
Hi, yeah. So as mentioned, I work for Motherboard, which is the technology and science section of VICE: that's digital underground, surveillance industry, cybersecurity and a hell of a lot of data breaches. Just to give you an idea of the sort of stuff we typically cover: it's going to be Silicon Valley companies; VK, Russia's Facebook; the DOJ and DHS, that was the same hackers that targeted the former director of the CIA, popped his AOL account, and then they also got 20,000 FBI and 10,000 DHS records. Sometimes the hackers get hacked as well: Cellebrite, which, as a lot of you'll probably know, is a firm that unlocks phones for law enforcement, they got popped and we got 900 gig of their data. Some weird personal stuff as well: a plastic surgery that caters for at least one royal family and celebrities like Katie Price, and this data includes before and after photos of work on people's genitals. So obviously the lesson from that is, when you're a journalist and you get this data, you have to respect just how sensitive this is, and you don't go putting it around on Pastebin and keeping a set of the sensitive stuff. There's dating websites, porn websites, and then back to Silicon Valley, so basically the whole spectrum of companies or organisations you would expect.

So I'm going to talk about what it's like working with criminal hackers when you're trying to get these data breaches: sort of the ethical considerations and just the bare-bones logistics, what actually happens. But to make it a bit more relevant for this audience, I'm going to talk briefly about what it's like if you're an independent security researcher who wants to give something to a journalist anonymously. So maybe you work for a firm and your employer doesn't really want you giving the IOCs to a journalist, or whatever it may be. Of course it's going to be somewhat different, but they do overlap as well. And I mean, that just brings up the idea that even if you're a criminal hacker, a security researcher, a security researcher who's doing criminal hacking on the side, an FBI agent, a government official or some other sort of criminal, it doesn't really matter: a source is a source is a source. They all get the same respect, courtesy and sort of approach when handling them. Of course some are anonymous, some are not, but it doesn't really matter if they're a criminal or even, like, a terrible person, and I may personally think they're repulsive, but that doesn't matter, because I have to use them as a source and still respect them. And then I'll briefly talk about what hackers can do to protect themselves, and this is more like on the record, off the record, that sort of thing. I won't spend too much time on that, but then just peppering it with what journalism really is, because we as journalists have really failed in our job of actually explaining what it is that we do. There's a massive divide between journalists and the public, and sometimes especially hackers as well. So I'm just going to explain that, and I mean, I'm probably going to do that straight away, which is that, and this is my definition, I mean there are obviously going to be similar ones as well and maybe some people would disagree: journalism is getting information into the public domain so that people can make informed decisions. That may be information about a breached website, so that people can go change their passwords; maybe it's about vulnerabilities, and trying to explain that to a more general audience just beyond, like, the US-CERT page; or maybe a company is acting illegally or unethically and we should highlight that. Providing analysis as well: it doesn't just have to be news, it can be telling readers why something is significant, and calling out [ __ ], which is kind of an important part of it.

But journalism is not, despite what people apparently in my Twitter mentions keep trying to tell me, covering everything that happens in infosec or in the community. There is a lot of stuff which of course is relevant to people inside the community, but it's not going to be the same for us all. And this is, and I'll explain this a bit more on the next slide, this is kind of where infosec and journalism separate. We're not trying to secure the Internet. We're not trying to get vulnerabilities fixed. It'd be really inappropriate if we went out and said, oh well, WannaCry was exploiting EternalBlue, now we have to tell everybody to patch their stuff, or advocate for that. That may be a side effect of our coverage, but deliberately saying "hey guys, we need to do this" is kind of blurring security researcher, activist and journalist. So I was going to include this phrase anyway, and then I was going through the BSides brochure, and this is actually from Thales's own marketing material, saying "fighting the good fight". Journalists aren't fighting the good fight, and sometimes that can come across as [ __ ], but we aren't doing any fight. All we're trying to do is level the playing field, which is amplifying voices you may not usually hear from, which may be victims of domestic stalking through malware, or perhaps the ordinary consumer who doesn't know what they're doing when it comes to patching their software. We're just trying to lift up those voices against the ones you're typically going to hear, like Google or whoever powerful may be in control of that particular story. We can't have a dog in that fight; it would be really inappropriate to do that. So that's where they kind of separate, but obviously, and why it is good to be separate: because of course we can be unbiased, irrespective of the story and irrespective of the source. You may be a key source in the story, but we are not obligated, and we shouldn't be, to write the story that you want. We have to write the story that is best for the readers, and that may include information that's embarrassing or annoying. And I'm being very blunt here, yeah, in case you'll notice.

