
Personal experiences of Internet crime

Created at April 27, 2009
Created by Timo Vuorensola
Deadline December 06, 2009 (passed)
Shots given: 9

Thumbs ranking

Kerry O'Donoghue, "Cyber crime is not in isolation": 5 (22%)
David Yacobus, "Worm": 3 (13%)
Alexander Vervaet, "How to hack important things": 2 (9%)
(null), "Cybercrime as censorship": 2 (9%)
Thomas Shaddack, "Worms knowing the passwords": 2 (9%)
Thomas Shaddack, "Self-advertising vulnerable machines, ...": 2 (9%)
Thomas Shaddack, "Hacking laptop (and BIOS in general) ...": 2 (9%)

Description

Tell us your personal experiences of Internet crime. Have you been a victim of a crime, or have you (God forbid!) committed one? (Piracy not included :) Or maybe you know somebody who has done something.



Shots

Kerry O'Donoghue May 19, 2010 13:04 5 Thumb-ups

Cyber crime is not in isolation

You may find that in many cases the hacker, cyber criminal or whatever you want to call them is not just acting via the web; they are very often involved in 'real world' crimes too, sometimes without realising it, or the information they gained is involved in other crimes. I.e. ID fraud will sometimes be carried out over the web, but the same ID will be sold to another, and that person may well use it for buying physical items on the web which are then sold in bars etc.

Card cloning is another problem and then the information is transferred from one magnetic strip to another. I have seen staff in organisations transfer money electronically to fund terrorism, to facilitate the purchase of properties to house people who were trafficked illegally.

Cyber crime is popular with organised crime as those who carry out the crimes do it and view it as a victimless crime, so it is easy to recruit people to do it or blackmail normally honest people into committing the cyber crime, which I have seen. A cyber criminal most of the time would not break into a house to steal anything or mug an old lady because they would have to encounter the victim, but via computer they will empty that same old lady's bank account without a second thought, or facilitate the illegal purchase of a house to be used as a brothel for trafficked women. The only difference is the cyber criminal does not have to face the victim, so their conscience is clear; all they did was sit behind a computer and tap a few keys.


Comments

(null) May 20, 2010 18:13

Kerry, that's a great offer and I think these would be great ideas for the series, but I'm not actually the production leader so I'm not sure whether I'm the right person to be receiving stuff.

The leader is Timo Vuorensola but he's busy right now with Iron Sky ( http://www.youtube.com/watch?v=DeAfoiN5SDw )... hmm...

Try contacting Riku Pyhälä ( http://www.wreckamovie.com/user/show/1689 ), he's listed as the assistant leader.

Jack Malinowski May 20, 2010 16:57

nail + head = yes

Kerry O'Donoghue May 20, 2010 09:14

Kris, if you want I can send you or put up actual case studies of different types of crimes that are linked like this. Do you want to know how you actually gather the intelligence? It's nothing like 24; in reality it takes a lot longer.

One frightening aspect is when corruption is involved caused by someone being blackmailed into assisting an organised crime group that uses hackers to advance their crimes.

My email is odono10@gmail.com and I'll send the case studies out from that address if anyone wants to see them.

Like I said before, I'll do anything to help. From Kerry

(null) May 19, 2010 13:33

Just thinking about the chain idea... that might actually be a pretty good narrative structure for the series.

Perhaps the thread that runs through the episodes could be following a chain?

Carl L. May 19, 2010 13:30

Anyone who's ever played Shadowrun (no, not the xbox game) knows how useful a hacker can be.

(null) May 19, 2010 13:26

...so what you're saying is, Griffin should show the whole chain of crime instead of just one link?

Alexander Vervaet December 04, 2009 20:03 2 Thumb-ups

How to hack important things

I once heard of a guy who succeeded in hacking the computers of the Pentagon. He had hacked the computer of a university, which was doing research for a company that was doing something for something else and so on. But they all worked on a project which was ordered by the Pentagon, so the guy managed to break into the computers of the Pentagon via the companies that worked on that project.


Comments

Peter Vesterbacka December 06, 2009 23:00

Might even have been Griffin Sharpe who did that in his days of hacking stuff.

Thomas Shaddack October 27, 2009 07:07 2 Thumb-ups

Self-advertising vulnerable machines, passive scanning

When a machine has a vulnerable service exposed to the Net, it can be (and usually is) scanned for that and then infected. The worm then usually uses the machine as an attack base for scanning more machines and spreading itself exponentially.

By doing the probes, it advertises its presence - and also its vulnerability. Merely by listening to the probes on my firewall, I can make myself an up-to-date database of easy-to-compromise hosts in case of need. Then, when a proxy or other service needs to be used, look up the logs and pick a suitable victim for a temporary hijack. Passive way, minimizing the chance of being detected.

Passive methods are the best for routine use. No broadcasting what you're doing, just listening. And knowing.


Comments

David Jansson November 15, 2009 09:23

You're scaring me...

Tianyi Pan October 29, 2009 14:15 2 Thumb-ups

Deactivation of your Email Address

Should I reply?

from Administrator <admin@mailsupport.com>
reply-to activate-emailonline@aggies.com
to
date 29 October 2009 14:13
subject Deactivation of your Email Address

THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM This message is sent
automatically by the computer.
If you are receiving this message it means that your email address has
been queued for deactivation; this was as a result of a continuous error
script (code:505)received from this email address. To resolve this problem
you must reset your email address. In order to reset this email address,
you must reply to this e-mail by providing us the following Information
for confirmation.

Current Email User Name : { }
Current Email Password : { }
Re-confirm Password: { }

Note: Providing a wrong information or ignoring this message will resolve
to the deactivation of This Email Address.

You will continue to receive this warning message periodically till your
email address is been reset or deactivated.resolve


Comments

Tianyi Pan October 29, 2009 20:48

"This is actually a pretty good real-life example."

Exactly ;)

Thomas Shaddack October 29, 2009 14:24

Certainly not. It looks like a scam intended to get your email access credentials.

That then can be used for spamming, or sending scams in your name, or even reading your email and using the acquired information to impersonate you in order to get some money out of your contacts. (Happened.)

Example how hijacked Facebook profiles are used is here:
http://www.securitypark.co.uk/security_article262602.html
I assume a variant with email would work too.

As various web services can send you a new password by email, getting access to your email may serve as a first step to gain access even to other services you use.

This is actually a pretty good real-life example.

(null) October 29, 2009 14:17

"Should I reply?"

LOL
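As an added example (not code from anyone in this thread), the message quoted in the shot above can be checked for the traits Thomas Shaddack's comment points at: a generic "support" sender, a reply address on a different domain, a request to reply with the password, and a threat of deactivation. The message is reconstructed here as an RFC 5322 string; the header names are assumed, the values are the post's.

```python
import email
import re
from email.utils import parseaddr

# Reconstructed from the shot above; header names are assumed, values are from the post.
SCAM_MESSAGE = """\
From: Administrator <admin@mailsupport.com>
Reply-To: activate-emailonline@aggies.com
Subject: Deactivation of your Email Address
Date: Thu, 29 Oct 2009 14:13:00 +0000

THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM This message is sent
automatically by the computer.
If you are receiving this message it means that your email address has
been queued for deactivation; this was as a result of a continuous error
script (code:505)received from this email address. To resolve this problem
you must reset your email address. In order to reset this email address,
you must reply to this e-mail by providing us the following Information
for confirmation.

Current Email User Name : { }
Current Email Password : { }
Re-confirm Password: { }

Note: Providing a wrong information or ignoring this message will resolve
to the deactivation of This Email Address.
"""

CREDENTIAL_FIELD = re.compile(r"\b(password|user\s*name)\s*:", re.IGNORECASE)
THREAT = re.compile(r"\b(deactivat\w*|suspend\w*|clos\w*\s+your\s+account)\b", re.IGNORECASE)
GENERIC_SENDERS = {"administrator", "admin", "support", "technical support"}


def domain_of(addr_header):
    """Lower-cased domain part of an address header, or '' when the header is absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def credential_phishing_indicators(raw):
    """Return the indicator names found in a raw RFC 5322 message, in check order."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    found = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    # Replies are steered to a domain other than the claimed sender's.
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-domain-mismatch")
    # A provider never needs your password in a reply to "reset" anything.
    if CREDENTIAL_FIELD.search(body):
        found.append("asks-for-credentials")
    # Pressure: ignore this and lose the account.
    if THREAT.search(body):
        found.append("deactivation-threat")
    # Authority claim with no named organisation behind it.
    name, _ = parseaddr(msg["From"] or "")
    if name.strip().lower() in GENERIC_SENDERS:
        found.append("generic-admin-sender")
    return found
```

Any one indicator is weak on its own; the quoted message trips all four, which is the combination Thomas's comment describes.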

Thomas Shaddack October 27, 2009 10:10 2 Thumb-ups

Tracking down an anonymous email

Some time ago, a coworker got a problem. Her SO was getting anonymous emails from a webmail account, intended to make him question their relationship. He told her. She had a suspicion about her office colleague, and called me to investigate.

The webmail conserved the sender IP in the mail headers. Good. We traced the IP down to another place, a wireless ISP in a mid-sized town. The colleague was proved innocent.

It turned out that the place was her hometown. That led to a hypothesis that the sender was somebody she knew, underlined by what the sender knew and wrote in the mails.

We took her personal mail account, and went through the mail headers, one by one, looking for the IP to match. And after a while, we found a mail from her friend, another woman from that town, with a matching sender IP.

She openly confronted her. The other lady denied involvement. Emails stopped and never appeared again.

I did a similar thing before, on a mailing list. There was a war between two of the list members. An email appeared, accusing one of something, attempting to ruin his reputation. As he was my friend, I took a look at the mailbox and attempted to match the IP address. And, found. The other list member's posts from the last couple of days matched. (Beware of dynamic IPs on cable modems and DSL lines; they are quasi-persistent and can stay the same for days or even months.) Posted the findings on the list, attacks ceased.

Another email-related lookup was about a long-lost friend who resurfaced again. Her webmail account showed an IP address. The IP address geolocated to a large US city; the WHOIS showed a large ISP from that city. Reverse DNS lookup yielded no domain set for the IP. According to the coarse location and the time zone, the mail was likely sent from a work computer. A quick lookup with a script written for the purpose of assisting with identifying spam (a one-liner that tries a reverse lookup on the entire C-class, x.x.x.0 to x.x.x.255), and voila - in the sea of empty responses there was one mx.companyname.tld - a mailserver, just a few numbers from that one IP. (Mailservers have to have their reverse domain name set. Not doing so leads to a lot of spamfiltering.) Hypothesis: a company having leased a small block of addresses, running its own mailserver. A quick look at the company website, and from its parts not indexed by a search engine a list of employees was accessed - and she was there.


Comments

Mari Harju October 27, 2009 17:03

This could easily be used by criminals as opposed to for tracking them - for example, a stalker could use this kind of information to get the approximate RL location of their victim - if they can narrow them down to $company in $city, things can get a lot easier for them.

(null) June 22, 2009 01:57 2 Thumb-ups

Cybercrime as censorship

I used to run my own websites about various topics but there were so many hacking incidents and security holes no matter what CMS I tried that I just gave up on running a site of my own. I just couldn't stand all the backing up and fixing and worrying, so I shut my sites down.

Although they probably didn't intend it, the hackers in effect censored my sites.

This could produce some interesting storylines for a cybercrime series, if it featured hack attacks where the censorship WAS intended. It would provide a motivation for cybercrime other than money.


Comments

Thomas Shaddack October 27, 2009 08:40

A more direct, more sinister and less illegal (and often more expensive for the victim) form of censorship involves lawyers. The Yes Men, with their recent Chamber of Commerce prank, created an example.
http://www.commondreams.org/newswire/2009/10/23-5

The same article also mentions an earlier such attempt involving gwbush.com by the RTMark group.

Such attempts come from all sides, be it corporations or political parties.
http://www.tjcenter.org/muzzles/

A wide set of online censorship attempts using all available resources, dating back to the early ages of the Net and not limited to online settings but also involving physical world threats/attacks, was/is being perpetrated by the "Church" of Scientology. Who also were the subject behind the shutdown of the anon.penet.fi anonymous remailer.
http://en.wikipedia.org/wiki/Fair_Game_(Scientology)
http://en.wikipedia.org/wiki/Penet_remailer

Peter Vesterbacka October 26, 2009 17:16

Agree 100% with you about fiction playing catch-up to reality. Have been talking to a few people who really know this stuff and the real stories are amazing. That is one of the reasons we started Project WORM, so many stories that need to be told and will make for excellent entertainment too. And will hopefully be quite different from what you'd see from Hollywood, after all we are on a mission to wreck the Hollywood model;-)

Thomas Shaddack October 26, 2009 14:30

It actually DOES happen in reality. Especially vulnerable are the webs that either anger script kiddies, are a pain for somebody (typical for antispam services), or contain some valuable data (e.g. credit cards).
Real-life example: taking down several spamblock lists and convincing operators of some to give up.
http://research.lifeboat.com/spam2.htm

Want to take a website (or an Internet service in general) down? Hire a botnet and DDoS them into oblivion.

There is a possibility of an alternate architecture for the RBL blocklists, decentralized P2P immune against DDoS.
http://www.sysdesign.ca/archive/ddos_resistant_blocklist.pdf

A way to avoid CMS vulnerabilities is going without one and coding the stuff directly in HTML or low-end PHP. Still vulnerable to the host's own holes and to DDoS, but these are now the hosting service's business. Requires much more knowledge than CMS, though.

The reality is crammed full with potential plots for dramas. The fiction is actually playing catch-up.

(null) October 26, 2009 12:05

Whatever you use though, there's always going to be some vulnerability, and the more famous a website is the more likely hackers are going to pick it as a target. And if some group or organisation hates a particular website, they might even pay a hacker to harass it until it's taken down.

Even if this is unlikely to happen in reality, it's at least a plausible plot for a drama. :)

Thomas Shaddack October 26, 2009 11:11

A low-end method to harden a server against such attacks is to put the CMS interface into a non-default location. Most of such attacks are perpetrated by automated systems, looking for low-hanging fruits like files at default paths. Will not work against a dedicated attacker with time on his hands, but will foil a bot.

Thomas Shaddack October 27, 2009 08:02 2 Thumb-ups

Hacking laptop (and BIOS in general) passwords

Sometimes a laptop appears that gets bought cheaply or acquired in a similar way that has a BIOS password set, which needs to be removed.

The BIOS configuration data are usually hidden in a small EEPROM chip, which usually looks like an 8-pin SMD part with 24C... or 93C... labeling. Common part, with available datasheets. Usually with I2C bus.

The clock and data lines can be tapped by soldering thin wires on the chip's pins. The activity on them can be sensed by a 'scope, an I2C bus analyzer, or even a plain old LED. By grounding the lines, the reading of the chip can be disabled at the right moment. Depending on the BIOS, it is possible to force it to think the machine just went down from the assembly line and should initialize to defaults, or just force zeros to the bus when reading the password, making the BIOS think it has zero length. The bus behavior can be observed and further guessed by trial and error while watching the bus activity; a scope is useful here, a LED can be sufficient.

Alternatively, the chip can be desoldered, read, written, soldered back. Or just the traffic from the chip can be monitored, and the password decoded from it.

When only the BIOS setup password is set, it is possible to use debug.exe (or linux eeprom tools) to directly set some bytes in the EEPROM to wrong values. At next boot, the BIOS checksum fails and defaults are set.

This applies generally to many things using I2C bus and configuration EEPROMs. Closeup shots at a technician deftly soldering thin shiny wires on tiny chip pins could look nice in a movie. Other attractive-looking things may be waveforms on an oscilloscope, or some sort of color-highlighted scrolling logs or decoded bus traffic. Chipping of devices, from game consoles to DVD players, also often requires direct access to the hardware on component level.

For a sample of oscilloscope screenshots with videosignal, check out this:
http://en.wikipedia.org/wiki/Analogue_television_synchronization
(Especially with CRT-based scopes, adjusting the brightness and ambient light to look good on camera may take a while of experimenting.)

A young, unemployed technician who desperately needs money often won't ask many questions before whipping out the soldering iron.

...after gaining access, said technician may poke around the hard drive, find something of value (confidential data, or saved access passwords to websites or a VPN...), attempt to extract the value, and set off an unexpected avalanche of events. (The same can be done with data found on a purchased non-wiped or poorly-wiped secondhand disk/machine, or as a breach of trust when said technician is hired to do data recovery.)


Comments

This shot doesn't have comments.

Thomas Shaddack October 27, 2009 06:58 2 Thumb-ups

Worms knowing the passwords

I got one of the sites in my care hacked. The index page was changed, an iframe linking to a third party server hosting some exploits was inserted.

Examination of the logs showed a login via FTP, download of the file and immediate re-upload. That was done a couple more times, from vastly different locations, over a period of a few weeks. There were no signs of bruteforcing, and the password was reasonably strong.

The hypothesis is that the computer of the person responsible for the site content was wormed, the worm took hold of the site/username/password saved there, and then told its brothers in the botnet.
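As an added example (not code from the thread or its author), here is the log check that separates the pattern described in this shot from a brute-force attack: a valid login followed by download and near-immediate re-upload of the same file, repeated from several unrelated source addresses, with no failed logins in between. The FTP log lines and their "time ip user action path" format are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the format and every value are invented for this example.
FTP_LOG = """\
2009-10-01T02:14:05 203.0.113.7 webeditor LOGIN_OK -
2009-10-01T02:14:09 203.0.113.7 webeditor RETR /htdocs/index.html
2009-10-01T02:14:21 203.0.113.7 webeditor STOR /htdocs/index.html
2009-10-03T11:02:00 192.0.2.44 webeditor LOGIN_OK -
2009-10-03T11:02:03 192.0.2.44 webeditor RETR /htdocs/images/logo.png
2009-10-09T17:45:30 198.51.100.200 webeditor LOGIN_OK -
2009-10-09T17:45:33 198.51.100.200 webeditor RETR /htdocs/index.html
2009-10-09T17:45:40 198.51.100.200 webeditor STOR /htdocs/index.html
"""

# A human editing a page takes longer than this between fetching it and putting it back.
REUPLOAD_WINDOW_S = 60


def parse(log):
    """Split the constructed log into (datetime, ip, user, action, path) tuples."""
    rows = []
    for line in log.splitlines():
        ts, ip, user, action, path = line.split()
        rows.append((datetime.fromisoformat(ts), ip, user, action, path))
    return rows


def suspicious_reuploads(log):
    """Per account with a fast download-then-reupload of the same file from the same IP:
    the distinct source IPs involved, the files touched, and the failed-login count."""
    last_retr = {}   # (user, path) -> (time, ip) of the most recent download
    hits = defaultdict(lambda: {"ips": set(), "files": set(), "failed_logins": 0})
    for when, ip, user, action, path in parse(log):
        if action == "LOGIN_FAIL":
            hits[user]["failed_logins"] += 1
        elif action == "RETR":
            last_retr[(user, path)] = (when, ip)
        elif action == "STOR" and (user, path) in last_retr:
            got, got_ip = last_retr[(user, path)]
            if got_ip == ip and (when - got).total_seconds() <= REUPLOAD_WINDOW_S:
                hits[user]["files"].add(path)
                hits[user]["ips"].add(ip)
    return {u: {"ips": sorted(h["ips"]), "files": sorted(h["files"]),
                "failed_logins": h["failed_logins"]}
            for u, h in hits.items() if h["files"]}


def looks_like_stolen_credential(report):
    """Several unrelated IPs using one account correctly, with no guessing noise,
    points at a leaked password rather than brute force."""
    return len(report["ips"]) >= 2 and report["failed_logins"] == 0
```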


Comments

This shot doesn't have comments.

David Yacobus May 03, 2009 23:31 3 Thumb-ups

Worm

Once, the network at my company got infected by a kind of worm that was somehow transmitting and downloading something (likely a virus or spyware) from the net. The only way we could be sure that it would not transmit confidential data was by unplugging the modem cable. It took about two weeks before there were tutorials on how to remove it.


Comments

Thomas Shaddack October 26, 2009 11:56

Most worms I encountered were spamming. The mode of operation is usually lying dormant for a while, then sending a burst of traffic, then lying dormant again. Very difficult to spot them all that way when watching in real time. Looking for outgoing connections to port 25 at the firewall, and making a log, works more reliably. Blocking outgoing port 25 is the best but not always practical.

Another activity commonly encountered is scanning the networks. Watching for ARP traffic, a machine querying for machines it should not be asking to contact, provides telltale clues here; as ARP queries are broadcasts, the monitoring can be done from any machine on the LAN.
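The two checks this comment recommends, as an added example rather than code from the thread: count outgoing port-25 connections per internal host in a firewall log and flag bursts (the dormant/burst pattern), and count distinct ARP who-has targets per host to catch a scanner. Both record formats and all addresses are constructed for this example.

```python
from collections import defaultdict

# Constructed firewall log of outgoing connections: "epoch src dst dport".
FW_LOG = """\
1256550000 10.0.0.5 198.51.100.10 80
1256550001 10.0.0.9 203.0.113.25 25
1256550001 10.0.0.9 203.0.113.26 25
1256550002 10.0.0.9 203.0.113.27 25
1256550002 10.0.0.9 203.0.113.28 25
1256550003 10.0.0.9 203.0.113.29 25
1256550400 10.0.0.5 192.0.2.20 25
"""

# Constructed ARP who-has capture as seen from any LAN host: "epoch sender target".
ARP_LOG = """\
1256550000 10.0.0.5 10.0.0.1
1256550001 10.0.0.9 10.0.0.2
1256550001 10.0.0.9 10.0.0.3
1256550001 10.0.0.9 10.0.0.4
1256550002 10.0.0.9 10.0.0.6
1256550002 10.0.0.9 10.0.0.7
1256550003 10.0.0.5 10.0.0.1
"""


def smtp_bursts(log, window_s=10, threshold=3):
    """Hosts that opened at least `threshold` outgoing port-25 connections inside any
    `window_s`-second window; value is the largest burst seen for that host."""
    by_host = defaultdict(list)
    for line in log.splitlines():
        ts, src, _dst, dport = line.split()
        if dport == "25":
            by_host[src].append(int(ts))
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[host] = max(flagged.get(host, 0), size)
    return flagged


def arp_scanners(log, threshold=4):
    """Hosts that asked who-has for at least `threshold` distinct neighbours."""
    targets = defaultdict(set)
    for line in log.splitlines():
        _ts, sender, target = line.split()
        targets[sender].add(target)
    return {h: len(t) for h, t in targets.items() if len(t) >= threshold}
```

A single mail client sending one message (10.0.0.5 here) stays under both thresholds; the host that fans out to many mail servers and many neighbours in a few seconds is the one to pull off the network.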
