FIYAPOWA
FIYAPOWA Reader
8/15/18 7:15 a.m.
rustybugkiller said:
Wally said:

In reply to Robbie :

With repos we’d try a mom or ex, tell them the person in question had won a prize and you needed to contact them. Moms will happily sell you out for a big screen tv, an ex girlfriend will drive me to your house to see your car get snatched.

As a former Repo guy, that’s  actually illegal.  

 

That depends on the state.

FIYAPOWA
FIYAPOWA Reader
8/15/18 7:23 a.m.

In reply to SVreX :

IRT the OP: if it is something you are tracking that has your name on it, almost everything is legal.  For example, if it is your internet service you are paying for, you are allowed to put spy software on devices that you paid for inside your network.  You cannot go across the ISP's network, but if it's a laptop that your minor child uses, and you want to see what he/she is up to, you can install a keylogger and it's perfectly legal.

Cell phones are kinda the same, except it's difficult to install the software to track it, so the best bet is usually get an app that tracks everyone for you (I use Life360 for the fam, and I sell it as a safety app).

Cars can be pretty easily tracked if you use a GPS tracker.  I have Vyncs plugged into my youngest's car (OBD splitter, with the module tucked out of sight, and the OBD port is still accessible), under the guise of insurance discount (true), troubleshooting codes (true), and theft recovery (true) but in reality it's because I'm a paranoid overprotective parent.

If you are trying to track someone not under your roof, it's pretty sticky, from a legal standpoint.

RossD
RossD MegaDork
8/15/18 7:48 a.m.
mtn said:

A gps tracker that we could stick in my boss's backpack would be great. Guy is all over the country all the time, and it'd be nice to know which office he's in at any given time to know if we should or shouldn't call.

Look up 'share location' on google maps. I keep track of my wife (and she sees my location too) since she goes to sketchy rural farms to doctor up horses.

The0retical
The0retical UltraDork
8/15/18 8:23 a.m.

Not sure if you're serious or not.... Things I've learned over the years from having OpSec beaten into me:

The lowest barrier of entry for most people is the phone linked to an Apple or Google account. Social engineering a way to enter into their Apple or Google account will typically yield a pretty complete locational history.

Another fairly low barrier of entry, or good place to start, would be the infotainment systems of cars. People can't resist sync'ing all their crap to either their car or a rental car. A lot of the systems will rip out all a phone's contacts and locational history which gives an attacker a good spot to begin a spear phishing campaign.

Slightly more complicated is a RAT which allows you to snoop computers, phones, etc. Again, immensely illegal to install on other people's hardware but pretty common for targeted attacks. A common way to install them is through an email targeted phishing campaign but a super low tech way of doing it is to drop a USB drive somewhere the target will find it. There's a known vulnerability with USB which allows an executable to run with no user input. Again, people can't resist plugging that crap into their devices.

Open WiFi networks are also a pretty good way to snoop on data. There's a number of off the shelf tools which allow you to watch traffic and potentially capture data sent over the network. You'll see a recurring theme here about E36 M3 people can't seem to resist.

Hardware wise it's been possible to roll your own cell site simulator (Stingray) for years. That allows interception of calls and texts. You can build one for under 100 bucks, the FCC really frowns on this and you'll probably catch some extraneous data.

There's a number of devices like LoJack which operate off cell signals. There's also just the dumb GPS recorders that have been mentioned.

Cameras are pretty decent these days in small form factors, hidden mics the same.

 

Overall hiding a piece of hardware is the most risky way of snooping. It's much easier to use existing devices/hardware in most cases. Everything here has varying degrees of legality depending on where the device or software is going to be installed, and who owns the hardware or network. The most up and up way of gathering information is the infotainment system.

spitfirebill
spitfirebill MegaDork
8/15/18 8:33 a.m.
Pete Gossett said:

In reply to SVreX :

GPS trackers for trailers are getting common enough that I expect it’s your cheapest route for tracking a vehicle. Getting it placed on someone else’s vehicle unknowingly would be the difficult part I believe. 

Is it legal if you can get one on there?  Also asking for a friend.

spitfirebill
spitfirebill MegaDork
8/15/18 8:38 a.m.
rustybugkiller said:
Wally said:

In reply to Robbie :

With repos we’d try a mom or ex, tell them the person in question had won a prize and you needed to contact them. Moms will happily sell you out for a big screen tv, an ex girlfriend will drive me to your house to see your car get snatched.

As a former Repo guy, that’s  actually illegal.  

 

Cops do it all the time.   "You have won free Super Bowl tix". 

FIYAPOWA
FIYAPOWA Reader
8/15/18 8:44 a.m.

