Think Tech Hawaii, civil engagement lives here. Welcome back to the Cyber Underground, I'm your host, Dave the Cyber Guy, Dave Stevens. I teach at Kapi'olani Community College for the University of Hawaii out here on the Island of O'ahu. And with me today, Hal the Network Guy, also assistant professor IT and Cyber Security at Kapi'olani Community College. Welcome back, brother. Thanks. It's good to have you here. Let's talk about great cybersecurity stuff. Today we're going to go low tech and we're going to talk about open source intelligence, which anybody can get, and it's tremendously valuable. But before we do, let's do a lead in story. And this one cracks me up. This is great. I've been saving this one up. I am in favor of low tech hacks because there's advanced artificial intelligence out there. There's networking systems and intrusion detection systems and prevention systems and firewalls and all these rules for these advanced sophisticated attacks on your computers. But low tech bypasses all of that. That's why social engineering techs are so good because there's a human involved and we're low tech. We're not the terminator. We're the exact opposite. And this is a low tech hack that somebody pulled off with the lowest tech I can imagine. This is superior. Unfortunately, he was a little sloppy. He's probably going to jail or at least be on probation for a while. So this involves one of those times when people say, hey, this seems like a dumb thing. Why do we do it this way? And the response is because we've always done it that way. This story is a perfect excuse to send back to those people and say, this is why you should reexamine your process. UPS, the biggest shipper in the world besides maybe FedEx or Matson or Maersk, right? They're up there in the top four or five shippers in the world. Their headquarters is in Atlanta. Well, there was a young man who lived in Chicago who thought, I want all the mail being delivered to the corporate office of UPS.
So he went down to his local post office and filled out the change of address form. I'm going to let that sink in. Just for a second, let's think about that. He filled out a form by hand to change the address of the corporate headquarters of UPS to his apartment on the, I don't know, the fifth floor apartment building. And he filled it out at the bottom. He signed his initials, HS, and then he scribbled them out and he put UPS. Apparently that was good enough. Someone at the USPS, the Postal Service, said, okay, let's reroute the mail. And for three months, they took buckets full of mail and set it outside his door at this apartment building in Chicago. Wow. Can you believe that? I have to believe that. Now this is personally identifiable information, PII, that's been shipped out to UPS from different vendors, HR, legal, all the personal identification numbers, all the personal information about the company, all the legal documents that they have to sign, all the confidential information and checks to the company, which he deposited for some total of $58,000. How we got them in the bank, that could be a whole nother show, how they pulled off that low-tech hack, how did he cash $58,000 worth of checks not written to him. Neat trick. Let's talk about this. This is a low-tech bottom-of-the-line hack, and for three months it worked perfectly. And that one mail carrier says, why after all these years delivering mail to this apartment am I delivering buckets full now, all labeled to UPS, corporate headquarters? I've used that change of address form for the post office multiple times. And I have kind of learned a little bit to myself, is there any kind of verification? Because it's really not. You basically filled out the form, like you said, handed it to them, and if it looks okay, then they followed through on it. This is a way you could harass somebody, have their mail shipped to another address. Right? Stalk somebody by going through all their mail. That's right.
Just have it brought to your front door, or to a mailbox where no one really checks to an abandoned house or to a house that's on the market, but no one's living there. And you could just go and get all that. I'm thinking this could lead to a more sophisticated hack. When you hack someone's credit card and you go to, say, Amazon.com and use their credit card online, and you have all that stuff shipped, you don't want to ship to your personal address, so you could use this hack to help you out, right? Use the change of address form to a house that no one's living at currently and get all that stuff shipped there, because Amazon doesn't care, UPS doesn't care. They're just going to drop it off at the door, right? Especially if you say, drop it off at the door. Here you go. And then you just go in the middle of the night or something and take it and walk away and nobody's the wiser. Wow. Low tech hack. Why go high tech when you don't have to? You don't have to. I mean, it just makes you wonder, why would I have to put in so much effort when with a little bit of common sense and reasoning and using the systems that aren't really being updated on a regular basis? Just take whatever you want. And that's what this kid did. I just thought that would just make us think about, I mean, okay, audience, think about this. I filled out a paper form and I got all the mail from UPS corporate headquarters shipped directly to my front door. Please tell me this is not making you just laugh hilariously. I mean, even without smoking a joint, you're laughing like crazy right now because this is the dumbest thing I've ever heard. Thank you, United States Postal Service, for checking that out before you switch a corporate email address or sorry, physical address to someone's apartment in Chicago in a whole other state. They didn't even realize why they're now going to LA or Illinois, sorry, Illinois. What do you think about that? I mean, who should have checked?
