Coding to fight online abuse
1. Coding to fight online abuse
Or:
“My work from 2012 till today, and why you wouldn’t want to do the same, but somebody possibly should”
Einar Otto Stangvik
twitter/einaros
einaros@vg.no
2. Me
~34 years old
Security-minded developer
Aspiring strobist
Employed by VG.no in 2014 to do
ops / security / investigative journalism
3. Work résumé in chronological order, late 90s to 2012ish:
Turbo Pascal, C, C++, Linux and ops, Security,
C++/MFC, PHP, C++.NET, Flash, Java, C++,
SharePoint, C#, Silverlight, Javascript / Node.js,
Flash, Security, …
4. It all mostly felt like made-up solutions to artificial problems
Mid 2012: 😣💥
Desperately needed a change / purpose
5. Noticed: Revenge porn and iCloud hackers
Read articles that described sites dedicated to hacking,
outing and shaming young girls and boys
9. I figured it couldn’t hurt to try
… in retrospect, it could have hurt many, a lot
10. Chasing an iCloud hacker
January 2013:
Monitored certain forums for geotagged pics from Norway
11. How the system worked:
Partial http downloads (Range: bytes=0-5000)
Processed millions of image headers
Parsed metadata, looked for GPS tag
Resolved location through Google’s api
Notified me when content from Norway was found
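The pipeline on this slide only needs the first few kilobytes of each image, because the Exif APP1 segment (and its GPS sub-directory) sits right after the JPEG start-of-image marker. The following is an added example, not code from the talk: it builds a small constructed JPEG with a GPS IFD, then parses just a truncated prefix of it the way a Range-limited download would deliver it, returning decimal latitude/longitude or None when the prefix is cut before the GPS data. The same check is what a photo-sharing service or a privacy review would run to decide whether an upload leaks the photographer's location before it is published.

```python
import struct

# Constructed sample image (not data from the talk): a minimal JPEG whose Exif APP1
# segment carries a GPS IFD with latitude/longitude as degrees, minutes, milliseconds.
def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    def rat3(dms):                       # three RATIONALs: deg/1, min/1, msec/1000
        d, m, s_milli = dms
        return struct.pack(">6I", d, 1, m, 1, s_milli, 1000)
    ifd0_off = 8                                   # IFD0 follows the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 1 * 12 + 4            # IFD0 holds one entry (GPS pointer)
    data_off = gps_off + 2 + 4 * 12 + 4            # GPS IFD holds four entries
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", 0x8825, 4, 1, gps_off) + struct.pack(">I", 0)
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", 0x0001, 2, 2) + lat_ref.encode() + b"\0\0\0"  # GPSLatitudeRef, inline
    gps += struct.pack(">HHII", 0x0002, 5, 3, data_off)                     # GPSLatitude -> offset
    gps += struct.pack(">HHI", 0x0003, 2, 2) + lon_ref.encode() + b"\0\0\0"  # GPSLongitudeRef, inline
    gps += struct.pack(">HHII", 0x0004, 5, 3, data_off + 24)                # GPSLongitude -> offset
    gps += struct.pack(">I", 0)                                             # no next IFD
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + gps + rat3(lat_dms) + rat3(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def extract_gps(head: bytes):
    """Walk JPEG segments in a (possibly truncated) prefix; decode GPS from the Exif APP1 if present."""
    if head[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(head) and head[pos] == 0xFF:
        marker = head[pos + 1]
        seg_len = struct.unpack(">H", head[pos + 2:pos + 4])[0]
        if marker == 0xE1 and head[pos + 4:pos + 10] == b"Exif\0\0":
            return _gps_from_tiff(head[pos + 10:pos + 2 + seg_len])
        if marker in (0xDA, 0xD9):       # start of scan / end of image: no Exif ahead
            return None
        pos += 2 + seg_len
    return None


def _gps_from_tiff(tiff: bytes):
    """Follow IFD0 -> GPSInfo IFD; any read past the downloaded bytes raises struct.error -> None."""
    if len(tiff) < 8:
        return None
    e = {b"MM": ">", b"II": "<"}.get(tiff[:2])   # byte order declared by the TIFF header
    if e is None:
        return None
    def u16(o): return struct.unpack(e + "H", tiff[o:o + 2])[0]
    def u32(o): return struct.unpack(e + "I", tiff[o:o + 4])[0]
    def entries(ifd):
        for i in range(u16(ifd)):
            o = ifd + 2 + 12 * i
            yield u16(o), u16(o + 2), u32(o + 4), o + 8   # tag, type, count, value-field offset
    try:
        gps_ifd = next(u32(v) for tag, _, _, v in entries(u32(4)) if tag == 0x8825)
        fields = {}
        for tag, typ, count, v in entries(gps_ifd):
            if typ == 2:                                    # ASCII ref letter stored inline
                fields[tag] = tiff[v:v + count].rstrip(b"\0").decode()
            elif typ == 5 and count == 3:                   # deg, min, sec as RATIONALs at offset
                o = u32(v)
                n = struct.unpack(e + "6I", tiff[o:o + 24])
                fields[tag] = n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600
        lat, lon = fields[0x0002], fields[0x0004]
    except (StopIteration, KeyError, struct.error, ZeroDivisionError):
        return None
    if fields.get(0x0001) == "S":
        lat = -lat
    if fields.get(0x0003) == "W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


if __name__ == "__main__":
    img = build_sample_jpeg((59, 54, 50040), "N", (10, 45, 0), "E")   # constructed: central Oslo
    print("first 5000 bytes:", extract_gps(img[:5000]))
    print("first 40 bytes:  ", extract_gps(img[:40]))
```

Because the parser only ever reads from the prefix it was given, a too-short Range response simply yields None; the caller can then decide whether to fetch a larger window rather than the whole file.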
12. Before long:
Found a post which suggested iCloud hack of 5+ Norwegian girls
“Who said they know I got them? iCloud…”
17. Contacted the police - got no help notifying the girls
Eventually I contacted two of the girls,
one of whom filed a police report
The police dropped it immediately
18. Police: “Since we don’t know who the perpetrator is, we can’t help you”
20. Bought a domain (spun.xxx) and established a honeypot,
contacted hackers asking for help hacking the
iCloud account of a made-up step-sister
21. The honeypot:
Claimed to be a near-mythical stash of revenge porn
Claimed to have operated for years, being built on absolute user trust
I casually mentioned it in emails with the hackers
Told them I was a long-time member
Eventually told them I trusted them, and sent an invite
Invite process: Many steps, meant to build trust and gather info
The final step of the registration process: Phone number
Once the code sent by sms was typed in, they’d get an error
22. Got several to trigger the honeypot,
revealing (often residential) IP addresses
and a few phone numbers (verified by the two-factor response)
24. I now seemed to have the hacker’s (anonymous) Hotmail address
25. I examined the password reset info for the Hotmail account
Found that it pointed to a Gmail account
26. I also noticed a hashed value in the reset page’s markup
27. Turned out to not be salted for any specific source account
Meaning:
If I entered the same backup email in another acct,
the hashes would match
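The design flaw on slides 26 and 27 is that the reset page exposed a hash of the recovery address that depended only on that address, so two accounts sharing a recovery address produced the same value. The following is an added example, not code from the talk or from any provider: it places that unsalted scheme beside a token bound to the account and to a server-side secret (constructed names throughout), and shows that the weak tokens group accounts together while the keyed ones reveal nothing across accounts.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret the service keeps server-side and never sends to the browser.
SERVER_KEY = secrets.token_bytes(32)


def weak_recovery_token(backup_email: str) -> str:
    """Unsalted, account-independent hash: the same recovery address hashes the same everywhere,
    and anyone who can guess the address can recompute the value offline."""
    return hashlib.sha256(backup_email.strip().lower().encode()).hexdigest()


def keyed_recovery_token(account_id: str, backup_email: str, key: bytes = SERVER_KEY) -> str:
    """HMAC over (account, address) under a server secret: equal addresses on different
    accounts give unrelated tokens, and nothing can be recomputed without the key."""
    msg = account_id.strip().lower().encode() + b"\0" + backup_email.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def correlate(tokens: dict) -> dict:
    """Group account ids whose exposed tokens collide; this is the linkage an unsalted hash leaks."""
    groups = {}
    for account, tok in tokens.items():
        groups.setdefault(tok, []).append(account)
    return {tok: accs for tok, accs in groups.items() if len(accs) > 1}


# Constructed sample: three accounts, two of which share a recovery address.
ACCOUNTS = {
    "alias@example.com": "realname@example.org",
    "other@example.net": "realname@example.org",
    "third@example.com": "someone@example.org",
}


def weak_linkage():
    return correlate({acct: weak_recovery_token(addr) for acct, addr in ACCOUNTS.items()})


def keyed_linkage():
    return correlate({acct: keyed_recovery_token(acct, addr) for acct, addr in ACCOUNTS.items()})


if __name__ == "__main__":
    print("unsalted hash links:", list(weak_linkage().values()))   # [['alias@example.com', 'other@example.net']]
    print("keyed token links:  ", list(keyed_linkage().values()))  # []
```

The keyed form fixes the cross-account comparison, but the better fix is the obvious one: a reset page has no reason to put any derivative of the recovery address into markup the user can read.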
28. Around the same time I investigated similarities
between the victims’ networks
29. I automated the Hotmail hash process for a list of emails,
including those from the girls’ mutual friends
30. … and got a hit for a mutual friend of theirs
somehacker@hotmail.com => realname@gmail.com
31. He was a politician with a vast social network and
a trusted position in the party’s social media office
32. At this point I had:
The (residential) IP-address of the first known posting of the pictures
A matching IP-address for a person who claimed to be an iCloud hacker
A connected, real-name based, e-mail address for the iCloud hacker’s e-mail
33. But I wanted to be as certain as possible that the two were the same, before
discussing his identity with the girl or the police
34. So I did the following:
Sent the hacker a URL by email, got a hit from the suspected IP
Sent a URL (posing as an email sent to the wrong person) to the regular guy
Found that the two had the same IP, same os / browser / browser plugins
35. Now I was pretty sure I had him
… but the police were uninterested
— even after being pressured by lawyers for the following months
36. While the lawyers were making futile efforts,
I tried to identify other victims,
to add to the pressure
37. During email exchanges he sent images of another girl,
claiming she was a blogger he found on a Norwegian blogging portal
38. He wouldn’t tell me who she was, so I took the code approach again…
39. Approach:
He said she used a Norwegian blog portal -
I automated traversal of their tens of thousands of blogs
Scraped email accounts and indexed content
Checked the email accounts against Apple ID web service
Crossed matches for profiles with public Apple ID and trigger words
Narrowed it down to a few hundred blogs
Scraped images from those, and manually compared
Found her
40. I contacted her, explained and scheduled a meeting with her
She also pressed charges against the hacker 🙌
45. Resetting the iCloud password required the date of birth,
and answers to “secret” (😣) security questions
46. Date of birth certainly isn’t a secret
With SoMe profiles, what else really is?
47. Downloaded backups from iCloud
Including pictures, videos, notes and messages
Specifically looked for explicit content and passwords
48. Tried accessing the victims’ email accounts
Linked them to accounts he created with similar names
lisa.lala@hotmail.com => lisa.lala@live.com
49. His goal:
Granting himself “eternal” access to iCloud-connected email accounts,
and thus be able to reset the password at leisure!
He applied these techniques to an unknown number of girls
Eventually succeeding for at least 30 victims
55. My time at VG is a tale of career options not thought possible
I had no idea such jobs existed, really
Proves that there’s no reason to rot in unfulfilling careers
60. We spent more than a year researching the sites and their users
61. We found a network of hacked sites which advertised child abuse,
pushing downloaders towards the file sharing sites
77. Gathered a total of 36mn logged downloads
But not all documented child abuse
78. How could we tell one thing from the other,
without downloading everything?
79. Initial considerations:
Had loads of data on downloads
… and knew that several of the downloads were related
The goal was to reduce the 36mn chaos to something manageable
We were interested in the likelihood of a certain file containing abuse
80. We knew for certain that a few files contained abuse material
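Slides 78 to 80 describe the core of the triage problem: a large download log, a handful of files known to contain abuse material, and the wish to rank the rest by likelihood without fetching them. The following is an added example, not the project's code: over a small constructed log of (downloader, file) pairs it scores each unknown file by the share of its downloaders who also fetched a known file, drops files with too few downloaders to say anything, and produces a shortlist. It generalizes what the slides sketch into a reusable ranking step; the score is a prioritization heuristic for human review, not a classification.

```python
from collections import defaultdict

# Constructed download log (downloader id, file id); not data from the investigation.
DOWNLOADS = [
    ("u1", "f_known1"), ("u1", "f_a"), ("u1", "f_b"),
    ("u2", "f_known1"), ("u2", "f_a"),
    ("u3", "f_known2"), ("u3", "f_a"), ("u3", "f_c"),
    ("u4", "f_b"), ("u4", "f_d"),
    ("u5", "f_d"), ("u5", "f_e"),
    ("u6", "f_d"),
    ("u7", "f_c"),
]
KNOWN_ABUSE = {"f_known1", "f_known2"}   # constructed: the few files confirmed by hand


def build_index(downloads):
    """Two inverted indexes: who fetched each file, and what each downloader fetched."""
    by_file, by_user = defaultdict(set), defaultdict(set)
    for user, file_id in downloads:
        by_file[file_id].add(user)
        by_user[user].add(file_id)
    return by_file, by_user


def score_files(downloads, known, min_downloaders=2):
    """Score = fraction of a file's downloaders who also fetched a known file.
    Files with fewer than min_downloaders are left out: one co-download proves nothing."""
    by_file, by_user = build_index(downloads)
    flagged_users = {u for u, files in by_user.items() if files & known}
    scores = {}
    for file_id, users in by_file.items():
        if file_id in known or len(users) < min_downloaders:
            continue
        scores[file_id] = len(users & flagged_users) / len(users)
    # Highest score first, file id as a stable tie-breaker.
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


def shortlist(downloads, known, threshold=0.5, min_downloaders=2):
    """Files worth a reviewer's time: scored at or above the threshold."""
    return [f for f, s in score_files(downloads, known, min_downloaders).items() if s >= threshold]


if __name__ == "__main__":
    for file_id, score in score_files(DOWNLOADS, KNOWN_ABUSE).items():
        print(f"{file_id:10s} {score:.2f}")
    print("shortlist:", shortlist(DOWNLOADS, KNOWN_ABUSE))
```

On the constructed log, f_a is fetched only by people who also fetched known material and scores 1.0, f_d is fetched by nobody who did and scores 0, and f_e never appears because a single downloader gives no basis for a ratio. With real volumes the same two indexes are what a quick-reload workflow (slide 88) would keep in memory between experiments.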
88. My goal: Rapid experimentation with the (huge) data set
Time-consuming reloads and lack of visualizations would slow down the
project, and potentially make collaboration impossible
99. Identifying the downloaders
Chased the lowest-hanging fruit first
Imported emails from logs to address lists => “Find your friends”
Examined password reset pages
Crossed any info we could gather with geolocation of IPs
100. Final results of the analysis:
~5500 downloads from Norway
~300 downloaders
78 identified
102. We confronted 10 downloaders of child abuse documentation
7 admitted their actions
Norwegian police got increased funding
We’re still working on related projects
103. Having gone down this path, would I recommend it to others?
Working with / in the press or police is better than going solo
If solo: stay far away from child abuse material
An open-source initiative would be really interesting
(better tools for monitoring forums, hash db, profile db, etc)