In reply to spitfirebill :

It's legal if you're tracking your own stuff, i.e. your wife or kid's car.  It's illegal to place a device on a vehicle that is not yours.

rustybugkiller
rustybugkiller HalfDork
8/15/18 9:49 a.m.
FIYAPOWA said:
rustybugkiller said:
Wally said:

In reply to Robbie :

With repos we’d try a mom or ex, tell them the person in question had won a prize and you needed to contact them. Moms will happily sell you out for a big screen tv, an ex girlfriend will drive me to your house to see your car get snatched.

As a former Repo guy, that’s  actually illegal.  

 

That depends on the state.

Well, in Ohio and PA it’s illegal. The state laws favor the debtor not the banks or the repo man. There is a lot you can’t do but some still go over the line. I just never did or needed to break the law to find/ get a car.

mtn
mtn MegaDork
8/15/18 9:54 a.m.
rustybugkiller said:
FIYAPOWA said:
rustybugkiller said:
Wally said:

In reply to Robbie :

With repos we’d try a mom or ex, tell them the person in question had won a prize and you needed to contact them. Moms will happily sell you out for a big screen tv, an ex girlfriend will drive me to your house to see your car get snatched.

As a former Repo guy, that’s  actually illegal.  

 

That depends on the state.

Well, in Ohio and PA it’s illegal. The state laws favor the debtor not the banks or the repo man. There is a lot you can’t do but some still go over the line. I just never did or needed to break the law to find/ get a car.

Should only be the lying part of it. You can call anyone you want, typically, and ask whereabouts. Of course nowadays the job is almost done for you--give me a name and an associated address/phone number/etc, I can find out where you live or work or used to work and find someone who will answer the questions. 

GameboyRMH
GameboyRMH GRM+ Member and MegaDork
8/15/18 10:05 a.m.

Everything you mentioned can be done cheaply these days. A legal way to track someone now could be tracking their phone's Wifi and Bluetooth MAC addresses and perhaps their cell IMEI with an SDR device. Many phones now randomize wifi macs when searching for APs but revert to their default MAC to connect to known APs. These are all short-range tracking methods, you'd put a tracker around a location this person might commonly visit and it could notify you when they're there.

If they have a modern car you can also legally track their in-car wifi hotspot MAC, bluetooth MAC, and TPMS IDs (and of course their license plate number with computer vision, on any car).

The0retical
The0retical UltraDork
8/15/18 10:15 a.m.

Gameboy just reminded me. You can actually buy an individual's locational data in the US from any of the big 4 carriers (though they just got done super pinky swearing they'd stop selling it.)

There's a couple of other entities out there though like 3CInteractive and Securus that'll sell access to the big four's APIs with the most dubious of credentials yet.

Yay 3rd party doctrine.

Wally
Wally GRM+ Member and MegaDork
8/15/18 10:29 a.m.

In reply to rustybugkiller :

He insisted that he was in a somewhat gray area in NY but it wouldn’t surprise me, he was involved in a number of questionable enterprises.  It was educational good and bad to watch him work but not surprisingly he eventually became a guest of the Feds for an unrelated business venture.  

Pete Gossett
Pete Gossett GRM+ Member and MegaDork
8/15/18 2:29 p.m.

In reply to FIYAPOWA :

Damn, I’d have been grounded all the time in your house! :-p

EastCoastMojo
EastCoastMojo GRM+ Member and Mod Squad
8/15/18 3:28 p.m.
FIYAPOWA said:

It's legal if you're tracking your own stuff, i.e. your wife

LOLZ

akamcfly
akamcfly Dork
8/15/18 3:48 p.m.

This is my latest piece of DIY spy gear.

drainoil
drainoil HalfDork
8/15/18 5:20 p.m.
spitfirebill said:
rustybugkiller said:
Wally said:

In reply to Robbie :

With repos we’d try a mom or ex, tell them the person in question had won a prize and you needed to contact them. Moms will happily sell you out for a big screen tv, an ex girlfriend will drive me to your house to see your car get snatched.

As a former Repo guy, that’s  actually illegal.  

 

Cops do it all the time.   "You have won free Super Bowl tix". 

Pre internet I could see but anyone who falls for this nowadays?

Wally
Wally GRM+ Member and MegaDork
8/15/18 6:10 p.m.

In reply to drainoil :

Seeing the crap my friends and family fall for makes me think it is even easier now.  Share this post on Facebook and Bill Gates will come put gas in your car while you're at work.

BoxheadTim
BoxheadTim GRM+ Member and MegaDork
8/15/18 6:57 p.m.
drainoil said:
spitfirebill said:
rustybugkiller said:
Wally said:

In reply to Robbie :

With repos we’d try a mom or ex, tell them the person in question had won a prize and you needed to contact them. Moms will happily sell you out for a big screen tv, an ex girlfriend will drive me to your house to see your car get snatched.

