Welcome to the next talk. You can hack everything. Welcome to the talk. You can hack everything but just shouldn't get caught. So first of all, who of you has found a vulnerability and had doubts about telling it due to fearing consequences? And who would want to find a vulnerability? All right. Well, you're certainly affected and this talk should be relevant for most of you. Most hackers are faced with the situation that they found something, they dig into something and know that people who own the architecture they've compromised, that this has some consequences and they don't like what they've done. And this talk is about how to deal with such a situation and ideally not get in such a situation in the first place. Linus and Torsten are experts on IT security and you might know them from a hack on the election software. They found some vulnerabilities in there. So if you want to hear it in German, there's a podcast, Logbuch:Netzpolitik. But for now, please enjoy the talk.

Thank you very much for coming. Great that so many of you are here. And I appreciate that lots of you did the first mistake right now by signing up, showing up for having hacked something. So actually, both of us have never hacked anything. So we've seen lots of hackers over the years who had to go to jail, and there's lots of risk involved when hacking, which diminished the joy. So lots of legal procedures, kicked-in doors and so forth, really unnecessary things, and it might make sense to actually think about how you can still be free and also be free in the future. And we know hackers are just free beings and we'd really like you to stay free, paint beautiful pictures like free beings and yeah. What this is basically about is OPSEC. OPSEC basically is depicted here nicely. Very nice teaching material from Russia. There's also a concern for them over there apparently. And we also have...
We would like to start with the very first computer worm, and you never should overestimate your capabilities, which is basically the first lecture already. We know this since the very first computer worm. The very first big worm that was also recognized internationally. That was the Morris Worm. Lots of vulnerabilities in sendmail, finger, rsh were abused and also weak passwords to kind of spread itself. And back then that led to a failure of parts of the internet in 1988. And some of you might ask why is this worm called Morris Worm? Because its inventor, its founder, was pretty proud of this worm and told everyone how it worked. And at some point he stood on campus at Harvard. On a chair, on a table, and was just preaching about the worm he had developed. And yeah, he basically just spread the word. Everybody heard about it and somebody passed this info on to a journalist. And well, he was faced with this. And the result of this is that this worm was named after him. But he had to... He got fines, he had to go to prison. Basically he could have avoided the whole thing without all this need of spreading the word about his work.

The same actually applies to bank robbers. This guy here, he robbed their bank. And you know what do you do when you actually have experienced something entertaining, something great? Well, first of all you take a selfie, right? You can also take a second one or photograph the people you've collaborated with or eat what you've got. And then, well, this is basically the road straight to instant jail. And you might consider this just a one-case example. But if you actually keep looking, you'll find plenty of these examples and lots of experts who kind of make the same mistakes. And it always ends the same way. You know, this guy here, lots of golden teeth. This gentleman is displaying on a picture. And basically he was sentenced because he showcased all of this and this legally obtained money on Facebook.
So let's move on to car hacking and the pioneers of this field. We again are faced with the same phenomena. First car hacks were pretty analog and pretty brute force. And the pioneers in this field were those two young guys. They had a major hack. They basically just broke a windshield and they stole an iPad from inside a truck. So what do you do first after such a deed? You go to a shop where you have Wi-Fi, a Wi-Fi network, and just start gaming with this iPad, this illegally obtained iPad. And they kind of realize, oh cool, you can even take pictures and videos with this iPad. This is my brother Dylan. He's also a money team. This, my good people, is what we get from a good night's hustle. Well, and since they connected this iPad to the Wi-Fi of Burger King in this case, something happened and well, it had to happen. And the owner of this truck handed over the video one week later to the police and the police knew the two and well, took care of the rest.

