
Are you going to press... it has been recording? Cut out, okay, 10 minutes. Yeah, the light; speaking to the light. I thought it was a mic for a few minutes here. They took the mic away, I don't know where it went, and we had to pay for AV people.

Hey everybody, my name is Frank Tuci. I work for Qualys, so my talk today is going to be a little bit about social media versus a little bit of social engineering. It's quite interesting that I follow Andrew in his talk, because a lot of what he was talking about was geolocation. I'm going to also talk about location; I'm just going to approach it a little bit of a different way.

I do work for Qualys; however, this talk has nothing to do whatsoever with Qualys. So if anyone is familiar or not familiar with any of our products, this won't help you or hurt you. We are very motivated to go out there and continue security research. Most of our employees are either developers, hackers, pentesters, etc., and so we are pushed to go out and speak and do our own research. So yes, we're sponsoring this event; yes, I do work with Qualys; however, this has nothing to do with it. But what does have to do with it is I'm giving away a Kindle Fire HD. If anyone wants to stop by the table I have set up out there with the tablecloth, drop a business card or some information in there, because at the end of today I'll pull out a name and someone gets to leave with that. So stop on by there.

At Qualys I'm responsible for the southeast territory, primarily North Carolina, South Carolina, a little bit in Georgia, Tennessee, and one in Mississippi. Like I said, at Qualys we have a variety of responsibilities; we're all hired to do a little bit of everything, so I do everything from account management to vulnerability scans to helping people set up. We don't offer a whole lot of professional services other than just to help the clients, but what we do is help them walk through setting up their products and things like that. So I basically help out with the web application scanning, assisting with the development of the web application firewall system that we're rolling out, and I do have a lot of clients in the area in Charleston and throughout the Carolinas.

My past experience, just to give you some information, is a little bit all over the place. I did a little bit of government work with some people in this room, a little bit of, actually a lot of, consulting before that, network security, moved all the way down to help desk in the '90s, and that's pretty much where I got my start. I started with security in the financial sector, for banking, credit unions, and securities. Why I care about security is more than just a hobby; that's really what I do day in and day out. Today's a Saturday, I'm not getting paid to be here, but I enjoy this kind of thing, so it's kind of an interest.

Today I'm going to look at a couple of different things. I'm going to start this off by saying that I hate PowerPoint. I'm not great at it; I think it kind of sucks, to be honest with you, but there's really no better way to do it, so I'm going to
throw some stuff up here and hopefully get people to laugh a little bit, and maybe towards the end of it we can just have some discussions. But again, I'm going to follow up on some of the same principles that Andrew gave in the talk before, as far as using geolocation, and I also had a great side conversation here with Evan not too long ago that basically touched on using some geolocation as well. So it's definitely a hot area, in my opinion, that we'll be able to use going forward.

The first thing I want to talk about, though, is privacy. Privacy right now is something really difficult. Privacy, for anybody: is there such a thing anymore? What is it? Why? It's the state or condition of being free from observation by other people, right? It's your own; it's who you are; it's what keeps you individual. Is that your privacy? But, you know, privacy means a lot of different things for a lot of different people, and that's probably where a lot of the difficulty in privacy comes from. If you ask people what privacy is, pretty much everybody you ask, whether or not they're in the room listening to your conversation, has a different answer. To me, I think it's who we are, it's how we act, it's the way we do things. I think privacy has a lot to do with not just anonymity but also respect: respect we have for other people, respect that we have for ourselves. It provides us with some individuality; it helps avoid basically conforming to other people's ideas in a group. If there are any MBAs or people of that kind in the room, you've done plenty of research studies on groupthink and why it's bad, and why it's actually, you know, useful sometimes if you're looking to push ideas behind that. But again, I'm not going to sit up here and preach, but I think it's a fabric. Privacy is important; it defines who we are morally, professionally, and in some cases even spiritually. And with that, I'll move
on to something. All right, so all the three-letter agencies, right? Your NSA, CIA, DOD, FBI, etc. Are they watching you? Are they watching you in particular? Maybe, maybe not. But the answer to "are they watching?" is yes. Yes, they're watching, sure. But one thing to keep in mind: what are they taking from you, and what are you, or people you know, giving to them voluntarily? What are you offering up? What are you making publicly available that you don't know is publicly available? How can that stuff be exploited? It's not just the three-letter agencies that are spying on you; it's everybody who wants to know something about you, that can buy information on you, that's going to invade your privacy.

