Okay guys, let's start our next talk. We have ... here, so give him a big applause, please.

Okay, everybody hear me okay? Good to go, cool. So, speaking today on operational security lessons from the dark web. A few kind of mandatory disclaimers before we proceed. The usual: views and materials presented here do not represent those of my employers, past, present, or maybe future. I'm going to be talking about a number of dark web related criminal cases. I'm not discussing guilt or innocence; what I'm going to be discussing is evidence that was provided, what operational security mistakes that outlines, and how to apply it for other enterprises.

Also, not going to be really discussing much the topic of parallel construction. For anybody that doesn't know, parallel construction is a practice used by law enforcement where, if they are either unwilling or unable to divulge how information was gathered, say by NSA surveillance, that sort of thing, they will essentially construct a parallel explanation that will be presented in court as to how the information was gathered.

A little bit about myself: about 25 years in technology, shifted to security about 10 years ago, have done a wide range of public and private sector work, everything ranging from two-person software startups up to multinationals. Currently working in the DC area, and as you can see, I have the cutest dog in the world.

Goals of this talk, as I mentioned: a little bit examine a number of criminal cases, what mistakes were made, and how the lessons learned from those mistakes can be applied to non-criminal activities.

Starting with probably the most high-profile one, and I won't go into kind of the build-up to the case that much, and that's the Dread Pirate Roberts Silk Road case. It's been in the news a lot; most people are probably familiar with the case, at least at a high level. Ross Ulbricht was arrested at a library in San Francisco while working on his laptop. One of the primary security mistakes made there:
He'd chosen to work at a library, use their Wi-Fi, makes sense. He was sitting at his table with his back to the room. Couldn't see anybody come in, couldn't see what was going on. The FBI agents that were there to arrest him thought they probably needed to make sure they could get his laptop before he could lock it. So they had a couple of FBI agents essentially fake getting into a screaming argument. He, we'd all do this, you know, looked up from his laptop, looked around. There was someone standing almost right behind him; before he knew it, the laptop's in their hands. They take it back, they image the laptop. He had encrypted the drive on the laptop, which would have helped if he'd been able to keep the FBI from getting to it before locking it.

One of the things he was accused of was ordering, it was either five or six, murders. All of those were arranged through relatively anonymous means; at least one of the quote-unquote hitmen turned out to be a DEA agent. I'll actually talk about him later. In that instance, they actually faked the murder of the person in question. To the best of everyone's knowledge no murders actually occurred; payments were made, but no murders actually occurred. There's an old New Yorker cartoon that probably everyone has seen that says "on the internet, no one knows you're a dog." After this, I'm considering there should be one that says "on the internet, no one knows you're not actually a hitman."

So the FBI was able to successfully image his laptop. He had copious documentation on Silk Road activities on the laptop. He had a personal journal on the laptop spanning many years that detailed his plans for Silk Road, detailed activities on Silk Road. Also had a large volume of chat logs between him and other administrators on Silk Road that were stored on his laptop completely unencrypted.

Interestingly enough, in the very early days of Silk Road he made a post.
I don't remember where it was, using the handle Altoid, basically saying "hey, has anybody heard of this Silk Road thing? I think it's pretty nifty." Kind of, I guess, very early guerrilla marketing of Silk Road. He then later on needed some pretty basic coding assistance, posted to, I think it was a Stack Exchange site, something like that, under the same handle. But whatever board he was posting on to ask for programming advice automatically made public the email address that you had registered the account under. His email address that he used to register the account in that case was rossulbricht at gmail.com.

Some of the initial suspicion around him actually had very little to do with Silk Road itself. He ordered, I think, nine fake IDs from a shipper in Canada. Very high quality fake IDs. They were shipped; the package set off some sort of alarm bells for Customs and Border Protection. They opened the package, they discovered what was inside. He had requested that it be shipped directly to the house he's living in in San Francisco. They showed up, knocked on his door, said "we'd like to have a little chat with you." Weren't there to arrest him, just wanted to have a little chat. He said "no, absolutely not," slammed the door in their faces, which is entirely his right to do. But maybe shouldn't have had the IDs shipped to his home.

