This is Think Tech Hawaii. Community Matters here. Hey, Aloha, and welcome to Think Tech Hawaii Studios. You're watching the Cyber Underground at one o'clock on Friday afternoon. We're going to be talking about open source intelligence and kind of continuing on with this discussion we've had the last few weeks. I'm here with Jeff Milford today from (ISC)². Jeff, good to have you. And we don't have the Professor Howe and we don't have the Professor Dave, so we don't have to do a bunch of analysis today or a bunch of teaching. We can talk a little story, maybe some stories from the field, and we'll see what's been going on. So, open source intelligence gathering, first part of that kill chain. Now, I know you're telling me that (ISC)² doesn't really, doesn't necessarily look at the kill chain for the way they stack their credentialing and things like that. For the CISSP that wasn't part of the body of knowledge or the CCSP, but it's something everybody has to be familiar with. In practice, right? The CISSP is as broad as it can be, so you have to understand it and you have to be able to detect when people are doing things like that. That includes the social engineering part, which I particularly enjoy practicing. But from the good side of things. The white hat side. The white hat side. The research side, as we call it. Researchers, researchers get a lot of help. Yeah, like I'm supposed to be allowed to go into this building, but what happens if I try to go in without a badge on? Is somebody going to stop me or wander around and somebody going to ask questions? Yeah. I used to do that at one of my older jobs. Won't mention who it was, but you learn a few buzzwords. You get somebody's name inside the building. You just say, I'm here to fix so-and-so's computer. They're having trouble with the XYZ app and boom, you're in. And people want to be helpful, right? Sure. 
And I think that speaks to the thing that we teach a lot from my world a little bit more about access control and having that badge and challenging people. If someone comes to you and they've got some story and not a credential, escort them to the desk and let's call the place they say they're going, let's do a little homework. Don't just accept them at face value because they look friendly or they act friendly or they seem to know where they're going. They should have the proper credentials. And this person they were supposed to see, why aren't they with them? That's always a great question, right? Yeah. And so it's a big piece of it. I definitely, when I would bring on new clients or when they wanted to meet with us, I would tend to show up early at their facility and I would do this and just walk around, see, what's the posture? Does anyone stop me from going anywhere? Somebody might say, hey, can I help you? I'm just going to the restroom back here. They're like, oh, it's that way. Let me go. Any which way are you? What's in here? Sure. Interesting stuff, interesting stuff. Yeah, the social engineering piece is, I think, what's relied upon a lot. We talk about the idea of we can implement a lot of the technical controls when we have a great mapping for that with the 800-53, all the stuff from NIST and the cybersecurity framework, wherever you may take your guidance, be it ISAC, (ISC)². And once you get a place technically hardened, you still got this problem called people. That human equation. Gordo calls it the wetware. The wetware, I like that one. So, you know, we have these human problems and the humans make themselves vulnerable really to the exploitation of this open source intelligence by the information that they share. Now some of it, maybe they didn't mean to share. It's been harvested from some place. 
But when you guys are in practice, what are some of the things that you're looking for in an organization that they may have, some of the sloppy practices that you see with their staff? With the project I'm doing right now, I've been calling vendors and I asked them, can you send me a list of equipment and the IP addresses on our network? And I get these full dumps of everything. They have that information and they send it over on encrypted email, right? Yeah. And granted, I have an email address for the company I'm working with. Sure. But one of the guys in IT overheard me and goes, wow, you're really good at this, aren't you? You're convincing. Yeah. Again, it's people wanting to help people. And I'm representing a client. You know, I'm a customer and I've got a good story on why I need this information. And I'm like, oh, yeah, we pull all that. Sure. Yeah. Let me get that to you. It's tomorrow, okay? Yeah, tomorrow's fine. Wow. Yeah. Isn't that something how easily people would share with that? They didn't verify with a third party. They didn't really have to have a password. They may know you're working over there and trying to help, but are you actually of the authority level that should get that particular information? They didn't really validate that. And maybe your name's on a list. They say if Jeff calls, give him anything. Who knows? But maybe that's not the best practice either, right? Probably not. Because maybe your contract ended yesterday and you're calling again today to get some other information. Now that I did my recon as a contractor, not that I would ever do that, of course. Yeah, you got to stay on one side of the fence. If you want a long-lived career on either in the dark or in the light, you know, one way or the other, crossing the fence will shorten your career. Well, and that's the thing about contracting, too, is you have a reputation. And if it ever gets into the gray area you're done for, you can never reestablish that again. 
