So we're going to have our speeches today and we're looking forward to our first speaker, Hannah Silvers. You notice her theme there on the screen: "My stripper name is Bubbles Sunset." Well, Hannah Silvers is a writer, an editor, and a content strategist based in Atlanta, Georgia. She's also a veteran of Social-Engineer with corporate technical writing and vision experience. It was fun to work with her. When she was 17, she was the youngest contestant ever to enter the SECTF booth at DEF CON. So she told me also that she wanted you to know that she's the hottest speaker ever. That's for you to judge. We're not judging here. So, all right. So Hannah, let's give it up for Hannah. Hi. Can everybody hear me? Great. Thank you, cause. Thank you, SE Village, for having me, and all of you for coming. My name, as I said, is Hannah Silvers and my stripper name is Bubbles Sunset. At least according to this Facebook meme it is. It says, what's your stripper name? It's your first pet's name and the first street you lived on. This is a really common Facebook meme. I kind of like it. Bubbles Sunset. It's kind of fun. It's kind of flirty. It's kind of totally insecure if you wanted to change my online banking password, right? By answering some security questions like, what was your first dog's name? What street did you live on as a kid? Right? So as security professionals, we look at memes like this that are shared all over Facebook and other social media sites and we see things like, what's your mermaid name? First nine letters of your SSN to find out. Not good. But the thing is that not everybody is a security professional, and in fact online marketing professionals look at memes like this and here's what they see. They see free data, free consumer profiles, free marketing information, free money. Right? Because marketing is all about knowing your audience. The more I know about you, the better.
And memes like these are hotbeds of the exact kind of information that helps online marketing firms build consumer profiles of you. The way we used to do it, marketing firms, you might remember this, some of the geezers in the room. We used to call people and ask them surveys and gift cards. We used to go to the mall with clipboards. Today, vague-looking websites with vague titles like "identity resolution" just scrape online platforms for the exact same data that we could get by calling you, but we're getting it faster and we're not actually having to compensate you for it. But it's not just about ads, right? Having this kind of information out there about you, available to be scraped, has never just been about ads. I think you know where this is going. Do we know where this is from? New York Times, Cambridge Analytica? Yikes. So Facebook users who interacted with the exact types of memes and other personality quizzes like these unintentionally gave Cambridge Analytica, an online marketing firm, access to their information. And that third party gathered information and built a consumer profile that was able to change the course of the 2016 U.S. election, by all accounts. So how do we get here? Today what we're going to do is we're going to talk about what's at stake when we talk about these kinds of memes. We're going to talk about why these strategies work, and then we're going to talk about what we can do about it and how we can go from there. And we're going to try to get through all of that in the next 28 minutes. So a little bit about me. My name is Hannah Silvers. I first came to DEF CON when I was 14. I don't really remember. We've tried to remember; we can't. But I did compete in the SECTF in 2012 when I was 17. And then the SE Village couldn't get rid of me. I worked for Social-Engineer for a little while while I was in college. And I've come back and volunteered pretty much every year since then.
I also started working as a definer for dictionary.com. So I spend all of my evenings buried in internet research. And my first full-time job out of college was as a content strategist for an SEO marketing firm, which is a very fancy way of saying online copywriter. So what I did was I would come in every day and I would learn about SEO strategies, that is, search engine optimization. So how to get a webpage or a post on Facebook to the top of people's timelines or the top of search results. What can you do on the back end and to the user experience to make things show up higher and get more engagement on them? So you see kind of how this poses a bit of a question. Because as a social engineer we think, don't tell anyone anything. Information out there about you is bad. But as an online marketer, the more the merrier. And in fact I was using the exact kind of information gathered about people to help my clients get their pages to rank number one on Google. So I started thinking, how much does it matter that online marketing firms are getting really good at this kind of elicitation, and how hard is it really? And shockingly, it matters a lot and it's not that hard. So when we talk about data and information it can seem a bit esoteric and a bit abstract. So we're going to pull it down a little, talk about the exact information that we're talking about, and then go from there. So marketers don't use this term. But as social engineers we call it PII, personally identifiable information. So traditionally these are the types of things that if I wanted to simulate a breach or if I wanted to steal your identity, these are the types of things I would need. So we're talking about your full name, demographic and biographic information like your birth date, your race, and then sensitive numbers, anything from a banking number, credit card number, what have you.