Well, let's go back to actually our main focus of the talk, computer hacking, after this quick detour to the analog world. What can actually go wrong when you as interested internet user or online shopper, what can go wrong? You want to just buy something online and start clicking around and then somehow click on a wrong icon or just get distracted in a way. And actually we're talking about a threat level here. A threat level for the person hacking, in this case, an online shop. So you in this case have a certain threat level and this level rises if you're not using software anonymizing your activity or other cases. And so you might think, well, I better use Tor in such a setting, with a software made for anonymizing your activity. And well, potentially you will find a cross-site scripting and well, now the threat level slowly rises.
You have Tor, you have Tor, but the threat level rises, and if you potentially find a more critical vulnerability like a SQL injection and even a remote code execution opportunity, you'll see the threat level rises and goes up and up. And well, this is no longer very simple hacking. It gets more serious and you potentially even find some credit card information and this threat level has now risen to a pretty, pretty high level. And you know, once the threat level goes actually back rapidly and this is when we talk about prison, because once you're in prison, things have been settled and you can be sure that you won't get pursued again for this one deed. And basically when we look at this threat level, at the very first stage you should have already used a software for anonymizing you, because as the owner of the website you're trying to hack, they'll get aware of that activity and kind of start to trace back and they get suspicious. Yeah, so that actually happens pretty frequently. Like people say, oh, I found something and well, I look more into this and by actually using Tor. And the main point here is you should have used Tor in the main case, in the first case. So you could also look at the data privacy regulations that they have and maybe you have a right to be forgotten. There are companies that only save their logs for seven days. Maybe you just need to wait. So generally, be careful when being a data traveler.

Let's also place our friend Alberto from Uruguay, who in the afternoon was on his computer with his girlfriend and he was looking at a cloud and he said, oh well, health data. Have they got an admin? Oops. Oops. You see, that was the oops. So he wrote a mail to CERT Uruguay, the central authority of the country. This is about health records. And he received a very fast response by the director of the CERT. So they took this very seriously. Maybe this wasn't so dramatic because the hacker wasn't really about to do anything.
So this was maybe not that bad. For him, this was over. He had notified CERT. They had taken responsibility. They will deal with this. Alberto was to carry on with his life as normal. After one year, he realized that, well, they closed the admin-admin, but now they have unauthenticated file access. So maybe I'll just go and sort of notify CERT. Again, some time passed, about two years of silence. He had already forgotten about this. And then the company that has those health records, they get an e-mail from somebody saying, give us Bitcoin. And the person blackmailing them said that they had the health records. And if they wouldn't transfer 15 Bitcoins in a certain amount of time, they would go to the press and publish the information of all people who are HIV positive. I'm not sure the press would have been interested, but the police was certainly interested. You always need to think about the police. You can identify them by these hats. There is a star at the front of the hat, so you don't forget. So somebody wants Bitcoin now. And again, for a while, nothing happens. And then Alberto's door is kicked in. His house is searched. Again, brute force attempt, as we know it.

And now this happens. The police can't believe their eyes when they enter this apartment because they find so many interesting things that they will say at a later press conference about this and sort of exhibit all their findings. Looked like this in the picture. Stacks of credit cards, blank credit cards tend to not make the best impression. This is true for the supermarket, but also in your cupboard when the police comes around. Also, card readers. So they set this up very nicely. Cards, card readers, everything. The question would be if the police actually thought about OPSEC and maybe censored the credit card numbers, we're never going to know. And of course, what you find at any hacker's or criminal's house, what do you find, of course, the mask of Anonymous... They find the mask.
They also exhibit it. We don't have a mask with us. Strategic concerns and strategic money reserves. And... Very telling. They found Bitcoin. Very telling. And that's what the blackmailer wanted. So case closed. And one Bitcoin added up together. So, questionings, threats, police incompetence. And what Alberto does is confessing falsely, hoping that during the following procedures he would meet competent people, but that hope was wrong. He spends eight months in jail, in prison, and he is let out on bail at the moment. He's very sure that he didn't do this because after responsibly disclosing information, you don't send a blackmail. Especially if it says, please transfer 15 Bitcoins to the following account, without actually giving the account or the wallet number. So as we have poked some fun at Alberto, we actually contacted him and he had to say a few things and we welcome him to our video screen.

After spending eight months in prison, I have to tell you that I've learned many things. One of them was that I should know how to manage the truth. When, who, where, how much information you share are key elements in order to stay out of trouble. After hearing my story, people tell me that their learning is that they should not report security incidents. And for me, that is sad. Report them. I don't report them anymore because I was forced to and that is the way that I managed the truth in my case. I hope to be there next year and share with you the outcome of my experience, which is crazy. So guys, keep on hacking.

