
RECON VILLAGE - I fought the law and law lost


Formal Metadata

Title: RECON VILLAGE - I fought the law and law lost
Number of Parts: 322
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
“I fought the law and the law lost” is a series of talks that aims to collect vulnerabilities in the field of Argentine Security forces. This chapter focuses on both Federal and Buenos Aires City Police, which according to the Head of Government Horacio Rodríguez Larreta, has the “most modern technology in the world”. We will analyze four particular cases (two on the lightning talk version), all of them ending in national scandals: The leaking of the Police Reports database, which led to the disclosure of private information of criminals, informants, involved police agents and even original reporters. This database contained cases related to drug trafficking and proxenetism. The leaking of Proyecto X, a joint intelligence task force composed of members of different forces. The leaking of the SNIC (Criminal Information National System), which led to the disclosure of intelligence information regarding criminal gangs undergoing federal investigation but not prosecuted/captured yet. The leaking of the Buenos Aires City Police entire database, which led to the disclosure of every agent's personal information, including religious and health related concerns, like STDs, clinical and psychological history, and more.
Transcript: English (auto-generated)
I'm going to say the name wrong, I guarantee. I've got my speaker Mauro here. If I've said the name wrong, I've said everybody else's name wrong all day long. So he's just going to smile and be like, yeah, that's me. Okay. The final talk of the day is I fought the law and the law lost. This is part of a series of talks that aims to collect vulnerabilities in the Argentinian security forces. And without further ado, I will pass it over to
Mauro right now. Thank you. Okay. Hi, how are you? Well, glad to hear that. Well, this is a talk that was intended for me to be a series of talks of many Argentinian security forces. I know my pronunciation is not the best, so I ask for your pardon in advance. If something is not understood, just
raise your hand and I try to say it slowly or better. As this is the final chapter, it's intended to last at least for an hour. So I have cropped it out and trying to make it on a shorter way. So I'll go a little faster on the first part. It's not as important as the
last one. The first part is basically every antecedent that got the Argentinian security force system to what it is today. A bad one. So let's start. This is a brief
introduction. My name is Mauro. I was born in the 90s in Argentina. I worked all my life for the government on different sides. Not something right. I have a really little security firm. We are very few people from Argentina. We work on every contract is based on government or security forces. So we are apocalyptic in an apocalyptic situation
now or what is related to security forces. We have four, what we call the four horsemen, four events that carried out what it is today to be the current status of our
security forces. As this talk is the final chapter, I have divided it into four events. Everything disclosed here is publicly available or reachable on making us inquiries or
even reaching the news or Pastebin or any other place when I'm here. So the four events that took us to what we have today in Argentina were the following. We have a
leak from two federal forces happening to work together. They were the federal police of Argentina and the national gendarmerie. The leak of the Ministry of National Security during a spear phishing campaign that led to the disclosing of many
officials, officers and public figures, accounts. The Buenos Aires City Police internal leaks led by unhappy cops. It was an internal leak. And the Buenos Aires City Police entire database dump contained the personal information of every officer,
agent, and even the political side of the force, from the security minister of the city. It's a long way to get here, so let's talk. The Argentine federal police suffered three attacks. Two were made using the same technique. On 2010, it was a
defacement led by the ICAB gang. They are very popular on the police side hacking scene. The PFA was brother on 2011 and Project X, which was a national scandal. Let's
start. Abusing the PUT method on the web server, they led to a simple defacement. Everything was hit, was nothing really, really surprising. It lasted for an hour and it was gone. They just restored the site like nothing had happened. Then, this is the
photo of the leak, of the defacement, sorry. Then, the next year, they made another defacement using the PUT method again. It was, in Spanish, La Federal Viste a la Moda is a
reference to the movie The Devil Wears Prada. Using the PUT method again, the face of the site and some animation of someone dressed as a policeman during a gay parade. This was intended as a simple joke, but it posed, it exposed, sorry, what was
our security set up from a federal force. A federal force that deals with trafficking, with human trafficking, with money laundering, with things that might be hosted there or not, but are dangerous to be exposed in that way. Then, the 2012, it was a year of really hard political tensions. There were many people doing what
we call the cacerolazos, the popular march. People gathered themselves via Facebook to march on different places of the city. During one of those marches, this leak and