The ages of people that are posting things on the internet and online: all the controversy between Facebook and whether Facebook should be limiting access to your teen's pictures. Well, you know what? No, they shouldn't. You should be limiting access to what your teen puts on there if you're responsible for educating them. Young people don't really have a good concept of privacy, in my opinion, from any kind of research that I've done. The amount of sharing and things that go on in open media formats is just ridiculous. I mean everything from, you know, FaceTiming somebody who you don't know, walking down your stairs through your house, basically giving a tour of what you've got, to posting up what you had for breakfast, to where you're going to school, where you're going to be at the mall, etc. Now we can take all of this data that we have from all these sources, and it's not just the government that's going to be able to do it; it's every hacker, every pentester, every researcher that's going to be able to put this stuff together. Every Joe off the street who is just curious can put this stuff together and assemble the pieces; they can pull all of these pieces together to get a huge amount of information.

So you have guys like Snowden, right? He came out there and said, this is what we're doing, we're spying on everybody, we're spying on foreign governments, spying on Spain, spying on France, spying on Germany, etc. That's out there. And, you know, where's the uproar? Where's all the protest for this stuff? In my opinion, the protest for this stuff is not really out there. Sure, you have some people out there who are upset about it, you have some people making light of it, and then you also have some people who don't really care: "I have nothing to hide, so what's the difference?" Right? That's one way to look at it. But again, you know,
during the time when that information first broke, we'll go to this cartoon here, one of my favorites, right? I don't know if anyone's ever seen it. There's a guy talking to his wife or girlfriend: "Hey, I'm on my way home, what do you want to do when I get back?" She says, "You know what I want to do." "I want to hear you say it." "I want to hear you say it, too." So what's all this information that other people are seeing and other people are hearing? Or, you know, here comes my question that I brought up before, right: what are we voluntarily disclosing? We're using all of these great tools up here, right? We're using Twitter, we're using Facebook, we're using LinkedIn, we have location services turned on, and that enlightened me a little bit to some of the Google world of what we're doing and what we're putting out there. So you really look at what we are disclosing. Okay, you know, you're signing up for things that are 100% free, right? How much do you pay for your Facebook? How much do you pay for your Gmail? How much do you pay for your Yahoo? How much do you pay for that stuff? You pay nothing. You don't pay anything to Instagram, you don't pay anything to anybody else, right? So you're getting services for free that you're using, right? What are they doing with that information?

One of my favorites, besides Bobby Tables, this is one of my favorites here. People know who Bobby Tables is, but that's a good one. So this is a good comic here. It says, "I've been putting all my stuff in Chad's garage. He has nice shelves, and what's cool is he lets me come in and see it whenever I want. But I just got this note from him: 'Hey, in a month I'm going to Craigslist all the stuff you left in my garage. Just letting you know. Chad.'" Right? This guy gets pissed off, calls his buddy, he says, "This is an outrage, there's no way to run a storage business." His friend says, "Are you paying him to look after your stuff?" "No." "Well, then, how is he running a storage business?" "Well, I'm this close to not giving him any more of my stuff." "Well, that'll teach him." So all of your documents that you're not paying to put out there, right, all of your photos, anything that you upload that has additional metadata attached to it, to use your favorite buzzword, or any other information that you're putting out there, right? They're going to use it. They're going to use it how they want to use it. So before you look at this and say, yes, you know, all of this bad stuff is happening, sure it is, and I think it sucks, because I personally think privacy is important. It's something that I value. But what are you giving? What are your children giving? What are your nieces, nephews, cousins, etc., giving? What are people giving out for free?

So anybody who does any kind of pentesting in here at all, or has been through any kind of security class for ethical hacking or pentesting, etc., knows what step one is. What's step one? It's your information gathering, your reconnaissance, right? Exactly what Andrew was talking about earlier. So we look at it like a life contest: step one, right, I'm going to
gather as much information as I can from you or your company. Now what if I wanted to do identity theft? What if the target wasn't your business, but what if the target was you? What if I wanted to hack you as a person, hack your privacy? All this information is out there; people are using social media. What if I'm taking the easiest targets, people who put the most stuff out there in my geographic location? Holistically, if you're using a lot of different feeds, there's a lot of different areas that you can take data from, and this gets into the discussion of geolocation.

