SlideShare a Scribd company logo

The devil is in the details

C
Carola Frediani

How cybercriminals, leakers, State-sponsored hackers failed their opsec The talk was given during the No Hat conference in Bergamo (Italy) https://www.nohat.it/ Streaming: https://www.youtube.com/watch?v=b64RE9cXajA from minute 6.52.11

Technology
1 of 22
Download to read offline
The devil is in the details How cybercriminals, leakers, State-sponsored hackers failed their opsec #NOHAT 2019 - Carola Frediani
Opsec and the human factor You can get the tech right and still fail the opsec. Why? ● undisciplined past ● no compartmentation of identities (and of different operations) ● undeletable data ● language (is a traitor) ● money flows (follow the money) ● rush to get results ● group dynamics (peer pressure and recognition)
Harold T. Martin III - Contractor Nsa, sentenced to 9 years for stealing secret documents - Ph.D in information security management - He used virtual machines, encryption and anonymization systems, probably Tails or a similar system -> “a sophisticated software tool which runs without being installed on a computer and provides anonymous internet access, leaving no digital footprint on the machine” (indictment) - “He has a demonstrated ability to conceal his online communications and his access to the internet”. - He sent strange messages to Kaspersky via DM Twitter during the Shadow Brokers leaks - His Twitter handle @Hal_999999999 connected him to his real life
Harold T. Martin III A Google search on the Twitter handle and display name found someone using the same name on a personal ad seeking female sex partners. The anonymous ad included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and "technical advisor and investigator on offensive cyber issues." (source: Politico)
Harold T. Martin III Twitter handle > dating site > his real photo, location, age > Linkedin profile > language clue (CAMBRIC) Also: ● Twitter account created with email associated to his real life ● On a social networking website, the user hal999999999 had a display picture matching the motor vehicle administration photo of Martin
Paige Thompson (Capital One) ● Some leaked data were openly stored on GitHub ● The GitHub page included Paige Thompson full name in the digital address and it was linked to other pages on GitLab linking to Thompson and her résumé (source: affidavit) ● Thompson posted about the hack in an open Slack channel, naming her VPN, that matched Capital One logs of the intruder and GItHub logs ● A Meetup group was linked to the Slack channel where the alias erratic posted breached data ● The Meetup page had a "Paige Thompson (erratic)" as organizer ● Thompson used the alias “erratic” on Twitter (where she talked of the hack, and had her real life photo)
Alexandre Cazes ● 26 years old Canadian programmer, living in Thailand, and alleged kingpin behind AlphaBay Market ● arrested on July 5th, 2017 in Bangkok; he committed suicide after few days in prison ● in 2015 the Alphabay administrator, known as alpha02 (allegedly Cazes) said to DeepDotWeb: “I am absolutely certain that my opsec is secure, and I live in an offshore country where I am safe.” ● an email address in the AlphaBay forum welcome message was the main lead ● email address > real name > Linkedin > PayPal
Alexandre Cazes Around December 2014 AlphaBay's operators decided to add a forum to the martketplace. Users who registered on AlphaBay's forum got a greeting message from the site's admin. In December 2016, FBI learned that for a short period in 2014 these greeting emails included the AlphaBay admin's personal email address in the message header. That email address was: "pimp_alex_91@hotmail.com" Image credits: Christy Quinn
Alexandre Cazes ● Cazes' email was also included in the header of the AlphaBay forum pwd recovery process (forfeiture complaint) ● The FBI linked it to his identity. It was also associated to a LinkedIn account for Alexandre Cazes, born in 1991 ● In his Linkedin profile he was from Montreal and run a tech company, EBX technologies ● A PayPal account run by Cazes listed his Hotmail account ● He used a pseudonym to run AlphaBay previously used on carding forums. And that was linked to his email and name in a 2008 post on a tech forum
Alexandre Cazes Police caused AlphaBay servers to shutdown, forcing Cazes to access AlphaBay forum/datacenter and try to reboot the servers. (“Law enforcement-caused outage”) Then they tricked Cazes into leaving his laptop by simulating a car accident outside his Thai home. Undercover cops crashed a car through his front gate. Cazes had the passwords for the servers stored in unencrypted text files, and an Excel with all his properties. (Thanks to @Patrick_Shortis for some help on this case)
