Recently in Privacy Issues Category

It's been an interesting day or so where leaked pictures on the web is concerned - stories abound regarding the leak of what are allegedly naked Rihanna shots (link is safe for work, obviously). Indeed, leaks of naked people plastered all over the web are becoming more and more common.

With that in mind, I thought we'd take a look at something I found at the weekend - a malicious program specifically designed to get onto your PC, scour the hard drive and send all the pictures it finds back to the hacker.

In time honoured tradition, here are the files as they appear on the desktop:

phuntr1.png

Aw look at the little hand, waving at you. Or, to be more accurate, look at the creepy set of fingers about to go pawing through your pictures.

As soon as you fire up Picture Hunter, you know the creator is fully aware of his rather ill-advised shenanigans:

phuntr2.png

It never fails to amaze me how many people create programs like this yet are never responsible for anything, ever. Oh well. The program springs into life with a number of basic options for our wannabe image pilferer:

phuntr3.png

As you can see, you enter your FTP account login details and FTP address into the required fields, then hit "Build". What you end up with is a customised version of the "Stub" file that contains your FTP data. Check out the file size, it's tiny:

phuntr4.png

Approximately 24.5kb of file rummaging activity is on the way - amazing to think how much damage such a small file could cause, as we'll see. It's worth noting that there are multiple versions of this in the wild - although some don't grab JPEG files, others not only grab JPEGs but also Zips, Docs and PDFs as an added bonus.

On my testbox, I've placed a number of images - each one a different type of file.

phuntr5.jpg
If I was tricked via Social Engineering into running the Server file (and of course, the attacker will likely rename it and probably give it a pretty icon to make it more appealing to the target) then the file will immediately start digging through the PC, digging out image files and then sending them to the attackers FTP account where he can browse the pictures at leisure.

Here's my FTP account a few minutes after the infection file has been executed on the target PC:

phuntr6.png

A .bmp, a .GIF and a .PNG have already appeared in the FTP directory. Shall we take a closer look at one of the files?

phuntr7.jpg

Whoops.

These are harmless images, but the potential for damage to a reputation (or just general embarassment) is huge - how many people store monster nudie pictures of themselves on their home computer, for example? The program attempts to minimise the amount of non essential images collected by filtering out certain areas of the PC - so temporary internet files, program files and images under 1kb in size are ignored.

Interestingly, the attacker could put themselves at risk due to the program simply scooping up whatever it finds - what if the infected PC has illegal pornography on it? All of a sudden, they've just uploaded a bunch of child pornography pictures to a third party FTP service - who probably aren't going to be very pleased, to put it mildly.

Of course, if the attacker is greedy enough to create a file like this in the first place, that's a risk they'll just have to take. For the rest of us, let this be a timely warning - the best place to store your image files (especially ones that involve you running around with a whip and a gimpsuit) is on an external hard drive that you can hide under the bed, in a locked case, surrounded by high explosives and tripwires.

Don't say we didn't warn you :)


At InfoSec Europe 2009, I gave a talk about the problems companies will face as they move to services of a 2.0 nature. What follows are my Top Five Tips for tackling some of these issues - they seemed to go down quite well, so hopefully there's something in there you can make use of too.

TOP TIP ONE: Put someone in charge of Social Networking in the workplace.

I noticed as I was talking about sites such as Twitter, Yammer, Present.ly etc that nobody in the room of about 130 people had used (or in most cases even heard of) any of these websites.

My concern with this is that I can guarantee there's some degree of what I like to call Intellectual Property Spillage going on. In other words, random employees and marketing bods see these new sites, think it's a good idea to be on them and then before you know it, there are unofficial presences all over the place and it becomes difficult to control exactly what's going on.

When I spoke about this issue recently, a chap in the talk went off and came back to me half an hour later. He told me he was amazed to find something like five groups set up by staff on Facebook, a Youtube page and a Yammer account - all out there online, doing their own things.

I was pleased to see a rep from a major music company approached me after the InfoSec talk and told me his company specifically employs someone to go around all the 2.0 sites registering "official" presences on these sites and keeping an eye on the oddball accounts.

Works for them...

TOP TIP TWO: Enforce a set of rules with regards what NOT to put on sites like Yammer

Yammer is basically Twitter for business users. Anyone from a company can set up a "private" Yammer account for the group, and then invite other employees to start posting about what they're working on.

