I've introduced everyone by the wrong name for the past two days, so I thought I had to do it to myself as well. Okay, so my talk is on 1983, I'm born, I went thoroughly with the theme of the event of Defcon, and 2018, I'm catching the bad guys. So I've got lightning talks, so that's why I've already started and probably going to race through this kind of quickly. I've got a few caveats though, I'm not a pentester at all, I can't code, I can't do any of this. I do OSINT recon for a very different purpose, so come at things from a very, very different angle than 99% of the talks that I've actually introduced and hosted here. The next one is I am suffering massive imposter syndrome and have been for the past three days. Once again, I've kind of come here going, what the hell am I doing here, and then I've introduced everyone, stood there and gone, yeah, you're fine, and then stood here myself and gone, what on earth am I doing? So if you're ever suffering that, by all means, just kind of do this and let's see where it goes. The next one is I really ran with the 1983 theme. The 1980s were not the best decade for fashion. If you weren't having to suffer the shell suits in the US, then you certainly were in the UK. Really sticking on the 1983 theme, it was my birthday on Wednesday, so I get to really fully celebrate with the fact that it is a 1983. Okay, so really quickly kind of giving my background, because this is why I approach things in a really different manner, I've got 35 years' experience of doing stuff, and I kind of sat there and thought, well how can I run everyone through my background, and I thought the best way to do it was in a timeline of dinosaurs to Defcon. Now this is my great timeline in which I start really close to the dinosaurs of 1983 being born. I promise you, 1983 theme will now stop. From then 1990 to 2001, I went to an all-girls school in the UK.
All-girls schools, brilliant, they basically trained us to think a very specific way so that we all kind of came out the same. They wanted doctors, they wanted lawyers, and we were allowed to do whatever we thought. So on that basis of doctors and lawyers, in 2001 I went to London and I did a master's degree in astrophysics. Didn't really fit the mould, but I thought, well hey, let's go and do this. I was a kid who wanted to be an astronaut. I graduated with my master's when I was 21, and then it was a case of what am I doing next? Where am I going to go? Do I want to do my PhD in astrophysics? Nope. I went and joined the Air Force and thought, hang on a second, I'll go and do something different. If you think you're about to hear a reconnaissance briefing from someone who's been in the intelligence branch, that's not me. I didn't do any intelligence training, I'm not a pentester. I was an aerospace battle manager, I was a weapons controller, so for three years I spent all my time basically in the desert controlling aircraft over Afghanistan. Fun fact, I'm the only person to have controlled all of the airspace in Afghanistan, and I'll walk with that the whole way through my career. So in 2012 I got out of the Air Force, they offered me another 12 years, and I thought, do I do this? And I thought, you know what, no. I'm going to go and I'm going to do yet another master's degree in yet another capital city, and I moved to DC. I thought, I know what to do, I'm kind of smart, I've got the military experience, I'll go to DC and help educate people on the hill because they'll want to listen and be educated. Three and a half years I tried to educate people on the hill. I stood there when the 3D gun got printed and told them don't panic, they panicked. Ballistic missile defence, every single summer was the topic that we were talking about, it just keeps on going around on the same old cycle.
So in 2015 I decided enough was enough, I moved back to the UK, and I ended up falling into an OSINT research post in King's College University. Now the OSINT post was basically looking at counterproliferation, nuclear proliferation, can you learn about behaviours of nation states online so that you can really kind of see and predict whether they are going to go nuclear or not. We were doing that on behalf of the United Nations and that's kind of where I kind of realised that the skillset I've got, even though I didn't have any training, and my excessive amount of Facebook stalking really could kind of filter into what we do. I got really tired really quickly in academia because things moved far too slowly. So in 2016 I made the bold move and I joined a cyber security company, didn't know what I was doing and sat next to a pentester for seven months writing his reports because he didn't want to and that was the best way that I learnt. What I ended up kind of sitting there and doing now is going, well why are you only wanting to find out somebody's email address? Why are you doing that? Why are you looking for their email address in a dump that makes no sense? If you look for their kids, the password's likely to be something to do with that or a dog or something else. So I kind of twisted things in my company which is then kind of where I'm still there now. It's also where I'm the head of research. Once again I've got no intelligence training and I'm sitting in the head of research in an OSINT company. That's why I do that. So what pays the bills? I've got to be serious here. These are what I do. I do employee screening through OSINT. I do investment due diligence and I do fit and proper tests for senior managers. If you don't know what this is in the UK, we basically now are making all senior managers in banks do a fit and proper test to say that they're trustworthy and honest. It is a self declaration form. I'll leave that one with you.
