
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers. He told me that I could be introduced any way I want to, and he stuck to it, so I appreciate that. First, I'd like to thank everyone for coming out. I know there's a lot of great tracks, and I appreciate you spending time with me today to talk about this very important topic. There's a lot to cover, so I am going to talk fairly quickly, because I want to talk about a lot of different things. It's going to be recorded; you could play it back at half-speed and
kind of make sense of it. Before we get started, I do want to give a trigger warning: I will be talking about domestic violence and abuse. There will be no triggering images, as best as I could, and I'll be steering away from very particular specifics, but of course it is a difficult topic to talk about, but also an important topic to talk about. So this is me. I need to update my picture, I know that, but it's the last picture that I really liked. I'm Chris Cox. I'm the executive director of Operation Safe Escape, also formerly the founder of Operations Security Professionals Association. In the past I've been a cybersecurity instructor for DoD, the chief information officer of the
Department of the Army National Training Center at Fort Irwin, and of course today I do the pro bono work with Operation Safe Escape. And I'm gonna make sure, I want to make sure, very, very... I want to make sure this is a name, this is a face that you remember, because here, for the first time ever, in front of this BSides audience, I'm going to do an amazing feat. I'm going to blow your minds. I'm going to do, not a trick, but something that's never quite been done before. But I do need an audience... a volunteer to do that. First hand to come up. Come on up. You don't even know
what it is; it could be a really bad thing. Oh, okay, I appreciate that. Can you confirm that we have never met before, that you remember? Well, it's good to meet you. My name's Chris. You're Aaron? Good to meet you, Aaron. I'm sorry I don't have a microphone for you, so you can just talk, like, towards my chest and it'll pick you up. So, okay. So Aaron, can you confirm that you have a personal email address? A Gmail, Hotmail, CompuServe, AOL, I think it's the four that really exist. Yes, you do? Okay. So what I'm gonna do is that I'm going to successfully guess in three tries, and you have to keep me straight because I lie, so three tries, both your
username and your password. It sounds pretty, pretty far-fetched, but that's what I'm going to do. I'm so confident, I'm confident to the point of arrogance, that if I can pull this off you will win my personal Raspberry Pi 4. Yes, which I... if I can pull it off you get it. No, wait. Okay, hold on, I think I walked in this line here. There you go: if I could not pull it off, you get this. If I can pull it off and successfully determine username, password, we cancel the rest of the talk and just go through your personal email. See you next hour. Okay, I like her. Okay, so three tries, keep me straight. Try the first: give me your
username, password. Okay, she said no, but that was my first try, so I still get two more, and that's fine, because I'm about to bring out the big guns here. These ones never fail. Give me your username and password, please. Okay, I did say please, you all heard that, right? Okay, she's not playing along, but I do get two more tries... one more try. Okay, one more try. That's fine, I can do it. Give me your username, password, please, with the cherry on top. I like sprinkles. Now, okay, thank you so much, thank you. Well, I guess I lost the Raspberry Pi. That's really embarrassing. I thought it would work, but now that I'm
thinking about it, maybe I'm not surprised, because she actually had no reason to give me her username, password. I had no leverage over her. Obviously she wasn't intimidated by me. I didn't know anything about her. So I guess I really couldn't have expected it to be quite that easy. But what we're gonna talk about today is cases, instances where it may be, where that may be enough in order to successfully compromise someone's system, and in fact their life. So I'm going to explain the title just a little bit. So what is an APT? When you think about an APT, we're talking about an unauthorized user group, we're talking about someone that gains access to protected resources,
gets in there for an extended period of time, and generally remains undetected until they're detected. So, advanced persistent threat. So when we think about that, we're normally talking about, at least in the realm that we talk about, we're talking about state actors. We're talking about groups in North Korea, China, India; we're talking about Russian groups and things like that. We're talking about these state actors that have these incredible resources, that have money, that have time, that have things that probably none of us in this room have, but they're able to effect these great feats of technical strength because of the access that they have. But I would counter and say that those APTs are less of a threat to
me, less of a threat to the individual, than a personal advanced persistent threat, than an individual that has some sort of personal motivation, that has a desire, that has the time, that has nothing else to do except to compromise someone's system or someone's life. So I would argue to say that, we talk about, a lot of us do this professionally, work for corporations, work for government, whatever it may be, and so we know what a security program looks like. So we compared it, we talked about who would win between this well-funded, comprehensive security plan, with encryption, with technology, with a lot of money, with some equipment and everything else, and you put all that, you
compare that against Stephen Leaney, who walks in with that totally real work order and just gets in, right in your data center. Because of course there's the person element. When you take away all of the equipment and everything else, the ones and the zeros, the things that blink and loop and everything else, it's harder to protect people; it's harder to protect against real people. So we compare against what protects our data. So in the sense of our companies, when it comes to our personal lives and it comes to the things that we're trying to protect, our information, just throw some things out for me: what can we use to protect our information systems? Oh,
nobody knows? This is the one group... What are some things that we can use at our companies or personal lives? What protects our data, our information? Encryption. What's that? HSM, yeah. Two-factor. Training, right. We have a lot of things. A look again... silence, yes, shutting up, right, that works. I agree, big fan. I don't do it very often, but I agree. There's a lot of things. These are, now to be fair, I had more time to think about it: we have certain constitutional rights to protect our data, the Fourth Amendment, the Fifth Amendment [ __ ] ssin, we have passwords, we have physical locks, we have strong men with guns, and signs, and access lists and everything else. We
have laws, we have biometrics, we have all of these things that we can rely on when we go to work or when we lock up our computer or whatever else the case may be, that will protect our data, our resources. Those lights are very bright; I've got to stop looking at them. When we're talking about what actually protects vulnerable populations, specific to this conversation, victims of intimate partner violence or domestic violence, they have less, because their threat is closer. So we're talking about the apathy of the abuser: we have to consider how closely is the abuser actually looking? Do they have reason, they believe, to start looking at access logs, at phone records, things like that? The cleverness of their
defenses: we're not talking about strength of the defenses, that goes out the window. We're not really concerned... we're talking about when the threat is in your home and shares a computer and shares a bed. We're not really worried about encryption strength; there's not much of a difference between 1024 and 2048, whatever else the case may be, when you're trying to protect data where the adversary's very, very close to home. So we're talking about cleverness of defenses, hiding information, not necessarily protecting against brute force, at least in the technical sense. And the reliability of those around them: at some point, when someone is trying to escape a domestic abuse situation or a violent situation, they have to trust