The problem here is that many companies rush to join services like Yammer, post up a whole bunch of information that could be somewhat sensitive and then abandon the account. The following screenshot says it all:

yamm1.jpg
Click to Enlarge

As you can see, the last post was four months ago, with all that company specific information just sitting around, doing nothing. In addition, Yammer profiles want users to fill in a ludicrous amount of personal information. Full name, title, start date, significant other, kids names, birthday, interests, work / mobile phone, previous employers & start dates...and that's only a portion of the data requested. It's a social engineers dream, assuming they can trick a Yammer user to hand over their login OR pull off a successful phish attack.

Even better, you can view the company user list and see who has the most followers - assuming the most followed people are likely to be the most relevant / important people there, you're painting a huge bullseye on the "Staff who most need to be stalked".

My advice? If you have someone keeping an eye out for 2.0 sites / groups related to your company, ensure services such as Yammer are top of the list...and think carefully about posting sensitive company information. It'll only take one solitary phish to cause a lot of problems.

TOP TIP THREE: Keep real world friends & work associates OUT of your top 10 friends on Myspace

Yeah, Myspace is somewhat looked down upon by all the cool kids but whatever. There's still a lot of early adopters out there who use it successfully for networking, and it's still a powerful marketing tool for certain types of product / company / dreadful Emo bands.

Myspace is also notorious for troll groups and general idiocy. A typical past-time for trolls is to find out personal information, then cause trouble in the real world. Hassling people at their place of work is always great fun for them, or if that should fail, causing trouble for friends / work colleagues.

They do this by seeing who sits in your "Top five / ten / whatever" list of friends, on the basis that most people will (naturally enough) place their real world friends / workmates in that top position.

You know what I'm going to suggest, don't you? Take all your real world contacts and place them OUTSIDE the Top Ten Friends list. Put all those random people you accumulate - the bands, random additions, people you talk to on a forum once every blue moon - in the top spot. When the bad guys go trawling for information they can use against you, they're not going to get very far when they're wasting all their time conversing with German rock guitarists and spambots.

TOP TIP FOUR: Avoid the "Life story on Linkedin" approach

Yes, Linkedin is a useful way to make business contacts, see who is going to relevant events and so on. However - when I was at InfoSec, I was taken by how many people basically treat it as a posh version of Facebook and competing with people they know to see who can get the most "friends".

This is a TERRIBLE idea. Consider this - Linkedin works by constantly, endlessly nagging you to fill things in, complete this, flesh that out to hit utterly meaningless "targets".

lkdin2.jpg


Think about the amount of personal and business related information you're adding to your Linkedin page. Consider it's likely to be similar to the kind of data you're putting onto the more private Yammer account that only your workmates can see, only HERE you're making it viewable to all those random additions to your contact list.

Is that really a good idea? It's not hard for a social engineer to create a fake profile on Linkedin and go roaming - especially while people seem to be treating it as a popularity contest...

TOP TIP FIVE: Delete old Twitter messages (the "five a day" rule)

If you want to build up a picture of a potential target, Twitter is the place to hang out. It's random, it's stream of consciousness and no matter how hard the person posting tries, even a person who carefully considers what they post is going to leak some personal data about themselves that they'd rather not share.

It doesn't have to be anything spectacular; it's just an endless series of useful nuggets that someone, somewhere can use to build up a picture of you and do bad things. It's surprisingly easy to work out where someone lives (for example) when they're doing something as basic as posting region specific pictures of buses in their area on twitpic, for example.

To some people this isn't a big deal; to others who want to keep their location more anonymous than most, they probably didn't stop to think something as basic as posting up a picture of a bus could reveal their location.

In the same way, now so many people use Twitter for business related things it's easy to imagine that over time someone might have posted things that could be used to flesh out a target. Want to go dumpster diving? Well, what time does the only guy in his office go on his coffee break at? Oh look, according to Twitter he goes every day at 10:30AM, and we know he's the only person in there because he says he locks up...

Anyway, my advice is this - if your business world crosses over into your Twitter posts in some prominent way, you might want to consider deleting all but your five most recent Twitter posts. Do you really need them all lying around, waiting to potentially cause problems further down the line?

That concludes my "Top Five Tips". You might not agree with all of them (and feel free to share your own!), but hopefully there's enough in there to give some pause for thought the next time a 2.0 site is begging you to fill it up with an endless stream of information.

