The Lateral Approach

In conducting investigations online the use of social media is an invaluable tool. I doubt that any investigator would disagree with me that these days a suspect’s online profiles are a virtual dumpster. You may be thinking, “A dumpster? What’s so great about a smelly dumpster?”. Early in my career a dumpster was pure gold. Before the Internet was “a thing” people would throw away everything including their paper phone bills, store receipts, typewritten letters, etc. As long as the trash was in the public domain and being discarded it could be used as evidence, or just simply intelligence. All this could be obtained without a warrant.

Now enter the digital age where things that would have ended up in the trash now remains online indefinitely. There is a treasure trove of intelligence that people freely toss into plain sight like their day old garbage. Some of these seemingly innocuous details are assets, personal associations, business relationships, and employment.

You may think that just because your online profile is set to private or limited that there isn’t much that can be found. This is a false sense of security. When most privacy minded people set up their online profiles, they make it so only their “friends” or “connections” can see their most private details. This is especially true on popular social hubs such as Facebook and Linkedin. I too have my profiles set to “private”. However, I am aware of the flaw in this method of false privacy and am always vigilant.

Someone with deception in mind can gain entry to your online profile data the same way a criminal gains entry into a building. An inside man (or woman). Now you may not think of your business colleague or your Aunt Sally as an inside man, but they very well could be. When I investigate someone online, very rarely do I come at them head on. The head-on method not only offers less opportunity, it lets the suspect see you coming. Rather then expose yourself, it is better to connect with Aunt Sally or a co-worker, thus taking the Lateral Approach. You see more often than not, being a “friend of a friend” on a social network allows you to see more information on your original target without actually being connected to them. Being friends with the suspect’s Aunt Sally may now allow you to see their full friends list or connections, posts, contact info and employment. If their profile is still locked down, then there is always the option of sending a friend request to the suspect now that you have a connection in common. This connection makes you less of an unknown to that person. After all, if Aunt Sally knows you how bad could you really be?

I would highly recommend prior to conducting any online investigation that you not only hide your IP address by using a proxy service, but that you also have examiner or undercover accounts created on all popular social networks.

Keep following those virtual breadcrumbs. ~ Hi-Tech P.I.

Dancing the Two-Step

With the recent Adobe security breach we should all be reminded how vulnerable our data really is in the hands of hundreds, sometimes thousands of data providers and online businesses. We are relying on others to keep our information safe and out of the hands of these bad guys. Going back 20 years, would you ever have thought to trust so much personal information to so many? Not me. It has almost become 2nd nature for us to hand over personal info without a  thought. It is a little scary to think how complacent we have become with not only our own personal information, but also our employer’s and client’s information.

I have the pleasure of being in great communities of investigators and security professionals, who for the most part will give you free advice that for many is invaluable. Most professional groups have some type of Listserve or online group through which they communicate. But, being a member of a Listserve can come at a price. Listserves are a convenient way for malware to be spread to thousands of people via one single email address. When one person is complacent and allows their email account to be hacked, it puts many of us at risk. Not to mention yours and your client’s data. What should be done?

There is something called Multi-Factor or Two-step authentication that has been around for years, but has just in the recent few become mainstream and widely available. Multi-factor authentication provides a second layer of security to online accounts in addition to your standard password. This 2nd layer could be a hardware device like Yubikey, or a 4 digit code that is sent to your cell phone. I use both. Multi-factor authentication is now available through most major online service providers such as; Google, Yahoo, MSN, Facebook, Twitter, PayPal, etc.

My question is…why not? It’s very much like your bank asking you for your telephone password in addition to your name or locking the deadbolt on your front door in addition to the handle lock. These two things have become acceptable to us, and so will securing your online accounts. We just need to place the same importance on those accounts as we do our homes and finances.

This Gizmodo article does a good job at getting you started: How to Enable Two-Factor Authentication on All Your Accounts

Stay safe and keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Who do you trust?

I recently listened to the audio book “Ghost in the Wires” written by infamous hacker Kevin Mitnick. Although I would not approve of his activity, I was very interested in his  Phreaking and Social Engineering skills.

Growing up in the investigations industry in the 80’s and 90’s, social engineering was second nature. We did not have the vast databases available today, so we relied heavily on human interaction for information. Today this skill is very much in play; however, social engineering is increasingly being adapted by criminals, rather than colleagues. My recent trip to the hacker conference DefCon in Vegas reaffirmed this. Attending seminars on this very subject, were thousands of hacker types, several who were likely criminal masterminds. I watched as they jotted down notes and laughed at the ease of tricking everyday folks into handing over their personal details.

Good tips on this subject can be found in today’s blog post at Lifehacker.com titled “How Can I Protect Against Social Engineering Hacks?” It’s worth a look.

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Website Security with a Little Obscurity

While strolling around the Internet the other day, I stumbled upon this solid post on www.hackerfactor.com and thought I would share.

Security By Obscurity

Security by Obscurity is a term that describes security through secrecy. If you don’t tell anyone that you have a million dollars buried in your backyard, then it is “secure” because nobody will find it.

There’s a saying in the security field: Security by Obscurity (SbO) does not work. If you are vulnerable, then you are still vulnerable. You’re just hoping that nobody discovers the exploit.

In my opinion, SbO does work to a degree. While SbO should not be your only security option, it does deter pre-attack reconnaissance. For example, most automated scanners look for obvious signs that can be used to identify a vulnerable system. If the scanner finds something, then the attack will come later. However, if you remove these markings then the scanners won’t flag your site for an attack. SbO removes the “low hanging fruit”.

