
Down the Rabbit Hole by Ken Weston

BSides Tampa · 49:44 · 64 views · Published 2023-09

Okay, yeah, perfect. I just emailed you. For all those who are waiting, we've got about 10 minutes to the next session, so hunker down and we'll get started shortly. Because of the way that we've had it set up, there are a few things that we can do: you can use this, or I can click for you. How's it going, everybody? Correct, I forget there's humidity here, but it still makes you sweat and uncomfortable. All right, so here's the wireless mic; you can use the physical mic, whichever you prefer. Okay, so this is the actual mic part; I'd probably hook it up somewhere closer to the lanyard. Okay, thank you. That's recording, yeah. So you can unmute it and then you can just do a touch, very fast, if you want. Testing, testing, one two three. Can you guys all hear me all right? Testing, testing, one two three. So let me actually... you have a video? So buttons left and right and you're good to go. All right, thanks. If you need water, they're here. We need more? They're here. Good. Thank you guys.

Okay, so we're ready to move along. We have our next great session here with Mr. Ken Weston. I'll go ahead and do a quick introduction of Mr. Weston. Ken Weston is a security strategist with Panther. Ken has been in the security field for over 15 years, working with companies to increase their security posture through threat hunting, insider threat programs and vulnerability research. In the past he has worked closely with law enforcement, helping to unveil organized crime groups. His work has been featured in Wired, Forbes, the New York Times, Good Morning America and others, and he is regularly reached out to as an expert in cyber security, cyber crime and surveillance. With all that being said, without further ado, Mr. Ken Weston.

Thank you, thank you so much, appreciate it, and thanks for having me. Hi, my name is Ken Weston. So we're going to be talking today about a concept that I actually kind of came up with when I was asked to do a keynote speech for BSides Portland, where I'm from. I'm actually from Oregon, so this is a bit of a long flight for me, and I feel like a vampire here because I'm melting. But that talk was around how I got into security; they wanted me to talk to students, and I really thought about it and I was like, I don't even know how the hell I got into it, right? I just started doing things around technology. I was really interested in it, and I feel like in a lot of ways the infosec community actually brought me into it; it chose me.

So again, I'm an Oregon native. I grew up without the internet, to give you an idea of how old I am. We didn't have the internet. I grew up out in the country, out in the woods of Oregon, and spent more time doing cow tipping than I did actually on the computer. But I also had some learning disabilities. I'm dysgraphic; I can't write at all, and I had a lot of challenges in school around that, and I also had ADHD that came with that. So I didn't do very well in school, and I actually grew up believing that I was stupid and lazy, because that's what people would tell me, teachers and things like that. So I'm still a little angry about it. But it wasn't until I started actually getting into computers, once I was actually diagnosed, that I was given access to computers and word processors, and when I got access to computers I felt like I actually had a superpower; I was finally able to communicate. I'd always read tons of books. I remember we moved to this house and there was this huge library of books in the basement where my bedroom was, and I ended up just reading; I loved reading. Teachers always would say, "Ken just doesn't apply himself. I can ask him questions and he can tell me what he read, but when he writes it down he just doesn't take time." So when I got more and more into computers, I really started realizing that it is a superpower, and I started getting more into programming.

I actually ended up going to college. I got my first degree, a BA in English literature, and then I went on later and got a master's in Internet systems development. I've been in security for quite a while. I actually had a startup called GadgetTrak, which I'm going to talk about, some of the cases I worked on and how I kind of stumbled into that. And that's what I talk about with rabbit holes: I do sort of stumble into these things; one thing leads to another. I really see that there are these sort of dots that get connected when you're doing an investigation, or even in your career. My hobbies: I'm a guitar and record hoarder. I have quite a few guitars, I love playing guitar, playing in a band, and I like records as well. Some of us still like to be offline.

So what is it about rabbit holes? What do I mean by this? If anyone has ADHD, you don't have to raise your hand, but a lot of us do, and in some cases there is sort of a superpower too around being able to hyper-focus. Sometimes it's hard for us to keep track of certain things, but once we get our teeth into something we're really passionate about, whether it's an investigation, if I'm tracking a criminal or something like that, I don't give up. I remember there would be two or three days where I wouldn't sleep when I was coding stuff, when I was tracking people. And a lot of times people didn't think that some of this technology that I was building was even possible, right? So I think that's one thing, especially if you're a student: if someone tells you, especially an authority figure tells you, that something is impossible, now that's your life goal, to make that possible.

So why do I also say rabbit hole? If you guys like Alice in Wonderland: I like cyber security because we're all a little different. I think in order to be in cyber security you have to think differently. We're out here breaking things; not only do we have to understand technology, we have to understand it to a point that we can actually break it and modify it, enhance it, make it more secure, right? That takes a different type of mindset, I think, than you'll even find in other technology. So in Alice in Wonderland, right, they say we're all mad down here, and I believe that's true; we all think a little bit differently.

