Unmasking Miscreants: Tactics for Identifying Anonymous Actors
Derbycon 3.0
Allison Nixon && Brandon Levene
(⌐■_■)
( •_•)>⌐■-■
( •_•)
About Us (⌐■_■)--︻╦╤─ - - -
● Allison Nixon (@nixonnixoff)
○ Incident Response & Pentesting at Integralis
○ GCIA
○ Independent Security Researcher focused on malicious services
● Brandon Levene (@seraphimdomain)
○ Incident Handler for large cloud provider
○ GCIH, GCIA, GPEN
○ Independent Security Researcher focused on Exploit Kits and associated Malware
Why are we interested?
There are bad people on the internet.
They are also dumb.
Working Definition: “OpSec”
● Actions taken to ensure information leakage doesn’t haunt you
● Proactive Paranoia
● Appropriate Compartmentation
tldr: STFU
(╯°□°)╯︵ ┻━┻
For more (from the Grugq): https://www.anti-forensics.com/operational-security-for-hackers/
Common Actor Traits
● Male
● 14-22
● Middle(ish) Class
● Live with parents
○ Limited/no income
○ Most income goes towards hobbies
● Social interaction predominantly online
○ Not necessarily “anti-social”
Warning
● You are playing with fire!
○ Playing with fire is fun
● Identity is hard to find from online aliases
○ Account sharing
○ Hacked accounts
○ Fake accounts
● False accusations are bad. And easy
○ Hurts your reputation
○ Hurts the reputation of innocent bystanders
● No vigilantism
○ Don’t harass people you find
Scoping
● What do you look for?
○ Bannings
○ Complaints (generally scamming)
■ Infractions
○ Vouches
○ Purchased Reputation
○ Multi-community membership/participation
○ Technical questions related to a service
● Who do you look for?
○ Premium or Sponsored Sellers
○ Authors of stickied threads (Forums)
○ Primary sellers
○ Vouches/Reputation given/received
So I’ve identified a bad, what next?
● Tools
○ Google
■ Always check cached results if a link appears dead
○ Spokeo
○ checkusernames.com
■ Username reuse
○ Reverse Image Searches
○ Maltego
● Get as much information as possible, then sift through for overlaps and relationships (HUMINT)
For more resources: http://www.irongeek.com/i.php?page=security/doxing-footprinting-cyberstalking
Youtube Fail
On his Youtube account, out of all his videos, one second in one video had his name in focus.
Technical Recon
● Maltego
○ Consolidates Serversniffing, Whois, Dig, Registrant searches
○ Still useful to double-check!
● Manual inspection
○ Google Dorking (site:evil.com)
○ Tamperdata
○ Burp Proxy
○ Whatweb
● Cloud DDoS Solutions
○ Are they a dead end?
○ Nope, nocloudallowed
NoCloudAllowed (and other DDoS protection bypasses)
● A scanner to check every server for the existence of the hidden web site
● Many sites hide behind DDoS protection
○ (mostly Cloudflare, a few other companies)
● Bypass by contacting the origin directly
● Finding the origin is easy
○ Outbound connections
○ Outbound e-mail
○ Old DNS records
○ Server specific information leakage
● Nocloudallowed.com for details
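The origin-discovery idea on this slide, worked end to end as an added example (this is not the nocloudallowed tool or code from the talk). It takes two of the leakage sources listed above: outbound e-mail, where the Received: chain of a mail the site sent (signup, password reset) carries the web server's own IP, and direct probing, where each candidate IP is asked for the hidden site by name and the reply is compared with the page fetched through the front. The mail, hostnames, IPs and page bodies are constructed; the front's own address ranges are not embedded, so excluding them from the candidate list is left to the reader.

```python
# Added example: find the origin behind a CDN/DDoS-protection front via two of the
# leakage sources on the slide: outbound e-mail (Received: chain) and direct probing
# (ask each candidate IP for the hidden site by name). All hosts, IPs, mail and page
# bodies below are constructed for the example.
import ipaddress
import re
import socket
from email import message_from_string

# RFC 1918, loopback and link-local hops say nothing about where the origin lives.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # malformed, useless as a candidate
    return any(addr in net for net in INTERNAL_NETS)


def received_ips(raw_mail):
    """Routable IPv4s from the Received: chain, oldest hop first.
    MTAs prepend Received: headers, so the last one is the first hop; for a signup or
    password-reset mail that is usually the web server itself."""
    ips = []
    for hop in reversed(message_from_string(raw_mail).get_all("Received", [])):
        for ip in RECEIVED_IP_RE.findall(hop):
            if not _is_internal(ip) and ip not in ips:
                ips.append(ip)
    return ips


def build_probe(host, path="/"):
    """Raw request asking a candidate IP for the protected site by name. The front is
    bypassed by never talking to it: TCP goes to the candidate, Host names the hidden
    site. HTTP/1.0 keeps the reply unchunked so the body compares as plain text."""
    return (f"GET {path} HTTP/1.0\r\nHost: {host}\r\nUser-Agent: origin-probe/0.1\r\n"
            f"Connection: close\r\n\r\n").encode()


def page_title(body):
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return " ".join(m.group(1).split()).lower() if m else ""


def same_site(reference_body, candidate_body, threshold=0.6):
    """Did the candidate serve the site we fetched through the front? Titles must match
    and most whitespace-normalized lines must overlap: a front-injected script changes
    a line or two, a hoster's default page changes all of them."""
    if page_title(reference_body) != page_title(candidate_body):
        return False
    norm = lambda body: {" ".join(l.split()) for l in body.splitlines() if l.strip()}
    a, b = norm(reference_body), norm(candidate_body)
    return bool(a and b) and len(a & b) / len(a | b) >= threshold


def probe(ip, host, port=80, timeout=3.0):
    """Fetch the site by name from one candidate IP; body text, or None on error."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(build_probe(host))
            raw = s.makefile("rb").read()
    except OSError:
        return None
    return raw.partition(b"\r\n\r\n")[2].decode("utf-8", "replace")


def find_origin(host, candidates, reference_body):
    """Candidate IPs that serve the protected site directly (live network use)."""
    return [ip for ip in candidates
            if (body := probe(ip, host)) is not None and same_site(reference_body, body)]


# Constructed sample data: a mail the booter panel sent, and three page bodies.
SAMPLE_MAIL = """Received: from mx1.example.org ([10.0.0.5]) by mailstore.example.org; Sat, 28 Sep 2013 10:00:02 +0000
Received: from panel.booter.example (panel.booter.example [203.0.113.45]) by mx1.example.org with ESMTP; Sat, 28 Sep 2013 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1]) by panel.booter.example (Postfix); Sat, 28 Sep 2013 10:00:00 +0000
From: noreply@booter.example
Subject: Your account

Welcome aboard.
"""
REFERENCE_BODY = """<html><head><title>Stress Test Pro - Home</title></head>
<body><h1>Stress Test Pro</h1>
<p>Plans from 10 USD. <a href="/login">Login</a></p>
<script src="/injected-by-front.js"></script>
</body></html>"""  # as served through the front, one injected line
ORIGIN_BODY = REFERENCE_BODY.replace('<script src="/injected-by-front.js"></script>\n', "")
DEFAULT_PAGE = "<html><head><title>Welcome to nginx!</title></head><body>Welcome to nginx!</body></html>"

if __name__ == "__main__":
    print(received_ips(SAMPLE_MAIL), same_site(REFERENCE_BODY, ORIGIN_BODY),
          same_site(REFERENCE_BODY, DEFAULT_PAGE))
    # Live: find_origin("booter.example", received_ips(mail), body_fetched_through_the_front)
```

In live use the candidate list comes from the leakage sources on the slide (mail headers, old DNS records, a hoster's range that outbound connections pointed at), the reference body is the page fetched normally through the front, and find_origin reports which candidates answer with the same site when addressed by name. The line-overlap threshold is deliberately loose because fronts rewrite pages slightly; tighten it if a hoster serves many near-identical parked sites.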
Tracking
● Weaving a tangled web
● Finding e-mails
○ Whois info
○ Paypal accounts
■ Even Paypal pages that conceal the e-mail
○ Gleaning e-mails from ads
■ “Selling stolen credit cards! Contact evil@gmail.com”
○ E-mail contacts in their profile pages
● Database dumps are your friend
Honing in on Bads
● In order to sell, one must advertise
○ Find the ads!
○ Look for affiliates
● Social Media is an invaluable intelligence tool
○ Look for OOB contact methods
■ MSN, ICQ, Email(various), AIM, Skype, Twitter
■ Be wary of hacked/stolen accounts
● The longer an account has been used in similar context, the less likely it’s been newly compromised
■ Twitter is easy to search
■ Email <-> Facebook is trivial
Honing in on Bads, pt. II
● Read
○ Forum Posts (and PMs)
○ Social Media
○ Really, anything that can be attributed to the target
○ Read everything
● Watch
○ Youtube (Take screenshots!)
■ Huge vector of information leakage
○ Twitter feeds
○ Current v. Historical posting trends
○ AOL Lifestream
Identification
● Find data overlaps
○ Use the data a target is forced to present to the
community
○ Compare against samples from multiple sources
● Utilize multiple sources to verify
○ Don’t rely on one search engine or tool for data
● Reconcile target personas
○ Utilize data overlaps/leakage to link online ID to physical
person
● Document, Document, Document!
○ It’s extremely likely someone else is going to need to follow your logic. Make sure it’s sound.
● Identity vs. Reputation
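The Tracking, Honing in on Bads and Identification slides together, as an added example that is not from the talk: pull out-of-band contact selectors (e-mail, ICQ, Skype) out of posts, link personas only through selectors they advertised in their own posts, keep the evidence behind every link so someone else can follow the logic, and report a handle reused across communities as a lead rather than proof, since accounts get shared, hacked and impersonated. The "ad" versus "complaint" tag on each post stands for the analyst having read it; the communities, handles, posts and selectors are constructed.

```python
# Added example (not from the talk): extract out-of-band contact selectors from posts,
# link personas only through selectors they advertised themselves, keep the evidence
# behind every link, and report a reused handle as a lead rather than proof.
# All communities, handles, posts and selectors below are constructed.
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ICQ_RE = re.compile(r"\bicq\W{0,3}(\d{5,10})\b", re.I)
SKYPE_RE = re.compile(r"\bskype\W{0,3}([A-Za-z][\w.-]{4,30}\w)", re.I)


def extract_selectors(text):
    """Contact selectors in free text -> {"email": {...}, "icq": {...}, "skype": {...}}."""
    found = defaultdict(set)
    for m in EMAIL_RE.findall(text):
        found["email"].add(m.lower())
    for m in ICQ_RE.findall(text):
        found["icq"].add(m)
    for m in SKYPE_RE.findall(text):
        found["skype"].add(m.lower())
    return dict(found)


class _DSU:
    """Union-find over (community, handle) personas."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_personas(posts):
    """Cluster personas that advertised the same selector. Only posts tagged kind="ad"
    (the analyst's reading, not a regex) give selectors to their author: a complaint
    quoting a scammer's ICQ must not link the complainant to the scammer."""
    dsu, owners = _DSU(), defaultdict(set)
    for p in posts:
        persona = (p["community"], p["handle"])
        dsu.find(persona)  # register even if it advertised nothing
        if p["kind"] == "ad":
            for stype, values in extract_selectors(p["text"]).items():
                for v in values:
                    owners[(stype, v)].add(persona)
    evidence = []  # (selector type, value, persona, persona): the audit trail of each link
    for (stype, value), personas in sorted(owners.items()):
        first, *rest = sorted(personas)
        for other in rest:
            dsu.union(first, other)
            evidence.append((stype, value, first, other))
    clusters = defaultdict(set)
    for persona in list(dsu.parent):
        clusters[dsu.find(persona)].add(persona)
    # Same handle on two communities is a lead, not proof: accounts get shared,
    # hacked and impersonated. Report it only where the clusters did not merge.
    by_handle = defaultdict(set)
    for persona in list(dsu.parent):
        by_handle[persona[1].lower()].add(dsu.find(persona))
    return {"clusters": [frozenset(c) for c in clusters.values()],
            "evidence": evidence, "owners": dict(owners),
            "leads": sorted(h for h, roots in by_handle.items() if len(roots) > 1)}


def complaints_against(posts, owners):
    """Complaint posts mapped to the personas that advertised the selector complained about."""
    hits = defaultdict(list)
    for p in posts:
        if p["kind"] != "complaint":
            continue
        for stype, values in extract_selectors(p["text"]).items():
            for v in values:
                for persona in owners.get((stype, v), ()):
                    hits[persona].append((stype, v, p["community"], p["handle"]))
    return dict(hits)


POSTS = [  # constructed sample posts
    {"community": "forumA", "handle": "dd0ser", "kind": "ad",
     "text": "Booter access 10 USD/month. Contact evil@example.com or ICQ 612345678."},
    {"community": "forumB", "handle": "stress_king", "kind": "ad",
     "text": "Best stresser around! PayPal: evil@example.com  Skype: stresskingz"},
    {"community": "twitter", "handle": "stresskingz", "kind": "ad",
     "text": "new plans up, hit me on skype: stresskingz"},
    {"community": "forumC", "handle": "dd0ser", "kind": "ad",
     "text": "Anyone know a good VPS that allows scanning?"},
    {"community": "forumA", "handle": "burned_buyer", "kind": "complaint",
     "text": "Paid ICQ 612345678 for a month, never got access. Scammer."},
]

if __name__ == "__main__":
    result = link_personas(POSTS)
    print([sorted(c) for c in result["clusters"]], result["evidence"], result["leads"], sep="\n")
    print(complaints_against(POSTS, result["owners"]))
```

On the sample data the forumA and forumB sellers and the Twitter account collapse into one cluster (shared PayPal e-mail, then shared Skype), the buyer who quoted the ICQ in a complaint stays out of it, and the second "dd0ser" on forumC is listed only as a handle-reuse lead to be confirmed from other overlaps. The evidence list is what goes into the write-up.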
Results!
“We are taking proactive steps to prevent DDoS (Distributed Denial of Service) for hire services from using PayPal to facilitate/fund illegal activities. PayPal's Acceptable Use Policy (AUP) states that our customers may not use PayPal's service relating to transactions that encourage illegal activities. Our goal is to provide a safe payments service that buyers and sellers around the world can use every day.”
-PayPal
Questions?
( •_•)
( •_•)>⌐■-■
(⌐■_■)
