26 Apr 2010 @ 4:16 PM 

Bruce Schneier links to a story over at f-secure about a scam as brilliant as it is evil. As far as scams go, it’s not ‘evil’ in the sense of taking you to the cleaners (it attempts to get you to pay $400.00, so I guess the damage largely depends on where you’re sitting at the time) but it’s evil b/c, as Schneier puts it, “the level of detail is impressive.”

What it does is basically pop up a warning indicating that you have software on your machine that violates copyright law. It then demands a $400.00 payment to clear up the matter. There’s a very official-looking website and for all intents and purposes, it looks ‘real’. There are no typos on it for one thing (I’ll never cease to be amazed at how few scammers ever bother to spell/grammar check their content or bother to get a native speaker to write the content. It’s really not that hard to find someone who speaks English as their native language. And it’s a highly guarded secret that there are different dialects of English and of most of the major languages. Typos, culturally incorrect spelling {realise vs. realize if you’re sending it to someone in the US}, usage errors and the like are commonplace in just about every scam I’ve encountered). The e-commerce components appear to work perfectly. The folks at f-secure already went ahead and looked up the domain registration and while it’s registered to someone already well known in the scamming community, most lay people wouldn’t recognize the name. All in all, they did their homework and paid a lot of attention to detail.

Then again, considering how little respect some in the law enforcement community have for copyright law, I’m amazed anyone’s actually paying them ;-)

Categories: Law/Legal, Malware, Privacy, Roubot, Security, Snoopery, Spyware
Posted By: Roubot
Last Edit: 27 Apr 2010 @ 10 57 AM


This post and all others on this site are subject to the current Copyright as well as the Sites Terms of Use. Any reproduction, duplication or publication without express written permission from the author is strictly prohibited.

Yesterday, I wrote a post describing a hypothetical situation where two adversaries were trying to gain intelligence on each other (Need someone’s email or access to their computer?). I would have written this follow-up last night, but Sarah and I went to dinner a little late and by the time we got home, I was too tired to write. And when we arrived, there was a whole lotta Proliferating going on in our living room. So I spent the last 20 minutes of the evening engaging in some hard core counter proliferation of Poopy Nice Nice (I didn’t have time to conduct full Counter Proliferation, i.e. Bungholian Analysis, so I have yet to identify the culprit, but rest assured, it’s going down tonight). The Sausage Dog of Doom is a very evil Creature, but I digress.

In that post, I described a few different attack vectors and the pros and cons of each approach. And I showed what one could accomplish if they loaded the right software on an adversary’s machine. I did this without giving too many specifics, to show people how easy this is to do. And I asked repeatedly, if you were the target, would this attack work on you? I think in many cases it would.

Now, one of the key pieces isn’t technological, it’s Social Engineering. (Remember that humans are almost always the vulnerability that attackers take advantage of in successful exploits. Almost all of Kevin Mitnick’s attacks were based on successful Social Engineering. In The Art of Intrusion, he goes through a time when he actually used it to show some big shots at the Pentagon how vulnerable they were.) A target might be reluctant to open any attachments that came from you. In this case, the ‘evil step mother’ didn’t respect the children’s privacy and would read through the kids’ email looking for information about the other parents or negative stuff the kids were saying about her. So I showed how you might get someone like that to bite. You put something intriguing-sounding in the Subject line – something you know would get the person’s attention. It should be enough to make sure they want to read more, but not bad enough that it could be used against you. Then, in the body of the message, reference some instructions in the attachment and make the contents sound like a smoking gun of sorts. Now, instead of trying to convince Maria to open the attachment, Maria will WILLINGLY and AMBITIOUSLY take it upon herself to open the attachment, which is how you could install the Keystroke Logger. B/c she has her eye on scandal stuff in the kids’ email, she isn’t thinking about possible infections. In fact, she’ll likely bypass/ignore any warning the system puts up (assuming there were any) b/c she really wants to see what’s in the document. And b/c she took it upon herself to do this, and b/c it’s the kids’ account she was looking through – she’ll be convinced it’s legitimate contraband and will doubtfully ever look back. At this point, if you don’t put anything juicy in there, they’ll be mad and might smell a rat. On the other hand, if you give them too much red meat, they could use it against you. So meet in the middle.
Come up with something that’s mildly offensive. Something that you know will anger them (just b/c they get angry easily) but that a reasonable person would say “Oh, come on, that’s really nothing to.” This gives them their pound of flesh, and in this case Maria would be dying to get ANYTHING on Sallie, so she’d be satisfied with anything she had where Sallie said something negative about Maria. Of course, you could just go nuclear, but remember that has the potential to be used against you. If you don’t put anything in there, the target will wonder what’s going on and will be much more likely to think long and hard about the attachment. If you get them to do it themselves, and it conforms to their suspicions, they’ll never think twice about it. Remember, once you had the keystroke logger on their machine (rather, I want you to think about what would happen if they got the keystroke logger on YOUR machine), all of your passwords are probably theirs too. Any email or chat account is theirs. And God knows what can be mined from Email and Chat accounts. Any Browsing. Any site passwords. Any banking passwords (heck, they’d even be able to see your challenge responses). This is about as bad as it could get for most people.

While this is a hypothetical, you can see where stuff like this would really apply. What I was trying to show is the thinking you must engage in to get the other person to drop their guard. After all, once you got the keystroke logger in, you’d be able to access their personal emails on external accounts like Yahoo, AOL, Hotmail or Gmail. You’d be able to see what sites they visited. You’d be able to see the contents of Chats they engaged in. You’d be able to see documents they were typing. In short, you would have a gold mine of information. And if the target was indeed doing something underhanded, dishonest or immoral – you’d have all the details you’d need to crush them. Even if it wasn’t admissible in court, you’d know enough information to help you ‘coincidentally’ send the right subpoenas or find the dead bodies and smoking guns.

Let’s say you had the same case, but the adversary respected the children’s privacy. Or, let’s say there weren’t any children. What would you do then? One thing you could do is send a copy of a legitimate legal document to them (you could take a legit court document, insert the malware in there and be done with it. They’d be much more likely to ignore any warnings they got b/c it’s something they expect, from a source they ostensibly trust. And if it was discovered, the assumption would be that it started at the source, not with you).

You could similarly send an ‘official letter’ to them with a title and subject that would make them really want to open it. Or, you could spoof an email address pretending to be someone they knew (like a supervisor) and attach documents that look like something that might normally be sent. Call their office and find out who is in charge of Payroll. Look on the Contact Me form of their company to see the Email Address format that’s used (like FirstName.LastName@companyname.com). Spoof that email and send a PDF titled ‘Payroll Receipt for period ending XX.XX.XXXX’ and just put nothing in it.

If you used an exploit like this one found in Adobe PDF, the possibilities of what you could do are endless. Maybe instead of the boss, you could pretend to be their parents. And send the document with a title that is something they might expect to get. They open the document, it’s empty so they won’t think much of it, but they’re now infected and you’re able to log into their email accounts and read through everything. You could get extra clever and pretend to be a close friend or relative. Let’s say Maria had a brother named Bill – certainly her ex-husband would know this. Let’s say Bill normally used Bill.MariasBrother@hotmail.com – Sallie could create an account that’s Bill.MariasBrother@yahoo.com. She could spoof the From: part of the email so it comes from Hotmail.com, but use the Yahoo account for the Reply-To. Unless Maria is really savvy and pays close attention to this stuff, it’s doubtful she’d ever catch it (in fact, unless she hit reply, she wouldn’t ever even be able to see the Reply-To).

Maria:

Hey, it’s me, Bill. I need a favor, Here’s a copy of something I wanted to get mom for her birthday.  (Common Friend) had some trouble opening it so if you open it up and it’s blank, try downloading the new Acrobat reader. If it still doesn’t open, I can resend it to you as an image format.  Let me know what you think. If you like it, I’ll go ahead and order it and sign all of our names.

Maria opens it and there’s nothing there. (Her machine is now infected and her worst enemy now owns her computer.) Because “Bill” already mentioned it as a possibility, Maria isn’t surprised by the blank PDF document. So she follows the instructions and downloads the latest Adobe reader and gives it one more try. Again, nothing. So she hits Reply on the email and says:

Bill, I tried opening the document, but couldn’t. I even got the new Acrobat but it still didn’t show up. Can you send me the picture instead?

This time though, it goes to the Yahoo account, so the real “Bill” would never know what happened. Maria already saw the email came from “Bill” originally, so it’s doubtful she’d pay attention to the Reply-To address, especially when it’s so similar anyway. Even if she noticed it, she very likely would just ignore it. (I use a different Reply-To address most of the time and have only had a handful of people ever mention it to me or ask about it.) A few days later when they spoke, Maria would mention it to Bill. Bill would have no idea, or think Maria’s talking about something else, or that it got eaten by the spam filter. When they synced up, chances are they’d just assume it was spam when they couldn’t figure it out.
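A defensive check for the From/Reply-To trick described above, written as an added example that is not part of the original post: it parses raw message headers with Python’s standard email library and flags messages whose replies would be diverted to a different address than the one the message claims to come from, while staying quiet on an ordinary same-domain Reply-To. The sample messages and addresses are constructed for this example.

```python
"""Flag e-mail whose Reply-To would divert replies away from the apparent sender.

Added example (not from the original post). Standard library only.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed samples modelled on the post's scenario (hypothetical addresses).
SAMPLE_SPOOFED = """\
From: Bill <Bill.MariasBrother@hotmail.com>
Reply-To: Bill <Bill.MariasBrother@yahoo.com>
To: maria@example.com
Subject: Mom's birthday present

Hey, it's me, Bill. Here's a copy of something I wanted to get mom.
"""

SAMPLE_NORMAL = """\
From: Bill <Bill.MariasBrother@hotmail.com>
To: maria@example.com
Subject: lunch?

See you at noon.
"""

# A legitimate Reply-To: same domain, different mailbox (e.g. a no-reply sender).
SAMPLE_LEGIT = """\
From: Acme Billing <noreply@example.org>
Reply-To: Acme Support <support@example.org>
To: maria@example.com
Subject: Your invoice

Reply to this message to reach support.
"""


def _split(addr):
    """Return (local_part, domain) of an address, both lower-cased."""
    local, _, domain = addr.strip().lower().partition("@")
    return local, domain


def reply_to_findings(raw):
    """Return a list of human-readable findings for one raw RFC 822 message.

    An empty list means the From / Reply-To pair looks consistent.
    Every Reply-To address is checked, since the header may carry several.
    """
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name = from_name.strip()
    from_local, from_domain = _split(from_addr)

    findings = []
    for reply_name, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_name = reply_name.strip()
        reply_local, reply_domain = _split(reply_addr)
        if not reply_addr or (reply_local, reply_domain) == (from_local, from_domain):
            continue  # no Reply-To, or it simply repeats From: nothing to flag
        if reply_domain != from_domain:
            findings.append(
                f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}"
            )
            if reply_local == from_local:
                # Same mailbox name on another provider: the look-alike trick in the post.
                findings.append(
                    f"look-alike address: local part {from_local!r} reused on {reply_domain!r}"
                )
        if reply_name and reply_name == from_name and reply_domain != from_domain:
            findings.append(f"display name {from_name!r} reused on a different address")
    return findings


def is_suspicious(raw):
    """True when at least one finding was raised for the message."""
    return bool(reply_to_findings(raw))


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("normal", SAMPLE_NORMAL),
                          ("legit", SAMPLE_LEGIT)):
        print(label, "->", reply_to_findings(sample) or "ok")
```

Running the block prints three findings for the constructed spoofed message and "ok" for the other two, which is the behaviour a mail-filter rule built on this check should show.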

And even if they do, at this point, it’s too late. All the counter proliferation measures in the world won’t save them now. Even if they suspected something bad, it’d likely be at least a few hours later, and she’d almost certainly have checked her email by then. She almost certainly will have typed a password into the machine by then. So even if they suspected something – there’d be nothing apparent on the machine. By this time, the logger should be deactivated so it’d be really hard to detect (especially if they wrote it themselves, b/c it wouldn’t match any known definitions, and even well-known ones are good at hiding themselves). Even if Maria and Joe found it, they’d have no idea what it was or what it did, and if it was homemade, they’d have to decompile it and have a savvy coder figure out what it did. Doubtful. This would almost never happen. Most people just delete spyware, assuming they can find it. How many people do you know that have had spyware infections decompiled and looked through? I’m a software developer and I wouldn’t even go through that hassle. In fact, I can’t imagine ever wasting that much time or energy on it.

Even if they did all of this, it would take forever. By then, the attacker would own their email accounts, chats and most other things. Here’s the beautiful part. Since the Logger is deactivated, there’s no indication it’s running (or very little indication). Let’s say Maria decided to change her password (or just did it as a routine course of action). Sallie tries to get in and it doesn’t work this time. No problem.

Sallie just goes to the configuration, tells the Logger to activate itself, and depending on the product, to turn itself off once the file gets to X KB or shortly after the words http://www.aol.com or http://www.yahoo.com are typed. While not 100% foolproof, this would be 99% foolproof, and if somehow it turned off prematurely, Sallie could just try again. If Joe and Maria cleaned the stuff off of there then it’d be game over temporarily, but that’s doubtful. And once Sallie has the password, she can get into the email and do all sorts of things to help ensure Maria’s computer gets reinfected.

Again, I ask you, if you were the target, how would you fare? If someone had a keystroke logger on your machine, what would they be able to discern? If they had all your email passwords, what would they be able to find? If they saw your new passwords after you changed them, are you still hyper vigilant about checking the IP Addresses that access your accounts? What about the PDF exploit? Would you think much about it if you got a blank PDF? What if you aren’t in a court case or criminal case? Well, do you think there aren’t criminals out there who’d love to clean out your bank accounts? If they had all your challenge question responses and passwords, what could they do? Ask some of the victims of DB.Singles.Org who had their Paypal accounts drained (all b/c they reused passwords and ONE SITE THEY USED had weak security measures. Wanna bet at least one site you use has equally lame security?)

Take this stuff seriously and guard yourself against it. Whether it’s a court case or your banking information, you don’t want to ever let yourself fall victim to this, especially when it’s so easy and essentially free to protect against. Spyware and malware are rampant and if you don’t take responsibility for counter proliferation of spyware and malware on your machines, don’t expect anyone else to either. I know I make a lot of counter proliferation jokes, but when it comes to proliferation of spyware, it’s not a joking matter. Counter Proliferation of Dog Poop, on the other hand, is definitely a joking matter – in fact, while Sarah and I were out at Dinner last night, we had a ton of proliferation going on.

I have had a few people ask about consulting for them. I’m pretty busy but do have some availability to do assessments, audits and to create a strategy to protect yourself with. Contact me at blogcommenter@williamgryan.com to discuss this further. I’d be glad to help out with basic stuff for free, so feel free to post comments and I’ll do my best to answer them. If it’s more involved and will take some time, then just email me at the address above.

LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE.  ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL SO ANY SIMILARITIES ARE PURELY COINCIDENTAL)

Categories: Counter Proliferation, Identity, Malware, Privacy, Security, Snoopery, Spyware, Technology
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 12 27 PM

23 Apr 2010 @ 10:18 AM

Bruce Schneier posted this earlier today and my jaw hit the floor:

I really don’t know where to begin. Lock My PC 4 bills itself as a “better way to lock your computer”. The main product page describes it as follows:

Lock My PC™ is an easy in use, powerful and compact tool to lock your computer from unauthorized use. When you leave your computer unattended, the program disables the hot keys (including Ctrl+Alt+Del), mouse, locks CD/DVD ROM doors and displays a lock screen. Nobody can access your system without providing the correct unlock password.

Unlike another similar computer lock software that cannot lock Ctrl+Alt+Del on a computer running Windows XP, our Lock My PC runs own keyboard driver to block such key combinations. Moreover, bulletproof startup lock guarantee that when your computer locaked at startup, this lock cannot be bypassed even in safe mode!

Why Lock My PC ?

You don’t like snoopers. They are always prying into your e-mail messages, programs, data, files, etc. Lock My PC allows you to lock your computer with a password while you leave it unattended. You can lock your computer manually, with a menu or hotkey, or set up auto lock when your computer is idle.

Hmmm, I guess one could overlook one typo on a corporate page, but looking through this, there are quite a few. That alone might lead you to question their attention to detail, something that’s absolutely critical for security software.

“Well Bill, they are probably from another country where English isn’t their first language. So just b/c they don’t have perfect grammar, it’s not fair to assume they are careless elsewhere.”

I buy that argument in principle, but either way I’d say it would make me look really carefully for other signs of carelessness. It might be unimportant b/c, after all, English isn’t their first language, or they’re computer scientists, not English professors.

This should clear up any confusion one might have as to how seriously they take security:

From: Bugs NotHugs <bugsnothugs () gmail com>
Date: Wed, 7 Apr 2010 04:23:55 -0600


Vendor: FSPro Labs [http://www.fspro.net/]
Product: Lock My PC 4 [http://www.fspro.net/lock-pc/]

---------- Forwarded message ----------
[request for help on locked PC]
Hello,

Please try engineering password:
19740619

Best regards,
FSPro Labs Customer Service

Technical Support  -- support () fspro net
Sales Department   -- sales () fspro net
Information Center -- info () fspro net

The support forum isn’t secured; anyone can browse directly to it. And if you did, you’d be able to access a Master Password for their product that will let you unlock any version of it. And I don’t mean unlock as in licensing – I mean Unlock as in Circumvent precisely what this product is supposed to protect against.

This would be patently irresponsible for a software company that sold software with little in the way of security implications. For a company that sells a security solution, it’s a sheer and utter disgrace.

I know people make mistakes. I know tech support has high turnover, so you frequently have new people with little product familiarity. I know tech support guys get gunned at all day by rude, annoying and/or idiotic people and often are willing to do anything to make customers happy. But for this to happen, several things must be in place.

First off, the company has a “Master” password for all of their products. This isn’t item dependent (which would still be bad. Would you still consider buying this product if you knew up front it had a backdoor in it?). Any disgruntled former employee could access it, put it on the web or do God knows what else with it. Next, the password isn’t even kept very secret. If you’re going to have something like this, which could expose all of your trusting customers to serious breaches, you should at least safeguard the hell out of it (although I’d maintain you shouldn’t have it at all). Next, the tech apparently wasn’t trained well enough in security to even realize that what he was doing was really irresponsible and dangerous. And no one up the chain of command apparently reviews what their people say in the support forums, so it’s stayed up there for a while. You might argue this isn’t necessarily true; it’s possible a higher-up reviewed this and found it ok. That’s certainly possible. But if it is the case, it’s infinitely worse than them not reviewing what their subordinates are doing. It’s one thing for a new low-level support tech to make a mistake like this; if anyone who’s been there a while or has any position of authority were to do this – they don’t deserve to be in a position of trust like this.

Sadly, this doesn’t surprise me. Just a few months ago I learned of a commercial web site that was breached by means of a SQL Injection Attack. Mind you, this was in 2010. How anyone can leave an injection vulnerability open after all the publicity is beyond me. I also know of quite a few companies that do the same thing as this, some of which deal with very sensitive data. They use master passwords (some even use SA and ‘password’ or the company name) for all of their apps. Many don’t ever change passwords, even after employees who knew them are terminated or leave. And some of them even tell clients the master password, just b/c it makes tech support easier. I don’t know what’s worse, a security-oriented software company doing this or a software company that handles private data for the government/banks/hospitals doing it. Either way, there’s no excuse for this.

IMHO, this will be the biggest impediment to cloud computing. At first, everyone will be thrilled by the simplicity and value. Then there will be a high-profile breach and many people will second-guess the whole thing. If there are enough high-profile breaches, adoption of cloud computing could be seriously hampered. Having worked or consulted with many software companies and having many friends who do the same, the sad truth is that stuff like this is the rule rather than the exception. It’s almost always driven by laziness or ego (“No one is ever going to attack our stuff, how would they even know where to begin” or my personal favorite, “It’s on an INTRANET, so we don’t need to worry about security”). Think about the DB.Singles.org debacle (and think about how they ‘responded’).

Categories: Coding, Douchebaggery, FAIL, Privacy, Security, Snoopery, Spyware, Technology
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 10 28 AM


Over the years, I’ve received a good 100 or so requests from people seeking help to break into an email account or someone’s computer. Without fail, I never knew the people and they found me via Google. They never bothered to read the pages the links pointed to, b/c the referrals were almost always articles I had written advising people how to NOT GET HACKED. Most of the cases involved teenagers, typically looking to find out if their boyfriend/girlfriend was cheating on them, wanting to get even with someone who they claimed was doing evil stuff to them, or something along those lines. A few cases were people involved in court cases looking to get dirt on their baby momma|daddy or former spouse by going through their computer or getting into their email. Google or Bing must have indexed something I wrote recently b/c I’ve gotten two such requests this week.

Now, I’ve never once written an article or anything explaining how to hack into someone’s machine. I’ve never once discussed how to breach someone’s privacy. I’ve gone out of my way to teach people how to AVOID this. By comparison, I’ve received probably 50 emails over the years from people asking me to help ensure they don’t get hacked or to get rid of malware or spyware (then again, I’ve received a ton of comments, so that might explain the disparity).

So I decided that maybe if I write a HOW TO article explaining how you would go about hacking someone’s email or computer, maybe that’d serve to help people counteract such measures. Before I continue, I want to warn you that in most cases, hacking into someone’s account is illegal. Whether or not it’s illegal, it’s arguably immoral and certainly uncool. I’ve heard all sorts of excuses, from “My boyfriend is cheating on me with this girl who I think has herpes and he doesn’t wear condoms and I need to find out if he has it” to people trying to justify it by claiming their baby momma is abusing their kids. People always have supposedly ‘good’ or ‘necessary’ reasons for breaching other people’s privacy, but it’s almost always little more than rationalization. So let me be clear, I don’t condone hacking and I don’t condone violating people’s privacy. I’m going to make my central points here without giving details precise enough to help you hack, say, someone’s AOL account, but will give you enough information to protect yourself. This isn’t a definitive work by any means but is typical of how you’d get attacked – so pretend the person in question is YOU and think about how to protect yourself.

BEFORE I CONTINUE, LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE.  ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL SO ANY SIMILARITIES ARE PURELY COINCIDENTAL)

Let’s come up with a typical scenario along the lines of one I’ve heard (and for the sake of argument, we’ll assume it’s a legitimate case of needing to get the information at hand). Say Joe and Sally were married with two children, Joey Jr and Sandy. Sally has primary custody but Joe gets weekend visitation. Sally’s a great and caring mother and Joe is the exact opposite. And no such story would be complete without an evil step-mother. So let’s say Joe recently married Maria, the evil step-mother. Joe recently started a suit against Sally to get his custody agreement changed, wanting more time so he could pay less in child support. Joe’s new wife is really awful to the children, and while Joe used to just be a negligent father, he now frequently throws his kids under the bus to keep from getting in trouble. If he keeps the focus on them, he stays out of the crosshairs. Sally is horrified at the thought of Maria having more time with her kids and a huge ugly mess ensues. Maria and Joe start a vicious campaign of lies and distortions and are pulling out all the stops in trying to smear Sally. Sally *knows* from things her children tell her that Maria is an awful person and does a lot of awful things, and that a lot of it is documented in her email account on AOL or Yahoo. How should Sally proceed?

Sally needs access to the computer but being a loving mother, would never do anything to involve her kids.  While the kids hate Maria and want to do whatever they can to help, Sally is hesitant to let them even be remotely involved b/c they shouldn’t be in the middle (and if Maria caught them spying or anything, she’d certainly punish the kids ruthlessly).

The first thing she could do is try to guess the Password for Maria’s email account. She could navigate over to Yahoo.com or AOL.com, type in Maria’s email and guess at her password. Since she’d almost certainly get it wrong, she could select “Forgot my Password”, which would initiate the Password reset process. She knows enough about Maria to answer all sorts of background questions (and the kids certainly could help). So is this worth a try? Categorically NO.

Why? Ask David Kernell. He used this technique and was completely successful. But it caused some major complications. And in Sally’s case, it could be a lot worse. Here are just a few of the problems:

  1. If she can’t guess the password, Maria will almost certainly be notified that someone was trying to get into her account. Maria will then likely take much more precautionary measures, making any future successes much less likely.
  2. The Provider may not let you change the password; it may simply send the new password or a reset link to whatever account is listed in the profile. This will have the same end result as Item 1.
  3. The provider will very likely log the IP Address. Whether it’s changed successfully or not, Yahoo or AOL may send her an email with the IP Address of the attempt. If so, Maria will not just know someone was trying to get into her account, she’ll know it was Sally.
  4. If she gets in, she won’t know the original password. So the next time Maria logs into the account, she won’t be able to get in. In such a case, each of the previous items is likely to come into play.
  5. Logging in with the Password if you have it is legal, even if the person hates your guts. If you have the credentials, you can get into the account. But using means such as this or pretending to be someone you’re not (like sending an email to MyRealBox.com pretending to be your ex-spouse) is not legal, and as such, Sally could fail at getting any new info and give Maria all sorts of ammunition to attack back with.


So the first countermeasure here is DON’T ANSWER YOUR CHALLENGE QUESTIONS WITH REAL ANSWERS. Instead, come up with some canned answers that you know are fake. If you went to Kiski Prep high school, answer ‘Highlands’ as your high school if asked. If your first pet’s name was Spot, answer with the name of the current pet you have. Whatever you do, make sure you use fake answers. Then pick easy questions that an adversary would likely think they could answer. By doing both, you’ll egg them into trying to access your account. They’ll fail. And they’ll likely keep answering over and over, sure they have the correct answer and that you’re just spelling it wrong. They will have a lot of fun trying to convince a jury that they ‘accidentally’ repeatedly put your real high school’s name in the answer box.

For Sally, the lesson here is DON’T DO ANYTHING ILLEGAL. And forget about trying to guess a password or brute force someone’s password.  It will very likely fail but in this case, Success could easily be much worse than failing.

The next thing Sally might try is having the kids look over Maria’s shoulder and guess her password.  Or she could ask the kids to try to get Maria to give it to her (“Maria, I need to log onto the computer to get my homework assignment, can you just give me the password for now?”) Most people reuse passwords so if you get one of their passwords, you’ll likely be able to use it other places. And even if not, they’ll likely use that password as a basis for another password.

This approach is a complete loser too. Here are a few reasons why:

  1. It involves the children.  Any parent that intentionally sticks their kids in the middle of such disputes is an a-hole.  You might need to win, but you never need to win so bad you stick your kids in the middle of it
  2. If Maria gave them the password, and then you used emails from that account, she’d almost certainly put two and two together and the kids would pay in blood.

Unlike the last approach though, if she reused passwords and she just gave the kids the computer login, you’d be set. You’d have the correct password so you wouldn’t be hacking or pretending to be them.  Unless you deleted messages or did something obnoxious, Maria would never know it happened so from a technical point of view, it’s much better than the previous method.  But it involves the kids and using your kids as a human shield is just plain f****ed up.

Here’s one last approach, which is precisely what I’d use if I was ever to go over to the dark side, sell my soul to the devil and go for broke.

Sallie could buy or have a software developer friend write her a Keystroke logger.  The logger would hopefully be sophisticated enough that it wouldn’t show up in the task bar, that it wouldn’t show up in task manager either and that it would execute transparently. Ideally, it would be able to remotely send the results to a pre-specified email account.  Here’s a few aspects of how this would work:

  1. The logger would be as invisible as possible not showing that it was executing anywhere.
  2. If it had to show up in Task Manager, it would use a clever name like “MS Search Indexing” or “McAfee Virus Scanner” (particularly if you knew that they used a specific brand of spyware detectors). Just adding a space in a program name is enough to differentiate it while making it ‘look’ like something legit. Svchost is always a good choice for a name – even though it’s not really a service.
  3. It could be toggled off remotely and ideally uninstall itself if it needed installing in the first place
  4. It could disappear and then come back to life
  5. It would have to be able to be remotely installed
  6. It would need to be able to transmit the results (i.e. email, ftp, http) somewhere else where it could be reviewed by Sallie
  7. It would need to be subtle enough to not set off any spyware warnings.

Pretty much any Keystroke Logger worth its salt would have all of these features.  Any developer with even a small amount of technical skill could write a tool like this in a day or so. Sallie would do something like this:

Now, Sallie just needs to send Maria an email with an attachment that must be opened. If she thinks Maria won’t be that cunning, well, she could have one of the kids open up their email. Better yet, if Maria is the type of insecure sociopath who violates their kid’s privacy b/c of paranoia but justifies it as parental responsibility, this is the perfect setup.  Sallie sends the email with the program attached to it as an attachment to the kids. She instructs them not to open up the email anywhere but on Maria’s computer. She should give it a compelling name that she knows Maria will go crazy over and perhaps put just enough in the body of the email to set Maria off without going so far as that it could make her look bad.  Maria sees a Title to the effect of “Is the Monster Making your life miserable” and then in the body put “Honey, I‘ve attached the instructions on what to do If Maria starts anything with you this weekend.”  Seeing that, with the taunting title, Maria will almost certainly click on the attachment to see what it is.  Even if a warning came up, Maria would likely just click “Ok” b/c she’d want to see what was in the document so badly.  This would be perfect for a Word Macro or something similar and inside the document, having something like “Just kidding” or Sallie’s home phone number with nothing in it that anyone would get excited over.

I could write volumes on how to get Maria or her counterpart to open the email but I won’t.  That’s where it crosses the line in my book so I’ll leave that up to you (rather, I’ll let you think about this for a second and think what you might do. Would you open it?  Most people would.  So keep that in mind when opening attachments, even if you think they’re legit.  Viruses and malware are only spread b/c of ‘trust’ – so think long and hard about how and why you trust things that you receive via email).

Here’s where things get fun. Sallie should now wait a few days  before retrieving the results. In fact, she should ‘make sure’ that Maria checks her email. She could for instance, send something of a legal nature or something she knows Maria would want to know about.  She could call beforehand and say “I sent you _________________________”  That would give her a time frame among other things to check against in the results dump (those things can get pretty big).

After waiting a day or two, she should now retrieve the results.  If she finds what she needs, she should immediately deactivate the logger at this point. Not uninstall it but deactivate it.  At this point, she should look for any string that has “AOL.com ” in it.  Since she knows Maria’s email address, she should look for that too.  If she sees “AOL.com” followed by “bluemaria007@aol.com” (this is a made up address – or at least I hope. If there is a blue maria 007 please accept my apologies in advance).  Sallie can be pretty confident that the password is the very next string.

She should go test it out once she thinks she has it. If it’s wrong, she should never try more than once in a 30 minute window. Yes, I’m sure it takes more to lock out most accounts, but why push it. Patience is your friend here.  Once Sallie is in, she could elect to uninstall the Keystroke Logger, which would get rid of any trace of it. The downside of leaving it is that if it’s discovered, it’ll point back to ‘her’ email address. If she followed the steps above, then not much could come from it, but it would put Maria one step closer to finding out what just happened. So it’s best to remotely remove any such information if she was going to leave it installed but deactivated. There’s a gamble at this point.  The quicker she uninstalls it, the lower the odds that it’ll ever be discovered. On the other hand, if she needs it again b/c Maria changes her password or anything, she’ll need to get it reinstalled.

The Logger approach has some other benefits.  Not only will it let Sallie see passwords, she’ll see everything Maria does (and anyone else on the computer). Maybe Maria has a pr0n fetish. Maybe she’s cheating on Joe. Maybe she engages in cybersex. Maybe she’s doing something else she shouldn’t be.  The Keystroke Logger would let Sallie know about ALL OF IT.  Maybe Joe is doing some stuff he shouldn’t. Whatever the case, if they’re doing it on the computer, Sallie will know.

What should Sallie do now?

  1. Use the Search feature and search for “Sallie” and each child’s name individually.
  2. Search for her Last name (which may produce too many results if it’s still the same last name as Joe)
  3. Search for sexual terms
  4. Search for common drug names
  5. Search for “affair”
  6. Look at all the correspondence between Joe and Maria. Are they fighting? If so, what are they fighting about?  This will likely prove to be very useful later on.
  7. NOW, SALLIE SHOULD LOOK THROUGH THE SENT ITEMS FOLDER.  She will likely find things that are YEARS old b/c most people don’t clear out their SENT Items.  She should do the same for Deleted Items
  8. She should search for any other email accounts Maria or Joe might have. 
  9. She should search for Facebook, Twitter, MySpace etc and any other such accounts.  Since she likely uses the same password, she should try to access any of these and see if there’s anything helpful.
  10. If she finds another email account that doesn’t have the same password, she should wait until about 3:00 AM on a Sunday. She should go into that account and reset the password (while having this particular email open).  She can then reset the password for the other accounts and IMMEDIATELY delete any traces of information about the reset from the existing account. Maria will try to access one of those other accounts and not be able to get in. But unlike the earlier scenarios, she’ll likely think it’s just a glitch, or that she forgot the right password or whatever. And with all the traces deleted, she’ll never have any idea. Even if she was told there was a reset, at this point she suspects nothing, so she’d likely think the email provider was mistaken. Sallie needs to make sure she deletes the item from the Trash though, and any Sent Items emails too. If Maria happened to be online and watching her email, she’d see the new email come in and then disappear. That’s why it should be done at a time when Sallie is sure Maria isn’t using the computer.  She could always do it while calling Maria to make sure Maria is on the phone with her (although this is far from foolproof).
  11. It may be the case that Maria has other email accounts (like her work account) that have all sorts of incriminating information. If she’s in trouble at work, Sallie will know. If she’s stealing money, Sallie will know. If she’s trading on insider information Sallie will know.  If she’s having an affair with a coworker, Sallie will know. This could open up all sorts of doors so it’s not something you’d want to overlook.

Legally, Sallie won’t be able to use much of this as evidence. Depending on the state’s laws, the information may or may not be accessible. So if she admits to hitting the kids, or some other emotional cruelty, it may not be admissible.  However that’s irrelevant in many cases. If she was having an affair, Sallie could make sure someone notified Joe of the details. If she was engaging in cybersex or Pr0n, Sallie could drop Joe or Maria’s boss some of the details.  You get the idea.

At this point, Sallie could search all the Sent items and trash, find stuff years old as well as new material and just save each one.  Most people have all sorts of embarrassing stuff in their emails and if she’s doing something wrong/illegal/immoral, it’s a virtual certainty there’s some record of it on the computer.

Remember, Sallie didn’t just get her email. She now likely has Maria’s other email accounts, Joe’s other accounts, passwords or account information she had saved as Drafts (Drafts are frequently a gold mine), chat details, documents she wrote to the attorney – just think about how you use the computer. Imagine your worst enemy, who you were in a court battle with, had full access to it without you knowing.  She could come and go as she pleased. How would that affect you?

If you haven’t read it already, I highly encourage you to read my article on the Hacking of DB Singles.org aka Operation Jesus. There are many valuable lessons to be learned there, most of which I’ll review here.  I’d also point out that in the middle of the attack, I called the computer crimes investigator for a Sheriff’s Department close to where I live.  This is the same person that was hassling me about something so absolutely silly no one would believe me if I wrote it. Yet in the middle of a huge hacking, where thousands of dollars were stolen, where child porn was being put up on people’s Facebook pages, where all sorts of false ‘confessions’ were being made about rape, molestation etc by people pretending to be the account owners – no one called me back.  Almost all of this damage could have been prevented had law enforcement known or stepped in to intervene. I had full details of what was happening.  I’ll never know why he never called me back but I can speculate. I do know however that he’s been willing to spend quite a bit of time helping someone harass a private citizen (it’s never harassment when someone in Law Enforcement is doing it though – don’t forget that).  Actually, I’m sure that not only will he read this, a friend of his will once again violate my terms of use and he’ll say nothing. By his own words, his friend admitted to doing something that is unquestionably a crime but he did nothing about it.  I guess if the authorities agree with your motivation or don’t like the victim, it’s not a crime either.  Even though I haven’t identified any names and didn’t disclose any details – I’m betting that once he reads this I’ll be questioned or arrested (b/c it’s no secret he’s just dying to arrest me for something).

I bring up the Singles.org incident for two reasons. The first is that it shows you how vulnerable many people are and they never know it. It illustrates how just doing a few small things resulted in a huge difference with respect to how much exposure people had. Some people only had their Profile pages defaced, others had thousands of dollars stolen via Paypal, had their Facebook pages hacked or had people make horrendous confessions from their email accounts – confessions which were about criminal activity in several cases and were completely untrue.

If these people would just not REUSE PASSWORDS, their exposure would have been limited to the dating site. If they had used dummy email accounts for public profiles they would have faced no real exposure.  In addition, you should remember to never, ever open attachments unless you’re beyond positive that it’s something you want.  You should always check with the sender. In the hypothetical above, the sender would have verified that she meant to send it, but remember that it was a plant the whole time. If Sallie had sent Maria the attachment directly, it would have been received with much more suspicion. You should remember that someone else could do something naive or stupid and you could still be at risk.  You should think long and hard about what you keep stored in your email accounts.  You should think about what would happen if an adversary/enemy had access to everything you were typing.  You should be very careful about keeping virus definitions up to date and about what processes you allow to run in Task Manager.  Think about how I described the Logger that I would write.  Would you notice another Servicehost.exe running?  You should also think about watching all traffic coming out of your computer and network.  You should delete everything from your trash as soon as possible. You should keep your Sent Items folder cleaned out. You should use multiple email addresses and always, always use different passwords (strong passwords that are markedly different from one another).  You may consider using a biometric reader for account access (at our house, we have fingerprint readers on all the machines).  You should pay close attention to the IP addresses that have accessed your email (do you know your IP address?).  You should make sure you know your home and work IP addresses and take any ‘strange’ items very seriously.  You might even do what we do… That is, I don’t check email from any of my machines.
Instead I use a Virtual Machine that I do all my internet surfing and emailing with.  Even if they got a logger on my box, they’d be hard pressed to get much info out of it b/c as soon as I’m done, the Virtual Machine is SHUT OFF.
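The advice above to know your home and work IP addresses and take any ‘strange’ ones seriously can be turned into a quick check over your provider’s login history. This is an added example, not code from the original post; the known networks, the line format and the history lines are all constructed, and you would substitute whatever your provider’s recent-activity page exports.

```python
"""Flag e-mail account activity from networks you don't recognize.

Added example, not code from the original post. It assumes you can copy
your provider's recent-activity / login history into simple text lines
of the form "YYYY-MM-DD HH:MM <ip> <event>"; that format, the networks
and the addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Union

# Networks you know you log in from (home, work). Constructed examples
# using documentation address ranges.
KNOWN_NETWORKS = {
    "home": ipaddress.ip_network("203.0.113.0/24"),
    "work": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed login history. The 3 AM entries from an unknown address,
# followed by a password reset, mirror the scenario in the post.
SAMPLE_HISTORY = """\
2010-04-18 07:42 203.0.113.17 login
2010-04-18 19:05 198.51.100.22 login
2010-04-19 03:04 192.0.2.77 login
2010-04-19 03:06 192.0.2.77 password_reset
2010-04-19 08:10 203.0.113.17 login
"""


@dataclass
class LoginEvent:
    when: datetime
    ip: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    event: str
    network: str  # "home", "work" or "unknown"


def classify(ip):
    """Name the known network an address belongs to, or 'unknown'."""
    for name, net in KNOWN_NETWORKS.items():
        if ip in net:
            return name
    return "unknown"


def parse_history(text):
    """Parse history lines into LoginEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time, ip_str, event = line.split()
        ip = ipaddress.ip_address(ip_str)
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        events.append(LoginEvent(when, ip, event, classify(ip)))
    return events


def suspicious_events(events, quiet_start=0, quiet_end=6):
    """Return (event, reasons) pairs worth a closer look: anything from an
    unknown network, any password reset, and anything in the quiet hours
    when you know you were not at the keyboard."""
    flagged = []
    for ev in events:
        reasons = []
        if ev.network == "unknown":
            reasons.append("unknown network")
        if ev.event == "password_reset":
            reasons.append("password reset")
        if quiet_start <= ev.when.hour < quiet_end:
            reasons.append("quiet hours")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in suspicious_events(parse_history(SAMPLE_HISTORY)):
        print(ev.when, ev.ip, ev.event, "->", ", ".join(reasons))
```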

There’s always a tradeoff when it comes to security and that tradeoff comes at the price of convenience.  Until recently, I never had any enemies I’d be very worried about, and the best defense is always to not have people gunning at you. Even now that I know someone is out to get me, and I think they’re too crazy/ignorant/psycho to, I started taking security around the house a lot more seriously.  By not doing anything bad you greatly minimize the attack vector, but we all have some things that are private that we wouldn’t want everyone to know (if one of your parents was dying, for instance).  Since it’s a tradeoff, you have to decide where your comfort zone is.  Think about the Maria hypothetical I came up with above.  If Sallie did that to you, how would you fare? If you have someone out to get you, you should assume that they might be able to do just that.

Sun Tzu (and honestly, it was Sun Tzu, not the Godfather) had a lot to say about dealing with your enemies. And one of the best ways to lose to your enemy is to underestimate him. You can take this to the extreme and lock yourself in a closet, but isn’t that giving your enemy a victory in and of itself?  Instead, you need to accurately assess the threat, look at the situation as objectively as possible (in fact, you should find some contrary opinions), make sure you’re not believing your own press releases and take reasonable precautions. In most cases, just making a few small changes or taking some very basic precautions is more than enough to safeguard yourself.

And just keep in mind, if Maria used a service like Privicy, she’d never have had these problems.  But I don’t want to shamelessly plug my own products in an article about security – I just mention it b/c in reality, it will solve almost all of these sorts of problems.

[tags]By Way of Deception, The Art of Deception, The Art of Intrusion, No Tech Hacking, Kevin Mitnick, J.J. Luna, JJ Luna, How to be Invisible, www.howtobeinvisible.com, Victor Ostrovsky, Sun Tzu, Email Hacking, Spyware , Malware, Online Privacy, Email Security, Keystroke Loggers, Db.singles.org, Singles.Org, Operation Jesus[/tags]

Again, just to reiterate:

BEFORE I CONTINUE, LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE.  ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL SO ANY SIMILARITIES ARE PURELY COINCIDENTAL)

Tags Tags:
Categories: Email, Privacy, Roubot, Security, Snoopery, Spyware, Technology
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 08 23 AM

 01 Apr 2010 @ 10:17 PM 

Being the optimistic fellow I am, having a great week is nothing unusual.  Last week was so amazingly good I thought it would be ages before I had another one that good.  Then Monday came around and things have just kept getting better.  I didn’t think anything could top yesterday, and well, today somehow managed to do so. 

In the course of 24 hours, every sucky thing in my life went away (ok, not totally away, but away enough for my taste – Metaphorically, I’d liken it to getting cured of Ebola, except Ebola is nowhere near as fugly, dresses better and is infinitely more pleasant to be stuck with).

I’m back to being able to focus on value added activities now which among other things involves the launch of my entrepreneurial dream – Privicy.net (it’s just the default MS landing page now but the beta will be up in two weeks). I’ve already managed to learn more about .NET 4.0 and WCF than I could ever want but this has forced me to learn a lot of things I always avoided, like front end work.  One of the coolest things I’ve got to work with is OpenID. I’ve also been able to work with Android development quite a bit which was getting really cool – until the Windows Mobile 7 SDK was announced.  I guess now it’s bye bye Java and hello Silverlight.

I’ve already received a ton of interest over Privicy and I need to have it done by May 2, 2010 or I’ll lose out on a good bit of money.  I’m going to try, where possible, to post some of the cooler stuff that I came across while developing the site.

Anyway, I’m back and have a lot of content ready to go – I’m going to brave the Upgrade to WordPress 2.9.2 and get at it.  Considering my luck with WordPress Upgrades, I need to do it this week while life is smiling so favorably upon me ;-)

Tags Tags:
Categories: Privacy, Privicy.net, Security, Snoopery, Spyware, Technology, William G Ryan, William Ryan, Windows Mobile
Posted By: Roubot
Last Edit: 01 Apr 2010 @ 10 17 PM


Thank God people write articles like this that clearly explain things instead of sensationalizing them.  Then again, if everyone in America read articles like this, the technology reporters at media outlets would be out of jobs. 

This article is great for many reasons and is a very informative read for many different audiences.  Experienced developers will appreciate the way he explains the issues even though they should (or had better) be familiar with the subject matter.  In it, he covers the following:

  • SQL Injection
  • Cross Site Scripting Attacks
  • Cross Site Request Forgery
  • Remote File Inclusion
  • Phishing
  • Clickjacking

For non-technical people, there’s a good explanation of the big picture stuff and some easy to read graphs explaining security problems.  The advice provided is useful but I have a few things I’d add (probably a good idea for a blog post).

Hat Tip:  Bruce Schneier

[tags]Internet Attacks, Internet Security, Sql Injection, Cross Site Scripting, Cross Site Request Forgery, Remote File Inclusion, Phishing, Clickjacking, Bruce Schneier[/tags]

Tags Tags: , ,
Categories: Security, Snoopery, Spyware, Technology
Posted By: Bill
Last Edit: 15 Feb 2010 @ 06 24 AM

 21 Jan 2010 @ 2:09 PM 

I wouldn’t have.  Bruce Schneier links to an incredibly impressive skimmer that was recently found live, in use, in California.  Check out the pictures and think about whether or not you’d suspect anything funny. And even if you do catch  it, read the whole article and consider if you caught every aspect.   Like Schneier says, he didn’t catch any of it either, and that’s the whole point.

[tags]ATM Skimmer, ATM, Bruce Schneier[/tags]

Tags Tags: ,
Categories: Privacy, Security, Spyware
Posted By: Cuckoo
Last Edit: 21 Jan 2010 @ 02 21 PM

 29 Dec 2009 @ 11:32 PM 

2009 was a pretty mediocre year overall, but Kim decided to end it with a bang.  She finally accepted the fact that she’s married to a geek and embraced the geek chic while shopping for me.  One of the things she got me was a Cisco WVC210 Wireless G PTZ Internet Video Camera.  We’d been talking about installing some Doggy Cams for a while, but I really wasn’t expecting this.


Historically, the little bit of talent I have resided exclusively in the software realm.  When it came to wiring up anything, I could make a mess or an accidental explosion, not much more.  Trudging through the learning curve though, I started making some progress.  My crowning success for the year WAS turning the interior of my car into a fully functioning T-Mobile Hotspot (I really didn’t think much about having built-in BlueTooth in my car at first; I’ve since learned to really love it b/c with Wi-Fi and the Hotspot, it’s all kinda wireless).

This whole thing started as a father/daughter project and grew.  Santa brought her a NetBook to use with her Webcams so between the XBox Live acct and this, she’s going to be the highest tech kid in SC.  I tried getting it working in the car, not b/c it’s practical or even desirable, but just to see if I could get it to work.  As you drive, you roam and the IP Address is reassigned regularly (in this case, I’m roaming a lot so that’s the most likely culprit) so the forwarding is problematic.  Basically, you can see what the camera is looking at from a computer in the car even while moving. You can look at it over the internet if you sit still.  But for now, that’s all I was able to pull off.  I’ll be checking with the DynDNS.org folks to see if I can get something working while driving, but for now, I’m not expecting any miracles.

The WVC210 sat in the box for a day while we attended to other holiday duties (Santa brought me DJ Hero as well which took precedence).  Setup couldn’t have been easier and here’s what it took from start to finish (Finish being defined as ‘available and on the internet’):

  1. Setup requires a CAT5 connection from the camera to the switch (or router).
  2. You need to connect the power cable. (1 minute, combined with #1)
  3. Stick the install CD into a computer and start the wizard. (1 minute)
  4. Software needs to find the device. (2 minutes)
  5. Walk through the wizard. (4 minutes)
  6. If all works correctly, here’s what you’ll see. [screenshot: Cisco WVC210 PTZ Internet Camera]
  7. Add user accounts. (3 minutes)
  8. Log in to your account (I used DynDNS.org). (1 minute)
  9. Retrieve your settings and write them down or commit them to memory. (30 seconds)
  10. Log in to the router and set up Port Forwarding. (3 minutes) [screenshot: DynDNS]
  11. Go to the Internet and verify everything works. (2 minutes)
  12. Enjoy.


From start to finish, the whole thing took just about 15 minutes.  There’s one thing I sort of fibbed about.  DynDNS.org is awesome and very easy to use but I screwed up Port Forwarding the first time around.  I tweeted asking if anyone knew how to troubleshoot.  Within a few minutes, Chris at DynDNS.org wrote me back and offered direct support.  I took a stab at the Port Forwarding on my own and it worked like a charm, but the whole DynDNS.org experience was awesome and I’m hooked.

Now a few months ago, someone cracked our doorbell chime.  I’m definitely not qualified to play with electrics so it’s just sort of been sitting in limbo for a while. The additional cameras are perfect for such tasks.  Instead of looking like a lame a55 that can’t fix a doorbell, I look way cool for having video monitoring at the front door.  Coupled with some of the X10 stuff we bought recently (yep, after years of rolling her eyes, Kim has seen the light on X10 and become a firm believer), home automation has made a lot of progress recently and it’s been absolutely painless.

Anyway, once I got everything hooked up, the final step was removing the wires so it was fully wireless.  That was as hard as unplugging the cable and voilà, it was good to go.

Nothing big or impressive about a Webcam so what makes this blog worthy other than bragging about a wife cool enough to support my inner geek?  Here’s a few:

  • It’s cake plugging in additional cameras.
  • It provides two way audio which makes it perfect for a doggy tormentor cam or a door monitor.  The Sausage Dog of DOOM has reported back that he does not like me and mommy being able to watch him destroy our living room. What’s more, he really hates that we can say “NO!”  or “Stop it Nikki!” without having to be there.  From my point this is a huge plus, from an evil Sausage Dog’s perspective, it’s a bug.
  • You can fully control the camera remotely.
  • You can turn on motion detection so it follows around what’s moving.  Coupled with the previous item, this makes it an ideal Doggy cam.  This feature allows you to have emails sent to you directly when motion is detected and you can do really slick stuff like this too.  If only I could get it to recognize gestures, like a small sausage like dog lifting up his rear left leg… I know I read an article a few years back of a guy that did something similar for his cat.  The cat would drag in dead animals which was a real pisser since he was often out on business for a few days at a time. So he wired the webcam to the cat door and if it detected an anomaly (i.e. a cat shaped critter with a really wide thing in its mouth), it would lock the door.
  • You can record sessions – disk space is your only real limitation. This makes it great for surveillance in business or home scenarios.
  • It’s wireless so you can place it in strategic places without “those wires” which drives wives and anally retentive geeks nuts.
  • There’s a very easy to use, web based administrative console. 
  • Everything is URL addressable
  • Features such as Panning and Tilting are available right out of the box.
  • All of the functionality can be used w/out any programming

The downsides are few and in all fairness, I’ve only really had it a day or so and I haven’t dug in deep enough to be sure all of these are in fact, valid:

  • The instruction manual is really thin. There’s a quick start and that’s pretty much it.  There is comprehensive online documentation however
  • You may have to reset the camera once or twice before it can be seen by the software.  I had to reset it twice before it was recognized.  All in all though, this only took about a minute to accomplish
  • There is very little guidance along the lines of security.
  • I don’t know if there’s an exposed API. The control panel is pretty decent and does everything I need it to but it’d be nice to be able to write custom software to take advantage of it.  My guess is that there is something and I’ve just missed it.  The viewer is an ActiveX control but I’m going to try sniffing the wire and see if I can recognize any of the traffic.  If you run it securely this won’t work but it may give me a starting point of where to look.
  • It appears you have to have it plugged in (i.e. no battery). Coupled with the size, it makes it kinda obvious that it’s there. This is a bug or a feature depending on what you’re using it for.

[tags] Cisco, Video Surveillance, Cisco WVC210, Internet Video Camera, DynDNS, BlueTooth, X10, Home Automation [/tags]

Tags Tags:
Categories: Home Automation, Privacy, Security, Snoopery, Spyware, Technology, William Ryan
Posted By: Cuckoo
Last Edit: 13 Jan 2010 @ 02 35 PM

 04 Dec 2009 @ 10:59 AM 

I just activated the plugin so that when you visit a page, you’ll see your IP Address.  I’ve seen some funky behavior though (or so I think) so if you wouldn’t mind, click on the Address link and if you get an incorrect IP – let me know – it’ll look like the one below (which BTW, Is NOT live – it’s just there for demo purposes)

Your IP Address is:
xx.xxx.xxx.xxx

Tags Tags:
Categories: Spyware, Technology
Posted By: Cuckoo
Last Edit: 04 Dec 2009 @ 10 59 AM

 03 Dec 2009 @ 3:28 PM 

Bruce Schneier covers a Wired story detailing Sprint’s alleged complicity in something that should make your skin crawl.  It’s nothing new; Luna was warning of this stuff since the first draft of How To Be Invisible and several times thereafter.  It may seem that I’m being a tad hypocritical when I say this is a bad thing, after all I find cell phone based snoopware not only cool, but very useful for many folks. Cell phone snoopware is extremely powerful, effective and easily available (and yes, in some cases, legally questionable) so to some extent, it’s silly getting all upset about stuff like this. On the other hand, I don’t have to worry about civilians abusing their power to try to settle a score with me or make my life miserable.  Without breaking the law, there’s nothing a civilian could do with this sort of stuff to really hurt me [and for the record, I'm using 'me' in the abstract sense here].  Depending on how you spend your free time, someone could ostensibly cause you some embarrassment, but there’s plenty of remedies for that sort of thing.

Employees of the various government agencies however, could cause all sorts of problems for people.  For me to effectively make use of snoopware, I’d need to access the phone in most cases and owners would be fully in their power to check for and remove any such snoopware added to their phones.  The same isn’t the case in situations such as the one alleged with Sprint.  If someone bugged my phone and I caught it, I’m entitled to pursue several different legal remedies depending on the circumstances.  If the Sprint story is accurate, the targets weren’t aware of being tracked, couldn’t do anything to detect it and couldn’t do anything to prevent or stop it.

The response from law enforcement types of course is that this is all paranoid nonsense.  If you don’t have anything to hide, you don’t have anything to worry about, they’ll typically argue.  And if they never abused their positions and were perfectly honest, that’d be a plausible defense.  Personally, I think most govt agents are decent enough folks and not prone to abusing their positions, but there’s no disputing there are bad apples.  And just one of those bad apples could cause you a bunch of problems.  Whatever you think of the guy otherwise, look at the example of Joe the Plumber. He got on the bad side of some people with access to his personal information and look what happened.  Had those same people been employees of a private corporation, he’d be sitting on quite a lucrative lawsuit. (And yes, I know Judicial Watch either offered to or actually filed a suit on his behalf – but had it been a private company, he wouldn’t need a high powered advocacy firm to help him out).

Quoting Chris Soghoian, I can’t imagine how this situation will get addressed without government action and, well, it’s probably wise to bet the under on that one:

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers. The evidence documenting this surveillance program comes in the form of an audio recording of Sprint’s Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies’ extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

One thing is for sure, if a private citizen was caught pulling this exact same thing on members of law enforcement or Congress, Congress’ attitude would be just a weee bit less apathetic about responding. 

The other argument I typically hear is a reference to Evan Ratliff.  If you’re unfamiliar with him, here’s the rest of the story in a nutshell. He’s a free-lance writer and blogger.  He took a gig for Wired magazine that entailed disappearing for a month.  He was to try to hide out and anyone that found him would simply need to say the magic word, and they’d be privy to a $5,000.00 prize. Ratliff gave it a great go, but before long he was caught.

Following the story, there’s little doubt that people used inside connections in an attempt to follow him.  The extent of that is hard to know for sure, but there’s little doubt that people used friends and contacts at various companies to locate him. Those friends almost certainly did things that, well, were out of the bounds of the companies’ rules.  Does anyone really think that you magically become some ethical angel just b/c you work for the government?  Private sector folks bend the rules so you can rest assured govt folks do it too.

Law Enforcement claims this sort of stuff is necessary.  Law and Order types will claim it’s necessary to fight terrorism and similar bad guys.  Seems to me then, that the solution would be kind of simple.  An evidence rule that gave people immunity from anything not specifically relevant to the prosecution of terrorism, in the form of throwing out the evidence, would go a long way to mitigate the damage that could be done by rule benders.  Providing EASY to retrieve records for anyone not currently the target of a terrorism investigation would be another.  Creating a ‘paper trail’ of anyone that looked at a person’s information is not hard. Granted that doing anything with govt software is infinitely more difficult than it needs to be, implementing such tracking wouldn’t be cheap.  But that line of argument is essentially advocating the rewarding of incompetence.  And even considering the additional expense, there’s certainly at least one or two unnecessary govt programs we could cut to pay for it. (Defunding NPR for instance would work for me.)

If this sort of stuff is really needed for a specific case to prevent some huge atrocity, fair enough. But some fed using this stuff to hassle some guy banging his ex-girlfriend should never be allowed to happen.  I don’t see how anyone can say such a scenario is unlikely.  So if it did happen, the victim should be able to know about it and sue the hell (and have the person fired, not put on some BS administrative leave) out of the person.  

Another possible remedy would be to allow cell phone providers to offer “opt out” service. (One might argue that this would be extortion, but I don’t see it any different than paying extra for an unlisted telephone #). I missed the official memo when all cell phones became tracking beacons, but it’s something that could be done without.  So say, for $10.00 extra a month, T-Mobile (the best cell phone company on Earth) could offer “Secure” service that meant you couldn’t be tracked.  I know all sorts of people, concerned for my safety should I ever find myself stranded in a ditch, would have a fit over such a service, but I’m an adult and I’m willing to live with that risk.  After all, I’ve yet to lose a family member or friend (or even know of someone who has) b/c they weren’t able to be tracked by their cell phone.  But I have come across people who’ve gotten on the bad side of a cop (for matters completely unrelated to the law) and been seriously harassed as a result of it.

We’re not able to stop technology from eroding our privacy and even if we were, we wouldn’t want to.  Moreover, this trend isn’t going anywhere but up.  So the solution seems to be minimizing the incentives for abuses.  To quote Mr. Luna – “Governments hide secrets from their citizens, why shouldn’t citizens be able to hide secrets from governments?”

[tags]Digital Privacy, Sprint, Invasion of Privacy, Snooping[/tags]

Categories: Bill Ryan, Complaining, Malware, Mobility, News, Privacy, Spyware, Technology
Posted By: Cuckoo
Last Edit: 03 Dec 2009 @ 03 28 PM

 21 Nov 2009 @ 4:58 AM 

I was writing my buddy Ken an email the other day, asking for his opinion and help on something.  I noticed this was included in the reply email.

From: Cuckoo1@EvilDevilCuckoo.com
To: kalidor727@aol.com
Sent: June 17, 2009
Subject: RE:RE:RE:Amy and Jill’s Camel Toe (or is it Toe(s) plural?)

FLAVOR00-NONE-0000-0000-000000000000 0.000000

Wuttup K?  So I was about to post our pics from the playoffs on my facebook page and I realized there was a problem.  Not sure what the deal was, but Camel toe was running wild. The pics of you and Amy look good, but Amy will kill me if I post something where she’s ‘sportin toe’.  See attached.  And look at Jill (greg’s date).  I couldn’t have photoshopped Toe that well.

So do me a favor – let Amy see them and tell her I can a- not post them, b- cut her out of them, c- snip the picture so it’s only above the waist.  Same for Jill – I don’t have her email so if you could just give hers to Greg and lemme know what they want to do. Not sure if you know – but Jill gets offended really easy and my gut tells me that if she finds out what CamelToe is and that she has it – she won’t let Greg hang out with us anymore. I’m on her good side for now b/c she’s a dog foster parent too – but let’s face it, a lot of women aren’t going to find CamelToe humor as funny as we do.

BTW, WTF is that FLAVOR00 code?  I thought you embedded a funny in there but if you did – I can’t find it. I know you aren’t whack enough to accuse me of lacking Flava so wtf is it?  It’s on your end.  Then again – I have to remember who I’m talking to – G*d only knows what kind of spyware and keylogging crap you’ve got on that machine of yours. Do you still have the biggest collection of Tranny Pr0n in the South ;-) [Amy, if you’re reading this – I’m not kidding. Ken is a huge aficionado of Tranny Pr0n and has every Buck Angel flick ever made – make sure to turn Safe Search off before clicking on that link – Just kidding Ame ;-) ]

I hope you feel better, and are back on your feet soon :) .  If you get bored at home, give me a call. I should be in the office for the most of tomorrow.  Have a great night and thank you for everything.


I know what it is, but for the life of me can’t figure out how it got there, or why.  I looked around Bing and that other company I’m not supposed to talk about and couldn’t find anything that really mentioned it.  I found a lot of markup references (you know, kinda like how <mailto:someaddress@whatever.com> isn’t an email address so stuff like this sitting in markup isn’t really an error) and a few people asking WTF it meant but I couldn’t find an answer.  I was thinking it might have something to do with the AOL.com account that was used (I know, I know, why do I remain friends with someone so lame they still use an aol.com address with a cheesy movie reference (kalidor727@aol.com)?  Well, b/c he’s a swell guy, a good friend and I’ve known him since way back in da 305. And like he told me, everyone can’t have a cool character like an Evil Devil Cuckoo or a ChupaCabron.

Come on Ken old buddy – it’s time to get rid of the training wheels and get yourself, you know, like a Gmail account or something.  If you want, I’ll even create one on one of my domains for you and you can check it on your Android or iPhone – oh yah, you’re still dorking out with the blackberry.  Well, if you or Greg ever want to get out of the 19th century, I can be bribed with lunch at Ruth’s.


Categories: Email, Humor, Malware, Spyware, Technology, Thug Life, Weird Stuff, William G Ryan, William Ryan
Posted By: Cuckoo
Last Edit: 21 Nov 2009 @ 04 58 AM


The rest is history.  Having seen it in action, I must say it’s impressive (although I think there’s probably more appropriate words that I could use b/c impressive doesn’t have a nefarious connotation to it).  The only tricky part is getting it on the computer in the first place. If you own the computer, that’s no problem.  You can just install it directly or if it’s networked, push it down via an install script.  If you don’t have access to the computer, then you’re going to need someone that does.  If they can legitimately get on the computer, they can install the stuff for you.

After that you just need to sit back and enjoy being an agent of chaos – b/c that’s pretty much what this stuff enables you to become.  Imagine someone who’s not exactly friendly to you being able to see everything you did on your computer?  Yah, it might not be legal in a court of law, but they’d learn so much about you they could really cause you some misery. They’d know where the bodies were buried so even though they couldn’t directly use the results as evidence, they’d know what to subpoena and exactly where to find it. That alone could save you a boatload of money.

So after seeing this in use as well as several other spyware programs, what would I recommend to protect yourself from this?  That largely depends on how much security you need.  I’ll outline what you can do, without crimping your style much, for really sensitive information you want to ensure is never seen by anyone you don’t approve of.  You could conceivably do all of your internet surfing and emailing using this approach without interfering with your life too much, but it’s overkill. Moreover, the goal is to not even let people know you’re doing any of it.  So if they get on your computer and search it, they’ll find nothing and go away. If they know you have all sorts of intense countermeasures, they’ll try a lot harder:

Virtual Machines and a USB drive are the key:

  •  Encrypt the usb drive, recycle it frequently and guard the hell out of it in the interim.
  •  Password protect it with a password that you don’t use anywhere else (or anything close to it), that’s totally random and that’s strong.  Take great care to never reuse the password, not even parts of it [For instance, think of a book or newspaper you like.  Spell it backwards and take the first and last letters off of it.  Take the last 2 digits of your birth year and add 10 to it, and then do the same subtracting 5.  Add the first number to the front of the reversed name you just created and the second number to the end.  This allows you to not have to remember the password, you just remember the algorithm used to generate it.  The more distant the words or numbers you use are from you, the better).  Add special characters to the beginning, middle or end regularly and each time you log in from a machine that you have concerns about.  Even if a keystroke logger got your password, if you change it regularly they'd have little time to act on it. And to act on it, they'd have to get your USB drive, nail the right image and successfully log onto it.  Unless you're running from the mob or the KGB - you'll be more than fine.
  • Don't log onto any untrusted networks with that image (you may want to keep a few images on that drive - one 'public' one so you can use free wifi and hop on unknown networks and one that's private which you use only on trusted networks.  Using this approach, just be damn sure that you keep anything that you don't want known out of the equation.  Drop your public one regularly and replace it with a copy. Copy/pasting is cheap and you can easily get a drive that'll hold a few images and still fit in your pocket).
  • Use a base image and make plenty of copies. 
  • Use Pocket Firefox and Tor (aka the Tor Bundle) - loaded on a USB drive or installed on the base image so that you can reuse them.
  • If you're using a public email service, enable SSL/Https.  Yes, this will slow things down ever so slightly but it's worth the minor hassle in most cases.
  • For really sensitive material - make sure you encrypt your files (PGP works great) and don't leave the plaintext originals anywhere.  If you really want to be cool you can use Steganography.
  • Wipe your internet files regularly.  Delete all the content that's collected.  This will be a slight inconvenience when you log into sites you go to a lot, but you'd be amazed at how much information can be gathered just by looking at someone's history and temp files (and this in particular is something I see done all the time.  I had a coworker who loved to go through fellow coworkers' temporary internet files if they ever left their notebooks unlocked.  He'd frequently come across Pr0n or similar stuff).
  • Consider a 3M Privacy Filter [I was astounded at how many people were annoyed by me using a Privacy Filter when I first got it.  I had a good friend/coworker who openly admitted that if your email was up on the screen, he was reading it.  He'd say "I'm a nosey bastard - I can't help it.  I don't mean any harm and I don't ever talk about what I see, but when I see email up, I'm reading it".  So I got one just to screw with him.  Shortly afterward I heard person after person say "I can't see anything on your screen."  Then I'd show them the filter and responses were either "Cool, where can I get one" or "WTF man, why would you put that on your machine."  Needless to say, they work splendidly and if you're subtle about it, most people won't even know what it is)
  • MOST IMPORTANTLY.  Don't talk about it. Don't tell people "I use Tor and Pocket Firefox".  Don't brag about how kick a55 your security procedures are.  Shut up about it totally and to the best of your ability, don't let anyone see what you're doing.  I mainly work out of a Virtual Machine shell anyway b/c of all the different configurations I need. If I didn't tell anyone, most people would have no idea I was using a VM just by walking by.
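The list above hinges on always cloning working images from a clean base and throwing the working copy away regularly. As an added example (not code from the post), the shell functions below record the base image's checksum, refuse to clone from a base that no longer matches it, and rotate a named working copy; the file names base.vhd and base.vhd.sha256 and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example: refresh working VM images from a checksummed base image.
# Layout assumed (not from the post): DIR/base.vhd is the read-only base,
# DIR/base.vhd.sha256 is its recorded hash, DIR/<name>.vhd are working copies.
# A base that has been altered behind your back (say, by spyware planted in
# it) would otherwise be copied into every "fresh" image you spin up.
set -eu

# record_base_hash DIR: store the base image's SHA-256 and make both files
# read-only so an accidental write to the base is at least noticed.
record_base_hash() {
    dir=$1
    sha256sum "$dir/base.vhd" | awk '{print $1}' > "$dir/base.vhd.sha256"
    chmod 0444 "$dir/base.vhd" "$dir/base.vhd.sha256"
}

# verify_base DIR: succeed only if the base image still matches its record.
verify_base() {
    dir=$1
    [ -f "$dir/base.vhd.sha256" ] || return 1
    recorded=$(cat "$dir/base.vhd.sha256")
    current=$(sha256sum "$dir/base.vhd" | awk '{print $1}')
    [ "$recorded" = "$current" ]
}

# fresh_copy DIR NAME: drop the old working image NAME and clone a new one
# from the base. If the base fails verification nothing is touched, so you
# keep the old copy (and a warning) instead of silently cloning a bad base.
fresh_copy() {
    dir=$1
    name=$2
    if ! verify_base "$dir"; then
        echo "base image does not match recorded hash; not cloning" >&2
        return 1
    fi
    rm -f "$dir/$name.vhd"
    cp "$dir/base.vhd" "$dir/$name.vhd"
    chmod 0600 "$dir/$name.vhd"   # working copy is private to you
    echo "$dir/$name.vhd"
}
```

Run `record_base_hash` once right after building the base, and `fresh_copy DIR public` whenever you want to drop the public image and start over.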

Run through those and mix and match until you strike a balance between your security comfort level and convenience threshold.  That'll protect you from pretty much any software based snooping other than a keystroke logger (although to be effective, the logger would have to be a darned good one and already be on the machine you're typing on) and it'll severely limit what they can collect on you if they did somehow get spyware or a logger on your imaged drives.

I live a very dull life and don't have much of interest on my machines.  I encrypt all my sensitive stuff just b/c it's a habit. Back in college I thought it was cool to PGP everything and I just kept the habit afterward.  The Virtual Machine approach has many benefits (only downside is needing a little extra disk space - which is cheap these days - and it eats RAM).  It keeps you isolated so that if you do get spyware or a virus on your machine, the attack vector is small.  If you install beta software, you can keep it from screwing up your machine.  You can also start off with a clean machine each time you want to try something new. This is very helpful for debugging.  You can have several different operating systems and service pack levels, so you can thoroughly test your software on each configuration a client might have.  There's a trillion other reasons too. I'm not trying to sell you on virtualization, just making the point that there's a lot of upside to using it.

I'm currently under contract to write a series of  articles on safe computing and online privacy.  In prepping for it, I've run through and done all of the things I mention above and they aren't hard to do.


[tags]Spyware, Malware, Encryption, PGP, Internet Security, eblaster.com, Secure Email, Pocket Firefox, Tor, Microsoft Virtual PC, Hyper V[/tags]

Categories: Identity, News, Snoopery, Spyware
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 12 31 AM
