
I Know What You Did Last Summer

[Host:] I'll let you take it away.

Cool, good afternoon. I'm going to show my age here, and I'm not used to bending this far down since I used to climb under desks. Thankfully I'm no longer in IT support, because I'd look a lot more stressed with today's news, which I'm sure everyone has heard. Today's talk is "I Know What You Did Last Summer". It's more of a thought-provoking talk than a technical talk, because we're going to talk about a load of things about OSINT, and of course there are lots of tools out there to find the information I'm going to show you, and they change on the daily, they give false positives and so forth, so it's more about thinking what information is out there about us. So of course I'm S McDonald, I'm a pentester at PTP, I've been there the last 18 or so months. BSides Basingstoke was my first BSides last year, so it's great to be here a year on giving a talk.

So the first thing we're going to talk about is OSINT. OSINT is open source intelligence, so basically it's everything that's just openly available; we're not paying subscriptions to get information that might be private. If you've not heard of OSINT before, it's anything we can use from what we put on social media, what's in news articles, blogs, anything that's just open on, you know, the worldwide web. So what we're going to talk about at this moment is what we can find out about myself. Once again I'm not going to go through the tools, so we're going to kind of skip that and just go through me as a person and what we can find about myself if you guys were to go online. Some stuff will have been removed, so if you go out there and find me you won't find it; other stuff I don't think I've got round to removing yet, which I think my other half might get upset about, so please don't find out who she is. So, okay, picked the wrong... yeah, so it says LinkedIn; I clearly picked the wrong colour text for that screen.

So we're talking about LinkedIn. LinkedIn is a treasure trove of information about a person. It's an online CV platform, which no one's ever used before; basically it's just a digital version of our CV, so about us, you know, work experience and so forth. People put their own opinions and posts, so it's a cross between a digital CV and any other social media platform like Instagram, Twitter, X, whatever you like to call it these days. So if we were going to do a case study on myself, finding myself is quite easy: S McDonald, you already know what I look like, or if you don't know what I look like you might have an idea of what company I work at, which of course comes across: Pen Test Partners. So starting from that small bit of information you've been given as a target, we can then start looking at past experience. So we know where you are; that's maybe not a particularly big deal, but let's see where you've been. So before I worked in cyber security I was an IT contractor working in support; as I said before, I'm glad I no longer do that, today. So of course we've got some information there that I blacked out, but I'm sure if you go online I think I've still got it up there, because I'm really bad at my own operational security.

In addition to people putting up their experiences, they put up a lot of certifications that they may have. So I'm a CSTM, which is a Cyber Scheme Team Member, which means I've got SC clearance, which just allows me to do basic work with certain government departments, whether that's the local council or other departments such as the DV... sorry, yep, DVLA; I speak a lot of Americanisms, so I want to make sure I've got the right department, and so forth. So that's quite an interesting piece of information which we'll tie up later on. Then often people, because I'm of a certain age, we're talking about my education from '97 to '04, I have to look because I can't remember; I'm an individual that has to think twice about how old I am. I like this guy: 40 next year. And then of course some people put up their contact information. Some people willingly put up their email address, their mobile telephone number; thankfully I just put up a blog and an email address, but just by looking at my LinkedIn profile you can pretty much get a very good picture of who I am and a lot of contact details.

This is where we now laterally move to our next source, which is Companies House. As I said, from my LinkedIn you could see that I was a contractor, which means I had a limited company. Now people don't think much about Companies House; they don't understand what wealth of information it carries about themselves. I've seen a few nodding heads, I guess there's a few contractors or small business owners and a few SMEs. So Companies House is a register of all limited companies within the UK; some internationals have to register as a limited company in the UK too. But on here we find a few bits of information, so whether it's who's also a director, move on from that, but more importantly it's a home address. So when I started this company, when I first got into contracting, I didn't particularly think much of operational security. Why did I care? I'm living at home with my parents, I just need to register a limited company just so I can, you know, pay those dreaded taxes. But the problem is, as people progress their limited company, then they start to think maybe I shouldn't have my home address sitting on there, maybe I should, you know, register a forwarding company, a company that are, you know, taking your mail, answering some phone calls, and they change it, thinking that's it, I'm operationally secure, no one knows where I live. However, [inaudible], everything is tracked; there will be a log that will say the change of address, or if you go to any of my statements or filings you will see the home address of when that filing was made, which also gives a clue, if you're looking at an individual, of how much money I'm making, how much debt I may be in, who creditors might be. And then also on Companies House, although they don't put the full date of birth, they will have a month and a year. Looking into a colleague of mine, doing a bit of OSINT on him, being American they did get the dates the wrong way around and I managed to get his full DOB. This is very interesting on a person. I do have people that, you know,
will always go "I earn X amount" and "I earn this" and "I earn that", and I go straight on there and it's like, no they don't, you know, and that's before we get into their CCJs, but that's a conversation offline.

