
good morning uh welcome everybody uh always always just awesome to be the first one and and work through those technical difficulties but i'm happy that i get to be the beginning of the in the beginning track uh for bsides san antonio 2021 yes we all made it through 2020 hooray um so the title title of the talk again is how i got hacked and so can you uh my name is chip thornsberg and the little disclaimer so opinions expressed and as i go through this talk are my own and do not represent those of my employers other law enforcement agencies or other law enforcement officers so short bio uh i am the program coordinator for cyber defense at
northeast lakeview college so we're the newest uh campus for the alamo community colleges in san antonio and so i'm responsible for uh putting together curriculum and and uh getting that program up and running we're exciting we just had our first batch of graduates uh this spring so um excited for that i'm also a master peace officer in the state of texas uh still currently a detective with a lotus um suburb of san antonio uh i serve on the uh secret service electronic crimes task force for the south southern region i own a company called uh alamo cyber security we do network intrusion response um i have lectured and taught previously for river city college southern careers
north texas state college degree wise have degrees in management criminal justice law enforcement criminology and an mba as you'll see as we go through this talk sarcasm it's a gift and i have it in abundance um and just to sort of give you some perspective so the first hack that i ever pulled off so sound like i've been doing it i guess i'm showing my age was on a machine sort of like what you see pictured there and it was angelo state university this is before it was illegal by the way i should make that disclaimer um and so because they had a really awesome star trek game uh that i was just dying to play uh on
their mainframe and so that was my introduction into hacking and computer security a long time ago so uh during this talk we're going to kind of go through an overview of how my own social media account was hacked we're going to talk about some motivations of attackers uh talk about some of the law enforcement uh tools that we use um and methodologies to to conduct investigations uh we'll talk some about some investigation challenges for both law enforcement and for corporations and for private individuals uh we'll go through some of the findings so how we what we gathered up at the end of that investigation and then finish off with some lessons learned hopefully all within 45 minutes
that is our prescribed timeline and then maybe some questions so september 9th uh 2020 i'm having my morning coffee checking my email and i see a an email from facebook at 3:25 in the morning and it says hey there was a recent login from this ip address in san antonio but at 3:25 in the morning being an investigator being a professor of cyber security i was pretty sure that wasn't me um but i thought hey this could be some kind of good looking phishing uh nothing to see here scroll on keep looking at some messages and then i find a second one dated same date but about four minutes later a password change was initiated
same ip address as it designated a san antonio so geo located in san antonio um and then some great advice from facebook saying if you didn't do this please secure your account and so luckily i had set up um challenges and two-factor authentication some other things in my account and i was able after several hours to secure my account looking through didn't see anything had changed but i started thinking how could this happen to me right i investigate cyber crime i've been doing this a long time i teach cyber security um and i have pretty good habits right i use complex passwords so brute forcing no i don't think that's how they manage to do it
i don't reuse passwords across sites so it doesn't matter if if my email or or a previous password was uncovered or leaked in a breach that's not the issue i'm pretty good at spotting phishing emails right so i get them all the time hey here's one from geek squad dash accounts dot ga okay nope not falling for your phishing email um here's another oh here's your invoice right and then the invoice is a number dot zip file and some uh no those are pretty obvious i must say i was a little um it was a challenging one for me yesterday when the reverend riley told me that he was gonna give me 5.4 million dollars yesterday but i
managed not to click on any links in that one as well um or smishing right so sending text messages same thing uh now i'm not clicking on your link so that's not how it so as i dug in more and started thinking how did this happen where did this come from i trace it back to an old email so the first time i retired um i was highly involved in mixed martial arts and started a company called texas amateur mixed martial arts association and so we did fights all over the state of texas in mexico a couple of other countries other states adopted our rule set but all of that was associated with the domain
texasfighter.org and my email account at the time was president at texasfighter.org 2010-ish 2011 i got out of that business and i passed that along and i passed along that domain to another entity obviously they didn't continue to use it and they allowed the domain to lapse and so someone registered that domain the day before so september the 8th so the day before my facebook password changes um someone registers this domain and they stand up a mail server for the sole purpose of having access to that email president at texasfighter.org so at this point it's pretty obvious that someone specifically targeted me specifically targeted my account and here's how they were initiated the password change by the way