So the device that he was holding in the video that looked like an ISM jammer is just a very sad misunderstanding because the police hadn't taken it when they searched his house as well as 30 hard drives and he doesn't get those devices back because the police are saying that this would take way too much time to look at everything.
So what we learn is it kind of makes sense to keep 127.0.0.1 as a very clean and tidy space. In the wrong eyes, looking at some devices that are taken from your house can be trouble and they might just try some logins.

What else can give us away on a technical level? We've talked about how to incriminate yourself. Maybe people are too honest sometimes. But what are the threats that can get dangerous for us? I could say they're kind of a kind of metadata similar to fingerprints, as you can see here. Nowadays there are almost no things that don't contain metadata. The question how to avoid metadata and what can be done with metadata is very context dependent. So we always have to look at the context where the data was actually generated. So one of the most important things that you need to think about before even starting to hack anything: what traces am I going to leave? This is the part where we want to try to address younger people or people who are just starting out to hack things, to give you some ideas to think about: which devices, which software I'm using, what traces do I leave? If I'm just at my computer I'm going to leave traces. I have a smartphone that I'm carrying around with me. So where am I leaving logs? What are the identities that I leave? Even if I'm using pseudonyms or if I'm using anonymizers, and what technology do I use to stay anonymous?
Pseudonyms, cryptographic keys that are used on multiple systems, which is a bad idea, because cryptographic keys only exist once, that's kind of the idea. But if I just copy my VM, then some host names or keys might be the same, making it possible to trace back to me.

Logs are one classic. There are always strategists who have files in TrueCrypt volumes because they heard that this is better, but have enabled logging on their operating system level, which says which files were opened with what application. So the logs basically tell everybody what videos and files may be in the encrypted areas. And this feature, for many people this is just a feature they just want to have, you know, it's less work, you need to type less. This might actually break your neck if you just want to use this operating system to just hack around a bit.

The important thing is, investigators or people after you can create identities of you. Whatever pseudonym you're using, they can create profiles. They can analyze your coding style, your orthography, your pseudonyms and forums where you show off. The people looking at the devices that they took during the search of your house, they're just going to look at how you deal with a terminal shell. They can find out how experienced you are with the operating system, and also the coding style. So maybe if you leave back a functional extension to the kernel, this is going to be analyzed later, and there's software that does that, same thing as detecting plagiarism, plagiarized works. There's works about how to trace back binary code to the original author, basically to, for example, attribute malware. There are many things that you need to take care of and basically you need to find out yourself which tools you're using and which side channels they open, which kind of telemetry, and how can I turn it off.

There are the rules of the internet written by Anonymous. Nobody is really anonymous anymore, but we'll talk about that later. They have put down these rules to sort
of get the fuck out as one of the rules, one of the rules for the people who wanted to stay anonymous. Yeah, here we come to a, this is a nice fail of a hacker by the name of w0rmer, who posted a picture of his girlfriend's breasts and he was very proud. So even the police thought he'd sort of get the fuck out. So he took the picture with his iPhone and the photo included GPS metadata. So we award w0rmer the Mario Barth award for the most superfluous OPSEC fail, most gratuitous fail of course.

So how do we do anonymity in the internet if even Anonymous can't really do it? We don't want to be discovered. The problem is that our IP address tells a lot about our location, so we are looking for something that covers our IP address. So if we google that, the first thing we found is VPN service providers. Want to be anonymous on the internet? Just use a VPN. This advice is given often, so let's use a VPN. VPN provider, we connect to them, might be an OpenVPN connection or whatever. So this means that our original source IP address is covered and hidden and nobody on the server can know the servers that we then connect to. So then we go to our target, in this case it's an evil company that we want to hack, and they're like, what's going on? Weird traffic. It's a VPN endpoint. So what can we do? Are we secure now?
We just assume that the VPN provider is going to shut up and not disclose our IP address. We don't know them, we haven't met them. But so the idea was actually that we don't have to trust anybody. We don't want to trust anybody, because what happens at the VPN provider? We have an account, we pay, we make payments, so they're not going to offer this for free. So they're probably going to have our email address, credit card data, Bitcoin wallet, whatever. Possibly there are logs, but we don't know. Maybe the VPN provider just enables a logging option with the next operating system update, so this can happen. There can always be surveillance at the provider level, and the problem is we don't want to trust anybody. So we just start at the beginning. In this case it went wrong, so we're going to have to find a way where we don't have to rely on or trust anybody else. We just don't want to. And we also need a different target, so maybe some sort of alternative. In case you don't know, this is the logo of the German right-wing party Alternative für Deutschland.

