DEFCON 23. “Confessions of a Professional Cyberstalker”. Ken westin

Original author: Ken Westin
  • Transfer
My name is Ken Westin, and I’ll tell you what it means to be a professional cyberstalker (cyberstalking means using the Internet to search for someone, a group of people, or an organization) .

I am the founder of the company GadgetTrak, in which I was a hacker and part-time general director, and a developer of technical tools that allow the return of devices stolen from people. I also created a search engine for searching EXIF ​​data in images.
Now I do not work for GadgetTrak and currently I’m a current senior security analyst at Tripwire Inc., I’m involved in many investigations, gathering information from social networks and other sources and sending bad people to jail.

This slide shows “The Wall of Shame” - these are photos of real people from real investigations in which I participated. You see a lot of photos taken by a webcam, I deliberately blurred the intruders' faces in order to preserve their anonymity. Some of these photos were taken from the devices I returned, and not from a webcam.

Interestingly, more than half of the time when I went to the police to recover stolen devices, they asked for help in other operations they were conducting. Many times I happened to help in matters related to drugs, violent car theft, theft of laptops. Some of these cases were related to the use of Trojan devices that use virus vulnerabilities, malicious programs that spy on people, I will tell about this in more detail during the presentation. I developed tools that helped to monitor intruders while at the same time trying to preserve privacy.

You can imagine that a part of my work provokes criticism of people who do not understand that the spy methods I use serve to solve crimes and prevent their grave consequences.

The screen shows a slide from the Black Hat review review: "I think you should pay attention to the ethical side of using technology that you are so pleased to demonstrate."

I want to note that many of the applications on the market are capable of doing more awful things with information than those that I use to return stolen devices.
I started using my tools when I was working for a company that specialized in locking USB devices. It was a long time ago, in 2006–2008.

At that time, my security impact was similar to how a network administrator tries to protect his web servers and site management. I was really interested in how these USB-based tools are used to hack networks. You know that accessing the network from the outside is quite difficult, but as a lazy hacker, you can use USB devices to hack the system and steal data. Therefore, I started working with these tools and even created a website , where I started posting some of my tools, and the user community began to develop. Working with some members of the community was really interesting, and the interest in my development was on both sides of the law.

Then for the first time I received a small “call” from the FBI, but they still figured out my intentions to be of benefit, not harm. At that time, no one discussed or distributed such security testing tools. But now with the help of these tools, network administrators can really test their networks to see how they will react to such hacking tools.

Many security researchers are still asking me for these tools, so I link to my website , where you can download them, just set up your antivirus so that it does not block these programs. You can adapt them to your needs by changing some scripts, and they will still work.

After I studied these USB devices, I thought about how you can use them, making them more friendly, how to replace malicious Trojan software with something useful.

Usually, you connect a USB flash drive using autorun, run a binary file and can collect quite a lot of information. You can do a lot of things if you can intercept the hash. To return the stolen items, I think you know this, you can get an IP address, you can find out the internal network address, you can determine the geolocation on this IP address and find out what city it is located in. But more useful information was the name of the computer and the name of the user who works with this system.

I posted my tool online for free. Actually, it was part of my master's diploma, part of the system that I built, and I was curious about what people would do with it. I was very surprised how many people became interested in my resource and used the gadget located on the main page of the site. Within 2-3 days, about 20,000 people registered there. You can imagine that all this went through a central server and you could activate remote tracking, since after connecting the device it sent data to the owner. I managed to collect a huge amount of information about the devices with which my gadget worked.

The slide shows the text of the letter that was sent to users.

“Subject: Gadget Theft: Device detected.