facebook doesn't ever forget anything we'll talk about that more as we kind of go through this so after i've secured my account and after i figure out this is how it happened well now i want what's the motivation behind this why me and i think is this like revenge it could be um i've been the last couple years i've concentrated on building the the cyber defense program for the college but uh prior to that i mean i've i've seized hundreds of thousands of dollars i've i've seized bitcoin wallets from bad boys so maybe one of them has a beef and says you know what i'm going to get back at this guy because he cost me a lot of
money i can see that in the law enforcement we we place a lot of emphasis on the motivations of an attacker and so since we're extra clever in law enforcement we we came up with the acronym of mice right lots of lots of mouses since it's computer oriented not mises and so we say that there are four primary motivations for an attacker the first one being money uh the second one ideology right so hacktivism uh compromise either compromise that person or further compromise uh an entity further compromise an organization or use it as a staging site to compromise other entities or ego and so that's kind of associated with the old school uh kind of that hacking
mentality that we all kind of have i say i just want to kind of see if i can do this sometimes people go a little further than they should legally and so that'll get him into trouble so ego being probably the the lowest risk but still i'm thinking you know what um for me i'm still thinking this is some kind of revenge right they didn't post anything didn't have time to do that and that brings us to our first challenge of investigation so why even bother reporting something like this right so someone tried to take over my account i secured it i figured out how they did it i made sure it couldn't happen again
no harm no foul um the problem is is that law enforcement and other entities that do investigations we need data to to to determine what the emerging trends are for types of attacks and so we used to say that about 20 percent of crimes are actually reported and in the cyber world in cyber fraud we're we're thinking that might be down around one of ten so only ten percent of crimes are reported so that means for every one crime reported there's nine others that are out there and that data's not getting put into any sort of um pool for us to see these emerging trends so for me personally i thought hey this is a good it'll be a good challenge i
teach a forensics course at lakeview and we'll just use it as part of uh we'll use this real investigation as part of our curriculum in the class we'll step through it with our with our students so we like to think that law enforcement um that this is our current state right so that we're uh it's penelope garcia or i have issued so there and everything's high tech and we've got all these computer screens around us and we have all these awesome tools um and the reality is we're probably closer to these guys right uh adam12 and and dragnet if anybody's even old enough to remember those so a lot of what we do in investigations
is we kind of have to start off a little bit old school and we do that with open source intelligence and a lot of non-tech tools before we get to use our cool spiffy analysis computer tools so using open source intelligence i can look at that ip address right that 104 ip address that was used to log in it's geolocating back to san antonio so it's bypassing some of the fencing that facebook has in place to prevent unauthorized password changes to an account so good for them um as a private person that's about all you can get is okay um who owns that and and where does that ip come from so as law enforcement we have
a few more tools in our arsenal if you will and so the first one being subpoenas uh there's civil subpoenas there's administrative subpoenas um both of those are somewhat useful but big companies you figure they're getting a lot of requests for data and requests for information and so they don't really respond um enthusiastically to civil subpoenas or to administrative subpoenas but a grand jury subpoena that's kind of different right so grand jury familiar with that grand jury is something that was established in the constitution and a grand jury's job is to investigate crimes or to help investigate crimes that may or may not have been committed within their county so in san antonio that would be bexar
county so the bexar county grand jury has the ability to issue subpoenas and say we want this document from your company that is legally binding in every state in the united states so most companies do a good job of responding to a grand jury subpoena there's also court orders that investigators can apply for those are pretty limited in scope you don't run across them too much sometimes when seizing bank accounts you might use court orders but for the most part we rely on search warrants if i need actual data or to seize physically some bit of evidence so there's federal search warrants so i think fbi doj they're a little bit harder to get the assistant
