
Again, thank you all for being here. I want to welcome to the stage Connor Kaslin from Florida. We want to say welcome to New Mexico and thank you for submitting a paper and, you know, sharing your knowledge and wisdom with us. So, please without further ado, welcome Conor Mccas. >> I said welcome Connor McCaslin, please. Thank you. He wants me to come back next year. So, he's wanting you guys to like sweeten me up, you know, let me up a little bit. All right. So, good morning everyone. My name is Conor McAdlin. And yes, I am not from New Mexico, but I'm a New Mexican at heart. I love New Mexico. I've actually visited here a couple times
throughout my work history. And what I do is cyber security training. It says instructor and it says I work at a university and that's true, but I actually do workforce development. If you don't know what that means, it just means I don't teach college kids. I teach those who are either looking to get into cyber security or who are already there. And we have different programs, and I'm not going to brag about them, but I mean, we have things like supporting our veterans, our first responders, and people who are trying to get into cyber because it's not an easy transition. So my background, I know that we have some people who are from local government. I am a recovering
local government employee as I say. Um, while I was in local government, I did I was the one person wearing many hats. I was the only person in charge of an entire county cyber security. So that means everything from policy writing to checking those reported phishing emails, everything in between was within my responsibility. But I found my passion was in education and sharing knowledge with the community. So a little bit about me so you know who you're dealing with for the next two days. I am of course an instructor. I love OSINT and social engineering. I love the human element when it comes to cyber security because we can spend millions of dollars on the greatest tech
but if you have one person click on the link, what was the point, right? I am also part of my own community that I love near and dear to my heart and it's women in cyber security. I love Cyberjutsu and I love all the other women's groups that are out there, but for the Florida affiliate for the women in cyber security I run all their social media because I'm like the youngest by like 20 years. You know how that works. I am also a cat mom. That's one of my babies up there. His name is Noctis. And yes, it is a gaming reference. And if you can tell me who the gaming is, maybe I'll
find a sticker or a badge for you to get later. So, we're going to just talk about OSINT, but not from the perspective of looking at people online. What we're going to look at is OSINT as more of a way to evaluate our organization's cyber security, because oftentimes when you are in the industry you could you kind of stay in the bubble of looking inside out and not outside in, and oftentimes we defenders need to take that time to evaluate that. So we have to break it down. What is OSINT? It's our just it just stands for open source intelligence, which all that means is anything you can find out there for free and has any sort of intelligence value,
it's for you and you can make a story. You can make connections with this. OSINT comes in a variety of different ways. It's not just Google, even though Google is the most powerful one that we often use, but things like public records, libraries, any sort of news media and websites, all of that can combine into OSINT. And OSINT did not start as a tech thing. Fun fact, the first time that we recognized OSINT as something that was very powerful was in World War II with So in World War II, the US needed to figure out what was going on with overseas in Europe. So one way that we did it was that the United States
created a department whose sole job was to listen to radio waves all over the world. And we were able to figure out what was going on in France based on the prices of oranges. Does anyone want to guess as to why oranges mattered? Not scurvy. Good guess though. It was because if the price of oranges went up, it meant that a supply line was destroyed, usually by a bomb, right? Like a major bridge, a major railway, some high-level target was hit, meaning the price of produce went up because they don't grow oranges in France. They have to be imported in. So us good guys can use OSINT but hackers do it too. We usually call it
reconnaissance when we look at the traditional, uh, mappings of cyber attacks, and OSINT for hackers is just a gold mine, and really when you look at cyber attacks about 70 to 80% of the attack is here in the reconnaissance piece because they're looking up their targets. So, they're looking for information on you, your employees. They're looking at what your infrastructure probably looks like. They're trying to piece together everything they can figure out about you before they even enter your network. For us, we need to utilize it as a defense mechanism to put ourselves in the hacker's shoes to figure out what is going on with our environment, where are our weaknesses, and what can we do to
improve ourselves? And to be honest with you, as someone who's worked in local government, it also helps with our reputation as well. I'm not a singer, so I'm not going to sing that song for you, but I'm sure all of you who are musical lovers know what I'm talking about right here. The room where it happens. Oh, y'all suck. Come on, Hamilton. Y'all, no. So it's this is not an all-inclusive list. This is like a category system of different websites that we often find vulnerabilities for our own organizations. So company websites. I love looking at company websites. Actually I'll give you raise a hand. Who walks into a building and immediately starts looking at physical security
