
thank you thank you thank you um I'm going to go ahead if I stand behind the podium I will literally explode I'm highly caffeinated I apologize for that but I think it'll be to the benefit for all of us um thank you for spending your afternoon this is the last talk of the day from what I understand before the hackfest the drinking and other party stuff going on so thank you for spending it with me I do appreciate it um this is a little bit about me I am a standards instructor or Nova hacker yeah I know but Nova hackers anybody else oh look at all you good um so I'm a Nova hacker I am also somebody that really enjoys
doing open source intelligence on other people um some people refer to this as stalking I prefer to call it open source investigations um I'm a backpacker I love the Appalachian Trail as well um this talk is not a highly technical talk it's more of a talk to get people understanding what the risks of online activity are okay we're going to go through some web application stuff and of course I need to throw this up there um I am representing myself Micah Hoffman not my employers so my words are my own and so I have a question for you I'm going to do a little survey and find out what your comfort level is with information on the Internet okay so
let's find out what information you're uncomfortable with people in the world knowing so on the Internet would you be uncomfortable if other people knew your name your address and your phone number just raise your hand if you're uncomfortable with people knowing that okay some people out there that's cool um you know there is the the white pages and phone books and stuff we used to get this huge book in the mail for those of you that are older you remember the white pages um that's out there that's kind of public information that stuff we can't control we're going to talk more about that later in the talk but what about where you work now in this area some
people are not allowed to have other people know where they work right just raise your hand if you're one of those people it's getting late in the day might have gotten somebody but yeah I mean your places of work some places don't want you telling where you're working and so especially if you're an incident responder or defender you don't want people to know that you're a defender for a certain company because you might get targeted your personal account might get targeted let's take another step into the creepy what if people on the internet had pictures of your kids your pets family would that freak out some people I know this is starting to get into that quasi area and what about had
pictures or videos inside your house now that's starting to get freaky right okay well up until recently I stopped here but we do have another thing that's out there and I think some of you know about the data breaches I'm talking about we'll get to that in just a second but if somebody knew this I think people would really have some some problems right if they could tie that back to you at the embarrassing when we sign up for accounts on the internet when we sign up for Facebook or Twitter or Instagram so we have the option of securing that data we have the option of making that data private or public for the whole
world to see by default it usually is public right we have to take action to make it private and you know what if I have to authenticate to a website in order to post data I expect that the service provider does something to protect my data make sure that only I or the people that I want the people in my circles or my groups or my friends or whatever only they can see the stuff that I want them to see I don't want them sharing it with the entire world otherwise I'd just tweet it so here's a question how does our data get divulged to the entire world well there's a couple of different ways in
the first way which you're probably very familiar with is companies have created a business model where my data becomes their price point it provides money for their company um this is something that happens RadioShack went into bankruptcy they're like damn what do we have resistors LEDs oh we had this huge customer list with all of the things that Michael likes to buy how about somebody buy this nobody wanted it but that was a prune thing that they could have sold all right what about this stuff people stealing our data all the time now we seem to have this I don't know if you remember number of years ago there used to be this hacker safe badge
I know it's still out there on some websites and you see it's like hacker safe no one can hack this site okay that's cool now it's almost like I expect to see right next to that is we've been hacked three times yeah yeah because it's like a badge of honor now to be hacked to have your data so important that hackers have targeted you broken into the systems and then spread all the data throughout the internet in fact some of the breaches and some of the information that's out there is highly personal information that nobody expected that it ever got out there on the internet right hey there's a website out there for people that want to cheat
on their spouses now there are reasons why people did this I read some of the comments and some of the things and there are legitimate reasons but that stuff is personal it is kind of private but it gets out there on the internet and then we have the other category which is the oops category where companies buy an actually by mistake by accident have divulged our data or bits of our data to the rest of the world and what I want to do is go through an example of this with you to show you that sometimes these vulnerabilities are still out there and this is how we tie in the open source intelligence with the
web so one day I went for a bicycle ride with one of my friends and no I wasn't in Paris or anything like that but that was a good picture of bicycle riders um so after the ride she sent me an email and said hey Micah just wanted you to know I used this cool app called Strava and what Strava does is it was running on my phone and created a geographical map of where we rode and you can access it by just clicking this link and as a security researcher what do I do I click links so I clicked it don't you guys so I clicked it and what did I see I saw this it was like ah this is cool