other people. They have to trust law enforcement; they have to trust the family friend that can take them in. If those people also don't know, no matter how many precautions the individual themselves has taken, if those other people don't know what they need to protect, if they don't have that same mindset, they can end up inadvertently helping the adversary. And we've seen that before; we've seen that happen through our organization. So a few key facts, a few things that I consider to be axiomatic, that the rest of this presentation really is built upon. Number one, that security generally relies on both secrecy and access to establish permission. That is, that in order to
establish permission to a resource, to a system, to information, you have to have both of those things: you have to be able to keep a secret, and you have to have access to implement that secret. So a password, for example: you have to be able to keep that password to yourself, and you have to be able to actually put it on the system in a way that it can't be overcome. You need both of those things in order to establish permission to a resource. But then both of those things, secrecy and access, can be overcome by proximity. The closer the attacker, the adversary, whoever that may be, to the target, to the data, whatever it is, the
harder it is to maintain secrecy, the harder it is to maintain access to those resources as well. A dedicated persistent threat is more likely to succeed than a random attack. I think we all see this all the time: a dedicated attacker is far more dangerous than a random script kiddie just trying to throw at it whatever they can find. When someone actually wants your information, when someone actually wants something from you, they're more likely to succeed, because they're going to expend more time, more resources, take additional risks that a random attacker wouldn't necessarily take. You see this a lot with physical security. So if you were to go on YouTube and you were to look up home
security tips and things like that, it's generally by some police department that says, here's how you protect your home: you put these lights on, you put one of those alarm stickers on your window, 'cause those are as effective as actual alarms, really, bars, you know, things like that, take that key out from under the mat. Like, all these common-sense measures that are designed to make you a harder target, and that's where the information is really geared towards, because that's the way that in the security community as a whole we tend to think. Whether it's physical security, information security, we say, let's make ourselves a hard target so that the bad guy will go to the neighbor,
and that's fine, because I don't like the neighbor as much as I like me. So we try to get them over to someone else; we try to make ourselves a harder target. But that falls apart, and what we're failing as a whole to address is what happens when the adversary, the burglar, maybe doesn't care about the alarm system, because they know they have three to five minutes at best before the police show up, and their plans are going to be completed within those three to five minutes. They don't care, so they're far more dangerous at that point. And what is known can be discovered. There's a lot of ways you could discover
something that's known. We see this in the news all the time. If you know a password, there's certain ways that that can be gained from you. That can be gained via force: you can be compelled to give it up, you can be threatened, you can be coerced, you can be tricked, whatever else the case may be. The adversary can look under your keyboard; they can find where it is. There's a lot of, like mine, there's a legend... I'm kidding. There's a lot of different ways that what you know can be overcome because of that proximity. So I just wanna talk about the scope of the problem for a minute, because everything else needs it. I
need to impress upon you this is an actual problem that we need to address. We're talking about six million men and women impacted by intimate partner violence annually. That's one in seven men, that's one in four women. A lot of times we don't talk about just how pervasive that problem is. There's able to work for where they were considered to be a large organization, in several individuals; maybe there's some people work for government, maybe some people live in a community, whatever the case may be, you live around other people. So the reality is, a lot of the people that depend on you for security information, advice, the apps you develop, the security solutions you put in place,
the guidance you put in place, whatever it is that you do where other people depend on it, statistically speaking, you get enough people together and some of them have this unique threat model that we're not as a whole prepared to address, or not properly. So we have to consider those as we develop our solutions. One in six women, one in nineteen men have experienced what would be called extreme stalking in their lifetime. So that's where you really start talking about privacy, hiding information, OPSEC and OSINT and how those work together and everything else, because we're talking about people that are living, that are afraid. We're talking about people that someone is following them; it may be online, sending a lot of
messages, may be coming to their house. This is something that's pervasive in their life. And then 25% of dating teens have been harassed by a partner, and of course dating teens, or teens in general, tend to embrace social media; they're online much more than a lot of us that are older than teenagers grew up on, and so the digital life extends in other areas of the actual life. So this is a much greater impact than it may be when some of us grew up. So just to use an example, I'll talk about Anna for a second. Anna, at the three-year... she, when she got married, at about the three-year mark is when the abuse started to occur. Red
flags started coming up. This was an individual we actually worked with, and Anna's not her real name, but this is a real story. She wasn't allowed to hide her passwords or PIN numbers. She was told that she had to give them up because, "What are you trying to hide?" We've heard that argument in different ways: if you're not trying to hide something, why do you need encryption and all these other things? That doesn't work on any level, but particularly in the home. So what she was told is, "Why do you have a password? What are you trying to hide from me? Why won't you share it?" She has every right
to share it, but she didn't feel that she did. Now, it only goes one way, generally speaking: she of course was compelled to give up her password and her PINs, whereas her husband at the time was of course not. Her phone was checked regularly, very overtly, and then it became accompanied with other forms, more kinetic forms of abuse. So she ended up, after that point, leaving her husband, filing for divorce and getting to a safe place. But the harassment, the stalking, that didn't stop; that didn't end when she left, and it rarely does in these types of situations. So we met her when it was about five years past the marriage date, so T plus five at that
point. We found, after we really kind of dug in, after we really kind of started looking at what there actually was, we found sixteen of her online accounts were compromised: email, social media, her Domino's account, her DVR account. Like, when he started losing access, he got in and deleted all of her favorite shows, just because he's petty. We did find two unknown devices on her network, and that bugs me to this day. This was a while ago this happened. There were two unknown devices that, it was easy enough to kick off the network: you just change the Wi-Fi password, it's not on there anymore, not a big deal. But we never actually found them, and that
still bugs me, because I know that they were there somewhere. Batteries or whatever has probably died, whatever the case may be, but I always wish we could have found them. We did find email redirects, a very, very low-tech attack. Email redirects: just, email comes in, it splits off somewhere else. It's not a very sophisticated attack, but that didn't mean that everything that she was receiving was also things that he was, he was giving. Poisoning the well with employers: this is something we start to see more and more of. She had a very, kind of a specialized skill set, not too many employers in her area. When she needed money, because, you know, suddenly she was
