
Perfect, yeah, thank you very much. Today I'm going to talk about something that might not look like it really belongs together: password reset forms and missing people. But bear with me and I'm going to walk you through that a little bit. There are also some good tips for red teamers in here at the end, and some tips for blue teamers, so if you're not just into OSINT investigations there's some good stuff at the end, and hopefully it's going to be an enjoyable talk just for your general interest.

All right, so a little bit of background on me. We already talked about some of these things. The way I got into looking for missing people was through two things, really. One is Trace Labs, which is an organization that takes missing people cases, takes submissions from the law enforcement community, and then crowdsources all of that to get the hacker community to help find these missing people. Really, really interesting work. They have competitions and they also have ongoing cases if you prefer to just do it in your own time by yourself. I've also been joining the National Child Protection Task Force as an advisor. That's an organization that trains law enforcement officers on how to use OSINT, particularly for child exploitation cases, online predators, those kinds of things, and the same kind of methods apply here.

I've been working in marketing in cyber security for a while, so some of the companies I worked for include PGP and Rapid7, and right now Veracode. But my ultimate life goal is to acquire all the cool skills from heist movies and con artistry movies and to get an internship with a fortune teller, so if there's anybody in the audience who can sort me out with any of those, that would be good. In the meantime, I'll be joining shortly, I'll be joining HD Moore as a co-founder in his startup, which you can find at rumble.run. It seems the world's running out of
top-level domains. And if you're into network discovery, I highly encourage you to check that out. They have a free trial and a community edition.

All right, so forgetting passwords: the forgot password function. You may have seen that some forgot password functions are in the standard kind of operating manual for some OSINT investigations, but typically they only cover Facebook, Twitter and Instagram, and they cover very little beyond that, and there are a lot of nuances that they don't cover. Some of the problems are that people sometimes get notified, so it's tricky to use, and since I submitted this talk, Trace Labs for example has actually disallowed the password resets for the competitions, because they don't want 400 people to send a password request that notifies a family that has a missing person. You're supposed to do any of that without contacting anybody of the family or anybody at all. But the practical application is still valid in a lot of cases if you're not doing this for a Trace Labs competition. I highly encourage you to try this out, and be careful, because some of those things alert the target.

I pulled on a thread when I did this, and I think my bio isn't current: the talk abstract says that I inventoried about 300 sites, and I think my spreadsheet has grown to about 500 sites where I looked at the login forms and the password reset forms and sign-ups and so on. Where are they leaking information that could be useful from an OSINT perspective? So what I'm showing in this presentation are some of the most interesting things and how you use that in an OSINT investigation.

A quick legal disclaimer, really important: I'm not a lawyer. Take nothing of what I say here as legal advice, and check that what you're about to do is legal in your jurisdiction. I'm not suggesting with any of these methods that you actually try to log into an account of somebody else; that would be illegal in most jurisdictions, so please be warned.

The primary sources for leaks I looked at were three things: login forms, password resets and sign-up pages. On the login form, for example, you can test if an email exists in a lot of cases, right? Exists on that platform, does that account exist? Many sites actually do that, and we'll see one example in this presentation. Password resets reveal some of the most interesting information; we'll see that in the next section. It's not a lot of sites, but there are still a fair amount of sites that really leak information there, on some interesting sites. And then sign-up pages. If neither the login nor the password reset actually gives you the information on whether an account exists with a certain email address, the sign-up page in most cases actually does that. So if you just try to sign up with your target's email address and it says "oh, this account exists already," then you know that this account exists on the platform. Obviously that has some challenges, because if you do that once, you're creating an account, and the next person doing that test then gets a false positive.

The types of information that are leaked are whether an account exists; you see a lot of masked email addresses and phone numbers, and we'll have a look at how to unmask those; usernames, names, masked credit card numbers and even employers. When you do any of these techniques, what I recommend is, so for example I talked about Facebook earlier, let's say you're logged into Facebook, right? You'd have to log out of Facebook before you can log back in and press the forgot password function. So what I encourage you to do when you're trying out these kinds of methods is go to the incognito mode of your browser, which is essentially the same as logging you out of your browser, but it isn't connected with all the hassle of actually logging out. So that's a neat way to speed up your
investigation.