As a former Repo guy, that’s  actually illegal.  

 

Cops do it all the time.   "You have won free Super Bowl tix". 

Pre internet I could see but anyone who falls for this nowadays?

How many people are clicking on the "accept your bitcoin transfer" link they just had emailed from a stranger? Enough I would wager.

Streetwiseguy
Streetwiseguy UltimaDork
8/15/18 7:02 p.m.
The0retical said:

 A common way to install them is through an email targeted phishing campaign but a super low tech way of doing it is to drop a USB drive somewhere the target will find it. There's a known vulnerability with USB which allows an executable to run with no user input. Again, people can't resist plugging that crap into their devices.

 

 

 

 

Seriously?  Like, really?  That is very close to the last thing I would do with a USB drive I found on the sidewalk.

 

Well, unless it was labeled something like "Mary's naked pictures", but I would probably do it in somebody else's computer.

Curtis
Curtis GRM+ Member and PowerDork
8/15/18 7:35 p.m.

Do a search for NR16 keychain cameras.  They're 720p, but they look like this:

[Image: NR16 keychain camera]

They really look like a remote lock fob.  You can get multiple lenses (the wider lenses are external so they take away from the stealth).  They're cheap.  They are 720p, but as can be expected, the optics suck, so it doesn't quite look as good as expected. They also sell inexpensive extension cables for the sensor, so you could hide the fob out of the way and drill a 1/16" hole in anything.  I put one of mine in a clock radio so I could keep an eye on my dogsitter.  (It was the neighbor's adult son with pretty severe Autism and I did it with permission from his parents.)  I drilled a 1/16" hole in the face, taped the sensor behind it, then left the fob hanging out the back of the clock.  I could have tucked the fob inside the clock, but then I would have to tear the clock apart every time to get to the video.  Happy to report that the dogsitter was wonderful and I'm very sad he and his family moved.  My dog LOVED that guy.

They did come out with a 1080p replacement and I haven't tried it.  You can download a free software that lets you change a ton of options; white balance, brightness, motion detection, frame rate, microphone sensitivity, etc.

I might try a few of the 1080p versions and see if I can get them networked somehow.  More or less, make a Ring system for cheaper.  Hide one in the porch light so I can see who's at the door, hide one in the garage and the house in case someone breaks in (so I know what to tell the insurance company they stole)  It might be easier to do that with dedicated wifi cameras instead of trying to run USB all over my house.

The0retical
The0retical UltraDork
8/16/18 12:41 a.m.

In reply to Streetwiseguy :

That's literally how Stuxnet made its way into an air gapped network to infect Iran's Step7 software in order to destroy their centrifuges.

At my previous job, not my site or department thank God, someone plugged a found USB drive into the GCS, which for all intents and purposes is the cockpit for the UAV, and infected it with malware. That actually made the national news... Luckily it wasn't anything serious.

The general populace has no clue what sanitary data security practices look like.

Edit: Grammatical clean up. The text editor and my phone don't get along.

Stampie
Stampie GRM+ Member and UberDork
8/16/18 9:30 a.m.

There are people reusing condoms.  You think they wouldn't check out what's on the USB stick?

https://www.cnn.com/2018/08/02/health/condom-cdc-reuse-tweet-trnd/index.html

¯\_(ツ)_/¯
¯\_(ツ)_/¯ UltraDork
8/16/18 9:48 a.m.

In reply to The0retical :

Fun USB port story- I previously worked for a medical device company.  We had test stations, which used basic workstation type computers- for security, FDA approval, and probably a host of other purposes, these test station computers had little cages around them and were not connected to the internet in any way.  One of them kept getting the same piece of malware, somehow, despite being connected to nothing but some little electrical probes and a power strip.

After exhausting every other possibility, they determined it was following a specific operator on second shift.  This person was snaking a USB cable through the cage and plugging into the computer to charge their phone during their shift, despite having a power strip inches away that they could use- nobody up to that point had even considered it being a possibility.

spitfirebill
spitfirebill MegaDork
8/16/18 2:48 p.m.
Stampie said:

There are people reusing condoms.  You think they wouldn't check out what's on the USB stick?

https://www.cnn.com/2018/08/02/health/condom-cdc-reuse-tweet-trnd/index.html

That must be those lambskins.  Those things are expensive. 

akamcfly
akamcfly Dork
8/16/18 3:49 p.m.
spitfirebill said:
Stampie said:

There are people reusing condoms.  You think they wouldn't check out what's on the USB stick?

https://www.cnn.com/2018/08/02/health/condom-cdc-reuse-tweet-trnd/index.html

That must be those lambskins.  Those things are expensive. 

How do you re-use a condom?

You turn it inside out and shake the berkeley out of it.
