Case Studies

Notes from the field

These are real people in real situations. Their data has been anonymized as much as possible to protect their identities. Most of the emphasis is on the technical details of the cases. Case studies 1 and 2 are from Andrew. These were originally summarized in a tor-talk post in January 2012.

Tech Stalking Victim 1

from Andrew

Summary

She called out of desperation. She figured Tor is ‘technical and computery’ and may be able to help, since the local computer stores and police dept were useless. She said her computer would randomly do things she didn’t tell it to do, like move the cursor and turn the webcam light on, and one of her coworkers in another country seemed to know far more about her than she remembers telling him over the years.

The local computer stores ran anti-virus/anti-malware and found nothing. One suggested she see a doctor for dementia (she’s older). The local police told her to take classes to learn how to use her computer, and that even if her coworker was stalking her, he’s in a different country and therefore out of their jurisdiction. I was the first to tell her she’s not crazy and that yes, infected computers can do exactly what she’s experiencing. After about 5 calls over two weeks, I eventually handed her off to a local domestic violence organization that can also help with internet stalking. It’s surprisingly hard to find an anti-abuse org that also knows how to handle the Internet. Comically, the first two orgs I called pointed me at NNEDV.org, who then point people at Tor for help with privacy online.

Technical Details

Her co-worker in the other country insisted she had to use a specific version of Yahoo Messenger for her Mac. When I asked why, she said she was told that it supported VOIP and was the last version supported on his operating system (Microsoft Windows something). At one point, she had her grandson re-install her Mac from scratch. After this, she downloaded the current version of Yahoo Messenger and successfully chatted over voice and video with the co-worker. Everything seemed fine for a week, until the co-worker realized he no longer had control over her computer. When doing some searches on the version the co-worker insisted on, there are known, published exploits that provide local system access on Macs. The outdated Yahoo Messenger was the vector used to attack her Mac and then install spyware.

The victim didn’t know that the Yahoo Messenger application is just the userspace application to use the Yahoo Messenger protocol between her, Yahoo servers, and him in his foreign country. She could have successfully used Adium or maybe even iChat to have phone and video chats with the co-worker.

Closure

The user called back months later to say that her laptop was free of “that jerk” and she changed jobs to avoid having to work with him again.

Tech Stalking Victim 2

from Andrew

Summary

This person is an adult video performer, and as she put it, ‘there are fans, super fans, creepy fans, and stalkers. I love the first three types of fans.’ The local police detective basically told her that because of what she does for a living, there is nothing they can do about her stalker and that she brought this on herself. She found [email protected] through Google searches. She talked to other companies who just wanted to sell her software, but not actually answer her questions. She had a lot of questions.

We covered online privacy, how the internet works, how to un-infect her work computer, and how to keep her personal computer safer than the work computer. Generally, we helped her set up Tails on a USB drive and Tor Browser, and explained what happens when you log in to Google, Twitter, and Facebook over Tor (who that provides privacy from, what it protects, etc.). She wanted to know how to keep, in her words, ‘the public me separate from the private me’ on the Internet and from her non-stalker fans. In the end, she said the internet was far more complex than she thought, and wishes she could just buy something that ‘just worked’ without her thinking about it. She realized it’s unlikely that will ever happen.

Technical Details

She was assigned a work laptop by her current employer (an adult movie studio). As this laptop was far more powerful than her personal computer, she commingled personal and work data right away. Editing personal videos, pictures, facebook, twitter, text/video chats with her boyfriend and kids, and email were all on this laptop provided by her employer.

The victim mentioned that after an AVN expo, her laptop “started acting funny”. She would notice her Internet at home was slow all the time. She then had her credit card number used to buy a lot of drugs from providers in Eastern Europe. And finally, she started getting emails from seemingly random people emailing her personal photos. She insisted these personal photos were never put online, partially out of the concern that an adult video actress with pictures of her kids doesn’t sell as well as the fantasy that she’s single and a nymphomaniac.

She was highly motivated to figure out what was going on, so we started poking around her work laptop. On advice, she asked the IT staff if she had a spyware infection. She then learned the employer used employee monitoring software to protect the laptop, “in case it was stolen”. She was told it was “part of asset management”. Remote monitoring of employees is a growing practice, becoming more common with each year. This software allowed a remote admin full control of the Microsoft Windows operating system whenever the laptop was connected to a network, whether Wi-Fi, 3G/4G mobile, or physically plugged into an Ethernet port.

Unfortunately for her, her employer’s admin didn’t change the default password for remote admin access. Anyone who discovered the listening TCP port on her laptop could quickly Google for information, find the remote admin access, and then fully control her laptop. The IT staff was unable to log in to the remote port with the default password. It seems whoever had logged in did change the remote admin password and systematically cleared the logs relating to “admin access”. Luckily, through conversations with the IT person, the victim, and [email protected], we discovered the software did log a disconnect in the native system log, which also recorded the IP address of the session. The IP address was registered to an ISP in Latvia.
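The log check described above, as an added example that is not part of Andrew's write-up and does not use any real monitoring product's log format: a small Python script that pulls remote-admin session disconnect records out of constructed system-log lines, groups them by the recorded peer IP address, and flags the addresses that fall outside loopback and private ranges. The service name RemoteAdminSvc, the line layout, and the sample addresses are all assumptions made for this example.

```python
"""Pull remote-admin session disconnect records out of a system log and
report which peer IP addresses fall outside the local/private ranges."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. The line format and the service name
# "RemoteAdminSvc" are assumptions for this example, not the format of any
# real monitoring product. 203.0.113.0/24 is the RFC 5737 documentation
# range, used here as a stand-in for an outside address.
SAMPLE_LOG = """\
2012-01-14 02:13:07 RemoteAdminSvc: session 41 connected from 192.168.1.20:51022
2012-01-14 02:19:55 RemoteAdminSvc: session 41 disconnected peer=192.168.1.20:51022 duration=408s
2012-01-15 03:02:11 RemoteAdminSvc: session 42 disconnected peer=203.0.113.77:44012 duration=1933s
2012-01-15 03:05:40 Application: AVUpdater finished
2012-01-16 01:47:03 RemoteAdminSvc: session 43 disconnected peer=203.0.113.77:44109 duration=2710s
2012-01-16 09:30:00 RemoteAdminSvc: session 44 disconnected peer=127.0.0.1:5900 duration=12s
"""

# Only the disconnect records carry the peer address and session length.
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) RemoteAdminSvc: "
    r"session (?P<sid>\d+) disconnected "
    r"peer=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) duration=(?P<dur>\d+)s$"
)

# IPv4 ranges reachable only from the machine itself or its local network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]


def parse_disconnects(log_text):
    """Return one dict per disconnect line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DISCONNECT_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"], "session": int(m["sid"]), "ip": m["ip"],
                "port": int(m["port"]), "seconds": int(m["dur"]),
            })
    return events


def is_external(ip_str):
    """True when the address is not loopback, link-local or RFC 1918."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in LOCAL_NETS)


def summarize_by_peer(events):
    """Group disconnects by peer IP: session count, total connected time,
    first/last timestamp, and whether the peer is outside the local ranges."""
    summary = defaultdict(lambda: {"sessions": 0, "total_seconds": 0,
                                   "first": None, "last": None})
    for ev in events:
        s = summary[ev["ip"]]
        s["sessions"] += 1
        s["total_seconds"] += ev["seconds"]
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    for ip, s in summary.items():
        s["external"] = is_external(ip)
    return dict(summary)


def external_peers(summary):
    """Peer IPs worth handing to an investigator, most connected time first."""
    return sorted((ip for ip, s in summary.items() if s["external"]),
                  key=lambda ip: -summary[ip]["total_seconds"])


if __name__ == "__main__":
    report = summarize_by_peer(parse_disconnects(SAMPLE_LOG))
    for ip, s in report.items():
        tag = "EXTERNAL" if s["external"] else "local"
        print(f"{ip:>15}  {tag:8}  sessions={s['sessions']}  "
              f"time={s['total_seconds']}s  {s['first']} .. {s['last']}")
```

Running it prints one line per peer address. An outside address with repeated, long sessions is exactly the kind of record to preserve (the complete, unmodified log file, not just the matching lines) before the laptop is wiped or reissued, since it is the only trace the cleared admin logs left behind.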

Closure

The victim’s next step was to re-open the police case, log all of this as evidence, proceed to clean up after the identity theft and credit card fraud, and see if they could unmask the stalker. Her employer issued her a new laptop, copied over all her data, and changed the default admin password on the employee monitoring software. This was the end of involvement by [email protected].