But really, when we're talking about social media, meme marketing and the dangers of it, we're really not talking about this type of stuff because it's too obvious. You know, with a couple exceptions, people really know now not to share the SSN on Facebook. Please don't send me examples of people doing it; I don't want to know. So what we're really more talking about with this is like the actual bad stuff. So on the left we've got what I could kind of vaguely call our marketing PII. That's not a technical term, don't quote me. This is kind of how I think about it. So if we know what you like, we know some basic demographic information about you, maybe what size shirt you wear, how you feel about it, the color palette of photos that you tend to like more than others, maybe how much time you spend in certain places or on certain websites, then I can market better to you. This is information that gets you to buy something and influences a purchasing decision. On the right is kind of this second-degree, maybe squishy PII. So it's stuff that can be used by social engineers. We see it all the time to infiltrate or steal someone's identity or get them to do something that they may not want to do. But the trick is that a lot of people don't think about this stuff as particularly harmful, so they're more likely to actually share it in an open way. So answers to common passwords or security questions like your first pet's name or the first street you lived on. Some people might not understand why that's so harmful to have out there. So with information that you might find in these common passwords or security questions, attackers can access sensitive accounts of yours, right? We see that connection. And if they can't get it, then they can also use this information to get you to access it.
So to recap these two groups and how they kind of intersect: marketers need this kind of information to make their campaigns more targeted and more efficient, which means they have to spend less time on it. And they get you to buy things quicker. So they make more money, right? Attackers want to harvest credentials and access your accounts to directly take money from you or hold your accounts ransom, and then have you pay them for them, which makes them money. So it's this direct connection between information that can be tied to one person in particular, and how it makes specific types of people money. And it doesn't even matter, when we're talking about information that's posted publicly on Facebook or Twitter, which group of people are encouraging you to share it, because once it's out there, anyone can use it, right? So how do you actually get it? Well, Facebook, Google and other platforms, they do actually sell hashed data or access to, like, Facebook's marketing API. So there are ways to get information that's, I mean, technically not tied to a particular person. We can argue about that another time. But what they're selling is kind of expensive, and it's kind of not as useful as information that can be tied directly back to a particular person. So you could get it that way, but it's not exactly what we're talking about. And then, of course, you could just hack it. I mean, if individuals can download their Google My Activity tab or go through and delete their Facebook data, anybody else can get to it, right? But the thing about that is that it takes time and it takes resources and it takes energy and somebody might notice. So instead, why don't we just get users to give it away for free and enjoy doing it, right? So if my name is Bubbles Sunset, what's yours? You see on the screen here? So the memes encourage us to give away information that we might not otherwise, in open areas where marketers, attackers, whoever it may be, can get it.
And they're encouraging us to not only do that, but to share these things with other people and to get even more people to use it. So let's see some of these in action, shall we? So here's what we're looking for when we look for these. By the way, I screenshotted each of these types of memes that showed up organically on my Facebook feed for about two months, so I had literally hundreds of them, literally hundreds. So you're just kind of seeing the highlights here. But what we're looking for are three things for these memes to kind of be successful. First, we're looking for gamification. They have to be fun. You have to want to interact with them. So maybe hot topics or something kind of sexy like your stripper name, something that's really fun and engaging, because it's no use if nobody actually interacts with it. Number two, shareability. These memes have to be very easy to share and easy to see. And they also have to encourage you to see them and to share them. So we usually see some kind of call to action in them, like comment, tag a friend, share, something like that, something to get the spread that we're looking for for it to be useful. But also, Facebook and other platforms have their own algorithms that it's really important to take note of. So sometimes posts with a lot of videos will show up higher in the feed, or posts that tag accounts that have a lot of engagement. Whatever it may be, that's another way to get things higher up and more shared. And then number three, they have to gather information that's actually useful. It seems like a dumb thing. But if you're asking people directly for their mother's maiden name or for their social security number, they're unlikely to give it to you. But if you go too far the other way and ask them for things that people are very likely to share, it might not actually be useful for you and you've wasted a bunch of time.
