Never Go Full Spectrum Cyber
Who am I
- Randy
- Live and work in Sunnyvale Trailer Park
- Love cheeseburgers
Relevant (and obligatory) XKCD
Don't do illegal things
Report all illegal activity to @InfosecMrLahey
Story time
Roy Sun
- Graduated in 2010 from Purdue with Electrical Engineering degree
- Went on to graduate program at Boston University
Roy Sun
- Got those grades despite only attending one class his senior year
- Was stealing professors' creds to change his grades
- Had gotten away with it
Mitsutoshi Shirasaki
- friend of Roy Sun
- International student from Japan
- also had very high grades (straight A's)
Mitsutoshi learned from Roy
Mitsutoshi Caught
- Mitsutoshi tells the cops all about Roy
- Roy charged
- Another friend of Mitsutoshi also charged for acting as lookout
- Mitsutoshi flies back to Japan, before facing trial
Scott Arciszewski
- 21-year-old computer major at the University of Central Florida
- Hacked the InfraGard local chapter site for Operation Avenge Assange
- Tweeted about it under his handle @voodooKobra to @FBIPressOffice and @lulzsec
St. Petersburg Heist
In late 2012 and early 2013:
- $40 million stolen from Bank Muscat and Rakbank in Oman
- Compromised through their shared India-based payment processor, ElectraCard Services
Unlimited Operation
- Attackers obtain ~40k pre-paid debit card numbers with funds loaded on them
- Remove the withdrawal limits on the cards
- Send the numbers to co-conspirators aka "casher mule" teams
- Casher mules clone the numbers onto magstripe plastic cards
$40 million dollars
- Very well coordinated and sophisticated operation
- Organization believed to be based in St. Petersburg, Russia
- Likely not their first operation
Good help is hard to find
- A heist this large needs many players
- With that many people involved, someone will blow it
Elvis Rodriguez
- Part of NYC crew that was responsible for $2.8 million of $40 million
- On ATM cameras wearing his black Domino's pizza hat from work, face visible on CC cameras
- Pictures on his cellphone with piles of cash and pictures of items he bought
Fallout
- Leader fled, killed in the Dominican Republic during a robbery while playing dominoes
- Rest of crew busted
Lizard Squad
"obnoxious" aka internetjesusob
- 17-year-old from BC, Canada
- Swatted multiple people
- Swatted mostly female gamers
- Made one family's life a living hell
Eduard Lucian Mandru aka "Wolfenstein"
- Hacked DoD website in 2006
- Used compromised hosts in Japan as proxies
- Only clue to identity was an alt email address "wolfenstein_ingrid@yahoo.com"
Years later, needs a job
- Posts CV online
- Uses an email address on CV to collect job spam
- Same one used in attacks
Chen Ping aka cpyy
- Used his email and address to register domains for the command-and-control servers used in attacks
- Used same email address and cpyy identity to register other accounts
- Picasa account/site with pictures of PLA officers, etc.
- Unit 61468 - People's Liberation Army
Source: CrowdStrike, Kris McConkey, PwC
Hieu Minh Ngo
- Superget.info and findget.me
- Sold identity info hacked from US companies (like Experian)
- Flew to US
- Arrested as soon as he stepped off the plane
lolooolll
White hats are not immune.
Wesley Wineberg
- Security Researcher
- Finds Instagram Ruby-based admin panel RCE flaw
- Submits flaw to Facebook Bug Bounty Program
Wesley Wineberg
- Later writes blog post saying FB called his employer and threatened him with legal action
- Facebook is villainized for being hostile towards security researchers submitting bugs
Actually...
- Facebook agreed to pay $2500 even though not first to submit that bug
- Wes then used RCE exploit to gain access to AWS instance
- Grabs API keys for S3 and starts exfiltrating data
- Intentional exfiltration not in scope of bug bounty program
- Wes sends email expressing dissatisfaction with reward
- Tells them about all the data he exfiltrated and API keys
- Tells them he plans to write about it
- FB only contacted his employer because they believed he was operating on their behalf
Chris Roberts
Image: ArsTechnica
Fallout
- Feds waiting for him when he got off the plane
- Maintained tweet wasn't literal, feds didn't get the joke
- Landed in a heap of legal trouble, possibly related...
- His company, One World Labs (OWL) Security also later filed for bankruptcy
David Helkowski
- Worked for Canton Group (Consulting Firm)
- Assigned to University of Maryland Project
- Claimed he found malware on servers
- Claimed his employer and UMD took no action
- Hacked into UMD, using multiple VPNs
- Downloaded personal data for UMD's security team
- Posted it to Pastebin in attempt to force their hand
- Then told his coworkers what he was doing
- Used same vulnerability the Canton Group reported to UMD
- Gets raided by FBI (the next day)
- Posts on reddit about it and does an AMA
- Gets fired
- "My stance is that I did nothing 'morally wrong.'" - Helkowski
What is OPSec?
STFU is the best policy - the grugq
Practical applications for STFU
- Not telling your friend or coworker how to change grades
- Lizard Squad kid not live streaming his criminal activities
- Not tweeting
- Not trusting anyone to risk jail for you
- Stories
I got 2 phones - Kevin Gates
On compartmentalization
- Create cover identity/persona
- Dispose of cover identities (emails/handles/accounts)
- Do not contaminate identities
- Keep personal life separate
Practical applications for Compartmentalization
- Elvis Rodriguez not wearing his work hat or buying things that attract attention
- Wolfenstein
- cpyy
- All the people that could have been in this talk for hacking from their house
Other OpSec practices
- Plan
- Have clear objectives and don't act outside of achieving those objectives
- Don't take unnecessary risks (especially not just for fun)
- Don't keep contraband around your house/work or use personal devices
- Be paranoid beforehand, have paranoia built into routine
- Good OpSec takes time
- Stay in scope
OpSec - Other Resources
https://grugq.github.io/
OPSEC: Because Jail is for wuftpd (talk)
How to do everything wrong