issues? Right. Okay. I go on a company website and I start doing that. I look at what kind of information is out there that probably doesn't really need to be out there, or if it does you just have to take extra precautions with it, right? So things like who are our leadership, and we might even give you our leadership's email, the emails of all of our employees, where are they physically located, what kind of services do they provide, technology that they use. In the state of Florida, we have this fabulous law. It's called the Sunshine Law, and that means that any sort of state or local government entity basically has all of their records public. I don't know if New
Mexico got something similar. I've seen some nods of heads. So, that was a big challenge working in cyber security when just about everything about my org was public record. We even oftentimes if you dig deep enough and if you know how to manipulate websites, you can pieces of your environment via your website. So, here's a great one. This is my old org, um, when we talk about elected officials, that makes sense. They are public figures, and we can't help that they are public faces. But why the heck do I need to know who's in charge of libraries? Why do I need to know who's in charge of corrections? And guess what I'm going to probably I'm
gonna go on LinkedIn. I'm gonna go see who these people are. I'm gonna go see what they're about. I'm gonna start profiling them. This is also my favorite one. This is just a rand I literally just Googled leadership bios on Google. This was the first page that got brought up. So leadership and those who are working within the organization are like, "Oh yeah, we have to highlight those who are part of our group. We want them to know who we are, what we represent." You want to know accuracy.
They're Oh, there we go. That's what they see. They're like, "Yes, I know who all your leadership is, and I probably have their contact info now." So, just wanted to make phishing emails. No no. Job listings. Job listings are a little tricky just because we want to publish what we want from a future employee, but we don't want to disclose too much, right? I mean, when I look at job listings as an OSINT person, I'll look at, oh, what kind of technologies are you guys using in your environment? Especially tech roles. Usually, HR's email or even if I'm lucky the hiring manager. I can kind of get a quick gauge of how your work environment is. Are you
guys fully remote, like all over the United States, all over the world, or are you maybe in a physical location, or do you have everything kind of in between with a hybrid model, or I might even get a quick glimpse into where you're currently lacking because you're looking for that role. My old job. I was the only cyber security person. They fixed that now, by the way. But when I left, they were lacking a whole cyber security department now. And so when the job listing went out, attackers could have looked at that and said, "I interesting." This is one of my favorite screenshots I found on LinkedIn. This is for a government contractor. I'm not sure if
you guys are able to read all of it, but there are some interesting details in here. Like for example, they want you to have experience with Microsoft Windows Server 2016, 2019, 2022 and Windows 10/11. They want you to be proficient with SQL scripting, Java, Windows Server and Linux servers, Oracle, IIS, and Tomcat and be also capable in data backups and load balancing. So they want a sysadmin, right? But by at this I'm able to kind of get a quick like, okay, this is what they're using primarily in their environment. Of course they also want the traditional things like Security+, a security clearance, but then also at the very bottom, you might not be able to see it, oh guess
what, they still use AD, they use Active Directory, and they also continue to confirm, hey, we need a Windows server admin. Yay, social media. This is my favorite. Just because people just get so comfortable on social media that we just don't realize how much we're truly exposing, right? And the thing with it is that this is one part that us as IT and cyber professionals cannot control, right? We can educate. We cannot directly say no no no share, right? So, this is actually a quick screenshot of if you look at where I work and you go on my company's page, you can actually get a quick glimpse of where we all live, which I hope is pretty
self-explanatory, but then you can even see where what colleges we all studied at. So, you can get a quick gauge of the community in that company. Click. There we go. But there's more than just that. Oftentimes we also notice that large companies have communities that are built all over the web. For Amazon, for example, did you guys know that there's a Reddit community forum? Our Amazon employees and it's open. It's to the public. I didn't have to do anything fancy. I just looked them up and there are policies and procedures all written in here like their PTO policy. What does Amazon actually drug test for? How do you transfer, right? How do you
transfer across the company? So again, these are all little pieces that build a story in my mind as an attacker. This is one of my favorites. This is a baseball team and they did a lot of interviews inside the locker room area and it's kind of hard to Those are all the usernames and passwords for all their Wi-Fi. And here's another one. And if you look up this team, this isn't the only video. There's like 10 videos with their Wi-Fi username and passwords all in there. It's I see some people like facepalming right now. Yeah, they don't. They've been warned and I think now they've changed everything, but we never know. Metadata. Okay.