The first thing you want to remove is anything that denotes what software version you are running. For example, WordPress is a very popular blog software package. If the bottom of your blog says “Powered by WordPress“, then everyone knows what software you are running. Knowing “WordPress” isn’t that bad. However, WordPress also embeds the version in the HTML content. For example, the “We Love WP” site runs WordPress. If you “view source” of their web page, you will see at the top:

<meta name="generator" content="WordPress 2.8.4" />

Now we know that they are running WordPress version 2.8.4. If you happen to know of a security vulnerability for version 2.8.4 (such as a XSS or Traceback denial-of-service), then you know that the “We Love WP” blog is vulnerable.

Similarly, the popular vBulletin web forum software includes the version at the bottom of the page and in the HTML meta data. Does the world really need to know that theGraphic Forums uses version 3.6.1?

So the first thing to do (regardless of whether you know of a vulnerability or not): remove all information about software and version from your site. This includes information embedded in your HTML pages and RSS feeds. Where to do the change depends on your software. With blogs, it is usually in the custom template, default template, or PHP/ASP pages. You probably don’t need to change every single web page — but you will probably need to change it in a few places.

This won’t stop someone from attacking you and does not close the security hole. What it does do: this prevents automatic scanners (and casual observers) from quickly determining that you are vulnerable. (Congratulations, you are no longer the lowest hanging fruit and most likely to be attacked.)

For the really creative types out there, don’t just remove it. Change it! Misinformation is far more damaging to an attacker than no information. Rather than removing the “Powered by WordPress”, change it to say “Powered by Serendipity” — a totally different blog package, or just lie: BlogProKit 9.8.1. Now if someone if going to attack you, then they will initially do so with the wrong set of exploits.

___________

Hope you found it at least a little informative as I did.

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

Just who do you think you are?

As an everyday Joe, being able to find out who is behind a phone number could help identify a crank caller, scammer or phone threat.  As an investigator we have long had resources for this type of thing, some that are free and many which cost money.

In my previous post titled Jenny 867-5309 I detail many sources used to help identify phone subscribers. Those were sources utilizing either caller ID data or directory assistance. But what if the phone number you are trying to ID is a mobile phone and is not listed in an online database? You could call the number and listen to the voicemail, but that would compromise your own phone number. Drum roll please…..here’s the turn.

Super-sleuth Robert Scott author of the “The Investigator’s Little Black Book” and proprietor of www.skipsmasher.com has created a nifty little investigative tool for the masses called Spy Dialer. How it works is you submit the subject’s mobile number into Spy Dialer and it anonymously queries the voicemail system of that number. The cool part is what magicians call the Prestige; a surreptitious recording of the subscriber’s voice and that’s not all…the ability to download the recording to your PC!

Well now you may ask, what’s the catch?  No catch. There is both a free and a paid service. The only vice of the free service is if your perp calls the number back it will play a short quip about Spy Dialer. The paid service is a very reasonable at $9.95 per year. There is even an Android app currently available and an iPhone app in the works.

So the next time you get this Prank Caller (offensive), the only question will be, do I want to be the victim or victor? Spydialer.com

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

A Picture is Worth a Thousand Words

So a couple of years ago some thieves broke into my F-150 (via a common security flaw in that year/model), stealing my GPS, DVD system, car stereo and a digital camera. A quick call to my insurance company took care of replacement of the stolen items; however, my following concern was the photos stored in my digital camera. Even though their intention was to sell the hard goods on the black market, these crooks now had photos of my family, home, etc. This was a little unsettling.

I filed a report with the local police department, which included serial numbers of the items, but even the police said it is very rare these types of items are ever recovered. After I thought a little more about the contents of the camera’s memory card, I concluded that there was really not enough in there at the time to worry. Further, there was nothing incredibly embarrassing portrayed that if released somewhere online, I would be force to change my name and move to Costa Rica. However, if there was a way to help track down my camera and recover my pics, I sure would have used it.

I recently came across an interesting website that may help folks in the same situation. It is called www.stolencamerafinder.com. This free service allows you to upload a photo taken on the misplaced camera and search online for any photos containing the same metadata. You may also input your camera’s serial number manually. The Metadata often contains the serial number of the camera the photo was taken from; therefore, if a thief snaps a pic with your camera and uploads a photo online, theoretically this service should find it. Possibly then leading you back to the perp.

I have not had the occasion to test this service extensively, so I welcome any feedback or success stories.

Alternatively, I also found a user-powered website called www.ifoundyourcamera.net. This site allows anyone to upload photos they have found, in hopes of finding and returning the photo to its rightful owner. Not as technical as the aforementioned, but noble none-the-less.

Keep following those virtual breadcrumbs. ~ The Hi-Tech P.I.

IP Cybercrime Bootcamp World Tour

Don’t miss the next IPCybercrime Boot Camp taught by my brother and mentor Rob Holmes.

“Rob Holmes, CEO of IPCybercrime.com LLC, has created a much-anticipated workshop on the state-of-the-art techniques that have made him the premier innovation leader in the Online Investigations industry. Never before, anywhere, has this much quality content been imparted in one place.”

This truly is the highest quality instruction available on Internet investigations in our industry. Every attendee is wowed at the amount of content, as well as the usefulness of Rob’s techniques.

 
For a list of Venues and for more info visit this link IPCybercrime Boot Camp