
great so uh yes uh hi my name is Ken Westin um today I'm going to be talking about every contact leaves a trace I'm going to talk about this some investigations that I've been part of I've been involved in security for a little over 15 years now um again I live on the Oregon coast I currently work for a company called Panther we're a modern SIEM I'm not sure if anyone doing the purple teaming workshop with me today okay I got one person in the workshop great um so uh yes we'll be doing uh some fun things with some SIEM and some investigations and running defensive operations on Okta so it's gonna be a lot of fun if you have space you know
recommend you show up um so uh yeah I've been involved in security for the last 15 years but prior to working for various vendors I've really like doing investigations so I've worked for companies like Splunk Elastic I really like the analytics space and really trying to do Deep dive investigations particularly with a lot of times pieces of data that people may not consider forensic artifacts and things like that so I'm going to talk about some investigations that I've done where I've actually unveiled organized crime rings and also talk about how some of these tools and techniques that I've used can also be used against you one of the challenges I think that we have right now is that a lot of marketing
especially in the US they have a lot of information around you so when information gets compromised it actually makes you a bigger Target and a lot of people aren't aware of some of that so this is what I kind of refer to as my Wall of Shame so these are photos of people that I've actually put in prison um I had some technology that I was actually tracking um around stolen devices so it was a kind of fun little startup where you deploy an agent and then if it got stolen you'd activate a web camera I would get location from Wi-Fi networks do all the really fun things and along the way I ended up getting really
heavily involved in helping law enforcement I know you guys may not believe this but sometimes law enforcement are incredibly lazy and a lot of times they don't have the some of the resources to and or some of the tools to be able to conduct some of these investigations and sometimes they would piss me off and so that's when I would go out and I would try to dig a little bit deeper so I would gather more information around some of my targets and as a result of that I ended up unveiling organized crime Rings there was a lot of Russian organized crime groups in particular and where I live and um they would fence stolen a
property a bunch of other things that were they were doing that were pretty nasty um so uh I did a presentation around this at DEF CON 23 um and of course uh you know the the talk I I titled it you know confessions of professional cyber stalker I thought it was being funny um but of course the BBC then says hey I'm a professional cyber stalker and they put this big face up there uh Motherboard called me the real real life Mr Robot so if you ever want to get become a dox target um you know get these kind of headlines it's all horse crap it's I'm not I'm not that great if I have a hacker I'm
actually incredibly lazy you'll you'll kind of see that um so I'm kind of curious did anyone know who this is this photo has anyone ever taken a forensics class like not digital forensics but like real forensics like all right so this is Edmond Locard so Edmond Locard was he was sort of the forensic uh I guess the grandfather of forensic science they referred to him in France as the um like whatever the French uh it was like a great investigator right uh Sherlock Holmes The Great the French Sherlock Holmes so he actually uh developed a lot of the concepts that we have for forensic science today um he uh his before DNA he was born in
1877 um this was before DNA and fingerprints and all that stuff but a lot of the things that he was telling us about forensic science are things that we learned I mean he has this concept um and it's called Locard's exchange principle and it's every contact leaves a trace now the idea behind this is that when someone commits a crime let's say a murder the idea is that they leave something behind but they also take something with them and what I found true when I was I started reading about this guy I was like this carries over so much into the digital world the trick is how do we know where that data data might reside there's always a
way there's always a trace there's always something in a log that we can actually identify a suspect there's got to be a way for us to do it when someone's committing a digital crime what have you and I'm finding that this is even more so now we have IoT like we carry our devices with us everywhere pretty much any sort of Investigation into a crime that's happening now is going to have a digital or a forensics component so just kind of keep that in mind if you're going to commit a crime make sure you leave your cell phone at home so uh you kind of think about this I kind of think about this as like the
Quantified Self cell phone you think about all the pieces of data that you actually have about you and they're sort of these little artifacts you have your social security number in the US you have you know these device IDs phone numbers MAC addresses you think about all these little pieces of information out there we're actually leaving trails of this every single device that we have our our watches on all of our maybe home automation systems that we have like everything that we're doing here we're actually leaving a digital exhaust uh Trail as as well the trick is being able to try to connect some of those dots when we're conducting investigations so um everyone here seeing these kind of