A USB flash drive, which you reported as lost or stolen, was connected to a PC and we were able to retrieve the following information from the system for investigation:

- public IP address:,
- host: .xxx,
- internal IP address:,
- computer name: XXXXXXXXX,
- user name: xxxxx
Country: United States
State: Oregon
City: Tialatin,
Zip Code: 97062 Area
Code: 503
Latitude: 45,3653
Longitude: - 122,758 "

This concerned not only USB devices, I found out that my gadget works with external hard drives and GPS devices, because it happened just like updating maps. He also worked with the iPod, and if during this time on the tablet did not have time to change the software, then it was enough to connect a USB flash drive to it and get access. All this was very interesting.

I also created a USB client for Windows, the code of which is shown on this slide, and you can download it via the link .

It is written in C ++, has autorun and exploits a Microsoft product vulnerability that exists until today. You can see computers running Windows XP in various institutions and medical centers that are still vulnerable to attacks of this type. Later I will give some examples. And although we all know how vulnerable USB devices are, even at the BlackHat conference this year there were a lot of people who "threw" around a bunch of their flash drives and became victims of such spyware devices by which data was stolen from their systems . And I’m not sure that if it were any of you, he wouldn’t take advantage of this opportunity.

Another thing I learned is the problem with getting an IP address. The authorship of such an attack is attributed to China, but it is difficult to unequivocally state where it came up. You know, law enforcement agencies do not like to mess with papers, but when they have to deal with IP addresses, they have to issue a lot of papers in order to get a court order to receive this information from an Internet service provider (ISP).

In addition, it is not possible to identify exactly who was in front of this computer or a stolen device during a crime. You can determine the owner of the IP, but he will say: “It was not me!”, And you can’t prove anything. In addition, he can change the IP-address or use anonymizer. Because of the connection through the proxy server, the definition of the IP address is not particularly accurate.

In general, the process of determining IP takes a lot of time - from 2 weeks to 3 months, and this is a very big problem, so when searching for stolen devices, you need to act quickly, especially if the thief tries to protect them from detection. It should be noted that usually companies engaged in the search for stolen devices, using more "bold" methods of investigation. The next slide shows the iPod I have spotted.

There were many children who installed my gadget on their tablets. Once a certain guy stole such a tablet at school, and when he came home and connected to a computer, my device quickly determined all the necessary data, and luck was that the user name was “Kalpakis family”. Since there was only one child in the school with that name, the school managed to get the iPod back to him.

The point of my idea was that if a stolen device could be traced, many people would have refused to steal such devices.

I also found out that all these devices could work in conjunction with a high-quality infrared camera that captures the thermal image. I turned to the company with a proposal to make a special software agent for them, which we could use to protect these cameras, each of which cost about $ 3000. It was quite simple, since the cameras recorded the image on the SD card, and I wrote a special code for the camera firmware.

The point of protection was that if someone pulled out the old card from the camera and inserted a new one, the code recorded in the camera firmware will be automatically installed on this new card, which will help to block it. This made it easier not only to search for abducted IR cameras, but also made it possible to control their illegal export to foreign countries. For example, if it were discovered that such a camera was connected to a computer somewhere in Iran, the camera seller would have big problems.

In addition, the software agent allowed to use as a password a file with an IR image, such as this photo of a cat.

Then I will tell you how I tried to create a similar client for Apple products. The difficulty was that in Mac OS X there is no autorun feature, but you can fool people. The biggest vulnerability I enjoy is human greed and stupidity. I used the Apple script, and you can ask why it? Because such scripts are more trusted, they are suitable for most applications for the apple axis. Here is the iTunes application, which I tried to fool. I put my trojan in .mp3 file. But the fact is that OS X has such a feature: if you try to change the extension of an application by writing at the end of .mp3, the system will automatically drop the .app extension to the end of the file so that the user knows that this is actually a program and not a music file .

So I had to use such a thing as a homoglyph - a symbol with zero width, for this I took a Turkish letter called “organic”, and the system left .mp3 at the end of my file, without trying to supply it with a “tail” .app. The next slide shows the code used in my script.

