Jamal B's Blog - Infosec Mindstorm
Jamal Bandukwala's personal blog on information security related matters. The views expressed here are my own and are not of my employer or any organizations I might belong to or be affiliated with.
Author: Jamal B (http://www.blogger.com/profile/08693981309315471937)

Welcome to OSINT: Fun with Open Source Intelligence! (2017-02-06)
<div dir="ltr" style="text-align: left;" trbidi="on">
Hi Everyone,<br />
<br />
2016 and 2017 so far have both been insanely busy years for me and consequently I have not been able to post much at all.<br />
<br />
I am very excited to announce that my course OSINT: Fun with Open Source Intelligence is going live soon on Pentester Academy http://www.pentesteracademy.com/course?id=29<br />
<br />
Enjoy!<br />
<br />
Jamal</div>

Happy 2016! (2016-01-01)
<div dir="ltr" style="text-align: left;" trbidi="on">
Hi Everyone,<br />
<br />
2015 has been an insanely, insanely busy year for me and I simply haven't been able to post anything. The custom search engines continue to be updated with new sites, and I have some interesting news: I am in the early stages of developing a mini course on OSINT (Open Source Intelligence); stay tuned for more information. Here's to an exciting 2016!</div>

Heartbleed (2014-04-17)
<div dir="ltr" style="text-align: left;" trbidi="on">
By now, everyone has heard about the Heartbleed bug (vulnerability CVE-2014-0160). There are a number of articles, postings and blogs about the bug and its implications. I have listed below some of the most useful links and articles relating to this vulnerability and to managing the situation.<br />
<br />
<br />
Recommended reading:<br /><br />
The Hacker News has a list of FAQs on this vulnerability; it also includes links to PoC code and sites/services that check whether a server is vulnerable<br />
http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html#<br /><br />
Bruce Schneier has a very interesting post on Heartbleed and its implications<br />
https://www.schneier.com/blog/archives/2014/04/heartbleed.html<br /><br />
Pentura Labs has a very good writeup and includes instructions for testing whether your version of OpenSSL is impacted, even if you are offline<br />
http://penturalabs.wordpress.com/2014/04/08/yet-another-heartbleed/<br /><br />
The SANS Diary has some very good posts on this evolving situation<br />
https://isc.sans.edu/diary/The+Other+Side+of+Heartbleed+-+Client+Vulnerabilities/17945<br />
http://digital-forensics.sans.org/blog/2014/04/10/heartbleed-links-simulcast-etc<br /><br />
A large number of servers and devices are impacted; some of the vendor notifications are listed below<br />
http://www.symantec.com/connect/blogs/detect-heartbleed-vulnerability-remediate-and-harden-your-infrastructure-control-compliance-su<br />
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html<br />
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623<br />
http://kb.bluecoat.com/index?page=content&id=SA79<br />
https://isc.sans.edu/diary/Heartbleed+vendor+notifications/17929<br />
<br />
<br />
<br /><br />
Even if your main business servers are not impacted, it is possible that a web appliance, phone or networked device on your infrastructure is at risk.<br /><br />Happy Patching!</div>

Merry Christmas and Happy Holidays to All! (2013-12-24)
<div dir="ltr" style="text-align: left;" trbidi="on">
Merry Christmas and Happy Holidays to All!<br />
<br />
It's been a very busy year overall and unfortunately I haven't been able to post as often as I would have liked to.<br />
<br />
I recently had the great pleasure of speaking at the TASK Oct 2013 event (Toronto Area Security Klatch).<br />
The presentation was very well received and there was plenty of quality discussion. I had a great time, made some new friends and got some excellent feedback. It was very special to speak at an event at home-base.<br />
<br />
TASK is a very interesting group that holds monthly events with various speakers from the security community. These talks are free and also qualify for CISSP credits. The organizers of this event are also responsible for bringing the well-known SecTor security conference to Toronto each year. More information on TASK and upcoming TASK events can be found at http://www.task.to/ <br />
<br />
<br />
Interesting course from SANS:<br />
<br />
SANS has a new course offering by Benjamin Wright called LEG523: Law of Data Security and Investigations; if you are an investigator, work in law enforcement, deal with legal counsel or are called as an expert witness, this is definitely something to think about.<br />
<br />
Ben has some very interesting insights from a legal point of view; I am a big fan of his ideas on using a screencast or video capture to complement or replace an investigator or incident handler's notes:<br />
http://computer-forensics.sans.org/blog/2011/01/26/preserve-cyber-investigation-evidence-screencast-tool#comments<br />
<br />
You can find more of Ben's insights and Blog posts at:<br />
https://plus.google.com/+BenjaminWright1/posts<br />
https://twitter.com/benjaminwright<br />
<br />
<br />
Updates:<br />
<br />
I have added a number of new sites to the OSINT engine. If you use this Google Custom Search, it is worth checking out.</div>