But with all of that in mind, criminal hackers can of course still work with journalists. I mentioned the hack of Cellebrite: in that data we found that the company was selling to Bahrain, the UAE, Turkey, acting lawfully but arguably unethically. In another few data breaches we found that members of law enforcement and the military were buying so-called spouseware; there was a talk earlier about this consumer spyware that's used in domestic violence. Well, people from law enforcement were buying that as well, so that's something we actually pulled out of the data. There was the Hacking Team breach, which I'm sure many of you are aware of, which showed that the Italian surveillance company was selling to Sudan despite telling the UN it was doing no such thing. And recently, this long one, there was a company called Securus which was selling the geolocation data of any phone in the US to low-level law enforcement, and they didn't need a warrant, so they could just log on and say, hey, where's this judge, I want to see it, and it would bring that up. A hacker popped them and then gave me the data, and even though there was nothing in the data itself, as in we couldn't see them acting unethically or something like that, the fact that they were so crappy at securing their own systems was already in the public interest to highlight.

So, working with criminal hackers: again, this is going to cross over with independent security researchers or any other sources, but I mean, the main thing is you just sit on your computer a lot and then you wait for a hacker to contact you. I mean, you may go to AlphaBay or some other sort of forum where they're selling this data and then approach them, but typically the hacker's probably going to come to you, because they have a motivation and they want to get a story written. So I'll have Ricochet, which is an end-to-end encrypted program which also obfuscates your metadata through the Tor anonymity network; Jabber, or as you know, XMPP; or increasingly Signal, even hackers will sometimes use that. So then the hacker's going to come up and hopefully describe what it is they have and where it came from. This depends at what point in the hierarchy your source is. I mean, with the Yahoo breach several years ago, that was traded privately among Eastern European, I think Russian, hackers, and then it trickled down to the data traders, then it trickled down to the skids, and then it finally got to the journalists right at the end. So if you're further down that hierarchy, sometimes sources aren't even aware of where the data came from. There's one there, Troy Hunt, who runs Have I Been Pwned, uploaded recently, and it allegedly comes from Badoo; that data was already going around for six months, maybe eight months, before Troy uploaded it, because several journalists were trying to figure out where it actually came from, and it definitely didn't come from Badoo. So it really depends at what point in the hierarchy your source is.

Sorry, a hacker is either going to send a sample of the data or a full cache, and this depends on the motivation. So if they're an ethical hacker or a morally driven hacker, they want to expose a company or embarrass a company, they're probably going to give you the full thing, because they just want to annoy the company as much as possible and give it to a journalist. But if the hacker is financially motivated, say they actually want to sell the data, obviously then they can't give you the entire product; they'll give you a hundred lines, a thousand lines, maybe ten thousand, which of course makes verification a bit more difficult, but you have to work with it, and you have to bear in mind why they're actually giving you this data. Then it's the main part of the journalist's job, which is trying to figure out where the data actually came from and whether it came from the place the hackers claim it does. You could do this with, say, it's a porn website and you have email addresses and hashed passwords, or maybe let's say you have email addresses and plaintext passwords. You could verify that by logging into all of the random people's accounts; that would also be really illegal and unethical, so don't do that. I mean, the hacker, you can do it, I don't care, but the journalist is not going to do that. What you would do is, perhaps you would go to the site and try to make new accounts, start putting in the email addresses you've been given, and the website's then going to say, sorry, can't do that, an account already exists with that email address. So you know the data you've obtained is actually in the backend somewhere. And then you may also check email headers for related IPs, but obviously it depends on the data you've been given. And then there's just contacting victims: you'll have phone numbers or email addresses, something like that, asking people, hey, is this the first two characters of your password, something like that. People may not reply, but you can give them a go. Usually I give people anonymity straight away, and we'll go into how you get anonymity, the agreement that has to go between sources and journalists, but most of the time these are going to be ordinary people. They're not going to be senior government officials or whatever it may be, so there's not really any public interest in saying John Smith used a porn website; who cares. Sometimes they don't reply due to the sensitivity of the breach. Had one recently that was a forum for people particularly interested in anal fisting, and I emailed 50 to 100 people and then nobody got back to me, which I wasn't really surprised about. But of course we still had to try to verify that they did use this website, and then we verified it through the password reset mechanism anyway, so we didn't actually need their input.