So this time we're going to use Tor. You may have heard of that. It's kind of easy. The traffic is just going to go through several nodes, encrypted multiple times. You're sending towards the Tor entry your traffic, which is encrypted multiple times, and now the Tor entry knows who you are, but only in the message encrypted to the node it said which next node this traffic is to be passed on. This is going to be passed on, you can also configure this, until you end up at the Tor exit, and the Tor exit is going to do the hacking. And if the target looks at this, then the Tor exit is going to know where the traffic came from, but the middle node doesn't know anything, and the entry knows who you are, but the Tor entry doesn't know where your packets went, which way they went. So this is much better. You don't have to trust as many people because they just can't know, unless of course you're dealing with a global attacker or a global enemy, which is bad for you, but
just for your small data journey we don't have to issue travel warnings, unless you're too stupid.

So now we have the technical requirements to be safe and secure on the internet, but now our own intelligence comes into play, and this is the level where we need operational security. Before that we don't really need to start or think about OPSEC. This is also what a student of Harvard University thought, and they were not well prepared for the exams they had that day. So what do you do, how can I actually make this exam not happen? There are not many options. One of the solutions that usually works is a bomb threat, we all know that. Here are strategists at Harvard. He knows, they know how to use Tor, and they send their threat message saying in which rooms they planted bombs, of course including the room where the exam was to take place. So this reaches Harvard and what do they do? Of course they call the police. Look, they say, this has come over Tor. Dear NOC, just check if any of our students used Tor at the time in question. So of course everybody had to sign in by their names to the network, and this person got a free ride to the prison or to the police station. So if he hadn't signed on to the network and used Tor for this very limited space of time to write this email, this wouldn't have happened.

So let's continue with anonymizers. This is a topic that is very important to the public discussion: hidden services. So we're going to turn the whole anonymization network on its head. We don't want to be anonymous as an attacker, and hide our service in the net. So we make people reach us through Tor. So the police agent has to go through Tor and at some point the packets arrive at our node. So our packets are routed differently through Tor. So now we have a server on the internet that can be reached by many ways and it's very hard or impossible to find out where this server is actually located, always of course assuming that nobody controls the whole internet or we're just stupid. So we can prevent
some of that by not writing any logs on our hidden service. We don't use any known SSH keys. We only give a local network to our hidden service, caging it or restricting it to a 10.0.0.0/8, and only the connection to our hidden service is done by the onion router, so it cannot be connected to the internet like this. So even if it tried, if it tried to do a little ping, it could never escape to the big evil internet, as you can see on the left. So now we have our hidden service and we're very happy because the big evil internet can only reach us through Tor. If you know how to do this and have some ideas, this will take you about one or two days to set up, and then you can just become a drug lord, and now you can really screw up your own OPSEC again.

So to stay with the topic of the darknet: in Germany there was this guy who had built a forum and a marketplace. So running this kind of service costs money, so they asked for money to be able to continue to offer those services, and those donations were collected as Bitcoin. Just so, I have a hidden service, I use Bitcoin, I'm in the darknet, this all fits together very well. So what do I do? So now we need to exchange our Bitcoin at some point and get real silver. At some point you might want to actually have some euro. So at some point this anonymous money leaves the digital world and goes through a Bitcoin exchange and to your bank account, and in this case this is where it broke, because this uncovers your identity, because we're actually using a German provider, a German Bitcoin exchange. So it won't be any different, of course they will actually disclose information who is the actual recipient and to whose bank account the money went. This leads us to the Satoshi Nakamoto award for anonymous payments, or, this was a very well thought out donation platform. And what's interesting about this case is that there was some clean police work. No, they did the work without any, without prohibiting anonymizers, without saving data. So there were weapons
traded on this platform, and they say that the police in this case, and they always nag about that they get no data anymore, that they need more, have actually done good work in this case without surveilling us all the time. Pretty nice, right? So we can all say anonymous, right? So we get some nice metadata.