trying to maintain her same style of living on her own, she started applying for different jobs, and she found they already knew her. And there's kind of the feeling of, you know, "Why are you contacting us? You already applied and you suck, your grin was terrible, you're rude," and everything else. Like, she had trouble getting a job. Come to find out, if Kristen a shoe, that wasn't her; that was her abuser acting on her, someone acting on her behalf, in order to make her appear bad to her employers. And we did ultimately find stalkerware, which is rising in prevalence. Her phone was compromised, so he didn't know everywhere that she was until he got
that replaced. And then of course another person, Mike, slightly different scenario. They were married for six years when those red flags started coming up. Same thing: you shouldn't need passwords, you shouldn't need secret things if you have nothing to hide. The exact same argument. I keep hearing that; it drives me nuts. No matter when I hear that, it drives me nuts. Phone tracking apps were overtly installed. There's no attempt to hide it; it was, "Hey, this is so we can find each other, this is so I know where you are." And of course that was only installed on his phone, for his safety, I guess was the argument. And then he was, over time, slowly restricted from a
support system. It just kind of was like boiling a frog: before you know that the water is too hot is when you start to be in that situation. So that was Mike's situation as well. So this is something called the power and control wheel. This is kind of foundational for a lot of intimate partner violence, domestic violence types of approaches. It has different aspects that tend to be present in various forms of intimate partner violence, and surrounded by physical violence, which is often prevalent regardless of the nature of the other aspects. So I have modified this slightly, because the power and control wheel, as it tends to be used in different therapeutic methods and
different treatment methods, focuses really on kind of what the person is physically doing. It's not optimized for tech; it doesn't take into account what technology allows and how it can be used for evil instead of good. So going for that, you have coercion: you have threats, threatening harm to the person. You have intimidation, which is of course you're causing fear; you may be harming the pets; the abuser's making it very, very clear that "we can hurt you" or that "I can hurt you". Emotional: you have your gaslighting, humiliation; sometimes you see, like, revenge porn is a part of that; you see someone trying to cause some form of emotional harm to the victim. Isolation: isolation is a
foundational... it's abuse 101. It starts with isolation, because what the abuser will do, and technology allows them to do this a little bit better, a little bit faster, is to cut off the person from their support system. Because once you cut off the person from their support system, there's no one around that could say, "This is wrong, you're in a bad situation," or "I can help you get out of this situation." So that's why the abuse tends to start with isolation. There's ways around that. That's why we in this room, that's what we in this community have... are uniquely poised to help this type of population, because we know all about piercing through technical
isolation. We know about piercing through isolation in general. A lot of us, you know, don't get out as often as some others; a lot of us kind of prefer to stay indoors, so we know about other ways to reach out. We also know about ways to reach out safely. So that's where that knowledge isn't shared by everyone, but we have the ability to share it. Minimizing, denying and blame: that's where they would make light of it, try to minimize what happened. Using children: this is something that I really should have highlighted. The ones that I highlighted are the ones that I'm gonna focus on a little bit in the next slides,
but I really should have highlighted using children, because we see this a lot with custody type issues, where the parents share custody and one parent does not want to be found. That becomes a very, very complicated situation. Now what if the parent that wants to find the other parent gives a device to the child? Could be one of those teddy bears that has a camera in it; could be a phone, say, "Here's the phone," you know, the parent can't afford it, and it has a tracker installed. This is something... the children are often weaponized, and that sucks. Using privilege: now of course privilege is a very, very broad sense. On the original format for this type of wheel,
and what's called the Duluth model, it was talking about what's called, specifically, the word "male privilege", but I would say there's a lot of different types of privilege that we have to consider. For example, immigration status, where, "If you leave me, I hold your green card, I hold your residency; if you leave me, you go back to where you came from." The person is afraid to leave. It's also talking about just traditional, whatever the role is within the household: "I make the decisions because that's my role." And we'll talk about how that works with literal admin craft and privilege. And economic: we saw that as well. There's a lot of ways that tech could
be used in order to leverage and further economic abuse also. So, intimidation: the goal of the abuser here is not to actually get into accounts, not to actually try to compromise devices or whatever the case may be. It's sending that message: "I'm still here, you can't get rid of me." Hacking into accounts, but not quite getting in. You know, some accounts, they have this very, very... like two-factor authentication; someone said it back there. That's a great way to protect your accounts, but what does it do when someone tries to log in and fails your password? It sends you a message that someone tried to log in. You can abuse and weaponize that, because it's a way of
saying, "I'm trying to get into your accounts, I'm not worried about getting caught, I'm doing it overtly, but I'm still here." You do it at 2:00 in the morning, wake the person up; it's a bad thing to do. And then of course obvious monitoring versus more covert monitoring. Emotional: so the goal of the abuser when it comes to emotional attack is to isolate the person. It builds on isolation, because they want the person to use the word "crazy". When people use the word "crazy", and I say that not in the pejorative sense, I say that that's the word that they want to hear. They want the person to say, "I think I'm going
crazy." They want the person to say, for their friends around them to say, "They're kind of crazy, he or she is crazy, don't listen to what they're saying," because that insulates the abuser from the act, and it starts to not only harm the victim but protect them. Sometimes it's a matter of getting in and doing certain things, but they're removing the traces that those things have been done. This happens to me, you know, all the time, is that when something's not working and I try to show someone this frustrating thing is not working, that's when it starts working, right? Let you get any, like, "I can't log in, the site's messed up," and then it starts
working again. If that were used intentionally, that makes the person start to doubt themselves just a little bit. And then of course subtle changes. IoT: what's the old joke, is if you wanna remember what it's like to be hacking in the 90s, you hack IoT today; not too much different. But so IoT can be used. You have all sorts of different devices that are connected to the network now. Not only does it increase your attack surface, but it increases different ways that can be used to attack a vulnerable individual. Like, for example, thermostats: when it's a case where the abuser was the one that set up, when the adversary is the one that set up the
thermostat, they may still have access without the maybe less tech-savvy individual knowing that's the case, depending on where that technological disparity falls, which side that falls in on. So getting in and changing the temperature during the day just a little bit, making it a little bit hotter, making it a little bit colder, things like that. The Vatican, if you missed this, the Vatican released a web-enabled rosary, or the rosary beads and things like that; turned out to be a little bit vulnerable. There's just so many new attack surfaces that can come in, and so the dedicated persistent threat, our APT at home, is trying to find new ways to leverage that. We talked about isolation:
