[00:00:10] ...is the current director of digital forensics... is a former CIA officer, and he was a... fire security Special Operations.

[00:00:31] I see. Thank you, and welcome to ME 501. No, wait, that's his class. It's my son. And here's a hump, Will Baggett, and thank you for coming out. Glad Will made it here from the hurricane. And my mics aren't on, so this one... on? All right, all right.

[00:00:51] All right, thank you for coming out. My name is Will Baggett. This is Mechanical Engineering 501. Um, turning your... oh wait, no, that's Will's joke. He asked me to make it before I walk in. That's my son in the front row over there. Um, Tyler talked his Broken Arrow and they're all now laughing at him. Fantastic. Uh, Broken Arrow: so that's the Army term back in the '60s. So if the American forces are overrun, they would send it out over the radio to ask for any and all air support in whatever means, whether it's a B-52 for blanket bombing, napalm, or even a Cessna just giving a little bit of guidance so the American troops would know which way to navigate away from the enemy.

[00:01:26] And I say that because, working in the cyber field, a lot of people come to us and say, "You know, I've got this situation." And before, it used to be "fix my desktop." Back when, I'm dating myself, I realize, but back when we had desktops that people would build, aside from gamers and crypto miners, building your machine was an issue, and the common person comes to a cybersecurity person, an IT person, and asks them to build it. That's now shifted from fixing things; generally laptops and phones are non-repairable, generally ifixit.com might help. But now it's "fix my situation," whether it's "I'm being gang stalked on Instagram," or "you know, my ex knows everything I'm doing on iMessage," "you know, I think my account's been hacked, can you come help me fix this?" And that talk's relevant because here in Augusta, between the national lab and the things that go on over at Fort Gordon, we might be... we, like, I'm still in it, but we might be superior at building drones that go deep underground to take nuclear measurements, or we might be able to determine how many people of interest are living in a house in Pakistan based on the water drawn, power draw, through sources and methods. But when you leave that SCIF life and come back out to your car and start to drive home, and in Georgia you can't touch your phone for however long it takes to get back into your house, that's when you truly get back into the civilian world. And you might be a GS-1510 looking at something truly in-depth and technical, but once you get home... oh, again, because he's here: I didn't know you can make phone calls through Snapchat, and I was a comms expert for CIA, for counterintelligence group, but we didn't know that because we don't play with Snapchat. And you know, you can still learn from people. I didn't know you can make phone calls through PS4. No idea. Never thought to make phone calls, because I'm an adult, I have a phone. But you can, and you can actually stalk people and see what's going on. One person, she built a scraper to see how long people had been online, the amount of time they're spending on video games, and took that report to the judge to say, "Uh, you know, this person claims they can't get a job, but they spend 80 hours a week on Call of Duty Black Ops Zombies. They can obviously get a job."

[00:03:50] So, from all that, when they come to us and say "can you help us," our inclination says yes, and we want to do something. So on the job, a lot of us have seen this. You basically sign your life away, and the graphic looks a lot better on a small screen than a big screen. You basically say you consent to all monitoring, and then, after leaving the intelligence community and working insider threat, by God, yes, they mean they can see everything. So you've got Splunk; you can see all, if it's set up correctly, which if it's not, it's a lot of money, and that's why the Splunking engineers also have a huge salary. But you can see every bit and byte that goes to and from: all the email attachments, websites visited. Then drilling down with O365, which, that's not vulnerable one bit, but you can see all the email, all the Teams chats, away-active messages. All that can be harvested remotely without the end user knowing what's going on. With Druva you can connect remotely. Previously, uh, before the virus, you would actually have to do dead-box forensics: collect the box, image it, and then look at the data. And with endpoint software you can now go out remotely, collect just the files of interest, and look to see: is this person a flight risk for leaving the company? Is this a counter-espionage case? Are they looking to take our proprietary research and then sell it to the competitor or take it with them for a new job? And even McAfee, you can see which USB device has been plugged in, what was copied to it, and where the data went, and you can get the full pattern of life without the end user ever knowing it. But again, going back one slide, you agreed to that as part of the job. That doesn't work at home. People should have a reasonable expectation of privacy, and legally they do.

[00:05:33] And I've got this in here for a pause. I gave this talk at DEF CON, and one of the, not critique, suggestions was for the short version, the TBR version: if you need resources, if you go back to the Augusta airport, if you're flying out of here, "oh, I heard this talk on escaping domestic digital abuse," the takeaways are: go askgrows.com, safeascape.org. It's a collection of people like myself. There's the founders working for DARPA, people tied to Facebook, Instagram, Twitter, to help work to squash some of the issues people are having. If you want to volunteer, we always need more volunteers: help@safeascape.org. Or if you know somebody who needs help, help@safeascape.org. We'll parse the email where it goes.

[00:06:20] ...of this. If you've taken any cybersecurity class, you're familiar with the triad: data confidentiality, data availability, and data integrity. I've got a hundred-plus slides; my old mentor did eight slides in four hours. A lot of people falling asleep in that class. So you lose attention after six seconds. I have a lot to cover. This is basically a week of counterintelligence, technical counter-surveillance, crammed into 50 minutes. The slides are available if you want; I'll give my email at the end. Uh, but we've got this, we all know that. So from that triad, the risk mitigation principles for the domestic abuse front: you need to control the environment, be aware of identity theft, and you have to make sure you have data availability. Unlike AWS, Azure, maybe DigitalOcean, and maybe how the NSA has a site out in Utah, that data related to these specific domestic cases, that's the only USB drive, that's the only hard drive you have. From this you have to make sure you make additional copies, because if you lose that, the person you're helping won't have any evidence whatsoever of the abuse.

[00:07:28] But out of everything, you have to control the environment where you can, and from that it breaks down to another three points: the personal security, the data security, and social media leaks. Personal security is obviously the most important one. The horrible example, but the flight that went down, the Malaysian 317 flight that vanished: oh, everyone's dead, but we have the black box. It doesn't matter, everyone's dead. You have to take care of yourself first and foremost.

