Unmasking Miscreants: Tactics for Identifying Anonymous Actors
Derbycon 3.0
Allison Nixon && Brandon Levene
(⌐■_■)
( •_•)>⌐■-■
( •_•)
About Us (⌐■_■)--︻╦╤─ - - -
● Allison Nixon (@nixonnixoff)
○ Incident Response & Pentesting at Integralis
○ GCIA
○ Independent Security Researcher focused on malicious services
● Brandon Levene (@seraphimdomain)
○ Incident Handler for large cloud provider
○ GCIH, GCIA, GPEN
○ Independent Security Researcher focused on Exploit Kits and associated Malware
Why are we interested?
There are bad people on the internet.
They are also dumb.
Working Definition: “OpSec”
● Actions taken to ensure information leakage doesn’t haunt you
● Proactive Paranoia
● Appropriate Compartmentation
tldr: STFU
(╯°□°)╯︵ ┻━┻
For More (from the Grugq): https://www.anti-forensics.com/operational-security-for-hackers/
Common Actor Traits
● Male
● 14-22
● Middle(ish) Class
● Live with parents
○ Limited/no income
○ Most income goes towards hobbies
● Social interaction predominantly online
○ Not necessarily “anti-social”
Warning
● You are playing with fire!
○ Playing with fire is fun
● Identity is hard to find from online aliases
○ Account sharing
○ Hacked accounts
○ Fake accounts
● False accusations are bad. And easy
○ Hurts your reputation
○ Hurts the reputation of innocent bystanders
● No vigilantism
○ Don’t harass people you find
Scoping
● What do you look for?
○ Bannings
○ Complaints (generally scamming)
■ Infractions
○ Vouches
○ Purchased Reputation
○ Multi-community membership/participation
○ Technical questions related to a service
● Who do you look for?
○ Premium or Sponsored Sellers
○ Authors of stickied threads (Forums)
○ Primary sellers
○ Vouches/Reputation given/received
So I’ve identified a bad, what next?
● Tools
○ Google
■ Always check cached results if a link appears dead
○ Spokeo
○ checkusernames.com
■ Username reuse
○ Reverse Image Searches
○ Maltego
● Get as much information as possible, then sift through for overlaps and relationships (HUMINT)
For more resources: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
Youtube Fail
On his Youtube account, out of all his videos, one second in one video had his name in focus.
Technical Recon
● Maltego
○ Consolidates Serversniffing, Whois, Dig, Registrant searches
○ Still useful to double-check!
● Manual inspection
○ Google Dorking (site:evil.com)
○ Tamperdata
○ Burp Proxy
○ Whatweb
● Cloud DDoS Solutions
○ Are they a dead end?
○ Nope, nocloudallowed
NoCloudAllowed (and other DDoS protection bypasses)
● A scanner to check every server for the existence of the hidden web site
● Many sites hide behind DDoS protection
○ (mostly Cloudflare, a few other companies)
● Bypass by contacting the origin directly
● Finding the origin is easy
○ Outbound connections
○ Outbound e-mail
○ Old DNS records
○ Server specific information leakage
● Nocloudallowed.com for details
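As an added example (not code from the talk or from nocloudallowed.com), the following Python audits a CDN-fronted site's own records for the two origin-leak channels on the slide that can be checked offline: DNS entries, current and historical, and the Received: chain of the site's own outbound mail. The CDN ranges, domain, DNS records and mail headers are all constructed placeholders (a real audit would load the protection provider's published ranges); any address the audit reports is one the provider is not shielding and should be moved or firewalled so that only the provider's ranges can reach it.

```python
"""Self-audit for a DDoS-protected site: which non-CDN addresses do our own
records still expose? Added example; all data below is constructed."""
import ipaddress
import re

# Constructed stand-in for the protection provider's published ranges.
CDN_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

SITE_DOMAIN = "example.test"  # the site being audited (constructed)

# Constructed DNS history: (name, type, value, first_seen). The historical
# entries are what passive-DNS archives keep after a site moves behind a CDN.
DNS_RECORDS = [
    ("www.example.test", "A", "198.51.100.17", "2013-09"),   # current, fronted
    ("www.example.test", "A", "192.0.2.45", "2012-11"),      # stale pre-CDN record
    ("mail.example.test", "MX", "mail.example.test", "2013-09"),
    ("mail.example.test", "A", "192.0.2.45", "2013-09"),     # mail host shares the box
    ("dev.example.test", "A", "192.0.2.46", "2013-09"),      # forgotten subdomain
]

# Constructed headers of one message sent by the site's own web application.
OUTBOUND_MAIL_HEADERS = """\
Received: from mx.provider.test (mx.provider.test [192.0.2.200])
\tby inbox.test with ESMTP; Thu, 26 Sep 2013 10:00:00 +0000
Received: from webserver.example.test (webserver.example.test [192.0.2.45])
\tby mx.provider.test with ESMTP; Thu, 26 Sep 2013 09:59:58 +0000
From: support@example.test
"""

# Matches the first line of a Received: header: "from <host> (<rdns> [<ip>])".
_RECEIVED_FROM = re.compile(r"^Received: from (\S+) \(\S+ \[([0-9.]+)\]\)")


def is_cdn_ip(ip, cdn_networks=CDN_NETWORKS):
    """True when the address lies inside one of the provider's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cdn_networks)


def dns_leaks(records=DNS_RECORDS, cdn_networks=CDN_NETWORKS):
    """A records, current or historical, that point outside the CDN."""
    return [(name, value, seen) for name, rtype, value, seen in records
            if rtype == "A" and not is_cdn_ip(value, cdn_networks)]


def mail_leaks(headers=OUTBOUND_MAIL_HEADERS, site_domain=SITE_DOMAIN,
               cdn_networks=CDN_NETWORKS):
    """Received: hops injected by the site's own hosts that carry a non-CDN IP.
    Hops added by third-party relays are ignored: they are not our leak."""
    leaks = []
    for line in headers.splitlines():
        m = _RECEIVED_FROM.match(line)
        if not m:
            continue
        host, ip = m.groups()
        if host.endswith("." + site_domain) and not is_cdn_ip(ip, cdn_networks):
            leaks.append((host, ip))
    return leaks


def audit(records=DNS_RECORDS, headers=OUTBOUND_MAIL_HEADERS,
          site_domain=SITE_DOMAIN, cdn_networks=CDN_NETWORKS):
    """Map each distinct exposed address to the channels it leaked through."""
    findings = {}
    for name, ip, seen in dns_leaks(records, cdn_networks):
        findings.setdefault(ip, []).append(f"dns:{name} (seen {seen})")
    for host, ip in mail_leaks(headers, site_domain, cdn_networks):
        findings.setdefault(ip, []).append(f"mail:{host}")
    return findings


if __name__ == "__main__":
    for ip, channels in sorted(audit().items()):
        print(ip, "exposed via", ", ".join(channels))
```

Run as a script it prints every exposed address with the records that reveal it. The slide's remaining channels, outbound connections and server-specific information leakage, need live observation of the host and cannot be checked from stored records alone.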
Tracking
● Weaving a tangled web
● Finding e-mails
○ Whois info
○ Paypal accounts
■ Even Paypal pages that conceal the e-mail
○ Gleaning e-mails from ads
■ “Selling stolen credit cards! Contact evil@gmail.com”
○ E-mail contacts in their profile pages
● Database dumps are your friend
Honing in on Bads
● In order to sell, one must advertise
○ Find the ads!
○ Look for affiliates
● Social Media is an invaluable intelligence tool
○ Look for OOB contact methods
■ MSN, ICQ, Email (various), AIM, Skype, Twitter
■ Be wary of hacked/stolen accounts
● The longer an account has been used in a similar context, the less likely it’s been newly compromised
■ Twitter is easy to search
■ Email <-> Facebook is trivial
Honing in on Bads, pt. II
● Read
○ Forum Posts (and PMs)
○ Social Media
○ Really, anything that can be attributed to the target
○ Read everything
● Watch
○ Youtube (Take screenshots!)
■ Huge vector of information leakage
○ Twitter feeds
○ Current v. Historical posting trends
○ AOL Lifestream
Identification
● Find data overlaps
○ Use the data a target is forced to present to the community
○ Compare against samples from multiple sources
● Utilize multiple sources to verify
○ Don’t rely on one search engine or tool for data
● Reconcile target personas
○ Utilize data overlaps/leakage to link online ID to physical person
● Document, Document, Document!
○ It’s extremely likely someone else is going to need to follow your logic. Make sure it’s sound.
● Identity VS Reputation
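An added example (not code from the talk) of the overlap-and-verify logic on this slide, in Python: persona observations gathered from several sources are linked only through identifiers that are corroborated by at least two distinct sources, so one shared or copied handle, which the Warning slide notes may belong to a hacked, shared or fake account, never produces a link on its own, and every link comes back with the evidence behind it so that someone else can follow the reasoning. All sources, personas and identifiers below are constructed.

```python
"""Link online personas through corroborated identifier overlaps and keep the
evidence trail. Added example; every record below is constructed."""
from collections import defaultdict
from itertools import combinations

# Constructed observations: (source, persona, identifier_type, identifier_value).
# A persona is one alias as seen on one platform.
OBSERVATIONS = [
    ("forum-profile", "forumA:shadowx", "email", "sx-contact@mail.test"),
    ("forum-ad", "forumA:shadowx", "icq", "123456789"),
    ("whois", "domain:stress-service.test", "email", "sx-contact@mail.test"),
    ("whois", "domain:stress-service.test", "phone", "+1-555-0100"),
    ("paypal-page", "paypal:ShadowX Services", "email", "sx-contact@mail.test"),
    ("twitter-bio", "twitter:@shadow_x", "icq", "123456789"),
    ("forum-profile", "forumB:darkmoon", "icq", "123456789"),
    # The Skype handle below is seen only in Twitter bios: a single source type,
    # so it could be one person's two accounts or a copied bio. Not enough.
    ("twitter-bio", "twitter:@darkmoon_", "skype", "darkmoon.live"),
    ("twitter-bio", "twitter:@moonbeam", "skype", "darkmoon.live"),
]


def corroborated_identifiers(observations, min_sources=2):
    """identifier -> (personas, sources) for identifiers shared by at least two
    personas and seen in at least min_sources distinct sources."""
    personas = defaultdict(set)
    sources = defaultdict(set)
    for source, persona, id_type, value in observations:
        personas[(id_type, value)].add(persona)
        sources[(id_type, value)].add(source)
    return {key: (personas[key], sources[key]) for key in personas
            if len(personas[key]) >= 2 and len(sources[key]) >= min_sources}


def link_personas(observations, min_sources=2):
    """Return (clusters, evidence): clusters are sorted lists of personas that
    share corroborated identifiers; evidence records which identifier and
    which sources justify each merge."""
    parent = {}

    def find(x):  # union-find with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    evidence = []
    for key, (shared_by, seen_in) in corroborated_identifiers(
            observations, min_sources).items():
        ordered = sorted(shared_by)
        for a, b in combinations(ordered, 2):
            parent[find(a)] = find(b)
        evidence.append({"identifier": key, "personas": ordered,
                         "sources": sorted(seen_in)})
    for _, persona, _, _ in observations:  # unlinked personas stay singletons
        find(persona)
    clusters = defaultdict(set)
    for persona in parent:
        clusters[find(persona)].add(persona)
    return sorted(sorted(c) for c in clusters.values()), evidence


if __name__ == "__main__":
    clusters, evidence = link_personas(OBSERVATIONS)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for e in evidence:  # the documented chain someone else can re-check
        print("linked", e["personas"], "via", e["identifier"],
              "corroborated by", e["sources"])
```

Lowering `min_sources` to 1 merges the two Twitter personas through the shared Skype handle; leaving it at 2 keeps them apart until a second, independent source ties the handle to one of them. The evidence list is the written record the slide asks for: each merge names the identifier and the sources that back it.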
Results!
“We are taking proactive steps to prevent DDoS (Distributed Denial of Service) for hire services from using PayPal to facilitate/fund illegal activities. PayPal's Acceptable Use Policy (AUP) states that our customers may not use PayPal's service relating to transactions that encourage illegal activities. Our goal is to provide a safe payments service that buyers and sellers around the world can use every day.”
-PayPal
Questions?
( •_•)
( •_•)>⌐■-■
(⌐■_■)