So next we're going to move into social media. Now I'm 38, I grew up in an age where, you know, you understand what you put out there stays forever. We see a lot of things with celebrities, you know, with the past catching up with them now, something that they said a few years ago. But even still we throw information out there without really taking a second thought of: do I really need to put that up there? Do I really need to put up that I'm here at BSides Basingstoke? I did on my stories, but I didn't throw in that I'd had a drink here at lunchtime, because I was like, well, that's probably not the best thing for the office to see. That's why they understand this, they're right. So look at this; that's more than just a drink. Well, you know, I like the hard stuff, especially if it's Japanese. So here's just a random bottle of, you know, Nikka From the Barrel, great whisky; if you're into whisky, Japanese whisky is awesome. There will be a couple of pictures of that and you think, okay, well, it's just, you know, just the standard Nikka From the Barrel. Then of course I had friends living out in Dubai, so I spent a lot of my off time out there. Once again you're like, they're just holiday pictures, so you know, I think I'm out there every couple of months spending a bit of time hanging out, not particularly a big deal to share with everybody. Moving on, and then going back to the Americanisms, I know there's a gentleman here, I'm not too sure whereabouts he's from, but I'm a big Boston Red Sox fan, have been for a while, watching on the 14-inch CRT, didn't have a clue where the ball was because it's so tiny. But once again these are all things that we just share on our social media, not giving, you know, two thoughts about what we share and how that may impact us.

Now we'll move on to fitness tracking apps. Now as time's gone on we're all getting more and more, you know, we're focusing more and more on our physical health as well as our mental health. You get to an age like, okay, maybe I should track this, make sure that I'm hitting my targets. So there are a number of different apps: you know, there's hiking apps, which I started to use and clearly haven't in the last year, please don't judge; running apps; things that track our food intake. Once again we're kind of just uploading this information, like it's always there for myself, get a like here and there from some random person in Wales that goes "yeah cool, good run", not really thinking about why we're throwing it up there, do I need to throw that up there. So this was '23, that shows you how bad it is, it's a year ago, a nice little 6K, now I'm just showing off. But now I do more than a... walking, another run, and a... more. Okay, cool, this guy likes to run, pretty cool, does the same route generally at the same time, so that's cool. Then we start thinking: where else can we look and find out more about myself?

So if I get the colloquial terms wrong for these particular dating apps, just excuse me, but I'd like to just say these are the conventional dating apps which we've used, single or not, in the last 10 years: Tinder, Hinge, Bumble, the list goes on, I'm sure there's five more in the last month that I've not heard of, that I'm not allowed to go on. But once again we put up a lot of information about ourselves because we want people to like us, we want people to hit the like button, we want to show off, they want to be like, you know, I like drinking at the company bar overlooking London Bridge, how cool is that, oh he's really interesting, gives a talk at BSides, oh he sounds cool; more alcohol; I was a teacher, so it makes sense; talking about the sort of ladies that I'm particularly into, of course I want people to know this is my sort of target audience, and then of course, you know, I'm so funny, I tell dad jokes, as I'm nearly 40 with no children; and of course more alcohol, that time in Prague, so you know I do get about, I'm, you know, very cultured. Once again just general sort of information, you know, it's not important.

So I've used the term alternative dating apps. Some people understand which ones these are, I won't name them, but I think most people will know what they are. So these are, I think the most vanilla term to use would be the more spicy apps. So I assume most people, in terms of Grindr, so this is more for, you know, a wider accepting community of what you're into. So this is one about myself, a little bit of the spicy things that I might be into, something that I'm not particularly going to share on Hinge where, you know, maybe a colleague or a boss or, you know, a relative that recently got divorced after 40 years might see it; you share more spicy images, things that you think, why, it's irrelevant, the only people that are going to see this are like-minded people, there's no judgement, why does it matter what I share. And then this is... I'm not a unicorn at all, but this is another online dating app where we share more spicy images; this one you've got groups that you can join too, or, you know, well, it's my niece's little unicorn and I'm just a [inaudible]. Ironically I actually did put that on the profile; this isn't for the actual website, I did put that on the profile, which I do need to take down sometime this weekend. But more spicy content, more local websites, local community groups, a bit like BSides Basingstoke: I can find something that I'm into in my local area, you know, I want to attract people that are local to me, they can find me, I want that information out there, no one outside that community is going to see it.