All right, some of the vendors that I looked at, the websites: I tried to redact. I can redact the names; it's really hard to redact the branding, so some of you may recognize which e-commerce company this is. I did not redact all of them, because for some of the well-known examples I thought that didn't make a lot of sense. But this is an e-commerce company, a well-known one, and this is an example of how the sign-in function, the login function, actually leaks information. So if I type in an email address that does not exist and click on Continue, then it says here on the top that there was a problem because the account doesn't exist. You'll find this in a lot of sign-in screens that have one page where you type in the email, or the phone number actually, which can also be really useful if you've got a phone number in an investigation but not the email: you can test with that. If you have the username or an identifying feature of the user (email address, phone number) on one screen, and then a Continue, and then typing in the password, this usually works. It also works in some cases when there are both username and password on the same page.

Now if we try to log on with a real email address that exists on this platform, then the message is different. You don't get the warning message and you're being asked for the password. Now in this case the person isn't being notified, right? On this site, for example, it's quite unusual that they'd be notified in this case. The notification usually happens either with the password reset, or for sure with the sign-up form, because they usually want to do an opt-in verification of the email. So that's an example of a login form.

Let's have a look at the next example, Facebook. I didn't redact it, because Facebook, Twitter and Instagram are pretty well documented, but there are some nuances that are
worth calling out. So for Facebook, go into the incognito window of your browser and then click on Forgot Account, and you see here that it actually says "please enter your email or phone number to search your account," right? So you can do either email or phone number. What's interesting is that many sites that have a password reset function accept more types of input than they actually say on the page. So the Facebook password reset, for example, also works with a Facebook ID or the username, and the username is actually part of the URL, so you can find that pretty easily. So let's say we're taking a username and we're plugging that in, in the example, and I redacted some of the email addresses in these examples. What you get back is a masked email address and a masked phone number and an image and a name, right? Coming from the username, the image and the name you can already tell if you just go to the profile, if you have the profile name, but the masked email address and the phone number are new pieces of information.

Now with Facebook, I've seen that sometimes this process notifies the account holder. Most of the time it doesn't, but I haven't found a reliable way to tell in advance when it does and when it doesn't. If anybody in the audience out there knows the answer to this, I would love to know that. Please DM me on Twitter or contact me on Discord, or share it with people in the audience here later as a question or comment.

So now we have these pieces of information that we get, right? And for many sites I found that the number of stars actually corresponds with the number of characters that are being masked out, and that's super helpful. Facebook is one of those sites, so you know that there are, in this case, five characters missing in that email address, and that really helps you guess the right email address. So let's say that you started out with an account on Facebook called john.doe and you do the password reset function, and you get back an email address that says j*****e@aol.com and a phone ending in the number 25. In many, many cases you can guess what that email address is, and here we would guess maybe it's john.doe@aol.com, could be johndoe without the dot, and so on. So there are different variants, but whatever you're guessing, you just go back, do the same password reset function, but instead of the username this time you plug in the email address and you hit the password reset function, and it'll tell you "do you want to reset to your email or do you want to reset to the phone," and it displays the phone number. If the last two digits of the phone number are the same, then you're dead certain that it's the same, well, pretty certain that it's the same account, but it's a very, very good indicator.

There are also some other ways of guessing the account. This is from a real case that I tried to obfuscate a little bit. We found a Facebook profile that was essentially something like jeanette.do.9 as a username. We ran that through the reset function and we got something like this back, and it's kind of hard to guess, like,
what is that, what does that look like, right? We thought, okay, this could be maybe a school or university address or something like that. So we looked on Facebook at all of the schools that this teenager had been at (this was a teenager), and this was the school website. Then we went to DeHashed and said, all right, give me all the past breached email addresses for this domain. We found out that the format for students is three letters of the first name, then full last name, at stu.irvingisd.net. So then we took that and we used that same "jeanette" first three, and then the last name "do", at, and then the rest of the domain, plugged that back into the Facebook password reset, and we unmasked the name. So you can use these kinds of techniques.