Who would have been the first one to check the guy with the form? I don't know the process, but I've always kind of wondered where the checks are because as I said, I've used it and there seems like there was never any. No one ever called you. Any verification that I was actually, I mean, my name is on it, but I guess if you put a corporate name, if you put a business name, then even more anonymized. You don't even have to put your own name on it. Usually what you do is just change the address. Right, and he signed it UPS. Someone must have thought that was... There's a person named UPS who owns UPS and... With those initials, Ulysses Pendragon Sylvester, it's something weird, right? But wow, they did it with a piece of paper and you're right, and all they asked were like six months, right? And then they'll ship the stuff back. So conceivably, if he'd gotten away with it for six months, the mail would have returned to its original address, and he would have gotten away with six months' worth of mail, and that would have been hard to track down, right? I mean, you'd think in three months, UPS would have thought we're not getting a whole lot of mail. You think that eventually somebody might have noticed that, especially if they weren't getting checks to the company, they might miss those. Yeah, or security checks. There could have been personnel reports coming in there, and this person has them all, so we expect that to be on the dark web very soon. It just goes to show when you think of hacking, people immediately think of high-tech hackers, and they kind of discount the low-tech. Right, they think of hacking a network or a Wi-Fi or an actual physical computer, but when you think about hacking a process, that's the security, right? You can encrypt something, right? But if it's not end-to-end encryption from beginning to end, there might be holes in there. It's the process, it's not the encryption, it's not the technology, it's how you implement it.
That's the important part, right? We were just talking about faxes and how it's assumed faxes are, how did you put this? They're secure because it's an end-to-end analog transmission, the old school phone line, right? But we do eFaxes now. And a fax machine is often shared, I know in our office at the school, there's a fax machine that's shared by everybody. If something sensitive showed up there, I could easily walk by and pick it up, even if it wasn't meant for me. It's just sitting there waiting for someone to pick it up. That's why I don't enlarge it. All our syllabi say, here's our fax number. Don't put anything personal on this just in case. It's the same with governmental operations, though. I've actually been in places, and I won't tell you where, that the fax machine's sitting in the middle of the room on the floor, and it's shared between lots of people so anyone can walk up. And I guess the assumption is all those people are responsible individuals and won't take anything that's not there, right? But that's not secure. And now eFax, if you were to send an email to an eFax service, it gets converted to a paper fax and sent to a phone line fax. However, in the process of converting that fax, the eFax, it goes to a website. And that website has to store that information for up to six months. Some of them store for up to a year. And they're not HIPAA compliant, SOX compliant, NIST compliant. They follow their own rules. There's very few of these eFax services, I've been looking at them, very few of these services that will store them and attest to their security while they're being stored online, making another hazard of transmission. So if you open a company and you have to use eFaxes and you want to save money and not have a fax machine, you've got to think about your data at rest. I don't know the whole answer to this, but could you put a fax machine on an IP phone?
