You might say to-may-toes and I might say to-mah-toes, but we’re both clearly talking about the same thing. If you hear someone is proud to be a “professional cyber-stalker,” do you automatically realize they are a spyware developer? You might not think being either a cyber-stalker or spyware developer is a good thing, but what if that person, who knows how to be tricky with tech for tracking purposes, starts handing out privacy tips? Would you be interested or would you think “whatever helps him sleep at night?”
At Def Con 23, Tripwire Senior Security Analyst Ken Westin presented Confessions of a Professional Cyber Stalker. He’s proud to be a stalker who targets “foolish” folks because he’s using “technology for good” to track down criminals.
In Tripwire’s Def Con preview video, Westin said he tracked thieves via technology he developed to turn the “device into a sensor of sorts” which “allows it to defend itself by gathering information” such as from webcams and Wi-Fi. If it were your stolen laptop, high-end digital camera or smartphone, then you would probably welcome the technology; otherwise it might creep you out while raising your privacy hackles.
Several years ago during Ignite Portland, Westin said, “I develop spyware; software that hijacks your computer, accesses your web camera, tracks location, as well as tools that track you down through photos posted online and gather intelligence across social media. But don’t worry, I’m on your side. Maybe.”
He didn’t start off as a cyberstalking spyware developer; when Westin previously researched malware, he “accidentally” developed “a tool that would hijack computers when you would connect a device to it.” His spyware was used to recover stolen devices; in one example the tool captured photos of a thief, as well as his location information, and led the police to a tattoo parlor that was full of other stolen items. Another busted theft ring story included thugs who were targeting Portland schools, stealing PCs, waiting for the school to replace them, and then stealing them again. The six people arrested had no idea software caught them; they were led to believe they ratted each other out.
Regarding this spyware that hijacks webcams, Westin told BBC that he included privacy protections “to limit the spying potential” – just in case some creep abused his software – so the webcam would only take pictures “every 30 minutes or so.” Software used to hijack webcams for ratting is worse, he said, referring to jerks that use remote access Trojans to spy on people. Even “legitimate” spyware tools get abused and misused; rent-to-own retail company Aaron’s used spyware to track down lost or stolen computers, but the company is embroiled in a lawsuit alleging it “secretly collected thousands of computer webcam photos, screenshots and keystroke logs of customers.”
There’s currently no video from Def Con to show you, but in the 2011 Ignite “Pwnd by Gadgets” presentation, Westin explained:
“There exists fragments of data on our devices and across the web that for the most part are hidden and anonymous; however once we start drawing connections between those pieces of information, we can start to develop a profile. Not only who you are, but also where you’ve been, what you’ve done, and in some cases even your personality type. Now the devices that we carry ourselves actually provide all the tools we need to conduct surveillance.”
Laptops have webcams, microphones, spyware can capture screenshots and location from Wi-Fi networks and “your phone is a snitch.”
At Def Con, Westin touched on the forensic science principle of “every contact leaves a trace;” it’s something he also talked about during “Pwnd by Gadgets” when he mentioned smartphones “know everything about us. They know who our friends are and where we’ve been; they have access to our photos and all of our personal information. And they are very easy to interrogate,” Westin added. “And yes, I built an app for that.”
That’s not his only app. His Def Con talk included slides about a USB flash drive that was reported stolen, then was plugged into a PC where forensic data was retrieved from the system. The slide, showing an email from 2007, mentioned GadgetTrak USB was compatible with Amazon’s Kindle, was tracking 200 USB flash drives from a plethora of manufacturers, could track all iPod versions, high dollar digital cameras, GPS systems, cell phones and other devices like Sony PlayStation Portable (PSP). Another slide mentioned Windows USB Trojans auto-running to collect passwords.
At some point he was involved with building Apple USB Trojans using AppleScript because it is “trusted” and “interfaces with most OS X apps.” Westin made his Applerazor available on GitHub where he wrote, “These scripts are examples of how to gather information, execute commands and exfiltrate data using iTunes with AppleScript apps. To disguise the exported application as an MP3 file, you will want to add this to the end of your file name: ̨mp3.” That includes the funky Turkish character in front of mp3. “You will also want to replace the application icon with the MP3 icon to further disguise the file as an MP3.”
He clearly worked with law enforcement, but his Def Con slide about IP seems controversial. Legally an IP is not the same thing as being a person; Westin points out other problems with using an IP as evidence such as “probable cause is a challenge.” I’m not sure that justifies using spyware to track a person down if there’s not enough probable cause to get a warrant! Then again, I didn't hear his talk so maybe that was regarding stolen devices that were being tracked?
There are numerous ways to view EXIF data and tools to read, write and edit the metadata embedded in photos, videos and audio. Cell phone cameras embed GPS coordinates if are silly enough to leave that turned on. High-end digital cameras embed the make, model, and serial number in photos. Westin created an EXIF search engine to search social networking sites like Flickr, Twitter, Twitpic, 500px, Picasa, Tumblr and Panoramio; it scans images for metadata and stores camera serial numbers in a searchable database to act as a stolen camera finder.
Regarding privacy, Westin suggested sanitizing images as in stripping out EXIF data. Otherwise it can come back to bite you and maybe get you busted. If you don’t strip out EXIF cause you’ve got “nothing to hide,” then consider doing so since a pro cyber-stalker says you can be stalked that way. His “privacy tips for app developers” included not collecting or storing customers’ data in the first place; stripping out EXIF and other identifying data, and encrypting data if it is stored so that not even the developer can access it.
So what kind of privacy issue bothers a spyware developer and cyber-stalker? Westin mentioned the mounds of data created “by us, for us, and about us” as well as “bogeydata.” He’s less concerned about the security of IoT devices and more concerned about the data they generate.
The Internet of Things threat, to Westin, involves the data the devices harvest. He wrote, “The ability to connect seemingly anonymous points of data and link them to devices which are then linked to individuals allows law enforcement, nation states and criminals alike to create rich profiles of individuals and track them physically, as well as online.”
“Bogeydata isn’t dangerous now, but down the road” it could be a different story when new tech is capable of harvesting and then tying that data to a specific device or person. Westin believes bogeydata could come back and “haunt us later.”