Ross Ulbricht (Silk Road) ALTOID HANDLE -> SILK ROAD ALTOID HANDLE -> ULBRICHT EMAIL I (Images via IPVN.net)
Ross Ulbricht On October 2013, FBI agents decided to arrest Ross Ulbricht because there was a chance to get the laptop unencrypted. In the public library he was working in, a couple (two FBI agents) simulated a fight behind him. And when he turned away the FBI snatched his laptop, a Samsung 700z encrypted with TrueCrypt. He was logged into Silk Road. They found: PGP private keys, the .php files that built Silk Road, spreadsheets, chat logs, a journal. Thettttt Source: The Grugq
OxyMonster Gal Vallerius aka OxyMonster was a vendor on underground marketplace Dream Market. He was arrested in August 2017 after flying to the US to attend a beard competition. Border guards searched his (unencrypted?) laptop and found his credentials for Dream Market, a PGP private key used by a Dream Market vendor, $500,000 US in bitcoin and a copy of Tor browser. Why was he a suspect?
OxyMonster ● OxyMonster had a Bitcoin tip jar for the help he gave in the forum. ● From this address many outgoing transactions went to a Localbitcoins.com account registered to Gal Vallerius. ● The agents searched his Twitter/ Instagram accounts and analysed his writing style comparing it with more than 1,000 comments left by OxyMonster on Dream Market. ● Cheers, double exclamation and quotation marks, French posts were a common pattern. ● Enough to mark him and get a warrant.
OxyMonster Investigation: chain analysis > social media OSINT > writing analysis > device search at the border Mistakes: no tumblers > no compartmentation > no avoiding US > no encryption
Hacktivism Stick to yourselves. If you are in a crew - keep your opsec up 24/7. Friends will try to take you down if they have to. (Sabu aka Hector Xavier Monsegur) Jeremy Hammond identified via a triangulation of real life insights revealed through his 3 nicknames (Anarchaos, yohoho, POW) ● Groups are often an enemy of opsec ● Social dynamics, group think, the need of peer recognition, the exchange of tools weaken opsec ● Hacktivists are easy to infiltrate (more than cybercriminal groups; much more than State-sponsored groups) Source: The DailyDot
Guccifer 2.0 and the GRU State-sponsored hackers (Russian GRU) allegedly responsible for the DNC leaks: ● Language (Guccifer 2.0) ● Identifying metadata (PDF documents) ● Real IP address (forgot to activate VPN) ● Account and IP reuse (email, server) ● Malware reuse (X-Agent, X-Tunnel -> APT28) ● Money flows (bitcoin) So Source: Motherboard
Guccifer 2.0 and the GRU - spear phishing domains - DCLeaks.com site same pool of bitcoin - X-Tunnel malware domain (linuxkrnl.net) Guccifer’s VPN funds from same DCLeaks bitcoin address Bitly link > Bitly account (not private) > many Bitly URLs (phishing campaign targeting the Democrats) Source: indictment; SecureWorks Image: #Cybercrime
Park Jin Hyok (Lazarus Group) Kim Hyon Woo persona accounts (Lazarus attacks): tty198410@gmail.com hyon_u@hotmail.com hyonwoo01@gmail.com hyonwu@gmail.com @hyon_u Chosun Expo accounts (Park Jin Hyok): ttykim1018@gmail.com surigaemind@hotmail.it pkj0615710@hotmail.com mrkimjin123@gmail.com tty198410@gmail.com ttykim1018@gmail.com surigaemind@hotmail.it hyonwu@gmail.com pkj0615710@hotmail.com mrkimjin123@gmail.com tty198410@gmail.com
Looking forward ● Establishing cyber criminal identity (WHO) ● Establishing the outcomes of criminal conduct (WHAT) “Successful cyber criminals are those who avoid both detection of their crimes and identification”
Some takeaways (from an opsec perspective) ● If you have good crypto but you fail at OPSEC and TRADECRAFT then you lose - (Krypt3ia) However, crypto helps. ● Don’t reveal operational data ● Don’t contaminate. Contact between personas (covers) contaminates both (the grugq) ● No logs, no crime (the grugq). However, people love logging. ● When you start, that’s probably when you are going to mess up. ● If you are going to build a big campaign attacking many targets maintaining a good opsec is hard, and expensive. ● The solitary highly-skilled one-off hacker might well be the toughest to identify (especially if she/he doesn’t move much money). ● Opsec is rooted in psychology, mental well-being, autonomy, patience.
Thank you! Carola Frediani Twitter: @carolafrediani Newsletter: https://guerredirete.substack.com/

