Topic: A brilliant(ly evil) new social engineering scam  (Read 3008 times)


Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
A brilliant(ly evil) new social engineering scam
« on: December 15, 2010, 05:41:36 am »
Spector360

Read it. The scam should be as obvious to you as it is to me.

I had no idea that such a product existed (or is legal?). I'm so naive sometimes. This is a huge liability for everyone on the net. We need to reconsider all approaches to security now.

IMPORTANT: to all Dynaverse.net admins, staff, hosted site admins and project participants. NEVER login to - any of our resources - from work. NEVER. If you are forced to, then change ALL your passwords at the earliest opportunity from a secure workstation of your own construction.
« Last Edit: December 15, 2010, 06:48:38 am by Bonk »

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: A brilliant(ly evil) new social engineering scam
« Reply #1 on: December 15, 2010, 03:46:38 pm »
Further, this company should be legally forced to reveal all of its customers. I need to blacklist them all immediately. No connection from any netblock with a Spector360 customer on it. Totally unacceptable. Connections from such networks are an immense risk.

What would the banks think? RBC needs to block networks infected by this product. The potential for harvesting personal information and credit card and bank logins is just too huge. No employer, employee or admin can be trusted with that data. None.

Also, I can almost guarantee that the product is hackable from inside (maybe even outside?) to reveal the data collected on other employees. Any employer willing to take on such an immense liability is a complete and total fool. This could even be used as a corporate infiltration tool - exactly what they claim to counter - actually it is perfect for the job - dirt and data on every employee of your competitor.

This really can't be legal. There is no way.

Offline Tulwar

  • Lt. Commander
  • *
  • Posts: 1333
Re: A brilliant(ly evil) new social engineering scam
« Reply #2 on: December 16, 2010, 02:11:49 am »
I've always assumed my employer was using something like this.  Where employers don't have computers, they sometimes hide cameras and microphones all over the workplace.
Cannon (can' nun) n.  An instrument used to rectify national boundaries.  Ambrose Bierce, The Devil's Dictionary

Offline FA Frey XC

  • Site Owner
  • Administrator
  • Captain
  • *
  • Posts: 5695
  • Gender: Male
    • XenoCorp.Net
Re: A brilliant(ly evil) new social engineering scam
« Reply #3 on: December 16, 2010, 05:16:19 pm »
In actuality, this is completely legal in the US. Considering that employers own the computers, network and what-not that employees are surfing on, it's totally within their rights to monitor, control, and otherwise dictate what their network is used for.

That doesn't mean I'm for it, but there's a reason this stuff exists, and it's not because we're all a bunch of responsible, accountable adults.

:)

Regards,
Vice President of Technology,
Dynaverse Gaming Association
Owner, CEO XenoCorp Inc.


Offline Kreeargh

  • Retired.
  • Lt. Commander
  • *
  • Posts: 1476
  • Gender: Male
  • Life is as is worth only what you learn from it!
Re: A brilliant(ly evil) new social engineering scam
« Reply #4 on: December 16, 2010, 06:44:24 pm »
It's not new, the concept anyway; maybe the software here is.
I think this should be mandatory for all types of Government employment. Employers pay people to work, not surf the net, which has cost big $ in the long run. It's even worse if the pay is from taxpayers.
I know many who waste a lot of time surfing the net for personal crap, Government workers that could afford their own personal PC and internet but would rather waste taxpayer $. For the free market that's up to the employer.
 
Time for life!

Offline FCM_SFHQ_XC

  • There is life outside of Windows..
  • Administrator
  • Lt. Commander
  • *
  • Posts: 2267
  • Gender: Male
  • Starbase Atlantis [X-refit]
    • 9th Fleet
Re: A brilliant(ly evil) new social engineering scam
« Reply #5 on: December 16, 2010, 08:19:29 pm »
Employer's machine to do what they want with it. I personally find it a little silly since I'm of the mentality that so long as you're meeting your goals, and basically everything is well for that employee performance and productivity wise, then they should be able to do whatever else they want within that spare time that doesn't harm the computer or is 100% legal. But when it comes down to it I can see why and how it's OK for employers to use it.
Starfleet Headquarters out.

Fleet Commodore, XenoCorp, ISC Fleet.

Offline Kreeargh

  • Retired.
  • Lt. Commander
  • *
  • Posts: 1476
  • Gender: Male
  • Life is as is worth only what you learn from it!
Re: A brilliant(ly evil) new social engineering scam
« Reply #6 on: December 16, 2010, 10:39:25 pm »
If I was "in charge of a company" I would not have net unless it was to order something on a day by day basis, and most can be done more accurately on the phone anyway. Still not sure why Internet is useful for business, corporate, elite unless it was for ad linkage/websites etc. With cell phones/text these days basic email is mostly worthless. I.e. my thought: if employers don't want to waste $, don't let their slaves use the net! Tell them to buy the I phone 16 or get atntindows next gen3 to surf the net or whine and complain at a mate with text.   :coolsmiley:
Time for life!

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: A brilliant(ly evil) new social engineering scam
« Reply #7 on: December 17, 2010, 06:43:06 am »
I of course understand the reasons for it, but this has in one fell swoop defeated all existing security measures on the net today. There has to be a better way? (Like respect your employees and pay them enough? You'd be surprised how far honesty, integrity and respect will take you.)

SSL is useless with a keylogger on the client.

This is insane overkill. If you want to block access you block access, you do not snoop. This is datamining under the guise of security - pure and simple. How much data collected by the local server is surreptitiously reported back to a central server run by Spector360? (entirely possible and so lucrative as to be almost irresistible, especially without the "employer"/customer's knowledge.)

The potential for abuse is insane here... so what happens when the sysadmin running it on behalf of the manager becomes unsatisfied/offended/loses-it/goes-postal and releases all personal information on employees that was collected to the net, including bank passwords, credit card numbers, all kinds of personal information? If your corporate environment is so poisoned as to require this product then this is extremely likely to happen.

Horribly bad idea. Mark my words. Just wait for the first case. It will (already has?) happen.

(My mind begins working on a way to defeat keyloggers... randomise or mask or distort or encrypt keyboard input somehow... change the mechanism? A new USB device that serves as a keyboard but uses none of the standard interfaces...? just for communicating with a browser plugin or js code on your "re-secured" webpage ... hardware dongles? gonna have to lock down the mouse too... perhaps a "frequency-hopping" paradigm would do it... continuously and randomly jump interfaces for user input in a way that only your webpage/servers understand...)

I would go so far to say that if you require such "shackles" for your employees, then they are not employees at all. This is what you call wage slavery.

Nice team.  ::) What happened to trust in the workplace? I'm so old fashioned... Your employees must feel part of the team and want to be there or your product/service will suck. Period.

Edit: No, it is not "old fashioned", that is just the way it is (for people of integrity).

Additionally, I might as well spell out an example social engineering scam indicated by the thread title: set up a bogus business with this product as its main tool. Use whatever guise you want... (jewellery? Tupperware?) target part-time rich housewives, ideally with a "work from home" setup so you can monitor personal use as well... you might make a few bucks on the jewellery and crap in the meantime but just before your flight to a remote pacific island compound, you cash in the data and book.

Data, of course, also has value in currencies other than cash. (Read power.)

Finally, I know for a fact that good old traditional honesty, integrity and respect in business practices will take you way further than using tools like this. If one is considering this product for their business then they are already doomed. Respecting and loving your employees is so much more lucrative in the long run that this is almost humorous if it were not for the abuse and security implications. Yes, I said love. It actually wins awards and recognition beyond the obvious and tangible benefits to your business.


edit2: aside: technological metahistory of Xenocorp - this takes us one step closer to the originally fictional origins and rise of Xenocorp as a semi- physically separate network implementation for service of the safe and secure fun and joy of the people. "Frequency hopping" user input as our first hardware product? (I just gave the idea away though, like I always do... maybe someone will build it and we can buy it cheap and brand it...)
« Last Edit: December 17, 2010, 08:04:02 am by Bonk »

Offline FA Frey XC

  • Site Owner
  • Administrator
  • Captain
  • *
  • Posts: 5695
  • Gender: Male
    • XenoCorp.Net
Re: A brilliant(ly evil) new social engineering scam
« Reply #8 on: December 17, 2010, 12:07:26 pm »
Quote
edit2: aside: technological metahistory of Xenocorp - this takes us one step closer to the originally fictional origins and rise of Xenocorp as a semi- physically separate network implementation for service of the safe and secure fun and joy of the people. "Frequency hopping" user input as our first hardware product? (I just gave the idea away though, like I always do... maybe someone will build it and we can buy it cheap and brand it...)

I read everything, but loved this the most.

Engage

Regards,
Vice President of Technology,
Dynaverse Gaming Association
Owner, CEO XenoCorp Inc.


Offline KBF-Crim

  • 1st Deacon ,Church of Taldren
  • Global Moderator
  • Commodore
  • *
  • Posts: 12271
  • Gender: Male
  • Crim,son of Rus'l
Re: A brilliant(ly evil) new social engineering scam
« Reply #9 on: December 26, 2010, 08:51:51 pm »
Ok...my head hurts...what does this mean in layman's terms?

This is a keylogger of some type?...yes?

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: A brilliant(ly evil) new social engineering scam
« Reply #10 on: December 26, 2010, 09:47:05 pm »
It is a keylogger (and worse). They admit to that much. God only knows what else it does.

It means as a website and development repository administrator I cannot risk having staff login from work. (Since this product has not been challenged legally that I am aware of, you can rest assured that some pointy haired boss somewhere will think it is a good idea and actually use it.)

If you are a member of the Dynaverse.net staff, it means I do not want you to login from work (unless you run the business yourself and do your own IT).

I would also recommend that no one should ever login to a banking site from work. SSL cannot prevent a keylogger from gaining your bank account login. (In fact I am quite sure this really should be illegal and this product and others like it can't last...)

In layman's terms, it means there is no security on the web anymore. (short of a lock-down policy like this, or restricting staff logins to specific IP addresses or domains)
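
One way a site admin could implement the two server-side controls raised in this thread, restricting staff logins to approved source networks (Reply #10) and refusing connections from netblocks the admin has chosen to blacklist (Reply #1), shown as an added example that is not code from the thread or from Dynaverse.net. The account names, netblocks and audit log are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed policy data (hypothetical): documentation-range addresses only.
STAFF_ACCOUNTS = {"bonk", "frey"}
STAFF_ALLOWED_NETS = [ipaddress.ip_network(n)
                      for n in ("203.0.113.0/24", "2001:db8:10::/48")]
# Netblocks refused for every account, the "blacklist" idea from Reply #1.
DENIED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]

# In-memory audit trail; a real deployment would write this to a log the
# admin reviews for repeated staff logins from unapproved networks.
AUDIT_LOG = []


def _in_any(addr, nets):
    # IPv4 addresses are never "in" an IPv6 network and vice versa.
    return any(addr in net for net in nets)


def login_allowed(username, client_ip):
    """Return (allowed, reason) for a login attempt.

    client_ip must be the address of the TCP peer (or a trusted proxy's
    forwarded address), never a client-supplied header, or the check is
    trivially bypassed.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        decision = (False, "unparseable client address")
    else:
        if _in_any(addr, DENIED_NETS):
            decision = (False, "source netblock is denied")
        elif username in STAFF_ACCOUNTS and not _in_any(addr, STAFF_ALLOWED_NETS):
            # Staff credentials typed on an untrusted workstation are the
            # risk this thread describes; refuse rather than trust SSL alone.
            decision = (False, "staff login from unapproved network")
        else:
            decision = (True, "ok")
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username, "ip": client_ip,
        "allowed": decision[0], "reason": decision[1],
    })
    return decision


def denied_staff_attempts():
    """Audit entries worth a follow-up: staff accounts tried from outside the allowlist."""
    return [e for e in AUDIT_LOG
            if e["user"] in STAFF_ACCOUNTS and not e["allowed"]]
```

A staff account that shows up in `denied_staff_attempts()` is a reasonable trigger for the password rotation the opening post asks for, since the credentials may already have been captured on the client.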

Offline Kreeargh

  • Retired.
  • Lt. Commander
  • *
  • Posts: 1476
  • Gender: Male
  • Life is as is worth only what you learn from it!
Re: A brilliant(ly evil) new social engineering scam
« Reply #11 on: December 26, 2010, 09:58:21 pm »
Simply think BOX of lies; that is what the PC is and has always been, sorry to say. You use it at your own risk  :crazy2:  :-X
Time for life!

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: A brilliant(ly evil) new social engineering scam
« Reply #12 on: December 26, 2010, 10:58:47 pm »
You say PC like a mac user... ;)  ;D

From their FAQ:
Quote
Yes. The Spector 360 Recorder (Client) will work with Mac OS X v10.6 Snow Leopard and Mac OS X v10.5 Leopard on Intel processors. PowerPC processors are currently not supported.

Guess the old Mac Classics are still safe then! :) But they still have about a 30% chance of mounting a floppy successfully (no wise-cracks! :))  ... I just noticed the irony of the PC in PowerPC... ;)

But seriously, there was a day when you could trust your employer. The implementations are secure, and were. The trust is gone.

I can bank in the utmost confidence from my computers with my operating systems on my networks. But not at work anymore. This goes way beyond banking though. The potential for abuse and leaks is just too great. Even if the employer has the purest of intentions.