MSNAgent attempts to hide from security analysts

| | Comments (0)

Recently I came across a threat facing MSN messenger users that employs extremely devious means of infection.  The actual executable for this MSN worm is hidden in a .jpg file.

 

picture.PNG

The reason there is no preview available is that this isn't a picture, but executable code in the guise of a picture file.

 

The thing that makes this so interesting is the length at which the attacker is willing to go in order to hide themselves from detection of commonly used security applications.  Only by using certain tools can you see the threat running behind the scenes.  Here you can see an ominously almost legitimate application running called "MSNAgent".

 

txtfile.PNG

MSN Agent starts up when the computer boots up.

 

MSNAgent has the ability to connect to a remote server for the purposes of stealing your MSN username and password.  The file "gf1008.exe" is originally saved in the Temporary Internet Files to avoid too much suspicion.  Its on the Desktop in this example for the purposes of testing. 

 

autostart.PNG

This is shown to the user whenever the computer is restarted.

 

Taking a closer look at gf1008.exe shows you the following:

bintext.PNG

You can see here that this file is directly related to the autostart value "MSNAgent".  It also shows us that it's trying to make a connection to a remote server as well as get the user to change their password presuming for the purpose of phishing the user.

 

 

Attempting to find this threat running with other free security apps might be a problem.

 

Hijackthis:

 


Thumbnail image for hijackthis.PNG

 

Regcrawler:


Thumbnail image for regedit.PNG

MSNAgent can't be found in the registry through traditional means either.

 

Hijackthis is one of the common security applications used to verify if there is an infection when users try to get help from other users on a forum.  Most of the time, Hijackthis is the first step when trying to find the threat.

 

Never fear though.  We detect this threat as MSNAgent.  Using our Microscanner should reveal if you are currently under surveillance.



Today we came across a considerable collection of stolen credit card details - somewhere in the region of 150 seperate pieces of data - posted to a fairly typical Warez forum. The odd thing about it was that the poster didn't really come across as a professional carder - more like someone who happened to stumble across a stockpile of sensitive information and was now trying to distribute it as quickly as he could.

A clue that this might be the case was that the formatting of the data was fairly irregular - normally carders post all their information in a very uniform fashion - here, you could see at least three distinct types of data, some containing nothing more than card details while others contained (amongst other things) name, address, PIN number, phone number and (more worryingly) a "receiver address", as if information had been lifted directly from a back-end payment system.

card_theft_2.jpg

A final clue that the poster might not be a professional carder? Well, the big giveaway is that he happily posted all this information with a huge photgraph of himself for a signature picture and his location listed under his forum avatar.

Can't say I've seen that before.

The majority of victims appear to be based in the United States - there is discernable pattern to the victims, nor is it currently possible to tell what sites were compromised to obtain the data (if any). Of course, we tried to contact some of the victims to let them know to cancel their cards (as far as we could see, all cards are valid until at least next year) but so far, we've had no success.

Extensive searching on the information contained in the forum posts - and it seems to be well hidden underground, even though the poster says to "use them quickly because they're being used by other people too" - turned up no obvious reveals, save for one solitary Email address listed in the data. The Email address took us to a pro carding forum - apparently offline now - where someone was offering up a small sample of private data, with a purchase price of $30,000 to 50,000 dollars for "UK and US bank logins".

Could someone have bought this data then accidentally dumped it into a public directory somewhere? Unlikely, as everyone would now have a copy - but it seems that somewhere, somehow, a professional carder has made a big mistake....

Over the weekend there was apparently an issue with the registration of Live ID accounts, which could allow nefarious characters to indulge in a spot of phishing. More here at CIO.com.

TV Hacking...

| | Comments (0)

From Taipei Times

The signal of a government-run television station in southern China was hijacked by alleged hackers who used the frequencies to broadcast anti-government content, press reports said yesterday...during the blackout, anti-government images lasting up to 40 seconds appeared on television screens in Guangzhou, the provincial capital of China's economically booming region of Guangdong, the report said.

If memory serves me right, there have been numerous incidents of people hacking roadside information displays in the past but they usually carried humorous messages and insults. Hacking a TV channel in China to push Anti-Government messages is pretty hardcore.