Then you probably do some writing, and to be clear, we haven't finished verifying the data, maybe we've done like 70%, 80%, but you want to get something down, because then you're going to approach the company, and they can be real [ __ ] about it. They can try to cover it up, they can try to push out a press release before you finish your story to get ahead of the narrative, they can straight up lie in their press releases as well. I mean, in the Cellebrite case, I contacted them for comment, waited, I think, maybe a half day, something like that, and said, oh hey, can we just have an update, because we're getting ready to publish, and they're like, oh yeah, here's our press release, which we've just put on the internet for everyone to see, and we're clearly trying to scoop you despite the fact that you've had this data and have been verifying it. So that's why you already have some copy, or it's done. And then you choose what to include, what to omit. I mean, I'll go into this in a bit more detail shortly, but obviously you're not going to put someone's real password in the article, even if the hacker put it on Pastebin, Ghostbin or wherever; the journalist is not really going to do that. And then you publish, and then you deal with a load of Twitter mentions and that sort of thing.

So I mentioned motivation, and some hackers are driven by a moral obligation or whatever; maybe others don't really care about that. So TheDarkOverlord appeared in summer 2016 and they started targeting medical institutions in the US, like local clinics, that sort of thing, not really hospitals, but they could get patient data. They would grab the data, put it on the dark web for like a ridiculous sum that no one would pay, but the entire point was to intimidate the victims into paying a ransom. As for how this applies to journalists, it got a bit more interesting when they realised, hey, we can kind of manipulate the media here: give them, excuse me, give them data, the journalist will go and report about it if it's in the public interest, right, a nice little article, and then TheDarkOverlord takes that coverage, shows it to the victims as, hello, people are paying attention, you should probably pay 50K. And that's what they did with a production studio that worked for Netflix: they got $50,000 in Bitcoin. So that's a load of text, don't worry about it. Clearly hackers may not be as virtuous as a leaker or a whistleblower, not that they're particularly immune either, but in the same way you may have a criminal hacker who is particularly driven by a moral obligation, you have ones who really don't give a crap as well, and it's important for the journalist to include that. I've had hackers who will come to me and they'll say, oh, we're doing this to expose whatever, and then you talk to them, you talk to other people who know them, and you get the real motivation: they're a skid on Hack Forums and they want to get some more cred, basically. So then you include that in your article, because that is important for the reader to understand. The main obligation of the journalist is to the reader and to the story. Of course they'll still respect protecting the source and source anonymity, but if the source is bullshitting, the journalist is going to call that out as well, because they have to.

