This post and all others on this site are subject to the current Copyright as well as the Sites Terms of Use. Any reproduction, duplication or publication without express written permission from the author is strictly prohibited.

Yesterday, I wrote a post describing a hypothetical situation where two adversaries were trying to gain intelligence on each other (Need someone’s email or access to their computer?). I would have written this follow up last night, but Sarah and I went to dinner a little late and by the time we got home, I was too tired to write. And when we arrived, there was a whole lotta Proliferating going on in our living room. So I spent the last 20 minutes of the evening engaging in some hard core counter proliferation of Poopy Nice Nice (I didn’t have time to conduct full Counter Proliferation, i.e. Bungholian Analysis, so I have yet to identify the culprit, but rest assured, it’s going down tonight). The Sausage Dog of Doom is a very evil Creature, but I digress.

In that post, I described a few different attack vectors and the +/- of each approach.  And I showed what one could accomplish if they loaded the right software on an adversary’s machine.  I did this without giving too many specifics to show people how easy this is to do. And I asked repeatedly, if you were the target, would this attack work on you?  I think in many cases it would.

Now, one of the key pieces isn’t technological, it’s Social Engineering. (Remember that humans are almost always the vulnerability that attackers take advantage of in successful exploits. Almost all of Kevin Mitnick’s attacks were based on successful Social Engineering. In The Art of Intrusion, he goes through a time when he actually used it to show some big shots at the Pentagon how vulnerable they were.) A target might be reluctant to open any attachments that came from you. In this case, the ‘evil step mother’ didn’t respect the children’s privacy and would read through the kids’ email looking for information about the other parents or negative stuff the kids were saying about her. So I showed how you might get someone like that to bite. You put something intriguing-sounding in the Subject line – something you know would get the person’s attention. It should be enough to make sure they want to read more, but not bad enough that it could be used against you. Then, in the body of the message, reference some instructions in the attachment and make the contents sound like a smoking gun of sorts. Now, instead of trying to convince Maria to open the attachment, Maria will WILLINGLY and AMBITIOUSLY take it upon herself to open it, which is how you could install the Keystroke Logger. B/c she has her eye on scandal stuff in the kids’ email, she isn’t thinking about possible infections. In fact, she’ll likely bypass/ignore any warning the system puts up (assuming any were) b/c she really wants to see what’s in the document. And b/c she took it upon herself to do this, and b/c it’s the kids’ account she was looking through – she’ll be convinced it’s legitimate contraband and will doubtfully ever look back. At this point, if you don’t put anything juicy in there, she’ll be mad and might smell a rat. On the other hand, if you give her too much red meat, she could use it against you. So meet in the middle.
Come up with something that’s mildly offensive. Something that you know will anger them (just b/c they get angry easily) but that a reasonable person would say, “Oh, come on, that’s really nothing.” This gives them their pound of flesh, and in this case Maria would be dying to get ANYTHING on Sallie, so she’d be satisfied with anything where Sallie said something negative about Maria. Of course, you could just go nuclear, but remember that has the potential to be used against you. If you don’t put anything in there, the target will wonder what’s going on and will be much more likely to think long and hard about the attachment. If you get them to do it themselves, and it conforms to their suspicions, they’ll never think twice about it. Remember, once you had the keystroke logger on their machine (rather, I want you to think about what would happen if they got the keystroke logger on YOUR machine), all of your passwords are probably theirs too. Any email or chat account is theirs. And God knows what can be mined from Email and Chat accounts. Any browsing. Any site passwords. Any banking passwords (heck, they’d even be able to see your challenge responses). This is about as bad as it could get for most people.

While this is a hypothetical, you can see where stuff like this would really apply. What I was trying to show is the thinking you must engage in to get the other person to drop their guard. After all, once you got the keystroke logger on, you’d be able to access their personal emails on external accounts like Yahoo, AOL, Hotmail or Gmail. You’d be able to see what sites they visited. You’d be able to see the contents of Chats they engaged in. You’d be able to see documents they were typing. In short, you would have a gold mine of information. And if the target was indeed doing something underhanded, dishonest or immoral – you’d have all the details you’d need to crush them. Even if it wasn’t admissible in court, you’d know enough to help you ‘coincidentally’ send the right subpoenas or find the dead bodies and smoking guns.

Let’s say you had the same case, but the adversary respected the children’s privacy. Or, let’s say there weren’t any children.  What would you do then?  One thing you could do is send a copy of a legitimate legal document to them (you could take a legit court document, insert the malware in there and be done with it. They’d be much more likely to ignore any warnings they got b/c it’s something they expect, from a source they ostensibly trust. And if it was discovered, the assumption would be that it started at the source, not with you). 

You could similarly send an ‘official letter’ to them with a title and subject that would make them really want to open it. Or, you could spoof an email address pretending to be someone they knew (like a supervisor) and attach documents that look like something that might normally be sent. Call their office and find out who is in charge of Payroll. Look on the Contact Me form of their company to see the Email Address format that’s used (like FirstName.LastName@companyname.com). Spoof that email and send a PDF titled ‘Payroll Receipt for period ending XX.XX.XXXX’, and just put nothing in it.

If you used an exploit like this one found in Adobe PDF, the possibilities of what you could do are endless. Maybe instead of the boss, you could pretend to be their parents, and send the document with a title that is something they might expect to get. They open the document, it’s empty so they won’t think much of it, but they’re now infected and you’re able to log into their email accounts and read through everything. You could get extra clever and pretend to be a close friend or relative. Let’s say Maria had a brother named Bill – certainly her ex-husband would know this. Let’s say Bill normally used Bill.MariasBrother@hotmail.com – Sallie could create an account that’s Bill.MariasBrother@yahoo.com. She could spoof the From: part of the email so it comes from Hotmail.com, but use the Yahoo account for the Reply-To. Unless Maria is really savvy and pays close attention to this stuff, it’s doubtful she’d ever catch it (in fact, unless she hit Reply, she wouldn’t ever even see the Reply-To).

Maria:

Hey, it’s me, Bill. I need a favor, Here’s a copy of something I wanted to get mom for her birthday.  (Common Friend) had some trouble opening it so if you open it up and it’s blank, try downloading the new Acrobat reader. If it still doesn’t open, I can resend it to you as an image format.  Let me know what you think. If you like it, I’ll go ahead and order it and sign all of our names.

Maria opens it and there’s nothing there. (Her machine is now infected and her worst enemy now owns her computer.) Because “Bill” already mentioned it as a possibility, Maria isn’t surprised by the blank PDF document. So she follows the instructions, downloads the latest Adobe Reader and gives it one more try. Again, nothing. So she hits Reply on the email and says:

Bill, I tried opening the document, but couldn’t. I even got the new Acrobat but it still didn’t show up. Can you send me the picture instead?

This time though, it goes to the Yahoo account, so the real “Bill” would never know what happened. Maria already saw the email came from “Bill” originally, so it’s doubtful she’d pay attention to the Reply-To address, especially when it’s so similar anyway. Even if she noticed it, she very likely would just ignore it. (I use a different Reply-To address most of the time and have only had a handful of people ever mention it to me or ask about it.) A few days later when they spoke, Maria would mention it to Bill. Bill would have no idea, or think Maria’s talking about something else, or that it got eaten in the spam filter. When they synced up, chances are they’d just assume it was spam when they couldn’t figure it out.
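The From/Reply-To mismatch is exactly the kind of thing a mail filter or a careful recipient can check mechanically. Here is an added example (not code from the original post) that parses a raw message, compares the two domains and notes any PDF attachment; the addresses are the post's own fictional ones and the message itself is constructed, with a harmless placeholder in place of the attachment.

```python
"""Flag the From/Reply-To trick and the bare-PDF lure described above."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, modelled on the hypothetical in the post: From: claims
# Hotmail, Reply-To: is the look-alike Yahoo account, and the only real
# content is a PDF attachment (the base64 body is just the bytes "%PDF-1.4").
SAMPLE_MESSAGE = """\
From: Bill <Bill.MariasBrother@hotmail.com>
Reply-To: Bill <Bill.MariasBrother@yahoo.com>
To: maria@example.com
Subject: Mom's birthday present
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hey, it's me, Bill. Take a look at the attachment.
--b1
Content-Type: application/pdf; name="present.pdf"
Content-Disposition: attachment; filename="present.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQ=
--b1--
"""


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_message(raw):
    """Return human-readable findings for one raw RFC 822 message.

    Two findings matter for the scenario in the post: replies routed to a
    different domain than the visible sender, and a document attachment.
    """
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"reply-to mismatch: From is @{from_dom}, replies go to @{reply_dom}"
        )

    # iter_attachments() yields the non-body MIME parts of a multipart message
    # and nothing at all for a plain single-part message.
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            findings.append(f"pdf attachment: {name}")

    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print(finding)
```

On the sample this reports both the Hotmail/Yahoo mismatch and the PDF; a message with no Reply-To header, or one matching the From domain, produces no mismatch finding.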

And even if they do, at this point it’s too late. All the counter proliferation measures in the world won’t save them now. Even if they suspected something bad, it’d likely be at least a few hours later, and she’d almost certainly have checked her email by then. She almost certainly will have typed a password into the machine by then. So even if they suspected something – there’d be nothing apparent on the machine. By this time, the logger should be deactivated so it’d be really hard to detect (especially if they wrote it themselves, b/c it wouldn’t match any known definitions, and even well known ones are good at hiding themselves). Even if Maria and Joe found it, they’d have no idea what it was or what it did, and if it was homemade, they’d have to decompile it and have a savvy coder figure out what it did. Doubtful. But this would almost never happen. Most people just delete spyware if they can find it. How many people do you know that have spyware infections decompiled and looked through? I’m a software developer and I wouldn’t even go through that hassle. In fact, I can’t imagine ever wasting that much time or energy on it.

Even if they did all of this, it would take forever. By then, the attacker would own their email accounts, chats and most other things.  Here’s the beautiful part.  Since the Logger is deactivated, there’s no indication it’s running (or very little indication).  Let’s say Maria decided to change her password (or just did it as a routine course of action).  Sallie tries to get in and it doesn’t work this time.  No problem.

Sallie just goes to the configuration, tells the Logger to activate itself and, depending on the product, turn itself off once the file gets to X kb or shortly after the words http://www.aol.com or http://www.yahoo.com are typed. While not 100% foolproof, this would be 99% foolproof, and if somehow it turned off prematurely, Sallie could just try again. If Joe and Maria cleaned the stuff off of there then it’d be game over temporarily, but it’s doubtful. And once Sallie has the password, she can get into the email and do all sorts of things to help ensure Maria’s computer gets reinfected.

Again, I ask you, if you were the target, how would you fare? If someone had a keystroke logger on your machine, what would they be able to discern? If they had all your email passwords, what would they be able to find? If they saw your new passwords after you changed them, are you still hyper vigilant about checking the IP Addresses that access your accounts? What about the PDF exploit? Would you think much about it if you got a blank PDF? What if you aren’t in a court case or criminal case... well, do you think there aren’t criminals out there who’d love to clean out your bank accounts? If they had all your challenge question responses and passwords, what could they do? Ask some of the victims of DB.Singles.Org who had their Paypal accounts drained (all b/c they reused passwords and ONE SITE THEY USED had weak security measures. Wanna bet at least one site you use has equally lame security?)

Take this stuff seriously and guard yourself against it. Whether it’s a court case or your banking information, you don’t want to ever let yourself fall victim to this, especially when it’s so easy and essentially free to protect against. Spyware and malware are rampant, and if you don’t take responsibility for counter proliferation of spyware and malware on your machines, don’t expect anyone else to either. I know I make a lot of counter proliferation jokes, but when it comes to proliferation of spyware, it’s no joking matter. Counter Proliferation of Dog Poop, on the other hand, is definitely a joking matter – in fact, while Sarah and I were out at Dinner last night, we had a ton of proliferation going on.

I have had a few people ask about consulting for them. I’m pretty busy but do have some availability to do assessment, audits and create a strategy to protect yourself with.  Contact me at blogcommenter@williamgryan.com to discuss this further. I’d be glad to help out with basic stuff for free, so feel free to post comments and I’ll do my best to answer them. If it’s more involved and will take some time, then just email me at the address above.

LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE. ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL, SO ANY SIMILARITIES ARE PURELY COINCIDENTAL.

 


[tags]Email Security, Keystroke Logger, Internet Privacy, Internet Security, db.singles.org, Kevin Mitnick, The Art of Deception[/tags]

Categories: Counter Proliferation, Identity, Malware, Privacy, Security, Snoopery, Spyware, Technology
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 12 27 PM

 07 Feb 2010 @ 5:45 PM 

This post should not be taken seriously. If you do, please get some professional help as soon as possible.

Kim and I made a quick trip to the Greer WalMart yesterday. It’s not WalMart per se but the people that frequent it. Case in point – we pull up and it was fairly busy. There were at least 20 loose shopping carts in our parking aisle alone. (And it’s not b/c the WalMart employees don’t try to collect the carts.) There’s just a lot of low class people who are too self-important to return carts. I wouldn’t be surprised to see such low class people there that they would make fun of people that returned their carts. I’m sure a kid returning their carts might even get called “Cart Girl” by some of the trashier folks.

Upon entering, I had a serious case of Deja Vu. I was back in undergrad sitting in Advanced Phenomenology studying Sartre.  No Exit was one of his more popular books and was pretty much required reading for Philosophy majors back in my day.  As we walked in, every single motorized scooter was in use and we saw some perfectly healthy woman let her child get on the thing and drive off with it.  The reason I thought of No Exit though was simple.  At the risk of oversimplification, No Exit is about Existential Hell. That’s what, I realized, the case is for the seats of those motorized scooters.  Imagine what being one of those seats is like.  Imagine the view.  Imagine the smell.  It’s hard to imagine anything being worse than being one of those seats.

WalMart has recently rearranged things.  We know that WalMart is a well known hangout for Gangs, including but not limited to Transnational gangs, directly or indirectly, by you.  Well, those days are long gone.  Now, WalMart hosts all sorts of other gangs, including but not limited to Multi-National Gangs, nationalist gangs, block gangs, teen gangs, and directly and indirectly, prison gangs.  So I pay close attention to their Proliferation, being one of the Nation’s Foremost experts on Counter Proliferation.

Here’s the breakdown:

Aisle #   Gang Name
1-4       MS 13 (Mara Salvatrucha)
5-6       Los Zetas
7-10      La Familia
8-9       East Coast Souljahs
10-11     Bloods
12-13     Crips
14-16     Boy Scouts of America
   

 

Being one of the world’s foremost experts on Counter Proliferation, my name and face are known by all major gang members. Upon entering WalMart, visualizing what it must be like being a scooter seat and walking to aisle 1, I was immediately recognized by a major crime boss. As Kim and I walked around, we could see him following us. We used a quick evasive technique to get over to aisle 5. Los Zetas are a lot of things, but they at least respect Counter Proliferation professionals such as myself. Papa was still watching us, but now we were in Los Zetas territory and any move by an MS 13 member based in Baby Diapers and Dog Treats would result in serious retaliation by Los Zetas. I had a really bad case of Jock Itch and needed the soothing relief of Hydrocortisone, but that presented a problem. The Hydrocortisone is located in an unincorporated area – they aren’t aisles, so no gang has them claimed. On the other hand, b/c no one claims them, any gang can make a move on you there without fear of stepping on anyone else’s toes. Using my advanced Counter Proliferation knowledge, I decided to make a move. I called my boss Greg and told him to meet me over by the Tampons. As soon as Greg showed up, I filed an official complaint with him about how terribly I was being treated by the gang members. But that was a ruse. I immediately snuck around the corner, grabbed a box of Maxi-Thins for Kim and we made a run for it. We texted Greg and told him to hold down the theater of operations until we could get clear. Between our current position and the self-service cash registers, we had to cross La Familia’s turf, as well as the East Coast Souljahs’ and the Boy Scouts of America’s. You never know when a scout master might try to take your a33, so I was on pins and needles. Anyway, we made a run for it, paid for our stuff and ran out to the car. We called Greg and told him we thought we had a tail.
He confirmed our op-sec had been blown, but since we both share a common pain in the a55, he’s always willing to help. Quickly, we dumped our shopping cart behind someone else’s car. Yah, it’s rude. Yah, it shows you have no class. But hey, Counter Proliferation is no joke and we had business to do. We did three loops around the parking lot confirming our tail. Greg called back and said he was calling in reinforcements. I got to the straightaway and punched it. We hurried up home and by the time we got there, Greg confirmed a major crime boss was off the streets. We thought “Oh boy, we can brag to every kid we know about this and sound really cool.” I said to Kim, “Remember how we used to whip out our guns and slink around the house every time the wind blew, all so we could look like we take security seriously? Well, we look even cooler than that now.” I said, “You know, honey, even Greg knows our OpSec is blown, b/c people or persons have turned on us and are finking us out. If anyone brings it up, we’ll just lie and claim the traitors are actually double agents working for us.”

For some reason, my blood sugar was really low and I was ravenously hungry. The Sausage Dog of Doom knocked over the bong, so our fun was over. As it wore off, I had to realize it was all a lie. There weren’t any gangs staking me out at WalMart, transnational or otherwise. MS 13 doesn’t really run aisles 1-4 at Greer Walmart. The people ratting us out really aren’t double agents. When we whip our guns out and slink around the house, we look every bit as stupid and cheesy as one would expect. And yes, when we leave our shopping carts around without taking them back, it’s b/c we’re a55holes and this is just one more example of it.

Counter Proliferation is serious business folks.  It’s no joking matter and should never be laughed at, by you.  The mere notion of laughing about it, directly or indirectly including but not limited to cracking up, or spitting diet coke all over the screen, is a crime against humanity and well, don’t let me catch you doing so.  It’s well known in Counter Proliferation circles that laughing about Counter Proliferation puts the Counter Proliferation Trained personnel and their families lives at risk.  What “At Risk” means exactly is anyone’s guess, but trust me, it puts lives at risk.  Furthermore, joking about it can easily cause people indirectly related to me to be unable to find  meaningful employment.  Don’t laugh, it’s no joking matter!

In my next piece, I’m going to show video footage of Counter Proliferation in action. By simply examining someone’s fecal matter (aka Turds) you can use Counter Proliferation techniques to determine whether or not they are a gang member. This area of Study is known as “Cornholian Anal-ysis” and “Bungholian Anal-ysis” (Anal-ysis – get it?). Remember folks, this isn’t a joke. Just b/c I make bong references and talk about Cornholian Analysis, that doesn’t mean I don’t take my Counter Proliferation seriously. I do. I’ll remind everyone that I am one of the world’s foremost experts in Counter Proliferation. I’ve been Counter Proliferation trained and Certified Undercover for almost 40 years now, more experience than any other so-called expert you’ll come across. So feel free to let me know any questions you may have, and if you too would like to learn Advanced Counter Proliferation techniques, I’m available for consulting.

[tags]Counter Proliferation, Certified Undercover, Wal Mart, Transnational Gangs, MS 13, La Familia, Los Zetas, Crips, Bloods, Boy Scouts of America, William Ryan, W.G. Ryan, Bill Ryan, Kimberly Ryan[/tags]

Categories: Counter Proliferation, Humor, Nonsense
Posted By: Cuckoo
Last Edit: 15 Feb 2010 @ 06 17 AM

 14 Aug 2009 @ 4:02 PM 

I just got back from Wal-Mart, forgetting that today was Latin American Street Gang Appreciation Day there, and sure as heck, I not only saw several MS 13 souljas staking out the joint, but I saw Senor Chingo Bling himself. La Familia was there, so were Los Zetas. They’ve each got a separate part of Walmart under their turf (can you believe Los Zetas got stuck with the Toddlers Clothing section? I would think that would be run by La Familia. WTF). Greer just isn’t what it used to be. When they noticed the Supreme All Knowing Counter Proliferation Mullah, they panicked and spread out like rats. Nothing makes people tremble in their shoes more than seeing a Counter Proliferation Expert show up.

As I walked in, one of the MS 13 members said “Hey cuzz, ain’t you the one related to that Cop that got us arrested for following her around the parking lot last time? You know cuz, Dude looks like a lady, or lady lookin like a dude, ya dig?” I simply replied, “You think I’m related to that Puta de mierda? Are you f***** kidding me? No cuzzz, I ain’t related to no one like that. So anyway, is Chingo here? I wanted to see if I could get a copy of They Can’t Deport Us All.” He replied “You ain’t got me convinced, if you wuz real, you’d have said ‘You think I’m related to that Fea Puta de mierda’.” All I could say was “My bad – you got me there homie.” It’s hell only knowing Cuban Spanish – outside of Miami it does me little good. Oh well, at least MS 13 didn’t have me whacked. Guess I’ll be shopping at Target from now on.
[tags]Transnational Gangs, Latin American street gangs, Drug Gangs, MS-13, La Familia, Los Zetas,  Counter Proliferation[/tags]

Categories: Counter Proliferation, Gangs, Humor, Immigration Reform, Keepin it Real, Law/Legal, Nonsense, Snark, Thug Life
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 12 06 AM
