me or make my life miserable. Without breaking the law, there's nothing a civilian could do with this sort of stuff to really hurt me [and for the record, I'm using 'me' in the abstract sense here]. Depending on how you spend your free time, someone could ostensibly cause you some embarrassment, but there are plenty of remedies for that sort of thing.

Employees of the various government agencies, however, could cause all sorts of problems for people. For me to effectively make use of snoopware, I'd need access to the phone in most cases, and owners would be fully within their power to check for and remove any such snoopware added to their phones. The same isn't the case in situations such as the one alleged with Sprint. If someone bugged my phone and I caught it, I'm entitled to pursue several different legal remedies depending on the circumstances. If the Sprint story is accurate, the targets weren't aware of being tracked, couldn't do anything to detect it and couldn't do anything to prevent or stop it.

The response from law enforcement types, of course, is that this is all paranoid nonsense. If you don't have anything to hide, you don't have anything to worry about, they'll typically argue. And if they never abused their positions and were perfectly honest, that'd be a plausible defense. Personally, I think most govt agents are decent enough folks and not prone to abusing their positions, but there's no disputing there are bad apples. And just one of those bad apples could cause you a bunch of problems. Whatever you think of the guy otherwise, look at the example of Joe the Plumber. He got on the bad side of some people with access to his personal information, and look what happened. Had those same people been employees of a private corporation, he'd be sitting on quite a lucrative lawsuit. (And yes, I know Judicial Watch either offered to or actually filed a suit on his behalf, but had it been a private company, he wouldn't need a high-powered advocacy firm to help him out.)

Quoting Chris Soghoian. I can't imagine how this situation gets addressed without government action, and, well, it's probably wise to take the under on that one:

Sprint Nextel provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers. The evidence documenting this surveillance program comes in the form of an audio recording of Sprint's Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies’ extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

One thing is for sure, if a private citizen was caught pulling this exact same thing on members of law enforcement or Congress, Congress’ attitude would be just a weee bit less apathetic about responding. 

The other argument I typically hear is a reference to Evan Ratliff. If you're unfamiliar with him, here's the story in a nutshell. He's a freelance writer and blogger. He took a gig for Wired magazine that entailed disappearing for a month. He was to try to hide out, and anyone who found him would simply need to say the magic word and they'd be privy to a $5,000.00 prize. Ratliff gave it a great go, but before long he was caught.

Following the story, there's little doubt that people used inside connections in an attempt to follow him. The extent of that is hard to know for sure, but there's little doubt that people used friends and contacts at various companies to locate him. Those friends almost certainly did things that were, well, out of bounds under the companies' rules. Does anyone really think you magically become some ethical angel just because you work for the government? Private sector folks bend the rules, so you can rest assured govt folks do it too.

Law enforcement claims this sort of stuff is necessary. Law and order types will claim it's necessary to fight terrorism and similar bad guys. Seems to me, then, that the solution would be kind of simple. An evidence rule that gave people immunity from anything not specifically relevant to the prosecution of terrorism, in the form of throwing out the evidence, would go a long way to mitigate the damage that could be done by rule benders. Providing EASY to retrieve records for anyone not currently the target of a terrorism investigation would be another. Creating a 'paper trail' of everyone who looked at a person's information is not hard. Granted, since doing anything with govt software is infinitely more difficult than it needs to be, implementing such tracking wouldn't be cheap. But that line of argument is essentially advocating the rewarding of incompetence. And even considering the additional expense, there's certainly at least one or two unnecessary govt programs we could cut to pay for it. (Defunding NPR, for instance, would work for me.)

If this sort of stuff is really needed for a specific case to prevent some huge atrocity, fair enough. But some fed using this stuff to hassle some guy banging his ex-girlfriend should never be allowed to happen. I don't see how anyone can say such a scenario is unlikely. So if it did happen, the victim should be able to know about it and sue the hell out of the person (and have the person fired, not put on some BS administrative leave).

Another possible remedy would be to allow cell phone providers to offer 'opt out' service. (One might argue that this would be extortion, but I don't see it as any different from paying extra for an unlisted telephone number.) I missed the official memo when all cell phones became tracking beacons, but it's something that could be done without. So say, for $10.00 extra a month, T-Mobile (the best cell phone company on Earth) could offer 'Secure' service that meant you couldn't be tracked. I know all sorts of people, concerned for my safety should I ever find myself stranded in a ditch, would have a fit over such a service, but I'm an adult and I'm willing to live with that risk. After all, I've yet to lose a family member or friend (or even know of someone who has) because they weren't able to be tracked by their cell phone. But I have come across people who've gotten on the bad side of a cop (for matters completely unrelated to the law) and been seriously harassed as a result.