All right, now move on to Wi-Fi. Who's using Wi-Fi in this room actually? Well, they used to say that you should go to coffee places and use their Wi-Fi to do hacking. Well, Wi-Fi is not only anymore in your own apartment, those signals are spreading way, way further, and some Anonymous members got to learn that the hard way, because in front of his house they placed a van to observe his network and just see when there was a lot of activity. Even encrypted, they just traced the amount of traffic, when is there activity, and by knowing this they were just correlating activity to other occurrences, and it turned out that was the case. And by knowing this volume, this activity amount, they were able to kind of trace those deeds back to him and imprison him. So Ethernet in fact is also part of OPSEC.

Another killer for anonymity is the possibility of a smartphone, and with its functionality like Bluetooth and so forth it's also leaving traces. There's actually marketing companies that offer services to track MAC addresses of devices, and every time you basically venture out and walk around outside, you are leaving traces with a mobile phone. But actually you can change your MAC address, right? Yeah, that might be true, but your phone is not simply on, and it doesn't only know all the different Wi-Fi networks you're using, and even though you're changing your MAC address from time to time, your device is sending out the probes of the different SSIDs that it has been logged in to. And you might not count on that, but with this information, these probes, it's pretty easy to identify you because you have a very unique profile that
you're leaving out there. Well, actually I think we got someone just looking on the street who has been in the darknet, so kind of really unfortunate here. So this is very unfortunate. The manufacturers of devices try to get rid of this by randomizing the MAC addresses, but just by logging into different Wi-Fi networks and by leaving those traces it's pretty easy to identify you. So what's the main learning here? If you don't want to get tracked, then simply switch off your Wi-Fi capabilities once you leave your apartment, or when hacking something, which might occur.

So let's move on to the next case. You know, sometimes I'm actually doing consulting and this is an example from my work. This is a case of people who voluntarily trains, they volunteer their time and are interested in judging their actions, and actually they had mobile phones that they only use when on site for the client, which seemed nice when coming up with the idea, and they in fact only use it on site at their clients. And you know what, the police actually traces those different areas where mobile phones are active, and they realized, see, they simply traced the activity in the area where those people were active and were simply able to manage those guys because they were just waiting for the live tracking to show up the phone numbers that in the past occurred in the context of those sprayings. A quick disclaimer, this is not actually related to my clients, like this is from a random group of sprayers. So what happens after such a finding, such a case? The names of those groups, they are being actually connected to individuals, and at some point there'll be a day, like in five or ten years, you might be able to trace all those activities back to one person. Like profiles are being created in the background, and you know, the more often you do this the riskier it gets, and you know, if you've done it 19 times and it always went fine you think like, okay, it's gonna be fine again in the 20th occurrence, but
actually that might be not just the case, and some organizations actually in the digital realm.

Well, the first lesson overall is you should know your device and you should be able to use the tools that you're using. You should master them, not simply just download a tool that somebody recommended, and somebody who has read something about it. Really know your device, deal with the technology, know the technology and use the one that you master best. For example web browsers, it's a pretty important topic. Like lots of web applications and lots of services you actually need to explore by using browsers, and today actually it doesn't matter what browser you're using, they all have certain vulnerabilities or certain issues. For example Mozilla, they have a very popular extension installed and this extension changes the ownership and this new owner is simply adding a tracking feature, which happens in cases. This can quickly reveal your identity and be a risk, so always question what actually happens when you update an extension. It's worth looking at the ad business, the ad industry, they're really good at tracing people, like browser fingerprinting and all that stuff, lots of different approaches to profile people. Comparable to those Wi-Fi probe requests used for profiling, the same actually applies to browsers. So be aware of this, and how about using profiles that you can discard once you use them, or erase the data once you use them, set up a new operating system from time to time, and be aware that certain data leaks of those browsers are patched as quickly as possible.

And well, another advice here is really disconnect things that you can disconnect from each other, like separate services, and minimize the risk. And as an example, use one computer with the, it's like your hacking workstation on the left, like with different software installed and different measures that prevent data to be leaked. There might be still data leaks that Whonix can't prevent, but it's overall at least
minimizing risks of data being leaked accidentally.

