Weird Net Blues
by Rob Pait

I always wanted to be a spy, true story. I loved the old cheesy James Bond movies, and Soundwave was always my favorite Transformer. I had a talent for tech and puzzles, but about as much of a knack for subtlety as a sledgehammer. That last part killed any chance of me making it as a real spy. So, I settled for the next best thing, doing incident response as a self-styled internet detective. As a pop-culture junkie and bad hacker, I take the cases that no one else will, generally because the pay being offered is terrible and the case is too weird for anyone else to want their careers tainted by it.

The new case is bizarre. Malware at the client site was discovered in a number of devices that are part of the new internet of things. I take a gulp of coffee from a thermos at my side and look at the briefing again. Sometimes the job throws you for a loop. For instance, should I be confused at why someone would want a smart toaster connected to the corporate network, or should I be more impressed that someone loaded it with malware?

Next, it's time for a drag from my vape pen as I approach the door to the client site. I can already hear the yelling inside.

"You hate me because I love Jesus, that's what this is about!" I hear a woman's voice screaming from inside. This job is already more interesting than the last one, and in the last one, someone accidentally lit himself on fire. Hearing how religion could be used to justify a massive security breach would be fun, if nothing else. After taking another drag from my vape pen, I decide to open the door and make my presence known.

"MDP, Internet Detective!" booms from my mouth with a flair for the dramatic. "I understand twenty-three devices were compromised at this site."

"Yes, MDP, I'm glad you're here," said the site manager, a fat balding man with bad teeth. "We already let you know what we know, but I think it could be far worse. Helen was caught on camera using the toaster right around the time it was compromised according to our logs. She is the only person to have used all of the compromised devices. We can't prove it was her, and she isn't talking."

"Well, I'm not going to hit her with a wrench until she talks. If you wanted that, you should have hired someone else," I said as I sat down across from Helen, a young woman, somewhat conservatively dressed, with very intense eyes. I was curious about what the client wanted me to do here. They had called me in to find out what had happened and how exposed they were. A lot of the basic work had been done for me by their people. They had logs that let them figure out which devices were compromised and when. What they couldn't figure out was what the hell the vector was. When they couldn't afford anyone else, they called me.

"Obama sent you, I know it," Helen accused me.

"President Obama hasn't been in office for a decade," I replied as calmly as I could. Not laughing was hard.

"I know how this sounds," began Helen as she raised her hands in a stopping motion. When I saw her palms, I was struck by a curious mark on each of them. It looked as if they had been pierced by a large-bore needle. It was time to cut her off. "What are those marks on your hands?"

Helen was at first surprised by the question, then started beaming with happiness; all of her previous antagonism seemed to melt away. "Those are my stigmata," she explained. "I got them when I accepted Jesus three weeks ago."

I pulled out my cellphone, turned on the camera, and asked, "Do you mind if I take a picture of them?"

"I don't see why not," Helen replied as she held out her hands. As I moved my camera over her hands, something curious happened. A prompt came up asking if I was sure I wanted to make a download. It was what I thought.
I had seen wounds similar to the ones on her hands at Defcon a couple of years ago, when people were injecting themselves with RFID and NFC readable and writable chips. They thought carrying around malware they could plant by touching things was cool. I thought it sounded like a cyber STD, and had declined the injection. I took the picture, then routed the download being offered to a cloud instance to evaluate later.

I turned to the manager and asked, "Do you sanitize RFID or NFC inputs on any of your devices?"

"What does that mean?" the manager answered as he screwed up his face in confusion.

I pulled him aside and explained that Helen was likely the vector for the breach, but not the responsible party. My suspicions were confirmed when I took an inventory of the compromised devices. All of them had NFC or RFID inputs. None of them sanitized inputs, or asked for any sort of approval or authentication before a download. Someone had turned Helen into a walking malware vector. It was outside the scope of the job, but I needed to know who, and how.

