The Cutest Little Corporate Espionage Tool I’ve Ever Seen for Zero Dollars…

I work with a colleague who is a master of productivity technology.  From “Remember-the-Milk” to “Getting-Things-Done” to “The four hour work week”, if there’s a tool, tip, trick, book, Tweet feed or guru related to getting stuff done more efficiently, more device-independently or more location-independently, he’s probably tried it, bought it, used it or followed it.  So the other day he mentioned that Firefox sync, which I hadn’t used before, now has an iPhone app, which I therefore also had not used before.

So I google’d firefox sync and found that, according to Mozilla.org, it’s a “free browser add-on that lets you stay in sync with your Firefox. Access your history, passwords, bookmarks and even open tabs across all your devices.”  What good would that do me?  Well says Mozilla, let’s say you’re “doing online research from the office, only to see it’s time to head home. Now you can go back to your opened tabs and search history in an instant from any PC. Your Firefox is as you left it, no matter where you log in.”

Sounds great!  Thanks Brian for bringing this work-enhancing little wonder to my attention.  >:-)

Being who I am and what I do for a living, the only thought that occurred to me was “Wow! Think of the mischievous potential for that!”  I promptly installed it on my “dirty” box, an old Dell tower I keep in my office for surfing malware-hosting sites, Phishing pages and other stuff likely to infect the machine, then put the related app on my iPhone, configured the settings and Presto!

Figure 1: Here are the open tabs on my PC:

Three tabs open – Hotmail, Monster and the site for a Biotech startup.  Note that nothing obvious in my PC browser shows it is now “Sync-able”.

Figure 2: Here’s the tabs screen on my iPhone app:

Three tabs open – Hotmail, Monster and the site for a Biotech startup.

Now given my constant immersion in Phishing issues, my next thought was, even if the hit rate was exceedingly low, wouldn’t a Phish targeting Firefox Sync users be interesting?  Problem is, you’d mostly get uninteresting junk from uninteresting victims, and how many people use Firefox Sync anyway?  Almost no one uses this thing.  Then the penny dropped.  That’s the good news!  No one uses the thing (remember, it also isn’t obvious if you are using the thing. See note below Figure 1 above.)

If I were a malware guy or a Phishing guy or a crooked IT guy or knew someone who was (especially in a big publicly traded company), why not find a way, via drive-by download, manual installation, social engineering, remote update or whatever, to install this thing on some key machines inside an organization?  I mean, if they can get a malicious banking trojan onto my PC from a server in Brazil, how hard would it be to get a browser plugin installed? I could write ten social engineering scenarios with a nearly guaranteed chance of success, but let’s take as read that I could get the thing onto a PC and set the user name and credentials.

That’s it!  My free agent-in-place is now waiting to report whenever I want to take out my iPhone.  What’s that big Pharma executive reading about today? Researching a possible takeover target?  Gotta buy me some of that stock.  Looking for a new job? Interesting.  How about using non-work email to reply to a “casual encounter” personal ad on Craigslist?  If they’re married (easy to find out browsing the social networks, property tax records etc.) I’d say, “Hello, hush money.”

And the best part of all… you can scan this PC all day long and the AV program will tell you honestly and correctly there is no malware on this machine.
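Since AV will not flag a legitimately installed add-on, the practical defensive check is an inventory one: find out which Firefox profiles on your endpoints have Sync configured, and to which account and server. The script below is an added example, not code from the original post; it reads the `user_pref("name", value);` lines Firefox writes to a profile's prefs.js, and it assumes the `services.sync.*` preference names used by Firefox Sync of that era. The prefs.js content is constructed for illustration.

```python
import re
from typing import Dict, List

# Firefox stores per-profile settings in prefs.js as lines of the form
#   user_pref("name", value);
# Sync settings live under the services.sync.* prefix (assumed names).
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')
ACCOUNT_KEYS = ("services.sync.username", "services.sync.account")
ENGINE_PREFIX = "services.sync.engine."

# Constructed sample of a profile with Sync switched on for tabs,
# history and passwords and pointed at an explicit server.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("services.sync.username", "sync-account@example.com");
user_pref("services.sync.serverURL", "https://sync.example.net/");
user_pref("services.sync.engine.tabs", true);
user_pref("services.sync.engine.history", true);
user_pref("services.sync.engine.passwords", true);
user_pref("network.cookie.cookieBehavior", 0);
"""

def parse_prefs(text: str) -> Dict[str, str]:
    """Return {pref_name: value} for every user_pref line (quotes stripped)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs

def sync_report(prefs: Dict[str, str]) -> Dict[str, object]:
    """Summarise whether Sync is configured and which data types it syncs."""
    account = next((prefs[k] for k in ACCOUNT_KEYS if prefs.get(k)), None)
    engines = sorted(k[len(ENGINE_PREFIX):] for k, v in prefs.items()
                     if k.startswith(ENGINE_PREFIX) and v == "true")
    return {"sync_configured": account is not None, "account": account,
            "server": prefs.get("services.sync.serverURL"), "engines": engines}

def audit_prefs_js(text: str) -> List[str]:
    """Human-readable findings for an endpoint inventory check."""
    r = sync_report(parse_prefs(text))
    findings = []
    if r["sync_configured"]:
        findings.append(f"Firefox Sync configured for account {r['account']}")
        if r["server"]:
            findings.append(f"explicit sync server: {r['server']}")
        if r["engines"]:
            findings.append("syncing: " + ", ".join(r["engines"]))
    return findings

if __name__ == "__main__":
    for finding in audit_prefs_js(SAMPLE_PREFS_JS):
        print(finding)
```

Run against each profile's prefs.js on managed machines, a non-empty result on a host where nobody enabled Sync is exactly the signal this post says AV will never give you.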

Whether bad guys do it to us, or we do it to ourselves, the digital water (see here and here) will find the cracks and crevices in the containment systems.  The more we strive for connectivity, productivity and social and professional interaction, the more water will find its way to the sea.

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)