[00:07:55] Now, cyber practitioners, this is one of the newer slides. We've refined the process at Safe Escape. You have to look for the IOCs, just like when you're dealing in a SOC environment. One: who is this person? Why are they concerned? How do you think this is happening? And what are the indicators of compromise: why do they think that something is going on? And we've learned over time improbable doesn't mean impossible. Most of the cases are just coincidence. There's some true hacking, and we've had some black hat hackers who actually pursued the victim digitally to erase the evidence of their abuse with some zero-days. They've earned some unreported exploits in order to try to erase evidence, and he kept reconnecting her devices to make sure that pictures of her abuse were erased. It was a cat-and-mouse game, but that was a very unique situation. That was one out of hundreds, but it did happen.

[00:08:52] So, kind of tying this into last night: you never have to ask permission to leave a dangerous situation. Getting off the X means if you think you're in danger, it's okay to leave. No bad situation ever got better by sticking around. You know, last night, looking at driving down here from Charlotte, we were looking at I-77 and looking at I-20 westbound, and we'd have driven straight through the middle of the hurricane, tropical storm, coming over to here, or we wait till the next morning, get up early, and drive in. If I've just spent two 12-hour days worrying about O365 vault, about a remote connection vulnerability for a computer I'm never going to see, plus a new hypervisor vulnerability, again on thoroughly dispersed machines sitting on AWS cloud, why would I risk my personal life to drive through a storm to speak when I can just wait 12 hours? I didn't ask permission. It was just "we're going to wait." That was a smart call. Same thing: if someone's in a bad situation, leave first, make it to the next day, and then start to rebuild from there. Getting off the X, again, this is a domestic abuse digital case; however, have your bug-out bag packed just like for a hurricane: have your wallet, your keys, important papers, baby's passport, baby's documents, baby's vaccine records, your phone and the charger, because my iPhone battery life is terrible. And you want to keep the devices with you, but you have to consider what if there's stalkerware. Some of the people, I don't like to say victims, some of the clients we've worked with have been very ingenious. One of them was a vet, and she kept her alternate phone, documents, and prepaid credit cards in the safe, her medicine safe in her office, and said that if my ex breaks into the office, breaks into the safe, they're not just breaking and entering, this is a major felony because there's controlled substances, and the police are going to respond much differently than just keeping these documents in my car.

[00:10:50] Now, that said, here's where we want to split a little bit. We've got a person leaving a bad environment, and then we've got: what if that person leaves the house, leaves the apartment, leaves the assigned housing? Walk through a couple of things. First, you want to change your passwords. That's obvious. I want to say that a lot; you probably won't hear it in your sleep, I want to say it in my sleep. You want to change the locks and codes to your alarm panels. The third one I added in because it seems so bizarre, again being in the cybersecurity field: there is a flap, there was, there's a flap, but you pull it down on the garage door panel to enter your code to unlock your garage and raise it, and it said "if you forget your code, do this to gain access," right there on the door. I mean, username admin, password, and right there hard-stamped at the manufacturer. That's a bad thing. If their person has a shared garage door opener with someone else, when the locksmith comes out, that's something else to remember to get re-keyed. This is physical perimeter hardening first and foremost. The police getting a phone call, "this person came back into my house with a key," that's one thing, but "they broke in because I changed the locks," they're going to respond much differently.

[00:12:00] Now, from there, on a known safe machine and a known safe network, change your security passwords and questions, meaning something you wouldn't find from a genealogy or ancestry.com or something posted on Facebook. Because it's okay to lie online. It's okay. As Americans we're conditioned to always tell the truth, and for those of us who've been through polygraphs, they don't want the truth for four hours, they want it for eight hours because they get paid for the full day. But you can't say that, wait, I did say that. So it's okay to, like, "where did your parents meet?" Ouagadougou. Oh. "Where did they get married?" Tatooine. Uh, "what was a memorable experience in your life?" Living in a van down by the river. Something: they're not looking for the truth, they're just looking for the right answer that you've put in. It's okay to lie about this. My niece is over here laughing, "oh, Uncle William told me I can lie." Yes, lie. Don't tell the truth online, except to your mom, because she knows where you live.

[00:13:02] Okay, so the locksmith is coming, the apartment manager's coming, they're changing the locks. While you're waiting, look at your router, have your technical friend look at your router. And here's where I'm going to start saying capture evidence if necessary. The only things connected should be things you recognize. So here you've got a Galaxy phone, an iPhone named "PC," because, separate conversation, if you name it "Colonel Smith's phone," now you're beeping out to the top of the target list when you connect to, uh, say, a Starbucks. Who goes to Starbucks? But you're still, "oh, this guy is important to the military, let's sniff his traffic with Wireshark," versus "PC phone," who wants to look at that? So this is good; this is a normal-looking network. If you see something unusual, stop, call law enforcement, because if you've got a bug in the house or a remote camera, that's also a felony, and as professionals we stop, we get law enforcement involved because we don't want to tamper with evidence. You can also, if you feel like it, look at the log to see what device has been coming and going through the network, what else is connected, what's going on that you don't regularly see. Again, the standard disclaimer: I can't talk about every log location for every router in production. Google it. Another option would be, if you feel comfortable, if your person has the time, get a new router. Go to Comcast, I know, I know, go to Cox, Xfinity, wait, for Xfinity, get a new router, get a new IP address, and some ISPs will let you set a safety phrase, challenge and response, so that if you call in, only you would know that. Take note of what it is, because if you forget it, you won't get any help. Source: trust me.