things and you're like your your investigation like your CSI right they're called crazy walls so it's great to have all these little pieces of information but you really need to be able to connect those dots and what I found is once once you can connect one dot it may be part of another dot that's when an investigations really start to unveil themselves and you can actually get a lot of information about a particular individual or a particular group um you guys are familiar with Maslow's hierarchy of needs you might also be familiar with the Pyramid of pain with TTPs so I I figured in infosec we all like our pyramids right so um this is what I like to refer to as
the hierarchy of data bleed so it starts at the top as data that we create so it used to be you know back in the day before the cloud when we had our computers we had we had we had software we would run on a computer called Microsoft Office and we would be word and we would generate that we would generate these documents we wouldn't necessarily be sharing with them but that's information there as soon as I I upload that or I email that that's when um you know there's additional logs and traces that get associated with it but when we're interacting with websites and applications and APIs what happens is there's actually data that
gets created for us what happens here is as we start to move down this hierarchy that our control of that data gets lost particularly when we start to get further down the Spire here when we get into Data created about us so when I go and I buy a plane ticket right a lot lot of information gets sent to them to the airline the airline maybe cross references some of that information with no fly list there's a lot of places where this information is actually getting shared in almost real time and then we have Shadow data and that's where a lot of times we have data that gets compromised in data breaches we have sometimes that information is
collected for us from like credit bureaus all sorts of information data Brokers people always talk about doxing back in the day as a form of hacking nowadays the only tool you really need to dox anyone is called a credit card that's all you need to be able to get information about particular individuals so if you get access to to this information whether it's from data Brokers or if it's compromised data Maybe from a breach you can actually you know search for that information in the dark web and get access to again a lot of information that you shouldn't really have but if you really are wanting to learn something about someone their passwords there's all these sorts of
things it's very easy information to get nowadays which could scare the crap out of all of us so um how I got started with a lot of this stuff was um I was working for a company I was sort of a one-man web Army I was building their websites I ended up having to secure the web servers that was sort of my introduction to security just basically securing a LAMP server um the company I worked for they then started selling a tool that would actually block USB flash drives there was an issue now like great we're securing the perimeter but if I can plug a flash drive into a computer I can install Trojans I can do all sorts of
interesting things with stealing data and this tool that they were selling would actually block that and give you more control over who would be able to download or use those particular tools and so I got really interested in a lot of the black hat tools that were out there so I started downloading them playing with them started creating some of my own and I thought you know it'd be really great to build a website to raise awareness around this because this is a big issue very easy for me to download these tools put it on a flash drive plug it into a flash drive or a network and I can compromise the entire thing you guys
ever heard of a little spyware or a piece of malware called Stuxnet yeah that's how that's one of the attack vectors where the USB flash drive I happen to work for some people that were involved in that um but uh um so I I wanted to uh create this just the idea here was to raise awareness right I didn't want to go out and show like here's a bunch of hacking tools go do crime um I wanted to raise awareness to administrators so I created a website called USB hacks where I would upload some of these tools explain how they work started creating my own um that was the first time the FBI contacted me
um they are you know they want to know what the hell I was doing once they realized you know this is about raising awareness um and I even had situations where I had people that were true cyber criminals I think they were nation state actors actually reaching out to me asking me how to set up certain things it sounded like sometimes they actually had um an Insider in some of these facilities and they were looking for help and how to compromise networks I just forwarded those on to the FBI right away like hey see like I'm helping you um and uh yeah I end up collaborating with them on a lot of Investigations later on
this doesn't work there we go um so basically what I did was I decided to take some of the the malware um that was being written and um I was working on my Master's dissertation at the time and I was like what there's got to be a way to turn this into a good thing um and I started messing around a lot of my friends I would be putting these flash drives on um or the the malware on flash drives and send it to my friends you know see them plug it in um you know I'd send all this other information that was able to get about their computer and I said hey I'm going