Another way to unmask the email address is through password breach sites. Several of these sites allow you to put in wildcards. This is the format for DeHashed, for example. Here, if you say email:june??78 (I just did a fictitious one, this is not an actual person we were investigating, I just picked something at random; those two question marks are two characters) and domain:gmail.com, that means I'm looking for an email address that's june-something-something-78@gmail.com, and I got back a full list that's a little longer, but you see at the bottom here that it came back with juneloom78@gmail.com. You can also put a star in for many characters, and the question mark is for one character. If you have a domain that gives you one star per character as a mask, then you want to use the question mark here. The other service that I found that allows wildcard searches in breach data is DarkOwl, a dark web search engine, so that one works as well, and I believe they use stars; I'm not sure if they use question marks, but you can check that in their documentation. But I thought DeHashed would probably be the more popular site in this crowd here.

Let's have a look at Twitter. So for Twitter, again it says email, phone number or username, right? So you can plug any of the three in. Consider that when you have different types of input that you're looking for. Sometimes what you want to do is, you have an email address and maybe you can't find the profile on the site. If you plug that in and it says "would you like to reset," then you know that there is a profile on twitter.com, and you can either use OSINT to
search harder, or if you work in law enforcement you can follow the legal process and submit a subpoena to twitter.com, for example, saying "okay, I would like to know which account belongs to this email address," and they will send that back. So with Twitter, a very similar process, and you get a masked email address and a phone number. The email address is masked in a different way: you get not just the first and the last character of the part before the at, but you get the first two letters, which can sometimes help. You don't get the full domain, but you get that from Facebook. And Twitter doesn't alert the user unless you click Continue here, right? So when I say it doesn't alert, it's always if you don't follow through the whole process. If you click here, of course they're going to get a text message or an email. So if you combine Twitter and Facebook information, now you have, if you add Twitter, one more character, providing that they use the same email address for both.

Another interesting thing: sometimes when you're investigating people, especially in maybe some hate crime cases, maybe some prostitution cases, and so on, their account has been suspended under the rules of the platform. Password resets can also help you there. This is not part of an investigation; I just googled for a random suspended account to show the method. So here "t cola rose" is the account. I only see the username, I don't see a picture, account suspended, I can't see any tweets, right? But now if I go and say I want to reset my password on Twitter, I can plug in the username and it'll give me this: not the username but, I guess, the clear name, or whatever they had as a clear name on the profile. I get an image, and I get a masked phone number and a masked email address, and this starts with a g; usually that's gmail.com, right? That's a very, very common one.

So what I was interested in, I felt like okay, the image is a new pivot point that we didn't have from the suspended Twitter profile. So I right-click on the image and open that image in a new tab, and it's tiny, right? It's a thumbnail, doesn't really help me. Well, it helps a little bit, but it's hard to see. And then look at the URL: the picture, the JPEG, has a UID and then _normal.jpg. So just on a whim I removed the "_normal" and I get a full-res picture, and then I do a reverse image search, just right-click, "search Google for," and it finds a whole bunch of accounts with the same image, and this account here is on AdultWork. I'm not sure if she's an escort or if she's in adult movies or whatever, sounds like something like that. So if this was an investigation, now you'd already have additional pivot points, with a picture that you didn't have before, and so on. In this case I didn't go after the phone number and the email address, but you get the picture, right? Actually, you literally get the picture. You can use the password reset function for more than just the masked email and phone number.