[00:14:50] Now on iPhone 6, uh, yeah, iOS 16, they've got a great new feature, and this has mitigated, eliminated, a lot of the intake issues we had, a lot of the stalking issues. You go to Settings, Privacy and Security, Safety Check, and then Emergency Reset. That just nukes everything that's had access to your phone, and Manage Sharing and Access. You can go to Lockdown Mode, filtering out iMessages so you don't get phished, shared albums, all the data that's shared. That gets it off so it's not inadvertently leaked out. There is a, uh, there was, there was a NATO person who had been doing sensitive site exploitation over in Iraq. Didn't know it. Grateful he admitted to the class, not admitted, but he had been taking pictures of sources, stuff, and things, and that family album was shared out, or that shared album was sent out to Memaw, Papa, and the whole family, of stuff they probably shouldn't see, probably a little bit classified. But there you go, because of this shared setting. Plus, you don't take your iPhone to combat, but that's a whole different issue for another class for another day.

[00:16:02] Um, the lower versions of the iOS, iOS 15 and below, same thing. Go to Settings and look to see where you have dropped copies of messages. There is a case that had been ongoing for five years that actually got me into this field, and the person's iMessages had been drop-copied to her laptop but also to the iMac left behind at her ex's house. So everything she was doing on iMessage, and then her email, he was getting, and then presenting as evidence as to why she shouldn't have the children. So she was going out with friends on Friday night and getting a babysitter; she got served with change-of-custody papers for, you know, "you left the kids at home on a Friday night with an unknown person, you're not fit to be a mother." Multiply that over multiple cases over five years, a range of resources, and it's exhausting. But talking to a technical professional: here's where the leak is, let's fix it. We also ran a honeypot trap where, honestly, her person and I talked offline. We went to WebMD, pulled three random diseases, channel A, channel B, channel C. We discussed, or she discussed, having these symptoms. When we ascertained that this is the one that her ex-husband came and said "you're unfit to have the children because of this," okay, we know it's this channel that's leaked out. Let's look at where it's going. That got turned over to law enforcement, CSI. I backed out because I don't want to deal with law enforcement, and things went from there. She's got her life back, all because, again, I want to change her password. Not "victim, always change your password if you're unsure," but something like this makes a huge difference.

[00:17:37] Part two on the iPhone is fantastic in that you can be on your Mac, you have a text message, and then have it propagate through all your devices. The downside is the exact same thing happens, where you can forward your text messages to multiple devices. Again, if you're helping this person and see that their ex thinks they're Q from James Bond and all they did was enable a toggle button on his device, really, that's not hacking. But again, take your screenshot, call law enforcement, and then let them deal with it. But now you know where the leak is coming from. And again, you've got your Blue Force Tracker in your pocket. If you're sharing your location with unknown people, like Life360, something goes on and your ex knows everything. It's going... it's probably, like, 360. Apple has this by default, same for the shared family albums. Make sure those are disabled as well. You want to start mitigating the leak and controlling the access.

[00:18:30] Same thing for Android. You would go to recently used devices, see where you're logged in. And this was a fun one. Show of hands: has anyone used Google Takeout? All right, what does Google Takeout do? What do you mean by "all"?

[00:19:01] I would toss it, but liability, so: lock pick set, thank you. Use it responsibly.

[00:19:13] By everything, "all," he literally meant all. We would have throwaway accounts for the troops to use at NATO, so they would use it for two weeks in class; they'd be a week, two-week, month break, reactivate the accounts, wipe them, and then I would have them pull Google Takeout to show that here's what you did, and then two weeks ago, here's what this person did for training in two weeks before, so that if you lost control of your Google account while you're deployed, everything is out there. Which is fantastic if your person you're working with has been accused of something: you can pull down from the Google servers, authoritatively, here's everything done, which is fantastic. Conversely, if they're looking, the ex is looking for information on your person, it's still everything as well. So it's the good and the bad.