to put this out there and see if people are interested in this for theft recovery purposes so if someone steals a flash drive or an external drive you know the idea here is it has this USB Trojan you plug it into the computer it hijacks the computer it's connected to when you try to access the drive and it sends information to the Mothership the username the IP address and things like that and I was just curious I put it up on Digg.com so for those of you who are young it's like Reddit for old people like back in the day um it got on the home page and it got dug to death I twenty thousand people
sign up for this free service and what was awesome about this is I was basically crowd sourcing what devices were actually supported because I had a little bit of code in there that would actually tell me what devices were being uh were being accessed so I found it was working with external flash drives I found those working with the old school GPS devices I know it's hard to believe that it wasn't actually in your car like you know just kind of letting you guys know how old I am but I even have the specific models and everything and then that's when I decided I was actually going to do a little startup around some of this stuff and it actually worked I
started actually getting people that were installing on um on like iPods and there would be that people would change their usernames and their family this were very easy for us to identify who actually unstole the iPod most stuff was like high school kids things like that screwing around with this stuff and then it got uh pretty serious I got one case where a university Professor had installed it on his flash drive where he had his PhD dissertation um and he had a student that looks like they they stole the flash drive off of his desk and it was difficult because initially we were getting just an um IP pings from just a t like an ISP it's
very difficult to get information just from an IP address unless you have law enforcement involved to actually fill out all the paperwork and again I'm lazy and a lot of law enforcement are lazy so we don't want to deal with that but I started getting additional connections from the University of North Texas and then I contacted their campus security and they on their I.T folks and they work with me we're able to identify that in that particular IP range it was actually one specific computer lab the year prior they had actually had a bunch of laptops stolen or a computer stolen out of that particular lab so they actually installed cameras and they also have this these sort of card swipers so
I was able to give them the time when this occurred the computer that was affected and we're able to figure out specifically who was actually in that room at that time and there was only two or three students and they were able to narrow down to one they waited outside of a class as he was leaving and they were able to get the flash drive back but it was just an interesting thing is that we had IP address but it wasn't until we had access to all this other information we had a video of the person doing their card swipe right so we had plenty of evidence to identify who specifically that was um and then um I kind of got a lot of
noise in the media and there's this company called FLIR anyone heard of FLIR before they make a very high-end thermal imaging cameras these cameras cost anywhere from like three thousand to three hundred thousand dollars um and they were really interested in this not just for theft recovery they want to offer it as a sort of a premium service but also they were having issues with export controls these are devices that are not allowed to be um they're an embargoed into certain countries because they can be used for nuclear purposes um and they were running into situations where these cameras were showing up in places they shouldn't and they wanted to see if they can utilize my technology to
solve it one challenge we had though is that the the agent would get installed on the SD card and one thing is if someone rips the SD card out and then puts a new one in right the agent's gone so I actually work with them to actually embed something in the firmware so it would actually look for the SD card if it was new is the agent been deployed if not redeploy the agent along with some other files and then I disguise the the the executable and that's my cat knobby there's a thermal image camera so that's why I disguise the application as and they ended up using this for quite a few cases they they got a few cases where it
was stolen um they couldn't tell me specifically where um but they did also track down um a couple of cases where uh devices were being sold by a particular distributor they were going to countries that they shouldn't be selling they couldn't give me all the details because you know of course investigations but it did work so that was the important thing um so then I I started getting interested more and okay the flash drives are great but what about laptops I started looking at the time and they actually had a company um called it was like LoJack for laptops it was a company by Computrace they actually licensed the name and I was looking at how they were
actually doing their theft recovery and it was incredibly invasive and basically when you have this technology you provide a back door into your computer and they hire like ex-law enforcement folks um and then if you get it gets stolen then they can log into your your computer and they can do various things for tracking it um and I was like there's got to be a different way at that time the first iPhone was just being released and I noticed that it didn't have a GPS chip but it was able to get location what they're able to do is use Wi-Fi location and so I contacted the company that um that made it called Skyhook and I said I