Let's have a look at Instagram. This is an example where you can plug in the username, I believe also email address and phone number, and when you click that, this status bar pops up super quickly at the bottom of the screen and then goes away, so you need to be very fast to screenshot that. Instagram is an example that has a few disadvantages. For example, the stars do not correspond to the number of characters, the user is always notified, and it doesn't give you more information than Facebook. So if you have Facebook and Instagram, you're getting far enough with Facebook; take that, right? It's a better option.

All right, let's do some
other examples. Now we're back in some of the redacted sites that I found that were really powerful in the kind of information that they give you. So this is for a phone company. When you're investigating somebody, it's usually fairly easy to find their home address and phone number and those kinds of things. So here, for the password reset function, the company allows you to plug in the phone number, and then you click Continue. It echoes the last four digits of the phone number that you just entered, so this is not new information. Then it asks you for the five-digit billing zip code; you can figure that out from White Pages pretty quickly if you don't have that already, so that's the only other information that you need. And then you click Next and it gives you a masked email address with the complete domain name, so that gives you some advantages.

Another example, and this one I found surprising because this is for a payments company, so a site that probably gets a lot of phishing for its users and is probably quite security aware. So I was very surprised to see all the information that they're leaking here. Let's say you want to get to this here. I think this also works with a phone number on a different screen, but this example is for an email. So plug in the email and it echoes the email here; if you plug in the phone number, I think it also echoes an email, so you can convert that. It confirms the last two digits of the credit card number on file, which I thought, you know, for most applications you need the last four, but the last two might already be enough if you're doing a vishing or phishing attempt against this target. It might give you enough information to gain their trust by just telling them what the last two digits of the credit card number on file are. And you also get the first digit of the area code and the last four of the phone number, which is a lot more than you get on most of the other sites, where you only get the last two digits of the phone number. Conveniently, the same payments company also says, "oh, you forgot your password and you don't even know which email address you registered with us? Well, here is a screen where you can conveniently put in three email addresses and we'll tell you which one has an account with us." So I found that really interesting. And also what I found interesting is that especially larger companies that have a lot of disparate systems sometimes have several password reset functions in different parts of their site, so make sure that you really follow the breadcrumbs and have a close look.

All right, this one here is a payroll company, so something that your employer would sign you up for and that you get your pay stub through. Here the forgot password function requires first name and last name, which you probably know about your target, and either an email or a phone number, one of those you probably have. And then on the next screen it gives you the employers that are on file for that person. If you're dealing with somebody who is an adult who's disappeared and you can't find their employment on LinkedIn, but you want to locate them, let's say in a skip tracing case or in a missing person case, you could find their current employer through this if they are processing through this payroll company, and this is, I believe, by far the largest payroll company in the US, so your hit rate would be pretty good. If you go past the screen you alert the account holder, so be careful with that. If you can, always test; if you have your own account with whatever company you're testing, always test whether it alerts and at what screen. So if we go beyond that, if we're comfortable with alerting the target, we now also get not only the name and the employer, but we also find the username that's on file to log on to this payroll company for that user, for that employer. So that gives you an edge if you want to get into the payroll company, into that account, or if your target is, excuse me, the employer company, where you're trying to figure out what the internal username is, especially if it's not first.last or initial-last-name and so on, if it's something more complex, and the bigger companies usually have that, this is a good way of actually figuring out what the user ID for that user is.

There's another link here and it says "I don't know my password," right? And I thought, weird, I thought I already looked at password reset, but maybe I didn't dig far enough. So I clicked that one, and yeah, here I find all the emails on file, not just one, with a full top-level domain and the last four of the phone number. So again, last four of the phone number; some give you some other parts of the phone number. If you have several sources like this you can piece together a lot, and then do a search on some of the breach sites, or guess, and you can unmask the full information pretty quick.

All right, so some cautions. I mentioned this, I think,
three times already, but some of these sites do alert the account holder, so be careful. Sign-up forms can work fantastically well the first time, but they impact future investigations, so be aware that if you're working on something that other people in your organization, or other organizations, would also work on and try out, then you can actually negatively impact their results. And check the legality in your jurisdiction.