I mentioned earlier I wasn't going to talk about parallel construction. I'm gonna make myself a liar for a moment and talk about parallel construction a little bit. One of the things the law enforcement agencies investigating needed to do was try to find the actual servers in question. One of the back-end servers they were trying to find turned out to be in Iceland. The official story on how that was found was that that server was misconfigured, so everything was served via Tor except the captcha on the login screen, which was transmitted over the regular internet.
Rob Graham has a really good analysis of that, points out why it's actually likely that probably wasn't what happened. But the thing he does point out is, through analysis of the evidence the US government released, the server in question was horribly insecurely configured. His theory, which makes sense to me, is that the server was actually found through widespread internet scanning by the NSA, looking for a couple of things that could link this server back to Silk Road. The server was allowing regular internet traffic; it just wasn't necessarily through the serving of the captcha.

So some lessons learned from this case. Configure systems securely. If you're doing sensitive work and you need, for whatever reason, to hide what you're doing, don't reuse your personal identifiers. If you need to ship something securely, think about using a mail drop, something like that. Don't have it sent to your home. Also, don't send it from your home, which I'll get into a little bit later in one of the additional cases. Know who to trust. Now, this is a very difficult problem when you're dealing with an environment where people are at least somewhat anonymous. I mean, how do you find, well, I guess the question of how do you find a hitman you can trust, period, is a big one. Do you ask for references for a hitman? I don't know. But how do you find a hitman you can trust when anybody can claim to be a hitman and you have no way of knowing if they are or not? This obviously goes a lot deeper than just hiring people to assassinate other people. Be aware of your surroundings. As I said, if you're in a potentially hostile, physically hostile, environment, don't sit with your back to the room. And also, if there is a commotion and you need to look up, shut your laptop. And if you're doing sensitive work, as much as possible, don't document your activities. You're just providing basically free information for whoever your adversary is, be it a nation-state, whatever.

Next case I wanted to look at is someone that went under, well, several aliases; the primary alias is Willy Clock. Young gentleman in Uganda; legal name Ryan Gustafson. Had a pretty successful counterfeiting operation, which was discovered after someone was found trying to buy a three dollar and eighty-five cent, I think, cup of coffee with a counterfeit hundred dollar bill in Pittsburgh. Managed to trace back.
They thought it was to Uganda, not sure who it was coming from. He, again, we see this a lot, reused a personal email address. For one reason or another, I still don't understand why, for his Jack Farrell alias he set up a pretty full-fledged Facebook page. The email address he used for that was the same email he used for his passport application for a legitimate US passport. In addition, he put a profile picture on this fake Facebook page. Okay, you know, makes sense; if you're creating a Facebook page you want to make it look as realistic as possible. But he used a photo of himself that they were able to match via facial recognition to his State of Texas driver's license. I have two issues here. If you're doing something like this, why are you creating a Facebook profile for your alias? And given that you probably will never be meeting people in person under that name, if you have to make it look like a convincing person, just pick a random photo of somebody. So again, we have the don't-reuse-identifiers issue, and if you're trying to set up a cover identity, for the love of God don't use your real photo.

This kind of now loops back to the Silk Road case. This is, appropriately enough, the fake hitman who turned out to be a DEA agent. Was incredibly corrupt; among other things ended up stealing hundreds of thousands of dollars. He was in contact with Dread Pirate Roberts under the alias Nob; that was a legitimate part of the investigation. He also, however, created two additional handles to communicate with Ross Ulbricht: French Maid, and then one called Death From Above. Neither the French Maid nor the Death From Above handles were part of the official investigation; they weren't endorsed by the people running the multi-agency investigation. He communicated as both French Maid and Death From Above using his DEA work laptop. Not only that, using his DEA work laptop that was set up, because it was being used for the endorsed communication as Nob, to be monitored.
It was set up to log everything, so they have literal full video recordings of all of his communication pretending to be a hitman, trying to extort money out of him, so on and so forth. As I mentioned, he ended up attempting to abscond with a pretty large amount of money. He transferred all of that into bank accounts that were in, let's just say, locations with not super strict banking secrecy laws, and he set them up in his own legal name with his full legitimate contact information: home address, phone number, you name it.