Then it would no longer be that dedicated analog transmission that you were talking about. I don't know if it's. Well, then you have a network hack. Yeah, then you have a network packet, right? And then you can get, Wireshark could probably get it for you. You've got to encrypt it. OK, well, let's change gears now. Let's go to open source intelligence and talk about what open source intelligence is. What's your understanding, open source intelligence? Open source intelligence. Well, two things come to mind. You could be thinking about open source tools that are meant to help collect intelligence. But I believe the way that you're using it, you're talking about just information that is out there that is really accessible to anyone using web browsers and search engines and, again, fairly low tech type stuff. But it's amazing how much information can actually be gathered by just using Google and some of these open source publicly available tools, if you set your mind to it and just spend a little time searching on somebody. There's commercially available stuff, too. And we just got, well, we're in the midst of swimming through the swamp now with Facebook. Now, they had a commercially available application programming interface, which is an API. And you could sign up to use that API and search through data that Facebook didn't consider necessarily confidential. So they would hide your Social Security number, but name, address, sometimes your phone number. If you signed up saying you can give this out and people can find me by my phone number or email address or my physical location or where I work, my job history, because they just initiated a job site, you could gather all that through this API. You could write a script to gather all that. And that's what Cambridge Analytica did. And they got millions upon millions of records, personal stuff that we didn't expect.
And both Facebook and also Google, I believe, now have an interface where you can log in and you can look at the data that they have on you. And I guarantee people will be amazed if they go ahead. I read the Facebook to see what they had and I was just flabbergasted at how much information they had gathered just from what sites I had gone to, what things I had looked at or clicked on, things I had liked. It was just amazing how much and how far back it went. And Google has the same thing. They have a file on everyone and they just collect everything that you do and they build this profile based upon your behavior, which sites do you visit. What kind of person you are. Things do you click on, yeah. Now, did you have the app loaded on your smartphone? No. So I had the Messenger app on my smartphone. I had the Facebook app on my smartphone. And what I found was it collected who I called. Who I called. But it must have said that when you installed it. You know how they list what it needs to access. It's in the terms of service. People don't look very closely at that. If you're installing Facebook and it's asking and it's saying it needs access to your phone, why would you need that? Facebook's not going to call me, why would they need it? This is why, because now they can track who you call. And your phone book, right? If it wants all your contacts. So that's a miniature database inside your smartphone or on your computer that it can search through and see if there's any of those email addresses or phone numbers that's registered from other users in Facebook and they can build a linked profile of those types of people. Are you in the Democratic Party? Are you in the resistance movement? Are you part of the Me Too movement? Twitter's another one has a tremendous amount of information about your personality, right? Because whatever you hashtag and whatever you're posting and whoever you follow, those are your personality types. 
Unless you're trolling Trump to try to say something bad. But I would imagine if you're doing that you get one comment and then they take you out, right? I would imagine, okay, we're going to go away for about a minute and we're going to come back after we pay some bills. And when we do, let's get back into open source intelligence and find out what you can really do with OSINT. We'll be right back until then, stay safe.

Hello, everyone. I'm Yukari Kunisue, host of Konnichiwa Hawaii, the Japanese-language broadcast that Think Tech Hawaii brings to you in Japanese. We air every other Monday at 2 o'clock. It's a program that brings helpful information, news and more to the Japanese-language community in Hawaii, with invited guests. Konnichiwa Hawaii, every other Monday at 2 o'clock. Please watch, everyone. This was your host, Yukari Kunisue. Aloha.

Hi, I'm Pete Mouginis-Mark. And every Monday at 1 o'clock, I'm the host of Think Tech Hawaii's Research in Manoa. And at that program, we bring to you a whole range of new scientific results from the university, ranging from everything from exploring the solar system to looking at the earth from space, going underwater, talking about earthquakes and volcanoes, and other things which have a direct relevance not only to Hawaii, but also to our economy. So please try and join me 1 o'clock on a Monday afternoon to Think Tech Hawaii's Research in Manoa. And see you then.

Welcome back to the Cyber Underground. Today we're talking about open source intelligence. I have here with me Hal, the networking guy. Welcome back. We're back and let's do the last half of the show. Let's take a look at something that I found very interesting. Now, when you go to open source intelligence, we've got a list here. This was a presentation that I did for the American Society of Industrial Security a couple of days back. And they want to know about open source intelligence. And I loved giving this presentation because I scared the absolute crap out of all of them. Physical security guys sometimes don't understand some of this stuff. And physical security, as you know, is becoming highly integrated now with network security.