All right, I've brought with me two cases today that I didn't redact. I thought about, okay, how can I redact this, and so on. They're both missing people that are advertised on the internet; I believe neither of them has been found. These are from Trace Labs cases, and I decided to leave the information in clear text because you could do the same thing and figure out the same information online without any privileged information, and because it provides a little bit of a better training case. But please be respectful of these people. When I look into the background of missing people, it's rarely a good story, and both the family and the person, if they come back, get a lot of heat for having run away and so on. So please always, always treat these people with respect and don't bug them.

All right, so the first one here is Mackenzie Ray Martin, who's a teenage runaway. These pictures are age-progressed to 16 years. What we found with a lot of runaways is that they have a lot of different accounts with different names, oftentimes. So here this is the first name and then the last name of one of the parents, which isn't the same as the last name of the search target here, so we were able to find the person that way. And if we look at the URL, you see yet another name, so this is another alias that's being used as the username on Facebook. So this is the name that you need to plug into the password reset function. We take that name, we plug it in: you do the incognito window, click on Forgot Account and then enter that username in that field, and then you get a masked email address and a masked phone number, right? And the picture and the name we already knew, because we knew the username. Okay, so with that partial email address we can now start guessing, and remember this number 54, because that's going to be important for the last two digits of the phone number. So we look at this, and the Facebook name is Mackenzie Doll, but we know her legal name is Mackenzie Markham, so this one's pretty easy to guess, right? It doesn't require Sherlock Holmes to figure this out: first last at yahoo.com. Now we need to verify this, so we go to the password reset function again, start over, and this time instead of the username kat volensky we plug in mackenziemarkin at yahoo.com, hit Search, and we don't get the picture and the clear name this time, because we started with an email address, right? Facebook doesn't want to disclose that. But we get the same number 54 for the last two digits of the phone number, so we're pretty sure that this is the same account that we were just looking at.

The second case that I want to look at is where you can actually use information across several accounts. This is also a missing person that I believe hasn't been found yet. Here we're doing password resets on two profiles. We found a Facebook and a Twitter, and you see that it says c, then stars, then the last letter t, @hotmail.com, and here it says ch, stars, no last letter, @h-something. So we can see, right, same kind of length email address, it seems to be the same email address, so we can infer that ch***t@hotmail.com is the email address, right? And we've got the number 89 here. It took me a little bit of guessing, because usually people use dots or underscores between first and last if there is an extra letter; in this case it was just a dash. But we verified that, and we got the same 89 as part of the phone number on Twitter; the last example was Facebook, right? So this works across different sites as well.

Okay, so I promised you some tips for red teamers and some for blue teamers. Let's go to the red teamers first, and these might be more obvious, right? If you have an email address you want to verify, you can go to some of these password reset functions and see
is that email valid? Of course there are a ton of other ways to also verify the email address. You can also use the intel to map out services used by the organization. We talked mostly about consumer-grade systems, except maybe the payroll company, but it's mostly consumer stuff. But I found also a lot of big tech companies that are used as corporate SaaS solutions that have the same kind of issues. So if you have a user in that organization, or a bunch of users, you can try logging onto a central SaaS platform and see if the account exists with a work email address, and if you do that for two or three of your targets you can be pretty damn sure that they're using a certain SaaS service, and so that helps you map out what they're using, helps you with pretexting, maybe helps you with phishing, also pretexting, right? But more importantly, if you're going after anybody with phishing or vishing, whether it's their work email address or, if that's in scope, also their private email address, you can really tie an email address to a certain service. You will know if they go to a certain e-commerce site, or if they have an account on a certain payment site, or payroll site, or office productivity site, right? And that way you can craft a much, much better phishing email that really hits home. So really, really useful for the pretexting.