This is sort of one of my walls of shame. So these are criminals; some of them are people that I've actually retrieved some of their devices from. Some of the faces are blurred out to protect the guilty. I had technology, and we'll talk about some of this: I started with USB devices, then I started figuring out, okay, well, how can I track a laptop? And I was able to go in and actually look at a lot of the techniques that cyber criminals were using, and I applied them for good, for the purpose of theft recovery. And the cool thing about that is, cyber criminals, they can't patent that technology; I now have two patents. Well, I did a talk at DEF CON around some of this, DEF CON 23. I ended up getting doxxed as a result of it, when I was talking about all this stuff. Some of the media, they don't understand; when you start talking about this technology they start thinking it's spyware, you know, it's all malicious, but there were a lot of controls that I actually put in place. It was very responsible how we approached some of this stuff. I think the "meet the real-life Mr. Robot", that's total hyperbole and kind of pissed me off.

But when I'm doing investigations too, and this is true for these types of investigations or if you're doing any sort of cyber security investigation in your SIEM: it's never just one alert. If you're just sitting there looking at your SIEM and looking at your alerts and, okay, that's a false positive, let's just go wipe the system, right? That's not conducting an investigation. An alert like that is actually the first clue, and then it's your job to go out and find additional clues, whether it's going into your Splunk instance or whatever you're using for your security data lake, and oftentimes there's going to be a lot of evidence that you're going to be able to gather to tell the larger story of that particular incident.

Anyone know who this is? Anyone heard this phrase? This is Edmond Locard. He is sort of the grandfather of forensic science. He was in France; they call him the French Sherlock Holmes. He actually developed a lot of concepts and principles that we use in forensics today, some of the precursors, even before fingerprinting and things like that. He's really a brilliant guy, and he had this concept and he said every contact leaves a trace. The idea there is that when someone commits a crime, not only do they take something with them, they leave something behind. So we think about that with physical crimes, right? There can be blood spatter. Sometimes he had cases where there were metal shavings in someone's pocket that identified that he was at this location, at some sort of mining facility. There are all these sorts of little clues that, if we know where to look for them, we can actually identify. And what I believe is this actually carries over into the digital world as well, especially nowadays with all of the logging that we have available to us, all of this information that's available at our fingertips. Everything we do right now, we're being tracked. If you think about what's in your pocket, you think about the photos you post. I'm going to talk to you guys about some of those examples throughout this talk.

So I got started. I was a web developer; I ended up being a one-man web monkey for a company, where my first exposure to security was actually managing a web server. I had to protect it, secure it; it was a basic LAMP stack. As well as building the websites and things like that, the company that I was at had a new technology, a new product, that was blocking USB flash drives from being plugged into networks. It was becoming an issue where, you know, it's great, you can hack from outside and try to get into the network, but it's a hell of a lot easier when you're inside the network and you can just plug a flash drive in. You can do all sorts of fun malicious things, or you can also steal data, and so this technology would block it. That's when I started getting really interested in this. I started actually looking at some of these different tools that were being utilized to steal data, and I started making my own to try to test our technology. Then I said, hey, I'm going to put this up on a website; I think people would really want to learn more about this, particularly system administrators; they don't understand the threat. So I actually made a bunch of these tools available on a website called usbhacks.com. That's the first time the FBI contacted me.

So the idea was I would build a happy little spyware. I was actually working on my master's dissertation at the time, and so what I did was I took some of this technology. I'm like, I don't need to be too invasive; I can gather just enough information that if someone stole a flash drive or external drive, if they plug it in, I could take over that system and gather some information for law enforcement. I put it out there for free, and I think I put it on Digg. For all you young guys: before Reddit we had Digg, and this website got dug to the ground. It was on shared hosting; I had 20,000 people that were signing up for it. It went crazy. The cool thing about that too, though, is I was also gathering additional information about the devices that were being connected, so as I was gathering that information and people were using the tool, I had a whole list of all the devices that I could actually track. I had everything from external hard drives to GPS systems; remember, before you actually had it in your phone or your car, you had these devices that you would plug in, and to update the maps you had to connect it to a computer. Well, I could hijack your computer as a result of that.

And I put this out there, and then I actually decided that I was going to do a startup around it, and we started actually getting some actual cases. I was just kind of curious if it would work. We had the first case, and the first thing people have in their username... it was the name of the family of the kid that stole an iPod. And then we kind of expanded this. There was a professor that was using this, and he had his dissertation on a flash drive that was taken from his classroom, and we were getting some information. I kept getting IP address pings that were from AT&T. That's not really helpful from an ISP unless I go to law enforcement and then have them do a bunch of paperwork; it's a huge pain in the ass to get information on the IP, and then of course it changes; it could have been a Starbucks, you don't know. But we started getting additional connections from a university, and we looked at the timestamp for it. Working with the campus security, we identified that it was coming from a specific computer lab, and in that computer lab they had actually had a bunch of laptops that were stolen the year prior, so they had the key card, and they also had cameras that were available for us. So I also had the students who were in there; there were three or four students that were in there, and from that they were able to identify the student that had it. They waited for him outside of a classroom and he got his flash drive back. That was one of my first cases.