district attorneys and and the ausa's they kind of like to write their search warrants by committee and it might take two or three days to get a search warrant done through the federal system but state district courts any peace officer can write a search warrant go in stand in front of a judge who's presiding in the court and say hey i have a search warrant and i need to get this this information i need to get this evidence and i think it's hidden here or it's located here will you grant me permission to go get it if the state judge says yep i agree that's legit they sign off on it and away you go and
and you can get a lot more data with a search warrant as opposed to a subpoena so we start an investigation open up an actual criminal case i run a whois on that address everyone has access to this and it's microsoft right so this is a microsoft azure account a machine that was located in the san antonio office in the san antonio data center that was used to initiate the password change that was used to prompt the initial login so i want to find out who has that account right so who owns this account um and what ip address are they logging into this azure account from so they're using virtual machines okay pretty common to do that but where
did where did that originate from and so in order to see that i need a grand jury subpoena get one signed send it off to both microsoft and my registrar if you caught that on the last slide um was wild west domains they're a subsidiary of godaddy and so also sent a subpoena off to godaddy to say hey who registered this texasfighter.org this person is obviously up to no good i want to try and find out who it was so whole purpose of our investigation so then the waiting game happens right so you send off your subpoena and although they're required to respond within 14 days that typically doesn't happen on most big companies but about a week later i get
a notification on my phone that hey paypal just tried to hit your bank account for ten dollars and then six hundred dollars um for facebook advertising and i'm kind of shocked by that i'm like hey wait i'm not running facebook ads i haven't run facebook ads since 2010 back when i was in the fight game and promoting events so this is is this a smishing attempt that looks good right somebody is somebody trying to compete or is it legit and so i log into my facebook and facebook says no there are no ad accounts uh associated with you um there are no payment methods associated with you an amount spent zero dollars but i log into paypal and paypal says
nope facebook absolutely sent this request over for money i disputed and say this is obviously fraudulent and paypal says nope uh it's a legitimate charge because you've done this before in the past 12 years ago so a multitude of issues there thinking really 12 years later an account suddenly becomes active nobody doesn't trip anyone's threshold for problems and when i reported this fraud you're going to argue with me and say no it's legitimate um that's a whole different conversation there with with the way paypal handles but then i start thinking okay paypal is associated with my bank maybe i should contact my bank and make sure there's no debits going on and hooray for local banks so i call my
local bank and i'm on the phone with them they're very helpful as most banks or credit card companies are if you've ever had to deal with with a fraudulent purchase they kind of take the statement and i'm on the phone and i'm talking to them it says no your bank accounts are fine no one's trying to um no one's trying to access them there's nothing here but just to be safe we'll reissue you new cards okay great idea um and then the representative says let's look at your credit card banking so i have a business credit card that's associated with the company let's look at that just to see what's happening and while we're talking on the phone
the representative says holy cow i've never seen anything like this before i'm watching this in real time and so it starts off 35 35 35 50 50 250 then 300 then 600 and then 900 900 900 every few seconds facebook advertising is trying to charge my business credit card um thankfully local bank again says obvious is fraudulent he was excited because he had never seen anything like that before he was like wow i've never seen this happen real time i'm like well i'm glad that i got to get you some excitement in your life for me it's more of an irritation but still thankfully i'm not out any money because i've stopped it this is investigation challenge number
two so for law enforcement who becomes the victim i'm not really a victim anymore i didn't lose money my bank didn't lose money they didn't have to reimburse they just blocked all of the charges and so technically speaking facebook is the only victim here right they're the ones running advertising and they're not getting the money for it um facebook probably is not going to call back to chip thornsberg and say hey can you investigate this further we want to try and figure out who did this right big company who knows how much fraudulent advertising is run uh on any given day for them so it's a challenge as far as who is the victim and then you go back into that
well why is someone going to bother investigating if we can't even determine who the victim really is in this case so as i'm pondering all of these things a month or so later microsoft responds and they have this really cool and and most companies do actually so they have an online portal for law enforcement use so you can submit your search warrants and submit subpoenas and it's all kind of an automated process and then they respond through their automated process and so um oddly the microsoft portal has issues if you have an existing outlook account it can't differentiate and so they recommend in their documentation that you just make up a fake microsoft outlook account in order to get
