
ZOMG It's OSINT Heaven!

BSides Las Vegas · 2015 · 26:14 · 96 views · Published 2016-12
Tags
Category: Technical
Style: Talk
About this talk
An exploration of open-source intelligence (OSINT) techniques and how easily personal information can be aggregated from public sources to identify and locate individuals. The talk demonstrates a real case study of tracking someone across multiple platforms—LinkedIn, voter registration, property records, and social media—using only publicly available data, and discusses the risks this poses to privacy and personal security.
Original YouTube description
PG - ZOMG It's OSINT Heaven! - Tazz Tazz Proving Ground BSidesLV 2015 - Tuscany Hotel - August 05, 2015
Transcript [en]

yes yes like have you seen gilmore girls just talk like them really really really fast all right cool yay so again welcome to day two that's really loud I'm going to step back here so welcome to day two this is the proving ground track this is Tazz and she's talking about oh my god it's OSINT Heaven ok we have 25 minutes and 24 slides so we're just going to go as quickly as i can so i can answer questions if you need if you have questions for me i will be working the underground after this talk I'll have I can meet everybody outside for questions and everything else so hold questions to the end and my contact

information is going to be on the last slide so this talk just a going to have a quick card overview this is a spawn off another talk that we were going to do here that we weren't able to do then i'll show you how we're all worried about what you're putting out tweeting your debit cards and things like that on the internet we'll talk a little bit about what open source intelligence is not what magnifies it and i'll do a quick ones out of a case study and answer questions and if there's time we'll run the demo of the credit card guessing program that i wrote all right me just as I don't represent any

particular employer I love fight and play hard that should probably start with fight love and play hard and my contact details again on the last slide so some of you have seen me tweet retweet actually beat up people about tweeting their debit card this is one of our friends who thought that you don't need the three digit code on the back of the card or you must have it to go purchase something yeah you guys go ahead and think that if you want to but you're going to give them their credit card people think oh it's you know all redacted you can't see my name you can't see things that I would tell you that if

a bad guy wants to show you a credit card he's actually probably more interested in stealing your life so how easy is it to steal a credit card number credit cards conform to a set of rules in the industry there are 14 to 16 digits I know you guys are thinking 14 yes there are credit cards that require only 14 digits they're American Express is 15 and they don't put the 16th digit on there because it's calculated they all follow the same rules though it has must have an industry a vendor bank account and a checksum at the end of it if I know where you work and I know you have a corporate credit card I know what

industry you're in I already know the first digit of your credit card the numbers are also set of permutations you have a basic set so if you cut up your credit card and you cut it into three pieces and you take out some numbers in the middle I can still get your credit card number because all I have to know is how many numbers do I not have I have my options of zero through nine for digits how many places do I not have if I don't know two well then that's 10 to the second power of how many possible credit card numbers are so people are thinking 10 x 10 that's a hundred possible credit card numbers right

she'll be there all day trying to steal my credit card number well thank you to the Luhn algorithm which tells me which out of those 100 are not valid credit card numbers will never pass a credit card check and that just throws it out so i have now cut my options down and honestly if you take out two the algorithm will result in 10 valid credit card numbers available to me I write a little script i go out i do one-cent charges to a website and bing one of them is going to go through and i now have your legitimate credit card number stealing your life is actually almost as easy as stealing your credit card number

the reason is we have all of these things about us we try to say well I'm only sharing this much information over here and I really didn't nobody knows my last name and nobody knows my real birthday my whole birthday well it's easy because the overlap in the center and anybody with enough time and patience can steal your life if you give them just enough information to get started so we'll talk a little bit about open source intelligence the acronym is OSINT or OS-INT depending upon who you ask and one single OPSEC fail is OSINT heaven to somebody like me when I'm doing things for a good purpose legally and legitimately so what is not open

source intelligence open source intelligence is not the open source internet is actually intelligence is actually going out getting pieces of information putting them together so that they build a picture and allow people to take action or make decisions those actions and decisions are usually not going to be in your best interest it is not the dark web you do not none of the information you're going to see here came from the dark web or whatever term we have for dark web now the other internet or something like that it is not conducted with a magic button is not somebody that has 6,000 scripts and 25,000 api's and they put one piece of information into press go and it comes back and tells

