Next time your company hires a chatty young woman for whatever role, it may pay to check the contents of her handbag. Find an iPod, a couple of USB flash drives and a Bluetooth dongle and you could have a security problem on your hands.
Laura Chappell, who runs her own company, Californian-based Protocol Analysis Institute, frequently works with US law enforcement organisations, including the FBI, both as an undercover technologist fighting cyber-crime and as an instructor. She teaches police officers about wire tapping, for example. This is her prime area of expertise, along with key-logging and the use of card keys for doors. Her exploits include cracking a paedophile ring and shutting down a methamphetamine lab using nothing more than her wits.
Chappell, who visited New Zealand last week, is a member of the High Technology Crime Investigation Association (HTCIA), which plans to open a branch in New Zealand soon.
At one of her presentations she showed the content of her make-up bag, which she discreetly brings into companies when posing as, for example, a receptionist or interviewee at the request of FBI. It holds two key-logging devices; one is a KeyGhost device from the company of the same name, which is based in Christchurch.
But sometimes it is necessary to log laptops and having a device like this, which hangs off the side, could look a little bit suspicious. In such cases, Chappell tries to install key-logging software by emailing a birthday card or similar to the person concerned, or, as a last resort, she will install one of her own keyboards which have key-logging circuits built in.
Chappell’s little make-up bag also contains a Bluetooth connector; a Stealth Surfer USB device, which allows the user to anonymously surf the web while storing sensitive internet files on the device instead of on the computer.
It also contains an iPod with Slurp Audit, an application that enables the aforementioned device to quickly copy (in less than two minutes) all business documents from a hard drive.
Chappell’s other hi-tech spy devices include a watch with a built-in USB connector, a headband with built-in wireless aerial and USB dongle earrings, and a cellphone that has FlexiSpy installed.
FlexiSpy, an application that runs on all Symbian devices, is very easily installed on cellphones, says Chappell. It allows for easy spying. All you would have to do is innocently ask to borrow someone’s phone to, say, send an emergency text message to your children.
“You type in a URL into the mobile phone’s browser and the software will download automatically. The whole process takes less than a minute.”
The application, which is undetectable to the user, uploads all call history and all text messages, and the contact names in a phone’s address book, to a server in Thailand — and it does it every five minutes.
Chappell urges IT staff to seriously consider undertaking complete audits of traffic on a regular basis, as well as undertaking inside vulnerability and penetration tests.
She also recommends reconnaissance and trace-back, host and network forensics, and the use of honeypots to investigate any suspicious activity.
Chappell says one thing on her side when it comes to fighting cyber-crime is the fact that criminals are often stupid and lazy. It is a misconception that hackers are smart, she says.
“The majority [of cyber criminals] are tremendously stupid,” she says.
“Their passwords are often not difficult to crack.”
She also recommends companies establish relationships with local IT law enforcement officers or organisations that fight online crime as soon as possible. These can be a valuable source of information and feedback.
“Make them your friends. Take them out for coffee. Start kissing up to these folks,” she says.
“It will pay off when your company is hit by an attack.”