want to I have this idea I want to apply this for theft recovery purposes for Macs will you work with me and they gave me access to the API and we set it up so that if someone steals your laptop will activate tracking um and um I didn't want to have a server uh at this time I didn't want to have to deal with like photos you know being sent to my server then I have to secure it again I'm lazy I don't want to deal with that um and it's it's also a big issue if someone does get that compromise that server um you know there are certain liabilities associated with that when I
can activate someone's web camera and send a photo every 30 minutes right uh so I I integrate with Flickr so if you you sign up for your Flickr account you download the software um and then you would activate tracking that's all you would do on our our end uh and then it would send photos it would send the GPS the GPS coordinates um uh to your Flickr account and it actually worked we actually ended up getting my first recovery it was this uh it was in New York it was a it was an iMac Not only was the iMac stolen but a bunch of camera equipment was also stolen from someone's apartment and we activated tracking and I was getting
these uh photos and you'll see in the the background here there's a lot of other interesting toys like uh mixers guitars you got all these musical instruments almost like a pawn shop and I had to work with law enforcement on this one and it was this cop from New York he was kind of an sorry I shouldn't swear but um but he was a real jerk and uh he um he's like you know I haven't had to deal with this stuff before you know I've dealt with his Computrace jokes I have to get this IP address I got to go fill all this paperwork out to get information from the ISP and I'm like no
no this is a wholly different approach like I I got the Wi-Fi positions within 10 to 20 meters of where it actually is um and and then all you need to do is just print a photo out here just ask around and he's like don't tell me how to do my job I was like okay like just do it of course he did it and uh come to find out it was actually a tattoo parlor and this was the owner um and he this is the office in the in the back they went in and they actually ended up recovering all sorts of other stolen property he was running a fencing operation out of the back of his tattoo parlor
um and uh there was like four or five other laptops that were recovered in this one so is that when I said we had a 500 recovery great um but uh that was that was the first one that we had and then there was a bunch of other ones that we had in Portland Oregon where I live uh we had a bunch of schools that kept getting robbed of laptops so I I worked with the school district I said hey here let's set up some bait laptops um so what would happen is like they would uh get laptops stolen then a week later they would get new ones and then like that weekend they would get stolen
again I was like you guys really need to up your security system in the schools um and so what we did we set a bunch of bait laptops we didn't lock them up or anything we just had them laying out sure enough they got robbed and we I was able to trace it to a particular house and I gave that information to the police they went there and I told them it was within 10 to 20 meters I go there you know it's not going to be exact you know GPS coordinates it's going to give you the general area the police officer shows up and and uh the guy that answers the door um it's the guy that does his roof and
he's like you have no idea what you're talking about you just wasted all of our time and I got pissed off so I went out there and I had my laptop up I had my Alfa I was I was getting sniffing up the Wi-Fi signals I wanted to make sure that it was valid and I I go out there and I'm like I'm right here actually across the street from uh where it was and I look over and the Wi-Fi network I kept seeing was like Russian Pride kind of thing I look over and there's a bumper a car with a bumper sticker that says Russian Pride on the bumper sticker and it was next to it was a duplex it
was the house right next to where the police had gone and so I'm sitting there with my like a like a nerd just like my antenna sticking out of my car and then this guy walks out this person and he's looked right in my car and I'm like I'm panicking I started looking at my laptop like I'm looking for directions um and then I finally called the detective I told him the situation um and they ended up getting in there and there was a six or seven people that were actually involved in this um this uh organized crime ring um and then he goes yeah like you know these some of these guys are really bad
like not not this guy but the guy that lives across the street that's his friend he just got out of jail for like um the manslaughter and I was like you mean where my car was parked thanks um but yeah we ended up busting them um it was funny I thought I was going to have to around this time I thought I was gonna have to go to court and like you know say who I was um in front of a bunch of Russian organized crime groups um I was getting a little nervous around people with Adidas tracksuits um but uh it was it was so yeah but um they ended up getting them to all think
that they all turned on each other so they were all they ended up all ratting each other out so I didn't have to go to court that was nice um and so I had another one um this time we had a laptop that was stolen and it wasn't getting any connections for like two weeks I'm like great they ripped out the hard drive reformatted it like you know we'll never see it again but then two weeks later I started getting the uh pings um and it was very far away from uh where it was originally it was out in Missouri um and uh I started seeing that there's this kid and he actually he was nice