it's a matter of controlling the access to the devices and the resources. You often see this while the abuse is still ongoing, while the two are together or while the relationship is in place. So it may be a matter of locking the person out of their accounts as a form of punishment. You think about situations where you may live in a rural location. I used to live in a town called Albany, Ohio, which was as rural as it gets. It was about as big as this room, and about a quarter of the amount of people lived in it. Not much there, not much to do. So if you live in a location like that,
technology becomes your lifeline. That's how you get information, that's how you get news, that's how you talk to your friends and everything else. So in a case where that phone is taken away and the computer is taken away as a punishment, and I'm not exaggerating, this is a thing that happens, as far as "I'm taking this to work with me because you did this act," then that person is effectively isolated for that day. It can also be a matter of impersonating the victim: locking out their accounts, impersonating the victim. This is happening right now. There's one individual that I'm working with where their abuser, their adversary, is running their Facebook account. Everyone that tries to communicate with this person
through their Facebook account is actually talking to the abuser. Now of course you'd say, "Well, just report it with impersonation." This is the conversation we keep having: "Just report it, there's a report button, say impersonation," and everything else. But what does Facebook do? They email the account on record and they say, "Please prove who you are," and the person says, "Sure, here's my driver's license, here's my birth certificate, here's every piece of documentation that I still happen to have." So it becomes very, very difficult in order to overcome this, much more so when it's an individual that's trying to get their life back on track. We talked about privilege: there's a lot of different forms of what is referred to as
privilege, but I'd like to talk about literally admin privilege. You know, you think, a lot of you may be sysadmins in this room, or you may work for organizations where there is an IT staff, and you think about what would happen if your IT staff hated you. They can do a lot of damage to you, right? Because at my workplace, in my day job, I don't have admin access to my computer. I can install apps, I can't take apps off, I can't change configurations; I rely on someone else to do that. If that other person had something against me, they can do a lot of harm to me. They could impact my work day; they could impact my ability
to do my job, to communicate. They could theoretically change my files: I'm about to turn something in, I'm about to send up a report that says here are some things that are true, and then other information makes it in that's not true. I look foolish; I doubt myself. So having that administrative privilege, either remotely or in person, you can do a lot of harm that way. You can prevent app and software installs, prevent wiping logs, so if the person wants to try to get help, try to look online, try to look for resources, and the abuser's already configured the computer so they can't do that safely. And then again, preventing configuration changes that could be used to do that.
Economic attacks: this is something that I recently changed. It said "poisoning the wall" for the longest time; I've recycled the slide, go green, and it should be "poisoning the well". We talked about that earlier with Anna, who had her potential employers already knew about her; the well was effectively poisoned. And this is something that, if you have someone that has a lot of time, has motivation, can cause harm that way: can interfere with the job hunt, delete emails, things like that. And then also IoT account attacks. I put that under economic attacks because you could spend a lot of money if your heating is running all day long and then the A/C
comes on to cool the house down again. You really drive up that bill in the month that it'll take to figure out what's going on. And then what I call kind of technical methods, not really technical attacks, but kind of work in that realm, but things to make sense of, is crowdsourcing the abuse. So you see it, there's like these doxxing sites, or some of the chans, or some of these other types of doxxing locations, where someone will say, "This person did a bad thing." It's not just a matter of "Hey, help me abuse this person"; it's never that overt, rarely that overt. But normally it's, "This person did a bad thing,
they kick puppies, they did this bad thing, they hurt these people, here's their information, go to it." And it's not that hard to drum up a witch-hunt on the Internet. It's not that hard to kind of mobilize some of those communities in order to harm another person. So what that does is that effectively isolates the abuser from the abuse. That makes them far more difficult to detect, and that raises the impact, that increases the impact on the individual. And police as a service, which is where the police are actually weaponized: "My device has been stolen, I pay the bill, help me find it." Happens to them all the time. I just had this
conversation with NYPD, and they're familiar with it. They know what happens; there's not much they can do about it except to try to figure out what the actual truth may be, but again, they're overloaded. So they're using that way. A couple challenges to the victim themselves, a couple things that impact them, is when you have things that are accurate but unlikely. It's rare that the average abuser is going to burn a zero-day in order to harm their victim; those are expensive, and there's other ways to do it. But then again, so when you have someone that is trying to figure out what's going on in their lives and they don't have someone to help them put
it in the proper context, they're gonna start looking at things, they're gonna start hearing these news articles, seeing these things on the news, and they're gonna say, "Well, wait a second, someone else, you know, China or whatever, just broke into this person's iPhone and did these other things." They're going to see these types of attacks that can happen, but they're unlikely in this scenario. But lacking the context, possible is equated with probable. So we see things, this is the case where the bounty hunters were buying up all the location data. That can't happen; it's something that is not that difficult, but it's not something we actually also see in the wild that often either. WebMD: everything
means something. WebMD, if you're all familiar, it's where you look up your symptoms, and if you focus on it from a symptom perspective, then everything becomes much more meaningful than it would be otherwise. So I do it myself, I go to WebMD, and that's not true, I'm lying, but if I were to go to WebMD and I say I have a stomachache, I'm kind of lightheaded and everything else, I start looking, because I'm looking at it from a symptom perspective without the context, some symptoms seem to make sense, I try to fit them in, and then I find out I have hysterical pregnancy, because I lack the context. Same thing with your car: if your car is making a knocking
sound you try to diagnose it yourself I'm not a mechanic I'm not even all that smart and so I look in there and I say knocking sound means this I need a new engine my cars my car shot because I lack the context in order to interpret the symptoms information overload so even trying to put all that together even information that may be accurate just get too much information it becomes a matter of paralysis and then manipulators they manipulate that's what they do so we see cases where when the individuals with their abuser for a long period of time they hear it every day I can hack into all your devices don't even try I can see everything you do
this may not even be true it's oftentimes the abuser's an idiot but they can lie really really well they manipulate that's what they do so I had an individual one time that I had worked with right said okay let's let's first establish those safe communications channels go ahead and go to your local library go to a random computer at a random library create a new email address and sit down I felt that was a pretty good solution and she said that's not going to work because as soon as I do he's going to hack it and that's in this room we're like that's not gonna happen but if someone's been told every single day