So we're trying to find that balance between information that's just far enough removed that it doesn't set off red flags, but also useful enough to where we can actually get something out of it. You ready? So let's first talk about something very simple, just to get a specific example: your birthday. So your birthday, or elements of it, I'll read this to you, don't worry, offer a lot of value to marketers and to attackers for a couple reasons. So if I know your age, then I know what types of things you might be more likely to click on. And this comes from either what types of things you might want to buy or what types of phish might grab you. Also your birth date. We've all gotten those emails that are like, hey, it's your birth month. From Adidas: happy birthday, 60% off shoes. Right? So things like that that tie into information that makes us feel like we're getting something special because of it. That's when we click. Also your zodiac sign. We can laugh about Mercury being in retrograde all we want, but really, people buy into stuff like this. So personality quizzes, things that tie into different personality traits with the zodiac, or even just knowing it, can really influence and bring a lot of people forward. So here we have "princesses are born in February, March, July, August and December." We have somebody commenting. Here we have the perfect time to get married. Each month is paired with 22 years old, 19 years old, never, when you're dead. And we have somebody commenting and telling their friend, LOL, how's it working out for you? And then here we have your sign and your birthday. Again, tying that in. So if we know your sign and we know your actual birthday, we can figure out the month. This is where it gets really squishy and really fun, is when we're eliciting answers to common passwords and answers to common security questions. So we could go for direct answers, something like this. So it says, give your pet's name and see if others can guess it.
So my friend, bless her, has commented a gif of the moon crossing across the sky. So, okay, so our dog's name is Luna, Moon. I mean, we've got like three options here. We can also do some reverse engineering to get to some really useful information. So this says your hipster business name is the first dorm you lived in and a plant that starts with the first letter of your first name. We don't care about the second part, but what we care about is that she has said the name of the first dorm that she lived in. So imagine if this person has just graduated. We know where she went to school. Probably she's using her real name in her Twitter handle. We probably have a pretty good geographic profile of her. She might even post about where she went to school. So she just graduated and she gets an email that says, hey, we found damages in your room. You owe this school $550. Click this link to pay it. She's going to be like, um, are you joking? And click it. I would. So here also we have "use the last three digits of your phone number to see what you need to be happy." So it's like: Jesus, chocolate, more sleep, all of the above. So the last three digits of your phone number. I mean, what are you really going to do with that? But if you look at the other posts that this page has published, you get a bunch of other posts that say use the first three or the middle four or the, you know, so it's an aggregate thing. So sometimes it does involve a bit of reverse engineering. It is an extra step, but sometimes it's worth it. Also something a bit less obvious is when we're relationship mapping. So it's not always about actually finding specific information about one person. Sometimes what's really valuable is just knowing who's connected to who and how they're connected. So that can give us some really important OSINT on one level, because we know the name of someone who's important to you.
But also that gives us an attack vector, because sometimes the targets we're going after actually have a pretty sophisticated security posture, but everybody's got that aunt or that grandma or that brother who loves to tag them in things. And they're opening you up, right? So here we have "I was an innocent being and then my best friend came along." So we have the best friend tag. Next we have best couples. So we have someone whose birthday is matched up. If you look at the rest of this page, it's essentially the same thing just with the months matched up, right? Till we get everyone. Anyway, we have names of mothers with the best-behaved children. My name's on that list. I would share that. Am I a best-behaved child, mom? Oh, never mind. I won't share it. Sometimes also, it's not even about getting information from the particular post. And this is something that's really important to understand from an SEO perspective. Sometimes it's literally just how many people can we get to spread this thing. So it'll be giant lists of names, very common names, or giant lists of common characteristics that someone might have. If you've got brown eyes, share it. I've got brown eyes. So does everyone. The trick here, I know, but they're beautiful. But the trick here is that we're going off this concept of domain authority, right? So when you have a particular post from a particular page on Facebook or a website, whatever the domain may be, that gets a lot of interaction or a lot of attention and people stay on it for a really long time, whatever search engine or platform you're using thinks that that page or that domain is really important and worth a lot to a lot of people. So the next time somebody searches for a similar keyword or goes to that page or opens their Facebook, if anybody in your network or the Google machine thinks that you're looking for something like that, it'll bump it up higher in your search results.