Just briefly on including and omitting data. These are two companies that were hacked, so in 2017, maybe 2016, and they both sell malware to install on your husband's or your wife's or your boyfriend's or whoever's phone. It can collect Facebook messages, emails, GPS locations, remotely turn on the camera, basically a full-access RAT right there. It does require physical access to install. FlexiSPY, the one on the right, explicitly markets to jealous spouses, as was mentioned in the talk earlier. Anyway, hackers go in, they steal this stuff: customer details, company files, the GPS locations of victims, so the actual exfil of the malware, and then give it to us at Motherboard. Now we have to decide what to do with this data, because obviously it's incredibly sensitive. You're not going to publish the name of someone or the GPS location of someone who is, you know, potentially facing sexual violence, domestic violence, rape, whatever it may be. But we still wanted to get across to the readers sort of the scale of the problem, and this is a crap map, because as you can see there's Africa twice, so kind of just ignore that, and Europe, but you get the idea. I've made a little bit of a mess of it, as you can see, but these aren't the real GPS locations; this is just a dirty, quick Python script which obfuscates it by a random amount, wherever it may be, but the reader can still get the scale of the issue. And that's kind of what you've got to think about when you're handling data like this: deciding what you want to include and what to omit is just as important as one another, because it's going to impact totally ordinary people, as I mentioned, and the consequences can be really tangible as well.

So in 2015, hackers calling themselves the Impact Team, that I had a nice little chat with over encrypted email, they targeted an extramarital affairs website called Ashley Madison, stole the data, I mean you probably all know this story, and then they released it publicly, so you could see that, oh, maybe this person was on this website, and there were maybe several people who killed themselves after that, because presumably they, I mean I don't want to say shame, but clearly they were uncomfortable with the data being public. So even though the hackers released that, the journalist could not then take that data and amplify it with that sort of effect in mind. So deciding to leave out names and that sort of thing. And yeah, so this is a general thing with journalism, and this is not the norm. I mean, usually when someone comes to you, they're trustworthy and they have data and it's courteous and whatever. Maybe sometimes, and it's not through a fault of their own, they may not fully understand what it is they've obtained, because a leaker or a whistleblower may be inside an organisation; a hacker is typically going from the outside in. They may know their way around the infrastructure, but they may not appreciate what it is they've obtained, and that's when they can work with a journalist, and the journalist can go and get sources and verify it and figure out, like, well no, you were a bit wrong there, but you did still get this data from this company, or whatever it may be.

So in this example, the same group of hackers who targeted the CIA director, and they had a good track record, clearly skilled at breaking into accounts and email spools and all that sort of thing, they had come across live drone feeds of NASA spying on the US domestic population, which would clearly be a massive story if it was true. Turns out, when my colleague Lorenzo got given this data, he went and verified it, and it was actually streams that NASA had already put out itself as part of its ordinary public relations effort. I think it was just filming the weather or something, and it was, I think, just like an exposed box that had it, but the data was supposed to be public anyway. So I mean, we don't usually write about a hack that didn't happen, obviously, because that would be a bit strange, but this felt like an opportunity because everyone was talking about it, just to remember sources don't always know what it is they've obtained. So I mean, as mentioned, this shows that hackers may not understand what it is, but that is the reason there could be more communication, because although the hackers could get some interesting data, they may need help verifying it, just in the same way that we need help, obviously, finding data in the first place.

And of course, as I said we touched on this briefly, this does apply if you're, I mean it doesn't have to be an independent security researcher, you could just be at a normal company as well, but maybe you want to give some information that your employer doesn't really like you to just go public with, maybe it breaches your NDA, something like that, but it may still be in the public interest. I think this will come up in the next slide, but there is a group called Intrusion Truth which has been dumping very interesting data on APT3 and APT10, I think, which are two Chinese cyber espionage groups. I mean, FireEye and all the ordinary people have covered them, and Recorded Future as well, but this blog, which just appeared a couple of years ago, maybe a year and a half ago, started dumping Uber receipts for the alleged operators, or the physical addresses of where they're going to work, like really interesting stuff that definitely looked like it was picked up off a compromised box or something. That's a little bit sketch, that you probably wouldn't mention in a public report. I mean, we all know hack back happens, and it's pretty common in threat intelligence, but they were actually publishing the receipts, I mean quite literally. So that's an example where someone may want to provide information to a journalist which they wouldn't normally be able to, and it was already posted publicly, but then I spoke to people who have researched those APT groups, and they could verify that, yes, this matches up with what we're seeing, and this matches up with what we're seeing. And it kind of touches on the idea that the hacker may not know exactly what they have; a journalist can go and build upon the work, I mean the really substantial, solid work you've already done, but a journalist could build upon that.