For blue teamers: I looked at like 500 sites, and so these are the things that sprung out at me. For login pages, don't return a different message or user experience when the username or email doesn't exist versus when the password is wrong, right? And also don't flag it; we had the e-commerce site in the beginning where it flagged if the account existed, because the username and then the password are on different pages. You should always let somebody go to the password page and then at the end say, "hey, username and/or password were incorrect." So same experience no matter where people enter.

For the password reset forms, don't put in different messages when the user or email exists versus when it doesn't, and this is really important. What I usually did to test out the password resets, even if I didn't have an account on the site, I went to the password reset, typed in gibberish@gibberish.com and hit password reset, and if it said "account doesn't exist," I have my answer right there: there is an information leak in terms of what accounts exist versus don't. Because you might not have an account on all systems; sometimes it's a hassle to sign up, sometimes it's not possible to sign up if it's a closed community, right? So this is a really quick check. So don't do that if you're setting up an application. Don't return any customer data that the user hasn't entered, so if I give you my phone number, don't give me a masked email address, those kinds of things. And also, regardless of whether the email is correct, display that you sent a link or code. So what I've seen oftentimes is a message that said, "thank you for resetting the password. If we have an account on file for this email address, we will send you a password reset link." That's what I see as best practice.

The sign-up forms, I think, are where you have the most information leaks. Here, don't return a different message if the account exists already. If the account exists already, maybe treat that the same as a password reset: just send, say, "hey, you tried to sign up for this account, you actually already have an account for this site, here's a password reset link." But don't give a different message if the account exists. Remember that it's not only OSINT that might be used for phishing and vishing and so on, but if your applications, your key applications that you run as a business, broadcast which accounts exist and which ones don't, then you open up the door for account brute forcing. If I can first figure out what email addresses are there, and then I can try out different common passwords, that really opens the door for that. I do understand why some of these companies do it the way they do, because they're providing assistance to the user in a way that reduces burden on the help desk, so it absolutely is a trade-off between usability and security, but I encourage you to just be aware of the trade-off and then make a business decision.

So, the resources. First of all, before I forget, I want to thank
Chris Eng at Veracode for providing me feedback on the abstract and outline of this presentation. Really appreciate that; it helped me make that better for a BSides audience.

In terms of resources, Michael Bazzell is kind of my go-to for anything OSINT. He has fantastic resources. His book, Open Source Intelligence, I've read front to back several times. It's a really big book, so it's a bit of a commitment. inteltechniques.com, his website, has really good information. If you know of the open source toolkit that he had on his website, that's no longer publicly available, but if you buy the Open Source Intelligence book, here's a link to make that downloadable. The Security, Privacy and OSINT Show is a podcast by Michael Bazzell where he talks a lot about OSINT and also privacy, which is the other side of the coin. Similarly, The OSINT Curious podcast, super good resource. Bellingcat, as a website: this is more of a journalism website, but they do everything with OSINT. Fantastic work, I'm impressed every time I read an article by them, and they also have a toolkit that shows some of the things.

Then conferences: Layer 8. Many of the people who organized BSides Boston also organized Layer 8. Highly recommended if you're into social engineering and OSINT. The Recon Village at DEF CON is a good resource, and if you're in law enforcement, the NCPTF conference once a year is a really, really good way to learn about OSINT and legal process, but it's closed to the public; it's only available if you're in law enforcement or government. Glenn Devitt's got a really good OSINT course at Black Hat.

And if you are looking for an automated way to test password resets, there is a GitHub repository by a guy who calls himself megadose. I don't know how to pronounce the project: is it "hole-he" or "ko-lej"? If anybody has an answer to that, I'd really like to know. I don't think that many of the password reset functions can be truly automated at scale. Some of them use CAPTCHA, some of them use several inputs and so on. I think it's going to be really difficult. Some of them use several screens, so you can automate it to some extent, but not fully, I believe.

All right, that's it for the presentation. I was rushing to get through it, but it seems we have some time for questions. And by the way, this is my Twitter handle, of course: chris_kirsch. Feel free to follow me, feel free to DM me, my DMs are open, or ask your question right here in the chat.