I opened the file from Helen's palm in a cloud computing instance, and sure enough, it was malware. It was designed to make the infected device part of a botnet. Did I not say my job took trips on the weird side? Religious zealots were an odd choice for a malware vector, even if a creative one. I also found it unusual that someone would take to religious body modification so quickly after finding religion. How long ago did Helen say she had taken to Jesus? Three weeks? This made less and less sense the more I thought about it.

I pulled Helen's employee file. She had been working in tech support at this firm, but desperately wanted out. Helen hated dealing with the customers, but genuinely seemed to love the company she worked at. She seemed to think her best option was to move up into systems administration, but she lacked the necessary skills.
I could honestly feel for her; I had been in the same situation before I became an internet detective. Three weeks ago, she had come back from vacation extremely religious when she hadn't been before. Then her work quality had declined and she had started having behavior issues. Most disturbingly, she seemed to be hallucinating on the job; Helen kept saying she saw angels at work.

The next step was to figure out where Helen had gone on her vacation if I was to make any sense of this. I started digging through her social media history. The difference between the last three weeks and any time before was jarring. Something had definitely happened to poor Helen. I knew it was breaking the rules and becoming invested to the point of doing work I wouldn't be paid for, but I didn't care. I had begun to empathize with Helen and relate to her; I needed to find out what happened for my own peace of mind.

I put together a very thorough profile of her social media history for the last year. In the olden days, in the days of the hard-boiled private eyes, you would have to spend weeks hitting the pavement, asking questions people did not want to answer, and tipping off those you were poking around for. Now I could do it all in an evening from my couch without even putting on pants. I am not a creeper; I am a professional adult putting a valuable skill to use.

Two months ago, Helen decided she needed drastic change in her life. She was unhappy with her current situation and role at work, but felt the administration and scripting classes she was taking were moving too slowly. The next step, she had decided, was to find a way to accelerate her move to better things. Six weeks ago, Helen had been accepted to a technology boot camp in a city about an hour away. She had been so excited to have the opportunity that you could feel it in the posts she made when the vacation time to attend had been approved. The camp was called "Better Living Through Technology," or BLTT for short.
It was time to research BLTT. BLTT felt like a scam. Too much about it seemed too good to be true. None of the successful graduates who talked about their stories on the BLTT site seemed to actually exist once you dug a bit deeper into the net. I dug up the IP address of the BLTT site and did a search to see what else was on the server. Then I hit paydirt. In the file index of the server was an old page from the now-defunct Bleeder Inc. Bleeder had been the name in top-of-the-line cyber weapons; security admins hated them, while state actors and corporate intelligence services thought Bleeder was the best thing ever. Eventually, Bleeder was shut down, and many of its executives were arrested after they sold North Korea a piece of malware that resulted in a Japanese nuclear reactor melting down. It was a stretch, but if Helen had come back from BLTT as a walking malware vector, and the server had been used by Bleeder in the past, it was worth a shot.

I needed help, someone who would know what the hell she was doing. I called up AJ, a friend of mine who had helped clean up the aftermath of many attacks launched by script kiddies armed to the teeth with Bleeder warez. If anyone could tell me whether my hunch had any validity, it would be her. AJ agreed to take a quick look at the malware that came from Helen's palm, while I did some more digging into BLTT.

BLTT was very secretive; I liked it less and less. For all of their success stories, the descriptions of what happened at BLTT were vague at best, often non-existent. They definitely marketed to the desperate, much like ITT and DeVry back in their day. The target audience of BLTT was those so desperate to improve their lots in life that they would not question how a camp could turn them into internet ubermensch in a week. I noticed another very worrying thing as I looked into the social media tracks of others I could find who went to BLTT. They all seemed to have become born-again Christians shortly after returning from BLTT.
Worse, when pictures of their hands were posted, they had the same injection marks on their hands that Helen had. They did provide me with one piece of valuable intel. Most of them had posts from when they were supposed to be at BLTT that were geotagged. Running the locations of their posts all pointed to one location: a motel in a city about two hours away.

