CHAPTER 3: UNINTENTIONAL CRIMEWARE
This chapter describes the “gray area” software: legitimate commercial software that is made for legitimate, non-criminal purposes, but which can be used by a malicious user to steal, disrupt, and manipulate.
SkyGrabber
The creators of SkyGrabber, a small Russian software company named SkySoftware, describe SkyGrabber as:
offline satellite internet downloader. It accepts free to air (FTA) satellite data (movie, music, pictures) by digital satellite TV tuner card (DVB-S/DVB-S2) and saves information onto a hard disk. So, you’ll get new movie, best music and funny pictures for free.
You don’t have to keep an online internet connection.41
It sounds innocent enough, although at second look this software could be entering a “gray area” of copyright infringement.
This $26 software was used by Iraqi insurgents in 2009 to hack into live video feeds from US Predator drones, providing the insurgents with information they needed to evade or monitor US military operations.42 Granted, the US Air Force did not encrypt the video links, so it was an easy “hack” using regular COTS software and a little bit of ingenuity.
Passware Kit
The Mountain View, California company Passware.43 released Passware Kit 10 in May of 2010. Passware Kit 10 is the first commercially available software to accelerate distributed password recovery using both software and hardware. At $795, Passware Kit 10 can utilize the computing power of multiple computers running Passware Kit Agents to increase performance in the password recovery process.44
Undoubtedly, recovering a strong password became much easier with the release of Passware Kit 10, due to its ability to connect multiple computers to one password recovery process.45
The IRS, US Army, US Department of Defense, US Department of Justice, US Department of Homeland Security, US Department of Transportation, US Postal Service, US Secret Service, US Senate, and US Supreme Court all are interested in becoming customers.46 So are hackers and cybercriminals.
Maltego
Maltego by Paterva47 represents data mining and data visualization software at its best. It seamlessly creates visual networks of interrelated data based on freely available open-source information. It reduces every piece of information into its basic components, such as “individual,” “place,” or “address.” Every “entity” can be linked to other entities – people can be linked to addresses, for example. All different entities can be matched or grouped according to rules.48 It can be applied to information from social networks to discover who is related to whom, personal e-mail addresses, phone numbers, and websites.
Law enforcement and intelligence communities are interested in Maltego. Large corporations want to visualize some of the internal data that they have.49 Intelligence communities have used information visualization tools similar to Maltego to “connect the dots” and outline social networks among people, places, and events of interest for years. These tools, however, were either custom designed for a specific agency, or inaccessible to the mainstream users due to the cost. Now, Maltego is released as a “Community Edition,” i.e. a free scaled-down version available to anyone.
Anyone who has a Facebook or LinkedIn page posts some information there. By itself this information can be relatively useless to someone who wishes to cause mischief. Linking this information, however, with other bits of publicly available information about a person throughout cyberspace can disclose enough to have his/her identity stolen or private information misused.
41 “SkyGrabber”. SkySoftware. www.skygrabber.com/en/skygrabber.php (accessed May 24, 2011).
42 McCullagh, Declan. “Predator drones hacked in Iraq operations.” CNET News. December 17, 2009. http://news.cnet.com/8301-1009_3-10417247-83.html (accessed April 7, 2011).
43 Passware. www.lostpassword.com/.
44 “New Tool Speeds Password Cracking With Distributed Password Recovery.” SecurityWeek News. May 25, 2010. www.securityweek.com/new-tool-speeds-password-cracking-distributed-password-recovery (accessed May 25, 2011).
45 Ibid.
46 ibid
47 Maltego, www.paterva.com/web5/ (accessed May 10, 2011).
48 Ibid.
49 Buley, Taylor. “When Everyone Can Mine Your Data.” Forbes.com LLC™. November 21, 2008. www.forbes.com/2008/11/21/maltego-data-mining-identity08-tech-cz-tb_1121maltego.html (accessed May 23, 2011).