This coverage from colleague, Anne. P. Mitchess, Esq., President of the Institute for Spam and Internet Public Policy (ISIPP) on the Melanie McGuire and Google search case caught my eye. It was a matter of time before search histories come back to haunt...and this leaves me further worried about the insecure state of PCs and malware's ability to upload "at-will" into infected PCs. Think "extortionware"- we covered the concept at RSA Conference 2007.

Anne writes...


Melanie McGuire is currently on trial for the murder of her husband, William McGuire. And while many people now know that your Google and other search engine searches can be discovered, apparently back in 2004, Melanie McGuire did not. For among the searches that the prosecution has found on her computers - searches which she conducted on the days leading up to the murder - were searches for "instant poisons", "undetectable poisons", and "fatal digoxin doses." And while those alone don't necessarily prove intent, another search, "how to commit murder" is pretty unambiguous.

But the crown search in the state?s case against Melanie McGuire may be that Melanie also performed searches about gun laws in New Jersey and Pennsylvania. William McGuire was indeed murdered with a gun which, the state claims, Melanie purchased in Pennsylvania.

O.K. so far it doesn't look good for Melanie McGuire. We talk about "greynets" and how different tools, even a simple web browser, carry different degrees of risk based on their use, the user's purpose and intent, and the environment in which the software is deployed and even the security of the hardware and facility too. This case involves Google search queries to help build a case.

It gets more interesting...


Also relevant is the fact that the day before the murder, the state says, Melanie?s computer shows that she searched for a Walgreens pharmacy near to her. A pharmacist at that Walgreens has testified that on the day before the murder she filled a prescription for an as yet unidentified woman with a prescription written for ?Tiffany Bain?, for a rarely ordered but known narcotic. The prescription, for chloral hydrate, was written by Doctor Bradley Miller - a doctor at the office where Melanie McGuire worked at the time. Dr. Bradley Miller, the doctor with whom Melanie was having an affair at the time that William McGuire was murdered

That is true, chloral hydrate (a Class IV hypnotic) is rarely used these days, but still not unheard of during my days in medicine a few years ago. At any rate the circumstantial evidence is starting to pile up. You can read more at The Internet Patrol... but of particular interest was a comment by a reader- Jack Stock who pens:

As a writer, I can see myself asking these same questions of Google?how to commit a murder, the most efficient poisons, etc. And that doesn?t mean that I was planning a murder?except in a fictional story. Murder, he wrote.

There a number of factors to consider here- let's us start with just four questions for starters:

- Who physically had access to the computer?

- What other data was found on the PC?

- Was the PC compromised in any way?

- Is there any other evidence beyond stored search queries?

No matter how obvious or open-shut a case it seems, faulty computer forensic assumptions are dangerous. We certainly don't want to see something like the Julie Amero case happen. You can read a summary and full transcripts here and decide for yourself.

We are in a new era, where your digital footprints, whether you made them out of innocent research, or even if someone else made them for you- can and probably will be used against you.

Our CEO, Kailash Ambwani talks on the greynets concept and how the majority of internet traffic has evolved from http to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, Facetime is about enablement and controlling these innovations inside of the Enteprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users- the forward thinkers and innovators willl bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one and I would note to pay particular attention to how anonymizers, like Rodi and / or Tor, can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF), can be used as anti-censorship tools, especially in countries where this is a problem.

However they can be a disaster, a potential legal nightmare for large enterprises and I.T. administrators to manage. Kailash goes on to note how malware is now profit driven...in his limited time he didn't get to explore the use of widgets, (often thin-Ajax clients) or the stripping of content using browser-powered tools allowing the the propagation of content like video across the Enteprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how Facetime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.

Del.icio.us Tags: , , , , , , , , , , , , , , , , , , , , ,

Technorati Tags: , , , , , , , , , , , , , , , , , , , , ,

I have just returned from Affiliate Summit West 2007 where I went scouting the current state of advertising, ethics, and what the future holds for people. I will have more on that later I will say that giant waves seem to be rippling under the surface, and *maybe* in the direction of cleaning up some of the problems...no miracles are in sight, but I saw some positive signs for a change.

With that jaunt over I have to dig in to grab a day or two of rest and then prepare for the RSA show with colleague Chris Boyd...Want to meet him? Now you can! He might do an autograph, conduct a symphony, or show you cool bow staff fighting skills as a bonus. He really CAN do that kind of stuff.