them everything it does not require expensive tools everything you see here was you'll see in this talk was done without a single tool that cost me anything I did not spend a penny other than my time to do what we are going to cover here in the case study and it's not something that only the government does and truth be told the people that are screaming and making noise in public forums about Oh take that don't take that down are not the ones stealing your identity because a real criminal isn't going to let you know that he's looking and take stealing your identity so the multiplier for what I call the US Internet we're going to go off center

adding these are just a few of the applications that make my hobbies easier most of them are free almost all of them will allow me to do a free basic search for information that I take as a pivot point or a springboard and I go forward so our case study is going to be about a single post where there was a single user ID and a single comment and how I was able to find out everything about this guy even down to where what coffee shop he goes to and probably what toothpaste he likes before I get started do not break the law we do open source intelligence unless you work for a law enforcement office that says you can

break the law no not gonna send you to jail because we don't do that right um shut the [ __ ] up about what you do nobody's going to jail for you do not get on Twitter private DMs IRC and talk about what the [ __ ] you're doing if you're not supposed to be doing it okay if you wrote some tool to hack something to break any cheat not use an API key that you were supposed to buy it off [ __ ] come talk to me after the talk about this I don't want to hear that i don't like you that much and i'm not going to jail for you either nobody else in this room is be safe and don't

be a hero if you find something out there that is your pet peeve and it burns you because you discover child pornography do not be a vigilante you need to turn that kind of [ __ ] over to the authorities immediately if you are not a police officer or a lot of course maps or somebody doing a bona fide investigation and you stumble across [ __ ] don't download it to your computer so I was all looking into these things and I need to report this you need to stop whatever you were doing as a hobby and you need to report that immediately um consult a lawyer if you're afraid of anything before you go to the law

enforcement officers but don't be a hero and don't try to take somebody down by yourself okay so now we're going to get into the open source intelligence part of it i went from user ID to google he and oh wow so with one google search off of this person's user ID not even knowing his name at the time these are just some of the urls i was able to find immediately with a carefully crafted google search he's a guy men in their money right you guys in your dollars ladies we're here is your hand ladies okay pinterest hobbies you know Oh makeup blogs you know how am I gonna get my kids to school ways to save time at

home trying to get kids off to school yeah okay or just as bad as they are but poke at them in so a lot of blogs and forums that you go to you may not know it but most of them actually put a full year month date timestamp of your comments some of them make it obvious it's right down the side with the date and time was that you posted it some of that information isn't immediately visible to you on the UI but there are ways to extract that information without using API keys and without having to do anything complicated a lot of times the F12 button works really good if you're in Internet Explorer because

it will be metadata that is tied to that post so I go to your post i put my mouse over and I click on it I hit F12 and boom in the metadata I can see what your date and time was of your post okay I also was able to find a date of birth month and year based and calculate that based on those date-time group stamps i know that he was single and or dating and when he was single and when he was dating that his job title as he called it what he did is his passion and career in what state he lived in all off one forum now it took me a little while to read

through posts to get all the information that is why OSINT is not a magic button I actually had to go to the sites i had to click on the post and i had to go through them and they made it so easy for me wow he had how many posts down in the bottom right hand corner you'll see search users posts because I like you and you're all about being popular in your blog forum right because we all need our internet friends right yeah so I went to search his posts found his profile with the exact same user ID that was associated with the other post now I don't know at this point in time that

this isn't somebody else with another user ID right could be somebody else using the exactly how many times are we going to use get our user ID somewhere else and it's already taken right so I had to gather this information to put it by as possibly identifying this individual also that his job he's self-employed he was 26 when he made this post he lived in Texas and he was single all in that one forum so if you can math you can usually figure out somebody's birthday he helped me out by complaining on Twitter that UPS didn't deliver his Christmas stuff when he needed it and I was like okay all that was the other guy mm-hmm so I took the

one I got in that forum and you searched big you always have to start big and then get narrow and the reason is because if you go out and you pick something that's very narrow scope you may leave out your real target or be not there may not be enough information in another forum where you're trying to get the circles to overlap to find out who the person is so I started big with just a petroleum landman and a keyword of self-employed and I use keyword independent and LinkedIn again carefully crafted linkedin search didn't have to pay for LinkedIn and I got that I had X amount of results within Y miles of Houston no I'm not going to tell you how

many and Y cuz some of you are going to try to take the slides and go out and find him yourself so then I narrowed it down I will tell you that I had slightly over 30 results so I've got 30 possible douchebags right so I go out and I eliminated them first got rid of anybody that wasn't 28 I know it's a guy so females were out that was easy I eliminated anybody that was a lawyer or a business owner that was in the petroleum business anybody at they stated that in 20 stated who wanted his post in 20 thousand something of the year of our Lord he um yeah was self-employed so I could go back and

