Confessions of a Professional Cyber Stalker
Formal Metadata
Number of Parts: 109
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/36385 (DOI)
Transcript: English (auto-generated)
00:02
going to be talking about being a professional cyber stalker. I actually founded a company called GadgetTrak. Kind of fell into it. I was sort of a reluctant hacker and CEO and I actually learned quite a bit along the way. I basically started developing various theft recovery tools to help recover stolen devices. I kind of got into also the
00:24
investigation side because law enforcement needed a lot of help and I'll kind of talk about some of those challenges and things I learned along the way. So I've actually assisted law enforcement with a number of investigations and not just with the tools I developed. A lot of times they would come to me for other theft recovery tools or other data that they
00:43
may have and I'll kind of talk about that, too, sort of how to harvest information from social media and other sources as well. I'm not with GadgetTrak anymore. I'm currently a senior security analyst at Tripwire catching a different type of criminal and dealing with different types of data. But I
01:00
still keep involved in some of this stuff with some of the investigations. So for those of you into some hardcore justice porn, this is my wall of shame. These are actual cases I've been involved with. You'll see a lot of photos taken by web cameras. I blur their faces out to protect the guilty. And some of these are also some of the
01:24
folks I actually recovered devices for if we didn't have photos of them from the web camera. So what's interesting is that more than half the time when I went to go recover a device, the police would go in and they would find other crimes that were committed. A lot of times there were
01:40
fencing operations, drugs, they would find people that actually had warrants for other crimes, even got involved with a very violent carjacking and the laptop sort of served as a Trojan to help us identify and find the people that were involved. And also, you know, by basically Trojanizing devices, you know, itself becomes a Trojan providing visibility into these larger criminal
02:02
enterprises. And I'll go into some of the details of these cases throughout the presentation. So that being said, you can probably imagine some of the work I do doesn't have its critics. It's usually from folks who don't quite understand the intentions or the background of the tools. The fact is there are incredibly ‑‑ tools that are much more
02:20
invasive that are available to do more nefarious things such as rats, a lot of malware out there that people can use if they actually want to spy on someone. You know, during the process of developing the tools, I was very concerned about how the tools might be used and also concerned about privacy. Actually investigating some of the other theft recovery tools that were out there, I found a lot of them actually
02:40
had back doors into the systems. They would actually gather more data than they really needed. And so I tried to develop a tool that was both useful for law enforcement investigations but also balanced the privacy implications as well. So I also found on mobile devices in particular that applications gather a lot more information than what I
03:01
did. And I'll talk a little bit about that. So a lot of things that marketing applications do are more scary than some of the information that I would gather for theft recovery purposes. I got started with this when I was working for a company that was specializing in blocking USB devices. This was a long time ago, 2007, 2008. My
03:22
exposure at that time to security was basically just as a server administrator trying to secure web servers and managing websites. And I got really interested in actually how these USB-based tools were being used to compromise networks. You know, hacking is hard. Trying to access a network from outside is very difficult. But being a lazy
03:44
hacker, you know, using USB devices to compromise a system or steal data, it's a lot easier. So I started actually working with these tools and I actually created a website called USB hacks where I actually started posting some of the tools that the community was developing. I started working with some of these myself. And it was
04:00
really interesting. I started getting some interesting inquiries from both sides of the law. That was the first time the FBI gave me a little call. But I think once they understood my intentions that this was more about raising awareness because at that time nobody was actually talking about this or providing these tools. And now, you know, at least they had those tools to play with. So
04:20
network administrators can actually test their networks to see how it would react to these particular tools. A lot of researchers actually still ask for those tools. So I actually put the URL there just below the title. So if you want to download those, just be careful. Most should be picked up by antivirus. But you can still modify some of the scripts and it will still work. So, you know, after
04:42
I brought it down, I thought about, you know, what if I was able to utilize these tools and actually make them more friendly, right? So instead of taking a trojan and actually causing damage, what if we turned that into a happy trojan? Right? So, you know, the idea is very similar, is that,
05:00
you know, you plug in a flash drive, utilize auto run capability, you run a binary and you're able to gather a lot of information. And, you know, you can do a lot where you can grab hashes, you can grab all this stuff. But for theft recovery purposes, I figured, you know, we get the IP address, we get internal network address, we can do some geo location just off of the IP so we at least know what
