Privacy Issues: May 2009 Archives

It's been an interesting day or so where leaked pictures on the web are concerned - stories abound regarding the leak of what are allegedly naked Rihanna shots (link is safe for work, obviously). Indeed, leaks of naked people plastered all over the web are becoming more and more common.

With that in mind, I thought we'd take a look at something I found at the weekend - a malicious program specifically designed to get onto your PC, scour the hard drive and send all the pictures it finds back to the hacker.

In time honoured tradition, here are the files as they appear on the desktop:


Aw look at the little hand, waving at you. Or, to be more accurate, look at the creepy set of fingers about to go pawing through your pictures.

As soon as you fire up Picture Hunter, you know the creator is fully aware of his rather ill-advised shenanigans:


It never fails to amaze me how many people create programs like this yet are never responsible for anything, ever. Oh well. The program springs into life with a number of basic options for our wannabe image pilferer:


As you can see, you enter your FTP account login details and FTP address into the required fields, then hit "Build". What you end up with is a customised version of the "Stub" file that contains your FTP data. Check out the file size, it's tiny:


Approximately 24.5 KB of file-rummaging activity is on the way; amazing to think how much damage such a small file could cause, as we'll see. It's worth noting that there are multiple versions of this in the wild: some don't grab JPEG files, while others grab not only JPEGs but also Zips, Docs and PDFs as an added bonus.

On my testbox, I've placed a number of images - each one a different type of file.

If I were tricked via social engineering into running the Server file (and of course the attacker will likely rename it and give it a pretty icon to make it more appealing to the target), it would immediately start digging through the PC, pulling out image files and sending them to the attacker's FTP account, where he can browse the pictures at leisure.

Here's my FTP account a few minutes after the infection file has been executed on the target PC:


A .bmp, a .gif and a .png have already appeared in the FTP directory. Shall we take a closer look at one of the files?



These are harmless images, but the potential for damage to a reputation (or just general embarrassment) is huge: how many people store monster nudie pictures of themselves on their home computer, for example? The program attempts to minimise the amount of non-essential images collected by skipping certain areas of the PC, so Temporary Internet Files, Program Files and images under 1 KB in size are ignored.
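To get a feel for what a stealer with those selection rules would actually lift from a machine, here is an added example (my own code, not the Picture Hunter stub) that reproduces just the file selection the post describes: image extensions only, skip Temporary Internet Files and Program Files, ignore anything under 1 KB. It never uploads anything; point it at your own profile directory and it lists what would have left the machine. The exact folder spellings, the extension list and the sample tree it builds for itself are assumptions for illustration.

```python
"""Inventory the image files a Picture Hunter-style stealer would pick up.

Added example, not the stealer's own code. It reproduces only the file
selection described in the post and never uploads anything.
"""
import os
import tempfile
from pathlib import Path

# Extensions seen in the post's FTP directory plus JPEG. Other builds of the
# stealer reportedly add Zips, Docs and PDFs, so the set is a parameter.
IMAGE_EXTS = {".jpg", ".jpeg", ".bmp", ".gif", ".png"}

# Directory names the post says are filtered out. The spellings (and the
# x86 variant) are assumptions; the stub's real match rules are not documented.
SKIP_DIR_NAMES = {"program files", "program files (x86)",
                  "temporary internet files"}

MIN_SIZE = 1024  # the post says images under 1 KB are ignored


def is_skipped_name(dirname, skip_dirs=SKIP_DIR_NAMES):
    """Case-insensitive match, since Windows paths are case-insensitive."""
    return dirname.lower() in skip_dirs


def collect_candidates(root, exts=IMAGE_EXTS, min_size=MIN_SIZE,
                       skip_dirs=SKIP_DIR_NAMES):
    """Return sorted (relative_path, size) for every file the rules select."""
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into skipped folders.
        dirnames[:] = [d for d in dirnames if not is_skipped_name(d, skip_dirs)]
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in exts:
                continue
            try:
                size = path.stat().st_size
            except OSError:  # unreadable or vanished file: skip it
                continue
            if size < min_size:
                continue
            found.append((path.relative_to(root).as_posix(), size))
    return sorted(found)


def build_sample_tree(base):
    """Constructed sample layout (assumed, not from the post) for a dry run."""
    layout = {
        "Users/alice/Pictures/holiday.jpg": 4096,       # selected
        "Users/alice/Pictures/icon.gif": 512,           # under 1 KB: ignored
        "Users/alice/Documents/scan.png": 2048,         # selected
        "Users/alice/Documents/notes.txt": 4096,        # not an image
        "Program Files/SomeApp/logo.bmp": 8192,         # skipped folder
        "Users/alice/AppData/Temporary Internet Files/cached.jpg": 3000,
    }
    base = Path(base)
    for rel, size in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\x00" * size)  # size is all that matters here


def demo():
    """Build the sample tree in a temp dir and return what would be grabbed."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return collect_candidates(tmp)


if __name__ == "__main__":
    for rel_path, size in demo():
        print(f"{size:>6} bytes  {rel_path}")
```

Of the six constructed files only holiday.jpg and scan.png survive the filters, which is exactly the kind of "nothing but the personal stuff" haul the post's FTP listing shows. Swap the root for your real home directory to see your own exposure.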

Interestingly, the attacker could put themselves at risk due to the program simply scooping up whatever it finds - what if the infected PC has illegal pornography on it? All of a sudden, they've just uploaded a bunch of child pornography pictures to a third-party FTP service - who probably aren't going to be very pleased, to put it mildly.

Of course, if the attacker is greedy enough to create a file like this in the first place, that's a risk they'll just have to take. For the rest of us, let this be a timely warning - the best place to store your image files (especially ones that involve you running around with a whip and a gimpsuit) is on an external hard drive that you can hide under the bed, in a locked case, surrounded by high explosives and tripwires.

Don't say we didn't warn you :)

At InfoSec Europe 2009, I gave a talk about the problems companies will face as they move to services of a 2.0 nature. What follows are my Top Five Tips for tackling some of these issues - they seemed to go down quite well, so hopefully there's something in there you can make use of too.

TOP TIP ONE: Put someone in charge of Social Networking in the workplace.

I noticed as I was talking about sites such as Twitter, Yammer, etc that nobody in the room of about 130 people had used (or in most cases even heard of) any of these websites.

My concern with this is that I can guarantee there's some degree of what I like to call Intellectual Property Spillage going on. In other words, random employees and marketing bods see these new sites, think it's a good idea to be on them and then before you know it, there are unofficial presences all over the place and it becomes difficult to control exactly what's going on.

When I spoke about this issue recently, a chap in the talk went off and came back to me half an hour later. He told me he was amazed to find something like five groups set up by staff on Facebook, a Youtube page and a Yammer account - all out there online, doing their own things.

I was pleased when a rep from a major music company approached me after the InfoSec talk and told me his company specifically employs someone to go around all the 2.0 sites registering "official" presences and keeping an eye on the oddball accounts.

Works for them...

TOP TIP TWO: Enforce a set of rules with regard to what NOT to put on sites like Yammer

Yammer is basically Twitter for business users. Anyone from a company can set up a "private" Yammer account for the group, and then invite other employees to start posting about what they're working on.

The problem here is that many companies rush to join services like Yammer, post up a whole bunch of information that could be somewhat sensitive and then abandon the account. The following screenshot says it all:


As you can see, the last post was four months ago, with all that company-specific information just sitting around, doing nothing. In addition, Yammer profiles want users to fill in a ludicrous amount of personal information. Full name, title, start date, significant other, kids' names, birthday, interests, work / mobile phone, previous employers & start dates...and that's only a portion of the data requested. It's a social engineer's dream, assuming they can trick a Yammer user into handing over their login OR pull off a successful phish.

Even better, you can view the company user list and see who has the most followers - assuming the most followed people are likely to be the most relevant / important people there, you're painting a huge bullseye on the "Staff who most need to be stalked".

My advice? If you have someone keeping an eye out for 2.0 sites / groups related to your company, ensure services such as Yammer are top of the list...and think carefully about posting sensitive company information. It'll only take one solitary phish to cause a lot of problems.

TOP TIP THREE: Keep real world friends & work associates OUT of your top 10 friends on Myspace

Yeah, Myspace is somewhat looked down upon by all the cool kids but whatever. There's still a lot of early adopters out there who use it successfully for networking, and it's still a powerful marketing tool for certain types of product / company / dreadful Emo bands.

Myspace is also notorious for troll groups and general idiocy. A typical pastime for trolls is to find out personal information, then cause trouble in the real world. Hassling people at their place of work is always great fun for them, or if that should fail, causing trouble for friends / work colleagues.

They do this by seeing who sits in your "Top five / ten / whatever" list of friends, on the basis that most people will (naturally enough) place their real world friends / workmates in that top position.

You know what I'm going to suggest, don't you? Take all your real world contacts and place them OUTSIDE the Top Ten Friends list. Put all those random people you accumulate - the bands, random additions, people you talk to on a forum once every blue moon - in the top spot. When the bad guys go trawling for information they can use against you, they're not going to get very far when they're wasting all their time conversing with German rock guitarists and spambots.

TOP TIP FOUR: Avoid the "Life story on Linkedin" approach

Yes, Linkedin is a useful way to make business contacts, see who is going to relevant events and so on. However, when I was at InfoSec, I was struck by how many people basically treat it as a posh version of Facebook, competing with people they know to see who can get the most "friends".

This is a TERRIBLE idea. Consider this - Linkedin works by constantly, endlessly nagging you to fill things in, complete this, flesh that out to hit utterly meaningless "targets".


Think about the amount of personal and business-related information you're adding to your Linkedin page. It's likely to be similar to the kind of data you're putting into the more private Yammer account that only your workmates can see, only HERE you're making it viewable to all those random additions to your contact list.

Is that really a good idea? It's not hard for a social engineer to create a fake profile on Linkedin and go roaming - especially while people seem to be treating it as a popularity contest...

TOP TIP FIVE: Delete old Twitter messages (the "five a day" rule)

If you want to build up a picture of a potential target, Twitter is the place to hang out. It's random, it's stream of consciousness, and no matter how carefully someone considers what they post, over time they're going to leak some personal data they'd rather not share.

It doesn't have to be anything spectacular; it's just an endless series of useful nuggets that someone, somewhere can use to build up a picture of you and do bad things. It's surprisingly easy to work out where someone lives, for example, when they're doing something as basic as posting region-specific pictures of buses in their area on twitpic.

To some people this isn't a big deal; to others who want to keep their location more anonymous than most, they probably didn't stop to think something as basic as posting up a picture of a bus could reveal their location.

In the same way, now so many people use Twitter for business related things it's easy to imagine that over time someone might have posted things that could be used to flesh out a target. Want to go dumpster diving? Well, what time does the only guy in his office go on his coffee break at? Oh look, according to Twitter he goes every day at 10:30AM, and we know he's the only person in there because he says he locks up...

Anyway, my advice is this - if your business world crosses over into your Twitter posts in some prominent way, you might want to consider deleting all but your five most recent Twitter posts. Do you really need them all lying around, waiting to potentially cause problems further down the line?

That concludes my "Top Five Tips". You might not agree with all of them (and feel free to share your own!), but hopefully there's enough in there to give some pause for thought the next time a 2.0 site is begging you to fill it up with an endless stream of information.

About this Archive

This page is an archive of entries in the Privacy Issues category from May 2009.

Privacy Issues: May 2008 is the previous archive.