Updates - new sites added to various engines (2013-02-02)
<div dir="ltr" style="text-align: left;" trbidi="on">
I have added new sites to the Open Source Intelligence Deep Web Search<br />
(http://www.google.com/cse/home?cx=013791148858571516042:eygbr9xc-ys),<br />
<br />
the Social Networking Intel/ Footprint web search<br />
(http://www.google.com/cse/home?cx=013791148858571516042:ntbykhk-kus)<br />
<br />
and the Pastebin and collaborative tools intelligence deep web search<br />
(http://www.google.com/cse/home?cx=013791148858571516042:gqsws13ehog&hl=en).<br />
<br />
Enjoy!</div>

Malware and domains search (2012-10-27)
<div dir="ltr" style="text-align: left;" trbidi="on">
I've put together a custom Google search for malicious software, known bad sites and dangerous IP addresses; it can be found here:<br />
<br />
http://www.google.com/cse/home?cx=013791148858571516042:mkgwsgd9da8<br /><br />Examples of the sites on the list include:<br /><br />https://atlas.arbor.net/summary<br />
http://www.blade-defender.org/<br />
http://mtc.sri.com/<br /><br />I will be constantly updating the search engine.
</div>

Attacks on the stock market: some thoughts (2012-09-03)
<div dir="ltr" style="text-align: left;" trbidi="on">
I have recently been thinking about stock markets and possible attacks on them. Die Hard 4 (http://en.wikipedia.org/wiki/Live_Free_or_Die_Hard), Hackers and any number of other hacker movies feature some very complicated-looking system and great-looking Angelina Jolie lookalikes or other attractive people who have super-elite skills and can hack the Gibson or pull off some increasingly complex attack to bring the main system down. <br /><br />These attacks are certainly entertaining, but they are also complex, and have a greater likelihood of being detected and of failing. What if there was a simpler way to launch attacks without directly attacking the market itself? <br /><br />Let's look at day-traders as an example:<br /><br />
<ul style="text-align: left;">
<li>When launching trades, you need to use trade execution software</li>
<li>Most of these pieces of software are proprietary in nature and supplied either by brokerages or independent software houses</li>
<li>Since these pieces of software have a smaller market share, I began to think about how many people actually check to see whether the software they are downloading is really what it is supposed to be. How many people actually check the MD5/SHA-1 hash to see if there is a match?</li>
</ul>
<div style="text-align: left;">
<br />An attacker could conceivably put a link on a legitimate vendor page that redirects clients to a malicious piece of software (for a temporary period of time), or offer a 'free' version that works just as well. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Another plausible scenario could have an attacker flooding various message boards and other locations with claims that he/she is leaking a great new algorithm that is similar to, or used by, traders at a large firm like Goldman, and then watching to see how many people download it just to get an edge in their trading strategies. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This malicious code could behave in the manner the user expects, or remain dormant until several trades have gone through and the trader's funds are in their account, then execute its own trades and transfer an amount to another brokerage or Western Union account.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
If these transfers are randomized, if the malicious code monitors the trader's behavior and carries out transactions that appear similar to the trader's own activity, or if it deletes itself after x number of successful trades or transfers, this can make things much more difficult to detect. </div>
</div>

IIT Guwahati and the Market Intelligence Search (2012-04-14)
In February, I had the privilege of speaking at the Indian Institute of Technology Guwahati as part of the ISEA 2012 workshop and conference. I had a wonderful time, enjoyed amazing hospitality, got some very encouraging and positive feedback and made some great new friends.<br /><br />I have put together a custom search for stocks, bonds and related securities. While there are a number of different sites and blogs that provide market intelligence, this engine leverages various sources to bring a large amount of relevant information together in one place with the ease of a simple Google search. <br /><br />The engine can be found here:<br /><br />http://www.google.com/cse/home?cx=013791148858571516042:lse_tm-ugfq&hl=en

i2p, and onion/ tor search (2012-01-30)
I have put together a custom search for the hidden web. This search goes through various sources to scour i2p and onion/Tor sites. The advantage here is that even if you do not have Tor installed, or do not want it installed, you can still search for the information you need and then, using your results, either dig deeper by installing Tor or take any other actions you need to. 
I do not link directly to any of the sites in question.<br /><br />http://www.google.com/cse/home?cx=013791148858571516042:adxvhgecf4m&hl=en