05:22
city they're in. But the more useful information was the computer name and then the user name of the person that actually is using that system. And through that, I launched this as a free tool. It was actually part of my master's degree. It's the system that I built. And I put it out there for free. You know, I was just kind of curious if people would be interested in this. It got on
05:42
the home page of Digg and it got dug to death. It was like 20,000 people registered over the course of two to three days. And as you can imagine, this was all coming to a central server. So it actually, you can actually activate tracking remotely and then when the device gets connected, it will then send data to the owner. So I was
06:00
able to harvest a lot of information about the devices that this was working with. And it was far beyond USB devices. I found it was working with external hard drives, GPS devices, because that's how you update the maps at the time. It worked with also the iPods. So if they didn't have the right software all the time and you plug in one of these iPods and you access it, it would
06:21
actually get triggered as well, which was pretty interesting. I've gone ahead and I've put the actual USB client source code, at least one version of it, up here. So if you guys get the slides or you want to download it, it's C++. But then here's the autorun capability, right? So this was a massive vulnerability that Microsoft put
06:43
out there. It's still present today. You'll even see systems that are vulnerable in industrial environments, healthcare. They're still going to be running Windows XP and they're still vulnerable to these types of attacks. And I'll kind of show some examples of that, too. So you think that this, we would have learned by now that USB
07:01
devices are bad. But even Black Hat this year, a lot of people, they scattered a bunch of flash drives out and they fell victim to it and had data stolen from their systems. I'm not sure if it was an innocent bystander, hopefully it wasn't any of you guys. If it was one of you, get the hell out. So one thing I learned is the
07:20
trouble with getting the IP address. We talk a lot about attribution. You know, this attack came from China. Well, you know, IP address, you know, it's very, very difficult to use for attribution. One thing I found is that law enforcement don't like paperwork, they actually don't like doing a lot of work. So when you're dealing
07:40
with IP addresses, they have to do a lot of filing. They have to go through to get a court order, to get that information from an ISP. You know, some of this process can take anywhere from two weeks to three months. It really depends on who you're dealing with. It also doesn't, it's not identity. It doesn't actually put the person in front of the computer. So you can go and you can recover that and it's like, yeah, that wasn't me. I
08:01
don't know. There's also, you know, it can help with the probable cause, but it's increasingly becoming a challenge to use IP address for probable cause. It's not always accurate as well, especially nowadays, you know, you have mobile hotspots, people with Starbucks, things like that. So IP address really isn't working very well. In general, it takes a really long time. When you're trying to recover a stolen device, it's a major hassle
08:22
because time is of the essence, especially when these devices are getting fenced. So with this, though, I had the first that I know of, the first iPod recovery. And it wasn't from IP address. I was getting a lot of these things where a lot of kids were installing on their iPods and it was easy because a lot of times these kids would steal it and then they would go home and then they would plug
08:41
it in and then it would be like the Colopagus family. There's only one kid that had that last name. So the school was able to actually get the iPod back for those kids. So it was kind of fun. And I think it was cool, too, is that this time when we did this, is this the idea that if you steal something, it can be tracked. So I like to think that maybe that had a little bit of an impact on people's
09:02
wanting to steal these devices. And also through this process, when I learned all the devices it was working with, I found that it was working with these high end thermal imaging cameras. So I was actually approached by a company to develop a custom agent for them where we actually would use this to protect these devices that are
09:21
around $3,000 to $300,000 thermal imaging devices. So it was a very similar process. The one thing with this was that they actually wrote the images to an SD card. So they're like, well, what if someone takes out the SD card, you know? So we actually wrote some custom code in the firmware where when it puts in a new SD card, it will
09:40
actually write a new agent back to the SD card. So even if you put a new one in, it's still going to block it. What's really interesting, too, is that they were just concerned about theft recovery but also these devices are export controlled. And they were finding some of these devices were ending up in countries that they shouldn't be. So that was another sort of additional measures that they
10:01
wanted to take. So if one of these cameras ended up somewhere and was connected to a computer in Iran, for example, they would be able to map that back to the reseller who actually sold it to them. And so with this, too, is that I disguised ‑‑ and the other agents I disguised the agent as a passwords file. On this one I disguised it as a thermal image of a cat. Meow. So this is
10:28