[00:20:00] Apple occasionally has this, Apple backup data, same thing, a lot more security controls, but it is the same thing. And I know that, you know, picking on my son because I'm grateful he showed up, because I don't get to teach my son very often. Uh, but it does, like there was a, we got a Wonder Woman ad, like, back in 2000...
00:20:22,919 because I pulled it for my account I got 561 00:20:22,919 --> 00:20:25,020 a Wonder Woman game ad your sister 562 00:20:25,020 --> 00:20:26,940 clicked on it so it shows here are the 563 00:20:26,940 --> 00:20:28,919 four stats and here's the ones that she 564 00:20:28,919 --> 00:20:30,840 clicked on it gets that granular for 565 00:20:30,840 --> 00:20:34,679 what data is actually stored 566 00:20:34,679 --> 00:20:37,380 and I'm looking at time I've got a lot 567 00:20:37,380 --> 00:20:38,820 of ground to cover 568 00:20:38,820 --> 00:20:40,860 he broke his iPhone in New Mexico his 569 00:20:40,860 --> 00:20:42,660 iPad in New Mexico 570 00:20:42,660 --> 00:20:45,120 I'm in Charlotte I'm downloading is old 571 00:20:45,120 --> 00:20:46,799 data because he was like eight or nine 572 00:20:46,799 --> 00:20:48,179 ten whatever 573 00:20:48,179 --> 00:20:50,220 and I could tell like whatever video 574 00:20:50,220 --> 00:20:51,840 game he was level he was trying to beat 575 00:20:51,840 --> 00:20:54,059 that granule of a full forensic backup 576 00:20:54,059 --> 00:20:55,980 was pulled down from the cloud to the 577 00:20:55,980 --> 00:20:58,500 very point where his phone broke 578 00:20:58,500 --> 00:21:00,720 and apple wasn't forthcoming with what 579 00:21:00,720 --> 00:21:02,820 they do forensically for backups and 580 00:21:02,820 --> 00:21:04,740 that's when the light bulb came on if I 581 00:21:04,740 --> 00:21:06,960 can get a full copy of this device 582 00:21:06,960 --> 00:21:09,059 remotely and apple isn't featuring this 583 00:21:09,059 --> 00:21:11,700 yet how can we use that 584 00:21:11,700 --> 00:21:13,500 at the company 585 00:21:13,500 --> 00:21:15,120 for collection because now I don't have 586 00:21:15,120 --> 00:21:16,559 to go first anyway 587 00:21:16,559 --> 00:21:18,660 the amount of data that you can use to 588 00:21:18,660 --> 00:21:20,160 protect yourself in court or the amount 589 00:21:20,160 --> 00:21:21,660 of data that can 
be used against you 590 00:21:21,660 --> 00:21:23,160 it's all the same it depends on the 591 00:21:23,160 --> 00:21:25,520 optic 592 00:21:25,620 --> 00:21:28,200 and this one same thing for Facebook 593 00:21:28,200 --> 00:21:30,000 everyone some people love their Facebook 594 00:21:30,000 --> 00:21:32,640 you go to account settings security 595 00:21:32,640 --> 00:21:34,500 active sessions see everywhere you're 596 00:21:34,500 --> 00:21:36,539 logged in there's a lot of places people 597 00:21:36,539 --> 00:21:39,179 that have logged in onto Facebook don't 598 00:21:39,179 --> 00:21:41,700 realize they're there 599 00:21:41,700 --> 00:21:45,299 in we've only got 45 minutes left I 600 00:21:45,299 --> 00:21:47,159 don't have time to touch everything but 601 00:21:47,159 --> 00:21:48,179 literally 602 00:21:48,179 --> 00:21:50,039 so many places that can be logged in 603 00:21:50,039 --> 00:21:51,600 that people can Shadow what you're doing 604 00:21:51,600 --> 00:21:53,580 unless you're doing that case in point 605 00:21:53,580 --> 00:21:55,740 Georgia Tech Hotel went to use one of 606 00:21:55,740 --> 00:21:58,380 the shared iMacs and somebody who had 607 00:21:58,380 --> 00:22:01,500 their math their PHD paper in cyber 608 00:22:01,500 --> 00:22:04,620 security remain logged into Facebook so 609 00:22:04,620 --> 00:22:06,059 yeah 610 00:22:06,059 --> 00:22:09,240 this is one of the holy of holies there 611 00:22:09,240 --> 00:22:11,460 is a ZIP file on Facebook that contains 612 00:22:11,460 --> 00:22:13,200 you can read as well as I can read it to 613 00:22:13,200 --> 00:22:15,539 you but contains records of granular 614 00:22:15,539 --> 00:22:17,640 details for all of your calls and text 615 00:22:17,640 --> 00:22:19,799 messages between you and whoever for the 616 00:22:19,799 --> 00:22:22,320 past year plus again 617 00:22:22,320 --> 00:22:24,240 if 618 00:22:24,240 --> 00:22:26,580 you're a pro athlete and someone's 619 00:22:26,580 --> 00:22:28,080 
accused you of doing something you've 620 00:22:28,080 --> 00:22:30,120 got an authority of sourcing here's the 621 00:22:30,120 --> 00:22:32,460 actual calls here's what's actually gone 622 00:22:32,460 --> 00:22:34,320 on you pull it from Facebook it's 623 00:22:34,320 --> 00:22:37,020 authoritative conversely if someone's 624 00:22:37,020 --> 00:22:38,640 looking for information to use against 625 00:22:38,640 --> 00:22:39,900 you or to say you've done something 626 00:22:39,900 --> 00:22:41,640 wrong that's also there that's why 627 00:22:41,640 --> 00:22:42,780 you've got to make sure that Facebook 628 00:22:42,780 --> 00:22:46,200 password is changing locked down 629 00:22:46,200 --> 00:22:48,299 a little bit easier here but going to an 630 00:22:48,299 --> 00:22:50,760 iMac or going to a Mac laptop if you go 631 00:22:50,760 --> 00:22:52,679 to keychain in the username and password 632 00:22:52,679 --> 00:22:54,179 if you search your laptop people should 633 00:22:54,179 --> 00:22:57,780 know it and then you go to keychain find 634 00:22:57,780 --> 00:22:59,580 the Wi-Fi password Facebook password 635 00:22:59,580 --> 00:23:01,860 Gmail doesn't matter 636 00:23:01,860 --> 00:23:03,299 and then you type in the username 637 00:23:03,299 --> 00:23:05,280 password for that laptop in clear text 638 00:23:05,280 --> 00:23:07,320 you get to see the password that that 639 00:23:07,320 --> 00:23:09,179 person thought was there protected so 640 00:23:09,179 --> 00:23:11,340 again change the password it's stored in 641 00:23:11,340 --> 00:23:13,020 so many places for your convenience 642 00:23:13,020 --> 00:23:17,059 you're not even sure where everything is 643 00:23:17,059 --> 00:23:19,320 the one percent of the cases I talked 644 00:23:19,320 --> 00:23:20,700 about earlier he had full physical 645 00:23:20,700 --> 00:23:23,400 access to her laptop he enabled sharing 646 00:23:23,400 --> 00:23:25,559 on Mac go to settings sharing users and 647 00:23:25,559 --> 