Black Hat Abu Dhabi - Amazing (2012-01-29)
I was at Black Hat Abu Dhabi 2011 last month and had an amazing time. I got to listen to some very interesting research, had the pleasure of meeting some very cool people, made great new friends and got some excellent feedback on my presentation.<br /><br />I just came across the following article from the Wharton School of Business, which briefly mentions me and some of my work, which I thought was really nice.<br /><br />http://knowledge.wharton.upenn.edu/arabic/article.cfm?articleid=2774<br /><br />I have also updated all three searches with new sites.<br /><br />Enjoy!

Social Networking Intel/ Footprint web search (2011-08-01)
I've put together a custom Google search for social networking related searches; it can be found here:<br /><br />http://www.google.com/cse/home?cx=013791148858571516042:ntbykhk-kus<br /><br />This can provide an idea of what an individual's social networking footprint looks like.<br /><br />Examples of the sites on the list include:<br /><br />facebook.com<br />flickr.com<br />plus.google.com<br /><br />I will be constantly updating the search engine.

Pastebin and collaborative tools intelligence web search (2011-07-03)
I've put together a custom Google search for intelligence/information 
posted to pastebin and other online collaborative services and information portals; it can be found here:<br /><br />http://www.google.com/cse/home?cx=013791148858571516042:gqsws13ehog&hl=en<br /><br />Examples of the sites on the list include:<br /><br />http://pastebin.ca/<br />http://nopaste.info/<br />http://paste.pocoo.org/<br /><br />I will be adding more sources as I come across them.

Open Source Intelligence Deep Web Search- updates (2011-05-05)
I have updated the OSINT custom Google search.<br /><br />http://www.google.com/cse/home?cx=013791148858571516042:eygbr9xc-ys<br /><br />The following sites have been added:<br /><br />
http://www.isn.ethz.ch/<br />
http://isnblog.ethz.ch/<br />
http://theosintjournal.blogspot.com/<br />
http://www.robtex.com<br />
http://serversniff.net<br />
http://www.peekyou.com<br />
http://com.lullar.com/<br />
http://www.checkusernames.com/<br />
http://knowem.com<br />
http://www.isearch.com<br />
http://www.pipl.com<br />
http://www.123people.com<br />
http://www.spokeo.com<br />
http://webmii.com/<br />
http://www.zoominfo.com<br />
http://samy.pl/androidmap<br />
http://www.bing.com/maps/<br />
http://twittermap.appspot.com/<br />
http://tineye.com<br />
http://youropenbook.org/<br />
http://picfog.com<br />
http://www.whitepages.com/find_neighbors<br />
http://www.archive.org/web/web.php<br />
http://boardreader.com<br />
http://omgili.com<br />
http://www.onstrat.com/osint/<br />
http://www.onlinenewspapers.com/<br />
https://wits.nctc.gov/FederalDiscoverWITS/index.do?N=0<br />
https://www.cia.gov/library/publications/the-world-factbook/index.html

Open Source 
Intelligence Deep Web Search (2011-04-12)
I've put together a custom Google search for Open Source Intelligence related topics; it can be found here:<br /><br />http://www.google.com/cse/home?cx=013791148858571516042:eygbr9xc-ys<br /><br />It currently searches the following sites:<br /><br />
http://www.turbo10.com/<br />
http://www.deepdyve.com/<br />
http://infomine.ucr.edu/<br />
http://vlib.org/<br />
http://www.intute.ac.uk/<br />
http://aip.completeplanet.com/aip-engines/browse?thisPage=%2Fbrowse%2Fbrowse.jsp&successPage=%2Fbrowse%2Fbrowse.jsp&errorFlag=&errorMsg=&event=loadPageEvent&directPage=&directSection=4&treeQueryExpr=&treeQueryType=phrase&treeQueryTarget=tree<br />
http://www.infoplease.com/index.html<br />
http://www.deeppeep.org/<br />
http://www.incywincy.com/<br />
http://www.deepwebtech.com/<br />
http://www.scirus.com/srsapp/<br />
http://www.techxtra.ac.uk/index.html<br />
http://www.osint.org.uk/<br />
http://www.phibetaiota.net/<br />
http://www.onstrat.com/osint/<br />
http://extremesearcher.com/handbooklinks.html#chap1<br />
http://rr.reuser.biz/<br />
http://osintdaily.blogspot.com/<br />
http://www.reversenumberdatabase.com/416-524<br /><br />
I will be adding more sources as I come across them.