So if nine memes out of 10 have nothing to do with anything shady and they get a lot of interaction, then that one post that is asking for something shady is going to show up a lot higher in your timeline the next time you log on. So we're building authority over time. That was fun. Now the not-fun part. So we think about who's susceptible to this type of thing. We might think, okay, younger generations, they're the ones on Facebook, which is true. They're used to sharing these types of things. All of us have. But we might think, okay, but why does it matter? They're just kids. Well, kids' information can be really important. So if you, as a 16-year-old or as a nine-year-old, have your identity stolen and someone is filing tax returns in your name, you might not realize that until you start filing tax returns years later. And then who knows what damage has been done and how long it's going to take to convince the IRS that you are who you say you are. A 40-year-old probably wouldn't have that extent of the problem. Also, younger people: when we think about whale phishing, we're talking about their parents, who maybe have a sophisticated security posture, but the kids might not. So they might be the gateway into a CEO or even an institution that's really important, that might not be able to be hacked on its own. But when you go through someone young who's associated with it, using their credentials or their identity or something you know about them, you open them up to attack that they might not have been open to otherwise. And then of course we talk about older generations. I mean, bless them. They love sharing this stuff on Facebook. I know my grandmother does. Don't look her up, please. But it can be really difficult to explain when they're going from "my first pet's name" to fraudulent charges on my credit card to the IRS doesn't know who I am. Right?
That's really hard for older people to follow because they just haven't had to do it for as long. We get it, but they don't. Right? So they're really susceptible to these types of things that take a couple of steps. But I mean, really, when we get down to it, all of us are susceptible with the right emotional trigger at the right time. So what are we going to do about it? Cheery, right? As a user, if you think that these memes are funny, which I do, just screenshot them and share them with a friend individually. There is no reason why you need to comment publicly, contribute to the domain authority, contribute to the spread and share your information or the information of your friends out there. Just send it privately. Honestly, that's something I've started doing since I've started thinking about this and it has made a huge difference. Also, fake answers to your security questions. I mean, this seems like kind of a basic thing we talk about a lot. But even if you're not the one that's sharing sensitive information about yourself, what if your aunt is tagging you in something like this? Right? So if, oh, tag it if your high school mascot was the War Eagles or the Eagles or the Tigers or the Lions, whatever it may be. If your bank thinks that your high school mascot was Scooby-Doo, it doesn't matter if it was actually the War Eagles or the Lions or the Tigers or whatever it was; somebody who has found that, like, objectively true information about you on Facebook can't use it to get into your banking account. Right? So fake those answers, store them somewhere safe and use them instead. You can also, on a more public-spirited level, use that reporting feature on Facebook. So if you notice accounts like this that are sharing information that they shouldn't be, or encouraging people to share information that they shouldn't share, then report the page, submit it to Facebook.
Who knows what the process is actually like, how long it takes, but every little bit counts because it contributes to people understanding that this is a bigger problem. Also, and I don't know if I would recommend doing this, but I've seen this a lot on a lot of these posts that already have millions and millions of comments: you can literally comment, yo, y'all, this is password harvesting. Like, are you serious? Don't, don't do this. And I've seen that more and more as I've been looking at these, is people kind of having that public-spirited mindset of saying, y'all, don't do this. Really, come on. Another way you can do that without commenting on the actual post itself: screenshot the post, and then share it just as a picture with your own social network and say, yo, if you see anything like this, come on. Don't do it. Maybe even share a link to this talk once it's posted to explain why it's bad. And then, of course, the biggest thing we can do as a user is educate our family and friends about why this is bad. So sending them things that explain why it's a bad thing and why their information shouldn't be out there, even if it doesn't seem like particularly sensitive information. And I know it's exhausting. Y'all are probably in the same boat as everyone else in the room, including me, where you're always the one educating your friends and family about security. And it gets exhausting. I know it does. But, I mean, think about it this way, as self-preservation. If somebody who you didn't tell tags you, now you're in the mess. So share it with your family and friends. Tell them why it's important. And then as a security professional, let's look at it two ways. You can take the lessons of SEO meme marketing into your next pen testing engagement, especially if you're doing social engineering. Think laterally. Think a little bit out of the box. Do a bit of reverse engineering. Take that gamification, shareability, that idea of domain authority. And use it. Why not?