actually some stuff that I was working on. I never actually released it. I was actually looking at how to do similar things with OS X. You don't have the auto capability but you can still trick people. One of the big vulnerabilities I like to exploit is greed and stupidity. But I found some
10:45
things that were really interesting is that, you know, using AppleScript and why AppleScript, why not Objective-C. First, I'm a shitty programmer. And two, AppleScript is trusted. It actually has a lot of interfaces with a lot of other applications. So if you're targeting an Apple
11:00
system, you know it's going to have iTunes and it has an interface with this. And that's what I'm going to leverage. So one thing I found, too, was that Apple is a little tricky. Sorry, it's kind of tiny. You guys can't see that. But I disguised the Trojan as a MP3 file. What's
11:21
called a dot MP3 on an app. It'll throw a dot app at the end of it. So it's trying to help the user so that they know that's an application. So the first rule was to try to trick that. And I've used what's called a homoglyph. So basically trying to find a character that looks like a period. And there's a little Turkish character called an ogonek. If you put that in there instead, it won't throw the dot app on
11:42
the end and it looks like it's a dot MP3. And I have a demo of this, too, which I'll try to do at the end if I have time. But then further, you can disguise the icon, which is pretty simple. And I've actually put some of this code up. I'm just going to go through some bits of it. So there's an object where you can get system information.
12:02
There's also another one you can get where you can get all the applications that are currently running, which is cool. You can then write some scripts that will then interface with those applications and try to steal data. The biggest one was I was trying to, you know, exfiltrate data. Sure, you can do things with shell scripts and whatnot, but sometimes that will throw errors or alerts. So what I did was I just found a way to
12:23
actually exfiltrate data through iTunes. So I will basically grab all the data that I want and then there's some transcoding that I do. It's included in the URL here on my GitHub page. It's got the full script. And then I'll pass it out through iTunes. And then iTunes, I
12:41
actually will stream an MP3. So you think you're listening to some music while in the background we're doing some bad stuff. What's neat, too, is you can actually do shell scripts from AppleScript, which is great. And I'm not sure if you guys saw the new vulnerability. So I threw that in here. Just be careful if you run that on your system. It's not on the one on GitHub, but still
13:00
review the code, please. I don't want to get in trouble. So, you know, USB is still an attack vector, you know, still a threat. We saw that with Stuxnet. We recently saw some U.S. power plants that actually were
13:22
infiltrated with employee accidentally bringing in infected USB sticks. Again, a lot of those systems are still running vulnerable versions of Windows XP, which I think pretty much all of them are vulnerable now. And also we just saw this here again at Black Hat. So, you know, it still is a threat. So kind of moving on. You
13:42
know, IP address, you know, that's the one piece of information, but a lot of times you're going to need a lot of other data. This is a crazy wall. You guys have seen this in all the CSI shows, right, when you're trying to track a murder. They have all the evidence and they put these lines, right. And that's kind of the thought process that I follow as well. Tools that actually make this a lot easier nowadays are like
14:02
Maltego. It automates a lot of that process. So I'm not sure if you ever used it, but it's a pretty great tool. And you can actually write all the custom transforms to do a lot of this work. But basically I had a case where I was tracking a flash drive, just to give you an example. And, you know, we were able to get the initial IP address and it was a weird
14:21
user name, too. It wasn't something that would actually identify a person. And we mapped it to an AT&T subscriber. But, you know, AT&T is going to take like three months to track it down. And the flash drive was from a professor and he had some research data on it. But it was still hard to convince law enforcement to spend their resources to go out and actually track this
14:40
down. So but we did start getting connections from a university and a specific computer lab. So that was useful. Because we also get the internal network information, which is useful. So we went to the university IT department and their campus security. And we found that, yeah, so we got a time stamp, we have an internal address, but these are guest
15:02
computers. So there wasn't actually a student ID when you log in. So we're still not able to get the specific person. But I started asking questions like what other data sources will we have here? And come to find out, you have to swipe your student ID card to get in. And so they have logs there, right? So we were able to access those logs. We tied that with the
15:21
time stamp. Now we have a list of who is in the actual room. Add to that, they also a year before had a number of systems that were actually stolen out of that lab. And so they actually had cameras as well. What's really cool is that a lot of people don't realize that a lot of these cameras when they actually store the data, there's also a log file that gets generated. So we're able to correlate that time stamp as well to identify who specifically was
15:42
in that room. And they were able to use this information, found out who it was, you know, had the professor as well as the campus security outside of the guy's classroom the next day. And he got his device back. And all his information was still there. Yay.