A possible security bug in plenty of fish (2011-02-14)
I think I may have found a security related bug in plenty of fish...<br /><br />It looks like your session can remain active even if you have attempted to clear out your cookies and cache (provided you have multiple windows open).<br /><br />Here is the scenario:<br /><br />I was logged into plenty of fish and had multiple (plenty of fish) windows open; I was looking at different profiles and am in the habit of opening new windows when browsing.<br /><br />After surfing for a while I decided to clear out my cache; I was using the latest 
stable build of Firefox and went to Tools > Clear Recent History (everything) and hit OK.<br /><br />After clearing everything (which includes cookies and active sessions), I got the impression that this would mean my session would be killed and that if I attempted to click on a new profile or send a message I would be asked to re-authenticate. This is not the case.<br /><br />After my session had been "killed", I was still able to view new profiles and even email members I was interested in, and was able to authenticate that these messages had successfully gone through.<br /><br />What if you were on a public computer and thought that by clearing your cache and cookies, your session would be killed and that no one else would be able to use your profile? <br /><br />Something to think about...

new security hole in facebook (2011-01-28)
I was logged into facebook and just saw the craziest thing: you can have your apps activated and doing things while you aren't signed into facebook.<br /><br />I am sure you must be thinking, that doesn't make any sense.<br /><br />Let me describe my steps below:<br /><br />I was logged into two sessions of facebook (two windows open) and they were both on my home page.<br /><br />I was using Firefox and in one of the sessions went into the Mafia Wars game application; I then clicked on the second session and signed out of facebook. One would think that by signing out of this session, it would have deactivated my other session as well; it did this to a certain extent. I carried out a few actions in my game, i.e. deposited some money etc., and was able to do this successfully. 
I then clicked on the home link and it asked me to sign into facebook.<br /><br />When I saw this, I re-signed into facebook, re-entered my application and checked to make sure the actions I had carried out in my game had been successful; they had. I was able to recreate this scenario without any problems.<br /><br />This is significant: if I can do this in Mafia Wars, can you picture the implications with other applications? What if other applications go further and connect to things like your location, or private pictures? What if you were logged into facebook on a public computer, like in the library? <br /><br />Something to think about...

Some thoughts on malware analysis and vmware (2011-01-08)
There are a number of different ways to examine malware, from using automated sites like ThreatExpert and VirusTotal to running your own sandbox locally (either on a physical machine or by using virtualization software like VMware). There are some in the malware analysis community who advocate using real hardware, as some pieces of malware have virtualization detection mechanisms built into them. Others point out that virtualization provides a greater level of flexibility and that you can actually put measures in place for dealing with malware that tries to behave differently in a virtualized environment. I recently began to think a lot about this, since many companies are now using virtualization to a greater extent internally on things like webservers, as this can lead to lower costs and more flexibility. It makes one wonder: does this mean that we are going to see a new trend in malware that ignores whether a machine is virtualized or not and just behaves the same anyway? 
If this does not appear to be the case, then does it mean that increased virtualization of both servers and desktops can actually reduce the likelihood of an organization being as heavily impacted by malware?

Interesting information leak from facebook (2011-01-06)
The other day I signed into facebook and came across something very interesting. I noticed an update on my newsfeed from someone I had sent a friend request to. Having seen this, I was under the impression that they had accepted my friend request; consequently I clicked on their profile and saw that it said awaiting friend confirmation. This is significant and may have some forensic/investigative value, because it seems to tell us that, depending on what privacy settings a person has, if they don't act on a friend request you can still get regular updates on some of their information on your newsfeed. This could potentially be used to track when a person changes or updates their pictures, posts status updates or other information, without actually having to go to their profile page on a regular basis and without being part of their friendship group on facebook.