Recommended

Reasoning and mental aptitude for entrance test
Reasoning and mental aptitude for entrance testReasoning and mental aptitude for entrance test
Reasoning and mental aptitude for entrance testDr. Trilok Kumar Jain
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
OECLIB Odisha Electronics Control Library
 
DMTM Lecture 19 Data exploration
DMTM Lecture 19 Data explorationDMTM Lecture 19 Data exploration
DMTM Lecture 19 Data exploration
Pier Luca Lanzi
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Mithileysh Sathiyanarayanan
 
Top 5 digital forensic court cases
Top 5 digital forensic court casesTop 5 digital forensic court cases
Top 5 digital forensic court cases
Deadbolt Forensics
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?
ThreatConnect
 
Open Web Data Feeds for Cybersecurity & Homeland Security Intelligence
Open Web Data Feeds for Cybersecurity & Homeland Security IntelligenceOpen Web Data Feeds for Cybersecurity & Homeland Security Intelligence
Open Web Data Feeds for Cybersecurity & Homeland Security Intelligence
Ohad Flinker
 
News Bytes by Jaskaran Narula - Null Meet Bhopal
News Bytes by Jaskaran Narula - Null Meet Bhopal News Bytes by Jaskaran Narula - Null Meet Bhopal
News Bytes by Jaskaran Narula - Null Meet Bhopal
Jaskaran Narula
 

Recommended

Reasoning and mental aptitude for entrance test
Reasoning and mental aptitude for entrance testReasoning and mental aptitude for entrance test
Reasoning and mental aptitude for entrance testDr. Trilok Kumar Jain
 
Computer Forensics ppt
Computer Forensics pptComputer Forensics ppt
Computer Forensics ppt
OECLIB Odisha Electronics Control Library
 
DMTM Lecture 19 Data exploration
DMTM Lecture 19 Data explorationDMTM Lecture 19 Data exploration
DMTM Lecture 19 Data exploration
Pier Luca Lanzi
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
Mithileysh Sathiyanarayanan
 
Top 5 digital forensic court cases
Top 5 digital forensic court casesTop 5 digital forensic court cases
Top 5 digital forensic court cases
Deadbolt Forensics
 
Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?Does a Bear Leak in the Woods?
Does a Bear Leak in the Woods?
ThreatConnect
 
Open Web Data Feeds for Cybersecurity & Homeland Security Intelligence
Open Web Data Feeds for Cybersecurity & Homeland Security IntelligenceOpen Web Data Feeds for Cybersecurity & Homeland Security Intelligence
Open Web Data Feeds for Cybersecurity & Homeland Security Intelligence
Ohad Flinker
 
News Bytes by Jaskaran Narula - Null Meet Bhopal
News Bytes by Jaskaran Narula - Null Meet Bhopal News Bytes by Jaskaran Narula - Null Meet Bhopal
News Bytes by Jaskaran Narula - Null Meet Bhopal
Jaskaran Narula
 
Backdoor Dreaming
Backdoor DreamingBackdoor Dreaming
Backdoor Dreaming
Carola Frediani
 
Social Engineering
Social EngineeringSocial Engineering
Social EngineeringNeelu Tripathy
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
Dinesh O Bareja
 