So again, we kind of keep coming back to things around segregating your activities, whether it's don't reuse identifiers or don't use a device that you know full well is going to be monitored to conduct sensitive operations. Additionally, if you're needing to communicate with somebody you don't want traced back to you, consider the use of aliases, although once again, maybe don't use your personal photograph if you're creating a social media presence for that.

Next case we're going to talk about is Shiny Flakes. This was a pretty large-scale drug trafficking operation based out of Germany. It's run by a 20 year old, actually out of his childhood bedroom. When police arrested him they confiscated about 48,000 euros in cash, 320 kilograms of various drugs, and reportedly, all this is somewhat debated, about 325,000 euros in Bitcoin. That then led to 38 additional raids following that arrest. He's since been convicted. One of the big mistakes that he made was almost every single shipment of drugs he sent was sent from the exact same DHL Packstation; it was DHL Packstation 145, relatively close to his home.
It was in a location that was under ongoing CCTV surveillance. Once they figured out that that's where the packages were coming from, it narrowed down immediately what sort of area they needed to look in. The other mistake that was made was encryption, or actually the complete and total lack thereof. He stored all of the information about customer transactions, plans for what he was doing, all that information, in an unencrypted format on an unencrypted hard drive on his laptop. Again, kind of linking back to Silk Road, he also had all of his plans for his activities, as well as an unencrypted list of all of his logins and passwords for all of the various selling platforms he was using, all that sort of information.

So lessons learned: if you're shipping something sensitive, if you're for instance a whistleblower and you need to send a large volume of paper documents to a reporter, maybe split those up into multiple shipments and scatter where you're sending them from. Encrypt your data, and again, for the love of God, don't document your activities.

Very recent case was AlphaBay, which kind of became one of the successors of Silk Road and pretty much dominated the marketplace, mostly in the area of selling and purchasing illicit substances, following the shutdown of Silk Road. Servers for that were located in Quebec; the alleged administrator was living in Thailand. I say alleged because there was very good evidence against him. He chose to take his own life while awaiting extradition to the US. That was shut down this month, I think July 4th of this year. At its peak they estimated that AlphaBay was making between $600,000 and $800,000 US in revenue. Again, welcome messages and password reset messages for AlphaBay were sent using the administrator's Hotmail account, which was, I think, his name is Alex.
I think the email address was pimp alex, then a numeric string, at hotmail.com, which he also used for lots of other personal communication, that sort of stuff. Again, lesson learned: segregate your activities and your communications methods if you're performing some sort of sensitive activity.

One last case that I wanted to talk about, and this was a number of years ago. It's a little different in that it's not actually a dark web case; this was all performed on the clearnet. The arrest was made in 2014. Gentleman from Russia by the name of Roman Seleznev. Went under various handles. What he would do is essentially, when investigators got close, he would shut down operations and open up operations immediately on carder forums under a new alias. One of the ways that they initially started suspecting that it was the same person is he would start up under a new alias on a carder forum and immediately be elevated to the highest trust levels, which normally you wouldn't see in that sort of environment for a new seller. He was arrested in 2014, as I said. He was on vacation in the Maldives, found with a laptop with just under two million stolen credit cards on it. So, as I mentioned, the sites that he ran for selling stolen credit cards were on the clearnet. When he registered the domains for those, he used his personal email address. Most of the sites were served from a server from a provider in McLean, Virginia. He also used that server as basically his workstation.
He did things like make travel plans, order tickets, order tickets transmitting his passport number, those sorts of things. And again, like we saw before, his laptop had a large volume of plaintext passwords for his sites, that sort of thing, just stored unencrypted on the laptop. Again, I'm apparently just gonna keep hammering this point until I'm done: don't document your activities unless there's a really good reason for it. And again, segregate your activities. If you're using a system for sensitive activities that you don't want traced back to you, maybe don't use it to buy airplane tickets for you and your wife to go on vacation. The email address that he used for registering the websites was also used for registering a PayPal account for himself and sending his wife flowers, which is a wonderful thing to do, but maybe use a different email address for that.

