Counterspy: Are You Being Watched?
Now that you know how online activities can be collected, you should think about your own vulnerability. As you are collecting your target’s Web traffic, e-mail, and instant messages, someone else may be collecting the same from you. As demonstrated earlier, online applications come with little to no expectation of privacy; therefore, unless you take precautions, you are inherently vulnerable to being spied on.
This chapter provides the tools you need to minimize your exposure and make it difficult for others to spy on you. Beyond all of the technological plug-ins that can enhance security, you must recognize that each action you perform on your computer leaves evidence for someone else to analyze. This chapter starts by teaching you how to keep a low profile online, which means avoiding activities either by limiting where you conduct them from or surrounding yourself with secrecy enablers such as encryption and steganography.
Next, we teach you to identify if you are being spied on by pointing out warning signs to watch for; we also teach you about traps that you can set to catch others. Finally, we conclude by helping you prepare in the event that you are the target of someone’s spy attempt. Keep in mind that knowing how to protect yourself from those trying to watch you will only help make you a better spy.
There are many ways to introduce stealth and operational elements into your daily interaction with computers. As with most situations, caution introduces inconvenience. You must decide what level of suspicion makes the most sense for your situation. We begin by suggesting some methods to use to limit your dependence on your home network and then we discuss methods of concealment for when avoidance is not an option.
One of the easiest ways to reduce evidence on your home computer is not to use it for anything that you do not want discovered. There are three ways that this can be done: the exclusion of media, the exclusion of a network, and total exclusion. We recognize that each of these carries some level of inconvenience; however, keep in mind how minor the inconvenience would seem compared to the agony of being caught.
The exclusion of media ensures that the internal media of your home computer is not used, meaning you never allow sensitive information to touch the hard drive of your computer. Not storing evidence on the hard drive prevents someone from conducting after-the-fact forensics. This can be done with removable hard drives, virtual drives, virtual operating systems (OSes), and bootable OSes.
One of the easiest and least expensive removable drives is a portable Universal Serial Bus (USB) drive, which is a great place to store sensitive information. USB drives can be purchased for less than $50.00 at any retailer that sells computer accessories. These drives provide up to 1 gigabyte (GB) of data storage; you can also go with a larger drive and purchase a USB hard disk. These drives are essentially laptop hard drives encased in a USB interface and can be purchased for less than $100.00. USB hard disks can hold more than 100GB of data.
One thing to keep in mind is that anything introduced into a scenario must have a legitimate cover story. If you begin secretly using your new USB drive, you may draw attention to yourself. Instead, be sure that you have a solid explanation of why you purchased it and ensure that it can be backstopped if investigated. Indicating your desire to maintain “secure backups” of financial information may suffice. Then make sure to actually use the device.
Another option is to utilize a storage device that you may already have connected (e.g., an MP3 player). Very few people think to look on music players for hidden files. Apple’s iPod is an appealing option because of the large amount of disk space it offers (up to 60GB). Portable music players are plugged into the computer to transfer music files, so a cover story is already incorporated. Figure 11.1 shows how an iPod can be “explored” just like a removable drive.
From here, you can create a new folder on the drive named “hidden” to maintain your secret files. (For even more sensitive data, see the file encryption and steganography section later in this chapter.) An ideal scenario is to encrypt your sensitive files with strong encryption first and then, using steganography, embed them in an existing song on your iPod. (S-Tools, the steganography tool discussed later, works on WAV rather than MP3 files, so keep a few uncompressed tracks on the player.) This should withstand considerable scrutiny, especially if you have a large number of songs loaded. Even if someone suspected that a file contained steganography, they would still have to break the encryption to read it. The weak points are the steganography tool itself, which has to live somewhere, and any unmodified copy of the carrier file, which lets an examiner compare the two and see exactly which bytes changed.
A random-access memory (RAM) drive can be created for the temporary storage of files. A RAM drive simulates a regular hard drive, but its contents disappear when the computer is powered down. This is a great option if you do not need long-term access to a file. To download a free copy of this application, go to AR Soft’s Web site at www.arsoft-online.com/download/ramdisk.zip. As Figure 11.2 demonstrates, there are a few options to select from once the application is installed.
Under the General tab, select the drive letter that you wish to have the RAM drive mounted under. Be sure not to select a drive that is already in use. Next, select the size (in megabytes [MBs]) of the RAM drive under the Geometry tab. Do not make the disk any larger than 100MB unless you have installed additional memory in your computer system.
The File System tab allows you to name the volume, give it an ID, and change sector and entry counts. Do not change any of the values in this tab. When finished configuring your drive, click the OK button to proceed.
The next step is to open up the RAM drive so that you can save files to it. To do this, launch Explorer from the Start | Run menu. By default, the RAM drive does not appear on the screen; however, if you enter the drive name into the Address box (see Figure 11.3), it will open the disk.
The RAM drive is now ready to store files, folders, and applications as if it were a regular hard drive. This is a good place to store temporary files or executables such as steganography tools that you do not want installed on your regular hard drive. When the computer is powered down, the contents of this drive are gone. Two caveats apply: Windows may have paged portions of the RAM drive to the page file (pagefile.sys) or written them to the hibernation file (hiberfil.sys), where they can be recovered later, and applications you run from the RAM drive still leave their own traces (recent-file lists, registry entries, browser caches) on the real hard drive. Disable hibernation and configure Windows to clear the page file at shutdown if you rely on this technique.
Another option beyond using a virtual RAM drive is to use a completely virtual OS. A virtual OS is an entire computer with OS and software simulated within a single program. There are several applications that do this; our favorite is the commercial program VMware (www.vmware.com). Using VMware you can install one or more virtual machines inside your existing “host” OS. Each machine is completely self-contained and is graphically displayed in its own window (see Figure 11.4).
As can be seen, the virtual machine looks and feels almost identical to a true machine. The prime difference is that the C: drive of this computer resides entirely in a virtual disk file located on the host computer. This adds a layer of work for an investigator rather than real protection: the virtual disk file can be located on the host, and standard forensic tools can mount or parse it without ever starting the virtual machine. The virtual machine’s real value lies in the snapshot mechanism described next and in keeping your activity out of the host’s own history lists and caches.
Another advantage of using VMware is the Snapshot and Revert capabilities (see Figure 11.4). You can install a virgin system and take a snapshot of it, thereby saving a copy of the “state” of the machine. This means that when you press the Revert button it will appear identical to when you took the snapshot. From an operational perspective, you can take a snapshot of a clean system, access the Internet, and revert to a clean state when you are finished. Reverting removes the evidence from the virtual machine, but the discarded changes were stored in files on the host and are recoverable from free space until that space is wiped; likewise, the host’s page file and network logs are unaffected. Because the entire virtual machine is saved in a set of files on the host machine, those files can be securely deleted to remove all evidence of the machine itself. Virtual machines such as this provide an excellent opportunity to access the Internet in a stealthy fashion.
Beyond OSes that execute virtually on your host OS, you can use specialized “boot” disks that do not require a hard drive. Because they must fit on a CD and run without being installed, nearly all of these are Linux-based OSes, one of the most popular being Knoppix (see www.knoppix.net). After you burn the image to a CD, you have a completely portable, bootable OS that executes without the use of a hard drive. Figure 11.5 demonstrates the “look and feel” of the Knoppix distribution of the Linux OS.
To use Knoppix, place the CD in your drive and reboot; it automatically attempts to configure your Internet connection using Dynamic Host Configuration Protocol (DHCP). By default, Knoppix comes with a Web browser, an Instant Message (IM) chat client (Gaim, which is discussed later), and an e-mail client. Figure 11.5 shows Knoppix using anonymous Hotmail and IM accounts. Because this entire session resides in memory and not on the hard drive, the evidence on this computer is gone when the power is turned off (provided you did not enable Knoppix’s option to save a persistent home directory to disk). In addition, a Linux live CD leaves none of the Windows-side artifacts (registry history lists, browser caches, index files) that earlier chapters showed how to read. It does nothing about evidence held elsewhere: your router, ISP, and the services you log in to still see the connection.
While not relying on the hard drive helps prevent some actions from being detected, remember that evidence travels across your home network, which leaves you vulnerable to sniffers and other network-based collection mechanisms. The next step is to leverage wireless network services offered by restaurants, coffee shops, hotels, and so forth, so that no evidence of your activity can be collected from your home network. Keep in mind that forensics can still be collected from the hard drive, so be sure that you do not rely on any internal media if it can be accessed by others. In addition, many of these networks restrict activity to Web surfing; consider combining some of the media exclusion methods with network exclusion to enhance your level of protection.
The last step is to take advantage of full Internet access services offered by libraries, business centers, and Internet cafés. Some Internet cafés have automated systems that erase and reinstall the OS of each computer between sessions. Many do not, and any of them could have keystroke loggers installed. Because of this (and other lack-of-privacy issues), do not conduct any banking or other important activities from these computers. Internet cafés do, however, provide a good means of sending e-mail and holding chat sessions that are hard to trace back to you, especially when combined with disposable e-mail addresses such as those available from www.hotmail.com, www.yahoo.com, and www.gmail.com and a disposable chat ID. Keep in mind that “hard to trace” is not “untraceable”: the café knows which machine was used at what time, may keep sign-in records or camera footage, and its public address appears in the headers of every message you send. Many people believe that a great deal of Internet spam originates from such locations precisely because messages sent from them are difficult to trace.
Venturing out of the house every time you want to use the Internet is not always practical, and for many applications, you cannot get away with installing them on removable or virtual drives. For these cases, the best advice we can give you is to use constant vigilance. In other words, erase what you can, hide what you cannot erase, and encrypt what you cannot hide.
As mentioned in Chapters 6 and 7, histories, cookies, and caches can be erased using almost the same steps. With Mozilla Firefox, you can access this option by clicking on Tools | Options | and the Privacy tab. This tab opens up a window that gives you the ability to delete individual components, or you can click on the Clear All button (see Figure 11.6).
The same can be done with Microsoft Internet Explorer by clicking on Tools | Internet Options | and the General tab. In the “Temporary Internet files” section you can click on the Delete Cookies and Delete Files buttons. Likewise, in the “History” section you can click on the Clear History button. To keep your Web surfing private, be sure to always clear this evidence from your browser.
One problem with privacy and Microsoft Windows is its lengthy collection of history lists saved for nearly everything. As an option for users that prefer secrecy, Microsoft offers Tweak UI from Windows XP PowerToys. Download it from www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx and search through all of the options for those that fit your needs and preferences. Make sure that Clear document history on exit is checked under the “Explorer” settings and that both Maintain document history and Maintain network history are unchecked. See Figure 11.7 for an example of suggested configuration options.
This section introduces the concept of “secure” deleting. To prevent erased files from being recovered (as demonstrated in Chapter 6), utilize a utility such as the one included in Pretty Good Privacy (PGP) freeware version 6.5.8, which can be downloaded from http://web.mit.edu/network/pgp.html. There are newer versions of the software available, but 6.5.8 is the last completely free version with full functionality.
The encryption software included in this package is utilized throughout later sections of this chapter, but for now we will use only its “Wipe” capability. Once the software is installed, you can safely delete a file so that it is not easily recoverable by right clicking on the file (or directory) from the Explorer screen and selecting PGP | Wipe. Alternatively, you can use the “eraser” icon on the PGP Tools menu launched from Start | PGP | PGP Tools. Once the file to be deleted is chosen, both methods open a confirmation window warning you that the selected files will be permanently deleted (see Figure 11.8).
Similarly, this version of PGP freeware includes an application called “Free Space Wiper” (see Figure 11.9) that is designed to cleanse any lingering files that were previously deleted by non-secure means (e.g., the default Windows “Delete” command). “Wipe” every sensitive file you delete from your hard drive so that it cannot be recovered by anyone else. Wiping only overwrites the copy you point it at: temporary files written by the application that created the document, older versions in the Recycle Bin, backups, the page file, and very small files that NTFS stores inside its master file table are all untouched, which is why the free space wiper is worth running periodically as well.
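The following is an added example (not part of PGP or of this book) of what a “wipe” does under the hood: the file’s bytes are overwritten in place and flushed to disk before the name and length are obscured and the entry unlinked. It assumes a conventional file system on a magnetic disk; on journaling file systems, flash media, or files with copies elsewhere (see the caveats above) overwriting the file itself is not sufficient. The sample file it operates on is constructed by the script.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write random data in 64 KB pieces so large files do not need to fit in memory


def overwrite_in_place(path, passes=3):
    """Overwrite every byte of `path` with random data `passes` times.

    Returns the number of bytes overwritten per pass. Each pass is fsync'd so
    the data reaches the device rather than sitting in the OS write cache.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def wipe_file(path, passes=3):
    """Overwrite the contents, then hide the original length and name, then unlink."""
    size = overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)  # the directory entry no longer records the original size
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)  # reduces the chance the original name survives in directory slack
    os.unlink(anonymous)
    return size


def demo():
    """Create a constructed 'chat log', wipe it, and report what an examiner would see at each stage."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    secret = b"chat_log secret line\n"
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret * 100)
    results = {"size": os.path.getsize(path)}
    with open(path, "rb") as fh:
        results["secret_visible_before"] = secret in fh.read()
    results["overwritten"] = overwrite_in_place(path, passes=1)
    with open(path, "rb") as fh:
        results["secret_visible_after_overwrite"] = secret in fh.read()
    results["wiped"] = wipe_file(path)
    results["exists_after_wipe"] = os.path.exists(path)
    return results


if __name__ == "__main__":
    print(demo())
```

Each pass is flushed with `os.fsync` because a write that only reaches the OS cache can still be lost or reordered if the machine is switched off; the final rename is a best-effort way to keep the original file name from surviving in the directory, and is the one step whose benefit depends on the file system.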
At this point, we have illustrated several techniques for excluding and removing sensitive data from being obtained by someone spying on you. However, some things cannot be hidden and must remain in plain sight. For those items, we will teach you methods of encryption and steganography. One problem with using advanced techniques is that if they are detected they indicate that you are intentionally trying to hide something. An intelligence officer traveling overseas on vacation with a digital camera is one thing, but an intelligence officer caught with a secret concealed camera is a completely different circumstance. Be careful using these, and make sure that you are ready to give a well-thought-out cover story if confronted.
There are several encryption possibilities when it comes to e-mail, but the option that we feel is best suited for the casual home user is PGP freeware 6.5.8. In addition to providing the disk-wiping utilities discussed previously, PGP freeware 6.5.8 also provides a robust mechanism for securely sending e-mail that is easy to use. As we will demonstrate, this integrates easily into several e-mail clients such as Microsoft Outlook and Outlook Express.
Using encrypted e-mail comes with some initial overhead in the process of key generation and exchange, but the benefits of sending private e-mail far outweigh the minor inconvenience of this process. To make things easier, we have outlined the steps that you need to take to accomplish this.
1. Download PGP. If you have not already done so, download version 6.5.8 of PGP freeware from http://web.mit.edu/network/pgp.html.
2. Create a public/private key pair for yourself. Click Start | All Programs | PGP | PGPkeys and accept the default options. Next you will be asked to enter a pass phrase (see Figure 11.10). Make sure that you select something that is easy for you to memorize, as you will not be able to recover this (or read anything encrypted with this key) if you forget it.
3. Export your key. Your key must be exported so that others can use it. This is done using the same PGPkeys program as in the last step. Right click on the entry that belongs to you and select Export (see Figure 11.11)
4. Selecting Export causes a second window to open, which will ask where you would like the key to be saved. Once your public key has been saved to a file, send it as an e-mail attachment to anyone that you want to use it with. In turn, you must ask that person for a copy of their public key so that you can send/receive encrypted e-mail to/from them. When you receive a key, you can import it by using the same PGPkeys utility. From the top menu select Keys | Import (see Figure 11.12).
5. If the key you received from the other person is not signed by you or by someone you trust, PGPkeys marks it invalid: the circle in the Validity column will be grayed out for that user, and PGP will warn you before it lets you encrypt to it. Validity exists to defeat the obvious attack on this scheme: anyone who can read your e-mail can also replace a public key in transit with one of their own, and you would then encrypt messages that the spy, not your correspondent, can read. Before signing a key, confirm its fingerprint (shown in the key’s properties in PGPkeys) with the other person over a channel the spy is unlikely to control, for example by reading it aloud over the telephone or checking it in person. Once you are certain the key is genuine, sign it yourself: from the PGPkeys menu select Keys | Sign. As Figure 11.13 demonstrates, this prompts you with a second window that explains the process.
When you click OK, a third window appears that will prompt you for your pass phrase so that the key can be signed (and therefore considered valid). Once a key is considered valid, it can be used to send and receive e-mail.
Although there are more recent releases, we demonstrate this version of PGP freeware because of its nearly seamless interface with Microsoft Outlook and Outlook Express. A message can be sent encrypted using this application in nearly the same way as sending a plaintext message. Create the message as normal, but when you are finished select the Encrypt (PGP) option from the drop-down tool bar on the right (see Figure 11.14).
Once you have done this, click the Send button to securely e-mail the message. A window will prompt you to select all of the keys that you wish to include in the encryption (see Figure 11.15).
By default, the window will have an entry for the key that matches the e-mail address of the recipient. However, if you want others to be able to view this message you can also drag their names down into the “Recipient Selection” window. When all of the keys have been included, click OK and the encrypted message will be sent to the recipient(s) (e.g., the encrypted version of the ice cream message in Figure 11.14 can be seen in Figure 11.16).
Likewise, you can decrypt e-mail messages in much the same manner. Most email clients send the encrypted message as an attachment that ends with .asc. When a message like this arrives, click on the attachment and either Open it or Save it to disk, depending on your preference. If you choose to Open it, you will be prompted to enter your secret pass phrase before you will be allowed to read the message (see Figure 11.17).
Other free implementations of the same OpenPGP standard exist, including GnuPG (GPG), released under the GNU General Public License and available at www.gnupg.org; keys and messages are interchangeable between it and PGP. (We encourage you to experiment and decide which version best suits your needs.) Encrypting e-mail is good practice and helps maintain privacy both on the computer itself (if messages are stored encrypted) and across the network as messages are sent.
Microsoft Windows XP Professional (not Home Edition) comes equipped with the ability to encrypt files and folders with its default installation. This is done using Encrypted File System (EFS), which operates by marking files that you want encrypted with a special attribute that tells the OS that the file should be stored encrypted. This attribute can be set by right clicking on the file, selecting Properties, clicking on Advanced, and checking the Encrypt contents to secure data box (see Figure 11.18).
EFS encrypts each file with a random symmetric key and then protects that key with the public key of each user allowed to open the file. It only works when the file is on the New Technology File System (NTFS), although it will protect the file even if the disk is mounted remotely or from a different OS. If the file is copied to a non-NTFS disk (for example, a FAT-formatted USB drive) or sent across the network, it is decrypted in the process. Also, since the ability to decrypt the file is tied to your account and unlocked by your logon, anyone who accesses your account, including a spy who has captured your password with a keystroke logger, can read your encrypted files. In general, we feel this encryption method is too limiting; we only recommend it if the measures discussed next are not an option.
Another use of PGP freeware is its ability to secure files using strong encryption. Once the PGP application is installed, you can do this by selecting the file you wish to encrypt, right clicking on it, and selecting PGP | Encrypt (see Figure 11.19).
A second prompt appears that asks you to drag the names of the recipients into the bottom window (see Figure 11.15). When you are finished, a second file is generated with the same name as the original, but with an .asc extension. In our example, this process creates a file named chat_log.txt.asc. It is your responsibility to securely wipe out the original file (chat_log.txt) using PGP | Wipe (discussed previously in this chapter). This is useful because files can be encrypted using multiple recipients and sent securely as an alternative to encrypting entire e-mail messages. Similarly, this can be used to protect files that are transmitted across networks through other mechanisms such as via Web sites. This type of encryption is also good for files you want hidden and protected on your computer.
Entire portions of a hard drive can be protected with encryption using an application such as the TrueCrypt cryptographic file system (available from truecrypt.sourceforge.net). Once installed, TrueCrypt is easy to configure and use. Configuring the application takes place in five straightforward steps.
1. Specify a volume. Select a drive letter and press Create Volume. This will create a window asking you to enter a location into the field (see Figure 11.20). When you are satisfied, click Next.
2. Select an algorithm. Select an encryption algorithm and click Next (see Figure 11.21). Be careful with your selection; some of the algorithms included require a special license prior to legal use. We recommend sticking with the default (Blowfish) encryption; AES, which is also included and unencumbered, has received far more public analysis and is an equally sound choice.
3. Designate volume size. Next you must specify the amount of space you want to set aside for the encrypted volume (see Figure 11.22). It is important to note that this is an immediate use of space and not an upper limit. The entire amount of space is consumed when the volume is created, even though you do not technically have files utilizing the space in its entirety. The amount of space that you select is dependent on your anticipated need and the amount of free space that is available.
4. Choose a password. This password must be between 12 and 64 characters long (see Figure 11.23). It is the only thing standing between the volume and anyone who copies the container file, so choose a long phrase rather than a word, and never type it on a machine you suspect of carrying a keystroke logger. When matching passwords have been entered, continue by pressing the Next button.
5. Volume format. The final step is to press the Format button presented on the next screen. This may take several minutes depending on the size of the file system you selected. In this case, it took less than 10 seconds because of the small volume size.
At this point, the volume named C:\Private, which is 100MB in size, has been created and encrypted using the special password. To use this volume, it must be mounted, which can be done using the main TrueCrypt interface (see Figure 11.24).
Beyond providing a means of encrypting individual files, this can be used for more robust purposes such as encrypting the folders used by e-mail (or banking application) clients. As discussed in Chapter 6, these folders can be identified for each application and changed by selecting Tools | Options | Maintenance | Store Folder. Figure 11.25 demonstrates how you can change your folder for Outlook Express to now be stored in the mounted TrueCrypt volume (drive E:).
When you are finished accessing the data on the encrypted drive, click Dismount All from the TrueCrypt interface, which will prevent others from accessing your data (see Figure 11.26). In this case, the encrypted drive has been unmounted; therefore, when Outlook Express is launched it is not able to access any of the securely stored e-mail. While the volume is mounted, however, it is an ordinary drive: any program, including a spy’s collection software, can read it, so dismount it as soon as you are done rather than leaving it open between sessions.
Experiment to find out which applications can and cannot operate with encrypted drives. Encrypted drives are a good way to maintain information securely because they do not require the overhead associated with encrypting individual files.
Even though many people divulge some of their greatest secrets during an IM chat session, previous chapters have shown that this is not secure and leaves your messages vulnerable to spying. In most clients, messages are sent in plaintext by default, which means that anyone with a network sniffer between you and the recipient can retrieve your messages. To help prevent this, the following sections demonstrate three available encryption options.
Trillian is a multiuse chat client that is available for download at www.trillian.cc. Unlike AIM, Trillian can send and receive messages on other networks such as MSN or Yahoo. After Trillian is installed, encryption can be enabled through the “Preferences” menu by checking both boxes in the “SecureIM” section (see Figure 11.27).
In order for someone else to communicate with you using Trillian, they must install and enable Trillian SecureIM. Once this is done, both parties can communicate without fear of observers snooping on their communications (see Figure 11.28). Note the lock icon in the bottom center of the chat dialog; this is how Trillian shows that it has established an encrypted session.
A second option with a similar look and feel to AOL’s AIM client is Gaim. Like Trillian, Gaim is free and can be obtained at http://gaim.sourceforge.net. While this application itself does not come with encryption capabilities by default, you can obtain an encryption plug-in for Gaim at www.sourceforge.net/projects/gaim-encryption. To use Gaim with encryption, download and install both the client and the encryption plug-in. To configure encryption, from the Gaim client select Preferences | Plugins, and check the Gaim-encryption box (see Figure 11.29).
Once the plug-in is configured, encrypted messages can be sent to and received from users that also have Gaim encryption installed and configured. You can verify that messages are being sent and received encrypted by the status of the “lock” buttons on the chat dialogue box (see Figure 11.30).
Skype provides low-cost long distance telephone calls over the Internet through their client (available at www.skype.com) and for noncommercial users, it provides free encrypted IM and voice chat. Skype does not participate with the AOL IM network; therefore, anyone that you want to securely chat with must have a Skype account (see Figure 11.31).
The biggest difference between this client and other chat applications is that if you click on the telephone in the left-hand corner of the chat window, Skype establishes an encrypted voice connection between the two parties (see Figure 11.32). In addition, there is a commercial Skype service called SkypeOut that allows you to call traditional telephone numbers using Skype. By using Skype, you are avoiding two problems that may plague you if you use a traditional telephone. First, you avoid any traditional phone taps on your side, since you will be using the Internet to make your outgoing phone calls; the call is encrypted between the two Skype clients, so a sniffer on your network sees traffic but not conversation. Second, calls made over Skype do not appear on your telephone bill or in the call history of your phone. This moves the record rather than eliminating it: the Skype client keeps its own local call and chat history, Skype’s servers see who called whom, and SkypeOut calls are itemized in your Skype account so that you can be billed for them. A SkypeOut call also becomes an ordinary telephone call at the far end, where it is as exposed as any other.
Steganography is another good way to hide information in files, either over e-mail or in chat. The difference between steganography and encryption is that steganography hides information whereas encryption secures information. Encrypted files visibly look protected (see Figure 11.16) and steganography hides information by subtly placing it in ways that are not visibly apparent. For example, imagine the following e-mail message.
Even though it does not look protected, it contains the secret message: Hi Molly. Call me at seven at night. Sound and image files are ideal places to hide information because small changes to them are not visible or audible. In addition, because their contents are binary rather than human-readable text, an encrypted payload (which looks like random bytes) does not stand out in them the way it would in a text document, so the information can be encrypted for additional protection before it is hidden.
Freeware tools such as S-tools, that easily drag and drop secret messages into files, are available at www.snapfiles.com/get/stools.html. Most of these tools offer additional security by using password encryption in addition to their hiding capability. However, we recommend that sensitive data be protected with strong encryption (such as the kind demonstrated with PGP) before they are hidden using steganography. Figure 11.33 demonstrates how a password gets added to the image of a boat containing a secret message.
Dragging the secret file into the image causes a prompt to appear asking you to specify a password and encryption algorithm. This password must be known by whomever you want to open the file if you intend to use it as a secret storage mechanism locally on your computer.
The benefit to using steganography over encryption is that it already has a built-in cover story. For example, imagine an e-mail from the owner of this boat with the picture attached. This e-mail could be completely legitimate and contain information such as:
To the casual (or even well-trained) observer, nothing appears to be unusual or secretive about this message. In Figure 11.34 there are two images that appear to be identical; however, the image on the left is an original and the image on the right contains the secret message from Figure 11.33. Any recipient that knows the password and has a copy of S-Tools can read the secret message from the e-mail. Two caveats: least-significant-bit hiding of this kind changes the statistics of the carrier, and steganalysis tools can flag an image as suspicious even without the original; and if the original is available, a byte-for-byte comparison reveals exactly which pixels changed. Never keep the unmodified original next to the carrier, and prefer carriers you produced yourself (your own photographs) over images that exist elsewhere.
Steganography also lends itself well to a concept referred to in the spy community as “dead drops.” Although the secret message is hidden in the boat picture, the mere act of sending an e-mail directly to another person makes a connection between the two parties. If you want to secretly communicate with someone else, consider “dropping” the image at a third-party location such as an online auction, newsgroup, or Web site. The intended recipient could see the picture while searching for boats and secretly decode the message. If done carefully and using a believable cover, this method of communication is very difficult to catch.
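The mechanics behind the S-Tools example above, as an added example written for this chapter (S-Tools’ own file format is not reproduced here): the payload is first masked with a keyed stream so it looks random, then written one bit at a time into the least-significant bit of each 8-bit pixel, and recovered the same way. The cover “image” is a constructed grayscale buffer rather than a real BMP, and it is deliberately built with every pixel even so that the two steganalysis checks at the end (comparison with the original, and the fraction of LSBs set to 1) show clearly what embedding changes. The HMAC counter-mode mask is a toy cipher used only to illustrate encrypt-then-hide; use PGP for real protection, as the text recommends.

```python
import hashlib
import hmac
import struct

# Constructed inputs (not from the book): a 4096-pixel grayscale "image" whose
# pixels are all even, a short message, and a key for the masking stream.
COVER = bytes((i * 2) % 256 for i in range(4096))
MESSAGE = b"Hi Molly. Call me at seven at night."
KEY = b"boat-picture-key"


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Toy stream cipher: it only makes the hidden
    bits look random, it is not a substitute for PGP."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def mask(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def embed(cover: bytes, message: bytes, key: bytes) -> bytes:
    """Hide a 4-byte length prefix plus the masked message, one bit per pixel LSB."""
    payload = struct.pack(">I", len(message)) + mask(message, key)
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d pixels" % (len(payload) * 8))
    stego = bytearray(cover)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            stego[i] = (stego[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(stego)


def _read_bytes(stego: bytes, start_bit: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes, key: bytes) -> bytes:
    """Recover the message; a wrong key yields garbage of the right length."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length field does not fit the carrier: probably no payload")
    return mask(_read_bytes(stego, 32, length), key)


def lsb_differences(original: bytes, suspect: bytes) -> int:
    """Steganalysis with the original in hand: pixels whose LSB changed."""
    return sum(1 for a, b in zip(original, suspect) if (a ^ b) & 1)


def lsb_ones_fraction(pixels: bytes) -> float:
    """Steganalysis without the original: embedded data drives the LSB plane toward 50% ones."""
    return sum(p & 1 for p in pixels) / len(pixels)


if __name__ == "__main__":
    stego = embed(COVER, MESSAGE, KEY)
    print(extract(stego, KEY))
    print("changed LSBs:", lsb_differences(COVER, stego))
    print("LSB ones fraction before/after: %.3f / %.3f"
          % (lsb_ones_fraction(COVER), lsb_ones_fraction(stego)))
```

Only the first 320 pixels (40 payload bytes) are touched, which is why a diff against the original pinpoints the hidden region immediately; the ones-fraction check is the kind of statistic a steganalysis tool computes when no original is available, and it is far less conclusive on a real photograph whose LSB plane is already noisy.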
One trick to avoiding keyloggers is to not use the keyboard at all. While this sounds impossible, it is indeed doable. The technique for doing this is definitely inconvenient, but it is a useful secret to know in the event that you are confident someone is monitoring your keystrokes. The Microsoft Windows OS comes prepackaged with an application to do this.
1. Click Start | All Programs | Accessories | Accessibility | On-Screen Keyboard to launch the application. This keyboard can be used to do anything that the regular keyboard does (see Figure 11.35). Instead of touching the keyboard, you use your mouse to “click” on the keys.
This defeats hardware keystroke loggers and any software that reads the physical keyboard, because nothing ever passes through the keyboard cable. It does not defeat all software loggers: the on-screen keyboard injects its keystrokes into the same Windows input stream that hook-based loggers watch, so many of them capture these clicks exactly as if you had typed them. Keep in mind as well that many of the logging programs (such as the one demonstrated in Chapter 6) also capture screenshots; therefore, you may not be completely safe from monitoring.
You have learned how to undo and defeat everything that we have taught you. However, we feel that teaching this without teaching counter-spying tricks would be like releasing a deadly virus without an antidote. We want to arm you with the knowledge and ability to defeat every means of collecting information so that you know what to do if you become someone’s mark. First, you must determine if you are actually being spied on. The following steps will help give you confidence in determining this, but like many things discussed in this book, there is no 100 percent way to know for certain. In the Central Intelligence Agency (CIA), it was often said that all the bad spies are found, but you will never know about the good ones.
Your computer is the most obvious place to look for evidence that you have been spied on. Most methods of spying leave behind some clues. If you think your computer is being monitored, carefully examine it for evidence of unsavory activity. Treat it like you would treat a machine you are monitoring.
When examining your computer there are several different things you should look for, including, but not limited to, hardware keystroke loggers, newly installed software, duplicate files, new accounts, and recently run programs and file lists. Changes in several of these areas at once are a strong indication that you are being monitored.
Newly installed software can be an indicator of suspicious activity on your computer. Several of our spy techniques require us to install software on our target’s computer; therefore, you can assume that someone spying on you is doing the same. There are three primary places to check for software that has been installed on your computer. The first is the Start menu, where some programs put items for easy access. Only the most amateur spy would carelessly install software that leaves items on the Start menu, but it can happen, and checking is an effortless task. Merely open Start | All Programs and look for new software that you do not remember installing. Sometimes, a small dialog box will pop up in the Start menu informing you that “New Software Is Installed.”
The next place to look for software is in Start | Control Panel | Add or Remove Programs, which returns a list of all software that is registered with the OS; scan it for any unusual software that has been placed on your machine. You can also remove the unwanted software from your system at this location.
Finally, open Explorer, browse to your C: drive, and look inside your “Program Files” folder, which holds almost all of the programs that are installed on your machine. Examine every folder carefully so that you have a good idea of what is on your machine.
Duplicate files are an indicator of unusual activity on your computer. Someone who is collecting your e-mail, chat logs, or other documents may be making a backup in case you ever delete the originals. It is a good idea to occasionally search all of your hard drives to look for all .doc (Microsoft Word) and .pst (Outlook) files.
Another thing to watch for is whether someone spying on you has created a new account, either to covertly install software or to provide them with a method of continual access, should you ever change your password. You can easily take stock of the accounts you have on your computer by checking Start | Control Panel | User Accounts. On most machines, there is usually only one account per unique user plus a Guest account that is disabled by default.
Recent lists can also yield clues as to what is happening on your computer. The first one to examine is the recent program list, which appears in the left-hand column of the Start menu. This list shows all of the programs that were recently run; anything appearing here that you have not used recently or do not use frequently can be viewed as a warning sign that someone is running software on your computer.
Recent file lists show what files have been recently accessed. The first and most important one to view is on the Start menu, which shows recently accessed documents and other types of files. You should also open up programs like Microsoft Word and Works to see what files were opened up recently. Find every program that can be used to view “interesting” files, and look at its recent list. If the lists contain files that you know you have not accessed recently, there is a chance that someone found the data interesting and viewed it on your machine.
There are many security tools available, both commercial and free, that can help you identify and trace a potential spy. Firewalls and virus scanners are invaluable for catching dangerous programs, and they are also good at catching spy software. You can also search the Web and look for companies that offer different products that are designed to locate spy software. Since we have not evaluated many commercial spy software detection packages, we cannot vouch for their effectiveness; however, remember that any single piece of software is just one part of the puzzle, and should not be your only method of checking your computer. Use your best judgment and the other techniques mentioned here to supplement any software you purchase to keep yourself spy-software free.
The same techniques you use to watch your mark can help you find a potential spy when turned against yourself. The more information you have on your personal computer, the more likely you will have information revealing the presence of a spy, if there is one.
A keystroke log is a great tool for sniffing out possible spies and giving an accurate picture of what has occurred on your computer. Occasional review lets you know if there is any unusual activity, since any keystrokes you do not immediately recognize are usually signs of activity on your computer.
While this is a very powerful method, it has several angles that should be considered before adoption. A keystroke log on a typical computer, depending on usage, can become huge. Collecting all of the keystrokes on a machine does no good if you do not take the time to analyze them. Since you are creating a log of all of your activity, you are now doing the spy’s job for them by handing them the information they are probably looking for.
Sniffing your own network traffic is another good technique. Collect daily logs of all traffic on your machine and occasionally analyze them with Ethereal and OWNS. When examining the traffic, look for unusual Web connections and e-mail messages, which is how many commercial spying implants communicate. They transmit your private data to their operator using e-mail or the Web. It is also a good idea to look for Virtual Network Computing (VNC), Back Orifice, or Norton Remote Desktop connections, which are all methods by which your computer can be remotely controlled.
Similar to keystroke logging, sniffing your traffic can be a double-edged sword. While its collection gives you a wealth of information that can be used to protect yourself, it is also the very information you are trying to protect from others. A packet dump from your personal machine will contain all of your e-mail, Web browsing, IM, and other online activities. Complexity is another issue; while a keystroke log is relatively easy to go through and understand, packet dumps are not as straightforward. It takes quite a bit of training to be able to successfully analyze a packet dump. Even tools like OWNS that can automatically classify traffic from packet dumps are not sophisticated to the point where they make traffic analysis a trivial task.
Treat this as one tool in your arsenal for catching spies. Since it is a difficult method to use, only use it when other methods or signs have aroused your suspicions and you are trying to home in on a specific tool or person. When used correctly, this can be a great technique for discovering how someone is spying on you.
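As an added example (not code from the book, Ethereal or OWNS), the following script reviews a connection log from your own machine for the two patterns described above: connections on the default ports of the remote-control tools named here, and outbound connections that repeat on a fixed schedule, the way a keystroke mailer phones home. The log format, IP addresses and port-to-tool table are constructed assumptions.

```python
"""Connection-log review for remote-control services and periodic
'phone home' traffic.  Added example, not from the book or OWNS.

Assumption: one record per line, 'YYYY-MM-DD HH:MM:SS src dst proto dport',
a constructed format standing in for an export from a packet capture."""
from collections import defaultdict
from datetime import datetime

# Well-known default ports of the remote-control tools the chapter names
# (constructed mapping; pcAnywhere is the Symantec/Norton product).
REMOTE_CONTROL_PORTS = {
    5900: "VNC (display :0)",
    5901: "VNC (display :1)",
    31337: "Back Orifice (default port)",
    5631: "pcAnywhere (data)",
    5632: "pcAnywhere (status)",
}

# Constructed sample: ordinary browsing, one inbound VNC session, and an
# SMTP connection repeating every six hours.
SAMPLE_LOG = """\
2004-12-07 00:00:05 192.168.1.20 198.51.100.25 tcp 25
2004-12-07 08:01:00 192.168.1.20 192.0.2.10 tcp 80
2004-12-07 08:02:30 192.168.1.20 192.0.2.10 tcp 80
2004-12-07 06:00:04 192.168.1.20 198.51.100.25 tcp 25
2004-12-07 08:15:00 192.168.1.20 192.0.2.10 tcp 80
2004-12-07 12:00:06 192.168.1.20 198.51.100.25 tcp 25
2004-12-07 13:22:41 203.0.113.7 192.168.1.20 tcp 5900
2004-12-07 18:00:05 192.168.1.20 198.51.100.25 tcp 25
"""


def parse_log(text):
    """Turn the text log into a list of records with real timestamps."""
    records = []
    for line in text.strip().splitlines():
        date, clock, src, dst, proto, port = line.split()
        records.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "proto": proto, "port": int(port),
        })
    return records


def find_remote_control(records):
    """Report every (src, dst, port, tool) seen on a remote-control port."""
    hits = {
        (r["src"], r["dst"], r["port"], REMOTE_CONTROL_PORTS[r["port"]])
        for r in records if r["port"] in REMOTE_CONTROL_PORTS
    }
    return sorted(hits)


def find_periodic(records, min_hits=3, tolerance=0.10):
    """Report (dst, port, period_hours) for destinations contacted at a
    near-constant interval: every gap within tolerance of the mean gap."""
    by_dest = defaultdict(list)
    for r in records:
        by_dest[(r["dst"], r["port"])].append(r["time"])
    periodic = []
    for (dst, port), times in by_dest.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= tolerance * mean:
            periodic.append((dst, port, round(mean / 3600, 2)))
    return sorted(periodic)


def review(text):
    """Run both checks over a log; hits are leads to investigate, since
    legitimate mail clients and update checkers also poll on a schedule."""
    records = parse_log(text)
    return {
        "remote_control": find_remote_control(records),
        "periodic": find_periodic(records),
    }


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```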
To perform passive forensics, select Start | Search | All files or folders | More Advanced Options and check Search files and folders. Next, click When was it modified, specify dates, and change the drop-down from Modified Date to Accessed Date (see Figure 11.36).
Intelligence agencies such as the CIA have used traps as a means of validating their assets for years. The simplest example is the spymaster who hands his asset a closed briefcase and requests that he take it unopened to a third party; the briefcase is trapped and designed to indicate whether it was opened in transit. An opened briefcase means that the asset did not follow the directions of his spymaster (a career-ending mistake). Even more alarming is the fact that it could mean he is a double agent attempting to glean intelligence and “methods of operation” from the spymaster. In practice, though, this example has one crucial flaw: it is not natural. On a day-to-day basis, how many people do you know that hand their confidential briefcase to a relative stranger to courier?
Setting a trap that is not natural will fail because it is obvious to the targeted party that it is a setup, and it divulges your operational intentions. Instead of concocting something new as your trap, draw from subtleties that already exist and are a natural part of your usage.
The default view of files is very different from the one shown in Figure 11.37. After launching Explorer, select View | List to list additional information beyond the name and icon of each entry. Next, click on View | Choose Details and check both the Date Created and the Date Accessed boxes.
In this case, we are observing the directory for the Web browser, Firefox. You can see that the application itself (the first entry) was last accessed at 5:34 AM on 12/7/2004. This would be particularly interesting if we knew that we were not awake at that time.
Because it is trivial to change the date on Microsoft Windows, an even better experiment is to set a trap. When you have finished using the computer, explore this directory, write down the exact access time, and take it with you. Before launching the application, browse to this directory again and check to see if the time has changed. If it has, someone else has used the browser and may or may not have tried to access cache and cookie information from it.
A similar trap can be done on directories that contain mailboxes. In the example in Figure 11.35, we saw that the folders for our user account “Admin” in Outlook Express were last accessed at 6:06 AM on the same date (see Figure 11.38).
At this point, you know that legitimate applications can be observed for changes in their access time. Now, consider a slightly different concept: honey tokens. The idea of a honey token is to create a file that has the look and feel of a legitimate file, but never access it. For example, using the Notepad.exe application, you can create a file that resembles an Excel spreadsheet with relative ease (see Figure 11.39).
This file is populated with what appears to be legitimate information, but is actually a trap. In this case, there are two ways to check the access of this file. The first is to monitor for the file name Purchases.xls in Excel’s recently used documents list. For example, in Figure 11.40, the file “Purchases” is listed on the right hand side. Since this file was created using Notepad instead of Excel, it should not be listed; its presence indicates that someone else opened the file. The second is the access date on the file itself, which we can now analyze to determine when it was accessed.
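The access-time trap and the honey token described above, as an added example that is not part of the book: the script records the last-access time of every file under a directory (the browser or mailbox folder, for instance), stores that snapshot for later comparison, plants a decoy spreadsheet that the owner never opens, and reports which files were read in the meantime. Directory names, the decoy's content and the simulated visit are constructed; note that NTFS and Linux "relatime" mounts may throttle last-access updates, so confirm on your own system that a read actually moves the access time.

```python
"""Access-time trap and honey token check (added example, not from the book).

Assumptions: the watched directory and decoy name are chosen by the user,
and the OS updates st_atime on read (NTFS and 'relatime' mounts may not)."""
import json
import os
import tempfile
import time
from pathlib import Path


def snapshot_access_times(directory):
    """Record the last-access time of every file below directory."""
    base = Path(directory)
    return {
        str(p.relative_to(base)): p.stat().st_atime
        for p in base.rglob("*") if p.is_file()
    }


def save_snapshot(snap, out_file):
    """Write the snapshot somewhere the visitor cannot reach (removable media)."""
    Path(out_file).write_text(json.dumps(snap, indent=1))


def load_snapshot(in_file):
    return json.loads(Path(in_file).read_text())


def compare_snapshots(before, after):
    """Files whose access time moved forward, plus files created or removed."""
    return {
        "accessed": sorted(f for f in before if f in after and after[f] > before[f]),
        "created": sorted(f for f in after if f not in before),
        "removed": sorted(f for f in before if f not in after),
    }


def plant_honey_token(path):
    """Create a decoy that looks like a spreadsheet export but is never opened
    by the owner; returns its access time at planting."""
    rows = [  # constructed decoy content
        "Date,Vendor,Amount,Notes",
        "2004-12-01,Acme Storage,1200.00,rent on unit 14",
        "2004-12-03,Northwind Travel,842.50,deposit",
    ]
    p = Path(path)
    p.write_text("\n".join(rows) + "\n")
    return p.stat().st_atime


def honey_token_touched(path, planted_atime):
    """True when the decoy's access time moved since it was planted."""
    return Path(path).stat().st_atime > planted_atime


def demo():
    """Stand-alone walk-through on a temporary directory. The visitor's read
    is simulated with os.utime so the check works even on mounts that do not
    update atime on read."""
    root = Path(tempfile.mkdtemp(prefix="trap_"))          # watched folder
    media = Path(tempfile.mkdtemp(prefix="usb_"))          # stands in for a USB stick
    (root / "cache").mkdir()
    (root / "cache" / "cookies.txt").write_text("session=abc\n")
    (root / "notes.txt").write_text("meeting minutes\n")
    token = root / "Purchases.xls"
    planted = plant_honey_token(token)

    snap_file = media / "snapshot.json"
    save_snapshot(snapshot_access_times(root), snap_file)

    # Simulated visit one hour later: cookie file and decoy are read.
    later = time.time() + 3600
    for f in (root / "cache" / "cookies.txt", token):
        os.utime(f, (later, f.stat().st_mtime))

    result = compare_snapshots(load_snapshot(snap_file), snapshot_access_times(root))
    result["honey_token_touched"] = honey_token_touched(token, planted)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```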
Someone spying on you may not be doing it through your computer. There are many other signs that can indicate that you are being spied on. This generally works when you have close access to those who you think may be spying on you.
Are your things, especially papers and other documents, always where you left them? Does your spouse “accidentally” open your mail or pick up a phone extension more often than chance would indicate? Are you interrogated at length about numbers on your phone bill or items on your credit card statements? Does your spouse question you about your whereabouts and drop by your office just to see that you are there? These are all behaviors that indicate that you are being closely watched.
In addition to the behavior-based signs, there are also physical clues to look for. What type of material is your spouse or kids reading? Have they taken an interest in computers, spent an unusual amount of time on the family computer, or started reading lots of computer “security” books? Look through credit card statements for unusual purchases, especially those from online companies. When you find them, make sure you go online and check what type of organization a service was purchased from.
You will never know if a really good spy is watching you; however, the previously mentioned techniques will give you a head start into investigating. One of the most important things to do is to “trust your gut.” In many cases, “a bad feeling about this” has uncovered a well-planned spy operation. Gut instincts are a spy’s worst fear, as they are a very important factor that cannot be planned for or modeled.
While this is the last technique mentioned, it is usually the first one a person uses. A gut feeling is a good start and can lead you to using more complex technical means. Once your suspicions are aroused you can look for other clues, set traps, and spy on yourself to try to find your pursuer. Although we feel your instincts are one of your strongest tools, we also caution you to be careful and not get overly obsessed.
Once you discover that you are being targeted, it is time to determine exactly how you will react to their efforts. This is important since it can have a profound effect on their spying operation and your relationship with the spying individual or organization. When you realize that you are being watched you have a multitude of options, but they all boil down to either avoiding your spy, confronting your spy, or maintaining the status quo. Each choice poses many possible issues. Being spied on can be a very emotional and touchy subject, and there is rarely a good way to handle the situation. It is important to pick the action that will result in the best solution for your particular situation.
Someone is spying on you and you want to avoid them. Instead of confronting your spy, this choice involves modifying your behavior so that you avoid the spy’s techniques. In order to successfully avoid a spy, you must be fully aware of their capabilities and methods. Any mistake on your part when evaluating this can cause you to fail, make you a more suspicious target, and alert your spy that you are on to them.
Once you have identified your spy and their methods, you can practice the age-old technique of feeding them false information. This is a very useful tool in your counter-spy arsenal. You can cause your spy to expend time and effort on as many wild goose chases as you can design.
When you decide to maintain the status quo, you are sure that you are being spied on, but since you are not doing anything wrong you choose to neither avoid nor confront your spy. You may choose to do this because you have discovered your spy’s methods, and know that they are not catching anything. Forcing a spy to continue their operations, especially when the mark is aware and can control the information, can cause the spy to expend time and energy on a pointless exercise. This option is generally the easiest on your part, as it requires doing pretty much nothing new.
Confronting your spy can result in more dramatic scenarios and will most likely put an end to the spying. During a confrontation, let them know that you know they are violating your privacy and covertly monitoring you. As mentioned, this can be a very dramatic event; several things can play out here. If you are doing something of concern and have been “caught in the act,” now would be a good time to handle the issues. Although further denial at this point is generally useless, it is your prerogative (e.g., the CIA will never discuss matters of intelligence or classified documents, regardless of their authenticity or how they were obtained). Changing the questionable behavior that brought someone to spy on you in the first place is also a method of a gentle confrontation. A dramatic change in behavior is likely to alert the spy that something has occurred and that they have been discovered.
If you feel that the spying is unwarranted, a direct confrontation may be more appropriate. In this situation, everything is brought out into the open: your suspicions and evidence of being spied on, and your activity, right or wrong. Accusing someone of spying is a very strong accusation; if you select this path, be prepared for all of the issues that can occur.
Harder than determining you are being spied on is finding out who is doing the spying; good spies are very difficult to detect. Now that you are fairly sure you are being spied on, it is time to determine by whom. This is a question that may not always be answered satisfactorily, if at all. Many times just knowing that you are being spied on may be enough, but when it is not, there are several steps you can take to narrow down your list of possible suspects.
Make a list of all of the people and organizations you think may be spying on you, including your spouse, your children, or a private detective. Your spy could also be a hacker or some other complete stranger.
Now that you have built an exhaustive list of those you think may spy on you, narrow it down by examining each entity and looking for their motive and their means. While some entities on your list may be interested in spying on you, they may lack the means (e.g., your children may not have physical access to your computer or the technology to set up a complete spy operation). Other entities may have the capability, but not the desire.
Use the methods we have discussed to search for evidence that you have been spied on. The type of evidence you find should reveal clues as to your spy’s capabilities (e.g., you might expect a spouse or child to use a simple homemade or commercial tool, and a company might monitor you with a popular Spyware program).
When looking at your computer you may see that some of your more interesting files, or e-mails have recently been opened and viewed. You may want to stop and consider the cause before you accuse someone of spying. Perhaps your wife was looking in your e-mail to see what you talked with your friends about to better decide your birthday present. Maybe your kids were examining your online calendar, looking for a good day to surprise you at the office. There are generally plenty of relatively innocent reasons for someone to “browse” through your files. Take this into mind before accusing someone of running a spy operation against you.
Now, try to pull all the pieces together and determine who was spying on you. Was it a simple hack job done by a curious child? Do the software and techniques match the ones in this book, which your wife recently borrowed? Was the software a high-tech spy device that evaded every firewall and virus scanner? In addition, couple your discoveries with your activities. Are you cheating on your wife? Selling drugs, or nuclear power plant blueprints? Does someone have a good reason to be spying on you?
Put together all of the evidence you have collected and correlate it with your list of suspects. Does the evidence match anyone? Does anything you have found support your hypothesis of their desire and capability? Analysis of this data will help determine the most likely suspect.
Now that you have an idea of who is spying on you, it is time to act on the knowledge. We have already discussed many possible actions that you can take when you feel you have been spied on. This step requires some of the most intensive preparation and planning because the actions you take will have an effect on you, your spy, and the relationship between the two of you. As always, confronting your suspect is a possibility, although we would not recommend approaching the U.S. government or the mafia with accusations that they are “watching” you. When your accused spy does talk to you, be open to any excuse or reason they give. As recently discussed, they may have been snooping for totally innocent reasons. Sometimes acting like you have something to hide raises suspicions. Remember: calling someone a spy is a very strong accusation. Do it with caution and be ready for the consequences.
Spyware is a huge problem with most home computer users. It is usually covertly installed, coming bundled with different free applications or sneaking onto PCs through other insidious methods. Most spyware is set up to collect information on browsing and computer-user habits to help deliver targeted advertising. It may also collect and examine e-mail, keystrokes, and mouse movements.
Unfortunately, since most home computers have spyware, it is hard to determine which spy software was accidentally installed, and what was specifically put there to spy on you. One can argue that all kinds of spyware target you, whether it is a large advertising company or your wife, and they should all be destroyed. However, there is a big difference between having your Web sites monitored by a spyware company for marketing reasons and having your spouse read your e-mail because they think you are cheating on them. Because of that, it is important to be able to sort out what is corporate spyware and what is personal.
Luckily, there are several useful tools for weeding out corporate-sponsored spyware. One popular example is Ad-Aware by Lavasoft, which can be downloaded from www.download.com (search ad-aware). An example of this application in action can be seen in Figure 11.41.
For extra protection, periodically use more than one type of spyware detection and removal system. A second application similar to Ad-Aware, is Spybot Search & Destroy, which can also be obtained at www.download.com (search spybot). An example of this application in action is shown in Figure 11.42.
Spying is a very complex process, both technically and emotionally. Because every case affects all parties in very different ways, it is very important to follow the SLEUTH methodology, plan your actions, and do your best to anticipate the possible outcome. Failure to be prepared for the emotional implications of many scenarios could have disastrous results. When a spy fails to separate their feelings from their mission, they set themselves up for failure. Spying is one of the worst things to do in a haphazard manner.
Another common mistake that many amateur spies make is to underestimate the awareness of their opponent. While not everyone is a professional counter-spy, many people place great trust in their instincts and intuition. Many spy operations are discovered because “something just doesn’t feel right.” It never hurts to expect that your mark is suspicious, and probably one step ahead of you.
In this case study a young couple is about to face their first serious obstacle. For the first time in almost four years, Greg will be spending the spring and summer apart from Camille. He will be working in a different state while she waits to transfer from her current job. Nervous about his fiancée’s party-girl lifestyle, Greg decides to keep a close electronic eye on her.
Together, Greg and Camille are a young, happy couple. They met their junior year of college and became great friends. Between their junior and senior year Greg confessed his love and proposed to Camille. She accepted and they had a wonderful senior year together. After graduation, Camille got a job working in their college town. She got an apartment and they moved in together while Greg looked for work. After about a month of looking, Greg found the perfect job. It had terrific pay, flexible hours, and great benefits. Even better, it was in the same town as the law school Camille wanted to eventually attend. The only complication was that Greg had to start right away, and Camille could not move until after the summer. They would have to spend the next four months two states apart. It was going to be a challenge, but they were a committed couple and would try to see each other every couple of weeks.
Greg was a little nervous about leaving Camille. It would be the first time in three years that they would be apart for more than a few days. He remembered how Camille definitely was a “party girl” before they met. He still cringed a little inside at all the guys around campus that waved and seemed to know her. Perhaps it was due to some of his insecurity or perhaps it was some subtle clues he noticed, but Greg decided to keep an eye on Camille when he was gone, to let him know how she was doing. It would not be any worse than listening to her talk on the phone, he justified it to himself.
So Greg left, and on his visits back he would check his little “friends” that he left on her computers. Things seemed to be going well so far, so there were no worries. He sometimes felt a little guilty about snooping on his fiancée, but his fears won out and he kept watching.
While Greg was away Camille was having a fairly good time. She worked with quite a few young, single, just-out-of-college people, so they were always out partying. She had been with Greg for so long she had forgotten what it was like to be out on the town young, single (relatively), and wild. Even though she was out painting the town red, the thought of straying never crossed her mind, until one night at a company happy hour where her friend Jackie introduced her to her new co-worker, Lorenzo.
Lorenzo was tall, European, and very sexy. He had a great “air” around him; calm, relaxed and confident. When she spoke, he looked deep in her eyes and seemed to be paying close attention to every word she said. Who would not be attracted to that? Knowing that a little harmless flirting would not hurt anybody, Camille spent most of the happy hour talking to Lorenzo, quite a bit of time drinking and laughing with him afterwards, and then the rest of the evening making out with him on the cab ride home.
The next morning, Camille woke with a start, sitting straight up in bed. She immediately grabbed her throbbing head with both hands. “Oh my God, I drank way too much last night,” she thought, and then the images of the night started coming back to her. “Oh no, I didn’t do that!” She looked around quickly; OK, she was alone, so at least things did not go too far. Her initial feelings of guilt and shock lasted about as long as her hangover. As the day wore on, Camille started thinking about all the things that she had done. “Well, it is not like I’m married. He’s a cute guy; I’m a cute girl. We didn’t hurt anybody.” He was not the kind of guy she wanted to marry, not by a long shot. In fact, Greg fit that bill to a tee. But Lorenzo was fun and cute, oh so cute. Would it really be wrong for her to see him again? Just to play around a little bit before she left the dating scene for good? By dinnertime, she decided to send Lorenzo an e-mail thanking him for the wonderful evening and asking him if he would like to have drinks again.
When Camille grabbed her keyboard, she accidentally dropped it, pulling it from the back of the computer. “Well, that’s weird,” she thought, “It should not be that loose; Greg is always saying how loose it is and reattaching it in the back.” So Camille pulled her computer out and reached around. “Hmmm, what is this?” Before she could attach her keyboard, Camille saw a small little tan dongle sitting in the purple keyboard slot on the back of her computer; it looked like it was set up for the keyboard to plug into. “Wait a second! I know what this is!” It was a small hardware keystroke logger. Greg had shown her one a couple of years ago, that he had bought for a computer security class, and had a great time playing pranks on his roommates with it. “Why is this on my computer?” Camille wondered.
Feeling a little nervous, Camille brought her desktop and laptop to the “computer guy” at work. She asked him to check them out and told him she was worried that someone was watching her. When she stopped by that afternoon he told her, “The desktop is clean; it only has the hardware key logger that you pulled, but the laptop has a neat little software key logger that mails out your keystrokes every six hours to a hotmail e-mail address. Do you want me to take it off?” Camille was shocked. Greg was spying on her, which would explain why the keyboard was always loose, wouldn’t it? “No, go ahead and leave everything exactly like it is.” She could not believe that Greg did not trust her, and even more than that he had the nerve to spy on her. She would make sure he paid for that.
Before she left home, she decided to write an e-mail to Lorenzo. From now on, all of the correspondence with him would be from her work computer. She was pretty sure Greg could not get to that, so she sat down and wrote:
Content in her deception, Camille only communicated with Lorenzo from work. Occasionally, when she needed to IM or write him from home, she would temporarily unplug the keylogger, always remembering to put it back when she was done. She did not want Greg to know that she was on to him, yet.
That Wednesday, she had dinner with Lorenzo, drinks afterward, and then they talked and did the things people do after dates. Sometime in the middle of the night, Camille got out of bed and started typing an e-mail to her friend Jackie.
I can’t believe how much in love with Greg I am. He is so amazing, and the best guy I’ve ever been with. One of the things I like about him the most is how he trusts me. Most guys would be uncomfortable with a long-distance relationship. He’s great and has never doubted me once. It’s easy to love a man like him.
She did not really send that e-mail to Jackie; she just typed into an empty document. She wanted to make sure that the keystrokes were picked up by Greg’s keylogger. The e-mail was not intended for Jackie, but rather for Greg.
As the summer went on, Camille had a great fling with Lorenzo. She also made sure to turn on the sweetness whenever she talked to Greg, and sent several “decoy” messages every day professing her love and devotion for her fiancé. Greg, on the other hand, was having a long guilt-filled summer. He was feeling worse and worse about spying on Camille. She was so sweet to him; everything he collected from her computers confirmed that.
At the end of the summer when Camille came over to Greg’s place, he decided it was time to fess up and come clean with her. “Camille, there’s something I need to tell you. I’ve been spying on your computer over the summer because I was worried about you being faithful. But all I ever learned was how wonderful you are and how much you love me.”
Upon hearing that, Camille made sure to act angry and disgusted and stormed out of the room in complete anger and disbelief. After he caught up with her, Camille made Greg apologize over and over, beg for forgiveness, and promise never to do it again. In the end she told him that things would be okay, but it would be a long time before she trusted him again.
So, they continued on as a couple and eventually got married. It took a while for Camille to get over being “mad” at Greg, and it took Camille’s parents a long time before they trusted Greg again. They could not believe that anyone could have so little faith in their daughter. While their marriage ended up being a relatively normal and happy one, to this day Greg still feels guilty and thinks that spying on his fiancée was the worst decision he has ever made.
Greg was wrong, and will have to pay for it for a long time. Camille cheated, and got away with it. Most spy stories do not have happy endings. Greg was worried (and rightly so) about his fiancée’s faithfulness. When those fears rose up he had many choices; with those, he somehow felt that keeping an electronic eye on her would be the best idea. He carried out his plans well and did a fairly good job of bugging her computer. Unfortunately, Camille found Greg’s spy devices and was able to succeed at cheating, despite his best efforts. In addition, once she knew she was being watched, she was able to play the victim role to her advantage.
Greg made the decision to spy, but he did not think through the outcomes. He fully expected to find evidence of cheating, and when he encountered the apparent longings of a loving girlfriend, his feelings of guilt led to his confession and the collapse of his spy operation. You cannot blame him; most people would have done the same thing in that situation. There were many potential ways that Greg could have come out clean, but emotions and a lot of bad luck ended it.
This just goes to show that the game of spying on loved ones is dangerous and not for everyone. Behind the sexy mystique lies tedious procedures and emotional conflict. As you embark on your amateur spy career, keep this and the other case studies in mind. Be careful what you do, be careful what you look for, be careful what you wish for, and most of all just be careful.
Being an excellent cyber spy means knowing how to observe others in a manner that cannot be detected. In this chapter, we demonstrated ways to increase the degree of your stealth while increasing your ability to maintain your own personal privacy. While there are many points that you should take away from this, the biggest key to ensuring privacy is to securely delete anything that you cannot afford to have discovered; hide what you cannot delete at a location other than your computer, and encrypt what you cannot hide.
Consider using removable media with a good cover story to hide sensitive documents. USB drives that are also used for financial data backups, or MP3 music players such as the Apple iPod, are great examples. Not only are these devices an unlikely location for a spy to look, but they can be easily taken with you when you leave.
Virtual RAM drives and bootable CD-ROMs can be used for temporary activities. When the power is shut down after using one of these techniques, the contents and history of the activities are completely erased.
Virtual machines, such as those offered through commercial applications like VMware, can provide an additional layer of obscurity. Anyone spying on you would need to gain access to the local machine, and then know to boot and access the virtual machine to track your behavior.
When you think you have detected a spy, be certain that you have the correct person identified before you confront them. Many times, spies are not around you, but are in a distant location across the Internet that compromised your computer through other means.