00:23:27,960 groups to look at those two 648 00:23:27,960 --> 00:23:30,780 he gave himself full remote login remote 649 00:23:30,780 --> 00:23:33,120 remote management so her battery life is 650 00:23:33,120 --> 00:23:35,640 terrible everything every copy and paste 651 00:23:35,640 --> 00:23:37,980 every logon he had a full remote SSH so 652 00:23:37,980 --> 00:23:40,919 anytime she was logged on he was able to 653 00:23:40,919 --> 00:23:44,159 Shadow everything she was doing online 654 00:23:44,159 --> 00:23:46,559 flip side is the oh it's going to 655 00:23:46,559 --> 00:23:48,419 compliment but the person 656 00:23:48,419 --> 00:23:50,340 his uh 657 00:23:50,340 --> 00:23:52,320 gpg key that he left on there to 658 00:23:52,320 --> 00:23:54,659 activate the remote hacking was actually 659 00:23:54,659 --> 00:23:56,220 under his true name on Roots so there's 660 00:23:56,220 --> 00:23:58,140 your evidence 661 00:23:58,140 --> 00:23:59,760 going further for the person you want to 662 00:23:59,760 --> 00:24:01,980 go social to the accounts and look and 663 00:24:01,980 --> 00:24:05,120 see what's running on the logon 664 00:24:05,280 --> 00:24:07,020 this one I like I was working with a 665 00:24:07,020 --> 00:24:07,820 local 666 00:24:07,820 --> 00:24:10,440 Pi a long time ago 667 00:24:10,440 --> 00:24:13,760 he gave me a USB drive 668 00:24:13,919 --> 00:24:17,400 and this is a deleted text message 669 00:24:17,400 --> 00:24:19,200 saying make sure you delete your text 670 00:24:19,200 --> 00:24:21,179 messages that the Pi had deleted from 671 00:24:21,179 --> 00:24:23,460 the USB drive that he gave to me I ran 672 00:24:23,460 --> 00:24:25,320 this Grill and he's able to recover that 673 00:24:25,320 --> 00:24:27,059 so if you're in a contentious case you 674 00:24:27,059 --> 00:24:30,179 don't want to just share it used USB you 675 00:24:30,179 --> 00:24:32,400 want to use New Media the ten dollars 676 00:24:32,400 --> 00:24:34,919 you spend at Walmart for 
clean versus I 677 00:24:34,919 --> 00:24:37,320 think it's okay it's ten dollars versus 678 00:24:37,320 --> 00:24:39,900 data security 679 00:24:39,900 --> 00:24:41,820 we talked about Facebook helped a 680 00:24:41,820 --> 00:24:43,980 neighbor move a 65-inch TV that began 681 00:24:43,980 --> 00:24:46,320 picking on my son he got a 55-inch TV 682 00:24:46,320 --> 00:24:49,260 for him and his he and his twin sister 683 00:24:49,260 --> 00:24:51,900 Christmas a few years back that was the 684 00:24:51,900 --> 00:24:53,460 second TV 685 00:24:53,460 --> 00:24:56,520 the first TV your dad put in the cart at 686 00:24:56,520 --> 00:24:58,620 Walmart and the weight of the TV kind of 687 00:24:58,620 --> 00:25:00,659 bent and you know flat screens are 688 00:25:00,659 --> 00:25:03,600 fragile be honest here yeah so that one 689 00:25:03,600 --> 00:25:06,059 got returned because a nice big crack 690 00:25:06,059 --> 00:25:07,799 down the middle 691 00:25:07,799 --> 00:25:10,320 so anyway the person's moving a 65-inch 692 00:25:10,320 --> 00:25:12,780 TV left the TV behind sold on Facebook 693 00:25:12,780 --> 00:25:14,159 Marketplace 694 00:25:14,159 --> 00:25:17,100 and the attorney told me they were still 695 00:25:17,100 --> 00:25:19,320 logged into Twitter in Facebook why 696 00:25:19,320 --> 00:25:21,659 someone needs to see Twitter on 65 inch 697 00:25:21,659 --> 00:25:23,340 TV I don't know 698 00:25:23,340 --> 00:25:25,320 but you've got to consider if it's a bad 699 00:25:25,320 --> 00:25:27,000 domestic situation you have to log out 700 00:25:27,000 --> 00:25:29,760 of all the edge devices 701 00:25:29,760 --> 00:25:31,820 something else to consider with Facebook 702 00:25:31,820 --> 00:25:34,559 there's some repositories on GitHub also 703 00:25:34,559 --> 00:25:36,960 on oscent framework.com 704 00:25:36,960 --> 00:25:38,760 you can take the aggregate of Facebook 705 00:25:38,760 --> 00:25:42,059 IG Instagram Twitter and look and see 706 00:25:42,059 --> 
00:25:43,799 when someone's working when they're 707 00:25:43,799 --> 00:25:45,179 sleeping when they're prevently posting 708 00:25:45,179 --> 00:25:48,960 if they're posting after 5 30 P.M Monday 709 00:25:48,960 --> 00:25:51,179 through Friday and they're silent from 710 00:25:51,179 --> 00:25:53,700 eight to five are they working in a 711 00:25:53,700 --> 00:25:54,720 skiff 712 00:25:54,720 --> 00:25:57,000 or on the other side for the 713 00:25:57,000 --> 00:25:58,740 counterterrorism side you can see okay 714 00:25:58,740 --> 00:26:00,480 this person's betting down on these 715 00:26:00,480 --> 00:26:02,760 hours were they sleeping or if you're a 716 00:26:02,760 --> 00:26:04,080 little bit unscrupulous you can say okay 717 00:26:04,080 --> 00:26:05,880 Tom Brady didn't sleep well last night 718 00:26:05,880 --> 00:26:07,860 I'm going a bit on the Green Bay Packers 719 00:26:07,860 --> 00:26:09,299 instead of the Bucks because based on 720 00:26:09,299 --> 00:26:11,400 the