defacement happened. There was a rumor that is unverified to this day that the Argentine federal police participated together with the general on a civilian surveillance or espionage campaign. There wasn't any, any proof of that. It was like a rumor. Then, the
group was leaked to be called Project X. Okay, then, on September, during one of those marches, the PFA sites suffered one of the last attacks. During the defacement, the
hacker published some links to internal databases of the sites. One of the databases contained information about PFA, the federal police, and GNA, the Gendarmerie. There are
two forces that are not related. They didn't even have the same tasks. The Gendarmerie, it's like a border patrol. Aside from having tasks like drug trafficking, smuggling, human trafficking too, and the PFA have other tasks different to them. So, why
were they working together? As there were no political agreement, no police agreement to work together, the leaks went viral during months. People used those leaked passwords, those re-used passwords to enter their personal accounts, personal police accounts. Then, it
started like a viral thread on many Latin American sites disclosing what it was later a new leak. From the original leak happened here in Project X, people started doing their
work, we like to call it that way, into the police accounts, the personal accounts, creating new dumps. For example, Facebook of police officers, Twitter of police
officers, everyone with its user and password. Some people reconnected some of the names in the dump and they discovered that there were only officers. There were personnel of ministries, the justice one and the defense ones, that by law, by constitutional law, are
not allowed to work together. Justice and security is for internal use, while defense is for external. Then, in another forum, people started using OSINT against those names and exposed them on the internet with information such as wordplays, other contact information, and created like a viral chain of new leaks every day. Passwords were
stored in plain text and mostly were reused in other sites. Many of them can be easily found on, uh, dictionaries like rockyou.txt. The published files were MDB Microsoft Access databases, so anybody could have downloaded them as they were served publicly. This
is the fault of the leaks. For example, here is people mocking their passwords. For example, here is another one saying, hey, those passwords from the police stations' accounts
are working. Go now and download them before they change them. So people were advising other people to keep on leaking. Once again, hey, information is true. This information is true. I have entered on the Facebook of a girl. Those passwords are used on this system,
but many other people reused them. And later, the attacker did an Ask Me Anything on Reddit, uh, and confessed she had used a default template file, a GSP file, to upload items, to upload files. There was an example that was never deleted when
deployed. He used it to upload a show. Then, he got it right and hacked it. Finally, the site went offline forever. While no one had, no one got an explanation of what happened, not from official sources or from the police sources. Project X was never had again. Well,
the walling of the Minister of Security. During January, this is the, every time I talk about a force, a security force, or a government, uh, office, I put their logo here. Sorry. Okay. During January, the last year, the Minister of Security's Twitter account was
hacked and also her retirement and publishing personal data. Their personal phone, not their work phone, not the one this Twitter account was registered to. The attacker claimed to have owned more than 30 mail accounts from the Ministry, including one
reserved to, uh, organized a crime. To this day, something I haven't written here, uh, even our intelligence service was leaked and they were using, to this day, hotmail accounts. They haven't used any, uh, institutional accounts, but they were official. They were
used for official, uh, business. Okay. Until the entire national criminal information system was leaked, too. Here you have Patricia's number. Patricia Bullrich is our Minister of, uh, Security to this day. Then, Patricia Bullrich. Minsec is Minister of
Security. Ministerio de Seguridad. Here we have, uh, Movistar. It's a phone company. It's just like AT&T. This is an official request, what we call official, an official request
for official information. For example, uh, federal police wants to listen to this, uh, these lines conversations. So, whatever, uh, request for official information that was made, it was copied and dumped and leaked. So, try to imagine what is happening behind
the scenes. Let's suppose you, uh, report a drug trafficker. This guy is a drug dealer. Okay. Now, that drug dealer knows someone ratted him out. I know it was you who ratted him out. And even knows who the cops working on his case are. This is
really dangerous. Suppose it's a real threat to, uh, to the original guy who reported it and to the original, uh, cops that are, that were investigating him or her. Here's the
attacker saying, I have complete access to the national criminal information system. And you might see, it was an SQL server with every port open to the world. So, he wasn't lying. At this point, as I was saying before, personal data of three sides
were revealed. From the national criminal information system, the data of all criminals and organizations, even those who have an intelligence, an intelligence task ordered upon. What means having that, that you're not, uh, prosecuted legally.