It allows you to get information about the system, user name, computer name and other information when running iTunes. This script allows you to learn about all the running applications, and this is cool, because you can write several scripts that fit into them and try to steal data. I made it so that iTunes collected the data I needed and sent it as music files to my URL, so that I could listen to music and do bad things in its background.

The great thing is that you can make shell scripts from Apple scripts, but be careful if you decide to run them on your system.

Know that USB devices are still the attack vector. It is known that with their help the Stuxnet virus got into the Iranian nuclear facilities system and in the same way spread to the Russian equipment. Malicious software - the W32.Gammima AG worm - penetrated the International Space Station (ISS) in 2008 using a USB device.

In 2012, the Computer Emergency Response Center at industrial and mission-critical facilities ICS-CERT reported that two US power plants suffered after an employee brought a “flash drive” infected by a virus to work. Many computers using Windows XP are still subject to such threats, as was noted at the Black Hat conference in 2015.

An IP address is one way to detect a loss, but I have to process information from many other sources. This slide shows the “crazy wall”, you have seen such in many television shows, in which the police are trying to solve the murder. They have all the evidence, and they draw all these lines correctly, trying to tie the evidence. This is a kind of thinking process, which I adhere to. I also use tools like Multigo, it automates this process significantly. I’m not sure if you have ever used it, it’s quite a big tool and you can write for it all the specialized modules that help you do a lot of work.

I had a case with tracking of one missing "flash drive". We were able to get the original IP address, which was a strange user name, which did not give the opportunity to identify the person. We wanted to match it with the names that were in the AT & T subscriber database, but you know how it happens with AT & T, we could lose track of this “flash drive” in three months. She was stolen from a professor and contained data on important studies, but we still could not convince the police to use all their resources in this investigation.

Therefore, we began to track any communication of the university and a specific computer lab, which was useful because we also received information from the internal network. She allowed us to advance further in the investigation. We visited the computer security department of the university, taking advantage of the fact that we had an IP address and a timestamp, and determined the internal address of the computer on the network. However, it was a “guest” computer that did not allow to identify the student ID who logged on to the system. I began to ask questions and found out that in order to gain access to computers, it is necessary to scan the student card, and the security system contains relevant records about it.

We linked this to the time stamp and got a list of everyone who was in this room during the theft. We learned that a year ago several desktop devices were stolen from this room, after which surveillance cameras were installed here. Not everyone knows that many of these cameras store data, which is also recorded in a log file. We found out who was in this room with the professor and knew that the guard was outside the room at that time. As a result, we returned the “flash drive” to the professor, we did not even have time to erase the information on it.

I also wanted to find ways to help get back stolen items like laptops. All existing search tools were mainly based on determining the IP address and user identification, which took a lot of time. More progressive were invasive methods of introduction, opening the "back door" into the system, which made it possible to install keyboard input interceptors. However, such methods in many cases made the system more vulnerable to real hackers, since they required changes to the original software.

I came to the conclusion that you should not resort to such extreme measures, but you need to adapt for this existing devices in laptops. For example, I would combine the use of a built-in webcam with Wi-Fi based geolocation. You know, there was a company that supplied MacBooks with cameras, but no one used Wi-Fi positioning. When the first iPhone came out, he already used this feature. I worked with the Skyhook system and it turned out that it is capable of being deployed so that we can get geolocation using the camera information. So it was a kind of "gaming transducer" especially for law enforcement.

However, there are some difficulties with the operation of this system. So, when you activate tracking on a remote server, it will check if the device is stolen and collect a lot of evidence. For example, track the movement of a laptop to another network with a change of IP address, check the login event, notice that the device’s registration location has changed on the network, and then send information.

But at that time I didn’t want to mess around with things like sending photos to the server, so you could go directly to Flickr photo hosting, register an account there and get control over all your data. In this case, you would receive a message of this nature: “We determined that the person shown in the photo above tried to gain unauthorized access to your computer. The information below was collected from your missing MacBook. ” This was followed by data on the external IP address, internal host, user name, Ethernet ID, host name, Wi-Fi network name and access point coordinates obtained using geolocation.