the return for your legal process which is odd to me um it seems like they could figure out maybe a better way and maybe use your law enforcement email like other companies do but it's microsoft and and they do what microsoft does but i finally get signed in with some help with them and i look and the response is sorry we have no records we can't tell you who logged into that ip address who owned that account we have no records for that particular time which okay it could happen but again i'm a fairly bright guy and i know how computers work and there should be logs of people making connections and there should be logs of who's using an
ip address during a certain time it's not that rural shouldn't be that challenging for microsoft to provide this information but for whatever reason they were unable to do that so challenge number three during an investigation lack of compliance so law enforcement relies upon companies corporations right to respond to our subpoenas to respond to a search warrant to give that information back so we can continue an investigation a lot of times companies are not compliant and it's not that they're maliciously not complying there's a lot of issues with overlapping laws between federal laws and state laws and different states have different laws providing user privacy so if you're out in california which microsoft is and some of the other big tech companies
microsoft and that ninth circuit companies have been sued for violating a user's privacy by responding to grand jury subpoenas by responding to law enforcement search warrants um they've been sued and obviously sued enough to where they're very aware of that and and so they almost take the side of the bad guy and so you send a uh you send a subpoena you send a search warrant they contact many times they'll contact the user and say hey we have this legal document they want your information is it okay if we give it to them um i'm going to guess most bad guys probably say no we'd rather you're not but whatever right it's just it's just it's
just a challenge um and then there's the lag time so a grand jury subpoena says you have 14 days we need this information microsoft responds within a month or so right and say hey sorry we don't have any records i'm still waiting for godaddy's response i still don't know how that domain was registered was it used um did they domain kite could be was it a stolen credit card that was used to pay for it who knows at some point hopefully they'll respond and i'll have an answer to that question so i'm thinking i am sunk in my investigation and that's a little depressing since we're going through this in a class and and we're teaching it so but good
things come to those who wait so as i'm waiting we come into the new year it's 2021 yay 2020 is over with and then it i get a report from an individual that their facebook has been hacked and the reason that they're actually contacting law enforcement over this they're a politician they're an elected official and their facebook was hacked and they are dead certain that it is their opponent right my opponent i just know that my opponent has either done it themselves or they've hacked my facebook and it's all to prevent me right from from being effective because an election is coming up in just a few weeks um and of course i counsel them and say
wait slow your roll um and share with them a little bit of i was certain that this was revenge and then weird things are happening with facebook ads and so double check your account make sure you don't have any of those things um sort of lingering in the background they assured me no no that's not an issue they've never done facebook ads okay good for you um facebook provides the ip address that was used to log in and so i've redacted this one for well i'll tell you why in a little bit um so it's a local not a local but it's it's in the united states address based out of california so this is a
california server california virtual machine and it's hosted by a cloud provider so what a smaller one this isn't a microsoft azure account this is a smaller company and so i contact them say hey here is a grand jury subpoena i need information on this account and within a day they respond which is why i redacted their name because i don't want to burn them they actually did really great compliance um all of their login ips were from vietnam or vietnamese internet providers the address given for the owner of the account and a name was a vietnam address the most important thing from my standpoint the virtual machine that was used to compromise this politician's account
it's still up and running with a subpoena i can get account details like these but now i want a copy of that i want to copy the virtual machine i want to see what tools they're running i want to see what kind of malware they might be right i want to see how are they compromising these accounts i'm pretty sure i understand why right they're somehow making money um using facebook advertising haven't quite figured all that out yet but they're definitely trying to monetize compromising someone's social media account so investigation challenge number four for law enforcement getting a hold of cloud data requires the help of that provider's i.t staff we can't roll down to a local