So it's not even grey research, but there's a series of really good articles in The Associated Press at the moment, where SecureWorks gave AP, as in the journalist organisation, a list of Fancy Bear's, APT28's, targeting, because they'd been exposed by a Bitly link and you could see all the email addresses of who they're trying to phish. So now Raphael, the journalist from The Associated Press, has gone and done a piece on, well, it targeted this Clinton bit, they targeted religious leaders in Ukraine, and that sort of thing. And I mean, you could do that just in the public threat intel report or whatever it may be, but you're probably not going to have people on the ground who will go and do, like, a journalistic interview, just because it's outside of your sort of remit, right. And that's where journalists and hackers and security researchers can definitely benefit, and yeah, ultimately provide these stories which are much more in the public interest and hopefully lead to a more informed public. And that's just the Intrusion Truth group, right.

So this won't be too long, but this is kind of not just what you can do to protect yourself if you're speaking to a journalist, but kind of why that's actually the case. So as you may know, "on the record" means you'll be quoted and named. What you may not know is that everything is on the record by default. So if you go up and a journalist identifies themselves, and I'm not trying to scare you, I'm already seeing some scared faces, so I'm not going to, quite, don't worry, I'm talking, so everything is on the record by default. And people think, well, that's really unethical, like why can't you let someone approve their quotes or check what they're saying. The reason is that if journalists only used the quotes that have been nicely massaged and nicely put through a press agency or a public relations team or whatever, there's a better chance they're not going to be fully reflective of reality, let's say. And the main obligation is still to the story, is still to the readers. We have to provide as much accurate information as possible with the best context possible, and if someone says something and then is like, oh no no no, I didn't mean that, I mean, unless it's a technical inaccuracy, you can't just start taking stuff back. So what you do is, of course, if you want to have a confidential chat with a journalist you can, but you may use a term like "background" or "deep background", and these phrases are really, really dumb, because nobody actually knows what they mean and everyone disagrees about it. The journalist may believe one thing, the source may believe another; maybe two different sources will have two different understandings of what "background" means. I mean, I even speak to Silicon Valley companies, and this is just hypothetical, but Facebook will have one understanding of "background" and then Snapchat will have a different one, so you're never really clear on what it actually means. So instead, when you want to speak to a journalist, maybe you reach out to them over Jabber or whatever it may be, just explicitly state, and journalists are going to hate that I'm saying this, because it's actually going to screw them over a little bit and it's going to make their job a bit harder, but explicitly state to them: hey, I want to give you information, but I don't need you to print my handle, and I don't want you to name my employer, if you provide that. And then the journalist says, yes, I agree to those terms, and then the agreement's been made. I mean, the journalist can still screw you over, but then that's professional suicide, and hopefully you would shame the journalist for doing that. But yeah, you agree with them before the conversation, and you can't, as I kind of mentioned before, you can't really hop back and forth. I'll touch on that a bit: you can't say, oh by the way, this is off the record, and then say something, because it's like, well, we're mid-conversation; if we're going to switch to off the record, we both have to agree. Because otherwise, if you're interviewing, I don't know, the CEO of Uber, just to make it up, and they may be talking about the data breach they recently had, and then they'll say, oh yeah yeah, so we took all steps to detect that breach; off the record, we actually did [ __ ] all and we didn't do anything, we covered it up. Well, you can't do that, because again the obligation's to the reader, and in that case the journalist could just quote you. But of course you can have an off-the-record conversation with the journalist as well; it just has to be agreed beforehand.

