

Archive for the ‘Interesting SE Articles’ Category

Analysis of the Lower Merion School District Remote Monitoring of Students

Wednesday, May 12th, 2010

Simply typing “Lower Merion County WebCam” into Google brings back 35,000 websites, and “Lower Merion County” 185,000. This is no small news story. Yet the focus of most coverage is on the ability the IS department had to take unsolicited, private pictures of minors in their homes using school-issued laptops.

On February 16th, 2010 a civil suit was brought against the Lower Merion, PA school district which, in short, accuses the district of spying on students and in some instances photographing them in their homes, without their knowledge, using the webcam embedded in the school-issued Apple MacBooks. Social-engineer.org had previously blogged on the initial disclosure.

The information for these articles is based on the recently released report of an independent investigation retained by the school district and performed by Ballard Spahr, L.L.P. with the assistance of L-3 Services, Inc., an independent computer forensic consulting firm. During the course of this 10-week investigation, 500,000 pages of documents and 19 terabytes of data were voluntarily turned over by the school district to the investigating parties, resulting in a very long report. There were also several interviews with school district staff and local law enforcement.

Social-Engineer.org sent out a plea for help, and a security enthusiast and penetration tester, Nick “nick8ch” Hitchcock, stepped forward to help us analyze and decipher this large report. What we came up with is a two-part blog post that analyzes this story from some unique perspectives.

Part 1: Technical Analysis: what technology was used, how, when and to what extent.

Part 2: What we can learn from this case and how to protect ourselves against privacy violations from so-called “trusted” sources.

Part 1: Technical Analysis.

First, let’s look at the background of the school district’s technology setup. In the fall of 2007, the school district purchased computer management software to handle the ever-growing size of its network infrastructure. They chose a product by the name of LANrev. It’s important to note that since the initial purchase, the company that created this software package, Pole Position, has been acquired by Absolute Software. The name of the software has changed, as have some features, but for the case record I will use the original names of the monitoring software and its components. LANrev’s features included software deployment and updates/patches, hardware/software inventory management, cross-platform support (meaning both Windows and Apple computers were supported) and a “Theft Recovery” feature called TheftTrack. For obvious reasons we will be focusing on the last feature.

What exactly did TheftTrack do? In the event of a laptop theft, this service could be remotely activated on the laptop. The TheftTrack service was not active at all times; it had to be manually started. Within the school district, only two of the 18 IS staff members had TheftTrack administrative access: Carol Cafiero, IS Coordinator, and Michael Perbix, Network Technician.

What was TheftTrack capable of? Three things could be selected for collection, and any one or all of them could be selected or deselected when TheftTrack was activated:

1) The IP address of the computer.
2) A still photograph or snapshot from the embedded webcam, taken at a set interval, as short as one minute.
3) A desktop screenshot of the computer, taken at a similar interval to the webcam snapshot.

Some points to note about these features: TheftTrack was incapable of recording video or audio from the computer. It also could not access the camera if it was in use by another application, for instance video conferencing. It was found that remote snapshots were not available “on demand”; they were available only after TheftTrack was activated, and were then sent at the interval at which LANrev was set to check in or “call home” to the school’s main LANrev inventory server. This obviously could only take place when the computer in question was connected to the internet. The information was uploaded to and stored on the LANrev inventory server, where it had to be reviewed and manually purged.

Here is a video of Michael Perbix talking about this tracking feature:

One discrepancy I found in the investigation is that, although only two individuals had sufficient credentials to activate or deactivate the service, the documentation supports that any LANrev administrator could view the data collected by TheftTrack.

From a social engineering perspective, the usefulness and relevance of this independent report ends here. One critical aspect of this case goes ignored.

The entire investigation rests on the assumption that the TheftTrack module was the only method available for remotely breaching the privacy of students and teachers.

The standard install of LANrev already allows remote administrative access to the client, and allows much more to be done to monitor, track and collect data from client computers.

The following information can be found on the LANrev website. Theft tracking was officially available starting with version 4, but as far back as version 1 of LANrev the administrator had the ability to interact with the shell or command line of any managed computer. Any information security specialist or hacker will confirm that a remote command shell with administrative privileges is the “Holy Grail” of compromising a computer system: everything else, webcam and screen capture included, follows from it. This was available to the administrators at ANY time, by default. Notice other highlighted revisions in the life of this software:

- LANrev version 2.0 implemented remote desktop integration with Mac and Windows, allowing remote graphical user interface interaction.

- LANrev version 3.0 added integration of VNC, PC Anywhere and Timbuktu. VNC takes remote graphical user interface interaction a step further: a viewer can watch the computer’s desktop without any interaction from the remote user and, depending on how the VNC server is configured, without any visible indication to that user. This calls into question the claim that the school district had no means of viewing live feeds of student activity.

- LANrev version 4.51 added support for searching for and displaying any text file from client computers on the administrator’s workstation, using the new View Text File command. Also added in this release was the ability to have LANrev try to wake up a computer that is currently suspended, and to discard all commands that have been run on a remote computer.

- LANrev version 4.6.2 added an option that trades security for ease of use. Directly from the release notes: “New preference setting for Agent Deployment Center (Mac OS X only): You can now instruct LANrev Administrator to disregard SSH host keys for identifying clients on which to install the Agent. This has the advantage of not requiring re-authentication when the operating system of the client has changed, e.g., because of reinstallations. Note, though, that this option also causes a slight reduction in security that makes it possible in principle for an unauthorized device to appear as a legitimate member of the network to the Agent Deployment Center and capture the SSH password.” In plain terms: with that preference set, the deployment center no longer checks that the machine answering at a client’s address is the client it installed on last time, so a rogue device on the network can pose as a client and collect the SSH password used for Agent deployment.

- LANrev version 5.1.1 added a feature for executing AppleScript scripts: you can choose between executing them in the context of the current user or in the context of another user.
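The 4.6.2 release note above describes exactly the failure that SSH host-key pinning exists to prevent. As an added example (this is not LANrev code and not from the original post), the Python below implements the check an agent deployment tool should make before handing its SSH password to a client: it parses a plain-text known_hosts file, computes OpenSSH-style SHA256 fingerprints, and runs a simulated deployment against a rogue device under a strict policy and under the “disregard host keys” policy. The host names, the known_hosts content and the key blobs are constructed placeholders; the fingerprint logic does not depend on the bytes being a real RSA key.

```python
import base64
import hashlib
from enum import Enum


class Policy(Enum):
    STRICT = "strict"                      # refuse unknown or changed host keys
    IGNORE_HOST_KEYS = "ignore-host-keys"  # the 4.6.2 preference: trust whoever answers


class Verdict(Enum):
    MATCH = "host key matches the pinned key"
    UNKNOWN_HOST = "no pinned key for this host"
    KEY_CHANGED = "host key differs from the pinned key"
    ACCEPTED_UNVERIFIED = "accepted without checking the host key"


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host name -> (key type, fingerprint) from a plain known_hosts file.

    Blank and comment lines are skipped; hashed (|1|...) entries are skipped
    too, because this example only handles plain host names.
    """
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts, keytype, blob = line.split()[:3]
        for host in hosts.split(","):
            pinned[host] = (keytype, fingerprint(blob))
    return pinned


def check_host_key(pinned, host, keytype, blob, policy):
    """Decide whether the key presented by `host` is acceptable under `policy`."""
    if policy is Policy.IGNORE_HOST_KEYS:
        return Verdict.ACCEPTED_UNVERIFIED
    entry = pinned.get(host)
    if entry is None:
        return Verdict.UNKNOWN_HOST
    if entry != (keytype, fingerprint(blob)):
        return Verdict.KEY_CHANGED
    return Verdict.MATCH


def deploy_agent(pinned, host, keytype, blob, policy, ssh_password):
    """Simulated deployment step: the password is sent only once the key is accepted.

    Returns (verdict, password as received by whichever machine answered).
    """
    verdict = check_host_key(pinned, host, keytype, blob, policy)
    if verdict in (Verdict.MATCH, Verdict.ACCEPTED_UNVERIFIED):
        return verdict, ssh_password
    return verdict, None


def _blob(label: str) -> str:
    # Constructed placeholder "public key" bytes, base64-encoded like a real blob.
    return base64.b64encode(b"placeholder-public-key:" + label.encode()).decode()


LEGIT_KEY = _blob("student-mb-0412")   # key the real client was enrolled with
ROGUE_KEY = _blob("attacker-laptop")   # key presented by an impostor device

# Constructed known_hosts content with hypothetical client host names.
KNOWN_HOSTS = (
    f"student-mb-0412 ssh-rsa {LEGIT_KEY}\n"
    f"student-mb-0413 ssh-rsa {_blob('student-mb-0413')}\n"
)


def demo():
    """A rogue device answering as student-mb-0412, under each policy."""
    pinned = parse_known_hosts(KNOWN_HOSTS)
    results = {}
    for policy in Policy:
        verdict, leaked = deploy_agent(pinned, "student-mb-0412", "ssh-rsa",
                                       ROGUE_KEY, policy, "deploy-pass")
        results[policy.name] = (verdict, leaked)
    return results


if __name__ == "__main__":
    for name, (verdict, leaked) in demo().items():
        print(f"{name:17s} {verdict.value}; password sent: {leaked!r}")
```

Under the strict policy the impostor gets a “key changed” refusal and never sees the password; under the ignore policy it is accepted and the deployment password is delivered to it, which is the outcome the release note warns about. The practical fix is the opposite of the 4.6.2 shortcut: re-enroll the new host key deliberately after a reinstall rather than turning verification off.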

Another part of this case is that one of the two members of the IS department that had TheftTrack credentials, Michael Perbix, was active on certain technical forums discussing remote activation and deactivation of the built-in webcam on Apple MacBooks. One such post on his own blog gave instructions on how to do this, as well as providing a simple script to make such a process easy.

Remember the last feature mentioned above, where “you can now choose between executing them in the context of the current user or in the context of another user”? This particular feature comes into play in a possible “stealth” use of the built-in webcam.

During normal operation, when the internal webcam is activated on a MacBook, a small green light next to the webcam turns on, letting you know it is active. At various times during the past few years at Lower Merion, several students reported their green webcam lights momentarily turning on and then off. One such case was even reported by a 9th grade teacher, Christine Jawork. She mentioned to her students that the school could “activate their laptops’ webcam”, and she had taped over her own webcam because of this. She also confirmed to the independent investigation that some of her students discussed seeing the green light when they were not using the webcam.

This would make sense if the monitoring software took a single snapshot. But any prolonged use of the webcam would not be “stealth”, because the light would stay on constantly. But what if there was a way to disable the light? This is where our research becomes speculative, but it still raises serious concerns. As mentioned, Michael Perbix posted a method to disable the built-in webcam. Why would he do this if the TheftTrack software relied on this hardware for taking snapshots? His own words in another forum have the answer.

He says: “You … can simply change permission on 2 files…what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking etc)…I actually created a little Applescript utility and terminal script which will allow you to do it remotely, or allow a local admin to toggle it on and off. The info and links to a DMG are in my blog.“

Interesting. So the method he used to disable the webcam was a permission change on two files, which by his own description blocks ordinary local use of the camera but not necessarily an application running with other privileges, such as theft tracking. Remember that the LANrev software gave its administrators administrative rights on the remote machine, which is exactly what is needed to change those permissions back, run a script in the context of a different user, and activate the webcam. Continue to watch our blog for updates on this research.

In addition, here is Michael Perbix’s personal blog, where he mentions installing software directly onto a user’s computer and executing commands via scripts.

It would appear that the IS department knew what the LANrev software was capable of. They knew how to use it officially, meaning activating TheftTrack. Our research leads us to believe this is just the tip of the iceberg: LANrev itself was capable of much more. The extremely scary part is that anything manually pushed out or installed remotely using LANrev may not have been logged. At least TheftTrack, when activated, left a paper trail. Any of the LANrev administrators, not just the two TheftTrack administrators, could at any time have remotely installed a malicious application such as a keystroke logger or a screenshot grabber. In addition, they had the ability to remotely view any user’s desktop in real time without the user’s knowledge.

In conclusion, the independent report, although seemingly thorough, was narrow in focus. It did not take into consideration the full capabilities of the LANrev software, but dwelt solely on the TheftTrack module. I’d also like to highlight the fact that the investigators retrieved 19 terabytes of electronic data. To put this in perspective, it is often said that the entire Library of Congress would fit in roughly 20 terabytes. So in the span of 10 weeks, all 19 terabytes of data were thoroughly investigated?

I believe this “independent” investigation is not enough to persuade anyone of the school district’s innocence in this matter. In fact, at face value, it appears that the report distracts from the real issue: the personal privacy of the students and their families. The report simply places blame on the previous IS director, who is no longer employed by the school district, and on the TheftTrack software, which is no longer in use. However, ANY monitoring software that allows remote access to a computer in the privacy of your home without your knowledge amounts to the same thing, and the privacy problem remains. Just because the “official” tracking software does A, B & C doesn’t mean that LANrev cannot accomplish the same in the hands of an unethical network technician. Privacy and human decency should always be put above any network infrastructure process. There are so many intricate details in this case that we simply couldn’t write about all of them. Although the independent report lacks the full scope of this case, it does have very good information about some of the specifics. I suggest you take a look at it.

Have we heard the last of this? Probably not. There are ways you can protect yourself and your family. Look for a follow-up to this article about ways and methods of protecting yourself from a technical perspective and using common sense techniques against privacy threats from “trusted” sources.

Social-Engineer.org on FBI Access in Lower Merion Web Cam Scandal

Tuesday, May 11th, 2010

How would you feel if someone hacked into your computer or business and illegally captured screenshots or even camera images of you, your employees or even your family using social engineering? Now to extend that even further, what if in one of those screenshots they caught you doing something you should not have been doing, something illegal?

Would you expect to be brought up on charges, considering that those images were obtained by an illegal hacker? Most of us would probably think that we are quoting some conspiracy theory movie… but the sad truth is that this may very well be the reality.

As you know, the team at social-engineer.org has been following and blogging on the crazy story that continues to unfold regarding the Lower Merion Web Cam Scandal. I can’t say much, because as of this second we have a dedicated researcher scouring through all of the data, reports and information that has been gathered on this topic. Recently there has been in-depth research into the terabytes of pictures and data collected, to determine the real culpability of the school and its employees.

As we have been preparing this story for release we saw a news story that just forced us to blog some information early. Here is the snippet that caught our attention:

“Plaintiffs’ counsel’s concern centers around the 50,000+ photographs and screen shots taken of other students and parents that Plaintiffs’ counsel has not examined,” Haltzman’s response reads in part. “Since the Government has not agreed to immunize all students and their parents from prosecution for criminality that could possibly be depicted in the data collected, and since it is conceded that the data collected by LMSD, a government entity, was illegally obtained in violation of the Fourth Amendment, there is concern that the Government will target, or worse prosecute, students and parents based upon the illegally obtained evidence.”

There are still parents who haven’t even seen their pictures yet and the government may intercede and grab the photos, catalog and possibly prosecute – WOW.

Previously, on May 3rd, the FBI asked why so many images were taken without regard for the privacy of families and especially minors. So the question becomes: who gave Lower Merion the right to intrude on those communications? Regardless of whether a student stole a computer, whether a student is a problem student or whether the parents missed an insurance payment, does it not seem inexcusable for the school to violate the privacy of minors, students and families?

What if whoever is in front of the camera is not a student or part of the school, friends, family or someone not related to a late payment or bad student? One article used a very good analogy, what if you were late on your cable bill and the cable company decided to just turn on a camera on your cable box to see if you were using the TV and for what? If we had this type of “luck” in a social engineering audit we would feel blessed, but this breach of privacy has only victims.

The lawsuits would be filed so fast it would spin your head off, and rightly so. That kind of privacy invasion is something we just can’t handle, nor should we have to.

This is just the tip of the iceberg and really doesn’t cover the real meat of this story. Our researcher is polishing the story as you read this, so stay tuned; we will be posting more in the next day or so.

Thanks to nick8ch for sending us the link and helping us with the research for this story.

A new level to spearphishing

Wednesday, March 3rd, 2010

A recent story on slashdot brought this to my attention and we have archived it in the social engineer archives under the new and improved spear phishing attacks section.

What struck me as interesting about this story, and made me rush over here to type this up at the worst possible time to release a blog post, was the way these attacks are being “made new”.

Heck, most intelligent IT Admins won’t click on the link to “See Britney Naked” or “Adjust your Bank of America Account” because they know it is phishing.

But here comes the “new and improved shiny phishing”. These social engineers have done their homework. They have the names of IT admins, they have the names and details of current projects, and other information that makes the emails very believable. But it doesn’t stop there; this is the part that will make you stand up and pay attention. They are not asking for a link to be clicked, a file to be run or a website to be visited… they are merely asking the admin to change some configurations on their servers. The changes requested, a firewall exception for inbound SMTP plus a relay allowlist entry for the attacker’s address ranges, would let the attacker use the victim’s mail server to relay spam, or open up some other hole in their servers.

Take a look at one such email:

---------------------------------
Dear Valued Customer,

We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:
xxx.xxx.xxx.xxx/xx (xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx)
xx.xxx.xxx.xx/xx (xx.xxx.xxx.xx - xx.xxx.xxx.xxx)

If you have settings on your e-mail server which control the IPs which are allowed to connect for e-mail relay please confirm that those settings are updated as well.

We will be able to test and verify connections one week prior to April 19, 2010. Additionally, we will be proactively running connection tests prior to the launch on behalf of all customers, and contacting you directly if we are unable to connect to any of your domains from ALL specified IP addresses for that domain.

Prior to the launch of the new IP addresses, we recommend that you set up and configure the Deferral Notification alerting feature for your domains using the Deferral Notification option on the Domain properties page in the Admin Center. The Deferral Notification alert feature sends a message to you when a customized threshold has been met or exceeded for deferred e-mail in your domain. After the new IP addresses are launched, this feature will help to ensure that e-mail sent to your domains is not deferred because of unsuccessful connection attempts to your network, and that you alerted in the event that e-mail is being deferred beyond your acceptable limits. For more information on how to set up the Deferral Notification alert feature, see the Admin Center Guide in the Resource Center.

Please refer to the Configuration subtab of the Administration Center for a complete list of IPs which should be allowed to connect to your environment at any time.
---------------------

An unsuspecting admin would fall for this, and they ARE, wreaking havoc on networks all over.
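The request above asks an admin to make two changes at once, a firewall exception and a relay allowlist entry, on the strength of an email. The check a practitioner wants before touching either is to compare the requested ranges against a list obtained independently of the email (the vendor’s admin portal reached through a bookmarked URL, or a call to a number you already have on file) and to treat any relay change as a separate, higher-risk approval. As an added example, not part of the original post and not any real vendor’s tooling, here is a Python script that parses such an email for CIDR ranges and scores the request against an out-of-band allowlist. The From: domain, the sample addresses (RFC 5737 documentation ranges) and the allowlist contents are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed request modelled on the email above. The sender, domain and
# address ranges are made up; the ranges are RFC 5737 documentation blocks.
SAMPLE_EMAIL = """\
From: "Hosted Mail Support" <support@example-mailfilter.net>
Subject: New Data Center go-live on April 19, 2010

Dear Valued Customer,

Please update your firewall rules to allow SMTP traffic on port 25 from the
following IP address ranges: 198.51.100.0/24 (198.51.100.0 - 198.51.100.255)
203.0.113.0/28 (203.0.113.0 - 203.0.113.15)

If you have settings on your e-mail server which control the IPs which are
allowed to connect for e-mail relay please confirm that those settings are
updated as well.
"""

# Ranges you fetched yourself, out of band (vendor portal, phone call to a
# known number). Assumed for this example: only the first range is genuine.
VENDOR_PUBLISHED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
VENDOR_SENDER_DOMAINS = {"example-mailfilter.net"}

CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")
RELAY_RE = re.compile(r"\brelay\b", re.IGNORECASE)
FROM_RE = re.compile(r"^From:.*<[^@>]+@([^>]+)>", re.MULTILINE)


@dataclass
class Review:
    sender_domain: str
    sender_trusted: bool      # weak signal only: a From: header is trivially forged
    relay_requested: bool
    approved: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def review_change_request(email_text, published_ranges, sender_domains):
    """Extract every requested CIDR and check it against the out-of-band allowlist."""
    m = FROM_RE.search(email_text)
    domain = m.group(1).lower() if m else ""
    review = Review(sender_domain=domain,
                    sender_trusted=domain in sender_domains,
                    relay_requested=bool(RELAY_RE.search(email_text)))
    if not review.sender_trusted:
        review.findings.append(f"sender domain {domain!r} is not a known vendor domain")
    for cidr in CIDR_RE.findall(email_text):
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.subnet_of(pub) for pub in published_ranges):
            review.approved.append(cidr)
        else:
            review.rejected.append(cidr)
            review.findings.append(f"{cidr} is not inside any range published by the vendor")
        if net.prefixlen < 24:
            review.findings.append(f"{cidr} is a very broad range for a mail source")
    if review.relay_requested:
        review.findings.append("relay permission requested: allowlisting an unverified "
                               "range here turns your server into an open relay for "
                               "whoever controls that range")
    return review


def decision(review):
    """'apply' only when every range is verified, the sender is known and no relay change is involved."""
    if review.rejected or review.relay_requested or not review.sender_trusted:
        return "hold for out-of-band verification"
    return "apply"


if __name__ == "__main__":
    r = review_change_request(SAMPLE_EMAIL, VENDOR_PUBLISHED_RANGES, VENDOR_SENDER_DOMAINS)
    print("approved:", r.approved)
    print("rejected:", r.rejected)
    for f in r.findings:
        print("finding:", f)
    print("decision:", decision(r))
```

On the sample, the first range is inside the vendor’s published block and is approved, the second is rejected, and the relay wording alone is enough to hold the whole request. The sender check is deliberately the weakest input here: the From: header proves nothing, and a real deployment would feed SPF/DKIM results in as well, but the authoritative control is the allowlist you obtained without relying on the email.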

Until next time….

Forget Big Brother…. We Have High Schools

Thursday, February 18th, 2010

Now I am not sure about you, but this is one of those stories that at first made me laugh…. then when I thought about it the smiles went away.

Hey I got kids and if this happened I just might have to put on the boxing gloves.

Basically, the gist of the story is that a school district near Philadelphia, USA issues laptops to its students. One day little Blake Robbins goes to school and is slapped with an “improper behavior in his home” disciplinary action.

Of course the first question is, WTH? After some questioning, what is found is that these laptops have webcams on them, and those webcams were set up so the admins can turn them on remotely at will.

Allegations are being launched against the school that they used these cameras to spy on students and their families, a massive breach in privacy.

If you are like me, we do a lot of things with the laptop in the room.  From personal conversations, arguments, dinner, getting dressed, heck I have even heard some stories about people taking the laptop into the bathroom with them (JUST HEARD STORIES PEOPLE).

So how far is too far?  I can understand the schools having monitoring software on the computers, I can understand filtering sites, heck I can even grasp having very strict rules on usage (although I might help my kids get around some of those silly blocks) but this, this is just too far.

I can only imagine those pervs sitting in their admin office and spying on the 16 year old teenage girls while sitting in their bedrooms at night.  This story just screamed out to me. As a social engineer I would love to be able to do this to my clients and get all their passwords and just walk in and say, “All your base are belong to us“, that is where the smile came from.

Yet on children? Our children?

Another question is who is responsible for our children’s behavior?  Is it the schools?  When they leave the school grounds, do the teachers still have a say in what is said or done?  Do we want to take the parents out of the equation?

From a social engineering point of view, how much information is too much information?  From a SE angle there is no such thing as TOO much information.  As a person, if you want to protect from this you need to seriously consider what it is that you release to the public.  Pictures of our family, kids, names, addresses and such personal information can lead to a serious hack on you and your family.  Take that to the next step, use this information from a business perspective now and what you have is a path to own your business too.  This is a scary story as it makes us reflect on the way information is released and the amount of it we allow out into the world.

This opens up a whole other topic. Keep tuned, because we will be posting some serious stories in the near future.

For a full story online check out:  http://www.boingboing.net/2010/02/17/school-used-student.html or

http://newsolio.com/students-spied-on-via-laptop-computers-by-lower-merion-school-district-in-philadelphia-claim,5537

The Importance of Information Gathering

Thursday, January 7th, 2010

Our friend and contributor Matt was kind enough to put into writing a few stories from his law enforcement days. This excellent example shows how important it is to pay attention to the little details when information gathering. Sometimes the littlest details can make or break the story…..

I got into work one Saturday morning and was immediately called out to a home invasion. It was summer and I really didn’t want to be working as it was very nice out, but duty calls. It was 8:30 in the morning when I arrived at the victim’s house. The house was a multi-level home – not very big, but not very small. It was a fairly nice, quiet neighborhood and the house sat near the top end of a cul-de-sac.

When I got there, two male deputies and a female sergeant had spoken with the victim already. They relayed his story and I had a look around. The house wasn’t torn apart, but a few items were in disarray. There was a good amount of blood on the wall of the stairs leading up to a bathroom and the bedrooms. Only a few items were missing: a TV, the computer including monitor, keyboard, and mouse, and the victim’s wallet. There were other valuable items that weren’t taken.

After looking around, I started asking the victim a few questions. He was about 45 years old and had a pretty good black eye and some other bumps and bruises. Normally, when I would ask someone to tell me their story, I would ask them to start at the beginning. I don’t want to determine the beginning for them. Here is his story, starting from his beginning.

“I dropped my wife off at the airport on Thursday afternoon since she went to visit some family. I came home and hung out for a while. I went to bed that night, but didn’t go to work on Friday. I’ve had horrible back problems and I’m on muscle relaxants and pain killers. And yeah, I like to drink a little bit, so I had a couple of drinks too. Somewhere between 8 and 8:30pm last night, a guy and a girl I’ve never seen before open my front door and walk in. I start to yell at them and the man hits me in the face. They made me go upstairs in the bathroom and he tied me up. They kept yelling at me and the guy hit me a few more times. They took some stuff and then they left. I didn’t see what they were driving and the whole incident is a little hazy. I don’t really remember too much of it.”

So there is his story. Looking at the entirety of the situation, things didn’t make sense to me. There were seven red flags that popped up in my mind…

Red flag 1: The victim didn’t report the crime until 12 hours later. If someone had broken into your house and beat you up, wouldn’t you call the police right away?

Red Flag 2: Wife just left to go out of town. Interesting…nothing happens when she’s around, but she leaves and all hell breaks loose? This was also important as it was the beginning of his story. Normally an event like this would begin with the intruders entering the house.

Red Flag 3: Time and Location. The house was on a cul-de-sac. It was at the top of a circle and had other houses facing it. It was 8pm on a summer day which meant that it was still pretty light out. If anyone arrived at the house and went in, surely there was a chance they would be seen. The house was not randomly chosen.

Red Flag 4: Items stolen. I had never seen anyone steal a keyboard and mouse along with the computer tower. The fact that other valuable items were not taken was also an issue.

Red Flag 5: Intoxication. The victim had been taking pills and was drinking.

Red Flag 6: Front Door was unlocked. This may not be a red flag to everyone, but the victim didn’t go to work and had a car in the garage. Suspects generally aren’t that lucky to find unlocked doors.

Red Flag 7: The presence of the female sergeant was distracting for him. Whenever she walked into view, he would turn his head away and begin to mumble. He didn’t want her to hear his story.

Any one of these items isn’t a huge issue on its own, but put them together and you have the perfect storm of BS. Several things pointed to the story being incomplete, so to get to the truth I had to ask questions and draw out more information. I couldn’t just call him a liar (since he was a victim, after all), and I used leading questions to get him to finally admit it. I decided to focus on the computer being taken and asked him questions about it. It turned out that the key question was asking him what types of things he does on the computer. He slowly admitted he looked at online porn, which led to him admitting he had “ordered” prostitutes in the past. Getting the rest of the story was easy.

Here’s what really happened: The victim thought he would have a little fun since his wife was gone. He went online, found an adult website, and contacted an escort. She showed up, they had their fun, and she left. Half an hour later the two suspects showed up and beat and robbed the victim. He was scared, embarrassed, and didn’t want to get into trouble with either the police or his wife. The escort called her associates and told them about an easy “mark” who was too drunk to stop them. They took the computer since this was how the victim originally found the escort.

Now, is this the complete truth? I doubt it, but it makes a lot more sense than the original story.

There were a lot of little things that went into making a determination on the truth. I made a few assumptions and inferences before the victim ever opened his mouth. The questioning wasn’t as important as the initial information that led to the right questions to ask. The surrounding environment and location were almost more important than what the victim actually said. Without the initial information, his story wouldn’t have seemed quite so out of place.
—-

Thanks Matt and we look forward to the next story.