At the same time, you didn’t need to worry about a third party that could access your camera to spy on you.

The point was that whenever the laptop connects to the network, it will receive the location of the Wi-Fi access point, take a photo, and repeat it every 30 minutes so quickly that you do not even notice the flash of the green LED when you turn on the camera.

Please note that at that time I used the Skyhook wireless service, but now geolocation is built into all operating systems - OS X, Windows, Android, iOS. In addition, there are special applications for laptops and mobile devices, such as the Google Maps API. So if you want to write your own device tracking scripts, this app is a good tool.

The first successful return of a stolen laptop using a camera and Wi-Fi geolocation took place in New York. I had to work with a New York police officer who looked a bit taken aback because he had never dealt with this type of “tool” before, and he was angry because he was used to dealing with papers and detaining according to the usual bureaucratic procedure.

But I told him: “No, that will not work, you can perfectly see the location of this guy with an accuracy of 10-20 meters.” He replied: “So what does this mean?” I said: “Yes, just print this photo and go with him to this place!”, To which he said: “Do not teach me how to work!”. But then I did everything right. The police went there, and there was a man from the photo, he was the owner of a tattoo parlor. In the background of the photo you see a lot of cool "toys": a large-screen TV, synthesizers of different types, audio equipment. When the police entered the building, they found a stolen MacBook, three more stolen laptops that were being used in other cases, and a lot of stolen items.

So this is a good example of how a Trojan eye can be used against criminals. Thanks to this, we found stolen items and returned them to their owners 3 times faster than usual.

Another case was in my native Portland, Oregon. There was a group that repeatedly broke into schools and stole laptops. The point was that they returned a week later and again stole laptops, which they replaced stolen ones, in the same schools. It was 4 or 5 different schools in the same area. I talked to the police and offered to install my programs on these laptops, which were baited, we did not even keep them under lock and key. After a week we got the location of one duplex in Vancouver, WA, this is next to Portland, and a few photos. The accuracy of the geolocation was from 10 to 20 m, we passed this information to the detective who worked on this case. He went to this house to check our suspicions, but from there a guy came out, whom he knew well, and the detective got angry at me and said that I don’t know what I was doing.

Then I myself went there myself and began to monitor this house with the help of my laptop. I checked all the wireless networks in this place and found the one that was “lit up” in our data, it was called Russia. I decided to look around and on the other side of the duplex I saw a car with a “Russian pride” sticker on the bumper. Then the guy who was in our photo came out of the house, and I was afraid that he would notice me.

In general, I called and told the whole detective story, and they continued the investigation. They never mentioned using my software; I was an anonymous source of information. As a result, they detained 6 or 7 people, an organized criminal group that stole not only laptops. Some of them were really bad guys, and when they got there, they started giving up each other, which was really cool.

For some reason, there lived a lot of Russian guys who were engaged in theft of property in Oregon and participated in another case. We could not get any data on the stolen laptop for 2 weeks, and I thought that they had already reformatted the hard drive, as suddenly we shut it down. We knew that he was a guy named Victor, he was so kind that he changed the username of the stolen computer to his real name, as if trying to help us catch him.

I had his first photo in McDonalds and another photo in the hotel with the girl in the background. I found his profile on Myspace and noticed that he was a fan of his car Scion, about which he posted a lot of posts with photos on the forums about cars of this brand so that even “lit up” the license plate of his car. He also had an eBay seller account, where he traded all kinds of auto parts.

Unfortunately, he sold the stolen laptop to his friend Omar, as did the hijacked bike. When we came to the prosecutor with our information, he said, we provided enough evidence, and even if Victor doesn’t have a stolen laptop, he can be arrested for possession of the stolen property. So in this case, a special judicial precedent was created.