Sleep Cycle would never do that she 721 00:26:11,400 --> 00:26:13,140 was a little scuzzy to me but that's 722 00:26:13,140 --> 00:26:15,299 still there that's implied data from 723 00:26:15,299 --> 00:26:18,120 Facebook that's already out there 724 00:26:18,120 --> 00:26:19,860 we talked about family and friends data 725 00:26:19,860 --> 00:26:21,120 leaking 726 00:26:21,120 --> 00:26:22,740 see a lot of this actually in the 727 00:26:22,740 --> 00:26:25,200 military and some in the IC of hey Mom's 728 00:26:25,200 --> 00:26:26,760 going here don't tell anyone Dad's going 729 00:26:26,760 --> 00:26:28,200 here well if you post it on Facebook of 730 00:26:28,200 --> 00:26:30,720 don't tell anyone dude it's online 731 00:26:30,720 --> 00:26:32,279 so if you're saying you know my 732 00:26:32,279 --> 00:26:34,500 daughter's under this issue but she's 733 00:26:34,500 --> 00:26:36,419 going out tonight with her friends down 734 00:26:36,419 --> 00:26:37,799 to 735 00:26:37,799 --> 00:26:40,440 
Frontier in Stockbridge well right there 736 00:26:40,440 --> 00:26:42,900 now the Hostile Target knows they're 737 00:26:42,900 --> 00:26:44,039 going there they don't have to hack 738 00:26:44,039 --> 00:26:45,480 anything because someone else shared the 739 00:26:45,480 --> 00:26:48,000 data for you 740 00:26:48,000 --> 00:26:49,620 something else just like onboarding 741 00:26:49,620 --> 00:26:51,840 off-boarding at corporations if they've 742 00:26:51,840 --> 00:26:53,820 had access to the ring doorbell 743 00:26:53,820 --> 00:26:55,740 has anyone worked with a ring doorbell 744 00:26:55,740 --> 00:26:58,220 data 745 00:26:58,320 --> 00:27:01,340 anyone set one up 746 00:27:01,500 --> 00:27:03,059 nobody in the audience has a ring 747 00:27:03,059 --> 00:27:04,020 doorbell 748 00:27:04,020 --> 00:27:06,419 one person 749 00:27:06,419 --> 00:27:07,980 what's that 750 00:27:07,980 --> 00:27:10,919 right the camera quality is amazing the 751 00:27:10,919 --> 00:27:12,900 audio quality is even better like it's 752 00:27:12,900 --> 00:27:14,580 Crystal Clear there's an accident near 753 00:27:14,580 --> 00:27:16,440 the house two in the morning police had 754 00:27:16,440 --> 00:27:18,659 me pull the data from the camera 755 00:27:18,659 --> 00:27:21,179 and I don't have one at home I just 756 00:27:21,179 --> 00:27:22,620 don't 757 00:27:22,620 --> 00:27:25,020 it was superb it wasn't like the bank 758 00:27:25,020 --> 00:27:28,200 videos where it's all blurry it was 759 00:27:28,200 --> 00:27:30,299 like movie quality 760 00:27:30,299 --> 00:27:33,539 so you've got uh 4K video quality and 761 00:27:33,539 --> 00:27:34,919 all you have to do is add someone to the 762 00:27:34,919 --> 00:27:37,020 access control list but do you remember 763 00:27:37,020 --> 00:27:38,820 to take them off because now they've got 764 00:27:38,820 --> 00:27:41,159 someone new coming into your house they 765 00:27:41,159 --> 00:27:42,720 can hear the conversations to and from 766 
00:27:42,720 --> 00:27:43,799 the porch 767 00:27:43,799 --> 00:27:46,799 add that into the Alexa date model or 768 00:27:46,799 --> 00:27:48,600 they can go back if they have access to 769 00:27:48,600 --> 00:27:50,760 your Amazon account and they can go back 770 00:27:50,760 --> 00:27:52,620 in here every conversation you've had 771 00:27:52,620 --> 00:27:54,720 every Alexa hey Alexa sorry if I 772 00:27:54,720 --> 00:27:56,340 triggered anything 773 00:27:56,340 --> 00:27:58,740 you can also used to be a terrible CSI 774 00:27:58,740 --> 00:28:01,260 cyber episode you know Swift on security 775 00:28:01,260 --> 00:28:03,120 is making fun on Twitter way back in the 776 00:28:03,120 --> 00:28:05,700 day but you can actually disable the 777 00:28:05,700 --> 00:28:07,860 smoke alarm burglar alarm 778 00:28:07,860 --> 00:28:10,320 so if the Hostile other person can have 779 00:28:10,320 --> 00:28:12,539 access to disable this just through your 780 00:28:12,539 --> 00:28:14,220 Amazon Alexa account 781 00:28:14,220 --> 00:28:16,380 that's a bad thing 782 00:28:16,380 --> 00:28:18,659 so you need to disable that change your 783 00:28:18,659 --> 00:28:20,940 password same thing because as a fraud 784 00:28:20,940 --> 00:28:22,799 examiner you have implied trust implied 785 00:28:22,799 --> 00:28:25,020 approval that if even though you've 786 00:28:25,020 --> 00:28:26,400 split and they still have access on 787 00:28:26,400 --> 00:28:29,039 Alexa to on Amazon to your credit cards 788 00:28:29,039 --> 00:28:32,059 and they rack it up 789 00:28:32,640 --> 00:28:34,260 you've still left them there you didn't 790 00:28:34,260 --> 00:28:35,700 remove them that means you're still 791 00:28:35,700 --> 00:28:37,260 responsible for the your person's 792 00:28:37,260 --> 00:28:39,240 responsible for it again changing that 793 00:28:39,240 --> 00:28:41,760 just like off-boarding at work you have 794 00:28:41,760 --> 00:28:43,140 to off-board someone from all of your 795 