So what actually drives me with what I do? Everything that I kind of do that pays the bills. The rest of this stuff kind of comes into this and I will cover this in the examples. I work a lot with modern slavery charities to really try and see what we can kind of do through open sources to bring the fight to them. I obviously with my background I've got a lot of counter-terrorism experience. So addressing extremism online is a huge thing for me and uncovering fraud and crime moving forward. So how do I actually do this? The first thing that I do and everything that I do is all about the person. I don't go for URLs. I don't go for open ports. I don't go for everything else that I've sat there and heard about today. Yeah, they may be useful, but everything I do is about the person. Now, the really interesting thing about this is over the past two days I've heard so many talks as to what with GDPR and with this being locked down and with that being locked down. Well, I'm sorry, but for me, you can't lock down your face. So once I recognize your face, I'm following you as a person. So everything that I do follows the person online. Yes, there might be an IP connection, but that's just a tick in the box as a confirmation for me. People's behaviours and applying behavioural science to open source is really where you can learn more about a person than anything else. It also means that if you end up going on to the dark web, people tend to behave the same way. We've sat there and looked at people who have the same username on eBay as they do on dark web forums. Well done, kids. You're great. So the best way that I end up doing this is through primary identifiers and secondary identifiers. Now, basically, this is kind of for any pen testers out there, you're going to sit there and you go, oh, well, my primary is going to be this and this and this. Basically, if I've got your name and your date of birth, I can pretty much go everywhere.
A lot of the research I end up starting with is just a name. If you've used, ever used a site like Genes Reunited or ancestry.com, you can get people's birth records, their marriage certificates, their everything. If I can get that, I've got your date of birth, I've got your mother's maiden name. I'm already answering a lot of questions to be able to open a bank account. Once I've got your address, we've just been hearing about the voter register. If you can get you off that, if you can get you off the electoral roll in the UK, any company's data or anything else, I'm then moving forwards. Email addresses, you all know how to trace them as well, phone numbers, usernames, key individuals as well. The number of times I'll speak to people is like, it's okay, I'm not online. I'm like, okay, you're not, but your kids are everywhere. Somebody's spouse is everywhere and everything else. Having the key individuals there as a primary identifier is one of the key things moving forwards. Once I've got those key primary identifiers, I can do a lot of work with really following somebody and their behaviours to do everything like that. The secondary identifiers, that list is never ending, but I put the bank details at the top for a simple reason. For one guy who I actually worked with, wrote a report on, I was like, oh dude, you've kind of like put your bank details on a website you created for your 30th birthday party because you made people buy tickets. And it was like, point one, how obnoxious. Point two, why have you put your bank details there and he's like, well, what are you going to do? Pay me. And I was like, just watch. So he gave me his bank details. I knew his full name, his date of birth, his mother's maiden name. I knew his home address. I knew from Google Earth exactly where his mailbox was. Brilliant. His wife then happened to post that they were boarding a flight in two days' time to go on holiday.
And all of a sudden I'm sitting there going, I can intercept everything. I've spoken to a number of different payday loan companies and I was like, what information would you actually need? And all the information that I would need was already sitting there. So the worst that I could do was take a £10,000 loan out in his name so that when he came back off holiday, he had all those debt collectors already coming after him. Okay. The thing about all of this is, and people are like, oh, well, I'm not posting stuff about it and GDPR and all the information getting locked down. The simple fact of the matter is we're sharing more information than ever before. And it starts before we're even online. How many people are sitting there going, oh, I've seen this. People put the baby scans on Facebook. People do this. And then the kid's born. Brilliant. You've given me the kid's date of birth, the full name of the kid, the fact that the kid's got a sibling. If I go through that mom's Facebook page, I'm probably going to get her maiden name as well because maybe it's in the URL that she hasn't changed it or anything else. So the person's footprint, with a lot of the key identifying information, is already there before this kid can even pick up an iPad. Like, we're not kind of sitting there going, oh, well, this is secret and everything else. It's already a lot there. So the bad and the ugly and how this information can be used. So back to my drivers, I think that kind of fits into the good. This can be used in a really, really negative way, let's be honest. But if you actually spin it and try and use it against some of the biggest crimes that we're facing internationally, then you can start to build those networks and to actually build those behaviours to try and see what we can combat. Obviously with social engineering, whether you're doing it for pen testing, whether you're doing it because you want a really good date, I don't know. 
But the good, the bad and the ugly are there. And extreme Facebook stalking, I absolutely mean searching. And it is one of those that the fact of the matter is people aren't reading all of those terms and conditions. People aren't sitting there and going, oh, what on earth do I need to do or anything like that? Okay, so here's a couple of examples that I'm going to end up running through really, really briefly. We were approached by an insurance company and the guy basically came to us and was like, can you find our information being sold online? I know it's going to be on the dark web, I just know it. Why? Because everyone fears this magical beast and it's definitely where all the information was. Well, we found the information for sale, we found it on LinkedIn. It's sitting there, people will use this guy, was using his LinkedIn to sell the information and this is just a couple of posts that he was actually doing. He'd not been doing it for a short amount of time either, this was just a couple of weeks before. He'd actually been doing it, this post is from two years earlier and apologies to Mark Edge for putting your information on, but he was actually using Sniffer to the data and posting it onto LinkedIn. There was a whole network of individuals who then interacted with all these posts to turn around and go, oh yeah, I'll buy this, I'll buy this. So before you know it, we already know our network of everything else. So we spoke to the insurance company and I was like, we found some of your information for sale and everything else and he went, can you identify the guy? Well, let me see. Luckily for him and his information within his LinkedIn account, he had his Twitter handle. Well, that's kind of convenient. So I then went to his Twitter handle and where I then got a location for him. I got a pretty obnoxious picture of him and the content within his Twitter basically went off along the lines of a certain type of individual who really isn't up my street.