So, working at Qualys, I get to interact with a lot of cool people. I go to some cool cyber security conferences, I work with a lot of great developers. If anyone out there has ever heard of a company called Trustwave or Breach or anything like that, I worked with people who wrote a lot of those systems. I work with a lot of people who designed a lot of the security, even some of the security protocols: PCI compliance version one, OWASP. These guys who are on the board for OWASP, who've done development for OWASP. So I meet a lot of people through networking, and not just my love for security, but I have stumbled upon two people who I had some very interesting conversations with. And to get back to what we're talking about here, it's a gentleman named Carl Swan and James Fernandez. I don't know if anybody in here has ever heard of Carl Swan or James Fernandez. They are actually Canadian, and they got their start in two areas, really. One of them was doing consulting for Canadian military and pseudo-military operations, and the other was a professional mapper and photographer. Well, they got together. Here's the two gentlemen right here: Carl Swan on the left, James Fernandez on the right. Cloverpoint is the cartography service that they use, and Echosec is something that Carl started and James did a lot of the coding for. And what they said is, let's put all of this stuff together. Let's put our social media, let's put all of these different APIs that are available, right, there's 110 or 120 publicly available APIs for social media type applications, whether it's taking data off of Flickr, metadata off of a photograph, or, you know, obviously Twitter and Facebook and things like that, Foursquare. Let's take all of this and let's put it into our Cloverpoint, into our cartography software and stuff that we're doing. So they developed a product called Echosec. Has anybody in here heard of Echosec before today? Just Tim. All right, so I'm going to just jump over here quick.

All right, I guess it's as good as it's going to get for a display. So let me show you here. What you have is a map. It's a map of San Francisco, Oakland further down, my corporate headquarters, Redwood City, down just outside San Francisco here. So we have a map like this and we say, okay, this is great, you know, it's a map, but let's do this, right? Let's minimize this a little bit, or a lot. We're connected to a really fast internet here, so demos don't always work. Let's jump to a location. Anyone who says this is a fast internet connection: this is really instant; it's only slow for my demo, of course. So you can take this map, and this is Echosec, and pretty much anywhere in the world you can take this map and you can move it around, you can make it smaller, bigger, whatever. And what we're going to do is we're going to just come down here onto the peninsula in Charleston. We're going to try to get right over our area here. It's taking time, but I'm on a limited time basis here, so let me select an area, right? So I'm going to take this area here, I'm going to come out here with the boxing for the selection, okay, I'm going to let it
go. So what you get here is you get all of these different social media posts with location information directly on the area you select. Now, I just did this because of speed, and this thing is still refreshing, but you can get down to one square block. You can get down to one block, you could get to one house; you can select one house, one building, one business, etc., and you can pull all the social media content out of that building: every picture that's been posted on the internet, and they're loading here from everybody's public account within that area that you selected. Now what if we were to take the information that was given out earlier for IP blocks and plug it into this map? What if we were to take a map and select it and take all of that information and say, here's our IP blocks for this block, find them, and then what if we had another widget or a plugin on the side that runs an nmap in real time? So you select an area, you select a block, you select whatever you want, and you can run, let's say, a live nmap right from a specific location. Now what can you draw from this, right? I was in a corporate location not too long ago where I was talking to a fellow and showing a little bit about what I was going to present on, and we actually highlighted the corporate office where we were sitting and found internal pictures of the building, and pictures of the bathroom, believe it or not, and someone who was there for an interview taking pictures of themselves in the mirror in the corporate bathroom. Interesting, but that stuff is available here, right?