data center and say hey i'm here and i'd like to image one of your servers in this huge array right we have no idea where it's physically located there's just no it's just not going to happen but the data provider the cloud provider has i.t staff they can narrow it down they could make a copy of this right they can create a snapshot image or create a forensics image you are reliant upon their good graces their goodwill as to how quickly they might do it or or whether or not they'll do a full job for you um in this particular case they did a great job and it was pretty quick so 57 gigabytes
of encrypted data later um i now have an image of this virtual server that was used to compromise this politician's facebook account so i mount my image ftk imager i use autopsy right so nothing wrong with free with open source software when you're conducting investigation just like you can use open source intelligence using open source software is just as valid it's all about our methodology and how we document what we've done so one of the first things that catches my eye hey look there are 11 different accounts with logins that were created using this machine 10 of them are facebook the 11th is for an app called zalo which is a vietnamese anonymizing chat right so it allows you
to to send smishing right to send text messages um over or out to uh phone so okay that's pretty encouraging lots of information and the web cookies lots of form autofills lots of web history in there it's a lot of information on this system and it took several days of looking at it to really go through it so interesting things there were only three bookmarks that he had so this person has a bookmark set up in their browser for facebook advertising right for the ad payment inquiry hey i'm having a problem i have questions about my payments so um apparently their payment hit problems happen when you hack someone's facebook account and you're using your billing advertising
campaigns them fraudulently apparently it requires a lot of help so that was pretty interesting a few user accounts so as i look through the user accounts on the machine itself there's really only one so there's one active user account and it's i butchered that if someone has a better grasp of vietnamese i apologize for that so there's one single user who's been using this machine who's logging into and out of that machine and i already established that it's from vietnamese uh internet provider so it's actually out of hanoi is where these the law all of the logins into this machine are coming from so other notable artifacts um there were a total of 4079 email
addresses most of them were not part of uh data dumps we're not part of breach dumps so if you're not familiar with have i been pwned you can put in an email address it'll show you all of the associated data breaches that that email has been compromised in or potentially compromised in the majority of these 4079 emails were not found in existing dumps so this was fresh ground he's not relying upon uh credential stuffing right this person i say he this person is not relying on credential stuffing to try and compromise uh facebook accounts as any good hacking machine we would expect to see right multiple text files with uh surnames with first name so you can create usernames um
password um files with uh so the you know top 100 and top ten thousands so brute forcing is obviously a potential in this person's world uh there were two uh executables uh that were on the on the system and not not that had been that's the best way to say that uh two uh known rats right so known malware the 13 kilobytes in size so very small file that are used right to phish other users right so they're where this person is using this rat malware to phish for credentials uh assumably right from those 4079 email addresses the web cache though has lots of stuff so i find my victim's login information so my politicians law
enforcement my politicians uh facebook login is in the web cache so obviously this is the machine that did it and there's the credentials on that and i also find that there's cache there for credentials for an email address admin at newenhainam.net and that was also the email that was listed with the cloud provider as the contact email so now i know who it is where i know what machine it is i think i know who it is right i know how they're compromising facebook i know why they're compromising facebook's they've managed to monetize which is something we weren't seeing a lot of previous um and i might even have a lead as to who this person is so of course
pull out the trusty um web browser um and i go to the website and so hey look it's juan hainam and with google translate currently i'm a lecturer and of course on facebook advertising and the ceo of mybeady mybe media a company with five years experience supporting dozens of advertisers we will show you how to use facebook advertising to be successful and i guess it's pretty profitable if you're taking money from clients to run facebook advertising and you're not actually spending that money you're doing it fraudulently so um there was contact information i couldn't resist right so yes i sent him an email and said hey i have putting together a talk um for a conference and i really would love
to talk to you beforehand about um hacking social media accounts and this whole facebook and how that happens um not surprisingly um they haven't responded to me which is kind of a bummer i would thought that would be pretty cool to get the hackers right perspective on how much how how successful are you doing this and and how much money are you really making i think that would have been pretty interesting and would love to put it into the talk but they chose not to respond but we certainly can we can follow him on facebook so we've had that and i have not done so but um and again we see the address right same address that was