enough to change the username on the computer to his full name so I had his I had his first and last name I started doing a lot of research on him like I had all these photos of him like there was even a photo of him in a hotel with a girl behind him kind of a sketchy situation all sorts of interesting things that he was doing um and then I also found out that he was really into cars um and so I was found um his MySpace he was a power seller on eBay he was selling um car parts right so kind of gave you an idea of what he's doing like stealing car parts
and selling them online um and the nice thing is he's really into really in the Scion cars and see what he's all these forums and so I I found a bunch of photos of his car so he also had his license plate number that was really nice um in this case I actually worked with the D.A we had enough evidence um they said even if he doesn't have the laptop this is enough evidence for us to get him for possession of stolen property what happened was um when um stuff gets stolen they would actually load it up into a truck in Portland Oregon and then they would send it to Missouri and then they would exchange
stolen property because the first place you're going to look when your laptop gets stolen is your local Craigslist right that's why they were trying to evade that um and the guy that gave his laptop was actually um Victor's father he was the one that sort of um the kind of the the leader of this whole group and he had given him his son a stolen laptop for his birthday as well as a stolen bike and then Victor sold the bike in the laptop to his friend Omar here that's Omar there so we're able to again we we ended up getting this back there was probably another seven or eight people that were involved in this particular
case but this is where I started again started getting more um uh like an OSINT I started doing more investigations digging more into the profiles of some of these individuals um I had another one it was actually International this was an interesting one um there was uh two guys this guy was actually a Veterinary student um he had a laptop in the back of the car they were held at gunpoint um and they had the carjacking um and uh they beat the crap out of the driver almost to death um and then his uh then they they took off with uh the car and the laptop um and we got we were getting photos and
the um the police in Brazil were really interested in this because I guess these people were involved in a number of these cases and they ended up going in there and they were able to catch these guys that were doing these very rather violent acts um so again they didn't necessarily know they were stealing a laptop that was trojanized with my software but we were able to catch these people that were actually assaulting individuals um then I started getting more into phone uh smartphones I was more interested not just in necessarily tracking them because a lot of times people don't care about the value of the device what they care about is the data um and so I built a tool to actually
back up um encrypt data and it would do it in such a way that I wouldn't even have access to that information if the police like came to me and said hey we need this person's backup of their photos on their contact information I go here's the encrypted blob you have to go to them for the pin because I don't know it there's no way like even if they hacked into our server like and they download the data there's no way that they would be able to make any sense of it unless they had some of these keys so it was a cool technology it was a startup I had it was a failed startup
but hey at least we got to build some cool technology but here's a little video I actually ended up making a deal with a wireless chain of stores they actually deployed the technology to their demo units because they were getting stolen quite a bit and we had a really interesting case so I'm gonna stop talking so you guys watch a video spent the past two days with police investigators on the trail of swiped cell phones he's live outside the Washington Square Mall where the theft took place at well the managers of the Sprint Store here at the Washington Square Mall behind me say they're very confident that tracking software developed only miles away from here and put onto their
demo phones will lead to an arrest uh this is a 500 phone this ends up being a 450 phone two empty display cradles are all the remains after someone stole two demo cell phones from the Sprint store at Washington Square Mall on Saturday moments after surveillance video caught the theft on tape employees initiated tracking software installed on the stolen phones they were able to not only find a GPS location of the individuals that took them but also we've been able to uh to monitor any activity that happens in the phone that activity turned out to be pictures someone took shortly after the phones were stolen Tigard police admit It's A Brave New World with pictures taken on cell phones
can be told to send back pictures once they're stolen and that has not only piqued the interest of our investigators but in essence appears at this point could be very credible information for us to follow up on the Portland creator of the software tracking the theft says police are on the right track if they're not the thieves they definitely know who stole and if you look over the head of this man you'll see in the window an Oregon temporary permit Philip this is Ed with the help of a GadgetTrak investigator on the phone we tracked the stolen phone signal to this Vancouver apartment complex there we found the exact temporary permit and hi if the young woman who told us off