by someone that appears to know what they're talking about I can do this thing then they're going to believe it to be true we need to talk a little bit about threat modeling so it's kind of three different factors when it comes to this particular audience there's the individual devices that they have up to the router there's the cloud the internet that everything passes through and then there's the resources they're trying to hit so for the individual that's where they have the fewest resources available generally like most people don't have a private IT staff but the most often attacked then you have the cloud very sometimes the ISPs gonna attack but not really for this particular case so
that's pretty safe they follow the same rules they're pretty well protected and then you have the other side where a lot of the websites that may be going to the shelters the safe houses the adversary the ad the groups that are trying to help them may have better resources more people less often attack but it does happen but I really need to focus on the individual themselves because that's where the risk is so we're talking about developing solutions there's three there's three different kind of models that I look at the one that we in the security community or the IT community have a bad habit of looking at is here's a vulnerability let's develop a
countermeasure so we look and we see okay there's a new vulnerability in Windows believe it or not that happens once in awhile and so we need to put a patch together so we look at the vulnerability we look at the countermeasure and we're done if we're getting little bit smarter we look at here's multiple vulnerabilities and they may work together they may impact one another they may have an impact to one another but let's include the adversary in that equation what are they likely to do is it something they're still likely to use and then we develop a countermeasure if we're really smart we're looking at multiple vulnerabilities we consider the adversary plus the behavior of the users
plus the skill level of the users what they're likely to do and that's where we start to develop countermeasures with all of the information for more holistic approach this applies very very cleanly and well to this audience some of the common attack how am I doing on time I don't I'm I'm good I I think lunch is after something just keep talking yeah y'all could be late for lunch I'm fine I eat beforehand so I'm good so some of the common attack methods that we do see we are seeing more and more stalkerware in the audience in the clients that we work with I won't bother defining it because we all know what that is stalkerware spouseware
spyware whatever you want to call it this is something that is actually being used because it's just so easy it used to be once upon a time so you had to have some level of skill some level of knowledge in order to compromise someone's phone now there's pre-built solutions now of course some years back a lot of them got sued they got in trouble so they changed it with their marketing where they said with a wink and a nod they said you know this is only used to protect your kids because everyone loves their kids won't you please do it for the children and to protect your employees but they're still you there still those pictures are still though
that data that latent code on their websites they still say what they're actually expecting if you they know what people are using this software for so even though they say don't use it for these illegal purposes and be illegal don't do it we're protecting ourselves we don't care about the customer I mean they'll cut the buyer free which is good because people buying it or the problem but um even though they have these disclaimers they actually don't care I did an experiment other people have done these experiments you can do it yourself I went on one of their websites and I got into the support chat and they're quick to respond they're like they're right there with support and I said hey
I made up this lie I said I think my girlfriend's cheating on me she has her phone I don't have access to it but can I use your software to find out if she's cheating on me so translation I said can I use your software to commit a major felony and they came back and they said yeah of course of course you can it's really easy here's some instructions and here's a 10% off discount code there's absolutely no they didn't mention don't do that because it's kind of a jerk that's a I mean a lousy thing to do it's highly illegal you'll get caught because people are getting caught you'll get arrested and you're just a bad person
none of that was mentioned it was just yeah give us your money and end of transaction now we're also seeing more data exposure and doxxing which is kind of a form of revenge it's also kind of a threat and saying that if you leave me I'll do this so it's used in order to exert control over the individual account takeover so of course we all know what that is but I draw a distinction between account takeover and device takeover the two are often equated so if you have an individual that is not a technical person doesn't understand this is he'll the threats of the technology they may believe they may come to you and they say my phone got hacked and that might
not be the case it might be their Facebook account got hacked or their Gmail or whatever the case may be I would say that we see a lot more account takeover than we see device takeover but again that's where we have to listen to what the people are telling us and try to figure out which is which impersonation we saw that in some of the previous cases where it's a matter of impersonating the victim's identity for one reason or another and then IOT attacks and I have that as a special case is because we put more and more things on our network without realizing what that might mean and so if you have someone who maybe they're not the ones
that put these things on the network their adversary's the one that did it they can still have access into the into the home and that becomes tricky because you're talking to someone often not face-to-face maybe some of the you know remotely you're saying well what devices do you have they say well I have a laptop I have a phone I've this but then you have to ask you like well you have a toothbrush that talks to the Internet you know do you have an IOT from thermostat do you have all these different devices does your fridge connect to the Internet I can't keep up I don't have a sidebar because this sunny we really really need to talk
about when it comes to primarily account takeover so these are the one two three four five if my math is right most common password reset questions these are the ones that it's asked when you set up an account we've all seen these that it says answer these so if you're ever locked if you ever forget your password we can get in there and you can you can reset your password one of the most common being mother's maiden name and for that by the way we can thank banks in 1882 they use that pert to protect telegraph information or banking via Telegraph so you're right the idea is that if you if you're sending money
to someone far away that person far away probably doesn't know your mother's maiden name is a fairly reliable way to protect that secret that was 137 years ago I have never banked via Telegraph I've not one dude I've not done that once I'm not that old but we're still using that same question and also name of your first pet and things like that these are all things that those close to us probably know about us they may have met the mother they may have been there for the present may have grown up together lived on the same street whatever the case may be so these are things these are useless questions and so what do we do you know I'll tell you
what here's here's my answers these are my actual answers as my mother's maiden name it's all there feel free to write it down it's not going to do much good stuff you can find if you want to dig a little bit no pictures I like that guy so it's something that it's not hard to find if you really really wanted to or if you spent any amount of time looking but of course like all of us I lie I lie a lot because I'm not going to put this actual information I'm not gonna protect my accounts with this information so I use false information I use my password manager to keep track of my lies but
these lives these Leslie's but sometimes I've heard like in conversations that we tend to laugh in this community we sometimes laugh at the people that answers these honestly we say it's it's dumb that they're doing that but they're just trying to be honest they're getting the question and they don't have that same mindset they don't know they should lie about those things and so maybe instead of some of us that maybe laughing at those people that are doing it maybe we need to tell them why that's a bad idea in case you didn't believe me that's the actual excerpt from the 1882 document that suggested mother's maiden name as a password for financial stuff bad idea so we start looking what the