listed in the cloud providers account information and it's in hanoi vietnam so investigation challenge number five sometimes we can determine who did it and how they did it and why they did it but what can we do about someone who's in vietnam right u.s law enforcement has no jurisdiction outside of the country to to try and arrest or to try and even question someone in a foreign country you have to involve the state department and the embassies and all that and i'm pretty confident our current uh administration wouldn't get really excited about saying hey we'd like to talk to this hacker guy in hanoi vietnam um about compromising facebook uh accounts so at this point we're just sort of
stuck and and even within the united states um state law enforcement sometimes will have issues right so it's pretty rare that uh a data breach happens within a single state and so you have this multiple jurisdictions that might claim uh sort of um claim control over that investigation which is typically why we see fbi doj secret service kind of take over when when something moves beyond state lines because it allows a federal entity to conduct or to pursue an investigation that hopefully results in an arrest of some sort so some of the lessons learned one if you have not set up two-factor authentication on any important account really on all the airpoints shame on you if if the company offers
two-factor authentication absolutely it needs to be implemented this is a way to prevent uh some of the things that that can happen inadvertently or more from myself conduct an email audit and so think back make a list of all your previous email addresses and see if any of those right the audit part is how what what accounts were they used to log into at any point in the past because as mentioned facebook never forgets these things they they didn't forget credit card data that should have been very outdated um at that point but it was still in there and they were still able to um to try and charge ads against it there was an old email that was previously
previously associated um with the account um you you would think that um that would be something that that facebook might block but apparently not um and then those connections between the two right between facebook and and paypal it's like hey how can this still be an active connection when it has been used for you know at that time 10 years or so it's like okay this is a problem if it was a private domain that you had um your email with um take steps to secure it right so i now i have a list i have a list of several domains that i will pay for every year pretty much for the rest of my life right
i don't want to allow them to potentially uh be used against me for someone to come back and and try and compromise one of my accounts um lastly if if you were a victim of any kind of internet fraud um please report it uh law enforcement reports it and private entities can report it as well so it's the internet crime complaint center the ic3.gov it's an online form it's not a whole lot of data but that allows law enforcement to begin to compile um these trends right and we see is there an emerging trend that now hackers from vietnam are going to compromise social media and then attempt to monetize facebook advertising it's certainly a possibility one i had
not seen before i was completely unaware of it as were other law enforcement uh officials that i talked to um about that right so this is well we haven't seen that before so is this kind of an emerging trend is it right it's like ransomware we we sort of point towards russia and the baltic states and uh banking uh trojans uh we we look at south america and brazil and say this is sort of that type of crime comes a lot from here um maybe social media attacks um and monetizing facebook advertising campaigns then maybe that's the thing the crime of choice in vietnam uh as we collect more data we'll be able to see that we'll know more of that
so uh with that uh we are almost at our 45 minutes um i apologize if i went through quickly i didn't want to run long my contact information twitter is cyber leo so underscore leo law enforcement officer um facebook is at c thornsburg i'm on linkedin too c thornsburg or through the uh college uh websites and emails right northeast lakeview college in in san antonio and with that if anyone has questions i will be happy to answer them okay chip so in the question and answer section you can see um in the chat here um the first question we have at the top uh well like it's more of a statement isn't it oh amazing presentation chip i have a
story to tell you it can happen to any one of us um this is from hernandez um well i think that might maybe be best handled uh over discord so if you get into the track two room in the beginning we can definitely talk through all of that after now but i'll go ahead and move on to the rest of the questions the second one is a if my email shows up on have i been pwned what can i do if that's my primary email address aside from just changing my password what what things might i go about doing there um so obviously making sure that you you keep your password changed kind of regularly and using complex
passwords the most important thing about the have i been pwned is is not reusing passwords across multiple uh sites so credential stuffing is is one of the primary ways that that uh criminals are accessing accounts so you use the same password on eventbrite that you used on some other account and then suddenly right as they as they go through once that's hashed out now they have your password if it's reused that's the biggest problem so when you've looked through the have i been pwned just make sure that you didn't use that password because even if it says the password hasn't been recovered don't rely on that right so computers get faster and faster and faster