I wanted to take a moment here at the labs to cordially invite you to meet up with us at the RSA conference in San Francisco Feb 5-9. Yes- spend some facetime with FaceTime Communications, the leading provider of solutions for securing and managing instant messaging, peer-to-peer file sharing and Web-based greynets.

Where will you all be?

We will have folks at Booth #2537. Paperghost and I will be there and perhaps other places too...skulking about, being a general menace, and the usual things we do at events- look around, talk to people, and try to snag food.

What is RSA?
Recognized as the largest IT security conference and expo, RSA Conference 2007 is a must-attend event. With a variety of conference tracks to select from, you'll learn strategies to address today's information security problems, and gain insight into the issues of tomorrow. FaceTime is presenting not one, but two presentations for your enjoyment.

Presentation One

February 7th, 9:10 AM - 10:20 AM
Session Code: 2069
Botnet Live: Tracing, Chasing and Building the Case to Bust the Bad Guys
Speakers Chris Boyd and Wayne Porter, FaceTime Security Labs

jan07_rsa_poster.gif

This presentation is by Wayne Porter, yours truly, and led by the kung-fu style malware fighter Chris Boyd a.k.a. PaperGhost- we work in the labs doing all kinds of things you normally would not think about. For a little background on some of this I strongly suggest you check out the podcasts we did a few months ago- because they set the stage for just how incredible the cascade of events can become when you follow the story deep, deep into the abyss. We will also talk a bit about social media, the importance of being out in the field, economics and actually talking to people. Chris, who is a masterful story teller will give you a pretty amazing tour of the underbelly.

The Podcasts

Teaser Cast

Spyware Warriors and the Digital UnderGround Podcast: Part 1 and Part 2.
You can even download them into mp3 format and listen on the go.

Next Up....Our CEO in this Peer2Peer session....

February 7th, 12:30 PM - 1:20 PM
Session Code: P2P-204B
Skype and IM at the Office: User's Birthright or Security's Death Sentence?
Moderated by FaceTime President and CEO, Kailash Ambwani

jan07_rsa_poster_kailash.gif

Kailash, our CEO, while perhaps not as dashing as we research types in the drawn form you see before you, he knows his stuff when it comes to business communications and when you get a title with "Birthright and Death Sentence" in one line...well how can you not be intrigued? Given VoIP and IMs rapid adoption this is a must attend panel- especially if you want to understand some of the legal ramifications and understand the nature of greynets- when good can be bad, and bad can sometimes be good. It is all a matter of perspective and policy.

Want to meet other FaceTimers? Check in at booth #2537 to see demos of our products and solutions, including the recently announced FaceTime Internet Security Edition which includes our award-winning RTGuardian appliance- you can find more about it on the FaceTime Security Products Site.

This is a bit of a pitch, so you are warned, but this is what we do- We combine core gateway security capabilities such as Web filtering and anti-spyware with security for today's greynet applications on a single platform with common policy and management. The FaceTime Internet Security Edition reduces complexity and increases efficiency of the enterprise security infrastructure to reduce overall total cost of ownership. We will also have demonstrations of our flagship instant messaging security and compliance solution, FaceTime Enterprise Edition, will also be available. Why the big deal? FaceTime Enterprise Edition helps organizations meet the new eDiscovery regulations (here for whitepaper) for electronic communications that went into effect December 1, 2006.

So please be our guest we would love to meet you. You can even attend the RSA Conference 2007 Expo compliments of FaceTime. Just register at http://www.rsaconference.com/2007/us/ and use code EXH7FAC for your FREE Expo Pass - a $100 value!*

We hope to see you there!

* You must pre-register before February 2, 2007 for your FREE Expo Pass. Make a note of it!

Browzar: The Story So Far

| | Comments (1)

A lot of people read this post by my good self yesterday and asked for more information on the whole Browzar situation. Browzar, I hear you say? Well, for those of you who don't know, Browzar is an Internet Explorer shell that supposedly provides an added layer of security to your web-browsing. Unfortunately, it looks like an overly enthusiastic press release built Browzar up, and at that point nothing could save it when it appeared the technology employed wasn't as cutting edge as we'd have hoped. A fantastic summary of the whole shambles from start to finish can be seen here.

About this Archive

This page is a archive of recent entries in the Privacy Issues category.

Phishing Scams is the previous category.

Research is the next category.

Find recent content on the main index or look in the archives to find all content.