So let's look at it a little different way. All right, I'm not only gathering information. The disturbing part about this is that I did this for where my daughter goes to elementary school. One of my daughters is in second grade, so I put it just over her elementary school, that's it; I didn't go any further. I got tons of pictures of inside the school. I got names of students, I'm talking little kids. I didn't find my own daughter, but I saw three of her friends, and I found all of that information. I went over one of the cul-de-sacs where I live: pictures of the ice cream truck, pictures of the people with their names going up to the ice cream truck, pictures of their vehicles, pictures of their license plates, pictures of anything that you could want. Again, I apologize for the speed of this, but you can look at all the different APIs that are feeding back here for that specific location. If I had a faster internet connection I would most definitely go down to a block radius, or maybe just over the Tate Center here, and you could see with accuracy tweets or social media that's been coming out of this building with timestamps, etc. You could actually target one person, you can target one area, and you can use this. And again, this is Echosec, so this is just the tip of the iceberg. People are using this. And how many people here do anything with the military? Anyone here have security clearances? Are you allowed to tweet pictures of your base? Can you do that? Does anyone here have an SCI clearance? Okay, are you allowed to tweet pictures of what you're working on, or your base, or things like that out to social media? No. But use this and you'll find out that people are. So Carl actually works with different military bases, so we have people who are violating security clearances. Not to say you are violating security clearances, but put this over Fort Jackson, put this over Shaw, put this over SPAWAR, put this anywhere you want, and you're going to find violations. You're going to find stuff that might even be classified that's getting posted out there. So we're not talking about just one specific attack vector; we're not talking about, you know, stalking somebody; we're talking about something much more serious. There could definitely be more consequences. And again, I apologize for the speed of the internet, but as you can see there's plenty of Charleston pictures and posts and timestamps and people's names, and you can follow these people; you know who they are, where they are, when they're posting. And again, don't look at the whole peninsula; you can put this down to your neighborhood. When you get home, try it on your neighborhood. It's a paid service for 120 APIs; this is a free service for five, and this is something that's just been developed. Again, this is Carl and James who just developed this, and I'd love to tie it in to some geolocation for public IP blocks and some other locations. Not my product; this is free. I work with these guys through some collaboration and doing some other things on the web app side of things, but that's pretty much where we started. So my talk yesterday, I actually ended up changing it, so today this is where I was going to stop and maybe discuss a little bit here. But there's a gentleman who I think is doing some things, and I know I'm running real short on time here, so I'm going to fly through the next couple of slides, and I apologize.
Yeah, I have plenty; I have so much stuff here. So, all right, if anyone here is familiar with any work that Texas Tech does in their cyber security programs, probably similar to a lot of other cyber security programs, well, there's a student there named Jordan Wright. I don't know if anyone's ever looked at any of Jordan Wright's stuff on GitHub or anything like that. So Jordan, his focus is OSINT, right, open source intelligence using APIs. I've followed a few of these blogs before, and I recently ended up having a conversation with him on something that he reverse engineered, a public plugin for Chrome. Has anyone ever heard of Rapportive? It's a plugin for Gmail, for Chrome. All right, so he reverse engineered that and basically was able to get whatever he wanted out of it, and I'll show you.

So this goes beyond just the map and geolocation. Right, here's Jordan, and, you know, we're at BSides, so let's bring a little bit of Python code into it, right? That's pretty much what we do. I'll bring up his pages real quick, and luckily they're already loaded so we don't have to wait for an internet connection.

So Jordan goes a step further. Right, he says, okay, we're not going into the mapping; the mapping part of my talk I'll come back to, but for right now he's using these APIs, and this is RaiderSec, if anyone has a chance to take a look at it later. He's saying, I have all these publicly available APIs; what can I do with that? Right, so that's exactly how Carl and James get their information: from public APIs. So this is taking a look at these public APIs and manipulating the requests and saying, you know, what can I do? I can attack your whole company, pulling social media information right from the APIs. I can scrape every email address, every employee, everybody's LinkedIn profile, and I can put all of this information into recon. And again, that's just step one of anybody's pentest. So I'll send out these links later if anyone wants to read them, but this is a little bit of what he's doing. I want to skip ahead again, and this is where he reverse engineered Rapportive. If you're familiar with what Rapportive does, you could basically take Rapportive, reverse engineered here using public code that Jordan wrote, and you could basically have a social engineering attack put together. Okay, he can automatically log in, grab credentials, take any information he needs using Python that he's posted, okay, to go through Google's OpenID, right, and put this information out there as well. Now, if we take what Jordan's doing with Rapportive and RaiderSec, take what Andrew talked about earlier, take what these guys are doing with Echosec and these APIs, it all comes back to one thing, right? Evan mentioned this earlier with Google, using Splunk and using some other things: there's so many different ways that we could use the
data in these APIs for attacks. They're all different kinds of attacks: anything from military attacks to petty crime to stalking, etc. Right, it's all that way. But one thing that I want to bring up from my conversations with James and Carl is that it's not all negative, so there's a lot of positive that can come from this as well, right? And it's not just marketing. If we look at all the bad that can come, right, so all this information being out there and available with your location all the time: you're going to get caught calling out sick, yes. You're going to get caught doing what you're not supposed to be doing. You're going to get caught for fraud if you ever commit it. So you can use this for social engineering, hacking, mugging, kidnapping, stalking, identity theft, fraud, robbery, murder, rape, marketing, whatever. This is the bad, right? These are the terrible things that you can do with this information, some of it. But it's not all bad, because the good things that come out of this are military uses, security clearance checks, anti-gang, DEA, solving crimes.