But never mind. His very first post that he had on Twitter was him telling me, oh, by the way, I've just set up a LinkedIn account thinking that this LinkedIn account would go to his other LinkedIn account. I was like, okay, let's click away. It didn't. It went to somebody else in an entirely different name that that account had then been shut down. But hang on a second, I've now got a different name to work from. What ended up then subsequently happening by combining a number of different things, basically he'd been trying to sell number plates on LinkedIn as well. Those number plates he's also tried to find on Facebook. And then all of a sudden you find his Facebook and he's standing there holding a gun. This isn't the US, kids. This is the UK. So when I'm sitting there with somebody in Manchester around the corner from me and I'm seeing a picture like this, I'm like, oh no, something bad's happened. What you can't really see there is his current profile picture, which is a picture of his two baby girls. Well, you've kind of changed the direction there and everything else. He had so many pictures. He had pictures of stolen goods. He had pictures of his name spelled out in money and everything else. And it was one of those moments of, are you really utterly this stupid? Yes. So we contacted the insurance company and we basically turned around and said, okay, this is the guy. Don't quite know his name because he's using a number of different variations. But what do you want us to do? Well, get as much as you can, and we'll hand that over to the authorities. So 24 hours later, I went back and this Facebook account's been deleted. He'd been tipped off by somebody in the insurance company to get rid of his footprint. Well, that kind of pissed me off. So basically I then kind of went and sat there and went, well, what am I going to do?
What I ended up handing over to the police was his full name, his date of birth, his spouse, his kids, his addresses for the past 16 years, his associates and his contact details. Why had I done all that? Because through everything that had ended up happening through his Twitter account, through his Twitter account logout, I knew I had an email address. He'd actually gone and done an insurance quote using that email address. Insurance data when they say, do you want to share this with third parties? They are saving the data that you put in there, and all it was the case of going was, well, hang on a second, I've got that email address, I've got an address. Let's see the name of the individual who lived there, which ended up being a combination of a number of the different usernames and handles that I'd ended up seeing. So we handed that over. Okay, one final kind of thing that I will run through, the Nigerian businessmen. I'm not being stereotypical, but these are two guys. It was a multimillion dollar deal. I had to kind of just do the seal of approval. Tell me these two guys are great. Well, this is kind of why I ended up getting them. The simple fact of the matter is the two guys ended up being spread across the web under many different names. They had self-elected each other into different roles. One of them had elected himself into the environmental role, who then gave approval to his brother's company to set up this water purifying station, who then gave approval back to the other brother's cement company to build the plant, who then gave permission back. What ended up happening was they poisoned an entire village. A number of people actually ended up dying for that, and the two of them went underground. They didn't go underground. They changed their names and they moved to Newcastle in the UK where they set up an entirely other business. That kind of went on. So in December 2017, this was referred to the UK Serious Fraud Office.
The deal all obviously fell through, and that's kind of where we left it. I thought this was such an interesting case that I ended up moving it into my training processes that I ended up training my analysts at my company with, and I was like, you know what? Here's your trial. Go ahead. And then all of a sudden, it didn't end there. So we go back and when we're reviewing it and everything else, it's gone to the Serious Fraud Office in December 2017, and in January 2018, oh, my ex-commissioner's dead in China. He went on a business trip, and he's died, and everything. I was like, oh, well, that's kind of changed the dynamic of all this. Only here he is in February on his Facebook page, a brand new picture of his new outfit, because he's moved back to Nigeria under a new set of names. He's using the same Facebook account, though. And it's not a case of, oh, he's just posted a new picture or somebody's posted a picture or anything else, because he keeps on going. I looked at this this morning, and he's still actually posting. He's talking about how you can build something great, and they're once again trying to be elected in under a different name in the same state that apparently he was a previous dead person. I don't even know. Absolutely craziness there. Okay, the other thing that I do kind of want to finish off in my last three seconds is that I actually work with a charity that does a lot of this. The charity that I work with is Stop the Traffik, and basically they've got a Centre for Intelligence-led Prevention. What they're doing is using open sources to try and learn as much about the methodologies, the people involved, and everything else. It's not about saving people who are trapped in slavery. It's not about anything else. It's about disrupting those networks from the outside in. If we can try and learn more about them than they know about the networks, then that's kind of what this is trying to do.
If you want any further information on that, I spend a lot of my spare time working with them to try and figure out exactly who and what, and everything else is recruiting. I fitted it in, seeing as I've told everybody else to stay on time, and thank you very much.