Which of the following is a well-known example of spyware that captures the keystrokes of the user?

Layer 8: The People Layer

In Hack the Stack, 2006

Unauthorized Entry

How attackers gain illicit entry to a corporation’s premises depends on the company’s security posture. One way is for the attacker to loiter by the company entrance and wait for an authorized person to unlock the door. Once it is open, the attacker follows the person inside, piggybacking on that person’s authorization [also known as tailgating]. Another way is blending in with a group of people. If an attacker has to display a badge, they have to steal one. Alternatively, materials for making fake IDs are available on the Internet at www.myoids.com. A more brazen approach is to talk his or her way inside.

If a door requires a Personal Identification Number [PIN] for entry, shoulder surfing [i.e., observing someone else enter their PIN on the keypad] can be used to learn a valid PIN. If the PIN has to be used in combination with a badge, a combination of attacks is needed.

Once unauthorized entry is achieved, the attacker can take photographs of computer screens and any other materials. He or she can steal manuals, storage media, and documents [e.g., the company directory]. The attacker can even install a hardware keystroke logger.

Keystroke loggers [also known as keyloggers] record the keystrokes typed on a computer’s keyboard. Because they capture input as it is typed, they record passwords before any encryption is applied to them. There are two types of keystroke loggers: hardware and software.

Some advantages of hardware keystroke loggers are that they are completely undetectable by software, can record all keystrokes, and can record keystrokes before the operating system is loaded [such as the Basic Input Output System [BIOS] boot password]. One disadvantage is that the attacker has to return to retrieve the hardware keystroke logger. An attacker can also be an insider [e.g., co-workers, a disgruntled employee, or someone on the cleaning crew].

As you can see in Figures 9.1 and 9.2, hardware keystroke loggers have a male connector on one end and a female connector on the other end. The logger is placed between the keyboard jack on the computer and the plug on the keyboard.

Figure 9.1. KeyKatcher with PS/2 Connectors

Photo courtesy of Allen Concepts, Inc.

Figure 9.2. KeyGhost with USB Connectors

Photo courtesy of KeyGhost Ltd.

Some Web sites selling hardware keystroke loggers are:

www.KeyKatcher.com [see Figure 9.1]

www.KeyGhost.com [see Figure 9.2]

www.KeyLogger.com

To make your own hardware keystroke logger go to www.KeeLog.com.

Software keystroke loggers have many advantages over their hardware counterparts. They can be installed through social engineering attacks, can discern which program is accepting the keyboard input from the user, and can categorize the keystrokes for the attacker. They can send the captured keystrokes to the attacker via e-mail, Internet Relay Chat [IRC], or other communication channel. Some popular software keystroke loggers are:

Spector Pro [www.spectorsoft.com]: takes screenshots, records e-mail messages that are sent and received, and records keystrokes [see Figure 9.3].

Figure 9.3. System Surveillance Pro Software Keystroke Logger

Ghost Keylogger [www.download.com]: uses an encrypted log file and e-mails logs.

IOpus STARR PC and Internet Monitor [www.pcworld.com/downloads/file_description/0,fid,22390,00.asp]: captures the Windows login.

System Surveillance Pro [www.gpsoftdev.com/html/sspoverview.asp]: inexpensive and easy to use [see Figure 9.3].

Detecting software keystroke loggers can be accomplished in a couple of ways. The most common is using scanning software to inspect files, memory, and the registry for signatures of known keystroke loggers and other spyware. A signature is a small portion of a file [i.e., a string of bytes] that always appears in a particular spyware program. Another method of finding spyware is real-time detection of suspicious activity.

Some programs that detect keystroke loggers and other spyware are:

FaceTime Enterprise Edition [www.facetime.com]

Windows Defender [www.microsoft.com/athome/security/spyware/software/default.mspx]

Ad-Aware [www.lavasoftusa.com]

Spybot Search & Destroy [www.spybot.info]

Webroot Spy Sweeper Enterprise [www.webroot.com]

Spyware Doctor [www.pctools.com/spyware-doctor]

Anti-spyware programs also have different supplemental tools. Spybot Search & Destroy has some nice tools such as a registry checker for inconsistencies [see Figure 9.4], which integrates with their file information program, FileAlyzer.

Figure 9.4. Spybot Search and Destroy Anti-spyware Program

Tools & Traps…

Detecting Keystroke Loggers

Hardware keystroke loggers can only be detected by visually inspecting the keyboard connection. Because they don’t run inside the computer as a program, there’s no information in memory. Look for a device [usually barrel-shaped] that is plugged into the keyboard jack, with the keyboard plugged into a jack on that device. KeyGhost Ltd. makes a keyboard with the keystroke logger built in, so that even visual inspection is insufficient.

Software keystroke loggers are programs that run inside the computer. They must be started every time the computer is booted or when a user logs on. There are many ways to get a program to start automatically; a program like Autoruns from www.sysinternals.com shows all of them. As seen in Figure 9.5, we have detected sfklg.dll, the SoftForYou Free Keylogger.

Figure 9.5. Autoruns
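Reviewing an autostart listing can be partly automated. The following Python is an added example, not code from the chapter or from Sysinternals: it triages a constructed CSV modelled on an Autoruns export (the column names and the "(Verified)/(Not verified)" signer format are assumptions) and flags entries worth a closer look: the sfklg.dll name from Figure 9.5, unsigned images, images outside the Windows and Program Files trees, and AppInit_DLLs entries.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample resembling an Autoruns CSV export; column names and the
# signer format are assumptions, and the rows are invented for illustration.
SAMPLE_CSV = r'''"Entry Location","Entry","Signer","Image Path"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","(Verified) Microsoft Windows","c:\windows\system32\securityhealthsystray.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs","sfklg.dll","(Not verified) SoftForYou","c:\windows\system32\sfklg.dll"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","updater","","c:\users\sarah\appdata\roaming\updater.exe"
'''

# File names of known keystroke-logger components; sfklg.dll is the one the
# chapter shows in Figure 9.5, so it is the only entry in this toy blocklist.
KNOWN_KEYLOGGER_FILES = {"sfklg.dll"}

# Autostart images normally live under these trees; anything elsewhere
# (for example a user's AppData directory) deserves a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# AppInit_DLLs loads a DLL into every process that links user32.dll, which
# makes it a classic autostart location for software keystroke loggers.
APPINIT_KEY = "\\windows nt\\currentversion\\windows\\appinit_dlls"


@dataclass
class Finding:
    entry: str
    image_path: str
    reasons: list = field(default_factory=list)


def triage_autoruns(csv_text: str) -> list:
    """Return one Finding per autostart entry that trips at least one check."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Image Path"].strip().lower()
        signer = row["Signer"].strip()
        location = row["Entry Location"].strip().lower()
        reasons = []
        if path.rsplit("\\", 1)[-1] in KNOWN_KEYLOGGER_FILES:
            reasons.append("known keystroke logger component")
        if not signer or signer.lower().startswith("(not verified)"):
            reasons.append("unsigned or unverified image")
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("image outside Windows/Program Files")
        if location.endswith(APPINIT_KEY):
            reasons.append("AppInit_DLLs entry")
        if reasons:
            findings.append(Finding(row["Entry"], row["Image Path"], reasons))
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_CSV):
        print(finding.entry, finding.image_path, "; ".join(finding.reasons))
```

On a real machine, the CSV would come from an Autoruns export rather than the constructed string, and the blocklist would be fed from an anti-spyware signature feed.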


URL: //www.sciencedirect.com/science/article/pii/B9781597491099500137

Advanced Techniques

Ted Fair, ... Technical Editor, in Cyber Spying, 2005

Introduction

Congratulations, you have made it through the first part of cyber-spy school. By now you should have a basic understanding of the spy process and quite a few tricks to help you pry into people's online lives. You may be feeling computer savvy, and even a little dangerous. Be warned, this is just the beginning. We have given you a few basic tricks and scenarios, which will work most of the time, especially in ideal situations. Of course, one of the most important rules of cyber-spying [all spying, in fact] is that there are no ideal situations.

To be as prepared as possible for these non-ideal conditions, you need to develop skills that will expand your knowledge base and make you as versatile as possible. One major thrust of this chapter is to improve and build upon some of the techniques discussed earlier in this book. We want you to take what you have learned and convert it from basic to guru, so that when you encounter those odd cases, you still have a few more tricks up your sleeve.

Although this book focuses mostly on personal computers [PCs], they are only a small part of the entire cyber-realm. While they are generally most people's gateway to cyberspace, they are not the only area a good cyber-spy should focus on. As cell phones, personal digital assistants [PDAs], and even video game consoles become more advanced, there are more ways to get online and to store and use information. All of these devices can hold clues about how their owner lives. A cyber-spy should not overlook this potential gold mine of information. Harnessing the Internet and its many powerful search engines and online databases should also be a tool in every spy's arsenal. Many people still do things the old-fashioned way–by paper. Detailed credit card statements, phone bills, and other periodic paper documents are a great place for collecting even more information. Viewing the entire picture and collecting and correlating data from different sources is a very important part of spying, and an advanced technique that even professional spies have a hard time mastering.

Tips and Tricks

Take Two

Throughout this book, we have discussed using hardware-based keystroke loggers. In many cases, they are the easiest and only way to get the information you need. If you decide to purchase a keystroke logger for your spying endeavors, we strongly recommend that you buy two identical ones. Having two keystroke loggers is extremely helpful when you have to deploy and analyze data from them.

A good spy tries to expose himself as little as possible; for you that means minimizing your time on target. While installing a keystroke logger is a quick and easy task, if you want to take it to any other computer and analyze it, there is a time issue involved. If you only have one, you are forced to install it again after you have dumped the data; hence, there is a window of time when the machine is not being monitored at all.

The situation is improved with two keystroke loggers. When you remove the full one from the back of the target PC, you replace it with the empty one. You now have immediate coverage on the computer. Meanwhile, you can analyze the other keystroke logger on a different machine.


URL: //www.sciencedirect.com/science/article/pii/B9781931836418500137

Botnets: A Call to Action

Craig A. Schiller, ... Michael Cross, in Botnets, 2007

The Industry Responds

At the TechEd 2006 conference in Boston, Microsoft confirmed that “well-organized mobsters have established control [of] a global billion-dollar crime network using keystroke loggers, IRC bots, and rootkits,” according to “Microsoft: Trojans, Bots Are ‘Significant and Tangible Threat,’” an article by Ryan Naraine in the June 12, 2006, edition of eWEEK.com. Microsoft is basing this conclusion on data collected by its Malicious Software Removal Tool [MSRT]. The article says that MSRT has removed 16 million instances of malicious code on 5.7 million unique Windows systems. Sixty-two percent of these systems were found to have a Trojan or bot client.

The Alliance Against IP Theft, an organization in the U.K., published a document titled “Proving the Connection—Links between Intellectual Property Theft and Organised Crime” [www.allianceagainstiptheft.co.uk] that supports Microsoft's claim.

On August 10, a group of information security professionals, vendors, and law enforcement gathered at Cisco Headquarters in San Jose. With little notice, the “Internet Security Operations and Intelligence Workshop” attracted around 200 attendees. Led by the enigmatic Gadi Evron [security evangelist for Beyond Security and chief editor of the security portal SecuriTeam], speaker after speaker painted a bleak and complex picture. Many lamented the increasing ineffectiveness of the prevailing strategy, which focused on identifying and taking out C&C servers. This is the “kill the head of the snake” approach. Bots have begun to evolve beyond this weakness now. Some now have multiple C&C servers, and, like a Hydra, if you cut off one C&C server, two more pop up. Some use protocols that lend themselves to a more decentralized organization. Some are using “Fast Flux” DNS technology [see Chapter 3] to play an electronic version of the shell game with the C&C server. There was much wailing and gnashing of teeth by the security and network professionals. However, amidst the lamentations, some very interesting and innovative ideas were presented.

These ideas involve different methods of detecting botnets, aggregating this information, and sharing it for the benefit of all. Some ideas were so tempting that participants began trying out aspects of the idea during the presentation. When all was said and done, 200 minds knew what only a handful knew before. Further, a “call to action” had been issued. Come out of our shell, share what we know, organize our responses.


URL: //www.sciencedirect.com/science/article/pii/B9781597491358500032

Spying on Chat and Instant Messages

Ted Fair, ... Technical Editor, in Cyber Spying, 2005

Collecting Passwords and Buddy Lists

While there is a lot of information that can be gleaned from IM conversations, there are some situations where just having knowledge of who is on your mark's buddy list may be sufficient. This piece of information alone can shed valuable light onto the composition and nature of your target's online relationships; after all, these are the people your mark feels are worth having only a click away. Also, depending on the messenger service, it can be useful to have block/ignore lists as well. Once obtained, it may be necessary to impersonate your mark to determine some of his or her contacts’ relevance and relationship with your mark. This impersonation usually requires your mark's password, another important piece of data to collect. In some cases, the password is hidden and scrambled in registry settings; in others, it sits in a plain text file.

Collecting the Buddy List and Password from AIM

Chapter 6 covered the process for obtaining the buddy list from AIM. Obtaining the password is a slightly trickier procedure. Versions of AIM older than 4.7 stored the scrambled passwords in the Windows registry. Version 4.8 and higher store a hash of the password. A hash is the result of feeding the password into a one-way function, meaning that it is computationally infeasible to recover the password from the hash. So, if your mark is using an old version of AIM, there is a chance you might be able to recover the password. To determine the version, go to the AIM window and select Help | About AOL® Instant Messenger. A dialogue box should pop up giving numerous tidbits of information, along with the version number. A Google search on AIM password recovery will show several tools that will uncover the password. While this would be a fortunate scenario, it is a highly unlikely one. As of the writing of this book, the current version of AIM is 5.9, and it will most likely be much higher by the time this book is printed. The best bet for actually acquiring a password is to use a hardware or software keystroke logger. In addition to installing one, a good idea is to pull up the client and type in an incorrect password. Since many clients automatically save the last password typed, you need to modify the one stored to ensure that your mark enters the correct one the next time he or she logs on.

Collecting the Buddy List and Password from Yahoo

Like AIM, viewing the Yahoo Messenger's buddy list is covered in Chapter 6. Like AIM, Yahoo passwords are not stored or transmitted in plain text. Similarly, using a keystroke logger is the best advice for collecting this information.

Collecting the Buddy List and Password from MSN

MSN uses Microsoft's .NET passport as the basis for its authentication. Like AIM and Yahoo, the password for MSN is not stored or transmitted in plain text. However, since it relies on .NET passport, access to your target's account is usually enough to get MSN to log on.

Another very useful option of MSN is the ability to save a contact list by going to Contacts | Save Contact List. Using this capability, you can take a list of buddies/contacts from your mark's computer and load them on a different computer for analysis.

Collecting the Buddy List and Password from Gaim

Since Gaim is not distributed by the owners of the IM networks and must interact with more than one network, it is more efficient for Gaim to store its own buddy and password lists. Gaim stores all of its information in easy-to-view .xml configuration files. XML is a markup language that is relatively easy to understand, and XML files can be opened by most Web browsers. This is the program you want your mark using. If you have any influence at all, steer your mark this way. There are two files of interest: accounts.xml, which has all of the IM accounts and their corresponding passwords, and blist.xml, which is a copy of the buddy list for each account. There are basically two ways to find the XML files that you are looking for: manually, if you know where they are, or by searching the entire hard drive for them. We discuss both methods along with their trade-offs.

Manual Location of Files

The default location of Gaim's XML files can be found by opening explorer.exe and browsing to the following location:

C:\Documents and Settings\\Application Data\.gaim\

Both files should be there and accessible using Notepad or most any other text-viewing application. This requires one of two things to be true: either the user has not marked his or her files as private, which is often the case, or, if they are marked as private, you are looking for these files from an administrator account or from the same account as your mark. While this method depends on permissions and is a little trickier than the next one we discuss, it allows you to locate the Gaim configuration directory for your mark, which also contains other useful information. In addition, should the nomenclature for the file names change, you can examine the files in the directory one by one, looking for the correct information.

Automatic Location of Files

Use Microsoft's or Google's search tool and look for blist.xml and accounts.xml. To broaden your search and find even more potentially interesting files, a search for *.xml in Microsoft's tool or xml in Google's should produce useful results. Like the previous method, this one also depends on file permissions. Once you have found the files, their contents should be plainly visible. The following example shows the accounts.xml file for a Gaim user. As you can see from this example, account names and their corresponding passwords [when stored] are both clearly visible. In this example, the account name is “sarahevans1988,” and the password is “gatorade.”

<?xml version='1.0' encoding='UTF-8' ?>

[accounts.xml listing; only the element values survived extraction: prpl-oscar, sarahevans1988, gatorade, 0, login.oscar.aol.com, ISO-8859-1, 5190, 1]

In the next example, we show you the type of information that you can retrieve from a stored buddy list. This example shows you the blist.xml file for “SarahEvans1988.”

<?xml version='1.0' encoding='UTF-8' ?>

[blist.xml listing; only the element values survived extraction: 0, dirtylarry001]