16:04
So after working with USB devices, I wanted to find ways of, you know, looking at how to recover more expensive devices like laptops. You know, I looked at a lot of existing tools and they relied heavily on the IP address, you know, which is, as I mentioned before, takes a lot of time. Some of them, actually
16:21
they'll utilize more invasive techniques as well. They'll actually open up a back door into the system. So they'll have recovery teams that can deploy that. They can install key loggers and other things like that, which I found that to be overly intrusive and I think in many ways makes the system more vulnerable. They also will sometimes put stuff in the firmware and muck with that. So there's
16:42
a lot of risks. And I found that, you know, we don't need to go to that extreme. I think there's other ways of going about it and recovering devices. So I combined utilizing the web camera and, you know, with Wi-Fi based geolocation. There was a company that was already doing the web camera on the Mac, but no one was utilizing Wi-Fi location. This is around when
17:01
the first iPhone came out and that's what it was using. So I worked with Skyhook and got that deployed for this. So we're able to get geolocation, we're able to get camera information. So this was sort of a game changer, especially for law enforcement. There were some challenges with it. So the way it worked is that you would activate tracking on a remote server. The device would
17:20
check in to see, you know, if it's been stolen, if it's been flagged, if it's supposed to start gathering evidence. And there's a lot of different things that would trigger that. If it moved to a new network, if the IP address changed, if there was a log in event. So it was pretty smart. It would also note if it changed location that it would also check in. And so it would then send information. And at the time I didn't want to
17:41
manage a server, especially with the photos and things like that. So we just had to go directly into Flickr. So you actually register your Flickr account so that way you have control of all your data. You don't have to worry about a third party accessing your information or activating your camera and spying on you. I don't trust myself. So whenever the laptop would connect, it would get the location from Wi-Fi, it
18:02
would capture photos and it would do this every 30 minutes and it would do it very quickly. So the location would be like a blip. You wouldn't even notice that it was on. So for location, I used Skyhook Wireless. It was a great service. But now geolocation is embedded in all the operating systems. There's APIs for it. And
18:22
pretty much every major, both laptop as well as mobile operating systems. You can also get location from the Google maps API. So here's the call to how to go about doing that. So if you want to write your own scripts to track your devices, that's a good way to go. So the first recovery I had was actually with this
18:42
tool was in New York. I had to work with a New York police officer who was kind of an a-hole. He was basically saying, he was really frustrated because he had to deal with these types of tools before and he's all pissed off because he's going to have to deal with his paperwork. And I'm like, no, you're fine. So the location is
19:00
within 10 to 20 meters. And he goes, okay, well, what's that mean? I go just print out a photo of the guy, go to that location, ask around. And he's like, yeah, don't tell me how to do my job, all right? But then he did, right? And they go in and it was this owner of a tattoo parlor. And if you look at the photo in
19:21
the background, you're going to see a lot of cool toys. So there's a nice big screen TV. There's all sorts of cool synthesizers, all kinds of audio equipment. And so when the police finally went in there, they found the customers, it was an iMac, and they also found three laptops from different cases and a lot
19:40
of others still on property. So this is one of those examples where you trojanize an app and then the trojan app is sort of unveils all these different crimes that are being committed. So at that one I said we had a 300% recovery rate because the other laptops were recovered. So another case we had was in Portland,
20:05
Oregon, where I live. There was a group that was repeatedly breaking into schools. So they were targeting a bunch of Portland schools. They kept stealing laptops. What was really frustrating was that they would do this continuously. They would go in, they would steal the laptops, the district would go and replace
20:22
those laptops. A week later these guys would come back in and they would steal them again. It was like four or five different schools that this kept happening to. So I approached them and I said, hey, I got an idea. So we deployed this software to a bunch of bait laptops and we left them out. We didn't even put them in
20:41
