From NDC Oslo 2016

1. Coding to fight online abuse
Or:
“My work from 2012 till today, and why you wouldn’t want to do the same, but somebody possibly should”
Einar Otto Stangvik
twitter/einaros
einaros@vg.no

2. Me
~34 years old
Security-minded developer
Aspiring strobist
Employed by VG.no in 2014 to do
ops / security / investigative journalism

3. Work résumé in chronological order, late 90s to 2012ish:
Turbo Pascal, C, C++, Linux and ops, Security,
C++/MFC, PHP, C++.NET, Flash, Java, C++,
SharePoint, C#, Silverlight, Javascript / Node.js,
Flash, Security, …

4. It all mostly felt like made-up solutions to artificial problems
Mid 2012: 😣💥
Desperately needed a change / purpose

5. Noticed: Revenge porn and iCloud hackers
Read articles described sites dedicated to hacking,
outing and shaming young girls and boys

6. Impression:
Victims weren’t helped
Offenders grew ever more ruthless
Police couldn’t be bothered
Lack of pushback seemed to legitimize the abuse
Vigilantes resorted to DDoS

7. The DDoS tactic seemed childish and counter-productive
Legitimate businesses harmed
One site down (for a few minutes), thousands still up

8. Instead:
Could a Norwegian revenge-porn case be cracked, with code?

9. I figured it couldn’t hurt to try
… in retrospect, it could have hurt many, a lot

10. Chasing an iCloud hacker
January 2013:
Monitored certain forums for geotagged pics from Norway

11. How the system worked:
Partial http downloads (Range: bytes=0-5000)
Processed millions of image headers
Parsed metadata, looked for GPS tag
Resolved location through Google’s api
Notified me when content from Norway was found

12. Before long:
Found a post which suggested iCloud hack of 5+ Norwegian girls
“Who said they know I got them? iCloud…”

13. Identified two girls based on the geolocation data in image exif headers

14. Updated bot code to look for other posted images with the same hash
This revealed link to post on another forum

15. On this second forum: Looked like original posting
Users were trying to identify girls
Came close to naming one girl’s 14 year old sister

16. Got IP-address of original posting from admin, and pictures deleted

17. Contacted the police - got no help notifying the girls
Eventually I contacted two of the girls,
one of whom filed a police report
The police dropped it immediately

18. Police: “Since we don’t know who the perpetrator is, we can’t help you“

19. Started monitoring chatter about iCloud hacks,
saw self-advertising hackers
I decided to set a trap

20. Bought a domain (spun.xxx) and established a honeypot,
contacted hackers asking for help hacking the
iCloud account of a made-up step-sister

21. The honeypot:
Claimed to be a near-mythical stash of revenge porn
Claimed to have operated for years, being built on absolute user trust
I casually mentioned it in emails with the hackers
Told them I was a long-time member
Eventually told them I trusted them, and sent an invite
Invite process: Many steps, meant to build trust and gather info
The final step of the registration process: Phone number
Once the code sent by sms was typed in, they’d get an error

22. Got several to trigger the honeypot,
revealing (often residential) IP addresses
and a few phone numbers (verified by the two-factor response)

23. And then suddenly …

24. I now seemed to have the hacker’s (anonymous) Hotmail address

25. I examined the password reset info for the Hotmail account
Found that it pointed to a Gmail account

26. I also noticed a hashed value in the reset page’s markup

27. Turned out to not be salted for any specific source account
Meaning:
If I entered the same backup email in another acct,
the hashes would match

28. Around the same time I investigated similarities
between the victims’ networks

29. I automated the Hotmail hash process for a list of emails,
including those from the girls’ mutual friends

30. … and got a hit for a mutual friend of theirs
somehacker@hotmail.com => realname@gmail.com

31. He was a politician with a vast social network and
a trusted position in the party’s social media office

32. At this point I had:
The (residential) IP-address of the first known posting of the pictures
A matching IP-address for a person who claimed to be an iCloud hacker
A connected, real-name based, e-mail address for the iCloud hacker’s e-mail

33. But I wanted to be as certain as possible that two were the same, before
discussing his identity with the girl or the police

34. So I did the following:
Sent the hacker a URL by email, got a hit from the suspected IP
Sent a URL (posing as an email sent to the wrong person) to the regular guy
Found that the two had the same IP, same os / browser / browser plugins