So your devices, let's have a look at your devices. Don't let people tell you certain things, don't follow advice by people regarding certain operating systems. You should just use the system that you are well accustomed with, that you know well, you master that system, and that's basically the way to go. And laziness actually is also a pretty big killer of anonymity. Like you gotta look into the future when doing OPSEC. I'm using Tor no matter what, like even if I'm doing simple online shopping, just to be sure to not leave any trace due to laziness. You never know, there might be a target server that is blocking Tor exit nodes, you know that happens from time to time, or CAPTCHAs are just simply more and more a pain once you use a Tor exit node, and those are all measures to basically get you to a point where you switch off Tor and for a moment not conceal your anonymity, and this laziness might actually cost you your identity.

Well, in the future we might see canaries more often. There was a talk actually last year on canaries, on canaries and embedded devices. Well, it's basically any certain patterns that are being left and that are being monitored for, like if somebody is googling for those patterns. It's comparable to like a honeypot approach with a database with certain data inside and an attacker that is using this data later on in a different setting, like researching the patterns in my honeypot data, trying to gauge the worthiness, the value of the data he obtained, and those approaches might also be pretty dangerous for anonymity and revealing your identity. So always be skeptical, be aware that there might be traces and people are trying to get at you and actually place traps along the way. You know, in other cases somebody is installing this smart meter, or it's coming along with a smart meter. This is the device, this is now being installed as we speak in the digital-first euphoria, and well this is
actually collecting lots of data, but I mean no worries, you know, it has been certified by an authority, like the German internet security authority, so no worries, right? But nevertheless we recommend to not use those kind of devices and we're pretty skeptical what more devices will come up in the future that reveal lots of data.

Well, it's also worth looking at yourself and your characteristics. Like are you lazy, it's like you're kind of not skeptical enough if things have turned out well after 19 times, you just trust things that turned out positive in the past and you just make assumptions like nobody will look at this log because nobody has looked at it until now. And always, always ask yourself if this is actually a good approach. And you shouldn't spread too much information, that's something we talked about earlier. Like if you go out partying, are you a person that likes to brag, to talk about your great achievements? So this is also a pretty big weakness for your anonymity.

Well, let's look again at some kind of features and your way of conducting yourself. It's like your grammar style, it's your way of writing in an online forum, technical skills that are pretty unique that only a few people have and showcase, and investigators will look at those kind of unique skills and try to trace them back to just the few people having them, featuring them. You might leave along something along the way, certain functions and things that simply stay on the machines that you have been on, and those things are being traced back to you, and investigators are looking at this very thoroughly.

And in addition to that, just take a deep breath, try to do these things a bit more discreetly and at the rate of, don't brag, don't make illusions, don't be overconfident, it's one of the most important points. Also this money question: don't be greedy, money is not going to make you happy anyway. I believe that if you've been hacking for years this is a very dangerous thing, to become overconfident
act like you recommended to act to your parents: don't click any links that are sent to you by spam, don't click on any attachments, and don't be silly, careless. One of the telling weaknesses is a case from the context of Anonymous, so he has a kid and a family and is liable to be blackmailed and pressured and might just tell about you.

This is Phineas Fisher. Nobody knows what they look like, nobody knows if this is one or more persons, and the pseudonym is somebody who hunts Trojans, owned Gamma, Hacking Team, and all investigations were dropped because there were no traces of this person or this hacker, and we want to give the hat tip to this person of course.

So our conclusion: pseudonymity is not anonymity. Don't tell about your plans. Never be in a situation where you have to trust somebody. Be paranoid before and not after the fact. Know your devices. Separate activities and devices, makes a lot of sense to have a variety of devices, especially if you're searched like Alberto, if you have many devices they only take parts or some of them, you might be left with some other devices. And don't touch cybercrime, there were people who are better than you and didn't make it. Forget about Bitcoin, it's dropping, so just leave it be. And then we only have one thing left to advise you: never hack without a ski mask and not without ethics, and there was a talk about an introduction to the hacker ethics on the first day. Just save yourself some trouble, work on the light glowing side of the force and you're not going to be in trouble. Thank you. I have one too it's going to be fushing again it's going to be