I learned that when I was on the main line working for some companies. You have to always be better, more visible, more transparent, all of that kind of thing. Yes, but I think people are asking better questions today. Hopefully I'm sure you're seeing that from the interviews when people are trying to compile your services. They should be asking better questions. I saw the Microsoft report came out today, the security report. Massive 44% of the vulnerabilities, the sort of the brute force attacks that are happening in people's passwords aren't happening because people are still using that domain password and they're using it over on their Facebook or they're using it on their LinkedIn or someplace else that it's been harvested from. So is that a, how do you see companies combating that? How do they police their employees other than training, of course? Well, inside you can force the password resets, give them a short age. You can't use the same password for 30 times. I mean you can get really crazy with some of the settings. But people, I mean they're going to write it down somewhere. It's difficult. That was another game we used to play when we were contracting because we had to go log into these people's machines when they weren't there. And nine times out of ten we could find their password. It was under the keyboard, it was taped to the monitor, it was behind the picture of the kids. They have a picture of other kids' names. Exactly, and you just turn it on. Okay, here we go. We were talking about this before. Most people don't think like bad guys because we're all honest people. Yeah, we're trusting. And it's the same thing with sharing the information. Most people, it doesn't occur to them that like you guys were talking about sharing a picture with information in the background. You don't think about how that information can be used against you. And you can't live your life as a paranoid because that's like a sign of mental illness. 
But I've lately been using the word cautious. You need to be cautious. Need to think. You need to think about it. Slow down a little bit. Like you were talking about somebody calls you up and says, hey, I'm so-and-so. Remember, yeah, from school. And yeah, we had a couple beers together. And I started thinking that, yeah, one of the things, one of the reasons why that works is because you give them, you don't have time. You don't have time to process the information. What people need to do is just stop and say, hey, can I call you back? Give me a number where I can call you back at. And hang up and then think about it. Maybe open your yearbook and say- Yeah, dude, I really remember this guy. Right, right. Because again, we want to be helpful. And if they have a good story, you know, we're going to buy it. But if we take a minute and say, you know, I really don't remember this guy. So be cautious. You know, take that extra minute. And if you tell the guy, you know, give me a number where I can call you back. If they're a bad guy, I don't think you're going to get that number anyway. Right. And they're going to like- They're going to move on to the next one. They're going to move on to the easiest thing. You know, burglars are going to look for houses that are unattended with doors unlocked. If you have lights going on randomly and, you know, your house is well set up, you don't have the bushes this high, all those kind of physical security things, they're going to move on to the easier target. So don't make yourself an easy target. Don't use the same password across multiple accounts and such. Yeah, the report talks about it as one of the biggest things that they found, still the biggest vulnerability for attacks against Azure and things like that. So it's like, wow, you know, people, we've been preaching that for years now, you know, and in my world. 