solution sets need to be for this particular audience we're talking about someone that may not have a lot of money may not have a lot of skills of experience with technology it has to be easy for them to use whatever it may be free and inexpensive has to be secured hard it hard to detect you can't create new indicators based on what you're trying to do to help and you have to make the assumption that the device is going to be searched the changes will be noticed and the detection may be dangerous again that depends on knowing the individuals threat model what their actual situation is so if you're recommending solutions to someone you have to keep these things in mind I'm
going to skip past that because I think I'm wearing kind of short on time I'm so good I have a lot more to go through I'll come back if I can so we're talking about like a typical solution set in terms of when we're working with an individual this is kind of what we go they're not of you looks like so call this in because we're trying to consider okay so we do this what happens if we do this and if what does it indicate to the abuser when this changes and everything else there's a lot of different branches a lot of different things that we need to consider but I would say just focus
on for if someone comes to you for help and they may first thing you wanna do is establish those secure communications so they need to have a safe way to talk to you if you're going to help them with the security measure so if they're talking across insecure communications and it's being intercepted whatever you tell them is just going to be number one they're gonna know that there's a someone's trying to help that can make things more dangerous but the other hand any countermeasure that you try to put in place are going to be counteracted you're gonna be in that game of cat-and-mouse you're gonna lose it develop security measure of security measures once you can talk safely talk
about what they need to do it's not always our solutions the ones that we in the security community tend to say this is what you need to do that doesn't always work for millions of people for a lot of the people that you're developing apps for or software for or in your companies those typical solution sets might not work for them so we tend to say for example stalkerware generally requires physical access to the device protect it you use a good password using use good it use a good pin and we kind of that's the advice that we throw out and we've set it and forget it but if again we ask the same question if you're not allowed
to have a password or a pin that advice is useless ensure a safe destination so once you can kind of so this is kind of depends on how much one is helping but this is kind of the way we look at it is that once they can protect themselves once they get out they have to have a safe place to go so it may be for example a shelter or a safe house who may not have the same security countermeasures in place that we do you know I come from a DoD background as you saw my introduction so I'm worried about like protecting facilities shelters safe houses things like that often run by retired social workers health care
workers retirees not security people so you're saying you're in the situation where you're trying to protect your volunteers your clients from someone that wants to hurt someone but they're not resourced to do that so sometimes it's a matter of having that given that assistance and then security in perpetuity that's where once they get to a safe place they have to know they have to have the skill set to remain safe so if they go somewhere that's a safe location very very far away but we still never told them don't use don't answer these questions these password reset questions honestly they'll get compromised on the fact have to move again is the best-case scenario particularly effective and two
that particularly effective is you have your secure email oftentimes the email is one of the first things to get compromised so we say create a new account nothing to do with your old one new username not your real name and everything else and then that way there's at least a safe way to start having that conversation two-factor authentication ideally hardware-based two-factor authentication we've had a lot of success using Tails we've worked with their development team to increase the level of safety for the type of people that we work with which is awesome because if we're talking there's a computer in the house they share the computer remember they're told every single day I can see what you do don't
even bother looking for help I can see what you do they're not going to trust that device best case there one potential potentially they may try anyways and actually get caught which is bad or they don't try because they're too afraid to try and that's bad too so giving them a way to say that kind of that talisman that magic bullet that whatever it is say you can plug this in and this is going to protect against that then that's going to at least make them feel safe enough to start having that conversation regular scans is good because you know a lot of the antivirus manufacturers are picking up on the stalkerware and how to how to
detect it burner phones of course are not just for drug dealers and spies anymore so it works really well if there's concern that the phone itself is compromised which occasionally happens and Oh get them to the place where they can get a new device and of course organizations like ours where we want to help so I would say that if you show yourself as a safe person people are going to come to you so if you are known as someone that can be trusted within your friendship circles within your community within your cut within your companies when they know that you're someone that has information when they know that you're someone that can be trusted because you've been saying
things that indicate you're a trusted person they are going to come to you so when they do first off listen without judgment and be patient because a lot of times the people that you're talking to they don't understand technology they're going to say things that don't seem to make sense there's gonna be a white Oh a while for them to build up that trust level sometimes they're just they're so done with it they just want helps they're saying here's only username passwords please figure out what's going on but other times you're gonna need to be patient as the person tries to explain what's going on remember that sometimes if someone's come to you for help they're desperate
they may have been told for years and years and years you're crazy nothing's really happening you're trying to cause trouble you're drama they've heard these things over and over again the audience that we work with they have to fight really really hard so they're tired of fighting they just want someone to help don't ignore the ghosts and I say that literally this is not a metaphor don't ignore the ghost there's one individual that I worked with some time back that she can reach this I know this sounds crazy and right away hear the word crazy I'm like he's probably not she's I know this sounds crazy but my dishwasher sings songs to me my pets
have turned against me and and I feel I can be watched and followed all the time now you say that you got to any random person and you say my dishwasher's singing to me my pets have turned against me and I'm being watched you you might get institutionalized hit they're gonna say this person's crazy I'm gonna go the other way but in this case she was right she was 100% correct and that her dishwasher had an IOT component that her abuser set up it was singing to her her pets didn't hate her her pets didn't hate her they were just tired because it'd get hot during the day because the thermostat was set up high and she actually was being watched
so don't ignore those ghosts the things that don't make sense they're often the things that are most important learn the actual threat model so is the purse is the threat model five hackers named 4chan that are highly skilled highly adaptable and able to get in there and just work together and everything else maybe not very common it's not very likely but maybe more likely is someone that's lied to them someone that downloaded some tools off the internet maybe someone that hired someone so try to figure out exactly where the person may be actually the threat model may actually be and then once you figure all that out if they come to you for help recommend reasonable solutions we tend