You're just being investigated. Would you, it's supposed that you don't have to know you're being investigated. Well, now you know. Then, from the mail accounts, particularly from the one of organized crime, the data of all, once again, the data of all the agents that participated in tasks of record and intelligence. That poses a real danger,
as we'll see later. In Argentina, public information is really misused, really misused. Some people think that, uh, for example, you Americans have the, uh, social security number. We have, uh, a tax ID, a DNI, a national ID number. Our tax ID is
composed of public data. Uh, for example, as we'll see later, uh, what you earn, your tax category is also public. So everyone knows where you live, how much you earn, and probably which hour you are away from home. Then, uh, another, another thing, the
organized crime division using an email without any key, any cryptographic key. So, a simple plain text email. From the mail account of compliance, the data of all civilians reporting irregular situations such as police connivance or abuse. You are denouncing
your own police, and they have been leaked. So if you have denounced any cop, he's in connivance with a smuggler, he's in connivance with a human trafficker, now he knows you ratted him out. Is it understood to this point, uh, I know my pronunciation is not
the best, but sorry about that. Ok, two people were found guilty of the attack and later prosecuted. Later it was found they commanded a spear phishing campaign where they compromised 30 accounts, including the ministers. Data from people with criminal records and police officers, feds mostly, obtained from the leaks, uh, is currently being used
on certain data stashes. In Argentina, it's really popular to have, uh, what I call parasite sites. Every time, every time, uh, for example, all federal revenue agency has a
leak, these parasites are abusing it and keeping and storing it. For example, uh, during some years, our federal administration, uh, got a bad control of the RAPI, so anyone could query it infinitely on a loop. These stashes armored themselves with a database,
crowded one by one, constantly, and there, for example, now you have to pay in bitcoins to search for anyone. Just a little satoshis and you can search for anyone, have their address, have the tax ID, how much they earn, and so on. We'll talk about this
during the last leak. And a lot of lost. Upon dissolving, uh, Buenos Aires Metropolitan Police, our mayor, head government, Horacio Rodríguez Larreta, announced the creation of the Buenos Aires City Police. If someone knows the difference between Buenos Aires City and Buenos Aires Metropolitan, I would gladly hear it. Okay, in his
own words, this new force is the most modern police in the world. You know, we're Argentines. We have the better things. The best things are ours. Always. I know you can love. No, no problem. As the original members from the Metropolitan Police,
remember, a Metropolitan Police is just for the Buenos Aires City Police. A big city, but you know, you can't compare a city police to a federal police in any way. Okay, so, uh, he signed a political agreement to convert federal agents to local
agents. Mostly because he could not cover what he had promised. The most modern police in the world. What happened here is the first thing, the first important thing, more than the other antecedents, that lead to what we have today. Cops
became unhappy. You know, one day you're a federal agent. You take care of, this is without meaning any disrespect to local agents, obviously. But, you train them for years to be a federal agent. You are trained and you can take action on their trafficking, economic crimes, money laundering, human trafficking, cyber crime. Every
time the local police meets on a cyber crime case, has to call the feds. Then, you are trained on criminal intelligence. You are trained for years on whatever specialty you want to take. But now, you cannot exercise it. You cannot use that specialty. You are
like degraded to local agents. Then, a new series of technological control measures were implemented. These new officers, who had their own freedom of working, they
have a new series of measures they are not used to. For example, carrying an Android device with them at all times, with a GPS enable and a battery, how you call it, a
portable battery, that tracks their activity and their world turns. They can leave a mid-area. That seems good in theory, but what happens when it starts to fail? Let's see. So, when all these new technological measures stopped working as intended and
generated a further conflict, instead of resolving situations, the personnel started ranting. First, between them. Hey, this phone, it's not working. It says, I located one block away so I cannot start my turn. You know, when you need a cop, you need him
here doing his job. Why does he have to deal with a phone that doesn't work? With a GPS that marks him two blocks away? With a timer that says, hey, you owe me one minute. Stay one minute longer. What happens when you have an emergency and say, hey,
you left your area? Of course, I left my area. Then, remember, sorry. First, between them, and then on the net, this created what we later see as the blue whistleblowers. People started ranting online and sharing information that should be shared.
