Never Go Full Spectrum Cyber

Who am I

  • Randy
  • Live and work in Sunnyvale Trailer Park
  • Love cheeseburgers

Relevant (and obligatory) XKCD

Don't do illegal things



Report all illegal activity to @InfosecMrLahey

Story time

Roy Sun


  • Graduated in 2010 from Purdue with Electrical Engineering degree
  • Went on to graduate program at Boston University

Roy Sun

  • Got those grades despite only attending one class his senior year
  • Was stealing professors' creds and changing his grades
  • Had gotten away with it

Mitsutoshi Shirasaki

  • Friend of Roy Sun
  • International student from Japan
  • Also had very high grades (straight A's)
  • Mitsutoshi learned from Roy

Mitsutoshi Caught

  • Mitsutoshi tells the cops all about Roy
  • Roy charged
  • Another friend of Mitsutoshi also charged for acting as lookout
  • Mitsutoshi flies back to Japan, before facing trial

Scott Arciszewski

  • 21-year-old computer major at the University of Central Florida
  • Hacked InfraGard local chapter site for Operation Avenge Assange
  • Tweeted about it under his handle @voodooKobra to @FBIPressOffice and @lulzsec

St. Petersburg Heist

In late 2012 and early 2013:
  • $40 million stolen from Bank Muscat and Rakbank in Oman
  • Compromised through their shared India-based payment processor ElectraCard Services

Unlimited Operation

  1. Attackers obtain ~40k pre-paid debit card numbers with funds loaded on them
  2. Remove the withdrawal limits on the cards
  3. Send the numbers to co-conspirators aka "casher mule" teams
  4. Casher mules clone the numbers onto magstripe plastic cards

$40 million dollars

  • Very well coordinated and sophisticated operation
  • Organization believed to be St. Petersburg, Russia based
  • Likely not their first operation

Good help is hard to find

  • A heist this large needs many players
  • With that many people involved, someone will blow it

Elvis Rodriguez

  • Part of NYC crew that was responsible for $2.8 million of $40 million
  • On ATM cameras wearing his black Domino's pizza hat from work, face visible on CCTV cameras
  • Pictures on his cellphone with piles of cash and pictures of items he bought

Fallout


  • Leader fled, killed in Dominican Republic while playing dominoes during robbery
  • Rest of crew busted

Lizard Squad

"obnoxious" aka internetjesusob

  • 17-year-old from BC, Canada
  • Swatted multiple people
  • Swatted mostly female gamers
  • Made one family's life a living hell
  • Live streamed it

Eduard Lucian Mandru aka "Wolfenstein"

  • Hacked DoD website in 2006
  • Used compromised hosts in Japan as proxies
  • Only clue to identity was an alt email address "wolfenstein_ingrid@yahoo.com"

Years later, needs a job

  • Posts CV online
  • Uses an email address on CV to collect job spam
  • Same one used in attacks

Chen Ping aka cpyy

  • Used his email and address to register domains for the command-and-control servers used in attacks
  • Used same email address and cpyy identity to register other accounts
  • Picasa account/site with pictures of PLA officers, etc.
  • Unit 61468 - People's Liberation Army
Source: CrowdStrike, Kris McConkey, PwC

Hieu Minh Ngo

  • Superget.info and findget.me
  • Sold identity info hacked from US companies (like Experian)
  • Flew to US
  • Arrested as soon as he stepped off the plane
lolooolll
White hats are not immune.

Wesley Wineberg

  • Security Researcher
  • Finds Instagram Ruby-based admin panel RCE flaw
  • Submits flaw to Facebook Bug Bounty Program

Wesley Wineberg

  • Later writes blog post saying FB called his employer and threatened him with legal action
  • Facebook is villainized for being hostile towards security researchers submitting bugs

Actually...

  • Facebook agreed to pay $2500 even though not first to submit that bug
  • Wes then used RCE exploit to gain access to AWS instance
  • Grabs API keys for S3 and starts exfiltrating data
  • Intentional exfiltration not in scope of bug bounty program
  • Wes sends email expressing dissatisfaction with reward
  • Tells them about all the data he exfiltrated and API keys
  • Tells them he plans to write about it
  • FB only contacted his employer because they believed he was operating on their behalf

Chris Roberts


Image: ArsTechnica

Fallout

  • Feds waiting for him when he got off the plane
  • Maintained tweet wasn't literal, feds didn't get the joke
  • Landed in a heap of legal trouble, possibly related...
  • His company, One World Labs (OWL) Security also later filed for bankruptcy

David Helkowski

  • Worked for Canton Group (Consulting Firm)
  • Assigned to University of Maryland Project
  • Claimed he found malware on servers
  • Claimed his employer and UMD took no action
  • Hacked into UMD, using multiple VPNs
  • Downloaded personal data for UMD's security team
  • Posted it to Pastebin in attempt to force their hand
  • Then told his coworkers what he was doing
  • Used same vulnerability the Canton Group reported to UMD
  • Gets raided by FBI (the next day)
  • Posts on reddit about it and does an AMA
  • Gets fired
  • "My stance is that I did nothing 'morally wrong.'" - Helkowski

Lessons

What is OPSec?
STFU is the best policy - the grugq

Practical applications for STFU

  • Not telling your friend or coworker how to change grades
  • Lizard Squad kid not live streaming his criminal activities
  • Not tweeting
  • Not trusting anyone to risk jail for you
  • Stories

Compartmentalization

I got 2 phones - Kevin Gates

On compartmentalization

  1. Create cover identity/persona
  2. Dispose of cover identities (emails/handles/accounts)
  3. Do not contaminate identities
  4. Keep personal life separate

Practical applications for Compartmentalization

  • Elvis Rodriguez not wearing his work hat or buying things that attract attention
  • Wolfenstein
  • cpyy
  • All the people that could have been in this talk for hacking from their house

Other OpSec practices

  • Plan
  • Have clear objectives and don't act outside of achieving those objectives
  • Don't take unnecessary risks (especially not just for fun)
  • Don't keep contraband around your house/work or use personal devices
  • Be paranoid beforehand, have paranoia built into routine
  • Good OpSec takes time
  • Stay in scope

OpSec - Other Resources

https://grugq.github.io/
OPSEC: Because Jail is for wuftpd (talk)

How to do everything wrong

THE END

- @digitalshokunin
- digital-shokunin.net*
*slides available on site