So we've kind of talked about what
information is out there that you can openly find about myself. Now that information wasn't bad, you know, only the people that I want to share that with are going to see it, you know, it's harmless, it's, you know, dating apps, my LinkedIn, a bit of social media, maybe a bit of spicy dating profiles; once again only the people I want to see that are going to see that. How can that be used against me? Well, we've all heard of account takeovers: you know, you go in, someone resets your password, they've got your email, it's easy. It makes it a bit harder if they get asked questions about you. Then look at the sort of questions that they ask. What secondary school did you attend? All right, I'm not going to do a pop quiz; it was there in my LinkedIn, well, that's easy enough. What was your favourite drink? I think it's Nikka From the Barrel; there were several shots and I [inaudible], a bit more cultured. What was your favourite sport? Well, [inaudible], I mean I've got the jersey and everything. What's your favourite holiday destination? I think, the fact that even my own family members didn't realise I still lived in the UK, I think we could answer that. What was the make of your first car? Well of course I didn't go into those pictures, but if you go on my Facebook you can go back far enough, we're of a certain age, well, you will find such pictures. What was the name of your best friend? Once again, going through, trawling through someone's social media posts, if you're of a certain age you're going to get that information. What's the name of your favourite pet? And the last one, what's your mother's maiden name? Well, I still don't know why that's a security question these days anyway.

Now you might think, what's the chances of someone actually doing an account takeover on myself? I'm nobody. Ironically a good few months ago, just before I wrote this talk, I was lying in bed at 2:00 in the morning, then my phone woke me up. I looked and I was getting an alert from Apple: I was being hacked, like, who wants to get into my iCloud account, I've not used that iCloud account in ages. Ironically it turned out to be my parents, 'cause who knows you better than your parents? I can't remember who my friend was in school, I go ask my mum and she goes "well, you know, [inaudible], you'd still go to Rory's house all the time". It was my parents, and I'd totally forgotten that I'd installed WhatsApp for her before she had an email address; it was tied to the account, and if she didn't get logged in and updated she was going to lose all her messages, and that's where she does all her business, on WhatsApp. But that's quite easy for them, they remember those things; but people outside, if they're truly targeting you, all these things can just be looked up on your social media.

Identity fraud. I have a really big set of snaps here because I'm really bad with numbers, but basically in a review there were two projects conducted with 2,300 smartphone owners aged 18 plus in the UK, France and Germany in a week in January 2022, and these were the findings that they found. 44% of people had their bank account accessed and money taken. Wait, we're just looking at all the information: they've got my home address, they already know my mother's maiden name, that's quite easy for anyone to find, the mobile number, email address; it's, you know, this information is what all these questions that the banks will use. 28% had their credit card and bank account stolen and used; once again, all the information we've happily put out there. 23% had their name used to open new credit card and bank accounts. My mum was a victim of this herself, Santander; it took over a year to get the account closed. The only reason she knew it had happened is because they'd sent a statement through to the house, and even though she could prove who she was, Santander was still like "well, I'm sorry, you need to prove who you are before we can close the account down". "Like, but these are the details." "Yeah, but that doesn't match the thing." "But you sent me the statements." "Well, I'm sorry, we'll get back to you." Just, yeah. 19% had a new utility account opened in their name, only 5% had their mobile phone number stolen and cloned, and 4% had a new loan taken out in their name. So quite big numbers from a pool of only 2,300 individuals in the space of a week.

Now, nation state targeting. I doubt anyone particularly in this room, maybe one individual, will... you know, name nameless. So there was intelligence staff putting sensitive information on LinkedIn. So this goes back to where we talked about my LinkedIn profile saying I'm a CSTM, which means I get to work on SC clearance jobs. So if you're targeting the UK, well, the first thing you want to do is target those that can have sensitive information, whether it's particularly on their work laptop, because those are the jobs that they want to target. So someone like myself, don't worry, I'm good on the security front, but if they wanted to target someone that works on government projects I would be a prime suspect: he's got SC clearance, we know he's going to be working with the government, maybe local councils, maybe the health services like the NHS, here's a prime target, we just openly put that up on LinkedIn, you know, as a badge of honour. I'm sitting there thinking, well, you know, maybe when it's time to move to another job someone will give me the poke and go "hey, are you looking for a new job?" I'm not sitting there thinking about my operational security. I very much doubt I'm going to get targeted by said nation state, but it's something you need to sit there and think about: do I really need to put that up there? Is it just going to be assumed, if I'm a pentester, that I've likely got that clearance?