Social Engineering : To Err is Human...
Social Engineering : To Err is Human...Social Engineering : To Err is Human...
Social Engineering : To Err is Human...
n|u - The Open Security Community
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
b coatesworth
 
Course on Ehtical Hacking - Introduction
Course on Ehtical Hacking - IntroductionCourse on Ehtical Hacking - Introduction
Course on Ehtical Hacking - Introduction
Bharat Thakkar
 
Computer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
Computer Security,Types of Hackers,Installation of Kali Linux, Common KeywordsComputer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
Computer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
khansalman19
 
C|EH Introduction
C|EH IntroductionC|EH Introduction
C|EH Introductionsunnysmith
 
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docxSecurity Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
acarolyn
 
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
ThreatConnect
 
5 biggest cyber attacks and most famous hackers
5 biggest cyber attacks and most famous hackers5 biggest cyber attacks and most famous hackers
5 biggest cyber attacks and most famous hackers
Roman Antonov
 
Top 10 Cyber Crimes in the World till now
Top 10 Cyber Crimes in the World till nowTop 10 Cyber Crimes in the World till now
Top 10 Cyber Crimes in the World till now
Abdullah Khosa
 
News bytes-July 2013
News bytes-July 2013News bytes-July 2013
News bytes-July 2013
n|u - The Open Security Community
 
Power Point Hacker
Power Point HackerPower Point Hacker
Power Point Hackeryanizaki
 
Hackers Izyani
Hackers IzyaniHackers Izyani
Hackers Izyaniyanizaki
 
Hacking (cs192 report )
Hacking (cs192 report )Hacking (cs192 report )
Hacking (cs192 report )Elipeta Sotabento
 
Funniest Cyber Crimes that actually worked.pptx
Funniest Cyber Crimes that actually worked.pptxFunniest Cyber Crimes that actually worked.pptx
Funniest Cyber Crimes that actually worked.pptx
Cyber Security Partners
 
Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
n|u - The Open Security Community
 
Newsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_DecNewsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_Dec
Raghunath G
 
fdocuments.in_tracking-hackers-56ed6be29ae97.ppt
fdocuments.in_tracking-hackers-56ed6be29ae97.pptfdocuments.in_tracking-hackers-56ed6be29ae97.ppt
fdocuments.in_tracking-hackers-56ed6be29ae97.ppt
ErRanjanRoutray
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 

More Related Content

Similar to The devil is in the details

Backdoor Dreaming
Backdoor DreamingBackdoor Dreaming
Backdoor Dreaming
Carola Frediani
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
Dinesh O Bareja
 
Social Engineering : To Err is Human...
Social Engineering : To Err is Human...Social Engineering : To Err is Human...
Social Engineering : To Err is Human...
n|u - The Open Security Community
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
b coatesworth
 
Course on Ehtical Hacking - Introduction
Course on Ehtical Hacking - IntroductionCourse on Ehtical Hacking - Introduction
Course on Ehtical Hacking - Introduction
Bharat Thakkar
 
Computer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
Computer Security,Types of Hackers,Installation of Kali Linux, Common KeywordsComputer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
Computer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
khansalman19
 
C|EH Introduction
C|EH IntroductionC|EH Introduction
C|EH Introductionsunnysmith
 
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docxSecurity Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
acarolyn
 
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
ThreatConnect
 
5 biggest cyber attacks and most famous hackers
5 biggest cyber attacks and most famous hackers5 biggest cyber attacks and most famous hackers
5 biggest cyber attacks and most famous hackers
Roman Antonov
 
Top 10 Cyber Crimes in the World till now
Top 10 Cyber Crimes in the World till nowTop 10 Cyber Crimes in the World till now
Top 10 Cyber Crimes in the World till now
Abdullah Khosa
 
News bytes-July 2013
News bytes-July 2013News bytes-July 2013
News bytes-July 2013
n|u - The Open Security Community
 
Power Point Hacker
Power Point HackerPower Point Hacker
Power Point Hackeryanizaki
 