Because we have IP cameras, webcams, digital security locks, fences and stuff like that, all the automated systems. And so the physical security guys are no longer incorporated into facilities management. They're actually in the IT group now, which is kind of weird. But they don't realize some of this stuff is so easy to find. Let's do an example of a huge organization that put out a publicity photo. They kind of gave away too much, in my opinion. And we used Google hybrids images for this and Google Earth and Google Maps. And I combined those three to take this shot of a missile if we can get the missile up there. And there it is. This is a, look at us. We're so glorious in the United States. We have this missile that we can fire and it's buried underground in a secret location. That's this photo from the DOD. And if you look there, I'm actually from the place where this landscape is. So I recognized that terrain is called California Chaparral. That's the undergrowth all over there. The tree in the foreground is a certain kind of tree that you can look up and only has certain elevations and certain parts of the state it grows. And you can see in the background, we have some structures on the right and there's a coastline. You can barely see it's a low-res image, but there's a coastline there. So that's on the Pacific coast of the United States. It's a nice bright blue if you see it in higher res. You can see the roads as well. So I can see where the roads are headed and the terrain and the coastline and I can search Google Maps and Google Earth, which is free, right? And I found out that's Vandenberg Air Force Base, California. So if they were trying to keep that secret, it didn't work. And then I went further and I went to the Congressional Budget Office, CBO online, cbo.gov. And I looked up all the expenses from Vandenberg and I found that missile or that type of missile. So I know what type of missiles they store in that bunker at Vandenberg Air Force Base. 
And it's all open source intelligence, freely available to anybody. I didn't use any special tools. I didn't have to be a hacker. I just went and asked the question. Oops. Yeah. And it goes to something I tell people quite a bit. When they say, well, I'm just putting this little bit out here. It's not that big a deal. It's not, but what is, is the aggregate of all that information, the compilation of many pieces of information, create something that could be a bad deal. Right? You could do some bad stuff. I'll give you an example. I used to work for a company that measured the square footage of the insides of buildings on military bases. Because, you know, janitorial services would say, oh, you got to, as built plans here, you got a thousand square feet. We're going to bill you so many cents per square feet to mop this up every night. But if you really went inside and measured all the interior spaces, you'd find out some of those spaces were blocked off because it's an elevator shaft or it's a staircase. Or there's three offices in there and each one of them have 12 inch thick walls. And the outer walls are six inches in or six inches out from the inner walls. So there's a lot of square footage that's not really there. So instead of a thousand square feet, you're only dealing with 800 square feet. So it was a money saving operation. But in building an application to show the military personnel these plans and interior spaces so they can plan out who gets what office and where they're going to put furniture and so forth. What they did was they made exact plans down to the micro centimeter, millimeter of all these spaces on base. And then they mapped it all out to tell you which building was where. So if you accidentally got access to this web application for some reason, you could see every single space on the base inside a building. 
Now that might not be such a big deal but if you want to attack a base now you know where motor T is, where the tanks are stored, where the armory is, I know where the power systems and the generator backups are and because of the office space allowances, also public knowledge, I know that if you're a general you get so many square feet in your office and it's gonna be the biggest off. So I'm gonna find out where the biggest office is in the most modern building and that's gonna be the highest ranking guy. Now I know. Now I know because of the outer fence perimeter and where that building's located how exactly I can go into the base, that's an ingress. Do my dastardly deed and what my nearest egress from that spot is, my exit. And so it's not that I mapped a building, it's that I mapped all the buildings on every base and then I put them all in one big web application so you can search for what you want. So now it's the aggregate of the information that is dangerous and you can do bad stuff with it. Have you dealt with this already? No, not really, but the example that comes to mind also military was the thing with the Fitbit. The Fitbit, right, right. Do you remember? Tell us about the Fitbit thing. This is hilarious, right? I guess in order to assist the military personnel with their physical fitness programs. Which is always a problem. They gave them more Fitbits. They would upload into the cloud all the information from the Fitbit, how far they run and what is their location. Right. So with that information, that's all accessible. So now all you need to do is go out and look at that and someone could look at that and say, oh, now I have a good idea of how many soldiers are on this base, where the bases are, where they run every morning to get there. Right, where's the highest traffic area? Yeah. Where's the lowest traffic area? And didn't this person find out because Google Earth and Google Maps blur out secure locations on the planet? That's a dead giveaway.