their locked cabinets and just let them out there. Sure enough a week later they got ripped off. So we got the network information. This was a bit of a challenge. We were getting some photos. We actually got it to a house that was in Vancouver, Washington. So that's kind of the next state over. It's right next to Portland. We got the location to this one
21:03
particular neighborhood. Again, the location is within 10 to 20 meters. So I told them about this and gave the information and the detective working on it. So he goes there and he thinks it's an exact location. He just goes to this one, it's a duplex and he goes to one side of it and the guy that answers the door, he knows
21:20
him. It's the guy that works on his roof. So he's all pissed off at me. He's like, you guys don't know what the hell you're doing. So I was pissed off. So I drove out there and I started actually looking at the wireless. I don't know if you guys see it, but there's a little street there. I pulled in and I pulled out my laptop and I started looking at the wireless networks in the area to make sure it was accurate. And sure enough, the thing is there was a
21:43
wireless network that was called Russia and I look over and right next to the other side of the duplex there's a car and there's this big Russian pride bumper sticker on the car. I swear to God I'm looking there and a girl comes out and starts watching the car and the
22:01
guy who we have a photo of walks out and I'm like, oh, shit. And he looks at me and I'm looking like I'm looking for directions on my laptop, right? Like I'm lost. But I called the detective and they came out and finally they were able to continue the investigation. What's interesting with this is they never actually told the software was involved in their case. I was an
22:20
anonymous source and they ended up arresting six to seven people that were in this case. It was an organized group. They were stealing a lot of other property as well. Some of them were pretty bad dudes. And they got them to think that they ratted on each other. So it was kind of cool. So for
22:40
some reason there's a lot of sort of these Russian guys that are involved in stealing property in Oregon. I was involved in another case where the laptop was stolen and we didn't get anything for two weeks. I'm like, oh, man, they reformatted the hard drive or something, right? But, you know, I tracked it and we started getting a ping in Missouri of all places. I was like how the hell
23:01
did that happen, right? So we're getting this and there's this guy named Victor and he was nice enough to change the user name on the computer to his full name. That was really nice of him to do. So he's really trying to help us out. But I had photos of him everywhere. The first one we had was at McDonald's and at one point he was in a
23:23
hotel that was really shady and there was like a girl behind him. There was something going on there. But I was able to find that, yeah, I found him on his MySpace profile and I really noticed that he's really into Scion. He's a big car nut that's really into Scion. I found that he has
23:40
a bunch of posts on a lot of different forums on Scion showing off his car. So that was helpful, too, because then he gave me his license plate number. He was also a big eBay seller. So he was selling, he had a store and he was selling all kinds of car parts. So you can kind of tell what kind of business he's involved in. And then he was nice, too. Well, not so nice, because he sold
24:02
the stolen laptop to his friend, Omar, as well as a stolen bike. And what happened here is when the police actually went in, this is the first time we worked with the district attorney, he said, you guys have given us enough evidence that even if he doesn't have the laptop, we can bust him for possession of stolen property. So that was kind of interesting. Sort of like making case
24:21
law. But what was happening is that there's a Russian group that was here in Portland, they would steal a bunch of property, they would load it into this big white van and there's another Russian group in Missouri and they would swap stolen property. Because where's the first place you're going to look when your laptop gets stolen? Craigslist, right. So they're kind of
24:41
smart there, but not that smart. We got them. Oh, yeah, and Victor, too, it was actually his dad who was involved in the one. So it was a birthday present. So his dad's a nice guy, gave him a stolen laptop for his birthday. And now he has a criminal record. Thanks, Dad. There
25:02
was another case where he was in Brazil, so it's not just in the U.S. This was actually a little bit challenging, working with the Brazilian police. But there were a couple of guys that were in their car and these guys came out with guns and said, get out of the car. And then the driver, they
25:21
punched him in the face, knocked him to the ground and then kicked him. He had like broken ribs and a broken nose. And then a guy who actually installed my software, he had left his laptop, it was still in the back. So we started getting pings and then the police were actually really excited about this because they were, I guess they did this quite a bit, right?