So thank you so much, Chris, that was a really fantastic presentation. I have to tell you, I laughed at the beginning when you mentioned you wanted
to work for a fortune teller and carry out all of the heist movies. That's like my dream as well.

I did give a talk at DEF CON, last year I think it was, on how fortune tellers, kind of like techniques of how you can pretend to be a fortune teller, and lessons for social engineering. It's up on, you can find it if you look for "fortune telling DEF CON Kirsch" or "SE Village", you'll find that talk. So I'm, you know, like I'm on my path there.

That's awesome. Everyone watching, I will try and find that for you and share it in the Discord channel so that we can all geek out over that. I also wanted to say I cried when you were sharing some of the information about the missing people. Just thank you for that work; it was really, yeah, it just hit me. So thank you for that. We don't have any questions in the chat so far, I see some folks are typing, but related to the missing persons, I mean, with all that work that you've done, how have you been able to kind of separate the emotions around finding missing people from the work that you're doing?

So I think you just need to compartmentalize it, right? You go in, I do this work because I think it's good work, right? It hopefully helps people. And we have actually, in, I think, three, so twice when I was a contestant and once when I was a judge, we did find people and locate people. And in some cases, you know, one case where we found somebody, they had run away with a gang, so an underage girl who ran away with a gang, so they're not in a good place now. Presumably she wasn't in a good place at home either, otherwise she wouldn't have run away. So that's something where we provided all of the information of where we think she is to law enforcement. There was another case where an underage girl ran away and she was hanging out with a 40-year-old tattoo artist with a lot of white supremacist postings on Facebook, and so that one we handed in. We had one case where the person was officially missing, but we found her, also an underage girl, no, well, I think she was like on the verge of 18 or something, but she looked like she was in a good place. She had gotten married, she seemed to be happy, her dad had liked one of her recent postings, and so that one we didn't hand in, because we thought, you know, it looks like it might be an immigrant family, maybe this is an ICE case, we don't want to mess up something for somebody who's in a good place, right?

Yeah. So you find very, very different examples. Some cases that we looked at, underage girls that are either hanging out with people who are, as one guy, like one expression is like, who is an "unlicensed pharmacist," and another girl was kind of in illegal prostitution, underage prostitution. So these are cases where you really want to try and get them out, right? Their home might not be the right place, but where they are right now is also not the right place. So if you can get the authorities involved
and maybe find a better home for them, then at least they stand a chance, right?

Yeah, yeah. So that kind of ties into one question that did pop up from Jason H. He says, are the majority of these cases, like your examples, just to confirm these missing people are alive or somewhere? And it sounds like you actually hand off to law enforcement as well.

Yeah, so in the Trace Labs competitions, they have a platform where you submit all of your findings for points, right, and then you get bragging rights at the end. It's not for any rewards or anything, and these results are then aggregated and handed over to law enforcement. In one case, at the NCPTF conference, we ran a Trace Labs competition where we had direct access to the law enforcement case officer. It was also a smaller competition, and in one case that I worked on, we actually had a patrol car outside the house where we thought the missing person was before the end of the competition. So that was super interesting, because normally, for, to be honest, for the Trace Labs competitions, you hand over the information and that's it, you don't ever hear back. You know, sometimes you hear that a person has been found. Like sometimes, if there was a case that we didn't solve but I'm interested in, like how it ends, if there's any new information, I put out a Google Alert on that person's name, and so I get an update when they've been found or when there's any new information. Yeah, but sometimes it's a dead end, you know. Teenagers and younger people are easier because they have more of a social media footprint. People in their 20s and 30s usually have more breach data available that you can leverage. Breach data is not, like, a paid-for Dehashed account would not be admissible for a Trace Labs case, right? As for points, you can submit it without points if you find a password or find more information, but if you take Dehashed, for example, without login, or you go to a darknet site and find, you know, search for a name and it says, "Yes, we have information on this email address, there's a breach," but you don't have the password, that's allowed if you didn't pay for the information, right? That's the important thing for the Trace Labs competition: don't pay and don't alert the target or the family, right?