that's exactly where we rode and and here's a map and there's how far we went ten nineteen point two miles that's cool wait a second I looked at the URL and the URL looks something like this was like I didn't have to authenticate to get at this data I click the link I went to this site which has an integer on the end so I started thinking and I know that some of you were thinking the same thing I see your smiles so it's like well if I could just get it get to my event by clicking on one number what would happen if I incremented that number or decremented it and sure enough if I went ahead and did that I found
that I got different events different activities oh this is probably not something that they wanted to do so I looked in the page code a little bit and I saw that not only could I do this with activities but I could do this with athletes as well so here I have two different athletes and but I think I have Zach and Eric whoa that's pretty cool well if there's athletes and activities is there other stuff in the code so I'm going to solve a webpage and I looked at it and if you right-click on the page you can look at the source code of the page looking at the source code now I put in these colored boxes if you
do the source code you're not going to see the boxes but the data is there I had one person come after me you can come up afterwards like I see it on my phone but I don't see any boxes yeah that's magic of PowerPoint so um so I had I saw this data I was like wow there's actually a ton of data that I didn't have to authenticate to get that is being disclosed with every page that's out there now what Strava does is it may or may not present this to you in the web browser it doesn't mean that you can't see it doesn't mean that's not being transmitted just you don't see it so I was like
well I'm a CISSP and so I'm like I have to do the right thing you know that that badge of honor and I said Strava you know I don't use your application but I saw this vulnerability I wanted you to know that you're using integers it's really easy to find all this data bad people could do bad things with this and I want you to know there's a good way to change this and Strava wrote back and says well thank you very much for for your email um we think that we're doing okay but thanks very much no we don't have to change anything it's like well wait a second so I can do all these
things and you don't think that we should change so I said to him that's like well if you don't think there's a problem would you mind if I did a talk on this and they were like yeah you can do a talk thanks you know we have security settings where people can restrict certain information they can throw that privacy bit so we're cool with you making a talk about this and I thought to myself sir so I was like yeah okay game on let's make a talk about this so let's take a quick look at the privacy bit that you throw on the Strava website it's a master switch it's on or it's off who thinks
that it's off by default yeah yeah you're public your data is public so if you throw this master switch to protect your data your name will be anonymized now anonymizing your name means just getting the last the first initial of your last name not the whole name and then only Strava athletes that you approve can follow you and I like the last one here only approved followers can see and download your activities whoo boy am I glad of that so I went to Google and I typed in strava.com/activities Google knows about 25 million of these activities now I'm not sure about this but if we go one slide back I'm not sure I approved Google to
go ahead and harvest all my data so uh so since Google had all of this data I thought Strava must be okay with me grabbing all that data yeah so so how can I get it and I didn't grab all the data I would I must admit Verizon would probably have a problem with my bandwidth while I'm sucking it all down so if we look at the webpage itself um we again go into the source code and we can see that certain fields are here right activity ID eighty thousand and one activity type ride these things are easily parsed out using a script Python Perl Ruby whatever you want to do I'm a web guy so I use a
web-based tool or a tool for um for looking at web sites that tool that I used is called Burp Suite and what we can do with the pro version of Burp Suite is we can tell it that we want to change one section of a request all right so this is activities I want to change this number from 80,000 and here's what I want you to do Burp Burp Suite I want you to change it pick a random number between 80,000 and 240 million because at the time that I wrote this there were over 240 million activities out there on the Internet well guy I told Burp Suite to go ahead and grab two hundred thousand events
make two hundred thousand requests my thought was I could create a master dictionary see I couldn't go ahead and say just give me all of john doe's rides that's not how the this vulnerability will work but what I can do is I can request two hundred thousand activities and hope that I get multiple activities from the same person so I went ahead and did that now I want this to pull out certain pieces of information sorry if this is getting technical this is as technical as the talk gets so I tell it hey in this area I want to go ahead and pull that information and put it into a column and I do that for a whole bunch of different
sections then I hit the Go button and I get this which is an Excel spreadsheet with over 800,000 entries excellent um so I did it multiple times I did the two hundred thousand multiple times and then there were some overlaps and some errors and stuff but over time I got over eight hundred thousand entries who this is what they look like so I have what type I have the athlete ID the name gender and the profile which will come back to so putting on my attacker hat I thought what can I do with this data if somebody were to harvest all of these records from Strava what would they do and the answer that I came up was threefold one
find patterns of behavior if I had that description field that shows your description for the ride or I'm not saying that any of you use Strava but I was in California I was giving this talk and I was thinking when we travel is out here in California excuse me does anybody work at Strava no good um scared me for a second other than end up in handcuffs or something um so one find patterns could I find people going to and from work to and from home that might be interesting could I find the real person you know Strava anonymizes the name if they anonymize the name does that really provide you protection hmm and then I just decided to look at
the data and see what's there let the data drive what I'm looking for and what my analysis is let's take a step back open source intelligence or OS int or OSINT is really just doing things that we do on a normal basis you want to research a company to invest you want to research your school a new partner a friend somebody else that you've met on the internet or something you google it or DuckDuckGo it or something like that that's open source investigation seeing what the information out there that's on the Internet provides about something the most important part of this is the analyze getting the information is really easy anybody can Google it's what
you glean out of it that's so important what can people do with it well there's a ton of things that they can do but these are just my top five things identity theft if I can find out enough information about you maybe I can find what school you went to or the name of your first pet or your your favorite teacher I don't know people put crazy things in their blogs and other things on their Facebook pages and youtubes um could I since I have geographic information about where you do your rides or your runs or your walks maybe somebody could stalk you or or wait for you as you walk around the lake and then physically
assault somebody somebody that could happen social engineering social engineering is all about gaining somebody's trust right it's me gaining your trust and then exploiting that trust to some end we'll show you that a little bit later on how easy it is in certain situations to do that with the disclosure of the Ashley Madison and the Adult Friend Finder information and even OPM data how about extortion and espionage those are some prime things that people can do with this and then of course dating now I've been out of the dating market for a long time and but I am told that one of the first things that happens now when you meet somebody is you look up what their online profile
is if that's your key if that's a case for somebody out in the audience I'm going to show you a really easy way to do that very quickly that's safe it's like so let's go back to those questions that I asked and take a look at the Strava data alright so let's see if we can find repeated activities by the same people in the Strava data what I found was that you don't even have to go to Strava Google knows about these things already like all right well if I started doing that that would be I mean that that's bad enough but let's go to my data and I did find that this is my Excel spreadsheet I
did find that yeah we found Aaron Turner went to work and and Alex h-he went to work and this is what some of it looks like here we have Aaron Turner commuting to work he started here he finished there lives in Sydney Australia well that's pretty cool the interesting thing about Strava is that the longer the ride the the the less detail is shown on the map so I started looking at that going well you know what I want to find something where somebody did a short ride or a short walk or short run so that I can see street names because if I can see street names and I can see where you started and where you ended I might
be able to find out where you live or where you work so let's move to number two right can I find the information it just using Strava and open source intelligence about where the person would live enter Dan now Dan likes to take walks Dan walked one point four miles he lives over there in Sunnyvale California and on two different locate in two different dates as you can see here let me go back on Wednesday in December he went and he started his walk here on near Hebrides way on flamingo driver flamingo Street and he walked around this park and back to there okay residential area I make an assumption doing penetration testing doing open
source intelligence we make assumptions educated guesses and then we refine them based upon the information we get back so I'm going to make a guess that he lives somewhere around that area so the next thing I do is I look for corroborating evidence okay in October he again started in that same area around flamingo and he ended in the same area so he probably walked out of his house started his phone walked his dog came back stopped his phone tracked it put it on Strava expected Strava to protect him because he threw that bit see that they've anonymized his name Sunnyvale has a population last time I checked of 147 thousand people so let's see if we can find Dan s in one hundred
forty seven thousand people first thing we do is we go to the Google's Google map knows everything right so Google I put a pin here that tells me that then that house is 1501 flamingo away okay makes no difference to me I'm going to go ahead and take that put Dan's first name in 1501 flamingo away Sunnyvale California and I get this now this is an interesting piece of data because Dan didn't put this on the internet this is that information that our governments or other people put on the internet about us because there's freedom of information and this stuff is public information we cannot control this and as an open-source investigator I love it
because what I can do is I can take that information go to the details of it and I see that oh my god his name was anonymized it's his full name is daniel sato and there's his wife's name too and they didn't live at 1501 they lived at 1507 the land values twenty nine thousand dollars you see where I'm going with this because I can take this information go to whitepages.com get his phone number look at his house and then we have the magic of Google Streetview we can see what his house looks like and that's all within five minutes without me leaving my chair so does the Strava privacy bit where it anonymizes
your last name does that work oh hell no no so what is the really the point of this well with Google Street View and with all the other information that we have out there on the internet it's really easy for people to do reconnaissance about you or about the places you walk or the places that you ride your bike then when I first started giving this talk in February of this past year um I hypothesized I said hey you know if somebody were to do this you know and see where you started and ended your ride maybe they could use Google Street View and see where you know if there's a some is around that area where you usually
start your ride and then they could hide there and they could assault you and people like you have like a that's funny huh but what's happened since then is that there have been attacks people have followed people on Strava or look for those patterns met them and what they've done is they've actually broken into their cars while they while the person's out on their 28 mile ride somewhere they the other person just waits for them the attacker waits for them breaks into their cars and they've got time right because they know that the person's out on a bike ride dude comes back from his ride's like oh my god how did they know I was here
son Strava there are other activity trackers out there and I'm not going to make this talk about all going through and telling you which is the best ones Fitbit but but I have done a little bit of research and what I found overwhelmingly is that the one that has the the allows you to control the most amount of information that you disclosed is Fitbit they have very granular controls that can allow you to to hide a lot of your information but if you don't use them there are still ways to get at this and this this goes into some other ways that we work on the internet now okay this is Jonna Jonna is a woman on the
internet and she has protected her Fitbit profile and we can tell that because we see that her mood is private her allergies are private and even today is Tuesday Wow whatever um so here's Jonna and Jonna for those of you in the back she's a 40 year old woman from Saline Michigan Saline Michigan has 9,000 people in it as of 2013 what we're going to do is we're going to exploit another open source web application vulnerability to find Jonna because if I did the exact same thing again you guys would probably throw stuff at me and those badges will hurt me if you throw it as an open source intelligence investigator one of the best tools I have is my brain
I have to be observant and I have to record stuff and look at the differences in the data for instance her name is Jonna with a J right if we look down here we see Zhanna Z H a n a hmm that's weird something I'd log just put in the back of my mind let's take a look here one of the things that some sites don't allow you to make private are your pictures for instance on Facebook last time I checked if you went ahead through all of those privacy settings to protect all of your information so that only your friends can see your stuff the one thing that you have no control over are any of your profile pictures that you've
put up for your profile so if I had a profile picture of myself surfboarding at the beach one time anybody that knows my that can stumbles across my profile even though I've made everything private they can still see that and they can see the comments and who made those comments on that picture so same thing here Jonna has gone ahead and created some pictures here we have our picture here um if you didn't know it in google chrome you can right click on a picture and search the image on Google in Firefox you can do this with a plug-in and what we do is when we look at Google for that image Google will pull up all the pages that
it knows about where it sees that image or one like it luckily for us Jonna has used that image on other sites now this goes into the human behavior part of the talk we as people sometimes want others to find us across our multiple social media accounts right I mean I want you to come to my Instagram account and my my Twitter account and so to do that I have to have some kind of tie-in yeah I might use my hacker name my webbreacher name that's cool but what if you just saw a picture of me oh that's Micah yeah okay that's his account because I see that as an open source intelligence gatherer I can
exploit that because this picture from her Fitbit now appears on Google+ and look it appears in two different accounts on Google+ why would they appear in two different accounts anybody yeah they friended her or in Google's parlance terminology they put her in a circle so there is some kind of relationship between Oleg to can and John omission Koba oh we have her last name now nice let's take a look at this if we now google John emission cover from Saline Michigan we see her LinkedIn page we see more information about Oleg and since the goal of this is to find the where they live and all I'd go ahead and take Oleg's information put
it in here to whitepages.com I get his age his phone number this and at the bottom that there is some kind of relationship between Jonica token and John emission Cova so my thought is that maybe John emission kova is really John a token and these people are married or something like that and all of this kind of goes together and you build that open source intelligence profile so if I can get name and address and zip codes name address and phone number and stuff how far down the rabbit hole can we go how bad can it be what can people really find about us before we get into that and answer that question we share data
on the Internet and we as you know as Americans or people in United States I'll say we share a lot of data on the Internet and that's okay what we think though is that when I give LinkedIn a little bit about me and I give Facebook a little bit about me when I give Instagram a little bit about me and tumblr a little bit about me nobody ever is going to go through the work of tying all those accounts together and creating a whole profile about me so in some situations one bird is no big deal but when I put a whole bunch together we have a problem right so putting aggregating all the information about
you together can really make a compelling argument and can really put us at risk depending upon how much we share there's an extreme version of people that are out there on the internet there I call them oversharers what oversharers do is they think that the internet the public facing internet is their personal diary they were there these are the people that you see taking pictures before during and after their meals because they want you to see them digesting the food as it's being eaten these are the people that are are location-tracking themselves in five different applications because they want everybody to see who they are and what they're doing there's a problem with that because not everybody in this world
and I'm talking on I'll be very honest with you not everybody in this world is a good person there are bad people out there let's see how a bad person would go about doing this so I wanted to find somebody on Fitbit so what did I do I typed in anyone want to be friends and there are people out there now okay this is a very Google centric talk I know so I used the other search engine um DuckDuckGo and I typed in I need some Fitbit friends there are people out there whose basic needs of a belonging to a group are not being met maybe they're isolated in some part of the country or some part of the world where
they don't have friends or or I don't know what but there's a guy named Alfred Adler who's a psychologist around the same time as Sigmund Freud and he proposed that people have an overwhelming need to belong to groups for people to belong and want them and need their input and stuff and when people don't have those needs met they reach out for them so these are people that are trying that are saying hey I got a Fitbit I got a tracker you want to be my friend I have no idea who you are but maybe you can come support me and that sounds a little funny but it's the case and so we can exploit that sorry that sounds right um
we can exploit that by visiting some of these web pages so this is sparkpeople.com which is a site that's a meta site for people that want to lose weight people that want to exercise and receive support in their journey to to be more fit etc let's take a look at PBJ mommy right here alright just the person that I found here here's her Fitbit user now again we could go to Fitbit and do all the other things that I did with Jonna and stuff and but we're not going to do that we're just going to follow what she's opening up to us here so PBJ mama on the spark People website this is her profile okay
a little bit of blog there that's cool let's look at what what she puts on her profile section oh we have when she's a member here her dreams she wants to be a great mommy sister and friend now think about this I'm her social engineering social engineering we learn about people we research a person and then we exploit that wouldn't it be neat to know what's driving a person what that person really wants to do and be in life it's being given away right here all you have to do is look for it my program here's what she does to stay fit now there's personal information here this is where um she lives in cameras Canada her
Facebook page and a link to her YouTube site now as an oversharer Tricia is an avid vlogger video blogger she makes these videos of herself in her home and remember that too one of the first questions I asked you well who would be freaked out if I had pictures inside their home well when Tricia does some of her videoing she takes her phone and she goes like this right she's like this and she's walking around her house and she's she's video herself talking about her weight loss and all these struggles that she's having and all as a person that's doing open source intelligence gathering what I pay attention to is not her face I look behind her in the pictures I look
for what furniture does does she have does she have little kid toys what kind of socio-economic guesses can I make about her lifestyle does she have an alarm system on the wall in width in some cases she gives the me information now let's talk about social engineering right I need to get your trust to get you to do something bad if she she's holding her cellphone up to the screen and I can tell that she's got the Rogers cell phone carrier how easy would it be for me to call her up going hi uh Tricia yeah this is Mike Hoffman I'm calling from Rogers cell phone company we have a problem your cell phone is sending out malware can you put
yet it's a blackberry whatever blah blah blah and I need you to visit this website it's one of our support sites it's a tiny URL just go ahead and click on it click past all the banners and install the malware that's there exploiting trust so Tricia of course we can find her address we can find her phone number we can find out what our house looks like and do all the physical stalking things in fact Tricia is a very prolific person that wants all of her information be out there so her LinkedIn page has where she works there's even a biol on that page about her if you didn't have enough information about her here's even more to be able to social
engineers steal her identity et cetera in fact she even has a fax number in case you need to fax her Facebook hopes dreams what she likes what if I sent her a cake boss something something with an embedded USB stick or something that recorded all of the conversations in her house I mean the the the opportunities here are are really limited by my imagination so if Tricia was a person that I was interested in building a profile on I've got a lot of things that I have on her right in fact anybody in the world has a lot of information about Tricia I would argue a lot of information a lot more information than they should if I just did this as a
Google Talk you probably would throw things at me and the badges are sharp so let's go beyond it we talked about taking those individual pieces of where you've logged in and where you're you have accounts and putting them all together I like putting them together in a tool called a mind map now this is the free technology that's out there at the end I have a a link to one of the people that now one of the comp words are hard won them so bad as I was saying mine maps are free this is a Java based tool and X mind and free mind there's a link at the end with a URL and they are free software it's
really neat to be able to put things together and see relationships see the links between stuff and as we can see if I when I put the information about Tricia up here the detailed information from the pictures to where she works to other information about her it really makes an interesting compelling case about her in fact one of the things that I really like doing when I do open source intelligence gathering is focused on the user names that people use because we as people want others to find us if you want to find me on on Twitter you go to web breacher if you want to find me on github hub web breacher it's real easy we use the same
user names across multiple sites right what if I could exploit that too let's do that so enter recon-ng now recon-ng is a free Python tool that Tim Tomes LaNMaSteR53 created it's a framework that allows people to create modules I wrote a module and my module what it does is it goes out it takes well let's take a look at what it does is it will take user names and it will talk to over a hundred and eighty different websites 190 different web sites and I'll say hey do you have this username do you have a user by this username oh you do okay cool I'm going to record that do you have this username it goes out and makes
those calls and it's very fast unless you're on a dial-up modem but it's very very fast in general I can do three user IDs across 190 sites in 30 seconds and you know what this is what it looks like I do have to warn you when I created the profiler module I thought you know what are some cool sites out there and I about Instagram and and ImageShack and stuff I found this I am pregnant wouldn't that be interesting to know if your spouse the person you're dating or whatever um the person that you're researching if they had an account here or they had an account on InsaneJournal I don't even know what that is
but it's in there um and so what it looks like when it comes back is this hey this username was found on that server and here's the URL where you can go and do the research and see what's on that page now are there false positives yeah Missy trishy misses me I can't say that when PBJ mommy could be used by anybody in the world so it's up to you or me or whoever's doing the research to go and see oh is this really my target but does this get you a lot of places faster does it get you does it make your job of visiting all these different sites easier like hell yeah yeah I do have to warn you that
some of the websites that are out here are you can see that where I've classified them as social or shopping whatever I thought about what sites I should put in here so I put the normal ones in like that but I also thought about well if I'm going to do research on somebody might I want to know if the person has a site has a user name or user account on a pornographic website or a site that has some kind of sexual fetish or something like that and so the tool will go out and try to visit some of these other sites so if you're using it at work and and your firewall blocks access to certain pornographic websites
and then you know or you're using at home and mom or dad nut is monitoring what sites people go to make sure you tell them hey it's just recon-ng it's okay so all right so we've stalked people but I decided to answer question number three and and see just looking at those 800,000 records look at the descriptions and see if there was anything that kind of popped out at me and this is the fun thing I like doing this I love looking for patterns in data and what I found overall was that there was one word that kept coming back it was patrol patrol patrol like what is this patrol thing and why are all these
the entries so I visited one of them this is the clever patrol on 24 514 Tilbury B they've used the privacy bit and in London England okay cool and the person walked well it looks like they walked out and then they walked back well that's interesting so Strava doesn't allow you to zoom in and that sucks but since we know that it's London England and we are looking for this little piece right here what we can do is go over to Google Maps and do the research ourselves so if we zoom in on that on the real Google Maps we look for that care of that feature which is a pretty prominent feature and then we
turn on the satellite view we see that it's a power substation an electrical power substation in fact it's the Tilbury B power substation so somebody was lazy and they thought it was to their benefit to have their security guard start the Strava application walk the patrol path that they're doing to protect the Tilbury B power substation and then clock off and then log on the website that they walk that route and that's probably to show that yes this security guard did their nightly rounds and Strava isn't protecting that information right anybody in the world can see it in fact if we look at some other ones Barking and Dagenham UK here we know that the people walking were
Dominic and Alan would that be helpful if you're trying to do some social engineering of whatever they're protecting well what are they protecting see the Ripple Nature Preserve Reserve oh cool they're protecting animals - an again so Dominic and Alan are out on their nightly ride walk and we know that because here we know that it was done at 4:25 a.m. now of course I have multiple of these and I see that every day at 4:25 a.m. they go on this nightly walk so I call up this patently the company that's responsible this are like hey uh Dominic and Alan are out on their patrol they want need to have access to the facility so I'm just going to show up at
the front gate you okay with it yeah he knows Dominic and Alan yeah okay sure come on in could I do it maybe but the point is is that this information is out there on the internet and it's not being protected in fact it's not just the substations we have Britvic soft drinks we have tons of these and if again if we do this we look and they walked around this place near the Chelmsford cemetery the Chelmsford cemetery is a really prominent feature and if we look there's kind of a boxy area right here oh wow look at that it's a building and if we zoom in there do the street view we see it's a soft drink company we see
how high their fences we see there's barbed wire so as an attacker from the comfort of my living room I can now do physical reconnaissance on my target and this is why in a penetration test in a Red Team activity you never ever skip the reconnaissance phase because you never know what you're going to see well it wasn't just patrols and other things that I saw in the data there were some things that I just couldn't explain for instance now I'm I'm a person that's never been hunting my life okay if you go on a birdless bird hunt isn't that just a walk and if that's the case I have no idea what this is the only thing I can figure
is he's either a South Park aficionado or after going 92 miles and with a suffer score of 232 it's in red so it's got to be hard he was like hallucinate he's like hairy legs a chocolate olive off-post yeah that's gonna be good what's that California that's right we expect that so let me turn the camera towards you all if I create if somebody in this room were to create a social media profile or an Internet profile on you your kids your spouse's because let's think about this you all are security people okay or married to a security person you all know to protect your facebook you all know to throw that security bit when possible right don't
raise your hands you all know that I'll just accept that but if I want information about you I'm probably going to go ahead and do that open source intelligence gathering effort I will look for the public documents with your spouse your roommate your son your daughter your parents and I'll try to access your information that way at work one of my co-workers came to me and said Mike and you know I know you do these open source intelligence things but you can't find anything about me I said really you want to do this he's like yeah yeah yeah this is like okay I'll bet I can so I take his name and I put it in into Google's and I type it in and
I'm looking at the results that come back and I start paging up and he's like dude you're already missing things me personally what I'm looking for is I'm looking for the the the data about him that he can't prevent being posted you know the church bulletin that's put out every month that says oh thank you to John Smith for donating or for being on our refreshments list or if you went for a run somewhere in Montgomery County where I live um when you do the Montgomery County Road Runners things it publishes your full first and last name your age your your gender and your time up there because you got to know where you fit within the the people of your
age range and all and to see if one um so all that's out there and you have no control over it so I'm looking for that and sure enough I find something about you know a land valuation thing or a taxes thing and I click on that he's like what are you doing I'm like well I'm finding out information about you and it came up with his name and his wife's name he goes yeah so what are you gonna do so I took his wife's name and I put it in Facebook and her account was not protected at all and I saw pictures of because she will take pictures of him right yeah yeah so so I was like well
let me just find out your Facebook account by going in through your wife's unprotected account and now I have pictures of your kids in your house and you and oh look now since I've got you now I can see all of your friends so it's easy if somebody were to do this now none of the things that I did in here was proprietary you all can go home or go into the next room and download recon ng and download Google well you don't have to down but you could use Google or DuckDuckGo to do these things these are easy things the question is is are people already doing that about us the last talk that was here in G Mark's
talk the keynote you know all talks about credit card theft and and and stealing identities and stuff like that well what if you take a Target breach or an OPM breach and some basic open source intelligence if we can do that have a lot of information so here's some just overall tips and I know this is kind of a cop-out because this is this won't ever fix the problem the only thing that can fix the problem is you you telling your kids or your wives or whatever hey go see go ahead and tighten that down you don't need to share everything do you really need to take a pictures of us inside of our house all that think about
this from the attacker perspective you've got to limit what you post now that doesn't work for people if you're a millennial if you're somebody that's that you know my son is now on on the Facebook's and stuff and and you know he's liking things because well he doesn't see the the downside to it he doesn't see why or how somebody could use that against him or against me or against our family so educate the people that you know and love enable and monitor your privacy settings I say and monitor it because you know what I threw all those bits to protect all my stuff on LinkedIn I was feeling pretty good and then I decided to do this this quick
talk you know what can I find on somebody in ten minutes and I decided to go ahead and do it on myself from an unauthenticated browser and and I went into LinkedIn and I saw myself in like holy shoot I'm sorry there's kids in there holy cow look at all the stuff that's out that I thought I turned on all those bits well I had but it's LinkedIn is data right so they decided to open it back up so you have to monitor your stuff you have to go back and go is it still protected okay cool understand the risks of using each service location-based services recon-ng has a module in there called pushpin
pushpin you put a virtual pin in a map say this latitude and longitude my kids school my place of work show me all the tweets Instagram photos and other things that have a geographic tag in that place and it will pop it up and you can see who's tweeting or or doing other things from that location it's pretty interesting to see who's tweeting during the middle of the day then the thing is if this works for you these are suggestions you know your social profile and what you want to get out of it much better than I do if it works for you make it more challenging for me to figure out that you are you you know if
you have accounts for work don't use the same usernames on sites like webbreacher don't use webbreacher I'll don't use webbreacher but for you don't pick the same user names across multiple sites go organize things separate things these things I use for work I'm going to use this one name and then I'm going to use something else now is it 100% absolutely not but it gets you a little bit more secure don't use the same picture on all your sites it's easy too easy it's easy to find it and most of all limit the geo traffic geo tracking when you enable the the track my location when you're when you're checking in on Facebook when
you're checking in on these other things and you're posting the latitude and longitude of where you are that opens up a lot of risk for you let's face it this real this whole talk is about risk a lot of us in our jobs we try to mitigate risk for our companies but you don't realize that you make risk-based decisions in your lives in your personal lives all the time this talk is about mitigating the risk that's being posed to you and your families so here's my information there's recon-ng and there's mind map xmind.net um that's the end of my talk I'll take any questions I have I don't know well there's no talks after this so I've
got a couple hours yes sir yes yeah okay so the comment was let's talk about legal um there's a ton of information about you that I do Orbach not about you but about other people about whether they've been put in jail speeding tickets other things that could be very interesting for you to pull up now it's not so there's this whole stalking law right there are stalking laws out there there's doxxing laws where if you do have open source profile like this with the intent or to actually execute it now I'm not a lawyer so don't quote me on this stuff but if you use that information for evil then that's breaking the law if
you use this for other purposes like research purposes or educational purposes that's different so within your company it excellent so if can you make hire/fire decisions based upon this my answer is no I'm not a lawyer you need to talk to your legal department but I would say that one of the things and I'm not going to get into that whole well you know this law says this but you have to apply the same rules to everybody so if you're going to go ahead and do open source intelligence gathering against one person you kind of need to do it against everybody and that can be very time-consuming even with the tools that I showed you there so talk to your legal
department because if you don't apply the rules evenly then you're setting yourself up for a problem yes sir so when it comes to tracking the movements of people you mean the geo tracking and location-based information
yet not so tracking movements if you do that via like putting a GPS tracker on their car yeah probably but what we're doing what I'm doing is harvesting information that you have pushed out onto the internet for anybody in the world to see so people in Moldova people in Hawaii they can see this in aggregate this information too so I'm going to say no and again I'm not a lawyer but I'm pretty comfortable saying no yes ma'am
just does Facebook aggregate likes and stuff in your profile um so the very famous person said that if you're not paying for a service you are the service Facebook nobody pays for it so absolutely they are they most likely um his camera they're they most likely harvest and generate information metadata profiles on every single thing that you put into their system there's metadata in pictures yes metadata is the information about the picture so if you tweet something and then it came from your Samsung Galaxy S5 in the metadata of that picture it says hey I was taken from a Samsung Galaxy S5 from this location and yes that information can be aggregated or called
yeah you know it sounds like you might have some extra question I'm happy to talk to you afterwards but think about this if the data is out on their server you have no control over it when you delete something and it removes it from the public eye that doesn't necessarily mean that it's removed from their systems or removed from their backups or removed from other things they still may have access to it or law enforcement may still also yes sir so thinking about Facebook and what information that we can't control I'm sure that as security guys they're all more or less aware of what you're making public and Markel trying to keep drive by now what what's your advice
about stuff that's out of control for example or phone number you know I want I want made a fake account on Facebook that's something my wife's phone number I'm from Romania and all the details all the details that I lose were from the US Open in January so calm everything from that right okay now all the couple comments that Facebook recommended one of my wife's friends why because those people sent over crazy phone books which had I was sunburned so basically our data is being sent over to third parties by our friends and there's absolutely nothing we can do about it besides break their faces ah that's a different website um but so yes and that's the world that
many of us live in right now is that we have pushed so much data and our friends our neighbors our governments our stores have released so much data about us into the world into the internet that our efforts to remove ourselves remove our social media profiles remove information about us won't ever be able to purge all of the data out there just by living and operating in the in the society that we live in the stuff about us you go to church or temple or a mosque or something like that they may put your picture in there and Google Facebook and other places have great facial recognition capabilities so your face can be tied to you even though you have
no Facebook profile there are absolutely things like that and it's up beyond our control so it's risk based decision right when you can change the way you look you cannot go out in public which with Amazon Prime makes it a lot easier to do um but I mean it really is about limiting what's out there your phone number has never ever been private even though people think it is you're where you are where you live it's not private data it might be harder to get was not private was there another question yes sir yeah
they are and actually one of the coolest so one of the things I did at work was um I did a profile on some executives saying hey what is what is the profile what does their social media what is the what on the internet shows about them and one of the things I found was that one of them had a an apartment or condo in a building that was in a vacation area and it was a second home I was like oh that's neat it's it's on this apartment that's cool I found in a tax record which they couldn't control and I was like well huh I wonder if and so I went to a real estate page and on a real
estate page I found a like unit and that real estate agent had not only published inside pictures of what the floor plan looked like but they published the architectural diagrams for what that apartment looked like the sizes of the rooms how the rooms flowed and stuff and I thought well do I not have the floor plan for the apartment above them that my target's in yeah so sometimes we go to other places and make those jumps up to to get information about our targets yeah there's tons of information out there anybody else yes sir so for recon-ng that's an excellent question recon-ng does require for some of its modules API keys that cost money which
is when API keys are those authentication pieces that say hey website I've paid give me this stuff that I want the answer is no sir my MA my profiles my profiler script and all of the sudden recon-ng modules that I write are 100% free you don't need any keys there's no barrier to usage aside from just using the tool and also no any other questions all right well thank you very much I'll be up here if you have any more questions