Hackers Izyani
Hackers IzyaniHackers Izyani
Hackers Izyaniyanizaki
 
Funniest Cyber Crimes that actually worked.pptx
Funniest Cyber Crimes that actually worked.pptxFunniest Cyber Crimes that actually worked.pptx
Funniest Cyber Crimes that actually worked.pptx
Cyber Security Partners
 
Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
n|u - The Open Security Community
 
Newsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_DecNewsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_Dec
Raghunath G
 
fdocuments.in_tracking-hackers-56ed6be29ae97.ppt
fdocuments.in_tracking-hackers-56ed6be29ae97.pptfdocuments.in_tracking-hackers-56ed6be29ae97.ppt
fdocuments.in_tracking-hackers-56ed6be29ae97.ppt
ErRanjanRoutray
 

Similar to The devil is in the details (20)

Backdoor Dreaming
Backdoor DreamingBackdoor Dreaming
Backdoor Dreaming
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Hacking And Its Prevention
Hacking And Its PreventionHacking And Its Prevention
Hacking And Its Prevention
 
Social Engineering : To Err is Human...
Social Engineering : To Err is Human...Social Engineering : To Err is Human...
Social Engineering : To Err is Human...
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
Course on Ehtical Hacking - Introduction
Course on Ehtical Hacking - IntroductionCourse on Ehtical Hacking - Introduction
Course on Ehtical Hacking - Introduction
 
Computer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
Computer Security,Types of Hackers,Installation of Kali Linux, Common KeywordsComputer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
Computer Security,Types of Hackers,Installation of Kali Linux, Common Keywords
 
C|EH Introduction
C|EH IntroductionC|EH Introduction
C|EH Introduction
 
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docxSecurity Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
Security Breaches and the Six Dumb Ideas Consider a recent (2014- 2015.docx
 
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
Guccifer 2.0 the DNC Hack, and Fancy Bears, Oh My!
 
5 biggest cyber attacks and most famous hackers
5 biggest cyber attacks and most famous hackers5 biggest cyber attacks and most famous hackers
5 biggest cyber attacks and most famous hackers
 
Top 10 Cyber Crimes in the World till now
Top 10 Cyber Crimes in the World till nowTop 10 Cyber Crimes in the World till now
Top 10 Cyber Crimes in the World till now
 
News bytes-July 2013
News bytes-July 2013News bytes-July 2013
News bytes-July 2013
 
Power Point Hacker
Power Point HackerPower Point Hacker
Power Point Hacker
 
Hackers Izyani
Hackers IzyaniHackers Izyani
Hackers Izyani
 
Hacking (cs192 report )
Hacking (cs192 report )Hacking (cs192 report )
Hacking (cs192 report )
 
Funniest Cyber Crimes that actually worked.pptx
Funniest Cyber Crimes that actually worked.pptxFunniest Cyber Crimes that actually worked.pptx
Funniest Cyber Crimes that actually worked.pptx
 
Newbytes NullHyd
Newbytes NullHydNewbytes NullHyd
Newbytes NullHyd
 
Newsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_DecNewsbytes_NULLHYD_Dec
Newsbytes_NULLHYD_Dec
 
fdocuments.in_tracking-hackers-56ed6be29ae97.ppt
fdocuments.in_tracking-hackers-56ed6be29ae97.pptfdocuments.in_tracking-hackers-56ed6be29ae97.ppt
fdocuments.in_tracking-hackers-56ed6be29ae97.ppt
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 

