
PG - Classic Misdirection: Social Engineering to Counter Surveillance - Peter Clemenko III

BSides Las Vegas | 25:18 | 59 views | Published 2016-12 | Watch on YouTube
About this talk
Proving Ground, BSidesLV 2015 - Tuscany Hotel - August 05, 2015

Good. So, hi everyone. Hi. So, welcome to Classic Misdirection: Social Engineering to Counter Surveillance.

Hey everyone, what's up? Okay. So this talk is about using social engineering tactics in counter surveillance situations. First of all, this one's dedicated to the only part of the government that actually listens, especially to us. Hi guys. A little bit of background info about me. I recently graduated from Wilmington University with a bachelor's degree in computer network security, looking for a job right now. Unfortunately, I had an incident where the feds tried to recruit me and they decided to go completely unethical, so I had to walk away. But in the process, I got some practical experience in this stuff as a result.

So first, a warning: this is not to make yourself an OPSEC risk or a danger to yourself or others. Don't [ __ ] it up, because right now you're in the danger zone. It's only going to go downhill from here. Okay, so as a disclaimer, if they are already trying to get you, this probably won't help you. This is primarily to prevent you from getting to the point where they decide to hunt you down, by using social engineering to make the point that you're not someone they really need to be focusing on. This can also help diagnose being spied on, if the situation is right, as well.

So a real world scenario for you, and this is something that actually happened. There was a German scholar who got busted back a couple years ago. He was doing a paper on Marxism and it was a philosophy paper. Most of the info was lost due to right to be forgotten, so I can't exactly pull up citations and stuff because it's all buried now. But he was very private, had good OPSEC, used Tor, OTR encryption, all that stuff. The German authorities saw what they did of encryption and Marxism and they assumed he was a terrorist. They kicked his door down. So when using privacy tools, there's a very real possibility that if you have good enough OPSEC and you have certain things leaking out through Google, for example, there's a possibility that this will wind up being something which could get your door kicked down if you're, say, a philosophy major writing a paper on Marxism in Germany, or if you're a hacker studying, you know, how to do say buffer overflows or something like that and black market exploit sales and things like that, unless your name is, of course, credits.

So, an introduction to our character. Archer is an up and coming hacker. Red is interested in him in a person of interest kind of way, and he's a bit wary of Red. He tends to lean more to the side of Blue instead. Something feels off, and he's getting a weird feeling from people who have been approaching him. Okay, so let me make this absolutely clear right now. This is going to be more Red trying to recruit Archer rather than Red trying to get Archer. But this is going to go into some interesting stuff.

So what's the threat model? Assume they're watching you on all the things. PRISM and XKeyscore are not your friends, unless you're the NSA, in which case maybe. So don't assume they're hostile, because they probably aren't, at least at first. Don't assume they're friendly either. That would just be bad form and frankly stupid. So there's a saying, just clam up, and in this case it's not always true. If information denial were always working, then we wouldn't have things like psychological warfare and information warfare in the military. As Sun Tzu said, all warfare is based on deception. And yes, I know I just did a Sun Tzu quote. No, I don't care. Our objective is not just to deny information, but also to craft a narrative. It can help reduce your risk of being suspected of things you're not doing and reduce your risk of being suspected of being a threat when you're not. And unfortunately, as we know from experience and seeing all these news stories about people getting their doors kicked in and stuff like that, with the way SWAT has shown and all that stuff, if they suspect something is going on, they'll just kick your door down. They'll use extreme force, and ultimately you're going to lose all your privacy when they kick your door down and seize all your gear. So that's not a good thing.

So, deception in the old world: Operation Bodyguard, the leadup to the Normandy invasions of 1944. They were using inflatable tanks among other things in order to try and deceive the Germans into thinking that they were landing on a completely different beach. In the process they managed to get the Germans to think, hey, we're going to go to this other beach because they aren't going to hit Normandy. And as a result, the Germans were about a day behind on the Normandy invasion with most of their forces, giving the Allies a chance to invade the beachhead. Now, just about all propaganda has always been using this technique as well. Ultimately, this is just turning propaganda methods on their head and using them against the intelligence community when they decide to, you know, listen in on you.

So, deception in the brave new world. You'll hear about JTRIG, by chance, the GCHQ and various other organizations using social media among other things to influence activists and suspected terrorists and all that stuff. Well, it's not just GCHQ, it's the Russians, it's pretty much every country out there. All organizations do it now. Hell, I mean, advertising is a form of information warfare. You're trying to sell your product to the other guy, and, you know, ultimately it comes down to, hey, how can I go ahead and convince these people to believe what I'm trying to tell them? And as you know, deception, propaganda, mass messaging, all that stuff, it all comes down to controlling the flow of information, and that's what we're trying to do here.

So Archer's story, part one. Archer is encountering some weird people who like to pry, especially politically, and they seem a little too specific, which is unfortunate, because when they seem a little too specific, things can get a little bit creepy. Although he doesn't realize it at the time, he's being scouted out by people who work for Red. This can get very interesting.

So, part two. At first he likes what he hears from Red, but then he realizes, how did they know what to talk to him about? So, OPSEC is great and all, but, you know, even the most meticulous OPSEC occasionally leaks. For example, when you have to Google search something or something like that, yeah, you're connected through Tor, but even then you have to worry about the possibility of relays being messed up or things like that. There's always the possibility you might accidentally not search with Tor, in which case you're screwed. But if you control what you're sending out, it's a little bit harder to profile you. And unfortunately, when confronted with the unknown, people tend to assume the worst. And when they assume the worst, bad things happen.

So, example: about 3 months ago I was reading through the Duqu 2 papers and I had noticed some interesting network traffic about 4 months prior to that going to Indonesia. Turned out Indonesia was one of the command and control areas for Duqu 2. At this point, I was like, "Oh [ __ ], did I get Duqu on my system?" And until I wound up coming down from that and doing a little bit of diagnostics, I was like, "Okay, what's the possibility there's actually Duqu on the system?" Turns out it wasn't Duqu, but at the same time, even in this field, something acting funny, kill it with fire. Laptop's acting funny, kill it with fire. I mean really, we all know that once you're all home from DEF CON, you're going to either image the machine and start doing forensics or you're just going to wipe it and start all over. So, you know, keep calm, nuke it from orbit.

Ultimately, this is about using targeted information leaks to control the flow of information. The intelligence community knows this as a limited hangout. And the origin of that phrase actually stems from the Nixon administration when they were trying to deflect suspicion from themselves. They decided to do what they called a limited hangout, to let some of the information hang out in order to deflect people from the really, really damning information. So using targeted leaks to craft a narrative is always useful. Ultimately, this is all about using propaganda as a counter surveillance technique. Remember that you're googling, you're browsing the internet, you're posting on Facebook, whatever. As Taz said in the previous talk, disinformation is a powerful tool if you know how to do it right. And that's ultimately what this is coming down to. It doesn't have to be deception, but it does have to be enough to make you seem like less of a threat.

Or you can make yourself like a puffer fish and push people away. For example, if the feds got a little too clingy, you might decide to puff yourself up, saying you support WikiLeaks, for example. And then they realize that it's probably a bad idea to continue. So ultimately, it's like using an ECM jammer. And an ECM jammer, for those who don't know, uses the radio spectrum and it just blasts on every possible radio wave it can in order to try and overpower radars and all that stuff. So, what you're doing is you're essentially creating high levels of noise in order to make the actual signal harder to read.

Silence can be damning, as we all know, because if you stay silent, they might take that as an admission of guilt. Unfortunately, this has happened in the past to other people. And crypto itself makes you interesting. We know that the NSA, among other groups, do use crypto as a selector for storing information for longer periods of time. So, crypto itself will make you a target. So ultimately, looking mundane in info leaks can make it look like you're less of a threat than you really are, or for that matter just not a threat at all, because you aren't actually a threat. Right? So you could also, unfortunately this got cut off, but you could also flare yourself up and make yourself like a puffer fish in order to deflect suspicion as well, by making yourself less of a target, less of an appetizing target, making them think you're going to speak out if they do something. It makes it harder for them to justify taking the risk.

Detecting. Ultimately, it can also be used for detecting compromise. And this is where the really good stuff starts happening. So if you suspect you're being watched and you know they're doing it and you know who you suspect, you can try and influence behavior. So this is a tool that can help detect if someone is spying on you. Admittedly, you have to have some sort of form of communication with the party involved. However, sometimes that happens, like HUMINT for example. It can also help detect information leaks. This is known as a barium meal test, and it is used in the intelligence community actually. It's essentially using fake targeted information leaks to control or influence the behavior of the people you're trying to root out.

So what the [ __ ] is a barium meal test? What you're doing is you're revealing fake secret information in order to try and influence the behavior of those on the receiving end of it. If they react, they wind up tipping their hand that they're actually doing something they shouldn't be or that there was a leak somewhere. Whereas if they don't react, maybe they were, maybe they weren't, but at least you have the knowledge of knowing that you tried. So, according to Peter Wright, this was used by MI5 and other intelligence agencies back during the Cold War. So this is actual espionage [ __ ]. This is actual [ __ ] they actually do in the real world. So, this isn't just theory. This is done in practice. For all my fellow Tom Clancy readers out there, this is known as a canary trap from Patriot Games, although the canary trap was a more simplified version of it in Patriot Games. There is a known example where a canary trap or barium meal test backfired on Elon Musk while at Tesla. Apparently, he was trying to root out information leaks and it backfired, because he sent one copy to his general counsel, and he was going to send individual copies of a non-disclosure to everyone else with slightly different wording, and the general counsel just forwarded his to everyone, and everyone got the general counsel's version. So, sometimes this does not work as planned, just for the record.

So consider the following. Ultimately, this is not about can you influence it once. You have to use the scientific method. Once is chance, twice is coincidence, three times something's up. That's a saying there is in fighter pilot school, according to various fighter pilots that have been out there. And frankly, it's a rule to live by. If you see something where you can just say, for example, you're walking down a street and someone's eyeing your phone. If you change course once and they keep following you, eh, it's chance. Twice, if you change course and they follow you again, okay, what's going on here? Three times, okay, something's not right. Try to get to a crowded area, preferably with police nearby, because something might be about to go down. So ultimately, if you can only incite the reaction once, it's probably nothing. But if you can repeatedly incite the reaction, you might have something going on. And ultimately, this is just using the scientific method. Now, I should note, if you're actually in danger or if you suspect you're in danger, you might want to cut down the number of times you need to test, just to be safe. As we all know, two of the greatest scientists on the planet will always tell you, use the scientific method. And I, as a nuke, will tell you, use the [ __ ] scientific method.

So part three. Archer doesn't put much on social media. He's a fairly private person. Doesn't post on Facebook, doesn't post on Twitter, any of that. All of his accounts are also locked down. Standard best practice. Friends only. You get the idea. So the question is, how the [ __ ] do they know that much about him? Really, how the hell does that happen?

So in light of the recent oddness, Archer decides to do a barium meal test to try and influence the behavior of those who he suspects are watching him. At this point, it's only a hypothesis, but it's a hypothesis that needs to be tested in order to become a theory. So at this point, he lets a little information out. Not a lot, and nothing dangerous, just enough to see if he can influence them and their behavior, and if something's up. So what he does, he starts putting some info on Skype and Facebook and all that stuff. And the reason I'm dropping Skype and Facebook is because we know they're PRISM organizations. Yes, I am citing NSA documents here, too. So his contact, who he suspects is with Red, Barry, starts acting on the information. And if he appears to act on information that he shouldn't have had access to, there might be a leak somewhere. And ultimately, this is what it's going to be focusing on. So, in order to confirm his hypothesis, Archer observes and sees if he can repeatedly influence Barry's behavior. So, if it was random coincidence, it's not going to be repeatable. However, if he responds in a predictable pattern, something may be up. An emphasis on may, because there's always the possibility it's still chance. But if you want to find an info leak, that's how you find the info leak.

So, part six. In this case, for the sake of this example, Barry does start reacting on the info leak. If he didn't, we could kill it right there. We could just go back to step one. So Archer starts narrowing down the suspect list of tools and winds up finding that Skype and Facebook and Twitter appear to be the key tools of choice that are being used against him. He suspects these tools are compromised, and he also decides to wipe his box just to be sure. Nuke it from orbit; it's the only way to be sure. In this case, he decides to have some fun while he's at it. And this is where some more stuff happens.

So crypto won't always save you. They love computer network exploitation. It's well known that the NSA and all the other organizations drop a ton of money on exploits. There are groups like Hacking Team out there that drop a ton of money on exploits and sell to unscrupulous groups, including Sudan, I should mention. [ __ ] those guys who go around selling surveillance tools to everyone. And if something like that gets on your system, it's [ __ ]. You might as well just start over and hope that they didn't infect a hard drive controller like the Equation Group malware or something, which frankly is highly unlikely given how controlled that specific kind of malware is. But still, it's totally not like that kind of malware source code is in the wild, though. So thanks, guys, thanks [ __ ], if you're in the room.

Exploit countermeasures. Surveillance tools will detect the kind of device and software you're running. So you're going to want to obfuscate what you're running. User agent switchers, [ __ ] yeah. User agent switchers are your friends. Why not say, if you're on a Linux box, that you're running Windows and Internet Explorer, if you're actually running, say, Linux and Firefox? This is something which helps you say, hey, yeah, look at me, run your Windows exploit on my Linux box. Seriously, try and get shell. And ultimately, obfuscating other software running on your system works as well. For example, if you're running an IIS web server, you might have it set up to say you're running an Apache web server. If you're running an Apache web server, you might want to say you're using nginx instead. So remember, FOXACID tools aren't just for the NSA, and they are coming soon to a script kiddie near you. Unfortunately, thanks to Hacking Team, this is now all on GitHub. Thanks, guys.

So, part seven. After installing a new OS on his laptop, he starts doing standard hardening and messing with the various configuration files, in order. He does this all from a location such as an internet cafe or, for example, a library that he's never connected to the internet from before. The reason is because if they pop your router, if they suspect they hit your box, if they see you going over the internet initially as, say, Linux, you won't have a very easy time of convincing them you're actually Windows. Or if they see you going over the network as Windows, you're going to have a hard time convincing them you're Linux. So, you want to a little bit more and send them off a little bit in order to make them think that, you know, you're not who you say you are, so to speak.

So in order to throw off attackers, obfuscation measures wind up throwing off analysis tools which wind up being used to attack. Ultimately, we know stuff like FOXACID, and frankly also stuff like the Hacking Team malware, is all automated and all easy to use, and especially with the Hacking Team leak, thanks guys, this is all in the hands of everyone now, and it's all going to wind up being advanced to new levels of "oh crap" where everyone has it. It's not going to be long until every two-bit script kiddie winds up having stuff like the Hacking Team malware in their arsenal, and that's going to get bad. So in order to throw off attackers the measures are implemented, and context matters. As we know, even a ton of data doesn't provide context. Snowden himself said that the problem with the NSA programs is that they're adding more and more hay to a stack of hay while they're trying to find an individual needle. And as we all know, that does not work. So, what winds up happening is they add more and more data and they think they're getting a more complete picture of you. But if you're doing things like googling, for example, random medical conditions, and they assume, for example, that you have Ebola because you're googling Ebola, just to do something completely random, they might assume that you are, let's just say, sick or something like that. They'll make some assumptions and it ends up badly. So controlling the context of the information those who are watching you see can seriously change their opinion of you. And which one of these will put you in the feds' danger zone? On one hand we have a bunch of [ __ ]. On the other hand, we have a bunch of real [ __ ]. The question is, which [ __ ] are worse?

So Archer's story, part seven. Archer decides to research Blue some more after deciding that Red was [ __ ]. And ultimately, Blue is looking more appealing. However, in order to research that stuff, he has to make sure Red doesn't think he sympathizes with Blue, because Red and Blue are kind of going at it, because as always, Red doesn't like Blue and Blue doesn't like Red, because apparently primary colors don't like each other. So Red winds up keeping watching him. He winds up just making it look like he's researching Blue in a way which isn't as though he sympathizes with them, but in a way which is actually just "know your enemy" kind of stuff instead. So he winds up sending things like "how to join Red" while at the same time looking up the Blue qualifications and stuff like that. So it ultimately looks like, hey, I'm interested in these guys, but not that kind of interested, when in fact you are that kind of interested. So for example, you know, just that stuff.

So ultimately, part eight. Archer decides to, for the most part, cut ties with Red, but what he does next is to be determined, if you know what I mean. Hint hint. So what it comes down to is: give some information to prevent people from assuming the worst, and "shut the [ __ ] up" doesn't always work. Ultimately this doesn't replace OPSEC, but it can help augment it. Don't give too much information, because that's just oversharing and that's always going to get you in trouble. But at the same time, only give enough information to deflect or pinpoint negative attention. Yeah, it's almost done. Only give enough information to deflect or pinpoint negative attention, such as people spying. This is only a single tool in your toolbox. Questions? Okay. We have how much time? Okay. So, sorry, we're over, so if anyone has questions, talk to me outside. Okay. Thanks.

Sorry about that.
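The barium meal test (canary trap) described in the talk, and its "once is chance, twice is coincidence, three times something's up" repeat rule, as an added worked example. This is not code from the talk or from the speaker: the recipients, the message template and the per-slot fillers are all constructed for illustration. Each recipient gets a copy that reads the same but is worded uniquely; a copy that turns up where it should not can then be matched back to the recipient it was issued to, and the Tesla failure mode (a recipient who forwarded their own copy, so the wording no longer identifies one person) is flagged rather than silently misattributed.

```python
"""Canary trap / barium meal test helper.

Added example, not code from the talk or from the speaker. The recipients,
template and slot fillers are all constructed for illustration.
"""
import hashlib
import itertools
import re
from dataclasses import dataclass

# Constructed message template. Each {slot} receives a recipient-specific
# filler, so every copy is unique in wording but identical in meaning.
TEMPLATE = (
    "Heads up: the {when} maintenance window for the {what} "
    "has been moved to {day}. Please do not circulate."
)

# Constructed fillers. Within a slot they mean the same thing; across the
# whole set no filler is a substring of another, so partial matches are clean.
SLOTS = {
    "when": ["upcoming", "scheduled", "planned"],
    "what": ["build server", "build host", "CI machine"],
    "day": ["Thursday", "the 14th", "end of week"],
}


@dataclass(frozen=True)
class Copy:
    recipient: str
    text: str
    fillers: tuple  # (slot, filler) pairs that make this copy unique


def _normalise(text):
    return re.sub(r"\s+", " ", text.lower()).strip()


def fingerprint(text):
    """Stable identifier of a copy's wording, ignoring case and whitespace."""
    return hashlib.sha256(_normalise(text).encode()).hexdigest()[:16]


def make_variants(template, slots, recipients):
    """Issue one distinct wording per recipient; returns {recipient: Copy}."""
    names = list(slots)
    combos = itertools.product(*(slots[n] for n in names))
    copies = {}
    for recipient, combo in zip(recipients, combos):
        fillers = tuple(zip(names, combo))
        copies[recipient] = Copy(recipient, template.format(**dict(fillers)), fillers)
    if len(copies) != len(recipients):
        raise ValueError("slots do not yield a distinct wording for every recipient")
    return copies


def attribute(leaked_text, copies, forwarded=frozenset()):
    """Map a leaked copy back to the recipient it was issued to.

    Returns (recipient, confidence) where confidence is one of:
      'exact'        the leak is an issued wording, verbatim
      'partial'      a unique best overlap of distinguishing fillers
      'contaminated' matched, but that recipient re-sent their copy to others
                     (the Tesla failure mode), so the match identifies the copy
                     and not necessarily the person
      'ambiguous'    no unique best match; recipient is None
    """
    leaked_fp = fingerprint(leaked_text)
    match, confidence = None, "ambiguous"
    for recipient, copy in copies.items():
        if fingerprint(copy.text) == leaked_fp:
            match, confidence = recipient, "exact"
            break
    if match is None:
        # Paraphrased leak: score each copy by how many of its fillers survived.
        norm = _normalise(leaked_text)
        scores = {r: sum(f.lower() in norm for _, f in c.fillers) for r, c in copies.items()}
        top = max(scores.values())
        winners = [r for r, s in scores.items() if s == top]
        if top > 0 and len(winners) == 1:
            match, confidence = winners[0], "partial"
    if match is not None and match in forwarded:
        confidence = "contaminated"
    return match, confidence


def verdict(reactions):
    """The talk's repeat rule: once is chance, twice coincidence, three times
    something's up. `reactions` holds one bool per round, True when the
    watched party acted on the planted information."""
    hits = sum(1 for r in reactions if r)
    if hits >= 3:
        return "something's up"
    return {0: "no signal", 1: "chance", 2: "coincidence"}[hits]


if __name__ == "__main__":
    copies = make_variants(TEMPLATE, SLOTS, ["alice", "bob", "carol", "dave"])
    for c in copies.values():
        print(f"{c.recipient:6} {fingerprint(c.text)}  {c.text}")
    print(attribute("FYI the build server maintenance moved to the 14th.", copies))
    print(verdict([True, False, True, True]))
```

Two design points carry over from the talk. First, the fillers within a slot must be equivalent in meaning and must not be substrings of one another, otherwise a paraphrased leak scores several copies equally and the result is correctly reported as ambiguous rather than pinned on someone. Second, `attribute` only ever identifies a copy; keeping a record of who forwarded theirs (the `forwarded` set) is what turns "this wording came from the general counsel's copy" into a useful answer instead of a wrong accusation.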
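The exploit-countermeasure passage (user agent switching on the client, and a web server advertising software it is not running) as an added example, not code from the talk or from the speaker. Both sides are shown with the Python standard library only: a local HTTP server whose `Server:` header claims to be Apache, and a client request whose `User-Agent` claims Windows and Internet Explorer. The banner strings and the loopback port are constructed for the demo; nothing here touches a real network.

```python
"""Banner masquerading demo: server and client lie about what they run.

Added example, not code from the talk or from the speaker. The advertised
software names are deliberately false and constructed for illustration.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed banners: neither describes the software actually in use.
FAKE_SERVER_BANNER = "Apache/2.4.57 (Unix)"
FAKE_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; "
                   "rv:11.0) like Gecko")


class MasqueradingHandler(BaseHTTPRequestHandler):
    """Python's default handler sends 'Server: BaseHTTP/x Python/x.y';
    version_string() is what send_response() puts in that header, so
    overriding it replaces the truthful banner with the fake one."""

    def version_string(self):
        return FAKE_SERVER_BANNER

    def do_GET(self):
        # Echo the User-Agent so the client side of the masquerade is visible.
        body = f"seen user-agent: {self.headers.get('User-Agent')}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind the masquerading server to an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), MasqueradingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch_with_fake_agent(port, user_agent=FAKE_USER_AGENT):
    """Client side: present a User-Agent that does not match the real platform.
    Returns (server banner as seen by the client, response body)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/",
                                 headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.headers.get("Server"), resp.read().decode()


def demo():
    """Run one request against the local server and return what each side saw."""
    srv, port = start_server()
    try:
        return fetch_with_fake_agent(port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    banner, body = demo()
    print("server claims:", banner)
    print("server", body)
```

On production servers the equivalent knobs only reduce what is disclosed rather than substitute a different product: Apache's `ServerTokens Prod` trims the banner to "Apache" and nginx's `server_tokens off` drops the version. Either way, a banner is a hint for a fingerprinting tool, not proof, so the defensive value is in denying an automated tool an easy match, and logging requests whose User-Agent contradicts other observable properties of the client is a reasonable detection on the other side.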