Guessing ATM PINs using publicly available information via social media (2010-10-04)
I was looking at the information a lot of us have publicly available and began to think about ATM PIN security. <br /><br />The ATMs I am familiar with have a 4-digit (all numerals) PIN code; this suggests that your PIN is probably going to be a year. 
If you look at facebook, linkedin, myspace, flickr and any number of other sources, you can build a profile of a person which can greatly help to reduce the number of possible ATM PIN combinations they are likely to be using. Once you have a profile of your target, asking the right questions can reduce the ATM PIN possibilities to a substantially more manageable number.<br /><br />As an example:<br /><br />If you are looking at a single guy, building a profile can determine the questions you need to answer for this person:<br /><br />If this is a young unmarried single guy, you should find out:<br /><br />
Year of his birth<br />
Does he have a new job?<br />
Did he get a promotion recently?<br />
Does he have his own car?<br />
What year model is his car?<br />
What year did he buy his car?<br />
Does he have his own place?<br />
What year did he buy his own place?<br />
Does he have a dog?<br />
What year did he get his dog?<br />
Does he have any hobbies he is extremely passionate about?<br />
Do any of them have specific years tied to them?<br />
For instance, maybe he likes guitars; maybe he has a favorite guitar. Is that a vintage 1965 Fender Strat?<br /><br />
This means you are looking at 6-9 likely possibilities for his ATM PIN; given that you usually get about 3 attempts before being locked out, the odds of getting the right combination are fairly high.<br /><br />If the individual is married and has kids, you may need to add a few more questions:<br /><br />
What year did he have his first kid?<br />
What year did he get married?<br />
The date of birth of his wife or significant other?<br /><br />
The more complex the profile, the more you need to fine-tune your questions. While we might recommend that people create a number only they know and that sort of thing, a lot of us are more likely to go with something that we are familiar with and likely to easily remember. 
I am just scratching the surface here; the better you build the profile, the better you get to know the person, and this improves the likelihood of you getting back improved information.

Blackberries being viewed as a Security threat by various Middle Eastern governments (2010-07-27)
The Toronto Star had an interesting article on how Blackberries are seen as a potential security threat by various countries in the Middle East and Asia.<br /><br />http://www.thestar.com/business/companies/rim/article/840150#article<br /><br />From the article:<br />The UAE's Telecommunications Regulatory Authority said Sunday that as a result of how BlackBerry data is managed and stored that "certain Blackberry applications allow people to misuse the service, causing serious social, judicial and national security repercussions."<br /><br />This is certainly interesting information and raises the question of what specific applications are of concern to the government. 
I can imagine BlackBerry Messenger being one of the applications that causes some concern from a privacy perspective, but I am curious as to what some of the other applications of concern might be.<br /><br />Just thinking of some possibilities:<br />
YouTube<br />
Twitter<br />
Facebook<br />
Worldmate Live<br />
Maximizer<br />
Cellcrypt - possibly determining who is using this<br />
various news portal applications<br />
viigo<br />
Wi-Fi Proxy FTP HTTP Servers (app)<br />
SSH apps (PaderSyncSSH and Rove Mobile SSH) - possibly determining which non-corporate individuals are using apps of this nature?

Russian Spies and infosec some thoughts (2010-06-30)
As most people are aware, several individuals were recently arrested and accused of being deep-cover agents spying on the USA on behalf of Russia. There are some interesting details emerging on how these individuals were tracked, with some newspapers/sites stating that these individuals had been under surveillance for quite some time. <br /><br />One thing I found really fascinating about this whole event is why the individuals under surveillance did not change their MAC addresses; perhaps they simply did not see it as a major risk in being used to identify them, given all the other layers of security they had in place, i.e. some level of steganography (there are mixed reports as to whether cryptography was involved as well) and the fact that they were using ad-hoc wireless networks. I think there is also a possibility that, given that they were using ad-hoc networks, the MAC addresses may have been what the agents used to identify each other and determine whether they were in the appropriate network. 
<br /><br />Reports, postings and other media on this story:<br />
The SANS Internet Storm Center has a diary entry which looks at some of the technical issues raised in this case<br />
http://isc.sans.edu/diary.html?storyid=9094<br />
http://www.thestar.com/news/world/article/829914--u-s-says-alleged-russian-spies-posed-as-canadians<br />
http://www.dailytech.com/Russian+Femme+Fatale+Spy+10+Others+Busted+by+FBI/article18898c.htm