00:28:43,140 --> 00:28:44,460 digital media 796 00:28:44,460 --> 00:28:47,039 same for the printers so they're leaving 797 00:28:47,039 --> 00:28:48,659 I would say take the printer with them 798 00:28:48,659 --> 00:28:50,039 printers are relatively cheap and 799 00:28:50,039 --> 00:28:51,720 there's a point to this 800 00:28:51,720 --> 00:28:54,720 sorry 801 00:28:56,580 --> 00:29:00,179 one of the classrooms over in Belgium 802 00:29:00,179 --> 00:29:02,580 to demonstrate that the metadata that's 803 00:29:02,580 --> 00:29:04,919 left behind we just walk over hit print 804 00:29:04,919 --> 00:29:06,419 list and you can see the travel 805 00:29:06,419 --> 00:29:08,880 itineraries of the soldiers is the 806 00:29:08,880 --> 00:29:10,860 headers and you could go back and show 807 00:29:10,860 --> 00:29:12,419 and piece together based on the travel 808 00:29:12,419 --> 00:29:14,640 itinerary this group is going here that 809 00:29:14,640 --> 00:29:16,440 group is going there just based on the 810 00:29:16,440 --> 00:29:18,360 file names printed 811 00:29:18,360 --> 00:29:20,820 so again there I was in a skiff for a 812 00:29:20,820 --> 00:29:22,260 partner country 813 00:29:22,260 --> 00:29:25,620 not I don't have access for National I 814 00:29:25,620 --> 00:29:27,179 just walk over did the same thing and lo 815 00:29:27,179 --> 00:29:29,580 and behold it prints every single 816 00:29:29,580 --> 00:29:31,320 document 817 00:29:31,320 --> 00:29:33,000 ever print on that print until it ran 818 00:29:33,000 --> 00:29:35,760 out of paper I looked at that like I'm 819 00:29:35,760 --> 00:29:37,140 not touching that I went and got the 820 00:29:37,140 --> 00:29:39,120 warrant officer to look I was doing this 821 00:29:39,120 --> 00:29:41,159 as part of the class there's all y'all's 822 00:29:41,159 --> 00:29:43,200 classified data about 500 pages I'm not 823 00:29:43,200 --> 00:29:45,000 touching it 824 00:29:45,000 --> 00:29:48,059 and that was something they fixed but 
in 825 00:29:48,059 --> 00:29:50,700 this world with the 826 00:29:50,700 --> 00:29:52,799 potentially hostile abuser if they have 827 00:29:52,799 --> 00:29:54,480 the ability to just reprint every file 828 00:29:54,480 --> 00:29:56,279 as a feature of the printer that's 829 00:29:56,279 --> 00:29:57,600 something that's also got to be 830 00:29:57,600 --> 00:29:59,220 considered 831 00:29:59,220 --> 00:30:01,260 on an Apple if you've left it behind if 832 00:30:01,260 --> 00:30:03,419 they've left it behind you go a little 833 00:30:03,419 --> 00:30:06,860 bit more you go into uh 834 00:30:07,559 --> 00:30:12,120 oh you go to terminal far spool cups and 835 00:30:12,120 --> 00:30:13,080 then 836 00:30:13,080 --> 00:30:14,760 you get a list of every file ever 837 00:30:14,760 --> 00:30:16,860 printed the ones that start with C you 838 00:30:16,860 --> 00:30:18,299 get the metadata 839 00:30:18,299 --> 00:30:20,820 the ones that start with D the ones is 840 00:30:20,820 --> 00:30:23,220 ends in zero zero one that's an actual 841 00:30:23,220 --> 00:30:24,419 PDF 842 00:30:24,419 --> 00:30:26,640 so you can move copy that PDF to the 843 00:30:26,640 --> 00:30:27,840 desktop and see the image of what's 844 00:30:27,840 --> 00:30:29,159 printed 845 00:30:29,159 --> 00:30:31,620 so this a simple strings command on that 846 00:30:31,620 --> 00:30:33,659 in terminal you can see it that one 847 00:30:33,659 --> 00:30:36,600 random one for this example it was a 848 00:30:36,600 --> 00:30:39,059 World Market coupon printed off big deal 849 00:30:39,059 --> 00:30:41,220 but you get the example that there's 850 00:30:41,220 --> 00:30:42,840 your proof of concept if you want to see 851 00:30:42,840 --> 00:30:44,039 everything ever done on that printer 852 00:30:44,039 --> 00:30:46,020 that could be done on the Mac something 853 00:30:46,020 --> 00:30:47,760 else to consider what you leave behind 854 00:30:47,760 --> 00:30:50,840 or that person leave behind 855 00:30:52,440 --> 
00:30:56,159 this is a creepy one email mail and PDF 856 00:30:56,159 --> 00:30:58,679 social media tracking 857 00:30:58,679 --> 00:31:00,179 superhuman 858 00:31:00,179 --> 00:31:03,360 it's a marketing tool I yeah 859 00:31:03,360 --> 00:31:05,880 it's going to let you see every time the 860 00:31:05,880 --> 00:31:08,520 user has opened the email where they 861 00:31:08,520 --> 00:31:09,840 open the email in the geographic 862 00:31:09,840 --> 00:31:11,520 location where they opened it that's the 863 00:31:11,520 --> 00:31:13,080 service they offer for money 864 00:31:13,080 --> 00:31:15,299 that's cool 865 00:31:15,299 --> 00:31:17,279 so when you get the emails from vendors 866 00:31:17,279 --> 00:31:19,500 that say Hey we've seen you open this 867 00:31:19,500 --> 00:31:21,480 email four times are you interested in 868 00:31:21,480 --> 00:31:23,220 our product that's what they're using 869 00:31:23,220 --> 00:31:24,779 the way you block this is blocking the 870 00:31:24,779 --> 00:31:28,080 tracking pixel through a VPN 871 00:31:28,080 --> 00:31:30,059 Gmail is now also out of this so if 872 00:31:30,059 --> 00:31:31,320 you're in sales 873 00:31:31,320 --> 00:31:32,700 personally think it's a little bit 874 00:31:32,700 --> 00:31:34,440 creepy 875 00:31:34,440 --> 00:31:36,360 and even better now you've got PDF 876 00:31:36,360 --> 00:31:38,039 tracking again for sales where they can 877 00:31:38,039 --> 00:31:40,500 see what pages you open on the PDF how 878 00:31:40,500 --> 00:31:42,360 long it's been open what pages you 879 00:31:42,360 --> 00:31:44,039 skipped what you read and how long you 880 00:31:44,039 --> 00:31:46,080 read it so you combine the two if you're 881 00:31:46,080 --> 00:31:47,880 thinking of uh business acquisition 882 00:31:47,880 --> 00:31:50,100 whether you're thinking 883 00:31:50,100 --> 00:31:53,100 a contentious divorce child custody case 884 00:31:53,100 --> 00:31:55,919 and you can know how long they took to 885 00:31:55,919 