25:41
So they were assaulting a lot of other people as well and stole a lot of vehicles. But it's just a good example of how this can work internationally as well. It doesn't just have to be the U.S. Sometimes it depends on law enforcement, how willing they are to help out. But there's ways of convincing them. And here's the customer with his laptop back. He
26:01
was a veterinary student, too. He just finished his dissertation and he didn't have it backed up. So he was really happy to get it back. So then I also moved on to mobile. So mobile is a little challenging because geolocation is easier because it was already in the device itself. But IP addresses become much more problematic. We also wanted to, we found that
26:23
people really don't care so much about the device as the data. So we built a system for backing up photo and contact information. And I was really concerned about actually doing that, like storing people's photos on a server. First of all, if we get hacked and someone accesses all of our customers' photos, that could be
26:41
really bad. Or the contact information as well. We saw this with the fappening, right, the risks that are associated with that. So we built a system so that when you actually install the app, you enter a key, a privacy key, so it actually encrypts your images and your contact information before it sends it to the server. I like this, too, because
27:02
if we do get hacked, their data is still protected. Also, if law enforcement comes to us and they want information, yeah, here you go. It's a big encrypted blob and they have to go to the customer to get that key. And then you can also do the data wipe and things like that. So I built this tool and I have a little
27:22
bit of a video here to walk through one of the cases. So hopefully the video works. ...that's helping track them down. News Channel 8's Ed Teachout spent the past two days with police and investigators on the trail of swiped cell phones. He's live outside the Washington
27:42
Square Mall where the theft took place at... Well, the managers of the Sprint store here at the Washington Square Mall behind me say they're very confident that tracking software developed only miles away from here and put onto their demo phones will lead to an arrest. This is a $500 phone. This ends up being a $450
28:03
phone. Two empty display cradles are all that remains after someone stole two demo cell phones from the Sprint store at Washington Square Mall on Saturday. Moments after surveillance video caught the theft on tape, employees initiated tracking software installed on the stolen phones. They were able to not only find the GPS location of the individuals that took
28:23
them, but also we've been able to monitor any activity that happens in the phone. That activity turned out to be pictures someone took shortly after the phones were stolen. Tigard Police admit it's a brave new world when pictures taken on cell phones can be told to send back pictures once they're stolen. And that has not
28:41
only piqued the interest of our investigators, but in essence, it appears at this point could be very credible information for us to follow up on. The Portland creator of the software tracking the theft says police are on the right track. If they're not the thieves, they definitely know who stole it. And if you look over the head of this man, you'll see in the window an Oregon temporary permit.
29:02
Philip, this is Ed. With the help of a gadget track investigator on the phone, we tracked the stolen phone signal to this Vancouver apartment complex. There we found the exact temporary permit and a young woman who told us off camera, a man she called Peter, had sent this photo to her Saturday evening, but
29:22
says she knew nothing about the phones. Hi, my name is Ed. We tracked the second cell phone signal to this duplex about eight blocks away. You don't have a Samsung Epic phone in this location? No, at least we're here yesterday looking for it. We're back live now outside the Washington
29:41
Square Mall where we've just obtained within the hour the DMV records on that temporary permit. Tigard Police say they hope the men in the pictures will contact them soon so they can explain how their faces ended up on a stolen cell phone. Back to you. Thank you, Ed Teachout. The contractors...