And so some of the word about this got out, and there was a company called FLIR. A lot of people in the military probably know FLIR. So FLIR makes these really expensive thermal imaging cameras; they're anywhere from three thousand to three hundred thousand dollars. And so they came to me and they're like, is there a way that you could put your theft tracking on us? Not only for tracking thefts; they were also having issues with export controls. Some of these cameras can't go to certain countries because of embargoes, like they could be abused for nuclear purposes and things like that. So one of the tricks, though, was that the storage is on an SD card, and if someone pulls an SD card out and they put a new one in, my little Trojan executable won't run. So what I did was we worked with them and we actually installed something in the firmware that would reinstall the agent if it wasn't on there. And that's my cat; I actually just disguised the executable as an image, and that's my cat Knobby. And then we actually ended up getting some tracking. They couldn't tell me some of what was stolen, but they did tell me it helped considerably with some of the export control issues that they were having. I believe they identified a distributor that was selling these cameras to places they shouldn't.

So again, further down the rabbit hole. I didn't want to stop there. I was like, well, these flash drives are all great, but what people really care about was their laptops, and at that time most laptops started having web cameras. It's hard to believe; that's how old I am, right? I was alive when web cameras weren't installed on laptops. Also at the time the first iPhone had come out, and I was really interested: how did this iPhone not have a GPS chip and yet it was doing tracking? It was using Wi-Fi positioning, and they were using this company called Skyhook to do it. So I reached out to them and I told them about my idea, and I got a special license from them to use it on Mac, and I helped them debug a lot of this stuff. So the idea is that if someone steals your laptop, you activate tracking; we'll take a photo of the person that's using your computer, we'll get the location, and then we'll also get other network information that can be helpful for law enforcement. This was a game changer for law enforcement because at that time they were dealing primarily with a company called Absolute Software that was doing this, but that required a back door into the system. You had to give that company, even though they were a bunch of retired law enforcement folks, back-end access to your system, whereas I wanted to make this much more self-sufficient, so you don't have to give that access up. So I didn't want to have to set up a server; I didn't want to have to secure it, particularly given the nature of the technology at the time, and it was just me. So we made it so we actually integrated with a photo sharing website called Flickr. So what we would do is you would create an account on Flickr and then I would use their API, and that's where we'd upload the images and other information.

And I ended up getting our first recovery, and it was in New York. A customer had his laptop stolen along with a bunch of camera equipment, and we traced it to this one place; it looked like it was in a tattoo parlor. We had the photo, we had the general location, and I had to deal with a police officer there who was a total [ __ ]. He was like, oh God, I hate dealing with this technology, I've got to go do a bunch of paperwork. And I'm like, yeah, sorry, you have to do your job. And I was like, but you don't have to do that; it's not like the other technology where you have to go get the ISP and all that. I'm telling you, this is the general location. He goes, oh, I've seen this before, it's just in this city; I can't look around the whole city. I'm like, no, it's within 10 to 20 meters. And his eyes kind of lit up and he was like, okay. And he goes, well, still a lot of work. And I go, I have a photo; just take the photo, look around that area, ask if anyone knows him. And he finally did, and they ended up finding it was this guy who owns a tattoo parlor, and in the back, if you see in the background, there are keyboards, there are mixers, there's all kinds of really cool stuff. So he was basically running a fencing operation, and they actually went in there. Finally they recovered like four other laptops, all sorts of other camera equipment and everything like that as well. And then the cop in that case, he wanted to be my friend and he wanted to go to a baseball game next time I'm in New York. So pretty cool.

And then I started getting more into this. One thing I really started discovering was we would find these sort of larger fencing operations; a lot of this was organized crime. In Portland, Oregon there are a few Russian organized crime groups. Not necessarily... the Russian community doesn't like them very much; these are people that were criminals. When the Soviet Union fell, they kind of pushed them all into all of these other states and then they removed their passports so they couldn't come back, and a lot of them ended up actually in Portland; there's a whole kind of group of them. But they would go in, and we found that they were stealing a bunch of laptops from schools, and then the schools would replace the laptops, and a week later they would come back in and steal them again. And so this kept happening. So I said, let's set out some bait laptops. So we installed our software on some laptops, didn't even lock them up in the cupboard; sure enough, within a couple of weeks they were stolen and
we were started gettin