And then just briefly, I mean there's a couple of, and because I deal with hackers a lot, and a lot of hackers are teenagers or children, which also adds a very complicated legal thing, because we can't name minors, like in the UK, or whatever, maybe it depends. But a lot of people ask, hey, can I see the article before you publish it, and we can't do that, because that's going to ruin that separation and independence, because if you show someone an article, even if they don't make any changes or suggest any changes, you're still giving them the opportunity to potentially... I mean, I made this mistake once in my life, very early on in my career. I showed a source a copy of an article, because I thought, well, they're a very highly wanted criminal, maybe I can share it to protect my source. My editor then explained that's really, really inappropriate, you can't do that. So lesson learned, I guess, and now everyone else knows it. And I did touch on this, but in the same way you can't just say, oh, this is off the record, this is now on, the source can't really change their quotes. In Germany especially there's a practice where you send the quote to the person and they may make changes and then they approve them; that's not in the UK, and in the US they don't really do that sort of thing. If someone says something, they said it. The only difference is if you're speaking to a journalist and you're like, actually that wasn't quite accurate, especially if you're explaining, I don't know, like a piece of malware or an implant or something, and maybe you misspoke and you got a technical detail wrong. Of course you should push back and say, no no, that's wrong, please let me readjust it, and that's going to be okay, because of course the journalists want to be accurate as well. But typically you can't take back your quotes.

So I mean, this isn't so much, OK, because obviously the majority of you are not journalists, so this isn't so much for you to know what you can and can't do, but more understanding the limits of what the journalist can and can't do. So the first one is they can't go and do the cybercrimes themselves; that's what the hacker is doing, stuff like logging into accounts, or, oh yeah, encouraging your source to go hack. So a hacker may come to me and have some really interesting data, and I can't go, wow, this is great, can you go pop that second, like, SQL database and then bring that back, because that looks even better. Can't do that, lest I end up being indicted as a co-conspirator. So what you can do to get around it is say, okay, this is great, have you already obtained this other data set? Because then you're just soliciting information, like you would on a political beat or, I don't know, even a fashion or sports beat or whatever it may be. You're not telling them to go hack; you're asking them for information which they've already illegally obtained. I'm not a lawyer, but I think that's right. Yeah, so hackers don't get caught that much, I mean, I don't have data to hand, but I feel like a lot of people get away with it, especially in the stories that we do, but a journalist should be assuming that all of the communications they have with that source are going to end up in the hands of law enforcement. I have had sources who have been busted by the FBI, nothing through me, but later on they were caught through other means, and it turns out they logged all of their Jabber chats or something like that, which is obviously terrible for them. Don't log your chats. But also, if I'd done anything dodgy, then there's clear evidence, like if I'd been, I don't know, if I'd been speaking to the hacker and said, yeah, that's great, we'll pay you for that information, now the FBI's seized it. And we don't pay for information, because that encourages the source to provide stuff irrespective of whether it's true or not; we, oh, journalists in general, don't pay for information either. So if you're going to learn anything from that, it's like, don't log your Pidgin or your Adium chats or whatever it is, and don't use Pidgin, yeah. And then that's what the journalist... they're not going to go logging into accounts themselves. I had one literally the other day, there was, oh hey, here's some really interesting email accounts, here's the credentials, and I'm like, okay, just tell me what's in the emails, because I'm not going to go and log into this person's Gmail or whatever it may be, yeah.

And there's a lot of caveats when you're dealing with hacking reporting. Maybe you don't know what year the database came from; maybe you know the hack was in 2015, but maybe it was of a backup server from 2012 or something like that. So when the journalist isn't sure, they kind of have to communicate this to the readers, because if the point is to make a more informed public so people can make informed decisions, keeping it vague is not really going to help. You have to communicate not just what you know but what you don't know, and that's just worth bearing in mind if you're speaking to a journalist as well, because they're going to be including that. That was it, actually. I think I did it within time. I'm happy to answer any questions either now or later. That's my Twitter. I would say talk to me over Ricochet, but I didn't actually bring any business cards with me, so you're just going to have to not use that, but email and Jabber and all that. And thanks a lot, I appreciate it.