And I guess not everyone's as cautious as, you know, we, those of us in the industry are, you know, I guess paying better attention to those rules than we did in the past. It didn't actually occur to us. I had a woman ask me to reset her password to mango. What? And I just said no. That's a- No. No, cannot. We're here in Hawaii that would be a really easily guessable password for somebody, even if it was lower case. Yeah, that's surely in the list that they run in their brute force list. I mean, all the fruit and all the fruit I think is on the list anyway. Like all that kind of stuff. Yeah, you need multiple words. I was, I don't know if you've seen that diceware. I was talking about diceware a little bit last week. So nice list of words that aren't meant. And if you use seven of those, you get really quite a bit of, you know, 270 years at, you know, a billion cycles of processing power. So stuff like that can work out for people who aren't creative enough to, you know, change their password to something difficult. And we don't have quantum computing yet. Not yet. We're still, I was also thinking about the password. And I had mentioned before that I like to use some foreign words or some foreign language. Yeah, I think that's a really good idea. Make the hacker load multiple dictionaries. Make it harder for them so they go on to the easier target. And then I started thinking, well, what else could I do? You know, people will substitute letters for symbols sometimes, you know, the exclamation mark for a one. That starts to become easily guessed. Yeah, they run that. What if, what if you just choose a random word and insert that in the middle of your word? Boom. Yeah. Now makes it very difficult. It's much more complex. And those are simple things people can do. But again, having multiple passwords for all the accounts, I go home and I look at, I keep a list. You have a list? I have a list. Locked in the safe? It's very secure. It is, it is secure. 
But periodically I have to pull it out and use it because I have probably close to 200 accounts. Wow. And there's no possible way. And I know there are applications on the market, vaults that will store them using a master password, passphrase, everything else. That's what we use. I'm still kind of old school. What happens if it, if the application gets corrupted? Okay. Okay, stored in the cloud. The vendors are responsible for it. A couple months ago, one of the vendors for business, a lot of big named companies got hacked. Sure. And yeah, I mean, it's nobody safe. Nobody's safe. We're going to take a break. We're going to come back in just a minute and talk a little more about Jeff's list. Yeah, we were just loving that commercial. You watched about the designated drivers. Anyway, so we're talking about password lists. We're talking about storing information, critical information. Can you use a password storage tool when you've got hundreds of accounts to manage the passwords for? You can't remember all those passwords. 
And then can you trust that you've got one password to get into all those passwords? That vendor and where's that information stored? In the US? Is it in the cloud? Is it in Europe? Where is it? Some things you should ask yourself probably for the storage of your information. And when we look at open source information that people... We talked a little bit about images and some of the stuff that could be in the background. We talked about the geotagging that people may not know that that photo actually has information about where it was taken. So if you post it right now and you're there, you're obviously not at your home or at your work or wherever. So, you know, there may be some vulnerabilities there that you're exposing about putting that information out. Let's take a... What about some other things? How about like forums, blogs, IRCs? You know, I was thinking about if you're in an environment like that where you're actively chit chatting with someone, they know that. So they know that you're sort of locked down to your keyboard at that time, perhaps. Now, maybe you're in your office or maybe you're at home or maybe you're on a mobile. Can we tell what type of device someone's using when they're doing stuff like that? Do you have a way to assess that? I know that some of the video display stuff that we have, it can tell if it's showing video on a laptop or on a tablet or on a phone, for example. It changes the frame rate based on the way it's being served up. And I just didn't know if there's some other open source tools for knowing what somebody's using, you know what I mean, on the other end of the line. You'd have to pretty much drill down and know where they are, maybe down to the network location to start being able to read that type of thing. So, starting to look back at where they're coming from, you can maybe figure out where they are. I see, it makes sense. And as you were saying, the whole chatting, you don't know who you're talking to. 