I got an alert on my phone; there was new mail from AJ. "LOL! Hey, MDP, you will love this. These people are so retarded. The file you sent me is definitely related to Bleeder. You know how I know? They accidentally left a comment by a Bleeder engineer in the code. This didn't just come from Bleeder, it came from someone with access to its internal testing versions. You owe me, like, five beers, a taco, and the story that goes with this job."

I thanked AJ and suggested a time that we could get tacos. I knew something bad was happening at BLTT. I had an address for where I thought they were operating. Now I had a couple of potential connections between them and Bleeder. It was time to do something stupid and noble. It was time to gear up.

I grabbed lock picks, a tablet loaded with pentesting software, an SDR dongle, and my trusty crowbar. I set my GPS for the BLTT motel and started driving my old beater. I liked driving, even in an age where many people were embracing self-driving cars. I liked that driving gave me something to think about for the trip rather than being bored for the duration. The drive to the motel was largely uneventful. When I arrived, I double-checked to make sure I was at the right place. I checked my clothing to make sure I looked the part: comfy shoes, jeans that were tighter than I would like, and a t-shirt from a startup that was in a hiring frenzy. The gear all went into a backpack. It would be far less conspicuous than trying to hide it on my person. I was considering how to social-engineer the receptionist into telling me what rooms BLTT was using, when I realized I would not need to.
I saw two people in BLTT shirts leave a room not far from my car. One of them was putting back into a box what looked like an injector for cattle tracking implants. If they were using it on people, that would explain the wounds on Helen's hands, and the ones in all the pictures. Repurposed implants could also transmit the malware, in theory. This looks bad, very bad.

I waited until they had left line of sight, and went over to the door of the room they had left. It was locked, and I could hear voices inside. No lights were on in the room, and there was no response when I knocked. I decided to do the stupidest thing I could do. I picked the lock, which was easy enough, it being a badly constructed mass-market model, and went in.

The room smelled of body odor. On the bed was an overweight young man in his underwear, giggling and muttering incoherently. The TV was playing audio only, asking him about life events with very leading questions. They weren't just a little leading, but loaded with suggestion. They alternated between describing religious experiences he could have had and describing events that might happen at a tech camp. The man had fresh wounds on his hands; he had just been injected with the implants. Next to his bed was a sheet of what looked like stamps at first. I picked them up; on closer examination, they had smiley faces and psychedelic patterns on them. Acid. This man was dosed up on acid.

The man suddenly grabbed my arm. "Do you see it? The angels are telling me how the circuits work. They're full of truth!"

After yanking my arm free, I backed away and left the room. Sitting down in my car, I went through everything I had found. BLTT was not a tech camp at all. My best guess was that they were drugging people and brainwashing them into religious fanatics. Maybe the audio on the TV was some sort of false memory implantation method?
It would make sense if they were drugging them to make what they were hearing seem real, and had found a means of suggestion that would control the hallucinations. It would also explain Helen's angels. She was having hallucinogenic flashbacks from the experience.

This is the part where you are expecting me to take the crowbar in my backseat and go full Gordon Freeman on everyone. You are mistaken. I'm not stupid. I called the police and reported that I had found a meth lab. They came in force, and found half a dozen drugged people and evidence of human experimentation.

It would come out in the investigation that the ringleader of BLTT was a former Bleeder intern who stole a server from a rack when the company collapsed. That's why the files from the old Bleeder site were there, and how he had access to Bleeder test materials. He was using the malware unknowingly spread by his "students" to build a massive botnet to sell to the Russians. Most BLTT employees would end up in jail. It also turned out I was right about what was happening. A seemingly normal American corporation brainwashing people into religious zealot malware vectors using drugs, chip implants, and false memory implantation. I mean, it sounds way too fantastic to be true. On the other hand, robot cars drive people around town now.

With the case solved, it was time to return to the client site, finish the job, and do the paperwork. When the final report was submitted and I had been paid, I did my final job as a proper infosec person, and wrote a blog post about the investigation. A swig of coffee, and a drag from a vape pen later, I opened my email. Time for the next case for MDP, Internet Detective.