to think like sometimes we think well this this is a great opportunity this is new that let's put all this encryption in place and these passwords and these hardware lockers and like all this stuff maybe that's not something that'll work for that person and sometimes even recommending those additional models can start to make the person be a little more concerned they're like why are you putting these things in place is it that bad so you really have to have that kind of that personal touch and understand that maybe the same threat model that we do on our day to day life isn't what's going to apply for someone who has a unique concern and then I would just
about the end I think I'm still doing pretty good on time minutes this is great so I would I would beseech you I would the thing that I would if nothing else is that each person in this room you guys are the technology haves the people that have spent a lot of time learning these skills understanding the threats understanding the aspects of technology might be Red Team you might be blue team you might be somewhere in between but you have information that other people need to stay safe and so you have an opportunity to be that evangelist I told you before is that instead of as some people I'm sure no one in this room you look like very very
nice people but as some people do they laugh at the people got hacked they say their password sucked it was hunter2 it's not gonna it's not going to protect you that one's all over the place and so we tend to like look down on the people that made those errors without saying why what did we do to help them so you can be that evangelist you can be that annoying person that says hey your passwords written down stop that because that might annoy people but at the same time those are the skill sets that they need to stay safe if you talk to 100 random people go out on the street talk to 100 random people and just say you
know here's some information 19 of those people are going to be either have been are being or will be impacted by intimate partner violence or domestic violence that's a pretty it's not hard to talk to a hundred people I don't know how many people I'm talking to now but if you talk to people at your but it's not a lot of people so if you talk to people at your workplace in your community wherever the case may be is that you're going to impact people that need to hear it you have to say but they might not have known there's someone out there that can help them they might not have had any inkling that maybe some of
the things that they're seeing are actually happening so someone's struggling about 19 people out of 100 are struggling you can use that information be an advocate in the InfoSec and the dev community so a lot of times the information has to go both ways so we're talking before about how you can share that information with the vulnerable populations that need it which is great which is a wonderful thing to do because that's the security community talking to the survivor community but it should go both ways so a lot of the models that we're putting into place when it comes to the security solutions and the tech and everything else we need to be that voice of the
people that maybe don't have that direct line be the voice of the people and that try to look at new things that we're developing or new things that we're putting out or that we're aware of and think how can be this being misused so I was on of all things I came back from New York I spoke at some domestic violence conference on this topic and I ended up taking the mega bus because I'm an idiot and don't like my time and but it's great because I sat down to this woman and we started to talk to Eustace oh my sister's an app developer you talk about IT and everything else I say what she work on and she says it's a great
app to keep children safe the so parents can find them at any time and the children don't know they're being tracked and I'm like oh let's talk and some more questions and and she says oh yeah my suspense together it's for kids we want to keep kids safe and I was like I'm sure you do you know I'm sure that your heart's in the right place and I ended up on the phone with her sister somehow on the bus going down wherever it was and I'm like this is a really bad idea stop doing what you're doing and she actually she she'd listen to a degree I hope she actually listened but at least I know
the development company name so I can keep an eye on things because I'm curious that I'm nosy so make sure the information goes both ways when you're coming up with something new try to think about if I were a bad guy this is accident this is foundational to OPSEC in the purest sense when what is actually called OPSEC the whole process depends on looking at things from the bad guys perspective and in what I do that's distasteful it feels backs I'm thinking if I were a bad guy if I were an abuser type and this is the way I saw the world what would I do it's not a pleasant feeling to even have that thought process but we
have to do it we have to at least consider and say if I were this bad guy how would I misuse this technology how could I get in and harm someone because that's how you can start to develop those effective countermeasures find a causing pipe for this is general you know maybe it's this particular cause maybe something with EFF maybe something with whatever else the case may be but once again I think there's a lot of really smart people in this room some of the talks that I catch like I don't know what I'm like the last talk have no idea I work with that guy and I have no idea what he's talking about
this is a lot of smart people there's room for you whatever it is your area of expertise is there's room for you to help other people if you have time consider it use what you know for good so this information that you have there's things that you can do you you can use it for good or bad you know you're the one that has to look yourself in the mirror you can use it for to do good things and that maybe just keep doing what you're doing developing great tools developing great security solutions or it may be even go further than that in terms actually helping people to avoid abuse to avoid being harmed by these forms of technology but
just don't use it for evil above all else what Google used to have in their rule set is don't be evil they took it out but keep it in yours and before I go on with that I just do want to because I have a couple more minutes five plenty of time so to kind of give an example what we're talking about as an example there was this planning app that we became aware of and it's a thing it's really really cool it's really really smart it's this tool that you're this paper checklist and you print it out and it says what's this information that you need to be concerned about so it's made for people
that are escaping abusive situations and so ask questions like when I when I leave this is the first place I can go this person said they'll take me in for two nights this person said they'll loan me some money this person said this is where I have my money hid and this mic over things like that and that's important because when you're doing the scariest thing in your life you're gonna forget everything so have you written down as good it says right at the bottom hide this really really well and we looked at that we're like how well can you really hide it because maybe you can hide it at work maybe a safe deposit box
maybe you're fortunate but if anyone hides it at home and it's found a lot of people are put in danger because abusers it's about control when they start to lose control they lash out so you don't wanna put people's names on that piece of paper so we said okay how can we solve this process we look at it kind of in an iterative sense because it's an OPSEC background is where it's coming from so we said how do we solve this first problem first problem is - it's dangerous it found it's a first option let's digitize it let's put it on ones will still have computers let's just put it on a computer that'll solve that