It works, obviously. But then just realize that the reality is that marketing people are going to continue to do this because it works. And we have demonstrations of why it works and how it works. So in the same way that you would, if you saw an executive at some firm you were working for or consulting for share a picture of their access badge or their ID badge on Instagram, the same way you'd be like, yo, you know, people can just make something like this in Photoshop and print it, right? Do the same thing. Bring it up. If you notice it in the network, just be like, hey, yo, this is something you should think about. Talk them through why it's bad, how it can be used against them. Sometimes people just really need to see it worked out and talked out to understand it. Otherwise it just seems fun and they don't think anything of it, right? So I think I'm going to leave you with that. I want to leave plenty of time for questions if we have them. But really, thank you. And thank you especially to Mom and Dad for listening to me when I talk about this all the time, or at least being really good at pretending to listen to me when I'm talking about this all the time. But thank you guys. You've been a great audience. Questions?

The most memorable post? OK, so the question was, what was the most memorable post of these kinds? Actually, it wasn't a single post. It was a page. It wasn't a single post. It was a page like this, one of those that's run by whatever brand it is that's trying to get their stuff out there. And it was like the one where it was like, oh, share the last three digits of your phone number. Except it was like, oh, share the first two digits of your address. And then like three memes later, it was like, oh, share the street name of your address. And then like four ones later, it was like, oh, share the last two digits of your zip code.
And if you just kept going, you keep seeing like all these pieces that are getting put together to put together an address. I reported that page so fast. But anyway, so it's stuff like that. When you see it in aggregate and you see how it's clearly thought out, that gets kind of scary.

So the question was, for people who are sick of hearing about technology from you, how do you tell them, yo, this is bad and you should stop doing it? Well, there are plenty of news stories that I'd be happy to link you to, or that you can Google. Cambridge Analytica would be the biggest one, probably. And that was personality quizzes, so it's even more engaging. So I would share news stories. And I would also talk them through actual scenarios, like every step of it, and be like, yo, if you share this and then somebody sees it and they call your bank, and you're trying to change your password or withdraw something and they ask your security question, that person's gonna have an answer and then they get to reset. So sometimes it just takes actually talking down the steps for somebody to be like, oh, you're right. That is kind of nutty. You're totally right. Does that help? Yep.

So the question is, can Facebook police these kinds of scams? Can they? Probably. Will they? No. The trick with Facebook and a lot of these online platforms is that they don't see themselves as publishers, they see themselves as platforms. And we've seen this when they went to the Hill, there was a Facebook hearing, like that's how they're selling themselves. So they're trying to do the least possible because they don't want the responsibility of these sorts of things. But the nice thing is that they do say, oh, if there's a spammy account or if there is a harmful account or something, we have this fancy reporting feature that you can use. And so if enough people get in the habit of using it, which I know is incredibly idealistic, but if we get enough people using it, they do have a feature set up to do that.
So we can kind of, on an individual basis, encourage them to take down spammy pages, because they do it. But as far as making it a policy, I don't think they would see this as something particularly urgent. But I don't know, surprise me, if anybody works for Facebook.

What's already here? Taylor. Can you tell me more about how exhausting it is to educate your family about security? Especially your dad. The question was, can you tell me about how exhausting it is to educate your family about security? Especially your dad. Especially your dad. I love you too, Taylor. Yeah. I can do a real question.

Was it ever a goal of yours, when you started to come to DEF CON at 14, to actually be on stage giving a speech? Yeah. And then to goon next? Next year. You've achieved your goals. Nice job. Nice job.