30:02
Thanks. Thank you. So, you know, it's helpful, you know, we had, you know, the footage, again, it's kind of like I was talking about with, you know, the video camera footage that's helpful, you know, actually see where they caught it. We had some challenges with some of these devices because the, for some reason the GPS
30:23
coordinates were, with our software that's accessing it wasn't right. But luckily the photos that they took of themselves did have the GPS coordinates embedded in it and we had a time stamp as well, so they're really helpful. As I mentioned, you know, stupidity is one of the better vulnerabilities that helps us out quite a bit. You know, we were able to get the location from that as well
30:42
and of course the trip permit, you know, that's just, that's just ridiculous. But they ended up getting these guys and they, again, they ended up, there were five guys that were involved in this and they're actually stealing other property. One of these guys actually had a warrant out for his arrest already and they also, in the process of investigating this, they also recovered
31:01
a stolen car, so. And so what I learned from this too is I started looking at, you know, the data that's actually embedded in the images, which is really helpful. So there's a lot of metadata that's actually embedded in it. A lot of you are probably familiar with it. It embeds GPS coordinates, it has a time stamp and I also started looking at high end
31:21
digital cameras and I found a lot of them actually will embed the make, model, and serial number and a really good tool here, there's a URL, it's called ExifTool, if you want to mess with EXIF data, write scripts to do this kind of work, you can do that. I also have a tool called exifscan.com where you can upload an image and you can see what,
31:41
if there's GPS coordinates or serial numbers embedded in it, you can do that. And one thing I found is that there's several camera brands that actually will embed that serial number and many of them are high end cameras, so I wanted to go out and see if I could use this for tracking stolen cameras.
32:02
One thing I found too is I had a reporter that actually asked me, you know, there was a thing about celebrities getting their nude photos hacked and the EXIF data, the media kept saying, yeah, the phones were hacked, but in actuality the EXIF data revealed that it was actually multiple phones over the course of several years.
32:20
So the odds of it being one device that was hacked were very slim. So the point of compromise was actually email, it was a guy named Chris Chaney who was just guessing their passwords, now he's serving ten years in jail. So I looked at like, how can I use this information, there wasn't a way to actually search for it. You can search for a serial number, sometimes you'll see something on Flickr, but
32:42
I was like, I want a database of this data where I can actually go through and identify that. So I worked on an experiment with something I was actually helping another startup friend of mine, they were doing a thing called CPU usage where you can actually, you know, you give up your idle computer time and they'll give you money
33:01
for utilizing that, so a bunch of computer labs and universities were using this. Sort of like SETI at home, but for other projects, right, and then you as a researcher could harness the power of thousands of computers. So we wanted to experiment with this, so I wanted to go through and I wanted to mine Flickr. So the way that works is I wrote some scripts
33:22
that go out and hit the Flickr API. Flickr was very restrictive on the API and how many calls you can make. So trying to do that from one system and trying to do it quickly, they're going to block you. I actually talked with a friend of mine who had some issues, they saw the data and they saw the reports coming through, they're at Yahoo, and they were trying to figure
33:42
out who this was and it was me. So we basically were allowed, we had about 200 computers at our disposal and we went through and we mined all of Flickr and it took about three weeks to a month and it was like four billion images. So we had this huge database and then I put it out there in the media that this was available
34:01
and, you know, the way that it works, I also mined 500px, Panoramio, I found other ones like TwitPic, Twitter and some other sites as well, we started harvesting some data from there. So the way that it was working is that we would harvest this information and then you can actually put in the serial number of your camera and then it will show back results, all the images that we found. So the idea is that
34:21
if your camera was stolen and then three months later you see a photo getting uploaded to Flickr, you can go recover your camera. And it was just a proof of concept, but it worked. We actually, John Heller, he saw this service, he actually had a camera that was stolen when he was on assignment for getting images at the Egyptian theater. He just turned around basically
34:41
and his $9,000 worth of camera gear is gone. He's a contractor, you know, he's not going to get that back. It's pretty hurtful here. But he did a search and then he found an image on Flickr that was uploaded well after it was stolen. And that mapped to Facebook to another professional photographer. And he had
35:01
a photo of all of his gear and there, sure enough, was his camera. The LAPD got involved and what happened was the thief, he stole the camera from him. He then sold it on Craigslist. And then the guy that bought it from him on Craigslist had sold it on eBay. So the person that actually had it had no idea that it was actually stolen.