So what recommendations do you have for the average user to protect themselves so that some of these OSINT techniques don't work?

Sure, yeah. So I actually, I'm probably, like, through this work, a little bit on the paranoid side of
things. There is, the Bos-, none of us are, there is a Boston company called Abine, A-B-I-N-E, and they have a service called Blur. Blur is a service, there's a paid version and a free version, I think the email masking is part of the free version, where, let's say you're signing up for Facebook, right, you can right-click in the email field and say "generate a masked email address," and what it will do is it will generate a random string at opayq.com, which is one of their domains, they have about five or six domains that you can choose from, and then you use that, and when you get an email from Facebook, it forwards it to your regular email address. So you don't have to maintain a gazillion accounts; it just forwards the email, and if you happen to reply to that email, then it also masks it and makes it look as if it came from the masked email address, right? So what I'm doing is, just like any account I sign up for, I use a Blur email address, and that means a few things. Number one, the email address can no longer be used as a pivot point. Number two, it's really hard to guess the email address from a masked email if it's just a number of random strings that I only use for that domain, right? And the third thing that I really like is I can now freely sign up for all sorts of sites, even if I just want to use them for five minutes, because at the header of each of those Blur emails what you get is, you know, basically "stop forwarding me the messages that come into this email address," right?

Oh, wow.

So, you know, a lot of people have, like, a spam email address, but if one of those sites doesn't honor unsubscribes, or is breached and you get like a whole lot of spam from, like, the mass spammers, then it's really hard to shut that down. But because you're compartmentalizing every site with a different email address, you can just selectively shut down those email addresses. So I highly recommend it, and they also have some other cool stuff. So for example, they have a service that, like, that takes you out of many of the public databases, like Whitepages and those kinds of things. I've done that manually; it's a ton of work. You can pay them, they do it for you. And so those are some of the other tips.

Yeah, now we just need them to have a bug bounty so that they can harden their own security posture. We can't have them getting hacked.

And also, if people are interested, I wrote an article on Medium with all of my kind of, like, identity theft and privacy tips. If you Google "medium Kirsch identity theft," I think you should find it, and it's basically 10 or 12 different things that I recommend people do. Blur email addresses are in there. Another service I love to use is privacy.com. You hook that site up to your checking account and you can generate a different credit card for each site, and it doesn't actually cost you money to do that. Really, really helpful. And so you can say, I have one credit card for Netflix, one credit card for Hulu, one credit card for my insurance, car insurance or something, right? And you can put in maximum amounts per month, per year, you can do a single charge if the website, that you only want to use once, and once the card is being used for the first transaction, it gets locked to that vendor. So let's say I put in my card number with Netflix and they charge that account once, and then Netflix gets breached and the card number gets stolen, that card number will not work with any other vendor. Like if somebody's trying to buy something on eBay, it will not work because it's locked to Netflix. Super, super cool service.

Yeah, yeah, it's fantastic. It's nice to know that there are a bunch of services out there to protect us
because I think all of us need to be paranoid, and clearly, like, hearing some of your OSINT techniques, a lot of them were new to me as well, so it just terrified me that much more.

Yeah, this one's just, like, a super small part of the techniques we use on those kinds of cases, right?

Excellent. Chris, I really appreciated your talk. I could ask you so many more questions, but we do have to wrap up. I really appreciate again all the information you shared today. Shout out to Layer 8 as well. I threw the links for the cold reading techniques DEF CON talk in the chat on Discord, as well as the Medium article. Is there any, like, words of wisdom or parting advice that you would want to give us?

No, all good. Thanks for having me. I'll be in the Discord channel for a little bit in case anybody has questions, and you can also DM me on Twitter. I will be available on resort for question answer, and this is bibliography. Thank you so much.

Thank you so much, everyone.