In fact, in Portland there was a group of Russians who stole property, loaded it into a large white minibus, carried another group of Russians to Missouri and exchanged stolen things with them. It seemed to them smart enough, but still not particularly reasonable - we found out that Victor’s father was involved in this gang, who gave him a stolen laptop for his birthday. So thanks to dad, Victor now has a criminal record.

Another case occurred in Brazil, so I had to work not only in the USA. But it was a bit difficult to work with the Brazilian police.

The essence of the case under investigation was as follows. There were a couple of guys, robbers - car thieves. They jumped out of their car with pistols, attacked the driver of another car, ordered him to get out of their car, and when he got out, they hit him in the face, knocked him to the ground, broke ribs and nose. It turned out that shortly before this, the owner of the hijacked car installed my spyware program on his laptop, and at the time of the hijacking the laptop was in the back seat of the car. So, we started to get information, and then when the police detained these robbers, I was excited by such luck, because these guys committed a lot of similar crimes. So this case served as an example of international cooperation in returning stolen items.

An advantage when searching for mobile devices is that they have a built-in geolocation function, but it’s more difficult to determine the IP address. We found out that people do not really care about their data on such devices, so we created a system for backing up photos and contact information. I was really worried about how to store photos of people on the server, because if someone hacks it, it will get access to the data of all clients. Therefore, we used an application that creates a private key that encrypts photos and contacts before sending it to the server.

I am very pleased with this decision, because if the server is hacked, then without a key, no one will have access to the information, in addition, it is an important function for law enforcement officers who can, if necessary, contact the client for a key to decrypt the data. I want to show you an excerpt from the news program "Channel 8", which tells about one case.

Text of the video:

Our correspondent spent the last two days with the police and investigators on the case of theft of mobile devices. The suspect lives outside the Washington Square Mall where the theft took place. A Sprint store manager said they were confident about tracking software for stolen mobile phones, which they installed on two display cases worth $ 500, and that it would help arrest the criminal.

After the store's video surveillance system recorded the fact of phone theft, store employees initiated tracking software installed on the stolen phones. They could not only determine their GPS location, but also monitor any phone activity. This activity allowed us to get a photo immediately after the phones were stolen, and on it we see the robber's face in the car.

The police admitted that this is a “brave new world” when photos taken with a stolen phone are sent to its former owner as soon as the device is stolen. This software has aroused the great interest of our investigators, since it is essentially a very reliable source of information about the robber.

The creator of this software from Portland says that the police are on the right track when using it to catch criminals.

In the photo taken by the stolen phone, a temporary driver's license is visible above the robber's head on the rear window of the car.

This allowed investigators to go to the Vancouver ID center and get an address. The investigator came there, but the woman opened the door, who said she did not know anything about these phones.

Then he came to the duplex, where the signal came from the second stolen phone, but the man living there also said that he did not know anything about the Samsung Epic phone. Well, in search of phones, we returned here to Washington Square Mall, where we just received a recording from this device of a temporary driver's license and now the men in the pictures will have to explain to the police how their faces hit the camera of the stolen phones.

As you have seen from this example, some discrepancies may come out with the determination of coordinates by GPS, but the information recorded by the camera of the phone in the photo as EXIF ​​data is very useful, as it has a time stamp and other important data. As it turned out later, these guys stole not only phones, they also had other possessions and a stolen car.

Studying these photos, I realized that the data embedded in the images is really a very useful thing. EXIF metadata is stored in images, audio, and video files, reports camera GPS coordinates at the time of the snapshot, shows a timestamp, and high-quality digital cameras also place information on the manufacturer, model, and serial number of the device in EXIF ​​data. Download tools for processing EXIF ​​information at . You can also upload an image to and get all the information contained in the EXIF. The next slide shows a list of digital cameras that place their serial number in EXIF. This can be used to track stolen cameras.

