The Truth, You Thought We Wouldn't Know? Open Source Intelligence in the Wild

good go ahead for those of you that are in here I'd like to thank you for coming and for those of you that are watching either watching on the stream or watch later I appreciate it um the title of my talk is you thought we wouldn't know for reflection on ENT um if you're not familiar with o it's open source intelligence um it's used primarily in the osc industry to do um reconnaissance and information gathering either during a penetration test or prior to penetration test for techniques like spare fishing and other similar methods in they attack but the methods that the penetration testers are taking are very limited in scope they're told they can't do stuff to this individual they can't

do stuff to that individual kids are out of scope husbands and wives are out of scope whatever the case may be the malicious actors and criminals out there don't care that information actually has value to them so the title of my talk is you thought we wouldn't know um I'm systems administrator by day that's my day job I'm not here representing that company I'm here representing myself on the side I also do penetration test work with uh Georgia vman at bulb security.com um so I do oent gr pin tests and the reason is because I love it um I started think about the fact that there were weaknesses and the information that people put out there and the information

that is already out there and compiled together it paints a pretty dark picture so that going forward uh George is always pushing me to get up and talk get up and talk talk talk a test conference submit a cfp and she told me I should submit a cfp here to bide Las Vegas I'm like well I don't want to talk about some of stuff I've already talked about before let me talk about something that I actually love and I think is important so my talk is not just aimed at people who might be in the industry and penetration testors and want some other ideas and avenues on how to approach it it's not just for employers

or companies who are worried about what dangers ENT May apply to their environment but also as a wakeup call to the real situation that goes on with osin as it applies to real criminals and the type of stuff that they do with with that information so recently in the news everybody's really on this whole thing we don't have any privacy anymore um and it's really dangerous you can't say in public that you don't have any privacy because then that violates you know may open you up to Fourth Amendment issues so I'm not going to say you don't have any privacy I'm going to say that you may want to question how much privacy you have

and how much of your information is being leaked by others that it's not on your behalf that being said information is being leaked on you that's not a have um some of you may have a gring card or a discount card and that card is used to track your purchases a uh husband and wife have a newborn baby and they go to the store and they buy one month diapers then they go and buy 3mon diapers the next thing they know they're getting coupons and advertisements in their email for the next set of diapers for baby food they didn't ask for that it's being given to them because those marketing companies are tracking that information but it's not just those

companies it's Google it's yahu when you do a search they're tracking your search to an office the problems with Google Mail that Google's monitoring people's mail there's a story that I saw last year on the internet a guy his wife sent him an email about the fact that she had just been in accident with her mother the grandmother and the the baby in the car and as he's reading that email there's a Google popup ad for diapers he's like coincidence maybe maybe not so the DAT of out there about you is being sold it's being shared and you don't have any control over that and that's doesn't even include the fact that the stuff has already matter of the public

record your property taxes what kind of car you own you know the records of the BMV or DMV in your state all of that stuff is a matter of public record you've been arrested for a crime it's a matter of public record you go to a hospital some of that stuff AC the stuff that's not um I'll give you an example somebody get injured in a car accident it becomes part of the news it becomes part of the public records out there you can't hide the fact that you were just in an accident it was on the news so again this is information that's out there and then of course there's the big huge scare right now

the NSA in prison they're listening to your phone calls they're monitoring your text they're trying to find out who you talk to who cares they want to find out who you're talking to they're just going to go on your Facebook page to see who your friends are they're just going to follow your Twitter feed and see who you're talking to on Twitter they don't have to listen to your phone calls or your text messages people are literally giving the information away they don't have to search for it then there's the issue with social media people do things that can actually impact their lives they can cost them their friends they can cost them their jobs it can cost them their

lives 13 posts that got people can these are pretty extreme the the article that I got this from um and there are regulations in different states and different environments from different countries that say what an employer can do maybe an employee can post something on Facebook and in that state the employer has no recourse in other states the employee the employer may actually have a recourse or it can get you killed a post on Facebook about the actions of of a Mexican cartel got a woman beheaded the video posted on YouTube because of what she said on the internet she's a reporter she made a posting so the Mexican cartel retaliated lethally by cut cutting off

her head and posting that video on YouTube so this information is out there that you post and has posted about you could cost you your job cost you your friends or can cost you your life so with regard to research and getting the information how hard is it how difficult is it to get the information assuming that you know next to nothing about somebody and we're going to discuss potential criminal activity in a moment without knowing that much about anybody given just a couple small pieces of information how much more information can you get and how hard is it to get it the impetus for the story like I said is George is always pushing me to

talk so she's like submit a talk to besides Las Vegas I'm like okay I do o right around the time she made a suggestion a bank got robbed in the pway area I live outside of pway Indiana a bank got robbed in the pway area with regard Banks being robbed in for Wayne they there are hundreds of bank robberies not hundreds globally not hundreds nationally not hundreds in Indiana hundreds in the pway area loans since I moved there in 1996 it appears in at least in my part of the country we have a lot of wannabe bonding in cents but the methodology that the people used in the bank robbery struck me as completely stupid so these

criminals go to a bank follow a tell her home hold her in her own house and kidnap her take her back up to the bank after hours and have her open the vault and give her give them the money out of the Vault and then leave her in the bank we discovered later I don't know about you guys but that seems pretty darn stupid we've all watched CSI and CIS Los Angeles the police and criminal investigators have some pretty fancy tools you can DNA evence at the crime scene you're going to have your face potentially Expos the video cameras the car you were driving when you came to the bank to follow the teller this is

just stupid behavior and then I'm going to talk about the fact wait a minute we're a cashless Society Banks don't have cash on hand and when they do it's not a very large amount and a small town bank has very little tens of thousands of dollars not hundreds of thousands not Millions when they need a large cash amount they contact another bank and they have a armored car bring it over most banks have very little cash on hand so these criminals took incredible risks for very little gain but this wasn't isolated I'm like wait a minute so these people did this in Indiana how many other times has this particular attack been try was support

an isolated incident or was it a copycat situation well it turns out that in sanord North Carolina a couple years ago in 2011 this very same type of attack was used there Bank of America in September 5th just a few months before the bank robbery in Port Wayne again similar attack method was used kid kidnapping a bank employe trying to get to give the money so maybe the people in Port Wayne were just copycatting technique that had already been tried somewhere else in none of these cases did the kidnapp her succeed or the bank rob her succeed they got away for a short period time they all got caught so for very little potential financial gain these people brought the

bank risking many many years of prison and P Indi is in their state line bank across the state line you can get life and prison so for maybe a couple thousand dollar these people potentially risk a life in prison now we have pretty bad situations in our prisons um I hear stories about on my dinner table almost on a daily basis um why risk this for a couple thousand do if you want to be a lifetime criminal and spend the rest of your life because in the sht go ahead and go out and rob a bank just standing away for the cops to show up but if you're trying to commit a crime if they were trying to commit a

crime and succeed and get away with it then the methodology that they use was stupid so I'm going to discuss some Alternatives what would happen if you were hit by a smooth criminal not a stupid criminal went to the bank potentially got captured on camera Then followed the teller home kidnaps him takes him back to the bank and again exposes DNA evidence Vis visible evidence of faces or voices you know all kinds of stuff that can be used in the communal investigation what if they acted a little bit smarter so smarter would be not to rob the bank by going to the bank physically but to convince a high ranking Bank executive that it was in

their best interests to transfer you a large sum of money hundreds of thousands of dollars millions of dollars and provid such incredible threat that they had no option but to comply all without ever physically exposing yourself to that person no DNA evidence no photos no video no nothing but using the information that's already out there provide a credible threat that they then believe remembering and that these criminals if they don't get what they want will kill you the Mexican cartels they would kill you the Russian mob they would kill you the Cubans they would kill you you're talking about millions of dollars and you say no they would kill you just to prove that the threat was

credible to the next person that they went to again they have no real risk in the situation the risk is all the bank employees um problem and they get but they get all the reward so again most of the stuff that I'm going to talk about with regard to open source intelligence is used in penetration testing the same kind of methodology same kind of tools and it's and it's type of scenario that during a penetration test we would come to a bank and say this is why this is a risk this is how we got this information this is how we would go about using a spear fishing attack against you but I'm going to take that just a few steps

further so I started out by okay so I'm talking about a bank robbery I need to find a bank employee so I did a Google Search and that's just too random let me do LinkedIn LinkedIn on a major Bank in Indiana and see what I get so I get list of their employees and so I come across JB here Chief Operating Officer for credit and where she went to school at I have a picture a first name a last initial the employer and where she went to school how much information can I get given just those four little facts I don't even know her last name can I really find Jimmy buo out of all the

people in the United States Well turns out that Jimmy bu is still nice enough to post a on a Forum Credit a Twitter account and in that Twitter account she mentions not only does she go to Ball State she has look father um she lives in Fishers Indiana and if you'll notice the first tweet there is the fact that on June 7th it was her birthday so now I've had another piece of information I've added an additional School I've added her her date of birth not the year yet but the date of birth and her current city of residence there's also an awards photo there in the in the corner it says that she's worked there for 13 years lucky

133 so proud to be employed there it's the best place one of the best places to work in Indiana I'm sure it is so researching those School connections I come across remember she went to Ball State she's on the ball State Alumni Council executive committee I wasn't sure if I had to write Jenny bu with a Twitter account there's possible there could be two Jenny BS at F cred Union and maybe I didn't have the right Kenny B but this one that went to Ball State the woman on the uh back left there second from the left is Jamie Bujo she matches the picture from the LinkedIn account so let's do some more searching around the Ball State website little

Google search Vice chairman Jennifer jimu Joe cut of 84 a home address a home phone number The spouse's name and an Gmail address I'm maybe 10 minutes into my searching and I already know where the person lives I know their spouse's name and I have an additional email address well she got an award 2008 for the award of achievement from the School of Business I'd like to say congratulations to JY on that award so let's go to some other sites I use a lot of different sites I'm going to tell you I don't pay for anything they're going to tell me they're going to give me this little piece of information then they want me to pay for the rest well I'm not

going to so we have Jennifer J buo of Fishers Indiana married to Martin buo we saw that a couple slides ago um she's age 51 well her birthday is June 7 she's 51 years old we can count back to get a birthday year now it's not that hard and we have a Jay Alexander Jennifer J Alexander so I'm thinking that might be a maiden name or a prior name we're going to probably assume maiden name in most cases so I go to another site guess what some pity information but they're they are corroborating everything that I've seen so far and they're adding a prior employer they're confirming that this person went to Ball State University they're confirming the age

again so I have corroboration and I have some other pie of information each one that I can use to search a little bit deeper a little bit deeper so I jump over to my life and we get a little bit more we get a partial phone number now it's so nice that they ex out that phone number I'm sure they think that it's not available on the internet but we'll find out um and they give me some other information well I could have done the math to find out she was born in June 7 of 1962 by taking the ag51 and count it back but my life was so kind to tell me I don't do the math anymore they just

gave it to me so and giv the fact that she lived in these prior cities like Indianapolis back in '94 here's another site confirming the exact same information we now know June X of 1962 well I already know it's June 7th thank you um and we get other previous addresses we get a confirmation that that she lives in Fishers Indiana and we get a map they won't tell me the exact address but they give me a map and you can kind of zoom in zoom in map you get to the point where you really don't know but you can find the neighborhood at this point I'm not going to go and go into the person's neighborhood we do

that little later so I jump on spoko spoko is one of the first information sites for o that I started using and they give me a lot of information they want me to pay they really do but I'm not but again I have more cooporation of the age that partial phone number again they wanted to pay for it her marital status I can click see available results they're going to want me to pay her her occupation she work form Credit Unit I already knew that before I came here um and the fact sh in P Indiana again with a map and another address something at yo.com family background Jennifer P mared to Mark a picture of her neighborhood I

didn't zoom in on the neighborhood earlier spoko did it for me I don't spoko zoom in on the neighborhood they gave me an estimated home value estimated home value of $373,000 on a golf course we're going to that Jen and her husband Market done pretty decently refine the phone number search well I did need those other sites to give me the phone number because the Ball State Alumni Association was so nice of giv me that address and that phone number earlier but if I do a look up on that phone number I found out that yes indeed that phone number is the landline that goes to that address and again there's another map that could be us in so I didn't go too

deep into to Jennifer I'm going to go a little deeper into my next but I wanted to show you that at this point I only have about 45 minutes to an hour invested into the research I know the woman's name I know she's married I know the neighborhood she lives in I know the estimated home Val the house she lives in the next one I'm going to go a little deeper say could I do this again and how hard would it be so we're going to do it again we're going to jump on LinkedIn and to find a nice lady named Angela Beck she's the banking center manager at Old National Bank in Ms Indiana she also

went to Ball State I just love Ball State they gave me so much information I didn't have to do any searching for the but the address Ball State was nice enough to give it to me we'll see if they do that again this time I don't know if he knows but on Jenny B I had no connections to Jenny B at all I live in Indiana I'm sure 6 degrees of separation at some point I'm pretty well connected to somebody in Indiana I'm three connections away from this person so I can't get their full details like I could with a second degree or a first degree but at least I managed to get a little B

more I actually got the last name with this one I could have like made friends or or made connections with a a banking recruiter that would have tied me to more banking employees it might have got me more second degree connections get more information but again I want to show that I'm not having to go to those steps I'm not having to act actually try and get into their industry or pretend to be in their industry to get the information so good old Ball State I do was another Google search with Angela's name and Ball State and I find out that Angela was on a panel discussion about the dangers of using credit cards back

in 2009 so she's at least aware of security I wonder what she would think if she knew that she was the subject of of a security talk right now would it make her a little more aware or would she want to be more involved in the discussion we would hope to should we want to be more involved in the discussion so Angela Beck well one of the sites that I used earlier was a site called Ben verifi.com Ben verifi.com was advertised in my area on TV usually in prime time or just after Prime Time as if you want to know about your a blind date somebody's like hey you need to go out with so and so well

you could go to Ben verify.com and find out who their employer really was if they said they were a doctor you're not a doctor you do construction they said they had no kids you got three kids you they said well I make $100,000 a year you you make $20,000 a year that was that was Ben verifi marketing concept so like spoke you been verifi one of those mon okay let's see if I can get a blind date let's see if I can get a blind date with so Angela Beck also known as Angela hfield so now we have prior name m name she's 43 she a m d it there's some guy Nam Vincent back

in the picture my blind dat so I go to another site he the same type of search criteria find Angela be find a picture of a child we're going to assume this is hers this this picture is going to help me uh in a few moments we confronted the employer prior education that she went to high school in Portland Indiana and I go to Facebook looking for Angela BS and a picture from that other site that probably pulls data from Facebook or Facebook sells them the data again data mining either one company's pulling it or the other one's selling it but the information's out there one of them shared that Facebook photo Facebook photo from the Facebook profile to that

other site so I see this same picture so now I have coroporation it's the same person this Facebook page is actually linked to the person I was just looking at Vincent got the stomach flu I got a sinus infection Chase is running off both of us he's a nice boy Vincent's obviously the husband chases the son more information each little a piece adding up again is that Facebook page public that you can read the comments yes that's I've given a talk before my eyes to I to say chapter about this dangers of social media the the digital footprint explored and in that talk I deliberately went out and made friends with people via Facebook games to try and get

connections during this talk no this talk is about I use no paid information and I don't try and become Facebook friends to get them this is information if you want to look for this Pages you can get it these people are not securing their Facebook profiles these are high profile people in banking IND so you think they'd be a little more or a little more respectful in the way they do their profiles so I go further on the page and we get another picture of Angel she's got a slightly longer hair we get a picture of the husband we get a picture of the child again now if a real criminal organization was interested in

this this is very important information they don't have to go like follow the people to find out who they are they have pictures that they can use so I go to my life again one of the sites I like to use and again I get more confirmation and more corroboration of the same data I've already seen and each of it a little more little more piece I didn't have a birthday at a birthday I had 40 three we can do the math she was born in 1970 um we have prior residences we're going to find out whether or not I can get an address in one of those residences and whether or not you get her birthday as well we'll

see but just for just see what I can do I want to look at Vincent as well I'm like this time I'm not just going to look at one of the parties I'm going to look at the spouse because that's other information that may actually be helpful and I find cooperation again with partial phone numbers I find out that he's a year younger than she is that he also lived in Portland around the same time they that she did I'm going to guess they were childhood sweethearts went to the same High School J J High School in Portland Indiana prob met each other young got married and now they mve to M and it looks like they were following

maybe her career as opposed to his those are judgment calls um so I go to this site and this one again cores the same information now it gives me a map that I can zoom in on shows me the neighborhood and while I don't have the exact street address gives me the neighborhood they want me to paper email address I want to paper a phone number oh she was born in January I know if you notice that it was January blank of 1970 I had the 1970 before now I've got January so doing some Google searches of Muny and her name Angela Beck I come across a flyer on the internet for a rumage sale this flyer the arrow indicates

shows her email address address at oldnational.com and a phone number phone number that I didn't have before one of the ones that one of them sites wanted me to pay for and now thanks to West Val West View Elementary ran sale I don't have to they gave me the phone number but it turns out that Angela is very very dedicated as a parent she's very involved in her child's life information that a malicious person a criminal would use to threaten her her child obviously matters to her family life obviously manag to her and that West Community Association well they gave me an address or they gave me an email address and a phone number it's

kind of Handy that I know the exact school that her son probably goes to and I can find the neighborhood that that school belongs in so let's do a little search on Westby Westby Community Association well they gave me one phone number back on back up back so they gave me this phone number the for no they give me the 4645 on the Rin sale slide thank you w element Ren sale you give me a 4645 but the West Community Association page gives me two other numbers not the 4645 but two other numbers along with her email address at oldnational.com once again confir that I definitely have the same Angela back that's the employee at the bank that's

so devoted to her child she's heavily involved in school activities so much so that she was the president of the Community Association so here's another flyer for them from once again confirming the 4645 number and the email address Old National Bank here's their street address that comes in handy the one K's Main and M but it also gives the phone number and I wish this was wasn't as blown up as it was the phone number is 765 254 3900 one of the pH numbers on the previous side was 3930 it doesn't take much logic to figure out that the 3930 number is one that's within the pvx system at the bank and it's her extension at the bank so

the 3930 is obviously not her own phone number the 9670 number is a mobile number according to Verizon the 9670 number belongs to a mobile phone Vincent Beck has a home phone of 4645 so that number we saw the 4645 one that's been a home phone number all the time and thanks to this profile for Vince that I have a confirmation and they didn't give me the address before but this one and Tellus was nice enough to give me the exact stet address so I jumped to a couple of the other sites that do data mining on a regular basis and and I come across again Angela Beck at North wi Road they don't want to

tell me the address and tell you it's just did for Vincent I don't need to get br's profile I already have it and again more coroporation more confirmation that each of the pieces of data that I've seen are the valid are valid information it's not falsified or if it is it's it's falsified pretty deep because more than one entity is claiming the same information I jump over to spoko and spoko is pretty much the same thing spoko wants me to pay for the money they only want to give me a partial phone number well thank you spoko but the School Association are the um and as you'll see that they're going to give me a

street map of where the house is located they won't tell me the exact street address because they want to pay for it but they'll show me the address that's located they give me a map and they make a spoko makes an estimate that this home is valued at $600 $800,000 musty Indiana I find that very hard to believe unless it's in one serious neighborhood but the house is right off Main Street well Main Street that's kind of interesting to me because her the bank address for the bank is at 110 East Main Street and she's right off West Main Street I'm going to guess just as a matter of course that her commute is very short the distance of time the time

that it takes for her to get from her home to her place of employment is a very short commute put have been handy no for those other bank robbers that were like in pway Indiana that followed the bank teller home family background again Angela Beck married to Vincent Beck so go to Vincent Beck again I'm going to do some more cross coroporation go to Vincent back it should be the same kind of information again partial phone number a partial email address we can extract probably a VB or a Vincent back or you know typical naming schemes to try and do other research later if we wanted to Bas in the Comm that were partial address

doesn't matter we already have it thanks anyway um and the the relative found there in M Indiana all this other information they want me to pay for that I already have um but again the same kind of smokey map shows where the home is located in mun that I can zoom in on shows the previous locations that um that Angela didn't show but his does the um other residents in Portland and again pokeo Rec estimates that the house is worth $600 $800,000 again I say no family tree um Angelus profile didn't include these two people so I'm going to infer that Manfred and Elona are Vincent's parents that's just going to be my assumption but a truly malicious

actor a criminal might use actions against those two elderly people to influence the actions of of Angela and her husband so but if I go to the actual map that spoko provides me satellite view of the house well now I see the house is only worth 111,000 so I don't know why they said it was worth 600 800,000 a moment ago when this link cly shows that it's worth around 111,000 and it shows the neighborhood but I'm not going to use spoko Bing map to get a view of the neighborhood I You Bing but I'm not a big fan of Microsoft so let's go to Google Maps using that 107 North wi that we so nicely got from

the one link about Vincent we have a front view of the house pretty decent home it's not fancy but it's a decent home heavily shaded I come in very handy to um somebody who was going to threaten physical harm that there's some decent cover around the house some decent Shad so that late evening or afternoon you might not be as easily seen so that house value of 111,000 where does that place Angela and Vincent with regard to their neighbors in their fellow community are they very well off are they extravagant in their wealth what is their lifestyle well it turns out that an estimate of $111,000 puts them about $36,000 higher than the median home value in Mony put

right about on par with the medium value in Indiana so the home value is about the same as the average house in Indiana but in M while it's not a super expensive home it's on a higher end it's in a decent neighborhood so we're going to use Google Maps again and get a good view of the overview like I said we showed the front view a moment ago with all the shade and here we can see there's tons of shade there's lots of Ingress and agress routes here for potential attacker to use there's a presence of Main Street right there while it's handy for Angeles commute to work also if I was to expand out the map

to show accesses the highways shows ways that attackers either get in very easily in the neighborhood or get out of the neighborhood very easily oh in the elementary school that she's so proud of that her son went to is just down the street to so let's do some research to find out according to spoko the house worth 600 800 then said no was 111 so I do go to Real Estate site and they tell me that 107 road is worth about $118,000 three bedrooms one basketball basement neighbor down the street only two bedrooms that has 2 and 1/2 pass is slightly more Val full basement down on the corner right beside um the beex is another house that's

slightly cheaper in price two bedrooms to Bass basic another neighbor 108,000 or 108 across the street about $66,000 two bedroom one bath but it doesn't have a basement well in my story about the malicious actors in for Wayne that kidnapped that bank teller and the two other new stories that I found that corroborated that that wasn't a unique thing if you were going to kidnap somebody and hold them in their home wouldn't the basement be a good place to hold them you're less likely to have the activity being heard or seen by neighbors so houses with basements aren't necessarily the best thing to have not so I was thinking what came to the conclusion of

all this I didn't too deep into these people's lives I want to point out right now that I use no paid information I also use none of the tools that most people think I when they think G people now when they think G think tools like Malo none of that was done this this was all done with simple Google searches good old Google clue using the information that was provided in simple Clues and then using the coporation that other sites provided taking those additional piece of information and building a puzzle the one thing I didn't do in this talk that that a true malicious act would have done would have been to go really deep into their Facebook profiles really

deep into their Twitter profiles and really digging into that information I could have done all that and I could have exposed all of it but I wanted to leave these two people with at least some degree of dignity and some degree of privacy that I'm going to say does not exist but will at least leave them the illusion that it does I'm going to take off on another tangent for a moment so do Criminal really do bad things we we can all agree that they do would a criminal really kill you for the information you put on inter we talked about Bank Proby now I want to talk about the information how easy it is to get it and how much

information people put out there and the harm that it can cause like I said this poor reporter posted something on the social media site about the actions of the Mexican cartel they took her in the middle of the street and beeditor and they filmed it and they put on YouTube so the actions that you do may have serious consequences could the information Jenny and and and Angela have out there on the internet actually result in them being the victims of a serious crime because somebody wants to rob their bank and they're going to use them as the intermediary and they're going to threaten their families I seriously hope and I hope that the information I gave doesn't bring them

harm but like I said the information was out there I didn't have to do anything my total research time for the information that I got was 2 hours in two hours I got a pretty darn picture of those two people's lives a smooth criminal or a truly malicious actor would have gotten much deeper and they would have done it in much more depth and they would have acted on it so then as an employer let's say I'm at Old National or I'm for credit un I'm in another place of business how do I as a business owner as an employer in with the actions that my employees take whether personally on social media or that they the things they post on how do

I make sure it doesn't affect me my brand my reputation at the end of the day you really can't there are some places where again companies have legal course but in a lot of them they don't so what information this information um our criminals really using it is this just me postulating it is it just penetration testers alleging that this is how we would go about doing the T this news story shows that in fact criminals right now are actively using social media against their victims either reconnaissance purposes or making threatening allegations against the person or against a company ruining their brand and this article talks about the fact that they use Google Google Earth to plan their Ingress and erress

vals they don't go and follow the person home a smart criminal doesn't follow a person Home Smart person finds out where you live and and they find the route in and out of that neighborhood and then they use it there's ABS no reason for a smart criminal to be like those bank robbers did to follow the follow the tell that's just stupid do they use social media to choose their victims huge danger in social media of posting where you're at and I know all us here at the conference we tend to be like I'm the Beast Las Vegas it has consequences me I'm smart I have people at home I have four big dogs the people in my house armed

everybody's a shooter I have cops tutor down each side I'm pretty I'm pretty comfortable in my neighborhood that my house is pretty well protected if I post and I'm a beid Las Vegas but people post this kind of stuff on a daily basis where they're at they're out at dinner not only do do they do that but if somebody goes out and posts a picture of that brand new Xbox One when they get it or that brand new PlayStation 4 when it comes out somebody's going to watch those pictures he's going to watch for those postings and those people are going to be right for the theft of that device that's I'm making this very

simple case but um the burglers small criminals are using this not just the not just the big criminals like Mexican cartel the mob or or the small criminals the pity thieves are using the exact same information do you put too much information on the internet about you like I said all of us here pretty much guilty of posting what we do um those us Community tend to be while we know the dangers we also know that we don't really have an expectation that people aren't going to to find out where we're at so we just posted I mean it's been on the internet that I've I was going to do this talk so if I didn't say I was at

besid Las Vegas people would assume I didn't even show up to do my talk it's just assumed I was going to be a speaker here I must be here but the people things that people post on the internet often times they come back and they regret it it's pictures of them being drunk It's pictures of being foolish it's something they said about their boss it's something they said about a coworker something they said about a friend do you know what Sally did well guess what since she posted it on Facebook not only does that person now know what Sally did but Sally knows you're the one that blabbed him so what happens to the person who

talked about Sally R and knous comments end up result of loss of context and this isn't just Facebook I want to point out the actions that you take may end up people not following your LinkedIn uh professionally ignoring your LinkedIn or never even being associated with you they may not follow your Twitter feed they may not follow your blog these all each of those things this is a very simple case with regard to Facebook but it's the exact same thing our our country and the and the world are now relying on social media and again 13 posts that got people can the things you say and do if they end up on the Internet they never leave

the internet can end up somebody losing their job over it something happened to P Pon is anybody familiar with what happened to Pon the fact that somebody made a joke that somebody else took offense to and the person that took offense commented about how offended they were there a joke about a dongle everybody fam with USB dongles and stuff there was a joke about a dongle anyway the first person lost her job later got hired the person that raised up the vacation stin about it has made similar comments on her own Twitter feed and her own Facebook post prior to that so her coming off is all offended looked a little duplicitous and Too Faced and the company she worked for

Ed having to Let Her Go stuff that you do and say can actually have repercussions so with regard to penetration testing we use these tools and Ence as part of our job to provide scenarios that we use to provide value to the client this is how I would go about constructing a spear fishing menu a spear fishing email this is where I got my information and this is the type of attack I would use and we describe it in a scenario and then somebody actually acts on that and proves that the spe fishing attack would work but the spe fishing email doesn't work without the prior Intelligence being done through most so I'm going to put on a white hat here

for a second I've talked kind of from the black hat the real malicious person I talked about the fact we got to protect some stuff I want to talk a little bit about being a white hat yeah D Adrian is not here I'm put on a white hat near the end of my creation of this presentation I had already had this whole you know the inspiration of the bank robbery and how I would have got the information is much smarter than doing the actions that those criminals did I want you know what what if I could do this for good what if I could put on the white hat and maybe come to the rescue room so

to speak and solve an issue solve a problem I didn't I didn't go that far but I want to show that maybe this same stuff can be used the same way so I don't know if any you're familiar with skip chasing but um a skip traser or a bounty hunter they use a lot of the same techniques they try and find some of the same information historically they've gone about it some real hard things literally following people in a neighborhood taking pictures trying to find out who somebody talks to so I went to Omaha's Most Wanted I was like Most Wanted and one of them was Omaha and so I went to Omaha's Most Wanted page and I found this young man

uh Cameron b he's 21 his his date of birth um he's wanted because he was involved in a shooting so what happens when somebody gets arrested and they go out on bond is somebody posts that Bond and they gives some information like three to five people to contact this person we're going to put up the money to actually Bond the person out the bondsman is so they're going to want to know if I need to find that person who do I talk to who are your parents who are your neighbors who do I talk to if I need to find you I would allege that in a lot of cases that information is falsified or even if it's not falsified

if somebody like were really to give their mom's name and address and phone number if you were to call that person's Mom I don't know where he is I don't know where she is so Cameron BT how many Cameron Burts can there be in om bras well I found this one and there's a webcamp photo here Pi of a nice's webcamp picture up in the corner I'm I'm thinking this might be the exact same young man from that wanted picture just a moment ago he worked in Roofing went to omahan North High School lives in omahan Nebraska so how many camera burds can there be in Oman Nebraska well if I go into his photos I find this

photo and I'm not 100% positive but I'm about 99.999% positive that's the exact same camera Burton that I just saw we're going to examine that that uh Facebook profile picture there nice looking young lady and again slightly better view of the picture of Mr Burton up in the upper right hand corner with some comments down down there um y'all are so cute you miss each other we sure do why do they miss each other why do they miss each other and then there's a Corey future Mrs Jones bton a I love you too well these two people must be together this person that I assume is is uh Mr Burton and this young lady Dusty Carley we love you