Romance scams. Well, if it's too good to be true, it probably is.
So these stats are from Action Fraud, working on behalf of the police. So when I wrote these slides the police never had their own independent stats; this was a third party body that was reaching out via the Freedom of Information Act to get some more information. And of course, as with anything in the UK, the dates are always a few years in the past, so I've cherry-picked '22. But in '22 there were near on 8,000 reported romance scams. So a romance scam is when you get reached out to on... it'll be a stretch if it's LinkedIn, but they're really going to target you on dating apps. They're going to see you on a dating app and go, okay, that person looks, you know, wealthy, or I can see what their job title is, probably got access to cash, do you know, like maybe they're C-suite level, like a CFO or a CEO, and go: this is the person we want to target. What is this person interested in? I need to create a profile that matches their requirements. So I'm into short, petite and blonde, so I'm going to create a profile of a short, petite and blonde individual, knowing that if I like this individual I've got a higher chance of getting a like back. And then they go with the social engineering and reeling that person in. On average victims lost £11,000, so they're clearly not targeting, you know, the average person; they're targeting people... I mean, I don't think many people in this room probably have £1,000 cash sitting around, let alone willingly share that around, so they're clearly targeting people that they believe have access to such funds and are not going to think twice about sending it on to someone else. This was the interesting stat from this census: nearly a fifth of dating scams were reported by people aged 20 to 29. Quite confused; I never had that much disposable income between those ages, and now near twice that age I still don't have that disposable cash, and that was then followed by near on 20% in their 50s and a bit shorter in their 40s. Not too sure why those particular age ranges for the targets. With the older gaps you kind of understand; as you get older, as I did myself, you want more love and affection, you're thinking about settling down, you become more vulnerable to such scams. The younger generation, I'd be curious to speak to anyone in that age bracket and quite get why that potentially may be that high.

Sextortion. So sextortion, an interesting one. So sextortion occurs when intimate images or videos are captured during an online sexual exchange; the victim is subsequently blackmailed with threats to share them, often with friends and family. So when I initially wrote these slides there wasn't much information out there; it was a struggle to even get an actual definition, let alone statistics, but over the last couple of weeks there's been more and more of this coming out. I'm of the age when the webcam was invented; I'm also of an age where I was foolish and shared images with people that probably I shouldn't have, and this leads into the next stat. So the UK's Revenge Porn Helpline revealed it received 1,100 reports of sextortion in 2021, which compares to near on 600 in 2020; nearly 9 in 10 cases involved a male victim. So we can talk offline about why that male is... that's probably because we're idiots, pure and simple, we're just idiots, we will share images of ourselves without giving a second thought. And I will say straight up, so I don't have to answer it later: never share an image that hasn't been requested with another individual; it's against the law and it's just really bad form.

So basically sextortion is basically me sharing these images with other people, whether willingly or unwillingly, and that person turns around and goes "I want some money please, I know where you work, I know where you live, I found your mum on Facebook, found your dad on a [inaudible] site, I'm going to share that with that person", and they keep doing it, and with anything on blackmail there's never just one time. So this is a disgusting crime, as well as sharing images with someone that hasn't requested them; whoever is a victim, please call the local authorities.

Cyber stalking. So cyber stalking is a really grey area, I think still in the UK it's not properly defined in terms of what is cyber stalking, and why the victim numbers are quite low is it doesn't get reported. But it's effectively online harassment, you know, checking out your social media posts, LinkedIn profile, making comments, contacting your new workplace because you've had an issue with a past friend or, you know, a partner, and it's basically just harassment moved to your online form, but it isn't particularly recognised properly as a law, as a crime, and it's much harder to prove, especially with things like sock accounts and basically just fake personas. And this is just some more stats on that. But if I have, you know, a disagreement with a friend, with all the information I put
out, you know, cyber stalking is a risk to myself, but personally for me it's low. But if you've had this big disagreement with a friend or an ex-partner, these are the sort of issues that people are now incurring. Once again, it is a crime; seek your local authorities and the special help groups.