So, one piece that I didn't even realize until I honestly left being in industry and went into education was how much metadata can really tell us about what's going on in our environments. Again, local government, there's a lot of PDF files you can download on the website. They're all resources that we can use, but those documents have data within them called metadata, right? It tells you who's the author, when was it written. You can even start to see how the uh network is built out. You can see what software they probably used. If it's a photo, you might even see the physical location of where photos were taken, creation timestamps, any sort of embedded information.
So, this is one. This was a, uh, a document I pulled on a random public entity website. The author's name is Dr. Does anyone want to tell me what you've seen when you see that kind of name or what you think it might be? >> Doc, not Dr. Smith, although that's >> usernames. This is their naming convention within this organization. And if I were a betting woman, first name D starts with D, middle name starts with R, last name C. So now, even if you don't publish your email addresses, if I know your employees, I can figure out their email addresses to a certain accuracy. WHOIS, DNS, and subdomains. Okay, so with this
we often neglect to look into the details of all of this information. We're getting better. A lot of organizations are getting better about it, but sometimes we leave things out that we totally forgot were there, right? So, one thing is subdomains that are used for different purposes. Maybe you have a development environment within your organization. So, maybe it's like company or I'm sorry, dev.company.com. Well, if I just guess, I can probably find your development environment, any sort of misconfigured services on your web page. I might even find things like what VPN you guys are using based on your VPN, like vpn.company.com. I might find what email servers you use based on your DNS information.
And if you can find the crt.sh file, I can actually find your certifications revealing more services that your website's running off of. So, I've got a story for you. Raise a hand. Who heard about the Colorado Department of Transportation hack back in 2018? Okay, good. It's a new story for you guys and all you techies are going to love it because it's definitely not a dumb decision that happened. All right. So, the Colorado Department of Transportation had some sort of software and server developer and he wanted to quickly spin up a VM, a virtual machine, to test some new software for their environment. For context, their virtual machines are on the internet. They use a cloud service.
They do not have anything on premises. So this guy spins up a brand new virtual machine on their cloud services. It is entirely open to the internet and no security policies have been implemented on it. So it is a fresh VM with no security on it whatsoever. My server admins are going to get even more upset because he connected it to the environment using the domain admin account. If you guys don't know what that means, that means that is the highest level of permissions you can get in your environment. And there's a unique feature to it to where that account cannot be locked out. So within I think it was within 18 hours of this server being spun up, a hacker
immediately found it. He then proceeded to jump on this server because guess what is entirely open for them to use and they attempted about 42,000 password attempts and because it's a domain admin, it never locked out. So they just kept trying and trying and trying and trying all these brand new passwords until they got the domain admin password, got into the network, dropped SamSam ransomware on the entire Colorado Department of Transportation. And there is a good point to this. If you want to learn about this, they have all of this published. Not necessarily all the technical details, but they will tell you about the VM and how many password attempts it took and the fact that it was the domain
admin account. All of that because one guy forgot to put a brand new server with just some security permissions on it and it took an attacker mere hours to find it. GitHub. If you ever want to sensitive information. GitHub seems to be the place to be. GitHub is getting better. They are there is a feature built in now to GitHub where it will try to see if any sensitive information is being posted and will it will report to the company about it, but it's not always capturing things. Did you guys hear that Grok's API keys were exposed? This is just recently. I have one thought of. Yeah. So, Grok, which is the AI model that it works under X,
Twitter. Just two months ago, a gentleman by Philippe Caturegli, he, um, was just looking around GitHub and he found this. He said, "Uh, yo, hey, your API keys are exposed." And so, this is actually the screenshots he provided. So, this is him on GitHub looking at everything. And you can exactly how they programmed everything. And here's your API key. He was kind enough to fuzz it out. All because he just started clicking around on GitHub and I think he found the Grok servers. Now, this API key was not just for the current running version of Grok that you and I would probably use on X. This was actually the development one, too. You could get into Grok's