look at his LinkedIn employment history and anybody that wasn't self-important that was self not self-employed they were out then anybody that was employed by while he was self-employed so he's not employed by anybody else right okay narrowed it down to associated with I wound up with one guy out of 30 after I had some other eliminating characteristics not on the slide one post with that user ID I knew what his alumni was thanks to the post that was up and so I was able to narrow it down to the only guy that went to UT oh did I say that okay yeah I needed his whole birthday voter registration is a great place to guess somebody's birthday this

site hmm did I say where there Oh Harris County um Houston Texas they will allow you to put in a person's full name and their birthday to get their voter it verify I'm sorry verify their voter information well I get N number of guesses I know he'd already told me he was at the end of the month of July his birthday was in a couple weeks so I start with July 31 and the year enter no such record found process of elimination in about five or six guesses I and had his oh yeah we found the person you're looking for here's your information so yeah voter registration great place to get home address information so I now have his name his

career on his birthday and where he lives because they are so kind to let you know that your street is in which voting district I then take that and went to another online search source one that was mentioned in the previous slides of graphics I took his LinkedIn name for the guy that I had believed that it was and I went in and wow they gave me his phone number all the little associated with down there that includes his aunts his uncle's his cousin his grandmother and his mother and father so now I have all of the family's information and i also got to find another place that he lived that when he wasn't in Texas when he was in college

which oh by the way after i went back to the original source with the user ID in the post that spawned the whole thing i dug through that time line a little bit and everything overlaps poor back to overlapping circles and why it's so easy to steal your life i have not even been to facebook just let that sink in for a minute so i took something from the left side at a source on the right side which gave me more things that i took to another to the left side to another source in zigzag back and forth down your chart and that's pretty much how I follow the breadcrumb trail so again no magic button no expensive resources to

complete this we love our picture phones our smartphones except for Brandon Brandon raise your hand Brendan doesn't do smartphones he's so secure so so I take the so then the next thing i did was i just looked for a photo overlap so where did you post the same photo so i do finally go out to facebook and i find the guy that i think it is right i think it's this guy magically he has the same pictures on this other account this totally not associated with him because he's nowhere mentioned on facebook right um yeah and all of the photos like not all but like his LinkedIn photo overlaps his social media account that spawned

the investigation has some the exact same pictures I run them through and I will get TinEye some of you have heard of TinEye TinEye was one of the things that I used for cross-referencing data but there are enough overlapping points that we were able to say with reasonable certainty that this was the individual again he also had travel dates and activities that were overlapping between accounts like he may not tell you when he was gone but he will say hey last week when I was in Florida blah blah blah and this is on one social media account and then another social media account with a completely different user ID you wouldn't know that it was

associated with him was oh wow he was there and on Facebook his friend was with him I found his friend in the other social media account hey that guy has another friend with the exact same pictures but a completely different name so at the end of the day this is where we come up with I started with one user ID and at the end of the day and I haven't shown all the tools and all the information I had his date of birth his current employer former employers almost all of his social media accounts and their other ones that were not supposed to be him I knew where he went to college when he graduated which high

school he went to what football team he played on what position he played I actually knew from the financial forums other places that he was keeping his money and things he was attempting to accomplish I had his name his address phone numbers emails I had a bunch of URLs that overlapped with where he was at and he was dumb enough to actually go favorite the same organization on his Facebook page although he didn't like and comment on things but he had them in you know the Facebook like things what are those things called the organizations you follow I don't facebook so sorry I stop facebooking so long ago and then probably the worst one is the Association details because a lot

of times people if there's you are coming after you they're not going to come after you directly they're going to start following your friends and family and as you can see I found everything down from that guy's grandmother great-grandmother father mother brother sister cousin uncle and their associations from one website so you actually if you're out there doing [ __ ] you shouldn't be doing you shouldn't have these social media accounts because you're putting your friends and family at risk and so if you guys have kids you guys talk to your kids about that putting the children at risk if you guys are out doing things that you shouldn't be doing I called one young lady's mother when she posted

