Another well-written article on the lack of privacy in the digital world, and on how conversations are no longer ephemeral, with excellent referenced examples, entitled “Why Obama Should Keep His Blackberry – but won’t”. Personally I find it quite amazing what people use and transmit via e-mail, SMS messages and IM conversations. Add to that the explosion of wireless devices that do all this, and people (myself included) are not careful enough. The article is by security technologist Bruce Schneier.
Obtaining an MMS video stream for analysis
A friend of mine sent me an e-mail which contained a file called “Technology.wvx”. The file was 328 bytes in size. Selecting the file played a video mash-up which was obviously larger than 328 bytes. I was also curious as to what a “.wvx” file was.
Looking at the file showed it to be an XML-format file with a reference to a separate URL:
MPlayer is a very powerful and robust movie player. Besides supporting a multitude of file formats (MPEG, VOB, AVI, ASF and WMV, to list a few), it is often able to play damaged files. Although I primarily use *nix as my operating system, MPlayer is available for Windows, Mac and other operating systems, making this process available on those platforms as well. MPlayer source code is also available for those wishing to compile it.
MPlayer has many features which are beyond the scope of this post, but one nice feature is the ability to read in a raw stream and write it to a file. The two parameters we used to tell MPlayer to read the stream and write the file to disk were:
-dumpstream: dump the raw stream, without making any conversions or changes to it. Its argument is the stream to read; in our case it is the URL from the ‘Technology.wvx’ file above.
-dumpfile: the filename to dump the stream to. I chose ‘s.wmv’ for this example.
The full command used was:
mplayer -dumpstream "mms://a215.v47369f.c47369.g.vm.akamaistream.net/7/215/47369/v0001/sonybmgsftp.download.akamai.com/34732/promommxnonflash/GMM_Rome_DidYouKnow_300.wmv" -dumpfile s.wmv
MPlayer will output a bunch of messages. This version output several error messages during the process, but these did not affect the final video file. The result was a local file called ‘s.wmv’, which, when played with a video player, nicely played back the video and audio.
The ability to save streaming media is necessary and has many valid uses. The ability to play when the Internet is not available is one simple example. A better example is investigations. From an investigative point of view you want to be able to save the actual data for evidence purposes. Investigations can take time, and often you have no control over the server that streamed the data: the video stream could be removed, or the server or URI could suddenly change. By properly documenting your activities, adding in time stamp information, trace files, log captures, appropriate hashes and the procedure used to obtain and verify the video stream, evidence can be provided to interested parties with reasonable assurance that it is accurate.
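As an added example (not code from the original post), the two steps above in Python: pull the stream URL out of a .wvx metafile (Windows Media metafiles use the ASX syntax), build the exact MPlayer dump command, and then produce the provenance record an investigator would keep beside the captured file. The sample metafile, its URL and the captured bytes are constructed stand-ins, and the record format is my own.

```python
import hashlib
import json
import shlex
import time
import xml.etree.ElementTree as ET

# Constructed sample metafile in the ASX syntax that .wvx files use (not the file from the post).
SAMPLE_WVX = """<ASX version="3.0">
  <Title>Technology</Title>
  <Entry>
    <Ref href="mms://media.example.invalid/promo/clip_300.wmv"/>
  </Entry>
</ASX>"""


def stream_urls(wvx_text):
    """Return every Ref href in a WVX/ASX metafile, in document order.
    Assumes the file is well-formed XML; real-world metafiles sometimes are not."""
    root = ET.fromstring(wvx_text)
    urls = []
    for el in root.iter():
        if el.tag.lower() != "ref":          # ASX tag names are case-insensitive
            continue
        for name, value in el.attrib.items():
            if name.lower() == "href":
                urls.append(value)
    return urls


def dump_command(url, outfile):
    """argv for MPlayer's raw dump: -dumpstream reads the stream unchanged, -dumpfile names the output.
    Returned as a list so the URL reaches the program without being re-parsed by a shell."""
    return ["mplayer", "-dumpstream", url, "-dumpfile", outfile]


def evidence_record(url, outfile, data, captured_at=None):
    """Provenance record for a captured stream: source, exact command, size, hashes, UTC time."""
    captured_at = captured_at if captured_at is not None else time.time()
    return {
        "source_url": url,
        "command": shlex.join(dump_command(url, outfile)),
        "dump_file": outfile,
        "size_bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "captured_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(captured_at)),
    }


if __name__ == "__main__":
    url = stream_urls(SAMPLE_WVX)[0]
    captured = b"constructed stand-in for the bytes MPlayer wrote to s.wmv"
    print(json.dumps(evidence_record(url, "s.wmv", captured), indent=2))
```

In practice the hashes are computed over the real dump file immediately after MPlayer exits, and the record is stored with the capture logs so the file can be re-verified later.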
In the future, as content on the Internet goes from a ‘download and play’ scenario to a ‘video streaming on demand’ scenario, the ability to forensically find evidence on a target device will become more difficult, simply because the data isn’t stored on the device. There may be evidence of it in cache, swap files and the like, but these can be overwritten quickly, and software is getting smarter. Most browsers and players have the option to not cache if told to do so. Smart people create a ‘secure cache or swap area’: the caches and swap files are configured to write to encrypted disks or partitions using file systems that do not have ‘journalling’, and these are then wiped prior to shutdown. Smarter people boot from a read-only USB key and create a ‘secure cache’. Using the technique above, combined with proper documentation of the process, allows reasonable proof that the file you have captured is what the target was viewing.
Google Flu Trends
I wrote about Google Flu Trends the other day. Yesterday, I came across this article discussing whether there is a privacy risk with Google Flu Trends, and made a note that I was going to comment on the article. Lauren Weinstein has written a pretty good commentary on the article and I pretty much agree with what he has written.
Google Flu Trends is the result of taking individual personal data and aggregating it. This has the advantage of anonymizing the data as well as providing another tool in the toolbox of mechanisms to track flu outbreaks. This trending could be applied to many other concepts with similar results. I and others like me have done this type of analysis for our clients for years now. While I applaud people that monitor privacy violations, attaching privacy violations to this data is incorrect. Privacy should be attached to the methods that Google and others use to track and store data; associating IP addresses with search terms and unique cookies and keeping that data for extended periods of time is one example. Google and other search sites, along with social sites such as Facebook, all track detailed data. Facebook, for example, tracks every profile you look at, including date and time, by IP and unique ID. This data can be obtained by interested parties. This is where privacy advocates should be focused.
Behavioural profiling … the next level
Most know that behavioural profiling is becoming more and more standard practice every day. Just by watching communication between mobile phones, communication between systems, and where people connect to on the Internet, you can glean a great deal of valuable information about a target. Johnny Long wrote a book about similar ways to accomplish profiling by information gathering on targets. Behavioural profiling can be used to find botnets, DDoS attacks, phishing and other malicious activity. It has good uses.
The next level: Google.org has a site that indirectly tracks flu trends by correlating search terms with the location where the search was performed and other information. It appears that the accuracy level approaches that of the Centers for Disease Control, with a lead of up to two weeks. This is cool stuff.
Analysis of spam marketing conversion
I’m sure you have heard a statement along the lines of “spam is profitable”. The reason usually given is that spam still exists despite the improvements in anti-spam technology; the spammers keep finding new ways to get around the anti-spam technology, so it must be profitable. Have you ever seen any real research and numbers to support this theory? This study attempts to show just that: how many users actually are fooled into making a purchase from a spam e-mail in their inbox, and whether it is actually profitable. In the study they manipulated the architecture of the Storm botnet, specifically the proxy nodes, and hijacked them to conduct the study. They created an inline program that swapped C&C, template and spam data before it was transmitted to the Storm ‘worker’ nodes.
They were able to count who downloaded versus actually clicked on the software that would infect a user with the Storm botnet. Other data included the number of targets, the number of MTAs that accepted the spam, the number of users that visited a site by selecting the link, the time it took for a user to receive the e-mail and then become infected, and response rates per country.
It is obvious a great deal of time, thought and technical effort was put into this research. It would be exciting to be a part of something like this.