That's the other point. You know, they say they want to have a date with you. And promise you the world. And actually, they want to rob you blind. Yeah, meet me on the other side of town here while I go and rob your house. Come to dinner at six. Yeah. Well, it's one of the things that we try to teach young people. You know, they aren't as experienced. They don't have the life stories yet. So, they're very trusting in a lot of cases. And that leads to sometimes some very bad things. You know, I forget the statistics. But people under 14 who were meeting people in person that they had met online. It was two out of five, something like that. It was really scary. That's kind of scary. It is. And that's somebody who's being socially engineered, right? Exactly. Yep. Through compliments or whatever. And they just say, oh, wow. And so, they feed their ego and the kids don't understand that vulnerability. They couldn't be there. And adults are like that too. I mean, you know, I'm sure. Wow. Okay. So, let's go to, so forums, a little bit of chats. What about, so we talked, we talked, we kind of beat up the social networks. So, we can maybe, maybe be there for a little bit. What about like people's search engines? So, what familiarity do you have? Because we talked about like, so LinkedIn and Google. And, you know, obviously you can go, but where else can you find stuff about people that they may not know? I just, in prep for today's episode, I downloaded a list out of Google, of course. Okay. And it must have had 60 or 80 websites that I had no clue about because I don't typically use them. Sure. One of the things it didn't have though was LinkedIn, which I found odd, but there were probably 15 business sites on there. There are sites for checking to see if people have arrest records, things like that. The picture sharing websites. And it was very easy to get that list. Okay, interesting. And now here's, here you go. 
Here's a whole bunch of ways to start developing some information on somebody. Sure. And again, we don't always recognize how that information can be used. And in most cases, people don't stop and think about what they're sharing. This week, I was working, trying to contact a vendor. I'm doing a risk assessment on their application. And I need to get some technical information. So I go to their website. They have a sales number that nobody answers. It just goes to voicemail. They must. They're either too busy or they're not busy at all. I don't know what that means. Something. When your salespeople don't answer the phone, you have a business problem. And there's no email address, but they do have an online web form. Okay, thanks for filling out the form. I tried. Was it HTTPS by any chance or was it HTTP? And three different browsers didn't work. I type in my message, hit send, and it just... A lot of people, a lot of the browsers now reject if it's not HTTPS, right? They're not going to, so that started. That wasn't working for me. And the weird thing was, I logged into their site. I created a support incident, got a ticket number back to my email address at work. Okay, so that worked. So then I go to log in with the account I created to create the support request. And it tells me access denied. How can you deny me access? And then I get an email back from them telling me that your incident has been noted and we will be in touch. And it got to be like Groundhog Day. It was just a constant loop. And I finally reached a point where I just said, okay, enough is enough. There's got to be a way to contact these people. Okay. So I fired up the Google and typed in their company name. And after I think about three links, I got a beautiful list of all the people that work for them. There you go. And what they do with their pictures. So here's a guy, John Smith. He's head of their technical support. Nice. So I know their domain name at company.com. 
So I just started trying different formats for an email address, first letter, last name, put a period between first and last name. Sure. It took four, five attempts. But I got through it pretty trivial. Yeah. Sure. Yeah. And the guy's like, how did you get my email address? He didn't want to work at all. Yeah. More importantly, why aren't you responding to my request? Sure. So the cool thing was that when it was giving me access denied, it's because their system was blocking me because their system didn't know my domain. Okay. But you were coming from their customer site, though. Right. But the customer internal to the company was actually using a slightly different domain name. Okay. So that's what they would have allowed that. That would have allowed that. And of course, there was a ton of this information floating around at your clients. They no one knew what to do. So he actually told me the two people that I should be talking to within the company, which was very helpful. Okay. So I contacted one of them and I said, hey, this is what I'm doing. This is what I'm trying to accomplish. I'm working for this person inside the company, blah, blah, blah. Do you want to authorize me to speak with these people? Or would you like to pass on my application questionnaire to get it filled out? And I was so happy that she chose a second option. Yes. No. No need to authorize me. I have no need, no business at all communicating with these people, except for this one time. So she passed on the questionnaire and hopefully I'll see it back before too long. I don't know. Their track record's not that good. Although once you got to them, actually it was okay. Yeah. Yeah. And the guy explained to me why I kept getting access denied. Okay. I understand that. I'm in security. I understand that. And you're kind of doing the right thing here. But the rest of all this stuff? Oh my gosh. With HTTP web forms? Yeah. Yeah. 