development environment using this API key. And again, no fancy technical work involved. Just Google and going on to GitHub. All right. Google Dorking. If you've never played with Google Dorking before, I highly recommend it. But if you don't know, Google dorking is the ability to look up specific things on Google. Because we all know that Google is now very biased. It'll at your previous search history. What do you like to click on? What do you like to do? And give you results based on that. Well, you can filter out some of the garbage and the mess with Google. You can enter in specific commands into your Google search to get exactly the results that you're wanting. And these are just
some examples. So, I did it on our own website, wf.edu, and I told Google to give me every PDF it can see. There you go. I mean, there's a lot more, but you know. So you can easily clean up the information that you're looking for just with a Google search, and so I recommend you doing that with your own company, your own self, seeing what's out there. You do your name, file type PDF. So you might be sitting here thinking, okay, well, it why does this matter? This all feels like little bits and pieces that don't really add up to anything. That's not entirely true. Many threat actors are doing reconnaissance on our environments. They're spending months to years
watching your orgs. And so one piece here, one piece there over months of time builds into a big picture that they can use to go after your environment. So, the usernames you're using, the email addresses, because I'm going to assume your emails are close to your email addresses, right? Usernames and emails are the same, even things like what services you're using, what technologies you're using. And this is how our advanced persistent threats are getting us. They're waiting for those small little mistakes every so often. So, what can we do about it? Do this on yourself. That's all this boils down to. Everything that we just talked about. Go back if you are in an
organization. Go back and just play with Google of all things and just see what comes up. If you want to really act like a threat actor, get on a brand new machine, brand new browser you've never touched before, completely be new to this, and do all these searches on yourselves. Look at what your employees are posting about. Are they uh saying, "Look at my new job." And it's a picture of their badge. Those are my favorite photos, right? Look at the metadata that may be posted on your website without you knowing. All of those bits and pieces can add up to a full picture that can inevitably lead to a cyber incident. So, just remove things as you see. Take
away the weaknesses that you're finding. If it's metadata, for example, you can strip metadata from files before publishing on the website. Discuss social media hygiene with your employees and say, "Hey, um, posting your badge with your photo and what you do is probably not the smartest idea, right?" Try to obscure any information you can. You know, again, local government for me, my elected officials want to be on the website. Okay, fine. But we're not going to put your address. We'll do a generic address. It's an inbox you can check, right? And just try your best to kind of clean up. And this is an active ongoing thing, just like everything else in cyber
security. This is not a one and done, yay, we got it thing. This is a continuous effort that you're going to have to do. But instead of thinking this as a burden, think of this as a new type of threat intelligence for you. Think of this as a new way to evaluate yourself and how secure your environment is. And guess what? If you need resources, add me on LinkedIn and I'll share all these with you. These are not individual tools. These are lists. This is how popular OSINT is and this is how potent OSINT is. There are all these lists of tools that you can use to find what you need, especially if you're wanting to
deep dive a little further into your environment. Oh, the last link, the Osmosis Association. If you are interested in OSINT, if this is something that you're wanting to kind of deep dive further into, the Osmosis Association is an international organization of OSINT professionals. They do partner with groups like layer a security that Mary mentioned earlier. Um, and they also have, I would say, one of the most recognized OSINT certifications if that's something you've ever considered. Excuse me. So, are there any questions for me? Because I've got three minutes. >> Yes.
>> Who has the updator of theHarvester updated tool? I don't think so. It's still useful to some extent, but I think there are some websites it's not compatible with, especially because social media websites have picked up the people like us are kind of around there. Um, but that's not something I have a definitive answer for, but I can look into that. Any other questions? All right. Well, hey, if you ever want to add me, I'm on LinkedIn. I'm gonna be floating around the conference. I'm actually also speaking tomorrow. I don't know why you guys want to be back twice, but Thank you so much. I really appreciate y'all's time. If you ever need anything,
I'm here for y'all. Thank you.