So, that ended a lot quicker than expected. In conclusion, kind of a summary of the common lessons learned we see here: configure systems securely; know who to trust, which obviously in an anonymized environment is very difficult to do, I don't have any solutions on that, if someone does I would love to hear some ideas during the Q&A section; always be aware of your surroundings; don't document your activities; encrypt your data; and again, segregate your activities and communication methods. Questions, comments?

Can you... the last case, with the... yeah, you mentioned he got elevated to the highest level of trust.

The assumption is that he knew people. When he would set up a new identity on a carder forum, he already knew people on those forums; again, they did have established trust relationships. And typically how it works on a carder forum is you register with a relatively low privilege account, and until you can provide, you know, X number of stolen credit cards or something like that,
they're worried you might be a Fed, so they're not going to give you access to everything. So, you know, my assumption is that he communicated with, you know, administrators of the forum, said "hey, this is actually nCuX," and they said "okay, can you prove it?" and he did whatever to prove it, and then they said "okay, we'll bump you up to the top."

Yeah, in the case where he was shipping from one DHL station, yeah, so would the recommendation just be to, like, drive out, use a different station?

Well, I think the recommendation is actually not just drive out to a remote location, but a number of remote locations. You know, using the whistleblower example, because, I mean, you're all free to do what you want to do, but I'm kind of focusing this on non-criminal enterprises. Using the whistleblower example, you know, you have 10 reams of paper that you need to get to a reporter. Maybe, and I'm just picking, you know, a number at random, maybe split that into 10 separate shipments. Not necessarily drive to, you know, 10 cities each 100 miles from you, but, you know, a couple of different towns, maybe one a bit remote, that sort of thing.

Like the timing of when these users were active, was that one of the factors that led to them being taken away and captured? So what would you recommend for, like, defending against correlation attacks? I know that, like, using encrypted traffic in a public place is often suggested.

Yeah, it can be, and, you know, this kind of touches on the whole parallel construction thing that I referenced earlier. You know, the concern obviously, depending who you're worried about, is, you know, do you have a nation-state attacker that is going to be able to easily break whatever transmission encryption you're using? I think probably the best thing is, you know, I go back to the Ross Ulbricht case and him being arrested at the library. I honestly think him working from the library was probably a pretty good idea. Him not being aware of his surroundings was one of the things that led to his conviction. But going somewhere where you can essentially hide in plain sight along with a lot of other traffic, coffee shop, library, that sort of thing. But again, I mean, this kind of comes back to the shipping issue. You know, if you always go to the same Starbucks that's two blocks from your house, yeah, you're gonna be somewhat hidden in the other traffic occurring at the Starbucks, but it's not that difficult to go "okay, so we watch everybody at the Starbucks and we think it's this guy, now what is he doing?"

Yeah, yeah, and mixing up the locations, as I referenced.

Always different, can, entirely different computers?

If possible, yes. But I mean, at the very least, different, very different computers, different logins, you know, different, use different email addresses. You know, in almost every single one of these cases one of the pivotal things was the reuse of a personal email address.

Yeah, I mean, there's certainly some advantage in that, although you do run the risk of, so now they see that there's, you know, at this location there's basically two different traffic flows. They still know that one of them is whatever sensitive activity you're performing. Again, I come back kind of to that hide-in-plain-sight strategy. Anyone else? Okay. Thank you very much.