So they're probably working on building up their back end or something. That sounds kind of interesting. Yeah. So basically I social engineered my way to the head of their tech support. Did he like that you did that? Did he ask you how long it took? No. He couldn't really say too much because technically I am a customer, so you don't want to alienate them. That's true. But if he's smart, he's probably going back to his team and saying, you know, we've got a little problem here. Or maybe we shouldn't have put those pictures of ourselves. We're too easy to find. Yeah. Wow. Yeah. And it looked like a fairly couple year old page I'd gotten to. And you know, another thing you can do on websites is you go to sitemap. And you can see down the old pages that they don't display anymore. And as they didn't have it there, they did. I mean, their site was reasonably secure. And the product that they manufacture is something that you would want them to be secure about. But it just struck me as funny. And I'll find a way to get in touch with you. So this brings up actually a pretty good point. You can go to places like Facebook and Twitter. And I don't know about Twitter. Twitter may live forever. But you can have a lot of your information taken down. You can send requests into Google to take old information down. So if you have stuff out there, that doesn't mean if someone else linked to it or whatever. But at least in your own profile and searches for you, you can get some of that stuff out of there. Especially if it's no longer. If I say it's a place you used to work that has your photo up there. Maybe it's got your title. And there's no telling what could be there. But there's no reason for that information to be there any longer. And possibly it's all already been archived by the dark web. I don't know. But there's no sense to leave it searchable from the open source intelligence world. You found all this stuff in open source. So before we get, we had Tom Fielding in here. 
Of course, we talked about the dark web and all the information that's down there that those guys monitor for. They can find out if somebody's building a profile of you in the dark web and things like that. So this is just open source intelligence that you hunted up. So it's interesting that a company like that's gone to an extent to hide themselves. They're not really a marketing posture. Normally they're very open and there's all kinds of ways to get a hold of a company. So that's of interest to me. It's pretty good. But I was stunned by the number. Everybody uses Bing, Yahoo, Google, the major search engines. But there was a list of 20 search engines here. And it wasn't like ASGIS or some of the... When the onion, right? It just went on and on and on. And if people are determined to learn something about you, they will. And again, we go back to the privacy. Stop for a minute before you upload something. I understand. I have friends who use Facebook to stay in touch with family, different parts of the country. It's really cool. But I'm in a position right now where I'm trying to find work. I don't want to go to my cousin's website and like something political on there. Yeah. Because that could come back to bite me. Definitely. Yeah, employers definitely do that. They do those same searches. At least cursory. And some go deeper depending on the type of job you're looking for, especially in the security world. Some people would say that's paranoid. I prefer to look at it as being cautious. Today it's common sense. I mean, you made a great point about people oversharing, people trusting. And that's been something that has, I think, already been shown to be a bad practice. And maybe some people don't feel like they have anything valuable to lose. But when a guy goes and takes your world away from you and becomes you and gets credit in your name or whatever he does, all that identity record information becomes, wow, I didn't think someone could do that to me. 
I didn't think anyone cared about me. No one knew about me. I'm no one. Actually, the no ones are, there's a purpose for using the no ones actually. Yeah. I've read about a woman who was spearphished because the guy found out where she lived. She had posted pictures of herself in front of her house with the street address visible. She had posted pictures of herself in her kitchen. And this sounds probably kind of silly to a lot of people. But in the picture, you could see various kitchen appliances. And the security researcher said, what if I impersonated somebody from Cuisinart and told them that there was a product recall? Click on this link. Boom. You're going to get her. You're going to get her. Yep. Yep. So there you go. Your open source intelligence world, there are a ton of people out there gathering that information, using it for things that aren't always in your best interest. So make sure if you're putting your information out there, you're putting it out there for a reason and you know what it is and why it's out there. And be very cautious with putting this information about yourself out. Take a minute before you click send. Take a minute before you click send and think about it. All right. That's all we got for this week. Thank you so much for joining Think Tech Hawaii and listening to us on the Cyber Underground. Come back next week and I think we'll probably still be doing some open source intelligence and maybe starting to look at some of these tools that are used by these researchers.