35. Now I was pretty sure I had him
.. but the police were uninterested
— even after being pressured by lawyers for the following months

36. While the lawyers were making futile efforts,
I tried to identify other victims,
to add to the pressure

37. During email exchanges he sent images of another girl,
claiming she was a blogger he found on a Norwegian blogging portal

38. He wouldn’t tell me who she was, so I took the code approach again ..

39. Approach:
He said she used a Norwegian blog portal -
I automated traversal of their tens of thousands of blogs
Scraped email accounts and indexed content
Checked the email accounts against Apple ID web service
Crossed matches for profiles with public Apple ID and trigger words
Narrowed it down to a few hundred blogs
Scraped images from those, and manually compared
Found her

40. I contacted her, explained and scheduled a meeting with her
She also pressed charges against the hacker 🙌

41. The police still did nothing, though

42. All in all it took more than six months,
and eventually press involvement,
before the police dealt with the hacker

43. One year later he was sentenced to 60 days,
of which 30 had to be served in jail

44. How the hacks were executed

45. Resetting the iCloud password required the date of birth,
and answers to “secret” (😣) security answers

46. Date of birth certainly isn’t a secret
With SoMe profiles, what else really is?

47. Downloaded backups from iCloud
Including pictures, videos, notes and messages
Specifically looked for explicit content and passwords

48. Tried accessing the victims’ email accounts
Linked them to accounts he created with similar names
lisa.lala@hotmail.com => lisa.lala@live.com

49. His goal:
Granting himself “eternal” access to iCloud-connected email accounts,
and thus be able to reset the password at leisure
!
He applied these techniques to an unknown number of girls
Eventually succeeding for at least 30 victims

50. In retrospect, would I have repeated my work?

51. For better or worse, nothing has been quite the same for me ever since

52. But more important than my experiences, the highly present risk of:
Outing — and destroying — innocent people
Meddling with police affairs

53. So would I have done it again?
The problem really can’t just be ignored
So yeah, probably

54. In March 2014 I started working work VG.no

55. My time at VG is a tale of career options not thought possible
I had no idea such jobs existed, really
Proves that there’s no reason to rot in unfulfilling careers

56. In either case: My time at VG has been diverse

57. Chasing child abuse consumers
March 2014:
Discovered sites spreading child abuse material,
while checking loose ends from the iCloud-case

58. Video not embedded, see:
https://www.youtube.com/watch?v=S78DuvaoSTw

59. Discovered sites spreading child abuse material
while checking loose ends from the iCloud-case

60. We spent more than a year researching the sites and their users

61. We found a network of hacked sites which adverted child abuse,
pushing downloaders towards the file sharing sites

77. Gathered a total of 36mn logged downloads
But not all documented child abuse

78. How could we tell one thing from the other,
without downloading everything?

79. Initial considerations:
Had loads of data on downloads
.. and knew that several of the downloads were related
The goal was to reduce the 36mn chaos to something manageable
We were interested in the likelihood of a certain file containing abuse

80. We knew for certain that a few files contained abuse material

88. My goal: Rapid experimentation with the (huge) data set
Time-consuming reloads and lack of visualizations would slow down the
project, and potentially make collaboration impossible

89. Python + Jupyter Notebook

91. This really was key to the collaboration between coder and journalist

92. The full analysis process

97. Example: Weighted filtering

99. Identifying the downloaders
Chased the lowest hanging fruits first
Imported emails from logs to address lists => “Find your friends”
Examined password reset pages
Crossed any info we could gather with geolocation of IPs

100. Final results of the analysis:
~5500 downloads from Norway
~300 downloaders
78 identified

101. Globally: 430.000 downloads of the same files

102. We confronted 10 downloaders of child abuse documentation
7 admitted their actions
Norwegian police got increased funding
We’re still working on related projects

103. Having gone down this path, would I recommend it to others?
Working with / in the press or police is better than going solo
If solo: stay far away from child abuse material
An open-source initiative would be really interesting
(better tools for monitoring forums, hash db, profile db, etc)

104. Questions? Suggestions?
!
Feel free to reach out:
Einar Otto Stangvik
twitter/einaros
einaros@vg.no