Deceptive Hacking: How misdirection can be used to steal information without being detected

Video in TIB AV-Portal: Deceptive Hacking: How misdirection can be used to steal information without being detected

Formal Metadata

Title
Deceptive Hacking: How misdirection can be used to steal information without being detected
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
There are many similarities between professional hackers and professional magicians. Magicians are experts in creating deception, and these skills can be applied when penetrating a network. The author, with 30 years of experience in both security and magic, will explain the basic principles and theories that magicians use to create illusions. This includes definitions of magic terms such as gaff, gimmick, fake, stooge, feint, sleight, bluff, timing, and the different types of misdirection. It will be shown that all of these techniques apply to hacking as well. A scenario is presented where normal hacking techniques would be detected and information theft prevented; the only solution is to use deception and trickery. Bruce "Grymoire" Barnett has been a scientist at a large Fortune 50 company for 25 years, with a focus on security and advanced algorithms. Some of the tools, developed for military contractors, dealt with attack trees and vulnerability chains (NOOSE -- Networked Object-Oriented Security Examiner). Other projects include data provenance, steganography, key management algorithms for sensor networks, and advanced network analysis. He has also written several tutorials on Unix shell scripting, and Google ranks his Sed tutorial as #1. Bruce has been a part-time professional magician for 35 years, and belongs to societies such as the International Brotherhood of Magicians and the Society of American Magicians. He currently runs several forums exclusively for magicians, such as the Electronic Grymoire and the Shadow Network.

Hello everyone, it's great to be here. I'd like to start off with a demonstration. I'd like to have everyone please stand up, and on the count of three I want everyone to go like this. Okay, now wait: one, two, three. Oh, cool, a standing ovation one minute into the talk. All right, it can't get any better. My name is Bruce Barnett. I've been doing a lot of computer science; some of the work I do isn't quite as exciting to people around here, things like data provenance and security ontology and stuff like that, but I'm also a magician. I've been a magician for 40 years, and maybe some of you have read my tutorial on sed; I don't know, it's number one on Google. But anyhow, I kept thinking about the similarities between what magicians do and what hackers do, and there's actually a lot in common. First of all, ever notice that
magicians are always wearing black, which seems to be the dominant color here? They also like to shock people, and we've got a few interesting people around here who are in that category. But mostly they have secret knowledge, and secret knowledge is the key to both hacking and to being a magician, because
when secret knowledge goes against someone who has very rigid assumptions, it just blows right through it and you
get profit. Got the formula in there somewhere. So what I'm going to do is
talk about the magician's toolkit, the different things they use to accomplish the illusions they're doing, and I'm going to talk about the similarities between magicians' tools and hacking tools. I'm going to talk about basic psychology and some advanced psychology, and then I'm going to give an example putting it all together, saying how I would apply it if I was hacking into a company. So first,
let's talk about actions. The
first one that's important to know is the feint. It's the... oh, here, where's the pencil? See, that was a feint. I knew exactly where the pencil was; I was just pretending I didn't know. And that's a very rich area. You see this in hacking: you go to websites that say "we're now scanning your computer for viruses," and you see a little dial spinning around, and it's not doing anything; it's just a feint. The next thing is the bluff, where they're basically saying something that's just an outright lie. That's typically like the website saying "oh, we've just detected a virus on your computer, please install this software." So now the
third thing, and this is the most important thing, is the sleight. You take something like this and, you know, it just... oh, there it is over here. It's no big deal, it's just... oh, there it is again. Okay, it's just a secret action with some technique that magicians use, and a lot of times it requires a lot of practice to really be good at it. Some magicians will spend 20 to 30 years just doing one sleight, doing it really well. Also, sleights are less valuable the more they're known; if you know what's happening, it's not as effective. Also, sleights can be worth a lot of money; there's an underground economy for magicians where they barter secrets with each other. So what's the equivalent of this in hacking? It's the exploit, it's the zero-day. All these things are true: a really good exploit is worth quite a lot. A speaker yesterday said they're worth like a hundred thousand dollars for a really good exploit that works a hundred percent of the time. Also, again, if you know about it, it's not as valuable anymore, and there's an underground economy as well. And
the fourth action is timing. That's very important in magic, to get the timing just right, and that could apply to hacking too. For instance, if you're doing a port scan and you do it over a long period of time, like over months or so, it probably would not be detected. Now, props. Props are the
objects magicians use. Some of them are just regular objects, but there are special objects too. First of all there's
the gimmick. The gimmick is a secret device; you don't see it, but it has a secret function. For instance, if I had a piece of tape, a sticky thing, right here, I could then put this pencil right here and have it stay in my hand. Now there's also another type of gimmick where you don't actually have a special gimmick; you use another gimmick that has a secret function, which is what I did here with my finger. So the equivalent of the gimmick in hacking is the rootkit: it's hidden, you can't find it, you can't see it very easily, but it has a secret function. Now the
next thing is a gaff. A gaff is a device that you see, that has a function you're aware of, but it's been modified. If I take a pencil and I stick a magnet on it, or a thread, it becomes a gaffed pencil. And what's the equivalent of this in hacking? That's like a backdoor, an Easter egg function in some software. All right, now the third type of object which is used is a fake. For instance, if I have a rubber tube and I paint it yellow and stick an eraser on it, it wouldn't really be a real pencil; it would just be a rubber tube that looks like a pencil. But that's what a fake is, and what's the equivalent of this in hacking? That's like a Trojan horse or a man in the middle: it's not really the website you're going to, it just pretends to be the website and things are passing through it. All right, now there's people,
but first I'd like to do a demonstration. I need three people to have a dollar bill. Anyone have a dollar bill? You'll get it back, I promise. Okay, there's one. I need two more; come on, come on this way, stay right there. Okay, two more people. Okay, come on up. No, I'm not touching that bill, I'm not touching that bill. Okay, look at the bills. You're looking at the president, okay, so he sits right in the middle. Then fold it in half right down his face, so the president's on the inside. You got that? All right, now fold it again in the same direction. Okay, now fold it top to bottom, fold it the other way. Okay. And now give your bill to someone else, so you don't have your original bill anymore. All right, now I need someone else. Let's see, okay, let me make sure I have all my stuff here. Okay, I need someone else here. Okay, whoever gets it, pick it up and point to one of these three people, or just tell me which one you want: first, second, third? Number two. All right, come on up. Now I was going to bring a longer pole here. I'm not going to touch the bill, but I'd like you to put the bill in this clip. I was going to have a longer one, but TSA had issues with it. So just put the bill in the clip. All right, and the rest of you can sit down; you've got a bill, you're all set. Okay, so what I would like you to do is come over here, step over here, and hold this up real high. Okay, now I am going to try to read his mind; I'm going to try to determine the serial number of that bill. All right. Okay, please open up the bill and look at the number. You got it? All right, now I want you to... did I get the number correct? Yes. Thank you very much. Oh, you people are so gullible. No, no, no, no. Wow. Actually, why don't you read the serial number of the bill? Step right up here and tell everyone what it is. F7 608 2 155. I thank you very much,
keep the bill, you're all done, thank you. All right, so we're going to talk about people, and of course the first one you're all thinking
of is the stooge, just a secret accomplice. Now I made things a little bit interesting for you, because maybe all three of those people were accomplices; who knows? And of course in hacking this would be the insider threat, someone on the inside. Now for this to work, you really have to trust the person. If you don't trust the person, or suspect the person, then this might not work. So that's very important: there has to be trust in the person, and the more you trust them, the more likely you're going to be deceived by them. There's also an interesting little ploy that's been used in magic, in a stage production, where the magician was the main character and they had an antagonist, the enemy, someone who hated the magician. The magician put something on a table and covered it up with a cloth, and his enemy, his nemesis, says "I don't believe you" and picks up the cloth. Yep, okay, it's still there. And then boom, the thing vanished. What really happened is that the person who was the enemy was the one who was the secret accomplice; he stole the item out when no one else knew about it. So this could be applied in hacking too. For instance, if you have someone who's an enemy of someone else, and they say something about this other person, you're more likely to believe them, even though they might be an accomplice. This is also how it works with email: you get email and you're more likely to believe it from a friend than from a stranger. So now the second type of
accomplice is the unwitting accomplice. This is like social engineering; that's what I did with the "say yes" gag. I had him go along with it, just for some fun. And you see this happening sometimes in social engineering: they call someone up and give them the "one of your colleagues is visiting our site today and they're having problems getting access to the network, and he's kind of busy right now, I'm trying to help them out, could you please do me a favor?" You see that happening a lot. All right, and the third type is the patsy, or the fall guy. So if you want
to know how that bill trick worked, just ask our patsy here. I'm sure he'll tell you how everything worked. Oh, don't ask me, because I'm not going to tell you. All
right, now let's talk about psychology.
The most important principle in magic is naturalness. The Professor, Dai Vernon, was a noted expert in magic, and he always stressed how magic had to be natural. Tarbell talked about it; a bunch of other people talk about it. If you're doing something and it doesn't look right, like I could have the best sleight in the world, but if I had to go like this when I'm doing my sleight, it's going to be suspicious. So you have to do sleights so they look completely natural, and that's really the most critical thing. In fact, someone said all magical effects have a flaw, and the stuff they do around it helps disguise that flaw, because they really can't be natural. If they were really that good, they could just point to someone, do something, and make a car appear by waving their hands; all that noise has to disguise it, and they do things around that to make it look somewhat natural. But what if you can't be natural? What if you
can't be a hundred percent natural? Well, the first thing magicians try to do is make it look as natural as possible. For
instance, if you have an exploit that generates three log entries: if you can eliminate a log entry and go down to two, that's better; if you go down to one, that's even better still; if you have no log entries at all, no alarms, stuff like that, that's the best. So that's the goal: trying to reduce or remove anything that is unnatural. If you're going to use a buffer overflow and you pick padding of all A's or something like that, the log files might show that up, and that'd be more suspicious than putting something like a real file name in there. There's even someone, Mason, who had an interesting paper on shellcode using English words, which is a very interesting idea. And if you can't eliminate it, you try to find ways to hide it. I listen to the PaulDotCom podcast, and they had Mike Murray and Mike maroubra talking about how they used a "d" instead of "cl" for Oracle, and they were able to trick a lot of people into thinking that was the legitimate website, because they tried to make it as similar as possible. So that's again the same sort of principle. And if you can't do that, sometimes you just can't
do it. So what else can you do? You can make something that is unnatural become more natural, and you can do this with some sort of contrived justification. You come up with some sort of situation that helps explain this, maybe even adding things to it to make this sort of thing seem more reasonable. Social engineering does this a lot. Another thing you can do is repetition.
If you do something once, it's suspicious. If it happens a hundred times and nothing happens, it's not so suspicious. For instance, if you had an exploit that you wanted to use but that would leave log entries, you could create a tool that you let script kiddies run that looks like it probes for this vulnerability but doesn't actually do anything. If people started using these tools, they would start generating alarms on systems, but people would realize "oh, it's just that script kiddie tool, it's harmless, it doesn't do anything," and they might not notice if you have a real exploit that has the exact same signature as the script kiddie tool. All right, now here's
let's do something else. I'm going to do a coin vanish. Okay, I want to take this coin. I'm going to move away from the mic a little bit. I am going to make this coin vanish by tapping it with my wand here on the count of three: one, two, three, and the coin... vanish. The pencil vanished! It's stuck on me. How many here can say you weren't looking for that? See, you thought the coin was going to vanish. Well, let's look at my pencil. All right, thank you, thank you. There were no sleights whatsoever in that illusion; it was all misdirection. That's
all I used to do that. I just made you look somewhere else when I was doing it, and that's how that particular effect works. So misdirection, what is it? It's a way to control someone's attention so that they look over here when you're doing something secret over there. Now how
can you do this? One of the most important things you want to do is find something that they're going to be interested in, something that they're going to want to take a look at, something that appeals to them or has a great interest to them. And it's hard to tell exactly what it is, because there are so many different cases; people are different and all that. You can do things like... magicians a lot of times would have an assistant in a skimpy outfit, and she might drop something and bend over to pick it up, and all the men would be looking at her bending over while the magician is doing something secret over there. Those are examples of things like that. It all depends on what appeals to the crowd. And I've seen this in
some email and Facebook things that say "oh my god, you won't believe what she's doing in this picture," and you may not realize, wait a minute, there's something kind of hinky about this thing here, but the topic is such that you say "I've got to take a look at what this is" and you click on it. So now that's
one. Okay, there are different kinds of misdirection. The first one is directed misdirection, where you say "look over there." Of course that doesn't always work; it has to be enhanced with something logical that makes sense. If it doesn't make sense, that might be suspicious, and if you're suspicious you may not look where they want you to look; you might look elsewhere. So it's really important to make those make sense. You've got to find out what attracts their attention: Lady Gaga or Justin Bieber or a free iPad, that gets people's attention a lot; they stop thinking about certain things. Now the other thing you can do is rely on the uniqueness of the event; some things just sort of grab your attention. Hackers have set off fire alarms when they've broken into systems; they might be able to get access to the HVAC that's attached to a computer network and manipulate the environment that way, or they could set off another attack. Sony just mentioned recently how they had a very sophisticated attack that was happening while another attack was occurring, and that's why they missed it, if you believe them. Now there's another
kind, sort of, which is a little subtler; it's called discovered misdirection. In other words, you don't tell them about it; you wait for them to discover it on their own. So it's sitting there ahead of time waiting to be discovered, and when they look at it they say "oh, look at this." So it can be very useful, but you have to control the timing, because the timing is not always under your control; if you can do certain things to make them want to go there and look at it, that's what this will do. I'm going to give an example of this later on. There's also
another kind of misdirection called constrained misdirection. Penn and Teller do something where they throw something over someone's head, and he doesn't know what happened, but everyone else does, because they're controlling what he sees. That can happen; it happened a long time ago. I'm not too sure how it happens right now, but if you can control the environment, maybe get an administrator to have remote access into a machine that you control, they may not see the things that they think they're seeing, because you're controlling the environment. So that's a possibility. Now here's some more advanced
psychological techniques I was just mentioning the misdirection but there's a lot more magicians can apply to a to you know to fool people all right one of
the most useful techniques magicians use is they want to encourage a false conclusion magicians have these things they call sucker tricks and it's designed so that when it's being performed it's pretty obvious to you what's really happening and you you know you start seeing you know you start thinking what it's going to be they do this a lot with kids you know the kids will they want the kids to yell out and saying I know what you're doing you know turn it around it's on the other side whatever and of course the very end the magician reveals the fact that well no you're wrong this is this is what really happened they turn the other side and something Apple II different or they'll make you think that you've someone's hidden underneath the table that's surrounded by a curtain and then they pull away the curtain at the last minute so you know they're not under the table you know so this is um this is really really useful it's you have to basically get them to you know experience a false premise a false alarm is also another
thing that can do this so that if you can generate an alarm you might make them think something's happening when it's not so that's that's another useful thing to do you could you could repeat that and when they would also then learn to not trust alarms if you kept using that some examples the dark markets staying the guy was pertained to be involved in illegal activity another case I saw on the sands mailing list someone had a shock wave file and it had it had malware inna they had a virus in it but also had the icar test virus in it why would a file have a harmless virus and a real virus in the same file I think was of someone trying to be deceptive another good thing magicians
love to do is they like to be able to use multiple methods if I can do the same effect using three complete different concepts it becomes really hard for someone to figure out what's going on for instance let's say I was doing a trick and it required a trapdoor okay but I could also do the same trick but this time I didn't use a trapdoor I used the mirror and if I and they looked identical you can look at you can if you saw both versions of it you say I've seen him more than once and he didn't use a trap door and he didn't use a mirror so I don't know what he did but meanwhile it's like when I not using a trapdoor i'm using a mirror when I'm not using a mirror i'm using a trapdoor and that's very useful so if you have multiple ways to do certain things that makes it really hard to figure out which one it is that's really happening and
it's a very good psychological thing because they say you know once they say well it's not this I know it's not this they tend to want to believe that again
so oh another thing that some magicians have done specially when they're working trying to steal market share from another magician is they will come up with illusion that maybe is an improvement over someone else's illusion and they'll tell people says unlike some magicians we don't use a trap door or whatever it is you know and they purposely reveal the technique that other people are doing to improve the illusion of what they're doing and that could be useful too we'll talk about that all right and another very useful
thing for magicians is a switch where they they're using something a gimmick sorry a gap using something that's gaffed and what they do is they let you examine it and then these regular object and they switch it for the gaffed object or maybe they do it the way around where they use the gaffed object and they switch it for regular object and then it out let people take a look at this so that you know that's very common and you can do this in hacking too if you had like programs you can switch games in and out very quickly your programs of self destruct after they accomplish certain things so there's ways that this can be done as well now
Now, the fake revelation, I mentioned this before, and I'll give an example of this in a little bit, in the scenario. Okay.

All right, so let me summarize some of the stuff we've talked about, and then we're going to give you the scenario. First of all, I believe there are a lot of things in common, but what I do not think is that a lot of people have applied the psychological techniques of the magician as they're hacking as much as they could, and I'm going to try to describe this. We'll sort of call this person a "magician hacker," I guess; I don't know what else to call him. So let's pick a scenario. We've got this company,
and they have some very valuable intellectual property. I'm thinking, for instance, they could have a server that has all their source code, everything, on it, or some sort of database with very valuable financial information or something. But they also have very good security; this, you know, XYZ Company has really good security and they've got sharp people. Now the hacker's inside; he's already gotten into the network and he has limited access to it. And also, one more thing too: if this intellectual property is sold and they learn about this, it may not be worth as much money. It might be, for instance, trade secrets, where if you can steal this without them knowing it, it's more valuable, but if they know that it's stolen they might do something else. And also, in this scenario, any obvious attempt to extract information and send it out onto the internet would be detected and blocked. So the initial thing of what might be done can't be done; you have to do something else. So what would the magician hacker do? All right, let me build the scenario a little bit first.

We're going to have a Patsy involved. This is Unlucky Lucy. She is the administrator of this server, okay, she's responsible for it, and she's smart, she's really learned, she's smart: if anything strange happens, she detects it, she makes sure it gets stopped. All right, but let's say the magician hacker has partial access to some of her files. Maybe she's got a directory that she owns that he can put some files into, and she also has some files under her control that can be propagated throughout the network; you know, maybe he's got some sort of startup file or something like that that people use, or something along those lines. All right, so what does he do here? He sort of scopes it out, finds the Patsy, and then, first step, he's going to go to some web forums and create an account using Lucy's name and create some interesting little pieces of information there, which we'll discover later. Okay. There's also Innocent Ivy; you know, something's going to happen to her too, but this is all like setting up the discovered misdirection thing. All right, so
the hacker has to do a little bit more work. He's going to create some files on a public-facing web server, but these files are not indexed in the main page, so the search spider might not find them; you have to know about the URLs to actually see these files. So these files are created and they're available on the internet, but no one knows about them yet. Also, one more thing to sort of make this work: they have to make sure that, since some sites do incremental backups, you want to be able to do a full backup. You want to be able to make sure that the entire database is going to be backed up, so you may have to do something to make sure the size of the incremental backup is big enough that it's going to do a full backup. Now, this file that Lucy is distributing throughout the company, it's got a zero-day virus in it. No one knows about this exploit; it's undiscovered, and in fact the virus doesn't do anything, it just sits there. It might propagate; it's just there, pretty quietly, just waiting for the right time. All right, next, the hacker generates a faked press release regarding the XYZ Company: they are now announcing they're going into adult services, and it goes on to quote the CEO, you know, John Smith, and says, "There's a real need, and there's real money in here, and I love pornography." So now you can imagine what might happen. Well, let's go through, let's see what happens here.
So then the hacker makes a phone call to Innocent Ivy, okay, and says, "I was on this URL, I found something on your webpage that I don't think should be there," and lets Ivy know about this, and she checks it out and she reports it to her manager, says, "Oh my God." And also, the magician at the same time reveals the details of this new zero-day: here's the exploit, here's how it works. Maybe he says, "I've seen this in the wild," or something like this, or whatever; they just put all the source code, all the information out there to let people know about it and let the hackers play around with it, so probably pretty soon you'll see malware using this stuff, and all that. Okay, so these are the things that we're doing: the bluff, the wounded accomplice, creating a false conclusion, revealing an inferior method used by others. So we're doing all that at this point, and we still haven't gotten to the good part yet. Okay.

Meanwhile, the CEO hears about this press release. He's obviously not reading Twitter first thing in the morning; someone has to tell him about this stuff, and of course he's going to be outraged about this. The blogs are now talking about this press release because, you know, it hit the news; they're talking about this, and so they publish a press release in response, let's say denying this whole thing: it's just a fake press release, don't believe it. Okay, but then they learn he's got porn on his website. Hmm, so they might have to issue another press release that sort of contradicts the first press release, you know, saying, well, maybe... They have to figure out how to get around it. He is going to be sweating bullets on this. All right, and maybe the hacker has found some screenshots of what some of these pages are, and publishes them on Twitter and stuff like that, lets people see what it is, so it all gets around. They're going to take it down quickly, but, you know, it's going to be there, and it might look like something, you know, like here is the CEO saying, "This is good porn here, you know, I personally guarantee it." So he is going to be pretty upset. Okay.

And, oh, at this point now antivirus companies are creating signatures for that malware that we just talked about, that zero-day that just came out. So this is the first round of chaos. Let's go a little bit deeper. Okay.
So now Ivy gets some random email saying, "Um, you know, one of your people, Lucy, was talking about XYZ Company and their new porn content and how she thinks it's a really good idea and all that. We just want to let you know. Did Lucy do this?" Yeah. So anyhow, they check it out, and lo and behold, in Lucy's files there are some JPEGs that were on the website, and maybe a rough version of that press release in her files. Uh oh. Ivy reports this to the chief, and Lucy gets fired. You know, with stuff like this they just want the people out of there as quickly as possible, you know, just hush it up, hide everything and all that, and get the person out the door as quickly as possible. But now the blogs are talking about this too, you know, about the porn pages that were showing up and how it sort of counters the first press release that came out, and the virus signatures are now updated and propagated throughout the systems, to say here is the new virus, we're putting the signature into the system, and they're all getting updated. All right, so this is sort of the second round of chaos. So what happens now? Okay.
Now the hacker decides to publish a second press release, a faked one from the XYZ Company, saying from now on, as a policy, all our press releases are going to be cryptographically signed, and the public key to verify the contents of the press release is on our webpage over here. And sure enough, there's a public certificate on the webpage; they can go to it, they can validate it, and they say, "Oh, and by the way, you know, we are getting into the porn business," and this is cryptographically signed, and that the CEO has some issues with the current direction. All right, and by the way, the antivirus package just sort of says, "Oh, we have hundreds of machines now infected with a virus." This is the third round of chaos. Shall we go on? All right.

So now, the next thing: this virus does have one thing it does. It was waiting for the right time; the time is now. It decides to make connections to random websites on the internet, but in the HTTP GET, in the header, they have this big new header in there that contains all this random information, random characters, very large files. Now, you know, it actually really is random information, but from an analytical point of view you can't tell the difference between something that's random and something that's encrypted. So as far as anyone can tell, this is sending encrypted information, and all the different machines are connecting to all these web servers on the outside and sending megabytes of data to these, you know, tens of websites out there. And also the antivirus package found some files in Ivy's directory and it got triggered and notified; they look at them, and these are a little bit different. So this is the fourth round of chaos. Okay, finally, okay,
here's where we get to the final stage. So then in Ivy's directory they find the source code of this virus, hmm, and also they found some more of these adult pages on there, hmm, and then the press releases are also in Ivy's directory. So Ivy's now fired. So this is the fifth round of chaos. Now let me summarize what's going on here.

We've got this complete circle of chaos here. First of all, they've got a PR nightmare: you know, they keep coming out with these press releases, and their press releases kind of contradict other press releases, and they don't quite seem to know what they're doing. They're trying to handle this, trying to smooth everything out, and they're not quite sure how to handle the situation. They also have this big virus infecting all these machines, you know, all over the place; they've got to deal with that. You know, where's the virus, how's it propagating, what's going on? They might trace it down to the fact that maybe it was, you know, Lucy that was doing it; everything makes sense, but then maybe it's Ivy, she's involved too. And the third thing is they've got all this, you know, gigabytes of traffic going out to the internet that's encrypted. What is in there? Maybe it's their intellectual property; someone's doing all this stuff; they'd better figure out what this is and stop it soon. The fourth thing that they're worried about is they now have two cases of wrongful termination. I mean, the CEO is not going to care about this; they just want the people gone, you know, no excuses. (What's that? Oh, okay, it says "wrongful termination," I don't know what it is, well, it got chopped off. Okay.) All right, and then the next one is, well, you know, now people are going to have problems with their management. They're not quite comfortable with what's going on; Ivy and Lucy got fired, people know these people, they can't understand what's going on. Rumors get spread, you know, people can't make up their minds as to what's going on and who's to blame for that; it seems like they're blaming people, you know, for no real reason, or maybe they are, it's really confusing. And the fifth problem they have is the fact that, well, the administrator of the server has now changed. They lost the primary and lost the secondary, so they have some other person not familiar with that server now. Do you think they're going to care about that last one? It's just not going to be something as high on their radar. So now we're going to
complete the illusion. Now, like magic, you know, once you know what's really happening you're going to be disappointed, because it's so simple. That's how magic is, but it's not just the effect, the stunt; it's the whole creation of the illusion, with all of the misdirection and all the psychology, the whole thing, that's what makes magic interesting. But what actually really happens can be very simple. So, remember, what we're trying to do is steal the information from the database and not be detected, and be as natural as possible and leave no evidence. So this is what's done; it's pretty simple. Well, we're going to do a full backup of that database, and using some DNS cache poisoning or something like that, that goes to a different website, a different external server, maybe in a different country or whatever, but they may not notice it. And when it's all done it sort of cleans up all traces of it; you know, the DNS cache will be cleansed, and as far as they can tell everything looks perfectly fine. So therefore, yep, profit. Thank you.
All right, now just to summarize some things to talk about: press releases should be signed. I think detecting this sort of technique is going to require a new sort of philosophy, new ways of thinking about things, and new motivations, understanding it. The obvious answer may not be the correct answer: it seems like it's the obvious one, but that may not be good enough, and unrelated events may not be unrelated; the whole thing may be part of a big, big package. Forensics are really important, and people, like computers, are assets and they're vulnerable to denial of service as well. So on the DVD and on my webpage there's an 18-page paper that gives a lot of detail on all this stuff. I've been collecting information about this; if you have any questions, contact me, and I'll update the papers. Hope you enjoyed it.
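The decoy stage of the scenario (the virus pushing megabytes of random characters in a "big new header" of HTTP GET requests, which analysts cannot tell apart from ciphertext) can be checked concretely. The block below is an added example written for this page; it is not code from the talk, the DVD paper or the speaker. It measures Shannon entropy of constructed plaintext, of that plaintext under a toy SHA-256 counter-mode cipher (an illustration, not a production cipher), and of seeded random bytes, showing that the ciphertext and the random data are indistinguishable by entropy. It then runs a simple triage rule over two constructed requests: any header value that is oversized, or long and near-uniform, is flagged whether it carries real exfiltrated data or just the decoy. The header name `X-Telemetry`, the sample text, the key and the thresholds are all assumptions made for the example.

```python
"""Decoy-traffic triage: random data in an HTTP header cannot be told apart from
ciphertext by entropy alone, but an oversized, near-uniform header value is an
anomaly either way.  Added example; not code from the talk."""
import hashlib
import math
import random
from base64 import b64encode
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (maximum 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def toy_ctr_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Counter-mode stream cipher with a SHA-256 keystream.  Illustration only
    (assumption: enough to show that ciphertext looks uniform); use a real AEAD
    in production."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        block = plaintext[offset:offset + 32]
        out.extend(p ^ k for p, k in zip(block, keystream))
    return bytes(out)


# Constructed samples: repeated English text, its ciphertext, and random bytes.
_rng = random.Random(2013)                      # seeded so results are reproducible
PLAINTEXT = b"Quarterly revenue figures and the customer list for XYZ Company. " * 80
CIPHERTEXT = toy_ctr_encrypt(b"not-a-real-key", PLAINTEXT)
RANDOM_BYTES = _rng.randbytes(len(PLAINTEXT))


def entropy_report() -> dict:
    """Entropy of each sample; ciphertext and random bytes come out the same."""
    return {
        "plaintext": shannon_entropy(PLAINTEXT),
        "ciphertext": shannon_entropy(CIPHERTEXT),
        "random": shannon_entropy(RANDOM_BYTES),
    }


def parse_headers(raw_request: bytes) -> dict:
    """Header name (lower-cased str) -> raw value bytes for one HTTP/1.1 request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return headers


def flag_request(raw_request: bytes, max_value_bytes: int = 1024,
                 entropy_threshold: float = 5.5) -> list:
    """Reasons a request looks like it is carrying bulk data in its headers.

    Thresholds are assumptions for this example: base64 of random bytes sits
    near 6.0 bits/byte, while ordinary header values stay well below 5.5.
    """
    reasons = []
    for name, value in parse_headers(raw_request).items():
        if len(value) > max_value_bytes:
            reasons.append(f"{name}: {len(value)} bytes (limit {max_value_bytes})")
        if len(value) >= 64 and shannon_entropy(value) > entropy_threshold:
            reasons.append(f"{name}: entropy {shannon_entropy(value):.2f} bits/byte")
    return reasons


# Constructed requests.  X-Telemetry is a hypothetical header name; the talk
# only says the virus adds "a big new header" full of random characters.
NORMAL_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Cookie: session=3f2a9c1e7b4d; lang=en\r\n"
    b"\r\n"
)
DECOY_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36\r\n"
    b"X-Telemetry: " + b64encode(_rng.randbytes(3000)) + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, bits in entropy_report().items():
        print(f"{label:10s} {bits:.3f} bits/byte")
    print("normal :", flag_request(NORMAL_REQUEST) or "no flags")
    print("decoy  :", flag_request(DECOY_REQUEST))
```

Two things to take from running it. First, the entropy of the ciphertext and of the random bytes both land just under 8 bits/byte, so an analyst who sees the flagged traffic genuinely cannot say whether intellectual property is leaving; that uncertainty is exactly the misdirection the scenario relies on. Second, a rule like `flag_request` catches the decoy, but the real channel in the scenario, a full backup job whose destination name resolves through a poisoned DNS cache, never touches an HTTP header and produces none of these signals. The check is therefore worth pairing with verification that backup targets resolve to their expected addresses, and with resolver-cache forensics, rather than treating the noisy traffic as the whole incident.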