You’ve Been Hacked - Second Place

Answers by Mike Fitzpatrick:

Here we go:

1. Q: Why hadn't the privacy settings in Tom's AIM client or the digital
certificate in Meg's client encrypted their connection?

A: For an encrypted session to be established, both parties must have
a digital certificate loaded in the client. Once that's done they will be
prompted each time a new chat session is being established, asking if they
want to have an encrypted session with this party.

2. How can Meg and Tom employ an encrypted protocol for communication using
AIM? What other chat programs offer better security features?

A: Establishing an SSH connection and then tunneling port 5190 on both
sides would encrypt the packets being exchanged for AIM chats. As for other
chat programs I haven't used any personally but a quick Google search
reveals the following as a valid candidate:
http://www.secureaction.com/chat/. This tool uses the Blowfish encryption
algorithm to encode all client->server communication.

3. Given the evidence presented in the narrative above, which system had
the attacker most likely compromised: Meg's computer, Tom's computer, a
machine on a network sitting between Meg and Tom, or AOL's messaging system
itself? Why?

A: Packet #5 shows Meg's computer doing a DNS lookup to
"w-wcom.netfirms.com", a web-hosting service. That doesn't sound too good
for Meg as she should be using her ISP DNS resource to resolve. I would
guess she has had her system compromised and her DNS settings poisoned. The
watcher could be running his own modified chat engine to simulate the AOL
server, or possibly using a netcat relay while sniffing traffic so he can
watch the packets before having them sent on to the AOL server.

4. What steps should Meg and Tom take next to deal with the bad guy and
eradicate him from their lives?

A: I would recommend Meg rebuilds her system, forces Tom to employ an
X.509 cert, or better still switch to a secure tool such as the one noted
above. Even better? Turn off the damn computers and buy a plane ticket to
meet in person.

Not sure how these answers will hold out but regardless of the results
thanks again for a fun week of SANS training.

Hope your wife enjoys her Malware book.

-Fitz
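The check behind answer 3, turned into code as an added example that is not part of Fitz's submission: given packet-summary lines, flag DNS queries a host sends to a resolver other than the ones its ISP assigns (the "DNS settings poisoned" symptom), and flag answers that map the chat server's name to an address outside the provider's block (what a relay sitting between the client and the real server would produce). The resolver addresses, provider block, host names and packet lines are all constructed sample data, not values from the challenge capture.

```python
from ipaddress import ip_address, ip_network

# Assumptions (constructed, RFC 5737 test ranges): the two resolvers the ISP
# hands out, the chat server's name, and the block its servers live in.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
CHAT_SERVER_NAMES = {"chat.example.net"}
CHAT_PROVIDER_NET = ip_network("203.0.113.16/28")

# Constructed packet summary lines in the form
#   <no> <src> -> <dst> DNS <A?|A> <name> [answer-ip]
SAMPLE_PACKETS = """\
1 198.51.100.10 -> 192.0.2.53 DNS A? chat.example.net
2 192.0.2.53 -> 198.51.100.10 DNS A chat.example.net 203.0.113.20
3 198.51.100.10 -> 203.0.113.20 TCP 5190 SYN
4 198.51.100.10 -> 192.0.2.53 DNS A? mail.example.net
5 198.51.100.10 -> 203.0.113.77 DNS A? chat.example.net
6 203.0.113.77 -> 198.51.100.10 DNS A chat.example.net 203.0.113.77
"""

def parse_dns(lines):
    """Yield (no, src, dst, rtype, name, answer) for DNS lines; skip the rest."""
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or parts[4] != "DNS":
            continue
        no, src, dst, rtype, name = int(parts[0]), parts[1], parts[3], parts[5], parts[6]
        answer = parts[7] if len(parts) > 7 else None
        yield no, src, dst, rtype, name, answer

def find_rogue_resolvers(lines, expected=EXPECTED_RESOLVERS):
    """Queries sent to a resolver other than the ISP's: the sign of changed
    ("poisoned") DNS settings that answer 3 reads out of packet #5."""
    return [(no, dst, name) for no, _, dst, rtype, name, _ in parse_dns(lines)
            if rtype == "A?" and dst not in expected]

def find_unexpected_answers(lines, names=CHAT_SERVER_NAMES, net=CHAT_PROVIDER_NET):
    """Answers that point a chat-server name outside the provider's block,
    i.e. the client is being steered to some other machine."""
    return [(no, name, answer) for no, _, _, rtype, name, answer in parse_dns(lines)
            if rtype == "A" and name in names and answer
            and ip_address(answer) not in net]

if __name__ == "__main__":
    lines = SAMPLE_PACKETS.splitlines()
    for no, resolver, name in find_rogue_resolvers(lines):
        print(f"packet {no}: query for {name} sent to unexpected resolver {resolver}")
    for no, name, answer in find_unexpected_answers(lines):
        print(f"packet {no}: {name} resolved to {answer}, outside {CHAT_PROVIDER_NET}")
```

On the sample data only packet 5 (a query to a resolver the ISP never assigned) and packet 6 (the chat server resolving to that same outside host) are reported; the normal lookups in packets 1, 2 and 4 pass.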