Yeah, it's a dead giveaway. But then this confirmed bases in Syria and a few other places because the Fitbit locations were not secured or blurred out and you saw the exact layout and every single road that they'd ever jogged on. You saw the perimeter of the base. You saw the interiors. You can see where the gym was. And yeah, it's the aggregate of information that can sink you. Let's go over some of the things that you can use. I have a list of them here. Of course we have Google. I don't recommend it, but Bing is available. It's getting better. You can compare results from Google and Bing and I have to warn people all the time the first three or four results on both the search engines are usually ads. Now, thankfully, they have to put the little tile on there that says ad next to it. So look for that. If you click on one of those, all bets are off. You could get whatever information they want to feed you. Just get into the habit of scrolling down to the fourth or fifth. And just trying out links. Yeah, because you know the first three are gonna be ads. Right. Just automatically scroll down to like fourth or fifth item and then that's usually not an ad. Now, this plays into a warning that I give people when they do open source intelligence and they use it as proof of something. I give a random example, divorce cases. I found this on the internet, therefore it's true. Well, not everything on the internet is true. So when you do these things and you find these pieces of information, find corroborating pieces of information at different sources because when someone defends a position or attacks your sources, you want to be able to have several sources to cite to say they all point me to the same information. It's very circumstantial. You'll find something on the internet. As you said, it may or may not be true. It may be half true. You don't really know.
So it's kind of circumstantial and in order to carry any really significant weight, it needs to be verified by some other evidence and supported by other evidence. You can't just go to Wikipedia. I found this on Google. Your Honor, I found this on Google, therefore it must be true. I don't think it's gonna fly. No, no, no. Then Wikipedia is the same way. It is a great bunch of information on Wikipedia. However, if you scroll down to the bottom, you see all the links that support that article. The less of those there are, the less you can trust the information. And it's got good footnotes and it's got a lot of editors and there's a lot of contributors. That Wikipedia article is solid, but I would follow those links at the bottom to find the other information where those people read that other article and said, oh, this is true and they put it in Wikipedia. You gotta aggregate your information, right? That's open source intelligence. You gotta go with what's right. Where you're not gonna have that problem is going to some place like the government sites. Hawaii.gov, got a great site. However, I will freely admit, you can find all my divorce records. Really? Everything about my divorce. It's all public and if you wanna read any of the court arguments that happen, they're all in there. All the motions, all the rulings, the child support, it's all public. If I get a traffic ticket, it's public. If I'm arrested, it's public. You don't need somebody to go check public records. You can go and it's all online. You can see what they're arrested for. There's certain parts of the information in there, like if they actually were incarcerated, some things are obscured. But you can find out if they have a felony on their record and credit reports. Funny enough, last time I went around the dark web, I should have taken a selfie. I was thinking about it, but I actually found my social security card. You did. An image of my social security. With the correct number.
So I was gonna lean into a selfie. But I thought better of it. But it's fantastic that all my information is already out there on the dark web and the deep web because the Office of Personnel Management from the government got hacked. Now with our last minute, let's go over some other sites and tools. We have metadata. We have Wikipedia, social media, Facebook, Instagram, Twitter, photos. There's publicity photos like the one we did. You can use some tools out there to look at the metadata of the photo. So if you were to download my photo off of linkedin.com, there's metadata in that photo still that tells you when and where I took it. Because I took it with an iPhone. So you see my coordinates, you can see I took it at Haleiwa Joe's or whatever at the gardens. And that's kind of scary. So you're leaving footprints no matter where you go. You gotta be careful. Any warnings before we go? Yeah, I think everyone should go and look to see what data has been accumulated for them both on all these sites, Twitter, Facebook, Google. They now have interfaces, as I said, where you can look at what they have on you and everybody should look. Because I think most people will be just, you're gonna be shocked. Completely amazed. Oh, I haven't done it yet. I'm kind of scared, but I'm gonna. Okay, thanks for joining us. We'll be back next week talking about the GDPR. And we'll have a new guest. And until then, please stay safe.