Remember, this Asian world wants PFA operatives and their data was leaked before, and they continued leaking, but voluntarily. Let's start checking the perimeter of the most modern police in the world. We'll use a passive recon and we won't try to exploit anything once again. So, all of the Buenos Aires city police sites share the same
SSL certificate, causing errors like domain name mismatch and marking them as insecure. Every one of them is vulnerable to poodle, slot, and drown from 2014. Okay,
this can be checked with third party tools like Comodo SSL Analyzer, and also, our objective was to prove that it was easy as writing four lines of code. So, we made a repo on GitHub, a site that you can check this with any other tool you like. Our
objective was that, to show that with four lines, you can prove our point. Choose four or three lines, nothing more. Okay, checking the common name mismatch, that works on every certificate on every site, and for checking poodle, slot, and drown, vulnerable sites. As you may see, it fails. Sorry, the message is in Spanish, but I think we all
get the error. Then, it was, they are using one certificate for six sites, six main sites, and it works only for one. Obviously, I think we, most of us know about
or all the SSL certificate service for free. Well, they seem they don't know it. As you may see with Comodo, this SSL certificate name is matched. In Spanish, it says that the certificate was issued for, a domain that doesn't point to anywhere,
but they have implemented that way. Then again, private security, public safety, internal network is vulnerable to poodle, poodle, drown, and poodle. One of their sites, a Drupal, sorry, will randomly serve the default Drupal installation script upon
accessing it, so any visitor can interact with the instance by installing a new one atop the original. They are browsing a black Drupal. Welcome to installation, and you say, what? The rest of the sites tend to have their listing activated by default, showing not only the server has great files, but also custom tests the original
developers wrote and committed to production. Also, upload directories are publicly available. Let's stop for a second on this. If the original developers do not clean up what they are committing, it reminds me of what
happened to PFA with the default, remember the default example for uploading files. It's basically the same situation. You know, noticias policiales means police-related news. Go baras, you may see it's an official site. Okay, they are
listing, this is the private security site. If you might know, there are TinyMCE, it's a little IDE for how, sorry, rhythm in JavaScript. Here, an instance of TinyMCE is hosted there, and it can be activated using an XSS, for example. If one could be found,
the police recruitment site is highly rated from the original metropolitan site. You can check this. Look, 2016. During eight years, seven as one of the site's metropolitan police, and one as one of the city police, that site suffered from an
XSS vulnerability. So, we can activate TinyMCE. For obvious reason, we won't do it. We deployed two bugs for testing the vulnerability, just proof of concepts. That wasn't dealing, again, available at the GitHub. When abusing the input for triggering the XSS, the site logs and prints an error stating a failed SQL
query. You know, an SQL injection is possible. For example, what's the malicious script you want to load? Malicious.com, that site doesn't exist. The framework. It writes your URL, and as you might see, the source, it's located. You
already load a big framework instance for anyone to visit. This time, what we do is execute an inline JavaScript. We change every link to malicious.com slash trojan.x.
For the city police, click here. Malicious.com trojan.x. Also, we can note that none of the sites implemented CAPTCHA systems to avoid automatic requests, not even their firewall or gateway. Also, the private security site contained many client-side
log-in mechanisms. As we all know, you can disable any or tamper any mechanism written in JavaScript. No CAPTCHA, no CAPTCHA. This was one of the site leakage. This one, too. No CAPTCHA, and also uses the client-side JavaScript.