first problem of being found people can have it with them on their phone they don't have to worry about it so much we look and we say ok so we're aware that's gonna cause more problems because you're having new apps you have new icons these phones are searched we're aware of this so that's creates a new problem which is fine we knew that so we say ok so we can solve that problem my passwords and encryption and things like that so even if the person knows it's there they can't access it because it has strong encryption but of course they'll ask for it it's not a situation where the person's likely to be able to say no so
this new icon password-protected that's gonna be very interesting to the abuser so we say now let's solve that last problem and the we included in LM without going into too much detail include an element of option where the app says it's doing one thing if you know how to get into the secret portion that's where everything is so there's that plausible deniability that strategic misdirection where there's other ways to get this app it's primarily distributed through the shelters and the safe houses and other secure channels where you can say here's this specific tool but it doesn't necessarily stand out and so as other ways you can get it you have that plausible deniability much like Tails
where you can say I got this some other way and that solve that particular problem so with that being said going back in order I do have just a minute or two but if there's any questions I'd love to answer them couple great general in the back black
sometimes it has happened I've been called so many creative things and gotten so many creative threats my personal favorite favorite is you big stupid I need to frame that one but yeah because that is what happens that's why for law enforcement domestic violence calls are among the most dangerous because it's the abuser losing control and they hate losing control so they lash out so in the cases where they've known that we're involved that I'm involved it's generally it's been exclusively online it's been a lot of just angry messages we haven't been too worried about it some things we have had to report to the police but generally speaking they haven't gotten too close to that some remote
most of the volunteers for an all-volunteer organization remain kind of pseudo anonymous anyways I'm one of the unfortunate fools that has my face out so that's me yes can I have another hour for that no there's a lot to consider there but mostly it's a matter of looking from that mindset of how what am i creating how can it be used for evil one of the ones that I really want to highlight because more and more apps are being either created or misused to track the individual new laws are kind of being developed to approach that New York's doing a really good job with that until they screw things up with bailable that's another issue but so more and
more they're requiring the apps are voluntarily alerting the tracked phone that it's being tracked Google does that now Find My iPhone does that now because they knew that the bad guys were using it so just it's a matter of thinking from that distasteful perspective behind I think there's a question
a counter operations but as part of you all of each to pose for survivors do you also the question is is that do we provide that type of information about the non-technical things and yes so this conversation is about the technical forms of abuse but we focus on the wide range all the security disciplines from counter-intel a lot of the people that are volunteering come from like a DoD Intel type background so they're providing that type of information physical security and the whole thing so we do for each client that we do intake for we do kind of go over that wide range of topics yes such that they unfortunately find themselves in that
situation they're already set up in a good way like how much they not have family plans on their cell phones or get one of those things yeah well that's a good question the question was is that what should we in general be doing before we get in this situation so that's where general privacy concepts come into play that's where we have chance to become advocates for privacy but it's a matter of kind of setting yourself up in a secure way compartmentalizing information again I say it I'll use that polite euphemism strategic misdirection but I'll I so it's okay to give VoIP phone numbers instead of your actual phone number giving your actual phone number that's like the
blood Brotherhood now when I was a kid if you're giving someone your actual phone number that's because that you should really trust them I most anyone else has my VoIP you know fake emails and things like that but compartmentalize figure out those layers of trust this is who I really trust this is who I kind of trust and these are the new people that I'm meeting and kind of people have to work their way through a circle I did see a question there
well I don't like people to take my Raspberry Pis so just see I would invite you to I like to talk afterwards I have plenty business car seat about but also on our website we do have a volunteer form that goes straight to our intake team where they can kind of pair people up we do need volunteers we are an all-volunteer organization so any skill set ideally they take a height of the technical skills are in high demand because in almost all cases we deal with there's some sort of technical component but whatever the skill set is if you're a graphic designer if you're someone that can make pictures if you're someone that can you know help write information
for the clients to work with there's a place for everybody so whatever it is yes sir okay
I'm not sure I understand the question you're saying how what's the process for getting someone out of the situation oh okay well that's a really good question so the question is is that if you if the safe person they come to if you happen to be close to both the abuser and the victim that's a really crappy situation to be in because there's like the emotional entanglements it's hard to determine who to believe so really it's a matter of automatically having a trusting stance of the person claiming abuse that doesn't necessarily was there the abuser not seeing it as an important issue like say they have access to the accounts yeah but they just see it as
okay yeah yeah yeah so the question was is that if the abuser doesn't see that it's wrong they have all the passwords of they control the accessed information and everything else that's a really hard situation because there's kind of an education component sometimes we have an opportunity as people or you can say this thing that you're doing is kind of a crappy thing to be doing stop it or this is kind of controlling but that can be hard to do when you're close to the person so really that kind of depends on kind of taking that step if you see something say something that it's wrong but also at the same time kind of
letting the victim in this case know that there's resources available to help them not necessarily trying to force them out of a situation that might be our temptation to say you got to get out let's go but the key that can't happen until they're ready so you need to start planning that information if you weren't as close to the base of you're closer to the abuser wow that's a really good question so here's raising the level of difficulty here so if you're close to the abuser but not so much the victim at that point it's still a matter if we kind of have a duty I would say to at least call out the behavior that we're
seeing we do we need to call out toxic behavior and it has to come from anyone that is in a position especially to do so if I may one second okay so if we're in position to do so we have to feel free to call it out we have to have that integrity to call it out and it's hard to do and it sucks to do but it's kind of our obligation to do
if you ask them are you doing this to be abusive
they just won't say yes it's abuse but if you frame in other ways so the thing is if you know the abuser and they're saying you would judge them if they went oh yeah yeah so honestly at that point it becomes you might want to vote yeah I do know if one more question please sorry oh yeah yeah we tend to see a lot of periphery you know crimes in the periphery of that our initial scope was domestic violence intimate partner violence what we focused on those we started seeing that a lot of the a lot of the issues are similar so we do work with you know with what's we're looking for people that you know types of
violence or abuse or harassment human trafficking stalking harassment things like that so a lot of the same concepts are transferable I do know that I've kind of infringed on the goodwill of my hosts and pretty much eaten into your lunch time but thank you so much for taking the time to talk to me [Applause]