The last one, in terms of what information we've gained about myself, is physical attacks. Now people that don't like me, they meet me out in the yard; they've already said that they don't like me and that's fine. I very much doubt they're going to physically attack me because I'll have to see [inaudible] on Monday. But this goes mainly back to this first publication, which is my Strava, which is me showing my physical activity, which was doing all my runs. So, you know, politics aside, a Russian commander was possibly stalked for his Strava run and shot dead a couple of years ago. So basically what it was: he'd done the same route, the same time, the same length, the same way that I do, without a second thought, and that's how they targeted him. There is an interesting one on Strava, I think it was Strava: there was a secret military base, a US military base, in another country, and someone was checking out the Strava heat maps, which showed lots of activity going on. Why is there so much activity in this, like, square, almost rectangle shape in the middle of a desert? But it turned out it was a secret, yeah, military base, and that's how they found that base. All on that one, if you want to look it up. There was another one, and it was using the hiking app, I think it's Trails, which I also did use for a bit, and it was someone high up in the US government agencies who was also logging everything, all these hikes, but of course without going with their security detail. And then the last one, this is quite an interesting video; I don't know if anyone's heard of The Cyber Mentor, TCM, but he talks about a rap / R&B star called Pop Smoke. I'd personally never heard of him, and I'm into R&B, but he was killed in an Airbnb that he had rented out, and The Cyber Mentor goes through the video of all the OSINT that the attackers used to locate him: going through his Instagram posts, and then they were using geo from the Instagram posts to work out, they knew what city he was in, and then they were looking at the pictures of the place that he'd hired out, then went to Realtor, which is a US version of our Rightmove, and then worked out where he was staying. And then of course, just to confirm things, being a star he got sent a load of freebies and he took a picture, uploaded it on his Instagram, with his address on the label. So, great video if you're interested in all the different OSINT skills, and the details of how that led to his murder.

So of course those are all the threat scenarios that come from OSINT and looking at a particular individual. I mean, everybody has different risk tolerance and risk appetite, which I think this morning's talk discussed. I think most individuals, I don't know you personally, most of these threat scenarios are not going to happen. I don't think any of us are going to be targeted by, you know, APTs, or sextortion scams if you take my advice. Account takeovers, probably at best, but I'd always look to a relative that knows you best. So the main focus of the talk is just sit back and go: do I need to put the information out there that I do? Do I need to put it out there when I do it? So if I'm here, do I need to put it up now? Do I wait a day and go, oh, I was at BSides? Or if I'm on holiday, do I need to let everybody know, oh by the way, I'm on holiday and my house is unattended? No. We see it constantly throughout the UK with football stars being targeted while they're on international duty, because everybody knows that the whole family is in Germany at the Euro 24s.

Then also we've got to sit there and think about what settings we can apply to our profiles. So Strava, after a lot of uproar and the articles they discussed, implemented a feature which would black out the first, I think it was 100 metres, and the last 100 metres of your run, which particularly isn't that much, because if you run in a straight line you pretty much know what road you're on, really. [Audience comment.] Oh, awesome, yeah, when they introduced it, it was a very short period of time, you had to opt in, yeah, and there was a triangulation... oh wow, there's almost a case in point on that: there was a bug found in one of the dating apps, Bumble, where you could triangulate an individual, so, really good. But that's the thing, it's like, look into the privacy settings: do I need to share my Strava profile with anyone? No. So as much as the 100 metre cut-out now is beneficial, I don't really need to share it with anyone, it's only there for myself. But of course it falls down to that, you know, social media of like, like, like, and of course only having like five friends with one like, I don't really feel that motivated. And that's the thing, there's so much information we put out, do we need to? The other thing is, what's going wrong with people who [inaudible]... I don't know how many times I've been asked for my date of birth; in this country we only have one person [inaudible], everything else, it's just criminal that people consider taking. You've got to remember, if you're not paying for the product, you are the product. Back to the work of [inaudible], I'd encourage you all to look at [inaudible].

So that's the talk. As I said, it's not really a technical talk; I just hope you walk away and go, do I really need to put that on there? You're not going to get targeted, but there'll be other things you'd be sitting there and go, maybe I should have a second thought about my dating profiles, maybe I shouldn't, you know, register a limited company at my home address. I mean, if you're going to send free pizzas to my parents: pepperoni, no vegetable stuff, definitely no pineapple. That's the talk.