
My talk is OSINT in the Hermit Kingdom: learning more about the world's most secretive nation. A bit about myself: I've been working in security for over eight years now. I used to work for an automation company; I did app development, vulnerability management. I just started a new job, and they didn't get all my forms filled out in time to say where I work, to go through all that process, but I work for a big security company. I live in Boston. I'm on the Discord as superductos, so certainly any questions, I'm always happy to answer them. And we have to have a presentation that starts with a cat picture: this is my cat Frank, and normally how he looks at me every day when I'm working.

So a little bit about OSINT, if you're not familiar with what it is or where it comes from. The idea is that it's data that's collected from any kind of publicly available sources. So the idea behind this talk was: how much information can we find out about a given topic, something like North Korea where it's a little bit more secretive, maybe we don't know as much. So just trying to see what is actually available out there that we can find and use. We want to look at any kind of publicly available sources today, and really we are not looking at... it doesn't have anything to do with any kind of open source software. Really we're just looking at various websites and collections of information that we can use to see what we can learn about our various topics and do some of our research here. There's plenty of paid services out there that'll gather all this data for you and give it some nice context and make your life a little easier and do things automatically, but really the goal of today is we're going to look at just what's free. This was all done from sitting on my couch. This was actually something I started a couple of years ago, and someone said, hey, this would probably make a cool talk. A lot of what I did, I have a website that I publish; I'll put a link at the end also if anyone's interested in looking at it. But I think I spent a grand total of about 25 dollars in the last probably four years that I've been working on this.

So some of the benefits of using open source intelligence: it is less risky. Really we're just looking to see what we can find on the internet. We're not going out and actually scanning any of these targets or really interacting with them; we're just relying on what we can find online. We can look for things, printed media, videos, all sorts of fun things that we can use to start learning about what we want to research. Again, it is cost effective; I haven't spent a lot of money on this project at all. It is pretty easy to gather all this information, so this was spent on the couch watching hockey. Certainly I'm not a lawyer by any means, but some of the things we do avoid is some legal issues. Again, we're not actually going out and running a port scan against anything; everything we're going to look at today is already things that can be found online pretty easily.

Some of the challenges, and some of these are things that I've personally run into: there is a lot of data out there. Again, I've probably been working on this for about four years now and I have a lot of data, a lot of things I just haven't actually gotten around to looking at. Very good at collecting things, but not always good at actually going in and reviewing some of the data, which is again part of the challenges when you are doing some of this research. One of the things people always ask is, if you worked for an automation company for so long, did you automate any of this? Truthfully, no. It's something that I've been meaning to do but just haven't gotten around to doing. Reliability is always another concern, because again we're relying on third-party sources all the time. It's not data that we've actually gathered, so we want to, as best we can, try to verify and validate this data when we are starting to gather it and start doing our research on our targets or topics.

Before we really get into it, one of the questions that always comes up: why North Korea? I always like to joke it's fun to tell my mom that I go to conferences and talk about North Korea. To be perfectly honest though, about ten years ago there was this Vice guide to North Korea I saw online. One of the things that was interesting was it wasn't really designed as a political thing; they just went on a tour, anyone can go on a tour of North Korea, and they kind of just showed people going about their day-to-day lives, and I thought that was an interesting look at things. And really that's the goal of this today: not to look at anything APT focused, not to look at anything political, really just to see what can we learn about North Korea's internet infrastructure. There's some pretty interesting things that you can find out there, and maybe things that people don't know about, but this is really just more of a general look at some of the things that are in their IP space and see what we can learn about it.
So we want to start off gathering some information. We want to start to discover what kind of assets are out there. There's a couple of different ways we can gather this data. We can gather this data purely passively, which is again where we're going out to these various websites and sources where we're collecting all this data from. Semi-passive, we'll talk a little bit about this also: this is where I'm not necessarily going out to any of these sites, but I can use things like urlscan or some other services that'll go out and check a website for me. BuiltWith is another great example if you want to know the whole web stack of a website, to see what it was built with, where again we're not actually going out and doing any of these checks; we're still putting something between us when we're gathering this data. And then what we're going to try to avoid is doing any kind of active information gathering. We don't want to just start running nmap scans here; we want to try to use the first two as much as possible.

So what are we trying to identify today? We're going to look at trying to discover just what's online for North Korea's IP space, any kind of services running on them. We can identify versions, any kind of cloud services, operating systems. We want to try to just build a map of this IP space and of our organization and see exactly what we can map out and discover.
So we need to start off, we need to define a scope: where are we looking? The internet's a pretty big place. Thankfully for us there's a nice Wikipedia article that describes the North Korean, DPRK, IP addresses assigned to them. They have four class C networks, 1024 IP addresses that are assigned to them. We can see down at the bottom there also there is another block, that 210.52 block. I'm gonna ignore that for today; there's usually nothing too interesting there and it's always a little bit of a debate of whether or not that's actually in use, so we're gonna ignore that for the time being. As far as I can tell there's never been anything really interesting there anyway. We're just gonna focus on these four class C networks for today.

So that's all well and good, we've defined the scope, but what happens if there's not a Wikipedia article? Again, this is pretty informative, pretty easy information to find. Using apple.com as an example, we can use something like the dig command, we can get some IP addresses that it resolves to, and then we can do a whois lookup for some additional information. We get the AS number, or the autonomous system number, which is how we start to identify IP blocks that are assigned to organizations. In this case I can see it's AS714, and I can go online, I can verify this information. I can see that Apple is assigned AS714, they have more than 49 million IP addresses, but I can easily verify this information.
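The dig-then-whois scope check described above, as an added example that is not from the talk: it parses captured dig and whois output, pulls out the origin ASN and the announced routes, and flags any resolved address that no route object covers. The dig and whois text is constructed from the RFC 5737 documentation prefixes and the RFC 5398 documentation ASN, and the record layout assumes RIPE/APNIC-style key: value objects.

```python
"""Verify a scope the way the talk does by hand: take the addresses `dig`
returns for a name, take the `whois` records for those addresses, pull out the
origin ASN and the announced routes, and confirm every address really falls
inside a route that the ASN announces.

Added example, not from the talk. The `dig` and `whois` output below is
CONSTRUCTED using the RFC 5737 documentation prefixes and the RFC 5398
documentation ASN so it runs offline; swap in real captures to use it.
"""
import ipaddress
import re

# Constructed `dig +noall +answer` style output (three A records).
DIG_OUTPUT = """\
www.example.com.\t300\tIN\tA\t192.0.2.10
www.example.com.\t300\tIN\tA\t198.51.100.20
www.example.com.\t300\tIN\tA\t203.0.113.99
"""

# Constructed RIPE/APNIC-style whois text covering two route objects; the
# third dig answer deliberately has no matching route so the check flags it.
WHOIS_OUTPUT = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Organisation
country:        ZZ

route:          192.0.2.0/24
descr:          Example Organisation
origin:         AS64496

route:          198.51.100.0/24
descr:          Example Organisation
origin:         AS64496

aut-num:        AS64496
as-name:        EXAMPLE-AS
"""

A_RECORD = re.compile(r"\sIN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)


def resolved_addresses(dig_text):
    """Return the IPv4 addresses from the answer section of dig output."""
    return [ipaddress.ip_address(ip) for ip in A_RECORD.findall(dig_text)]


def parse_routes(whois_text):
    """Return {network: origin_asn} for every route object in whois output.

    whois objects are blank-line separated blocks of 'key: value' lines; a
    route object carries both a 'route' and an 'origin' attribute.
    """
    routes = {}
    for block in re.split(r"\n\s*\n", whois_text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip(), value.strip())
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=False)
            routes[net] = attrs["origin"].upper()
    return routes


def origin_asns(routes):
    """The set of ASNs that announce the parsed routes (normally one)."""
    return sorted(set(routes.values()))


def check_scope(dig_text, whois_text):
    """Map each resolved address to the (route, ASN) covering it, or None.

    A None entry means the address resolved for the name but no route object
    in the whois data covers it: either the whois capture is incomplete or the
    address is hosted elsewhere (a CDN, a cloud account), which is exactly the
    case the talk says you want to notice before trusting a scope.
    """
    routes = parse_routes(whois_text)
    result = {}
    for addr in resolved_addresses(dig_text):
        covering = [(net, asn) for net, asn in routes.items() if addr in net]
        # Prefer the most specific (longest prefix) covering route.
        covering.sort(key=lambda item: item[0].prefixlen, reverse=True)
        result[str(addr)] = (str(covering[0][0]), covering[0][1]) if covering else None
    return result


if __name__ == "__main__":
    print("Origin ASN(s):", origin_asns(parse_routes(WHOIS_OUTPUT)))
    for addr, hit in check_scope(DIG_OUTPUT, WHOIS_OUTPUT).items():
        print(addr, "->", hit if hit else "NOT COVERED by any route object")
```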
So I maybe don't want to always trust Wikipedia; maybe I've edited the article to win a bet at the last minute. So I just want to do the same steps and I can verify: yes, these four class C networks, they are assigned to North Korea. So now we have a starting point for at least where we want to start looking.

So now that we know where we can start looking, the next thing we want to do is we want to start to identify what's actually active in this IP space. So this was the earliest information I could find; this was from back in 2010. Someone ran an nmap scan against North Korea; they found that there were 13 devices online at the time. This is a pretty cool website, it's really the only page on that website, but it's cited by a bunch of other publications. It was the earliest I could find, so at least now we have a starting point to see kind of where things were at, where things started, and we can start to see how things have grown from there.

So now we want to identify what's online today though, because 12 years ago now, 11 years ago, doesn't really give us a lot of good information; we want to see what's active today. So one of my all-time favorite websites to search is GitHub. We'll talk about GitHub a lot today; there's a lot of fun things you can find on there when you start looking for it, but one of the easiest things we can find is people who are running scans against North Korea and they are publishing their results on GitHub for us. This makes it a lot easier. They also organize things in nice folders for us, so now I can start to see as things change over time; it makes it much easier if we can find things like this. And why do I love GitHub so much? You can find all sorts of fun things on there. People are committing things to GitHub that they probably shouldn't be. Again, we'll see later on where some other things have been committed to GitHub that are pretty interesting to look at. North Korea has even committed to GitHub on a couple of public repos for software that they use, which we've found as well. So there's a lot of things on there that you can use; you really start looking into GitHub and you can find a lot of good details in there.

So we can use our GitHub results from all of our nmap scans. We can also use other sites. I'm sure everyone is familiar with Shodan; the best five dollars you can spend on Black Friday is for their membership. But we can get a good bit of information here about what's online, what's active. Same thing, Censys is another internet-wide scanning site. But now we have a couple of different sources here that we can use. Between these scan results that we can find online and some of these internet scanning services we can start to build a map, and you can tell this is a map that I built, but we can start to see exactly what's active inside of these 1024 IP addresses. And out of those four class C networks there's roughly about 30 to 33 devices online, active at any given time, sometimes a little more, a little less, but generally this is what's being used on average.

So really quickly, we started with just an idea of what we wanted to look for, we narrowed down our scope, we identified what kind of devices are online, and now we want to start to learn a little bit more about what are these devices. We have about 33 devices, give or take, that we want to get some more information about. Really one of the only times we'll ever do any kind of active investigation is here, when we will actually just put that IP address into our browser and pull it up and see what we've got. So this is one that I put in, and we can see some information here: Apache web server running on port 80. But one of the interesting things is we can see Red Star 4.0 is the operating system.

So if we take a little detour now, if you're not familiar with the Red Star operating system: we looked at those old scan results back from 2010, and a lot of the operating systems were identified as Red Hat or CentOS. Red Star is essentially a fork of Red Hat/CentOS, and it's a state-sponsored operating system developed by North Korea. There's a couple of different versions of it available. There was some research in Germany done on it that really did some great work; we learned a couple of things from that. There's some binaries on there called scnprc, that's a file scanner that runs in the background and it uses various strings of text that it looks for; if it gets entered in, it gets automatically deleted. opprc is another one; essentially it watermarks a file so you can establish a chain of custody on who created it, who modified it. So as you're working on various files you can see who made changes to it, and that all stacks up in the background for tracking essentially who's touched a file at any time when using the Red Star operating system. So I can send out a link to the slides as well if anyone's interested in this; again, they did a great talk and really did a lot of research on the OS. They put out a lot of tools that you can use to disable a lot of these things that are running on there as well.

If you haven't seen what Red Star looks like: this was version one, had that nice Windows XP feel to it. Two, changing up to a little more of the traditional Linux desktop experience. Version three was an interesting one; this was a pretty big change, especially interesting because around this time there were pictures coming out of North Korea where we started to see Apple devices on desks, we started to see iPads being used, so naturally they had to update the operating system to match that look. Now we do know that version four is available. Versions two and three you can find online; they're on archive.org, they're really easy to download. Version one, as far as I know, isn't online anywhere. Version four, again, we do know exists, one because we've seen it when we browsed to that IP address. This was also in a magazine called Foreign Trade of the DPRK. This gets published about once a quarter by North Korea, and it's essentially a magazine where they show all the things that they are exporting or able to manufacture and export. You can find this on their various websites. There's some interesting things in there that they can export, but recently there was an article in there about Red Star, that it had been upgraded to version 4.0. So we do have a little bit of information about it, we do know that it exists, but as far as I know it hasn't really made its way online yet.
So with version 3 of Red Star there were actually two editions published: there's a traditional desktop version and then there's a server version as well. I've always seen a lot of work done on the desktop versions historically. Server edition, it is online as well, but it is a little bit different from the desktop versions. There isn't as much surveillance software on there, but there's a couple of other binaries on there; there's something called beam, rss mod and setools, which we'll talk about in a minute. yum is disabled, and one of the more interesting things that I ran into when I installed it was that you are the root user but you are still lacking certain privileges as you start really working with the operating system.

So one of the first things I tried getting into was setools, because it sounded like something that you could use for managing SELinux, so I figured I'd start there, see what I could find. It popped up with a password you had to enter, but that's really tough. And then I started seeing that I was getting permission denied even when I was the root user, and I learned that the Red Star server edition is using what's called the Bell-LaPadula model for enforcing access control. If you are like me and you're not familiar with this, essentially the idea was it was kind of a DoD use case, but the idea is you have things like secret, top secret classifications as well on files. So even if you are the root user, if you don't have the right classification level on your account there are certain things that you're not able to access unless you add that additional classification to your account.
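A textbook Bell-LaPadula check, added here as an example and not taken from Red Star or from the talk, showing why uid 0 alone does not get you past a mandatory access control decision. The levels, compartments, file labels and the `Subject`/`Obj` types are assumptions for illustration; the talk does not describe how Red Star's server edition actually stores or evaluates labels.

```python
"""A textbook Bell-LaPadula check, to show why a root account can still get
'permission denied' on a system that enforces mandatory access control.

Added example, not code from Red Star or from the talk. It models the two BLP
rules (no read up, no write down) over a constructed set of labelled files;
how Red Star's server edition actually stores and checks labels is not
something the talk describes, so the labels, levels and API here are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity levels; a higher value means more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A BLP label: a level plus a set of compartments (need-to-know categories)."""
    level: Level
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """L1 dominates L2 when its level is >= and its compartments are a superset."""
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class Subject:
    name: str
    uid: int                 # 0 is root; BLP does not care
    clearance: Label


@dataclass
class Obj:
    path: str
    classification: Label


# Constructed objects: three files at different classifications.
FILES = {
    "/etc/hostname": Obj("/etc/hostname", Label(Level.UNCLASSIFIED)),
    "/srv/reports/q3.txt": Obj("/srv/reports/q3.txt", Label(Level.SECRET, frozenset({"finance"}))),
    "/srv/keys/master": Obj("/srv/keys/master", Label(Level.TOP_SECRET)),
}


def can_read(subject, obj):
    """Simple security property: a subject may read only what its clearance
    dominates (no read up). uid 0 gives no exemption."""
    return subject.clearance.dominates(obj.classification)


def can_write(subject, obj):
    """*-property: a subject may write only to objects whose label dominates its
    clearance (no write down), so high data cannot leak into low files. This
    is why even a fully cleared account is refused a write to a low file."""
    return obj.classification.dominates(subject.clearance)


def access_report(subject):
    """Return {path: (read_ok, write_ok)} for every constructed file."""
    return {p: (can_read(subject, o), can_write(subject, o)) for p, o in FILES.items()}


# Root as first logged in: uid 0 but only an UNCLASSIFIED clearance.
ROOT_DEFAULT = Subject("root", 0, Label(Level.UNCLASSIFIED))
# Root after the account has been given a TOP SECRET clearance with the
# 'finance' compartment, the kind of change the talk describes making from the manual.
ROOT_CLEARED = Subject("root", 0, Label(Level.TOP_SECRET, frozenset({"finance"})))


if __name__ == "__main__":
    for who in (ROOT_DEFAULT, ROOT_CLEARED):
        print(f"{who.name} (uid {who.uid}, clearance {who.clearance.level.name}):")
        for path, (r, w) in access_report(who).items():
            print(f"  {path:22} read={'ok' if r else 'DENIED'} write={'ok' if w else 'DENIED'}")
```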
So that was something that, I'll be honest, I wasn't too familiar with. There's not a ton of information online. I started trying to work with it a little bit, but I said, man, it'd be really easier if I could just find a manual that explains all this for me. One of my other favorite tricks is you start googling in other languages. This is Red Star in Russian. I found a Russian forum where people were posting movies from North Korea, because Russian tourists will go there, they can go a little more easily; they were posting pictures, they were posting manuals and textbooks from North Korea. One of the things that I found was the manual for the Red Star operating system there. This made it much easier for me, because as I started scrolling through I found something that looked like something that I could use to start modifying my account's privileges, found all the commands that I needed to run. Google Translate also works frighteningly well now, especially when you hold it up; it'll auto-translate for you. From the steps I needed, now I could have some additional controls around my account, or remove those controls, so I could have access to all the files. The other interesting thing that I found in these guides, there's a guide similar to the CIS Benchmarks for hardening Red Star servers. There's about three guides that I've found; they're all about 150 pages long. I haven't had too much of a chance to go through them yet, but there is a lot of information in there as far as how the operating system works, what's on there, and then just a lot of basic concepts, DNS, SMTP, how that works as well.

But now that I do have access to all these files, I don't have these same restrictions on my account, and now we can really start to dig into this and see what's running on here. I mentioned there are two additional programs, beam and rss mon. I started digging through those files to see exactly what they were. Essentially what they are is just a nice graphical interface for managing your Red Star server. I started digging through some of the files; they're all written in PHP. Some of the things that I like is they don't trust /dev/urandom to really truly generate random IDs, so they generate it twice and then they do a check to make sure that it's actually reliable. I thought that was pretty interesting to see. They also add in a lot of code for blocking things. They don't use anything like fail2ban on the server; they wrote in a lot of code. If you do enough things wrong you do absolutely get locked out pretty quickly, I can verify that.

But what does this all look like? So now that I had some of these additional permissions I was able to start up this beam program, was able to log in, and again really just a nice web interface for managing your server. You can see where I can configure BIND here, I have all my options available, I can see all my services on the left-hand side that I can easily set up. I will say it was actually a pretty nice setup. Again, having to use Google Translate all the time makes it a little bit slower to work with, but it was a pretty easy way to get your server set up and configured. So we still have a lot more to look at. One of the other things I found, I did find a cross-site scripting vulnerability on there where you could get session information out. So this is when I was just posting it to a webhook site; there's an easy way to test that, where I could get the session details of other users.

I mentioned I do have a website where I post all this. It started probably about four or five years ago, and really it was just a way to put notes online if anyone was interested. I posted this and within about an hour I got a message. I get about one comment a year, maybe less, so I'm always very suspicious when I do get them. Someone said, I'm interested in this, I want more details. I said, I don't really think so, send me an email. And I get an email from one of the most suspicious email addresses I've ever seen, so I never actually replied to it, but it was interesting to see some of the response to it.
So now that we know a little bit about what these devices are, we know there's about 33 devices; we'll wrap up at the end also about what some of the other things are that are running on there. One of the other things we want to do is we want to start to enumerate any domains as well. In our case most of the domains that North Korea has, they all point back to that IP space that they have on the internet, but we want to see: is there anything else that we can find? Maybe it's pointing to an AWS account or something else outside of that. Back in 2013 we learned that there are 28 websites registered to North Korea. They have their own top-level domain, .kp. The reason we know this is someone found that their DNS servers were misconfigured; they were allowing zone transfers. Someone found that at just the right time and we found out there's 28 websites using that top-level domain. So that was a really good starting point, but we want to keep an eye on this and see: are there any new websites that come online? So in the years since, there's been a couple of additional websites that have come online. There's now 32 websites pointing back to North Korea with this top-level domain of .kp; there's 34 different domains, a couple of the domains point to the same site. But really we want to find all these domains. Again, we want to see if there's any kind of subdomains that we can find. We can use passive DNS data to discover these domains, whois data, but it really gives us a good way now where I can take some of this information and start to map it back as well and see if there was anything that we missed early on when we were doing some of this asset discovery.

This was also a screenshot from the North Korean airline, Air Koryo, which is their official state-sponsored airline. One of the, again, interesting things is we can see all their flights are on time. If you look on Flightradar that's usually not the case; they're usually running a little bit behind, always, and I get delayed pretty frequently, but according to their website they're always on time. Flightradar also started showing, within probably the last two, three days, flights within North Korea as well, which aren't listed on the website. North Korea has been pretty shut down during COVID, so it's been interesting to see some of the flights running again, even if they are just inside the country. Looks like they are starting to fly a little bit again.
So how can we start to gather this information? Again, what happens if we don't have a nice Wikipedia article or a misconfiguration that gets posted online? We can use some of this whois information, get information about who owns a domain, and then we can do things like reverse DNS lookups based off of this. Again, looking at Apple, they own a ton of domains for all sorts of fun things. Passive DNS data is a great source as well. This is where sites are logging all these DNS requests and all the information associated with them, so we can start to build out a pretty good picture of any kind of domains associated with an organization as well this way. Censys is another interesting one, or you can use a website like crt.sh: if you have any kind of certificates you can actually search the fingerprint there and see if it's being reused across any sites, so we can find a little bit of information that way as well. North Korea has started using more certificates on their websites, even though they're not valid, but again it gives us another way where we can start to search and see: are they being reused anywhere across their infrastructure?

So I've been working on this for, I don't know, about two, three years, and then about a year and a half ago a new website came online. It's called dprkportal.kp. North Korea actually just publishes a directory of all their websites now with their top-level domain. I personally have always taken this as a little bit of an insult, but it also makes it a lot easier now when new sites do come online; you can check here.
So now that we know a little bit about our domains, we have our targets, we want to start to find out what kind of services are running on these different devices. Again we can turn to some of our internet scanning services. This one comes from one called ZoomEye, which is essentially the Chinese version of Shodan. Again we can get some good information about what's running on these devices. We can get some basic banner information; it may not be something that we want to rely on, but at least it gives us an idea of what's there. One of the things we can also start to see with this is, as we do start to look at central services like DNS and mail services, those are all still running on Red Hat. Any kind of web servers that are just serving up the sites, those seem to have all been migrated over to Red Star now. We can find all sorts of other things on there as well: VMware was exposed at one point, I've seen various Adobe media streaming services that were exposed, there's Cisco routers that are found as well. And again, some of this, if we don't necessarily trust this or we're a little suspicious, we want to try to again validate that data as much as possible. We can search the same IP across various sites; we can make sure that everything really does match up, that everyone's reporting the same thing.
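The cross-source validation just described, as an added example that is not from the talk: it merges constructed records from three placeholder scanning sources, treats a service as corroborated only when the sources agree, and surfaces OS or product disagreements and stale observations for manual review. Source names, addresses (RFC 5737 documentation ranges) and dates are constructed.

```python
"""Reconcile what several internet-scanning sources report about the same
hosts, so that a service is trusted only where sources agree and every
disagreement is surfaced for manual checking, which is the validation step the
talk describes for an asset map built from third-party data.

Added example, not from the talk. The source names are placeholders and every
record below is CONSTRUCTED (RFC 5737 documentation addresses); real feeds
would be mapped into the same small record shape first.
"""
from collections import defaultdict
from datetime import date

# Constructed observations: (source, ip, port, product, os, last_seen ISO date)
OBSERVATIONS = [
    ("scanner_a", "192.0.2.10", 80,   "Apache httpd", "Red Star 4.0", "2022-02-20"),
    ("scanner_b", "192.0.2.10", 80,   "Apache httpd", "Red Star 4.0", "2022-02-18"),
    ("scanner_c", "192.0.2.10", 80,   "Apache",       "Red Star 4.0", "2022-02-19"),
    ("scanner_a", "192.0.2.11", 53,   "ISC BIND",     "Red Hat",      "2022-02-21"),
    ("scanner_b", "192.0.2.11", 53,   "ISC BIND",     "Red Star 3.0", "2022-02-21"),
    ("scanner_a", "192.0.2.12", 8080, "http-proxy?",  "",             "2021-11-02"),
    ("scanner_b", "192.0.2.13", 443,  "VMware ESXi",  "",             "2022-02-10"),
]

AS_OF = date(2022, 2, 22)      # constructed "today" so the example is deterministic
STALE_AFTER_DAYS = 30


def normalise(value):
    """Lower-case and collapse whitespace so banner variants compare cleanly."""
    return " ".join(value.split()).lower()


def values_agree(values):
    """Treat 'apache' and 'apache httpd' as the same answer: every value must
    extend the shortest one. 'red hat' and 'red star 3.0' do not."""
    shortest = min(values, key=len)
    return all(v.startswith(shortest) for v in values)


def reconcile(observations, as_of=AS_OF, stale_after=STALE_AFTER_DAYS):
    """Group observations by (ip, port) and classify each service.

    Returns {(ip, port): {"sources": [...], "product": str, "os": str,
                          "status": "corroborated"|"single-source"|"conflict"|"stale",
                          "conflicts": {field: {value: [sources]}}}}
    """
    grouped = defaultdict(list)
    for src, ip, port, product, os_name, seen in observations:
        grouped[(ip, port)].append((src, product, os_name, date.fromisoformat(seen)))

    report = {}
    for key, rows in grouped.items():
        conflicts = {}
        for idx, name in ((1, "product"), (2, "os")):
            by_value = defaultdict(list)
            for row in rows:
                if row[idx]:                    # empty banner is "unknown", not a vote
                    by_value[normalise(row[idx])].append(row[0])
            if len(by_value) > 1 and not values_agree(list(by_value)):
                conflicts[name] = dict(by_value)
        newest = max(row[3] for row in rows)
        if (as_of - newest).days > stale_after:
            status = "stale"                    # nobody has seen it recently
        elif conflicts:
            status = "conflict"                 # sources disagree: check by hand
        elif len(rows) >= 2:
            status = "corroborated"             # two or more sources agree
        else:
            status = "single-source"            # only one source: unverified
        report[key] = {
            "sources": sorted(row[0] for row in rows),
            "product": rows[0][1],
            "os": next((row[2] for row in rows if row[2]), ""),
            "status": status,
            "conflicts": conflicts,
        }
    return report


def needs_review(report):
    """Services a human should check by hand before they go on the asset map."""
    return sorted(k for k, v in report.items() if v["status"] != "corroborated")


if __name__ == "__main__":
    rep = reconcile(OBSERVATIONS)
    for (ip, port), info in sorted(rep.items()):
        print(f"{ip}:{port:<5} {info['status']:14} {info['product']} {info['os']} {info['conflicts'] or ''}")
    print("needs review:", needs_review(rep))
```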
And really what it comes down to, this is really the list of everything that's running: a couple of web servers, some DNS and SMTP servers. Down at the bottom there is 20 services running on port 8080; I will talk about that one in a minute. A couple of Linux servers; there's a couple of Windows servers that pop up here and there, sometimes it's actually just a laptop that gets plugged in. We have our Cisco router that we can find as well. So this is really where now we can start to have a pretty good idea of what we've seen: we've found all these active devices, we have a good idea of what's running on them, a good idea of what all the domains are.

I mentioned this port 8080. This one's been interesting to watch over about the last year and a half; it shows up on a lot of these scanning sites. We'll talk about that one in a minute. But why is it important to identify all these services? Again, we have some banner information, may not be the most reliable thing, but it still gives us some pretty good information about our targets and what we're looking at, and we want to make sure that we're finding these things about our own organization before someone else does.

So most of what we've been doing so far has been pretty passive gathering of data. We'll talk a little bit about semi-passive as well. This was something interesting that I found that someone had published. They essentially used one of those mail testing sites where you can just check your mail server for any kind of misconfigurations, but they ran them against a North Korean mail server. They found it was actually set up as an open mail relay at the time, so in theory you would have been able to email inside of the country with, I forget the domain it was on, but that was found, an open mail relay on one of their mail servers. There are sites like proxy checker: so port 8080, we're going to assume that's a proxy, and this will go out and try to test that. All of them failed. Port 8080 just always seems to appear, and then it'll disappear for a few weeks, and then it'll show up again; still not too sure what it is. And then we can use other pretty creative things as well. SEO tools will give you all sorts of information about your website. One of the things that I'll find is broken links though, and on one of the North Korean websites we can see down at the bottom here we have a link to an internal IP address, 172.200. This is something that's actually pretty interesting. This isn't necessarily something that was broken, might have been left in there by mistake, but it is something pretty interesting that it tells us about North Korea's internet as well, that we'll talk about in a couple of slides.
So we spent a lot of time looking at North Korea's infrastructure, but now I wanted to look at this from the other way; I wanted to see, can we actually find any presence of North Korea browsing the internet? So if you're not familiar with the way the internet works in North Korea: it started back in 2001, they had a mail relay between Pyongyang, the capital city, and Shenyang, China. Essentially it sent batches of email every hour; it cost a dollar fifty to send an email. And today there's two different networks in North Korea. There is access to the internet, which is really reserved for party elites, and if you're doing research you can have essentially timed access to the internet, but most people have access to the intranet, which stays inside the country. This picture here on the right is something that I found on someone's Flickr, which is another great way to get pictures of places that you probably can't go to. This is from an internet cafe; we can see a list of all the websites inside the country here. There are some pictures of the websites on it as well, so we do know that it exists, which is why I thought it was interesting to see a link back to the internal IP addresses. Some of these websites, they do pop up just in various DNS records; nothing really seems accessible from the internet, but we do know that this is something internal, there are sites available. I've heard numbers anywhere from about 50 to about 300 different sites internally. We can find some information as well just published online, marketing material about various apps and services available inside the country as well.

So really what started all this was, a couple of years ago Steam published a map of where everyone was playing. If we look really closely there is one green dot inside of North Korea. So I wanted to see, can we find any information? This is from a Russian oil company; Google had indexed all their logs, so using a simple Google search we can find North Korean IP addresses in their logs. Pastebin, another great site to find information. This was from a Minecraft server; you could find all their users on there. Again, we find the IP address of a North Korean user on this Minecraft server. And then we can really start to get creative here. We can start to look at things like Wikipedia: if you don't have an account when you're making a change, it'll log your IP address. So we can see they changed this article for where this book was published, in the US, to the UK. Various edits made as well under North Korean IP addresses, vandalizing pages as well. We can start to see that there is some activity online where North Korea is browsing out to the internet. This is another good website that I found called iknowwhatyoudownload.com; it really just tracks all the torrents and trackers, so you can find all sorts of information in here about countries, your own IP address. What I did was I wrote a script to query this and I got a list of all the North Korean IP addresses that were torrenting at that time. But what was really interesting was not that Modern Family apparently is pretty popular, but we can see a list of all the device drivers that are being torrented as well. So now we can get an idea of what kind of devices are there, what kind of products are inside their computers. Another interesting thing that we can see, and not something that I was necessarily expecting to find as well.

And then we talked about their top-level domain .kp; typically they're .com.kp or .org.kp. Now that I had a whole list of them I wanted to see what happens if I bought just the .com version. So I bought two of those; they were available. I found one domain in the OS manual, and then I found one kind of weird domain that kept popping up in some threat intel feeds; I bought that one when it became available as well. Really all I did, I just put Google Analytics on all those. I figured it'd probably be pretty weird if you were actually browsing to those domains. So this was my analytics map for the last year. I did get some pretty good traffic to it, nothing explicitly from North Korea, but still a lot more hits than I was expecting with these domains that I had online.
One of the last things: I always like looking at social media as well. I think everyone knows about looking at LinkedIn to see what employees are posting; LinkedIn is apparently becoming very popular in North Korea as well. As far as I know I haven't gotten any friend requests on there from them, but I've learned that if you come up with any kind of crazy hashtag you want to search, there are generally people posting things that you probably don't want them posting. "New job" is a great one; you can find all sorts of information there about badges, schedules, employee numbers. "Visitor badge" is another one. I didn't really think that was going to work, but people are posting pictures of their visitor badges; you can find contact names, numbers, and some people post just a really good look at their visitor badge.

So I wanted to see what else we can find about North Korea on social media. I learned that mini kegs are being developed; they have their own brewery inside of North Korea, and mini kegs are being developed right now. This was from a hotel, if you do take a tour. I liked this book that someone posted, "How to Cope with Potential Disaster." And then, if you're staying for a longer time in North Korea, you can be a student there at some of the colleges if you're from outside the country, and there are a couple of embassies inside of North Korea, so people were posting pictures of their student cards and their long-term stays inside the country.

Then one of my favorite ones I found: this is the Palace of the Sun, and if you do go on a tour, when they take you here they're very strict about not taking pictures. Sure enough, if you look on Instagram you can find some pretty candid pictures here. One of my favorite things is that it's also geotagged with the location, so it makes it easy to go back and look at it. So we can really find a lot of things on there, especially things like this where you probably don't want to be taking pictures in that instance; I know I certainly wouldn't be, but we can still find pictures online pretty easily.

What else can we learn from this, though? We can learn that Windows XP is still pretty popular; there are a lot of pictures of people using XP in a lot of places. It doesn't really seem that the Red Star operating system is used too much outside of official purposes and some of the colleges; it seems like XP is on most of the systems that I've seen pictures of.

And again, we want to remember that we can't always trust what we find. North Korea is active on social media posting things; most of the links are back to their own websites, but if we look at some of these pictures, sometimes they just look a little too perfect all the time. There's a great website called fotoforensics.com. It'll actually go through and analyze all the layers of an image to see if it's something that was potentially photoshopped, and it tries to highlight those. A lot of the pictures do look like this: nice clear background all the time, nice sunny day. A lot of times it seems that most of these pictures are actually just superimposed on top of these backgrounds. So we always want to remember that even though it is online, you can't always trust what we see there.
Then we can really start to get creative with what we're using. Strava is a fitness tracker, and they anonymize all this data and publish where people are walking, with the goal of helping you find fun places to hike and run. I hear things like this and my first thought is, I wonder what I can find that isn't supposed to be on here. Strava did actually get in trouble: there were some government bases mapped out here that you can find on Strava. I use it for looking at North Korea, and we can actually find a number of routes that people are taking. I assume this is from people there on a tour group, so you can get the routes of where people are going. But if you really zoom in, we can see that this is actually down to the building level, so we can see a nice heat map of what's popular; we can see what buildings people are going in. The next thing I want to do is actually overlay this on Google Maps and the satellite view to see if we can get a better idea of what's here.

But then up in the northern part of the country I noticed there were two very same lines. When we look at the same location on Google Maps, it kind of looks like a ski resort here. Again, why this is interesting: there is a ski resort in North Korea; it's pretty easy to find pictures, a lot of people might have actually seen it, I think it's pretty popular, but this isn't the location of the ski resort that gets published everywhere. I don't know if this is a second one; I've been trying to find information, but it seems like there is potentially a second one being used. It's not the one that always gets talked about.
To wrap it up here in the last few minutes, a couple of other things that have been put online. This came out a couple of years ago from Check Point Research: SiliVaccine was an antivirus program developed inside North Korea. It's a great article; it talks all about how it works and some of the things that it intentionally misses. But one of the interesting things was, if we go back to GitHub and we start to search things, we can find this. This was from the Shadow Brokers leak, from when the CIA tools leaked online, all their code; people mirrored it onto GitHub, and this was from one of their files where they are trying to detect what's on the endpoint. You see a lot of EDR tools and AV tools in here, but one of the things that I thought was pretty interesting, and haven't really seen mentioned, is that they're also looking for the presence of SiliVaccine, which was developed in North Korea. So we can see some of the registry keys that they're checking for, and certain log files where they're being stored as well. So we can really find a lot of good information on GitHub.

One of the other things I've seen on some of the North Korean websites: they have their own fonts that they've developed. I didn't know too much about these; I was doing a little bit of googling, I found this message board, and found that the font was developed inside of North Korea. We started searching those fonts, and one of the things that also came up was some of these sandbox sites where you can submit files for free; they also let you search them. So I found some of the strings that match these North Korean fonts as well. Certainly not enough to do any kind of attribution, but I thought it was interesting to see some files there as well that were actually using these pretty specific characters and font families.
That leads to one of the last things as we start to wrap up here: finding actual North Korean software online. This is something I wanted to focus on next. There are a lot of programs out there like Speed Up My PC that are some of these free services, but it turns out they're actually indexing all the software on the back end and publishing it to these sites. So this is where I've now learned you can search some of these; there are different vendors like the Korea Computer Center and the Pyongyang Informatics Center, and we can get a good idea of, again, kind of homegrown North Korean software. Not anything malicious, but things being used for day-to-day use. So I actually have a pretty good collection going now, and it's something I was going to focus on working on next, talking about really what's there. But we can start to find North Korean software online, and it's another interesting way that we can get an idea of what's running there.

So to wrap it up in the last couple of minutes here, one of the things people always ask about is what kind of tools do you use. osintframework.com is a great website; it's a nice spanning tree you can click into and it has all sorts of tools. So I always recommend this; it's much easier than trying to recommend a few tools. I do have my own website, nkinternet.wordpress.com; it's been online for about four or five years now and I try to keep it a little bit up to date. That's where I publish anything new that I find.

Then one of the last things, in the last minute or two here. This was about four or five years ago; I found this online. We can see it's on North Korean IP space, and at the top of the browser there you have things like "signature list," "detection system," "C&C server." It seemed pretty interesting, and it had a valid certificate. So me being as clever as I was, there's an email address in the certificate, so I emailed them. I said, hey, you know, a friend showed me your software, I'm interested in purchasing it, can I get some more information? Because I want to know more about it. And they said, you know, wrong company, that's not us. OK, I'm catching on. I was looking at it a couple weeks later; it's 7:30 in the morning on a Sunday and I got a phone call. It was all zeros on the screen. I know this is weird, so I picked up, and the line goes dead. OK, fine. I go back to looking at this and looking at some of the HTML on it to see if there's any information. My phone rings again, a second time, it's all zeros. I get a little nervous; I pick up, I say hello, and again the phone goes dead. So at this point I'm thinking, well, it's time to move, it's time to move out of the country, change my name, this isn't good. I'm pacing nervously around my room; I still don't know what this is. I get a call one last time with three zeros on the screen. I pick up and say hello, hello, who is this? Still no answer, no response. And then I hear a voice, and I'll always remember, they said, "Mr. Roy," and I thought, oh, game over. I said, uh, I don't know if he wants to know, and he said, "This is Steve from Enterprise, your rental car is ready. I'm sorry, we've had some problems with our phone this morning." Thanks, Steve. Gave me a nice heart attack at seven in the morning.

That's all I had. Thank you again, everyone. Hopefully we can do this in person one day, but thanks for hanging in there and listening. Always really appreciate it.

Yeah, thanks, Nick. Looking to see, it looks like we do have at least one question here if you want to hang out and answer some questions. "Have you identified any North Korean-associated IPs, maybe via clustering, not hosted within North Korea, maybe from China, etc.?"

So, I mean, yes, we know that they are
using things outside of North Korea for, we'll say, bad things or malicious things. I tried to stay away from that, though. But as for them using things for general purposes, though, no, it doesn't seem to be; for kind of day-to-day things, it's really just contained inside of that block of IPs.

Yeah, not having access to some of these applications, I guess there's no way, like maybe a staffer within TikTok could tell us if they're publishing anything on TikTok or if they're jumping on Clubhouse, but from the outside you can't really tell, right?

Yeah, and if you look on TikTok's map they actually do have videos there, but it's usually people just faking their location, typically, it seems to be.

Nice. "Can you repeat the website that checks for certificate fingerprints, and how do you use that info?"

Sure. So it's crt.sh, and then you can also use Censys. The idea is you have a fingerprint on that certificate, so if it's being reused anywhere else on another site, in theory they would find that and have it pop up in the search. Some of the North Korean certificates are just love card certificates; they reuse them across multiple domains. The only downside to that is all the domains are hosted on the same server, so it's not actually too useful to search for that purpose, but if it was something else it might work a little better.

Cool. Yeah, everybody else is just saying great talk, they enjoyed it. Let's see, we've got about nine minutes before the next talk here. So yeah, if you want to, I think within Sched you can upload your presentation if you want to share it there, or a link to your presentation if you'd rather just do a link to it. And I don't know if you're into Discord, but you're welcome to hang out there and we can promote you to speakers so that people can visually see that you're a speaker; your tag gets green text. But yeah, otherwise, thanks, great talk.

Yeah, I mean, there's superductos; I joined in last night.

All right, cool. And yeah, somebody was asking if it's being recorded. Yes, probably by this weekend I'll have all these chopped up, because we're recording each track as one giant video file, so I'll have to chop them up and upload them to YouTube one by one. But yeah, I think last year by one or two days after the conference I had them uploaded, but I'm just going to say this weekend to give myself a little padding there, a little room.

Oh nice, somebody says they teach OSINT and he's gonna show this to his class in the fall.

Oh, very cool. Yeah, there you go, very cool, you're part of a lesson plan now. Congratulations.

I would have worn a mask or something too if it was being reused.
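The recurring technique in the talk is the same one each time: pull a set of public records (Google-indexed web server logs, a Pastebin player dump, anonymous Wikipedia edit history, a torrent-tracker export) and keep only the lines whose IP address falls inside North Korea's allocated block, which the Q&A notes is where day-to-day activity is "contained." The script below is an added example, not the speaker's own script or anything shown in the talk. It assumes the widely documented 175.45.176.0/22 allocation as the watch list (confirm it against APNIC WHOIS before relying on it, and add any other ranges you have verified), and runs over a few constructed lines that imitate those sources so it works offline.

```python
import ipaddress
import re

# Assumption (not from the talk): the publicly routed North Korean allocation
# most often cited is 175.45.176.0/22. Confirm it against APNIC WHOIS data
# and extend the list with any other ranges you have verified yourself.
WATCH_BLOCKS = [ipaddress.ip_network("175.45.176.0/22")]

# Loose IPv4 matcher; candidates are validated with ipaddress afterwards so
# that something like 999.1.1.1 (plausible-looking but invalid) is rejected
# instead of being silently mis-classified.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines (not real data) imitating the source types the
# talk mentions: a Google-indexed web access log, a Pastebin-style game server
# player dump, and an anonymous Wikipedia edit-history entry.
SAMPLE_LINES = [
    '175.45.176.71 - - [12/Mar/2020:08:14:02 +0300] "GET /logs/ HTTP/1.1" 200 512',
    '8.8.8.8 - - [12/Mar/2020:08:14:05 +0300] "GET / HTTP/1.1" 200 1024',
    "player=Steve ip=175.45.178.14 last_seen=2020-03-12",
    "12:03, 12 March 2020 175.45.177.9 (talk) . . (+12) . . (changed US to UK)",
    "player=Alex ip=175.45.180.3 last_seen=2020-03-12",   # one past the /22 boundary
    "player=Bob ip=999.1.1.1 last_seen=2020-03-12",       # not a valid address
    '10.0.0.5 - - [12/Mar/2020:08:15:00 +0300] "GET / HTTP/1.1" 200 10',
]


def in_watch_list(candidate, blocks=WATCH_BLOCKS):
    """True if candidate is a valid IP address inside one of the watched networks."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return any(addr in net for net in blocks)


def extract_ips(text):
    """Return the syntactically valid IPv4 addresses found in text, in order."""
    found = []
    for cand in IPV4_CANDIDATE.findall(text):
        try:
            ipaddress.IPv4Address(cand)
        except ValueError:
            continue  # matched the regex shape but is not a real address
        found.append(cand)
    return found


def find_hits(lines, blocks=WATCH_BLOCKS):
    """Return (line_number, ip, line) for every watched address in the input."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if in_watch_list(ip, blocks):
                hits.append((lineno, ip, line.strip()))
    return hits


def unique_ips(lines, blocks=WATCH_BLOCKS):
    """Distinct watched addresses, sorted numerically rather than as strings."""
    seen = {ip for _, ip, _ in find_hits(lines, blocks)}
    return sorted(seen, key=ipaddress.ip_address)


if __name__ == "__main__":
    for lineno, ip, line in find_hits(SAMPLE_LINES):
        print(f"line {lineno}: {ip} <- {line}")
    print("unique:", unique_ips(SAMPLE_LINES))
```

In practice the lines come from the sources named in the talk rather than the constructed sample, and the watch list is the only thing you need to swap out. Note the /22 boundary case: 175.45.179.255 is inside the block and 175.45.180.0 is not, which is the kind of off-by-one a string-prefix match on "175.45.1" would get wrong. A hit only says the address sits in that allocation; as the talk itself cautions, it is not attribution to a person or organization.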