camera a man she called Peter had sent this photo to her but says she knew nothing about the phones hi my name is Eddie track the second cell phone signal to this duplex about eight blocks away you don't have an a Samsung Epic phone in this location finish were here yesterday looking for it we're back live now outside the Washington Square Mall retained within the MV records temporary permit Tigard police say they hope the men in the pictures will contact him soon so they can explain how their faces ended up on a stolen cell phone back to you thank you and teach out the contractor is Accused by that's helping track them down so uh so that was a fun case um that was
another one where they they got like half a dozen people um they actually did recover a stolen car it wasn't that one but there was another car that was stolen that they recovered in the process um and it was another uh kind of Russian organized crime group um that was was doing that um so kind of with this too like I got um I was really nervous about some of the things we were doing with some of the mobile spyware um but the thing is like people would install it on their own devices that was the big thing is like you install this on devices you own we're not trying to hide it we're not doing anything like
that like stalkerware that was a big concern of mine but I see a lot of stuff that's happening right now particularly in the in the malware space and you guys probably familiar with NSO Group and the Pegasus spyware so this is a kind of a scary uh shift I think in spyware where you have people that are building a commercial spyware leveraging zero day exploits and they're targeting people that are innocent it's one thing if you're targeting criminals with some of this technology but there's a real concern now where if you're targeting dissidents or you're targeting journalists which is the case here it's a really a big concern so I've been pretty heavily involved in trying to
fight some of this stuff so I I'm pretty against this approach one thing I've found is that a lot of times when organizations are may rely on some of this technology if they rely on spyware for their investigation it truly is a sign of lazy investigations it means that they have no other means to identify some of these these suspects and you know they're going to need additional information anyway but just my belief is I I think that we've sort of opened Pandora's Box when it comes to this and it's something I think we need to be really careful of um so kind of interesting is that you know we got a lot of information from
some of those images so you know we had a trip permit on the back right that that was really helpful um so sometimes especially when you're dealing with criminals one two of the key main vulnerabilities I run into um were uh stupidity or I guess arrogance and greed those are the two main things they they think that they're always going to get away with it or they get greedy those are the two things that usually get them caught um and so I was really interested in this too because when we were getting some of the GPS coordinates a lot of times it wasn't very accurate from some of these phones um but what was more accurate was with
the GPS coordinates that got embedded in some of the images and that's what actually led to us to tracking these folks down and so I started getting more interested in in the EXIF um image data that's actually embedded in these images and um I again went down another Rabbit Hole I actually found that a lot of higher end cameras like a Canon things like that they actually embed the make model and the serial number of the camera that took the photo in the image itself at the time there wasn't really a way to search for that so I was screwing around and I started building a little database I had a crappy little Python script that would go out to
Flickr download the image it would extract the information and put it into a database but I looked at it like it was like five billion images on Flickr at the time and I was like this is going to take forever there's no way I'm going to be able to do this with just me at the time I had a friend that had a startup and it was sort of like this sort of distributed computing concept you know SETI@home you guys ever seen those it was like that but you would basically you would give out your idle computer time and we'll run projects on those computers and we'll pay you for it and they had access to
over like 500 computers in various computer labs around the country and so I got to deploy my script to it and we mined basically all the Flickr within a week so I had this database and then I put it out in the media like you can do a search for the serial number of your camera and then it'll show you all the images I found online that um were took that from that camera um it wasn't just Flickr I found it with a bunch of other photo sharing websites I also found Twitter even though they they'll scrub the EXIF data from images you upload I found a lot of the profile pictures had the EXIF data still in it
so you have these tiny little like icons and I was finding all kinds of information like GPS coordinates like serial numbers all this other stuff so it was really really interesting project and this ended up working as well um there was a guy he was actually a photographer that was on assignment for Getty Images John Heller and he turned around and nine thousand dollars with the camera equipment were gone his bag was gone and he heard about this search engine I built this is a year after it was stolen and he contacted me and he goes we got a hit and he found that there was a photographer on Flickr he was also then able to see his Facebook