stuff on Twitter yeah I looked her family haven't I called her mom and dad and I was like so oh by the way your daughter's making herself a target for a pedophile who lives two blocks over from you needless to say I had her mother's attention and I gave her mother the website to go find the pedophile to confirm that what I was telling her was not BS her daughter had posted her driver's license because it was a milestone event for a sixteen-year-old to get their drivers license oh my God look at my driver's license full name address I think she took like a little rid it pick art edit thing and tried to line through something like we couldn't

just read the letters above and below and figure out what it said she tried so um it was that easy so Facebook is great but you don't need facebook to do open source intelligence and honestly I don't start with Facebook because it to me if you go out and you look for some a name that you think it is you may completely miss all the other stuff that's out there I like Facebook because Facebook at the end of the day it's right here Facebook will confirm for me everything in all of the other areas that I pal it will be where you've put it all together because we're an open source we're in the community of security and we do open

source intelligence and a lot of us run around with aliases everywhere else but we are real people to our friends and family right we have our real name up there and we're very careful we lock our facebooks down open security people do you really lock your facebook down so people can't see stuff yeah your friends in we probably don't lock their facebooks down as well so I would tell you that if you're doing something in security and its high profile or whatever I actually would strongly encourage you to get rid of your facebook account because Facebook brings all the pieces of the pie together to make a single apple pie and that's actually the end of my talk I

[Applause]

think I have four minutes for questions we have any questions I just yes sir if you wanna 12 yeah hi my name is Paul I'm from Poland most of the tools you showed us are like us-based for searching info about people in US but how about people living in Europe do you know about tools and maybe use them about the finding info about people in these may the screen captures you saw on the AUSA Internet's life those aren't limited to us-based people okay so it wouldn't be a problem to find info about anybody living in Poland for example if they I would tell you that the e the EU has done a very good job about having a

forget me policy I will tell you that people that live in the EU have not done a very good job of using it oh ok thanks [Music] the question is what do I recommend we do to protect ourselves to make it harder my first recommendation honestly is get rid of facebook seriously that's my first recommendation and it's not only because of what I can find it's because the APIs that they have the ability to search and eat you guys remember the big scare years ago about the graphing thing on facebook it's not gone I'm just going to tell you that you may go make an account now and it may not work for a car

accounts there are historical accounts to which I still have access that I can leverage that so where facebook has publicly said oh we don't do these things there are accounts that still have access to I would honestly tell you to do that one you need to educate your family and your friends talk that I'm giving here now you need to take this information back to your friends your family your churches or social organizations and you need to have this talk with them you guys need to be giving back to the community and doing free talks to educate people on the risks so if you want to protect yourselves educate other people on how to not be stupid yes yes disinformation

disinformation is another good thing hey I was over here you know Florida was great this weekend even though you were in Germany or you were in Washington State disinformation is really good it has to be random it can't be like every Wednesday you post a new post because that's so obvious that every wednesday between 12 and two you've put that you are somewhere well i know that you aren't that's just too obvious i've seen that but disinformation has to be semi legitimate so what I used to do is if I talked to a friend and they're like oh yeah I was here last weekend I would go on whatever my other account was and i

would put oh yeah such-and-such was a great time you know and then next week some other friend that was over some well yeah that's right i want to go or i would just you know I'd flip a coin in the beginning of the week and you know Mondays and Fridays was heads Tuesdays Thursdays was tails Wednesday was reflip because I sorry too predictable and you know pick a friend and hey that's who I went to go visit you know and that friend hasn't mentioned anything about me being visiting them you know so that people like okay well maybe that's not the right person but disinformation is another good thing and you can and I remove yourself from

the grid it is very difficult but you can do it and if you i will repost these slides and i believe if you want to write it down i think it's albino com al bi NE they have a very good list of sources of and they offer a service to help remove you from the grid you can send that please remove me emails and you know some of them are going to require you to show that you are who you are and you have to send a copy of your driver's license redact certain things and then they will delete you out of their databases and they will prevent their databases from syncing with the other

databases where they're pulling in your data but i think it's albino aam yes I think I'm a question I their unfriend unfriend if you don't give a [ __ ] about me then I did at that level then I don't need to give a [ __ ] about you at that level unfriend yeah died well if you don't care about me enough to respect it unfriend i love you i love you from a distance i will text them on we will catch whatever unfriend seriously well if they come to see you talk they want to learn don't waste your breath on people that won't listen yes ma'am and I think we're out of time oh it goes okay

well while he sets up I can I answer one or two more questions than why you said it like us I'll get out of your way yes