This site wasn't leaked. This is the real great Sophos. Again, file it as a cell and no CAPTCHA. This version of Sophos provides no CAPTCHA by default. So, on the other hand, Sophos was questioned, too, a few months ago
because its API uses MD4 hashes without salt, without pepper, simple and plain MD4 hashes. You know, hashkiller.co.uk or any online service for free, can break them in a matter of seconds. It was broken in 2007 and should not protect
anything. The blue freaker. This is a character that appeared during the blue whistleblowers. Every police and every officer had an assigned phone, a custom Android phone assigned. One of these guys, isn't a hacker or a freaker by
itself, started playing with the phone and located a lot of bugs and even rooted his phone and all his partner phones. And they are now out of the police systems. So, as a lot of cops went online, ranting that the phone struck them at the current
location, what we were talking before, does not allow them to enter their service. Other simple, went offline during work hours. What looked like they were absent from the service or abandoned the service. They are having to explain the situation caused by system failure. They went online exposing this. This blue
freaker pushed online a series of videos of him breaking the Android's lockages, obtaining billing information from the whole Buenos Aires Police City account, millions more expensive than what was publicly said, privilege escalation to install apps, whatever apps you like. And so, with it, he
installed Kingroot and definitely contrived his phone. With it, he scanned his IP and network finding a lot of weak assets and even some of the printers that were vulnerable to flaming. You remember that botnet that printed robots? All are all around the world. Wow. The default port opened 9001 without any password. This
step is beyond our talk. As you may see, these are like homemade photos. He was just walking around his service, taking photos of what he was breaking. He started social networks, then looking for rootkin. Sorry for the quality. He submitted. He
submitted it this way. And then, this gift. This is him making a query that any phone can make. Can make, sorry. He's asking with a number about his billing
information. How much money do we owe to the company? This might take a second. As you might see, nine millions. Well, it's not really. Then, another incident happened.
Sometime ago, before the leaks, a subway camera with an attached monitor failed and crashed to desktop. The monitor then showered a long screen with an unmasked password and a public IP address. Probably the camera server. It was visible during
almost three hours before one of the sign-in police technician repeated it on site. The password was leaked in plain text. This is a really crowded area where anybody who happens to be can see the password. The blue whistleblowers. Out of the blue,
several pastes containing personal data like users, emails, and password from various police sites were published on Pastebin. It was later found that those credentials belonged to critical assets. The recruitment sites, the one I said had no CAPTCHA was hacked, contained medical and psychological records. You know, that three that you draw to prove you are not crazy. Religious, family, and personal
information for every officer, chief cadet, and patrolman. And the police report database contained information from both criminal, informants, and complainants with PII. Most passwords were one, two, three, four, five, six are numeric only. A lot of
passwords were personal names. We might see this later. As you may see, personal names like Felipe, Emilio, and so on. MD5. Okay. All of the passwords were
online. On 2011, an anonymous blog posted a complaint about money laundering in the metropolitan police, exposing telephones and institutional mails of officers, chiefs, and divisions. Once again, these accounts are used for official purposes but are not
institutional. So they belong to public domains like Gmail, Yahoo, or Hotmail. It was never taken down. It's been some years since it is active. So we'll try to make some awesome queries over that and find where the leak could have happened. Who
could have been the patient zero? As you may see, laundering in the metropolitan police, blog spot. Let's start crafting intelligence from these smashes, database, old dumps, and online runs. One day it happened. The Buenos Aires
police was hacked and lost three gigabytes of databases with important information. It was a national scandal, as you may see. They were offline, and they were offline for like seven days without having any notice until the fourth
day, having that message. So we have a lot of loose ends to follow. In order to reconstruct how the last leak was carried on, the regional leaks, the ministry leaks, the multiple vulnerabilities they have already, the Buenos Aires city police leaks, the previous one, the intelligence gathered
crossing information from all the above. All worries. We'll see this if we have time later. Okay, let's try to cross information from the previous section, the police. Have I Been Pwned. It's a place where you simply enter a
username or a password or an email and it tells you if it had been involved in any leak. We searched for three of the higher chiefs of the police. Three were leaked before. We searched for another chief from the ministry, not the police
itself. Leaked too. And also, he's featured in an entire user database leak from microelectronic cache. Then the CIO, he was leaked too. Remember, most of these leaks contain the password hint in plain text. For example, name of my daughter.