profile in that uh he was a professional photographer and he had all of his camera equipment on a bed here in a photo and he goes That's my camera right there and so what what happened was the camera got stolen it got sold to someone on Craigslist and then that person sold it to someone on eBay and that's the guy that actually had it he wasn't the criminal but he did have to hire a lawyer because he was in possession of stolen property he had explained the whole scenario they went back to the eBay seller he felt bad he gave him a refund and then he told the police where he actually got this on Craigslist and
they even had the address of the apartment this is a year later the the police go to that apartment sure enough they they go in there and there's all sorts of stolen property that are in this apartment another fencing operation was unveiled so I think this is interesting because one little piece of information that was embedded in an image led to the unveiling of this larger crime that we've identified and I had a bunch of other like this too there was another one where I was in Virginia a guy he was showing this really nice camera to someone he's about to move to California and he's out in the garage and the guy just like shows him the cash
and then let's go look at the camera shows them the camera and then pops him in the face grabs the camera and takes off um in a car we started researching this guy and it was funny is he changed his camera every like one or two months he had a different camera I had all these different serial numbers um he I also found some of his other photos like he did some where he was going 120 miles an hour down the freeway while he's smoking weed um with his girlfriend um he also had an unlicensed firearm he liked to take photos of himself with so I I provided all of this to law enforcement and this was interesting
it's like they weren't really interested in following up I mean we had GPS coordinates of where they were smoking weed and going 120 miles an hour but this was a case where the police just didn't want to get involved at all so we didn't actually get any recovery but it was really interesting again combining sort of the the telemetry I was getting with the EXIF data and then also adding some OSINT on top of that again I was able to show and unveiling sort of the crime that was actually committed um the EXIF tool um I got reached out to by ICE um there's a group they do child exploitation investigations unit um and they're doing some really cool
stuff like where they're even logging um like uh photos of hotels like what are the what curtain patterns look like what did the rug look like what uh what does bed spread look like um so in a situation if they get an image where there might be a child that's going about to be exploited they can say that is in California that's such and such a chain that can actually identify it before it actually becomes an issue and so I gave them access to this API for free they can't tell me if they actually utilize it that they said it was helpful but the idea here is that if um you know Joe pervert is doing this
sort of thing and he goes on vacation with his families taking photos to Disneyland uploads it to Flickr and we're able to get a connection like that same camera was used in these um innocent immigrant crimes then they'd be able to hopefully you know stop some of this before it happens again I'm not sure if it actually caught any bad guys but it felt pretty good that they found it was useful tool for them so um and then you know I was thinking about this too when actually I presented some of this stuff when I was at um DEF CON um I had a lot of media that reached out to me um and one of them that actually wanted
us to to hack a smart home um there was a lot of you know smart homes were sort of new back then um and there was a lot of vulnerabilities with it uh and uh they said you know can you come in what we want you to do is we'll give you 24 hours um you can hack the smart home and then what we're going to do is we're gonna have a party we're gonna invite a bunch of people to the house and then you got to mess with people and I'm like sign me up let's go so here's another video Vicki Johnson's new beachfront house is not only spectacular it's smart she can control most everything from her phone
or tablet it's pretty smart the drapes go up and down automatically we can close doors we can flush toilets we can turn lights on and off we can turn the air conditioning on and off TVs music it's a brilliant house we were told it was hack proof we'll see about that they think they're coming to take a tour of smart house but what we're really doing is hacking her house during the party and potentially the devices of every guest who walks through the front door helping me are two cybersecurity experts Craig Young and Ken Weston so first we need to break into the Wi-Fi Vicky has 28 devices connected to the home's wireless internet once they were
into the wi-fi system our hackers were quickly able to commandeer the home's cameras these are the security cameras to the house that you've hacked into exactly here we actually can see this is actually our car this is the front door if you don't secure them properly then they become insecurity cameras first we turn off the lights [Music] then with control of the security cameras we divert the video signal and play it on the TV in the living room with everyone's attention on the TV the hackers talk to the guests we have [Music] take the lights the security cameras now a special message from me in the car is piped in I'm Anna Garcia from Crime
