April 2008 Archives

A while back, I wrote about the recent Dreamcast Phish and my declaration of love for the ill-fated console (which is currently undergoing something of a Renaissance with home brew kits, games and movie appearances) seemingly took a few of you by surprise, especially those that also had a thing for the SEGA console! I thought it might be fun to post up some pictures of my gaming collection - feel free to post up links to yours, because stuff like this is always interesting. Shall we start at the beginning? Oh, as this post is image intensive I'm sticking the main content after the jump so if you're not interested in looking at lots of pictures of plastic and cardboard, now is the time to turn back!

For those that are still with me.....

April 1st, 2008: Who Is Watching the Detectives?

We write about an interesting "system error" (as Myspace called it) that allowed people to track other Myspace users that were visiting their page, after having notified Myspace about this issue.

April 16th, 2008: Who Is Watching the Detectives Part 2

This still hasn't been fixed, and (worse still) it looks like this has been in circulation since at least October 2007. Hurry up, Myspace...

April 30th, 2008: It looks like this has finally been fixed, and it's no longer possible to auto subscribe visitors to your video subscription channel. Hooray! Score one for the good guys - that's one less tool hackers, Myspace Trolls and crapflooders can use to game the system.

One down, plenty to go....

Booze and Binders...

ac1.jpg

Remember, kids - don't mix alcohol and executables.

I swear these programs keep getting smaller. Weighing in at around 30 kb, this is one of the newer automated phish creation programs currently in circulation. Behold, a strange cube icon on your desktop:

pd1.gif

Run the program, and you end up with a devastatingly idiot proof phish creation tool. In a nutshell, you enter the URL of the site you want to target and also the place where your phish script is located. It sucks down the content of the target site and jumbles it up with your phish script - hey presto, one Phish page ready to roll.

Facebook...

http://blog.spywareguide.com/upload/2008/04/pd2-thumb.gif

Myspace...

http://blog.spywareguide.com/upload/2008/04/pd4-thumb.gif

And, just to show that it will suck down pretty much any site you enter, here's Google search engine...

http://blog.spywareguide.com/upload/2008/04/pd3-thumb.gif

On the bright side, this one doesn't come with spoken help files...

While I was attending RSA2008, I had the pleasure of talking to Lidija Davis of Tech Talk Radio.

You can download the Podcast here, where we talk about all sorts of wonderful Web 2.0 things....

I came across a number of websites hacked over the last few weeks using an SQL injection - the same exploit used by script-kiddie tearaway The Punisher. I quickly realised this person was hanging out on the same forums as our Punishing pal, and quickly traced him back to his main website. Well, it appeared his site had only just launched and did nothing else than serve as a placeholder for whatever material he'd be uploading in future. Note how he attempts to pass the site off as somehow belonging to Network Solutions so as not to attract attention:

http://blog.spywareguide.com/upload/2008/04/russ1-thumb.jpg

Well, a few weeks have passed and now, if you visit his site, you'll notice a very interesting difference:


http://blog.spywareguide.com/upload/2008/04/russ2-thumb.jpg


All of the text has suddenly been switched to Russian, presumably in the hope that casual snoopers will think "nothing to see here, move along". If you click the "leave page" hyperlink (after having refused to agree to their terms), it attempts to play a terrible MP3 - just to confuse the visitor further.

They've also pasted a seemingly endless stream of banner ads on the lower section of the page - casual visitors will think the site is nothing more than a Russian affiliate ring stuffed full of "win it now" iPod deals, commission links and affiliate schemes. Again, it's all lies - none of the banners are clickable, they've just been pasted in randomly onto the page.

russ3.jpg

Finally, click "I accept" and you're taken to a forum (that only appears to have been in existence for a very short time) with the following "go away now" message:

russ4.jpg

Pretty sophisticated for a garden variety script kiddie, especially given the extremely unimaginative website defacements he was previously rolling out. It also begs the question - why is he so cagey, and what is he trying to hide? More importantly, how did he come about the idea of pretending to be a Russian affiliate guy in the first place?

I could rehash a bunch of warnings to people selling items on eBay with regard to scams originating from Nigeria, but it's actually easier to just point you in this direction if you're at all concerned - eight solid pages of every kind of Nigerian eBay scam you could ever possibly imagine stretching back two years. From faked "payment received" emails to claims of "being out of the country, but the item is for my relative in Nigeria and we'll pay extra for shipping", it's all in there.

The current fees for sellers are bad enough without having to worry about this sort of thing too....

Observed being fired around via email, pasted to blogs and forums....pretty much everywhere you can imagine:

"If someone by the name of Mark Genesis Gallardo (rugbylegend) wants to add you to their list, don't accept it. It's a virus. Tell everyone on your list because if somebody on your list adds them you will get it too. It is a hard drive killer and a very horrible virus. Please pass this on to everyone on your list. We need to find out who is using this account. Sorry for the inconvenience. Right click on your group name of your buddy list and click Send Message to all. Copy and paste"

Smells like a typical "fake virus warning" to me. Everything from the "Don't think about it, just send this message" hysteria coupled with dubious technical information (you'll be "infected" simply by adding this individual to your contacts?) makes me think this is nothing more than a hoax.

Be careful out there, but don't panic needlessly!

A few weeks ago, I wrote about a technique that could be used to track the people hunting bad guys on Myspace. Well, I was curious how long this had been in circulation for. Thankfully, some of the people using this are pretty stupid so of course, wandering through their photo galleries proved particularly useful:

newcde1111.jpg

Check out the date - October 26th, 2007. So this has been in circulation since at least that date....oh dear. Note that this particular individual talks about using it in conjunction with IP trackers, too. I've been somewhat out of the loop on this one due to attending conferences, but I've just tried it out again and can confirm that it still works.

As we said in the original blog entry, if you don't want people to track you in this way (until Myspace actually fix this) then add the following to your HOSTS file:

127.0.0.1 vids.myspace.com

...and you should be fine.

Last week I spoke at RSA 2008 on the subject of "Echo Boom Hackers". Long story short, "Echo Boom" kids are supposed to be that generation which has never been without an online world to live and play in, and so their take on the nature of privacy, anonymity and that interface between your public and private worlds doesn't quite work in the same way as (say) mine does. Yes, I grew up without the Internet. Sue me already. We also talked about how researchers and law enforcement could use their different attitude to our advantage when attempting to shut them down.

In between emergency landings, awards ceremonies and book signings to attend I got the feeling this year's RSA wasn't quite as interesting as last year's event. The common complaints seemed to be "Too many sessions", "not enough interesting booths" and a general sense of "can't be bothered".



I agree. I don't recall anywhere near the same amount of talks going on last year, and the inevitable result is half empty rooms and speakers wondering where all the people went. I only go to these events to speak or listen to others, and the majority of the talks I went to all suffered from a distinct lack of attendance. I was lucky - speaking with Robert Vamosi of CNet, we were doing our presentation in the Keynote Room 103 (complete with its own videocameras and producer), and so even though we talked on the last day, we still pulled in a good hundred or so people which is pretty decent. I'd have liked more, but then I'm just greedy.



Anyway, if any organisers of RSA just happen to be passing by - because I'm sure they stop by here all the time - then please, REDUCE THE AMOUNT OF SESSIONS. I was informed while there that everyone would have access to the talks they missed, yet I've returned home to see that you now apparently have to have a full session pass to see the recorded highlights / listen to audio / whatever. This is a really bad idea, and simply makes a niche event even less accessible to those that can't attend (and don't want to pay the insane prices to do so).

Rant over.

Robert and I were in town to talk about a subject that probably doesn't get brought up much at RSA (in fact, it doesn't seem to pop up much anywhere) - the new breed of wannabe hackers, the lengths they go to with regards fitting in and the dangers and problems facing both their victims and themselves, and how those dangers can quickly (and irreversibly) bleed into the real world. That all sounds faintly scary, so here's Robert and I looking all smiley at the FaceTime booth.



Phew. Here's a couple of photographs from the talk itself:



The talk was divided into three main sections - a general overview of what I've seen out there over the last 12 months+, tips and tricks for catching hackers on social networking sites, Youtube and various other places using everything from Skype to advertising networks, and (finally) the dangers that these activities produce day in and day out. It was a tricky subject to approach - the idea was to ramp up the punch of the presentation towards the end, but too general an introduction might have resulted in people getting bored and walking out. There wasn't really any way round this, but thankfully people stuck around (I think one guy left halfway through, but that was because his phone was ringing so we'll let him off the hook).

Of course, there was also the added danger that people would be expecting a high level technical presentation - this is RSA, after all - and be baffled at the sight of 70 minutes of anecdotes.

Still, I love a challenge and the presentation seemed to go down really well with the audience. There's been a fair amount of coverage already (links at the end), and a number of people asked me to get involved with a few initiatives aimed at both keeping kids safe online and also trying to steer them away from hacking and cracking which was pretty interesting. I'm just glad people found us at all, because I'm sure we were originally scheduled for the "Hackers & Threats" Track but somehow ended up on the "Industry Experts" sessions. Not really helpful when you're running round half an hour before your presentation starts wondering why nobody knows where your room is!

Just like last year, you can click here and check out some 300+ pictures from my trip, starting with the emergency landing my plane made and finishing off with - er - more aeroplane woes. So many people had issues with aircraft at this conference, maybe that could be next year's theme.

As for additional reading, well, there's a fair amount of it and will probably give you a better overview of what went on than I ever could. Eventually RSA are supposedly going to stream the talk we gave in full, but that might take a week or two - as soon as it's online, I'll post a link to it.

Further Reading:

Robert Vamosi: Meet the Echo Boom Hackers
Robert Vamosi: Echo Boom Hackers - A Dangerous Game
Robert Vamosi: Echo Boom Hackers - Shame

Matt Hines: Taking Down Teen Hackers

Tech Talk Radio: RSA 2008. (The Podcast itself is floating round on the main site somewhere, but I couldn't actually find it. If anyone locates it, feel free to pass me the link!)

Consumer Reports: Kids Turned Cybercriminals

You might have noticed you haven't been able to leave any comments for a while. Apparently something went a bit screwy behind the scenes but everything appears to be fine now, so please feel free to offer up comments on new blog posts if so inclined. I'll even leave a test comment below as proof that everything is back to normal...

It's well known that law enforcement, security researchers and groups that track down / remove pedophiles, trolls and crapflooders from Myspace spend a lot of time networking, watching profiles, tracking dubious individuals through their postings, friends lists and other things too numerous to mention.

It's a tricky business, and can potentially place people like myself at great risk of being found out, exposed or run over the coals if one of these bad guys works out you've been trailing them for the past three months.

What happens, though, when the bad guys have a method to know exactly who is watching them? And what are the consequences?

Well, ponder no more because they're already doing it. Someone, somewhere has come up with a method to track people using Myspace itself - if you visit that person's profile, they will know who you are and be able to take (in)appropriate action. This method is already in use amongst Myspace trolls, and has been seen pasted to at least one hacking forum. You can bet this is doing the rounds on the underground circuit.

How do they do this?

By taking a few lines of code and placing it onto their profile (note that we're not disclosing any information about the code yet, as Myspace are still fixing this and we don't want to help more people to use this than are already doing so). When you visit that profile, you are automatically subscribed to that person's video channel.

Simple, sneaky, effective. To the regular user, this isn't too much of an issue - people can paste in coded "trackers" onto Myspace pages that attempt to log IP Addresses, browser type, country etc. "All" this does is tell the bad guy which Myspace users have visited their page.

However, this isn't so good for anyone hunting down hackers, pedophiles and other dubious characters because

a) they will know if, say, Paperghost has suddenly started poking around their profile and
b) pedophiles and other predators will spot "Officer Jackson" popping up on their subscriber list and likely go underground or vanish altogether.

Worse, the code can be pasted anywhere - a hacker could place it on their blogspot blog, or a forum, or anywhere else for that matter - if someone visits that page while logged into their Myspace account, they will still potentially end up on the hacker's subscriber list.

How does it work?

Well, here is a shot of my friend looking for me on Myspace:

msvids1.gif

Naturally enough, they find me:

http://blog.spywareguide.com/upload/2008/04/msvids2-thumb.gif

They click on the top link, and visit my page.

http://blog.spywareguide.com/upload/2008/04/msvids3-thumb.gif

However, if they now go and check their video channel subscriptions, they'll find they've automatically been subscribed to my video channel.

http://blog.spywareguide.com/upload/2008/04/msvids4-thumb.gif

At this point, it's time to let my friend logout and log back in as myself. If we now look at a screenshot (which I took myself while logged in), you can see I have a new subscriber - the person that just visited my profile (bottom left):

http://blog.spywareguide.com/upload/2008/04/msvids5-thumb.gif

As time goes by and more people visit my profile, they'll all find themselves automatically added to my subscriber list:

http://blog.spywareguide.com/upload/2008/04/msvids6-thumb.gif

In this way, you will have a record of every single Myspace user that has visited your profile page.

How can you combat this?

Well, it's surprisingly easy to get around this scam (which Myspace are working to fix, by the way - we notified them of this on Sunday, and I know at least one other individual has apparently reported this too). If you're a regular Myspace user, you may not be too bothered by being subscribed to some random person's video channel. If it bugs you, simply go to

http://vids.myspace.com/index.cfm?fuseaction=vids.myvideos

Then click "My Subscriptions", and under the "Subscriptions by User" category it'll show a list of every person who you are currently subscribed to. Click their Username, then hit "Unsubscribe".

Job done.

If you happen to be in Law Enforcement, Security Research (or happen to be anyone that doesn't particularly want to be tracked in this way, for that matter) simply add the below to your HOSTS file:

127.0.0.1 vids.myspace.com

And all subscription attempts should fail miserably.
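
To confirm the HOSTS entry recommended in both Myspace posts on this page is actually in effect, here is an added example (not part of the original post) that parses HOSTS-file text and reports whether vids.myspace.com points at a loopback or null address. The sample file contents, the function names and the first-matching-line behaviour are assumptions of this example.

```python
import ipaddress
import os
import sys

# Constructed sample HOSTS content for the demo (not from a real machine).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1    localhost
::1          localhost
127.0.0.1    VIDS.MySpace.com    # stop auto-subscribe requests
10.0.0.5     intranet.example vids.myspace.com.example
#127.0.0.1   commented.example
"""

def hosts_path():
    """Standard HOSTS location on Windows and on Unix-like systems."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def parse_hosts(text):
    """Yield (address, [hostnames]) for each usable entry in HOSTS text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue  # blank line, or a lone field with no address/name pair
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, so the line does nothing
        yield addr, [name.lower().rstrip(".") for name in fields[1:]]

def is_sinkholed(text, hostname):
    """True if the first entry naming hostname points at loopback or 0.0.0.0/::.

    Assumption: the resolver uses the first matching line.
    """
    wanted = hostname.lower().rstrip(".")
    for addr, names in parse_hosts(text):
        if wanted in names:
            return addr.is_loopback or addr.is_unspecified
    return False

if __name__ == "__main__":
    print("sample file:", is_sinkholed(SAMPLE_HOSTS, "vids.myspace.com"))
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            print("this machine:", is_sinkholed(fh.read(), "vids.myspace.com"))
    except OSError as exc:
        print("could not read HOSTS file:", exc)
```
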

The last contact I had with Myspace was last night, and they said

"Hello,
We are working to fix this error. We do not have a reliable estimate at this time.

Thank you,
MySpace.com"

Hopefully, they will fix this quickly. The damage is already done, and bad people are using this to full effect. The issue here is that the only people who seemingly didn't know about it were the good guys - the ones most at risk from this code. The only way to mitigate this risk to people hunting the bad guys is to provide a simple (yet entirely effective) antidote to this latest wave of dubious behaviour, which we've provided for you above.

Take my advice and use it until Myspace can confirm this is entirely locked down.

About this Archive

This page is an archive of entries from April 2008 listed from newest to oldest.