The devil is in the details

  • 1. The devil is in the details How cybercriminals, leakers, State-sponsored hackers failed their opsec #NOHAT 2019 - Carola Frediani
  • 2. Opsec and the human factor You can get the tech right and still fail the opsec. Why? ● undisciplined past ● no compartmentation of identities (and of different operations) ● undeletable data ● language (is a traitor) ● money flows (follow the money) ● rush to get results ● group dynamics (peer pressure and recognition)
  • 3. Harold T. Martin III - Contractor Nsa, sentenced to 9 years for stealing secret documents - Ph.D in information security management - He used virtual machines, encryption and anonymization systems, probably Tails or a similar system -> “a sophisticated software tool which runs without being installed on a computer and provides anonymous internet access, leaving no digital footprint on the machine” (indictment) - “He has a demonstrated ability to conceal his online communications and his access to the internet”. - He sent strange messages to Kaspersky via DM Twitter during the Shadow Brokers leaks - His Twitter handle @Hal_999999999 connected him to his real life
  • 4. Harold T. Martin III A Google search on the Twitter handle and display name found someone using the same name on a personal ad seeking female sex partners. The anonymous ad included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and "technical advisor and investigator on offensive cyber issues." (source: Politico)
  • 5. Harold T. Martin III Twitter handle > dating site > his real photo, location, age > Linkedin profile > language clue (CAMBRIC) Also: ● Twitter account created with email associated to his real life ● On a social networking website, the user hal999999999 had a display picture matching the motor vehicle administration photo of Martin
  • 6. Paige Thompson (Capital One) ● Some leaked data were openly stored on GitHub ● The GitHub page included Paige Thompson full name in the digital address and it was linked to other pages on GitLab linking to Thompson and her résumé (source: affidavit) ● Thompson posted about the hack in an open Slack channel, naming her VPN, that matched Capital One logs of the intruder and GItHub logs ● A Meetup group was linked to the Slack channel where the alias erratic posted breached data ● The Meetup page had a "Paige Thompson (erratic)" as organizer ● Thompson used the alias “erratic” on Twitter (where she talked of the hack, and had her real life photo)
  • 7. Alexandre Cazes ● 26 years old Canadian programmer, living in Thailand, and alleged kingpin behind AlphaBay Market ● arrested on July 5th, 2017 in Bangkok; he committed suicide after few days in prison ● in 2015 the Alphabay administrator, known as alpha02 (allegedly Cazes) said to DeepDotWeb: “I am absolutely certain that my opsec is secure, and I live in an offshore country where I am safe.” ● an email address in the AlphaBay forum welcome message was the main lead ● email address > real name > Linkedin > PayPal
  • 8. Alexandre Cazes Around December 2014 AlphaBay's operators decided to add a forum to the martketplace. Users who registered on AlphaBay's forum got a greeting message from the site's admin. In December 2016, FBI learned that for a short period in 2014 these greeting emails included the AlphaBay admin's personal email address in the message header. That email address was: "pimp_alex_91@hotmail.com" Image credits: Christy Quinn
  • 9. Alexandre Cazes ● Cazes' email was also included in the header of the AlphaBay forum pwd recovery process (forfeiture complaint) ● The FBI linked it to his identity. It was also associated to a LinkedIn account for Alexandre Cazes, born in 1991 ● In his Linkedin profile he was from Montreal and run a tech company, EBX technologies ● A PayPal account run by Cazes listed his Hotmail account ● He used a pseudonym to run AlphaBay previously used on carding forums. And that was linked to his email and name in a 2008 post on a tech forum
  • 10. Alexandre Cazes Police caused AlphaBay servers to shutdown, forcing Cazes to access AlphaBay forum/datacenter and try to reboot the servers. (“Law enforcement-caused outage”) Then they tricked Cazes into leaving his laptop by simulating a car accident outside his Thai home. Undercover cops crashed a car through his front gate. Cazes had the passwords for the servers stored in unencrypted text files, and an Excel with all his properties. (Thanks to @Patrick_Shortis for some help on this case)