Watch Daily and this house has just been hacked it was free or cheap for the people that are actually implementing the the installation but that poses a lot of security risks as you can imagine so that was fun um what's what's funny is like the what led us to get into it is um we uh we sent a bunch of data we actually use a cloud cracking service to actually crack the password and we get it back and I'm like wait a minute you know we spent like 200 bucks on the service and then I looked at it was like this looks like a phone number I Googled the phone number and it's his cell phone
number that he has on his website you see what's selling real estate um so I was like we could have saved 200 um but the interesting thing with that one we use the WiFi Pineapple for it like it was like default passwords for everything that's why it was very easy to get into all the systems um they didn't show it but I was actually able to flush the toilets too because they had a cleaning mechanism and so I would sit there and I was I kept kept flushing people in the bathroom um we ended up breaking their sound system too which uh luckily like we didn't have to pay for that but um yeah we got into a bunch of stuff it was that
was actually a lot of fun but it also shows like again like you know a cell phone number for your Wi-Fi like you know if someone can get into your house I also had access to a bunch of their file shares like you know he had again real estate like he had open file shares they weren't protected at all so we could have done a lot more like we were very cautious about you know how we're doing this particularly because it was on TV um Vicky Johnson's new house is here slide so another thing I kind of did too when I was there was an investigation I was working on where I kept tracking a
laptop that ended up going to Mexico we never got it back it kept it kept coming to California and it would go back over the Border we kept doing it I was able to get some information about a particular individual and I started doing searches for them and then I stumbled into this thing where I was like wait a minute this is a prodigy um I I actually can get into this person's email address without having any sort of authentication and I found out that it was actually a vulnerability with Telmex that acquired Prodigy in Mexico and there was a configuration on the server so basically all authentication were removed and all of these emails were actually indexed by
Google so I did responsible disclosure I told Google about it and then I I told um uh a journalist I work with them about in El Economista and we were talking about this and then uh it was there was a big article that was going to go out in a paper about this vulnerability because it was like thousands of people's emails that you know I had access to I could have done all kinds of nefarious things um and then Carlos Slim which is a very wealthy individual in Mexico and also contacts with a lot of media he put the kibosh on that so it never got you know in the main newspaper but I still
counted as a win so I did a little bit of vulnerability research I also did some research into when I was investigating credit card fraud um and carding and things like that I found in like a dark web forums there was a lot of exchange of information for hackers cyber criminals and white collar criminals at this time cryptocurrency was becoming a lot more popular and you actually had scenarios where people were actually advertising hey if you have insider knowledge that we can use to trade on stocks we'll give you a percentage of it and there was uh this case um and I kind of help with this where those around 30 million dollars in illicit trades were being made there was
this guy a Duplo group he used to be a a VP at Morgan Stanley and then he became a minister at a church um and uh he ended up going to going to jail for this but um this was interesting this was like 30 million dollars and there was a recent one um another one with an FSB agent in Russia and on other groups that were colluding with this and they made around 80 million dollars in illicit trades but there's a couple of talks if you do a search for black hats and white collars you can read more about my research on this but I just think it's kind of a fascinating topic so again kind of we talked about a lot
today was like how we're able to use small pieces of information to gather larger profiles you know the everything I did I've done is really tracking criminals I I don't go after innocent people but you think about how a criminal can actually use some of these same data sets to target you also authoritative regimes they're they're using these sorts of information piece of information as well to dox individuals and so I think this is something we really need to be conscious of all this EXIF data and stuff that I have access to like I like they've removed all that they scrub it but what's interesting is the FBI Twitter all these social media platforms do you
think they throw that data away no they have access to it and they can use it for investigations again if those Services get compromised and a hacker cyber criminal gets access to that information right they can use that information against us so that's one reason why I'm in cyber security now is because I think we need to protect that data best way to protect the data is not to collect it in the first place so I think we need to think about that in our risk models but then also how do we better secure that information in general um and with that if you guys want to learn more about how to protect your data come to my workshop right so I'll
be teaching a purple teaming Workshop later on today after lunch but I again I really want to thank BSides Dublin for having me and thank you so much