35:22
But the police, they went in, they were able to recover it. The guy that got it on eBay, he went to the seller and he was able to get his money back. Yay. But the other guy, not so much. But they went in, and a year after it was stolen to the apartment where the guy bought it on Craigslist and they go in, the guy was still there and there was all kinds of other stolen property. So
35:41
it's the first recovery of its kind I think I've ever seen like that. Here's the report there, but yeah, he got arrested. So I had another case where a guy, Craigslist, I'm going to start calling it like Crime List or something because that seems to be where all this stuff happens. He was selling a bunch of gear, camera gear, before he moved.
36:00
And a guy came with cash in his hand. He wanted to take a look at this camera that he was selling. Takes him out to the garage, shows him the box. The guy just pops someone, knocks him to the ground and runs off. So, he actually found images that were mapped to it. I am just helping with this. We got a lot of
36:20
information about this guy and all the other photos that he was uploading to other social media websites as well. And he was doing some pretty interesting things, you know, taking photos of himself, smoking weed, driving down the freeway, you know, a photo of himself with a gun showing how hardcore he is. And he also took a photo of his
36:41
speedometer, going 110 miles an hour down the freeway while smoking dope and we had the time stamp geolocation and everything so law enforcement really liked that. Vulnerability, stupidity. And this tool was actually also used by ICE so
37:00
they are really interested in using this in the Child Exploitation Investigations Unit. So they do some really cool work where a lot of these guys that are actually victimizing children, there are some sick forums out there where they will actually be giving each other advice and they will actually upload photos of hey there is this young girl I have in my car and they can actually look at some of the images
37:21
of the ICE guys like a road sign or something like that to look for some indicators that they can go and try to stop this before anything happens. And so they were actually utilizing this tool as well. So the idea is that you know, Joe Pervert, he is uploading child porn and maybe he is using the same camera when he goes to
37:41
Disneyland and takes photos with his family. So if you get a serial number of one of these images, innocent images is what they call it, and you map that and correlate that with a camera on Flickr for example, that can help them ID a suspect. I'm not sure if it was actually ever used or caught anybody, they couldn't tell me, but I thought it was kind of a cool application of it.
38:01
So basically what I learned a lot is like there is a lot of pieces of information out there that can be used to identify a suspect. This is Edmond Locard, and he is sort of the grandfather of forensic science and he has this thing called Locard's Exchange Principle that every contact leaves a trace. Of course he was talking about physical crimes, like when you
38:21
go commit a crime, you actually bring something with you and you leave something behind. So I believe that actually carries over into the digital world as well, from my experience. We have all these pieces of data, IP addresses, I get really worried about all these different breaches that are happening. We have all these data points and when we start to correlate them, we can actually
38:40
create a rich profile of an individual. And then we talk about the Internet of Things and all the different places where we can find those indicators from device IDs, things that we may not even think about right now that can identify us. Technology can exist a year from now that will actually allow us to mine that and identify us. And I talk about interactive things. There is data that is created
39:01
by us that we are aware of. There is data created for us that we may not be aware of. There is also data created about us that correlates all this information. So I really worry about the marketing groups in particular. And then there is what I call boogie data. So a lot of people don't realize when you send an SMS message for example you delete it, the other person deletes it.
39:21
But the problem is there is 20 log files that get generated at least through the carrier. So there is always a trace somewhere of this information or when we talk about Ashley Madison and things like that where we think our privacy is being protected when in actuality it is not. So I call this boogie data because it is information that is out there and it can come back and haunt us later.
39:42
It is going to hit us really hard. I have been working with a group, privacy century, they have an application called spyware.b and it is actually looking at applications that are accessing your location and sending that information. We have been doing some really interesting research here identifying some very popular applications
40:02
that are actually gathering location, your IMEI, IMSI and sending it to servers in China for example. And that's it for my talk here. If you guys have questions, feel free to reach out to me on Twitter or on my email. Do we have more time? Five minutes? Okay, I'm going to do a quick demo. Let's see if this works.
40:23
Demo gods. Alright, so here is the Mac trojan. You guys ready? So here you see it says .app. Here is another one that is an MP3. If I double click on this, if the network connection works, we should see it in action.