Then it's easy to crack it. This is the secretary of public safety. Pwned too, three times. Three chiefs, two civilians, one of them the police CIO at the time and secretary of the public safety were compromised, that's what we were saying. By
checking the right forums, you can get a free copy of the breached database simply by earning points, commenting, sharing, and so on. In previous leaks, they use a numerical password for the password containing their children's name. Even the hints pointed this out like my first child or DNI, the national
identification number. As we say before, this data is manipulated in a way that almost anything is made publicly available, whether you want it or not. For example, if you Google me, you can find my tax ID, my fiscal address, as I am not a company, that's my personal house, how much I earn. So it's really easy to find valuable
data. Sites, the parasites I was talking about, that they are,
they are trying desperately to keep as much information as possible, so you can query the copy. Okay, with these hints, my daughter and my DNI, let's find those passwords. By searching him by his name, we have the tax ID and the DNI, and then we have the
central part of the tax ID is the DNI, so we have the password. And where he lives, he says, and so on. The tax ID, when you got the first two numbers and the last one, you have the DNI, the password. Now let's find the CIO's daughter. We'll search him
online, then based on the address we have, we'll search how many people live under the same street number, the same roof. It's easy, if they all share the same surname, the same last name, they must be related. The only problem we have here is that when
you're talking about children, minors, you might not have the same information disclosed as with adults, but this method never failed me. So as you might see the link, it is redacted, just for security question. It's the one with the R role. As you
might have, as you might see, we have five people. Camila, Pilar Lucia are women. They are all candidates. Five people living under the same roof. We try to do the LinkedIn dump. They are showing passwords unsalted. So the secretary account won't
disclose it, his password is plain text. So, sorry, we hashed one of the passwords, I won't say which one, which one and it coincided with the LinkedIn dump. So we have his passwords. So this might be the way they will link it. Just one minute and we
finish. Warez, it should be noted that during the leaks, warez could have played an important role. I recommend you the site I Know What You Download. It's like a bogus tracker, not always, but a strange tracker that exposes what you were downloading
with your IP address. So I have found that the Buenos Aires City Police is involved in the federal crime of piracy. Strange enough. This is the gateway. Look, some of you may have seen the series, but look at this, Counter Strike Global Offensive,
Warsaw, GameTorus.com. Will you trust downloading that? Oh, no, I know. You have the entire police internet connection to download at really high speed, but really, you
shouldn't be downloading this. Once again, Lego DC Comics, Super Heroes, Justice League Comic Clash, Lego Scooby-Doo. You may notice it's dangerous, whether you are in the police or not. So, conclusions, thanks and credits. My own conclusions are we are not
safe, even those who have to take care of us, neither are. A false sense of security is a slow and insidious killer. Do not trust your data to be kept securely. This is especially for Argentine people. It is not stored safely. The Internet has not forgotten, even if that means those old leaks someone made at a label some years ago. And no, we don't have the most modern police in the world. Let's stop being
Argentines for a moment. We don't have the best things in the world. We are Argentines. Corruption, money laundering, we have moderate true prosecutors, third world mindset, we lost. Out of question. Okay, special thanks to the Recon Village crew for receiving me. A heartfelt thanks to my working team,
the Latin Argentina, to the Blue Freaker, who shared with everybody what really was happening behind the scene. Okay, if any one of you has a question. Yes, we
have many laws about data accessing, but what happens is that they are not respected at all. For example, I'm going to answer you based on my experience on government. I worked for local, for federal, for security forces, and for
example, when you need a federal place to get data from a local place, it's a real hassle. They mostly resolve it with, okay, I share a database name with you, or I share the damn, take this disk, have it. Please don't lose it.
That's the national standard. Aside from what is written, so we have many laws written, but they are not taken seriously. For example, one of the cases that has shaken me the most, people in the Buenos Aires City Police were
sharing reports with USB drives, personal USB drives, whenever the system went offline. Say, okay, we have to keep working, USB drive, then you have, you send like a messenger, working there, sending them. I think that might be, but I
have no proof, that might be also an important point in the leaking part, as everyone could have a copy in their pocket. If anyone has any other questions, yes. It's possible. Argentina is really well known for having many
behind-the-scenes, how do I tell it, they have some shady interests between Asian scenes. Yes, you know, during the last years, during a federal
investigation of terrorism, one of our prosecutors was murdered, and it's unsolved to this day. You might see how the law is moving in my country, how they work, so it's, yes, it's possible. Mostly because it was announced as a
political asset, as a campaign, a political campaign promise. We will have a newer police, with no corruption, the most technological in the world, etc. etc. So it could be, yes. Well, they patched a lot of these things, but that
doesn't stop the leak from being available on torrents, on RAID databases, or on other sites. They patched, for example, the XSS, the access to the
gateway, at least. I don't know the rest, but the last time we tried it, they did that. We always try to update this because they were patching some things, but they are a little bit slow. Excuse me? I don't have a really
ready-to-be-public answer. Okay, any other questions? I hope you liked it, and I ask you once again pardon for my pronunciation, it's not the best. Well, I hope you enjoyed it.