Now what about this, okay? So we recently had an instance at LAX. Everyone familiar with what happened at LAX the other day? Yeah. So immediately, using that Echosec program, they put out a tweet and said, click this link, on their Twitter, on Echosec's Twitter: click this link. You click the link and it goes directly to every social media feed, and they opened up their paid APIs for this link, and they gave you a real-time analysis of every single thing that was happening at LAX from everybody who was in there who was tweeting, texting, doing any kind of picture where there's a public API available. So you had a real-life scenario; you had investigations; you had people, you had law enforcement, you had FBI, etc., looking at this publicly available information. I want to see something that happened 5 miles away from LAX 15 minutes before: where was this guy? Well, let's see who was in the area. A friend, a daughter, a wife, somebody you know gets mugged, someone you know gets assaulted somewhere, gets in a fight somewhere, car broken into, etc. You're looking for witnesses. This is an incredible tool to use. So I think everybody knows all the bad things that they can do, but there are some great tools and things that we can use this for positively. Wouldn't you want to know if your husband, wife, brother, sister, daughter was hurt and there was someone in the area that was tweeting about "just stubbed my toe today and my boots look great" but just happened to be in that area 5 minutes before it happened, or a minute before it happened, and may have caught something in the photo, or may have seen someone walk by them, or been a witness to it?

Audience question: "So what's the timeline on it? How do you go back in time?"

Yeah, so on the paid versions you have specified time windows, and you can have different kinds of windows, as far as, okay, I'll archive this for 15 minutes, I'll archive it for 30 days. Obviously it depends on the size of the area you pick, right? There's only so much data on the free stuff; that stuff cycles fairly quickly. If you select an area like Charleston, I've seen, you know, a week, two weeks, you can even get a month, maybe even more than a month go by with certain stuff that's still out there. If you select a large area, obviously, the free stuff, they're not going to let you just... From the perspective of an investigator working a case, I'm not positive on that, but what I've been told from Carl is they do archive. So just like anything else, the archive formats and information: for LAX they're actually, I don't know for a fact, but I think they're working with law enforcement for LAX, and basically really looking at stuff from prior, not really what went down
there. There's enough cameras and witnesses; it was things that happened before that. So to sum this up in my last two minutes here: what does this all mean? In my opinion, privacy, in any definition, is going to remain a battleground. It's going to be privacy good and privacy bad, right? A double-edged sword no matter how you look at it. I like my privacy, but it's going to get harder as we go on. Our jobs, pentests, etc., will get a boost; you get a little bit of help in phase one. You're definitely going to, you know, if you want to wage cyber bad stuff on a particular area, you're going to have a lot more information to go on. You can use what I talked about in combination with what you talked about; put it all together. If we can somehow get everybody working together, you know, there's a lot of different possibilities here. Obviously increased opportunities for crime and crime fighting. Huge opportunity for OSINT via APIs; in my opinion that is a huge way to go as far as expanding at this point. Opportunities for awareness and education: children, students, etc. We have to continue to educate them on this, on privacy. We have to go back to Chad's garage and say, you went down the street and threw all your stuff in someone's room and you're pissed off because it's gone, or because they took ownership of it. So a lot of opportunity for awareness and education. Social media is probably not going anywhere; I don't think it's going anywhere. I personally have mixed feelings about it, but it exists out there; it's a way to communicate. And I'm sure there's a lot of things that I'm missing, so I'll be more than happy, and I'll be at the Qualys table, to talk or discuss anything, and I'm going to sit through most of the rest of the talks for today. And the last slide here is a couple of good Dilberts for the questions. You can read these; I hope you can read them from where you are, but, you know, a little bit of entertainment for you as I finish up. And then finally, if anyone gets to read my three Dilberts up here, this is my contact information. I'm on Twitter, IRC, mostly Freenode channels, etc. A couple of my handles are on there. I'm in the area; I'm local, from South Carolina, so feel free to reach out, call, contact, email, etc. Yes, I'm putting this out on the internet over a live stream; it is what it is. Yeah, so we'll conclude with that, and if anyone has any other questions, please let me know.