We're not able to stop technology from eroding our privacy, and even if we were, we wouldn't want to. Moreover, this trend isn't going anywhere but up. So the solution seems to be minimizing the incentives for abuses. To quote Mr. Luna: "Governments hide secrets from their citizens, why shouldn't citizens be able to hide secrets from governments?"

[tags]Digital Privacy, Sprint, Invasion of Privacy, Snooping[/tags]

Categories: Bill Ryan, Complaining, Malware, Mobility, News, Privacy, Spyware, Technology
Posted By: Cuckoo
Last Edit: 03 Dec 2009 @ 03 28 PM

 21 Nov 2009 @ 4:58 AM 

I was writing my buddy Ken an email the other day, asking for his opinion and help on something.  I noticed this was included in the reply email.

From:      Cuckoo1@EvilDevilCuckoo.com

To:          kalidor727@aol.com

Sent:       June 17, 2009

Subject:  RE:RE:RE:Amy and Jill’s Camel Toe (or is it Toe(s) plural?)

FLAVOR00-NONE-0000-0000-000000000000 0.000000

Wuttup K?  So I was about to post our pics from the playoffs on my facebook page and I realized there was a problem.  Not sure what the deal was, but Camel toe was running wild. The pics of you and Amy look good, but Amy will kill me if I post something where she’s ‘sportin toe’.  See attached.  And look at Jill (greg’s date).  I couldn’t have photoshopped Toe that well.

So do me a favor – let Amy see them and tell her I can a- not post them, b- cut her out of them, c- snip the picture so it's only above the waist. Same for Jill – I don't have her email so if you could just give hers to Greg and lemme know what they want to do. Not sure if you know – but Jill gets offended really easy and my gut tells me that if she finds out what CamelToe is and that she has it – she won't let Greg hang out with us anymore. I'm on her good side for now b/c she's a dog foster parent too – but let's face it, a lot of women aren't going to find CamelToe humor as funny as we do.

BTW, WTF is that FLAVOR00 code? I thought you embedded a funny in there but if you did – I can't find it. I know you aren't whack enough to accuse me of lacking Flava so wtf is it? It's on your end. Then again – I have to remember who I'm talking to – G*d only knows what kind of spyware and keylogging crap you've got on that machine of yours. Do you still have the biggest collection of Tranny Pr0n in the South ;-) [Amy, if you're reading this – I'm not kidding. Ken is a huge aficionado of Tranny Pr0n and has every Buck Angel flick ever made – make sure to turn Safe Search off before clicking on that link – Just kidding Ame ;-) ]

I hope you feel better, and are back on your feet soon :) .  If you get bored at home, give me a call. I should be in the office for the most of tomorrow.  Have a great night and thank you for everything.

 

I know what it is, but for the life of me can't figure out how it got there, or why. I looked around Bing and that other company I'm not supposed to talk about and couldn't find anything that really mentioned it. I found a lot of markup references (you know, kind of like how <mailto:someaddress@whatever.com> isn't an email address, so stuff like this sitting in markup isn't really an error) and a few people asking WTF it meant, but I couldn't find an answer. I was thinking it might have something to do with the AOL.com account that was used. (I know, I know, why do I remain friends with someone so lame they still use an aol.com address with a cheesy movie reference (kalidor727@aol.com)? Well, because he's a swell guy, a good friend, and I've known him since way back in da 305. And like he told me, not everyone can have a cool character like an Evil Devil Cuckoo or a ChupaCabron.)

Come on Ken old buddy – it’s time to get rid of the training wheels and get yourself, you know, like a Gmail account or something.  If you want, I’ll even create one on one of my domains for you and you can check it on your Android or iPhone – oh yah, you’re still dorking out with the blackberry.  Well, if you or Greg ever want to get out of the 19th century, I can be bribed with lunch at Ruth’s.


Categories: Email, Humor, Malware, Spyware, Technology, Thug Life, Weird Stuff, William G Ryan, William Ryan
Posted By: Cuckoo
Last Edit: 21 Nov 2009 @ 04 58 AM