and password hashes are they're just they're not gonna if they are still secure they won't be secure for very long so the biggest thing is is that making sure you're not reusing passwords there's nothing you do about it the data is out there and just make sure you never use that password again okay great i will go ahead and move on to our next question here this is from sage and clements does texas require peace officer's license in order to establish digital forensics firm if so how rigorous is that process no they don't anymore um so previously texas said you had to be either a law enforcement officer or you had to hold a private
investigator's license that's actually why i have the company alamo cyber security because back when i started doing network intrusion response you had to have a private investigator's license to do that and they've they've eliminated all that they kindly have figured out that just because you're a digital forensics person you don't need to worry about the law enforcement side of it and you don't need to be registered or licensed by some state entity to prove right that you understand the private investigation laws in texas which is really what that comes down to so no you don't and that's a great thing it opens that field up for lots of people we have students that are going through our programs or other
programs that are majoring in forensics computer forensics you no longer have to be a peace officer to even work for a law enforcement agency in the field of digital forensics and so to become a peace officer it's a it's almost a full year of an academy there's it's not just a i want to take a study for a test and do that texas is really antiquated in its its law enforcement laws and so you'd have to go through almost full time for an entire year to become a peace officer and then if you become a peace officer unfortunately no matter what your background is in forensics or or digital stuff most agencies they're gonna put you out
on patrol so i worked patrol for five years uh three of your three of those years working overnights and so not a lot happens in san antonio area i shouldn't say that some cool things some fun things happen between 10 in the morning or 10 at night and and six in the morning but you no longer have to do that to prove your worth before you can start doing investigation so that's a good thing okay um it looks like we're getting close to time but i'm going to go ahead and ask one more question live here and then we can take the rest of the questions offline into the the discord room so the last question here is um well
first thank you for the presentation how do you believe that service providers can get better at preventing this type of abuse um gosh that's a that really is kind of a challenge um i'm not insensitive to them because you know someone like microsoft they have so many accounts that are out there and so many people trying to interact them it's it's tough for them and they're relying on um algorithms to prevent fraud so this particular cloud provider they ran an algorithm when that account was established based upon the address based upon what they wanted to do based upon the credit card data and it had a fairly high fraud score they still opened up an account for that
person because the credit card wasn't a stolen credit card it was legitimately that business it was legitimately this person's credit card that was used to pay for the service and so short of monitoring the user's behavior i don't know how they could do that and uh for privacy purposes we probably don't want um a cloud provider monitoring all that we do with our virtual machines on their network right as long as i'm within your your uh your uh user agreement then you shouldn't really care exactly what i'm doing um and so i i don't know that's that's a that's a challenge i don't know that they could the biggest thing is just being responsive when they
get a subpoena when they get a search warrant that's legitimate right assisting in the investigation it it moves things through quickly when they resist it um it slows things down to a crawl or kills right so for my account i mean that that my investigation died because i'm still waiting for godaddy right and maybe it's this same person i don't know um it could be it might be someone different maybe there's at least two different people that are doing this so that that's just a that's particularly a challenge so we're running out of time so i will jump over into um discord um and uh see you all there and thank you so much um for spending some time this morning
and i'll see you guys over in the discord channel

hi my name's jenny and i'm here for operation safe escape an initiative of the 501c3 organization the operations security professionals association as someone you know is affected by domestic violence you're not alone we're here to help we offer tools information and resources to help someone safely leave their abusive partner and find a safe place to go with centuries of security expertise brought together for this specific purpose our only mission is to get you or your loved one out safely we do it all for no cost it's just what we do operation safe escape focuses on protecting you and your family from the moment you decide to leave up
until you are at a safe place when you want out we are on your team