One reporter made me think about photos of naked celebrities that were publicly available, and the media claimed that they came from hacked phones. But the relevance of EXIF ​​data, which has persisted over the years, has shown that this was not the case. In fact, hacked e-mail, and a guy named Chris Cheney, who was doing this, picking up passwords, was sentenced to 10 years.

I thought about how this data can be used not only to find the serial number of stolen devices. Of course, you can save something on Flickr, but I wanted to create a database in which I can look and get the right information.

I was just starting to experiment with something similar, and one of my friends was doing what is called CP usage. This process consisted in the fact that they gave you money for providing computer time, that is, you rented idle computer capacities of university laboratories. In this case, researchers could use the power of thousands of computers for their calculations, creating something like a home project SETI.

In my experiments, I was going to use the Flickr system and wrote scripts to enter the Flickr API, but there was a limit on the number of calls from their IP from the same system. If you accessed the service frequently and quickly from the same IP address, you could be blocked. I talked with a friend who had problems with the Yahoo service at that time, and we decided to use the power of about 200 computers to work with Flickr. It took almost a month, as a result of which we created a database of EXIF ​​metadata from almost 4 billion images.

It was a huge database, and I posted information about its availability in the media. We also collected images from some other photo hosting sites and placed this information in our database.

Thus, we created a search engine "EXIF", which allowed us to find the stolen camera by serial number, which was contained in the metadata of her photos posted on the Internet.

The idea is that if your camera was stolen, and after 3 months someone uploaded photos from it to Flickr, you can try to return the camera, using this data as evidence. This happened to photographer John Heller, who took photographs in the Egyptian theater on the instructions of the Getty. They stole his camera and all the equipment, so he lost $ 9000 and did not fulfill the contract, and was very worried about this.

And then, after 3 months, photos appeared on Flickr, taken by his camera after the theft, and he with the help of Facebook went to another professional photographer, on whose page he saw a photo of equipment stolen from him. He contacted the Los Angeles police, who found out that the thief sold the stolen camera on Craigslist's electronic ad site, then the guy who bought it resold it on eBay, and so she got to the current owner, who had no idea that he was buying the stolen goods. This man returned the camera to John, and then demanded his money from the seller on eBay, and he managed to return it. A year later, on Craigslist, property appeared from a robbed apartment, which the police managed to track down, and she detained a thief, who, as it turned out, kidnapped John’s camera.

I had another case where the search for a stolen camera had to be combined with stalking in social networks.

There was one guy who sold cameras and photographic equipment on Craigslist (after such cases I would like to call this site Crimelist). Somehow a buyer came to him, showed a bunch of cash in his hand and said he wanted to buy a camera. The seller took him to the garage, where there was a box with a camera, and then the buyer hit him, threw him to the ground and ran away with the box.

Later we found images made by this camera after the theft, and we looked at many other social sites where the thief posted his photos. These were quite interesting photos, where he smokes weed, driving on the freeway, brings a gun to his head, photographs a car speedometer at a speed of 110 miles per hour and the like.

So, with the help of geolocation and time stamps, the police managed to find it.

My tools also helped the Child Cybercrime Center’s Investigation Unit (C3).

They used the information in photographs to investigate crimes of which children and adolescents became victims. The idea was that you know that Joe is a pervert, he uploads child porn to the network, but maybe he uses the same camera when he goes to Disneyland and takes pictures with his family. So if you extract the serial number of the camera from one of these innocent photos and compare it with information on pornographic materials, the coincidence of the number can serve as proof of the identification of the suspect in the crime.

Edmond Lokar, who is called the “forensic forensics”, said that each contact leaves its mark. Of course, he spoke of physical crime, but I believe that in fact this is also true for the digital world.

There is an interaction of things that allows you to track some events even after years and will retain what allows you to identify. And when we talk about the Internet of things, we need to remember that all these devices have the ability to identify us. For example, you or someone sends an SMS message, then you delete it, another person also, but the problem is that there are 20 log files that are generated by the mobile network provider and display all the events.

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr's users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?

Also popular now: