The Cutest Little Corporate Espionage Tool I’ve Ever Seen for Zero Dollars…

I work with a colleague who is a master of productivity technology.  From “Remember-the-Milk” to “Getting-Things-Done” to “The four hour work week”, if there’s a tool, tip, trick, book, Tweet feed or guru related to getting stuff done more efficiently, more device-independently or more location-independently, he’s probably tried it, bought it, used it or followed it.  So the other day he mentioned that Firefox sync, which I hadn’t used before, now has an iPhone app, which I therefore also had not used before.

So I google’d firefox sync and found that, according to Mozilla.org, it’s a “free browser add-on that lets you stay in sync with your Firefox. Access your history, passwords, bookmarks and even open tabs across all your devices.”  What good would that do me?  Well says Mozilla, let’s say you’re “doing online research from the office, only to see it’s time to head home. Now you can go back to your opened tabs and search history in an instant from any PC. Your Firefox is as you left it, no matter where you log in.”

Sounds great!  Thanks Brian for bringing this work-enhancing little wonder to my attention.  >:-)

Being who I am and what I do for a living, the only thought that occurred to me is “Wow! Think of the mischievous potential for that!”  I promptly installed it on my “dirty” box, an old Dell tower I keep in my office for surfing malware-hosting sites, Phishing pages and other stuff likely to infect the machine, then put the related app on my iPhone, configured the settings and Presto!

Figure 1: Here are the open tabs on my PC:

Three tabs open – Hotmail, Monster and the site for a Biotech startup.  Note that nothing obvious in my PC browser shows it is now “Sync-able”.

Figure 2: Here’s the tabs screen on my iPhone app:

Three tabs open – Hotmail, Monster and the site for a Biotech startup.

Now given my constant immersion in Phishing issues, my next thought was, even if the hit rate was exceedingly low, wouldn’t a Phish targeting Firefox sync users be interesting?  Problem is, you’d mostly get uninteresting junk from uninteresting victims, and how many people use Firefox Sync anyway?  Almost no one uses this thing.  Then the penny dropped.  That’s the good news!  No one uses the thing (remember, it also isn’t obvious if you are using the thing. See the note below Figure 1 above.)

If I was a malware guy or a Phishing guy or a crooked IT guy or knew someone who was (especially in a big publicly traded company), why not find a way, via drive by download, manual installation, social engineering, remote update or whatever, to install this thing on some key machines inside an organization.  I mean, if they can get a malicious banking trojan onto my PC from a server in Brazil, how hard would it be to get a browser plugin installed? I could write ten social engineering scenarios with a nearly guaranteed chance of success, but let’s take as read that I could get the thing onto a PC and set the user name and credentials.

That’s it!  My free agent-in-place is now waiting to report whenever I want to take out my iPhone.  What’s that big Pharma executive reading about today? Researching a possible takeover target?  Gotta buy me some of that stock.  Looking for a new job? Interesting.  How about using non-work email to reply to a “casual encounter” personal ad on Craigslist?  If they’re married (easy to find out browsing the social networks, property tax records etc.) I’d say, “Hello, hush money.”

And the best part of all… you can scan this PC all day long and the AV program will tell you honestly and correctly there is no malware on this machine.

Whether bad guys do it to us, or we do it to ourselves, the digital water (see here and here) will find the cracks and crevices in the containment systems.  The more we strive for connectivity, productivity and social and professional interaction, the more water will find its way to the sea.

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)

Data like digital water… (2)

Well, the “Digital Water” post produced more emails and responses than anything I’ve written, so I thought I’d continue this line of thought a bit further.  I think the basic notion was pretty well summarized there, so for now I thought I would add just one more fissure in the foundation of the data-can-be-controlled construct.

All the machines, systems, standards and policies that surround IT equipment, use and access control and so on, may be optimally designed, perfectly executed and rigorously followed.  People, process and technology can all work in concert without flaw, failure or even human error.  Like a stone wall that “stops” the progress of a flow of water, it only stops it viewed through the temporal lens of our perceptions as short lived creatures.  Sooner or later, humble little H2O will eat its way, literally, through mountains of rock.   See?

Courtesy of the Cedar City Tourism Bureau Web site

Well all those policies, procedures and technology similarly have a temporal aspect that “runs out” in far less than the millennia it takes water to wear down stone.  That timeframe is roughly equivalent to, let’s say, the useful life of a device in an industry that intentionally obsoletes everything at breathtaking speed.

What do I mean?  Well, let’s take the humble photocopier – what does it do? As its name implies, it photographs documents, then stores the image on a hard drive, then prints that image on a new piece of paper.  Given the quality of the images needed to produce good copies, the full color we all want, the big stacks of documents in corporate offices, is it any wonder that the hard drives in these things are large, and may retain an awful lot of data in them?

The vendors have every incentive to sell or lease you their newest copier with even higher resolution and an even bigger hard drive, and will happily take the old one away and drop off the new one (think car salesmen – “drive it, tow it or drag it in, even if it doesn’t work. We’ll pay off your trade no matter how much you owe!)

What could possibly go wrong in this model?  Like the water taking its time to carve the grand canyon, when the temporal (and artificial) constraint of “while it’s here in our office” is removed and the perspective is broadened to the life of the device, the notion of keeping data secure on office IT systems becomes more than a bit suspect.

Here’s a fun recent example from “News of the World” in the UK.  They undertook:

“buying a cheap second-hand copier from a dealer and [found] it crammed with records from a Government-linked defence firm.  Worse still, like thousands of other office copiers, it was destined for export abroad to FRAUD hotspots in West Africa.”

Read the full story.  Depending on your view, it’s either depressing, or a testament to the inexorable will and solvent power of (Digital) water….



Don’t worry about that new malware – your A/V program will take care of it (in about two weeks)

So I (try to remember to) end every post with a disclaimer which includes the phrase:

“no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)”

Well, this is one of those times.   A couple of us have been working on this analysis for some time, and it’s finally been made public.

Cyveillance is already known for a paper put out twice a year.  It shows the abysmal detection rates for the security and anti-virus programs vs. the malware we discover being shoved at you “in the wild” as of right now, e.g. installed by drive-by download one minute ago when browsing a malicious link or infected page.

The question that comes up again and again whenever I speak to clients, partners or the press about these studies is “OK, but how far ahead of the curve is your discovery?  That is, are you protecting me an hour sooner than McAfee/Norton/etc.?  Or a month?” We’ve known the rough answer for a while now, but we put hard numbers to it.

From the company press release:


Cyveillance tested thirteen popular AV solutions to determine their detection rate over a 30 day period and found that popular solutions only detect an average of 18.9% of new malware attacks. By day eight, AV solutions average a 45.7% detection rate. This rises to 56.6% on day 15, 60.3% by day 22, and 61.7% after 30 days. Top AV solutions take an average of 11.6 days to catch up to new malware.

Gratuitous plug – get the full white paper here:  http://www.cyveillance.com/web/forms/request.asp?getFile=118
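To make the measurement in the press release concrete, here is an added example (not from the white paper or Cyveillance’s own tooling) that computes the day-N detection rate and the average catch-up lag from a constructed table of malware samples, each with its first-seen date and the date every AV product first flagged it. The per-product averaging and the exclusion of never-detected pairs from the lag are assumptions about the methodology, not details the release states.

```python
from datetime import date, timedelta
from statistics import mean

PRODUCTS = ["av_a", "av_b", "av_c"]  # hypothetical product names

# Constructed sample data: first_seen is the day the sample appeared in the
# wild; detected maps each product to the day its signatures first flagged the
# sample, or None if it was still missed at the end of the 30-day window.
SAMPLES = [
    {"first_seen": date(2010, 8, 1),
     "detected": {"av_a": date(2010, 8, 1), "av_b": date(2010, 8, 9), "av_c": None}},
    {"first_seen": date(2010, 8, 3),
     "detected": {"av_a": date(2010, 8, 3), "av_b": date(2010, 8, 18), "av_c": date(2010, 8, 3)}},
    {"first_seen": date(2010, 8, 5),
     "detected": {"av_a": date(2010, 8, 20), "av_b": None, "av_c": date(2010, 9, 4)}},
    {"first_seen": date(2010, 8, 10),
     "detected": {"av_a": date(2010, 8, 10), "av_b": date(2010, 8, 12), "av_c": date(2010, 8, 25)}},
]

CHECKPOINTS = [0, 8, 15, 22, 30]  # the days quoted in the press release


def detection_rate(samples, day, products=PRODUCTS):
    """Average, over products, of the share of samples flagged by `day`
    days after first sighting (day 0 = same day the sample was seen)."""
    rates = []
    for product in products:
        flagged = 0
        for s in samples:
            seen = s["detected"][product]
            if seen is not None and seen <= s["first_seen"] + timedelta(days=day):
                flagged += 1
        rates.append(flagged / len(samples))
    return mean(rates)


def detection_curve(samples, checkpoints=CHECKPOINTS):
    """Detection rate at each checkpoint day, as a dict {day: rate}."""
    return {day: detection_rate(samples, day) for day in checkpoints}


def mean_catch_up_days(samples, products=PRODUCTS):
    """Average lag between first sighting and detection, over (sample, product)
    pairs that were detected within the window; never-detected pairs are excluded."""
    lags = [(s["detected"][p] - s["first_seen"]).days
            for s in samples for p in products if s["detected"][p] is not None]
    return mean(lags)


if __name__ == "__main__":
    for day, rate in detection_curve(SAMPLES).items():
        print(f"day {day:2d}: {rate:.1%} detected")
    print(f"average catch-up: {mean_catch_up_days(SAMPLES):.1f} days")
```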


Data like digital water…

There’s an old saying in some martial arts systems that “water seeks its own level”, i.e. no matter what you do to contain it, route it, control it or prevent its movement, water is forever drawn by gravity toward sea level.  Simple as it is, a few molecules of hydrogen and oxygen, over time water will generally overcome, burst through, dissolve or exploit its way through every fissure, failure, crack, container or barrier.  Whether it is over seconds or centuries, the philosophical view goes, water will find its way out to the endless open sea.

This old chestnut crossed my mind during my koryu bujutsu (classical Japanese martial arts) class this weekend and I realized it solved a problem I struggled with all last week, which was, after a week like this, how do I pick a topic?!

(BTW I don’t normally say this explicitly, but actually read all the linked stories in the section below, or at least read the headlines of each.  It will put this post in a much clearer context.)

With so much fodder in a single week, from DEFCON’s social engineering extravaganza to the Wikileaks debacle to the posting of 100 million Facebook profiles gathered from the open source, it felt like the world was finally smacked in the face enough times at once to notice what some of us have been studying, struggling with and occasionally shouting from the rooftops for nearly a decade, which is that the traditional problems of intelligence, privacy protection, law enforcement and even personal safety have all been turned on their head.

The problem is not “I can’t get the information I need because it isn’t out there”.  The problem is now that it IS out there. A lot of it, most of it, and possibly in the near future, darn near all of it. What the classified data leaks, and the corporate breaches, and lost laptops and eBay’ed hard drives and hacking contests are finally beginning to convey to mainstream awareness is that data is becoming digital water. This includes governments’ information, financial information, corporate information, and your and my personal identity, social- and professional-network information.

Whether by accident or design, whether through architectural flaws in the construction of the storehouse or intentional holes drilled in the containers, in a completely networked world, information is constantly seeping, condensing, evaporating and ever so slowly but inexorably wearing away at the systems and structures designed to contain it.  More dramatically than water, as the Wikileaks and Facebook episodes highlight (you can download the entire contents of what was harvested in either case with a simple google search), once digital water finds a crack in its containment, it can flow to a new “level” (e.g. a hacker chat room or an anonymous FTP server) and eventually to the open sea/public ‘Net with sometimes-breathtaking speed and impact.

Some will decry this as poisonous, others will applaud it as the road to utopia, some will try to retard it, others will seek to further and hasten it.  I expect I’ll post separately on what I think it all means (it’s too much for one sitting) but of this I am absolutely certain – there is no stopping it.  There is no putting the genie back in the bottle.  Digital water will seek its own level, and there are people out there, from industry watchers to spies to private eyes to health insurance companies that are already sponging up the trickles and dribbles.  Get ready for the flood, this is just the beginning.