too I'm thinking Dusty carsley might be the other person in the picture if Cameron says oh thank you and the other person says oh we love you too I'm thinking that's the other person so I go to take a look at Cameron's Facebook friends because if you're trying to find Cameron the police are AC looking for Cameron they don't know where he is do you think one of these people might know or if not one of these people that I've shown maybe one of the one of the total of 77 book friends that he has might one of them actually know where Mr Burton is and the young Miss Dusty Cary up there um there's a picture of a nice young man

there sitting next to her I sincerely hope that it's not his father it's the one criminal but I look at her Facebook photos and I can see that there must be romantically involved do we really think that maybe Dusty might know where Cameron is I'm willing to bet that there's a pretty good chance that she might not guaranteed but that she might indeed know where Mr Burton is there was a Cody Burton mention it appears that Cody Burton from my other research Cody has two Facebook pages Cody is the brother of Cameron the mother's name is Corey future Mrs Jones Burton and there's an aunt named Connie Burton these people have a thing with C first initial C last

name Burton There's real big theme going on in his family or there's a cousin down there you think these people might actually know where Mr Burton is at so again putting on my white hat I'm like the information that was might be put on a bail bonds application or that the uh the police might have on file for young Mr Burton is probably incomplete but thanks to the miracle of the internet we can get an entire picture of all those people that are involved in his life that might know where he is and with regard to bounty hunters and Skip tracers they pretty unrestricted on what they can do if they want to go find out if Mr B was one of

those people's houses they can do it so that was fun I didn't go as as in depth with Mr Burton as I did with the banking employees and again I didn't go so deep into the banking employees that I really expose them to hopefully any more danger than they might already have been in so that was fun just to see one more piece of information I went back to Dusty Carl thing and I found out wait a minute Dusty's in Tennessee the police can't find our young Mr Bur Dusty and Cameron are pretty heavily involved I'm thinking maybe Cameron's in Tennessee either Mount Juliet or Lebanon Tennessee um given that those are two towns that are mentioned in in dy's

profile that's not a true indicator he may or may not be there but for investigative purposes I'm willing to bet that at some point law enforcement ship may be looking to investigating into those locations so that being said if any of you know a bail bondsman or a private detective who does this kind of work and has been doing it the old Gumi way I encourage you to have them contact me because I don't have to move to their City I don't have to live in their town I can do this in the comfort of my own chair and my home office the same way I do when I do help Hope security with a penetration test I

don't have to leave my house to do o I got all this information without ever having to follow anybody and it nod to my mentor my mentor one thought that maybe I could talk about actively going and getting information like digging through somebody's garbage um and doing other methods like that actually doing surveillance taking photos but the impetus behind my talk was I didn't want to show that information because that all can be done that's all actionable intelligence but it again exposes the individual to a risk and my comment back at the beginning about being a smooth criminal was to stay as far away from the actual location as possible and show that I can get this information from a

nice company chair at my house I want to thank you guys um I hope I gave you a little bit of insight on what PO is about and what it can do um how easy the information is to get um and then not ad in the audience a did a great um hting Workshop in for Indiana for our Issa chapter two years ago been a while yeah sometime in 2011 so anyway my contact information is up there like I said I'm a systems administrator by day that's my day job um I've got some fancy certifications up there in education my Twitter handle is at WL that's my that's my website not the company's website that I work for

that's my website wf.com and my email address that's my personal email that's the one that goes to my house that I check on a regular basis I'm sorry Terry I didn't I didn't check in the past couple of days anyway I want to thank you guys um does anybody have any questions about methodologies or or does anybody any comments on another way I might have approached those scenarios cuz all this good information when I when I'm doing a penetration test and I'm trying to provide a scenario why did I get the information that I did and what was my thinking behind doing it so that when you go to a client and you have that nice report you go okay well

this is where we think the Threat Vector might have came from so every information is good so how much do you think the searching can be automated I use automated tools when when all of the other other intelligence is starting to get harder to find I switch to automated tools I don't start with automated tools um automation is fine but it's going to miss a lot of the pieces that were in the cracks I could have used Malo I could have shown that with with a tool like Malo I could have gotten more information I could have shown a lot of other stuff I could have shown like the IPS that are used within the bank and

maybe done some other stuff I didn't want to use an automated tool because I wanted to show that none of this that I did requires an automated tool it requires a a mindset of of trying to approach it from the outside and do some uh puzzle solving some problem solving so to speak anybody else scare anybody I hope if Angela Beck or jeny ljo happen to see this video somebody points it out know I hope I don't scare them too much I want them to know that I have their best interest at heart I have the reason for giving this talk is to show that we all need to be a little bit more um aware of the information that we

have out there and what could be done with thank you guys very much [Applause]