  • 11. Ross Ulbricht (Silk Road) ALTOID HANDLE -> SILK ROAD ALTOID HANDLE -> ULBRICHT EMAIL I (Images via IPVN.net)
  • 12. Ross Ulbricht On October 2013, FBI agents decided to arrest Ross Ulbricht because there was a chance to get the laptop unencrypted. In the public library he was working in, a couple (two FBI agents) simulated a fight behind him. And when he turned away the FBI snatched his laptop, a Samsung 700z encrypted with TrueCrypt. He was logged into Silk Road. They found: PGP private keys, the .php files that built Silk Road, spreadsheets, chat logs, a journal. Thettttt Source: The Grugq
  • 13. OxyMonster Gal Vallerius aka OxyMonster was a vendor on underground marketplace Dream Market. He was arrested in August 2017 after flying to the US to attend a beard competition. Border guards searched his (unencrypted?) laptop and found his credentials for Dream Market, a PGP private key used by a Dream Market vendor, $500,000 US in bitcoin and a copy of Tor browser. Why was he a suspect?
  • 14. OxyMonster ● OxyMonster had a Bitcoin tip jar for the help he gave in the forum. ● From this address many outgoing transactions went to a Localbitcoins.com account registered to Gal Vallerius. ● The agents searched his Twitter/ Instagram accounts and analysed his writing style comparing it with more than 1,000 comments left by OxyMonster on Dream Market. ● Cheers, double exclamation and quotation marks, French posts were a common pattern. ● Enough to mark him and get a warrant.
  • 15. OxyMonster Investigation: chain analysis > social media OSINT > writing analysis > device search at the border Mistakes: no tumblers > no compartmentation > no avoiding US > no encryption
  • 16. Hacktivism Stick to yourselves. If you are in a crew - keep your opsec up 24/7. Friends will try to take you down if they have to. (Sabu aka Hector Xavier Monsegur) Jeremy Hammond identified via a triangulation of real life insights revealed through his 3 nicknames (Anarchaos, yohoho, POW) ● Groups are often an enemy of opsec ● Social dynamics, group think, the need of peer recognition, the exchange of tools weaken opsec ● Hacktivists are easy to infiltrate (more than cybercriminal groups; much more than State-sponsored groups) Source: The DailyDot
  • 17. Guccifer 2.0 and the GRU State-sponsored hackers (Russian GRU) allegedly responsible for the DNC leaks: ● Language (Guccifer 2.0) ● Identifying metadata (PDF documents) ● Real IP address (forgot to activate VPN) ● Account and IP reuse (email, server) ● Malware reuse (X-Agent, X-Tunnel -> APT28) ● Money flows (bitcoin) So Source: Motherboard
  • 18. Guccifer 2.0 and the GRU - spear phishing domains - DCLeaks.com site same pool of bitcoin - X-Tunnel malware domain (linuxkrnl.net) Guccifer’s VPN funds from same DCLeaks bitcoin address Bitly link > Bitly account (not private) > many Bitly URLs (phishing campaign targeting the Democrats) Source: indictment; SecureWorks Image: #Cybercrime
  • 19. Park Jin Hyok (Lazarus Group) Kim Hyon Woo persona accounts (Lazarus attacks): tty198410@gmail.com hyon_u@hotmail.com hyonwoo01@gmail.com hyonwu@gmail.com @hyon_u Chosun Expo accounts (Park Jin Hyok): ttykim1018@gmail.com surigaemind@hotmail.it pkj0615710@hotmail.com mrkimjin123@gmail.com tty198410@gmail.com ttykim1018@gmail.com surigaemind@hotmail.it hyonwu@gmail.com pkj0615710@hotmail.com mrkimjin123@gmail.com tty198410@gmail.com
  • 20. Looking forward ● Establishing cyber criminal identity (WHO) ● Establishing the outcomes of criminal conduct (WHAT) “Successful cyber criminals are those who avoid both detection of their crimes and identification”
  • 21. Some takeaways (from an opsec perspective) ● If you have good crypto but you fail at OPSEC and TRADECRAFT then you lose - (Krypt3ia) However, crypto helps. ● Don’t reveal operational data ● Don’t contaminate. Contact between personas (covers) contaminates both (the grugq) ● No logs, no crime (the grugq). However, people love logging. ● When you start, that’s probably when you are going to mess up. ● If you are going to build a big campaign attacking many targets maintaining a good opsec is hard, and expensive. ● The solitary highly-skilled one-off hacker might well be the toughest to identify (especially if she/he doesn’t move much money). ● Opsec is rooted in psychology, mental well-being, autonomy, patience.
  • 22. Thank you! Carola Frediani Twitter: @carolafrediani Newsletter: https://guerredirete.substack.com/