--> 00:31:57,480 read that document 886 00:31:57,480 --> 00:32:00,240 and when they opened it you're going to 887 00:32:00,240 --> 00:32:02,340 have an Insight which again I believe is 888 00:32:02,340 --> 00:32:04,020 Thoroughly unethical 889 00:32:04,020 --> 00:32:06,360 there is an easy risk mitigation for 890 00:32:06,360 --> 00:32:07,860 this 891 00:32:07,860 --> 00:32:09,600 printed 892 00:32:09,600 --> 00:32:11,580 done because if you print it they're not 893 00:32:11,580 --> 00:32:13,260 going to be able to track you 894 00:32:13,260 --> 00:32:15,779 we found one way to identify the beacon 895 00:32:15,779 --> 00:32:17,399 haven't been able to identify this yet 896 00:32:17,399 --> 00:32:19,919 on a Windows box 897 00:32:19,919 --> 00:32:22,860 so open Terminal type in mdls metadata 898 00:32:22,860 --> 00:32:24,659 list 899 00:32:24,659 --> 00:32:26,880 drag and drop that hit enter and you're 900 00:32:26,880 --> 00:32:28,559 going to see that B can pop out there 901 00:32:28,559 --> 00:32:29,640 most 902 00:32:29,640 --> 00:32:31,799 PDFs most files won't have that 903 00:32:31,799 --> 00:32:34,080 extension pulling down the beacon to let 904 00:32:34,080 --> 00:32:36,419 them know how long you've read it 905 00:32:36,419 --> 00:32:38,460 and if this is a classroom or we had 906 00:32:38,460 --> 00:32:41,299 more time I'd have you all open your Mac 907 00:32:41,299 --> 00:32:44,100 mdls take something from iMessage and 908 00:32:44,100 --> 00:32:45,720 view the file metadata 909 00:32:45,720 --> 00:32:47,279 and then see where the file came from 910 00:32:47,279 --> 00:32:48,960 who composed it how long it took them to 911 00:32:48,960 --> 00:32:51,179 compose it whether it was phone number 912 00:32:51,179 --> 00:32:53,220 whether it was email address and 913 00:32:53,220 --> 00:32:55,140 actually see the metadata short story a 914 00:32:55,140 --> 00:32:56,940 friend sent me a photo he said hey I'm 915 00:32:56,940 --> 00:32:58,500 interested this girl 
keeps talking to me 916 00:32:58,500 --> 00:33:00,600 online something doesn't feel right 917 00:33:00,600 --> 00:33:03,240 same mdls and the photo is actually from 918 00:33:03,240 --> 00:33:05,880 a model website he has been catfished he 919 00:33:05,880 --> 00:33:08,700 cut contacts saved his time 920 00:33:08,700 --> 00:33:10,860 but the example is still there whether 921 00:33:10,860 --> 00:33:12,059 it's 922 00:33:12,059 --> 00:33:13,500 flip side if you're sending that out 923 00:33:13,500 --> 00:33:16,080 with your GPS enabled now the abuser can 924 00:33:16,080 --> 00:33:17,880 see your new location for your house so 925 00:33:17,880 --> 00:33:20,159 that's something you consider 926 00:33:20,159 --> 00:33:22,200 we've actually got real packet 927 00:33:22,200 --> 00:33:24,419 interception from man in the middle 928 00:33:24,419 --> 00:33:27,899 anyone heard of this informed delivery 929 00:33:27,899 --> 00:33:29,460 by the post office 930 00:33:29,460 --> 00:33:33,120 anyone used it okay 931 00:33:33,120 --> 00:33:34,980 no problem right 932 00:33:34,980 --> 00:33:37,679 only two ways to know that if what you 933 00:33:37,679 --> 00:33:39,720 get I won't get ahead of myself you get 934 00:33:39,720 --> 00:33:42,779 a PDF for jpeg of the incoming mail 935 00:33:42,779 --> 00:33:44,940 so if someone has signed you up for it 936 00:33:44,940 --> 00:33:46,380 they can see if you have a check 937 00:33:46,380 --> 00:33:48,539 something important coming they can take 938 00:33:48,539 --> 00:33:49,980 that document out of the Sacramento 939 00:33:49,980 --> 00:33:51,059 you've got the rest of the mail and a 940 00:33:51,059 --> 00:33:52,380 Bed Bath and Beyond coupon that never 941 00:33:52,380 --> 00:33:55,140 expires you've got that but you don't 942 00:33:55,140 --> 00:33:56,580 know the key check from the government's 943 00:33:56,580 --> 00:33:58,200 coming 944 00:33:58,200 --> 00:34:00,000 the two steps I went to the Postmaster 945 00:34:00,000 --> 
[00:34:01] ...General. It's not that big of a deal. I went to the Postmaster General in Fort Mill, South Carolina. I was in line, just curious. The only two ways to identify this risk is to ask in person in the post office if it's been enabled for your account, or to try to sign up for it yourself and it would tell you it's already been signed up. Fantastic if you're TDY, PCS overseas and want to know what's coming at home while you're deployed, but for the domestic abuse this is another vector where you have true packet interception.

[00:34:25] Another case where we've seen is the iCalendar. If you forget to remove someone from shared iCalendars, you're going to see what's going on, as well as your travel schedule, so that can definitely disrupt you.

[00:34:41] The same for your social media account. You go to tnfolique.com and you can see the person's using iPhone, which would give you the vector to say "hey, this is iMessage, click here to verify your account." So something else to consider: do you really need to be on social media when you're in a contentious event?

[00:34:58] You can spoof your GPS location. I actually was in the back of the classroom at NATO, I was posting from Dar es Salaam, Mogadishu and Iran. That was just to show some things on your recon are accurate, some things aren't, so don't believe everything you see online. The grugq says use Signal, use Tor. I say assume everything is compromised until you've reset it. From the new Star Wars series: never carry anything you don't control. If you've not got this locked down and secure, if your person thinks they're being stalked, use personal meetings, just like old-style Russia House tradecraft, bricks and sticks, personal meetings. Leave your electronics somewhere routine, secure. If you go to Planet Fitness, leave your phone there, walk next door to the coffee shop, have your meeting with your family, with your attorney, whoever. It's going to beacon out that you're still at Planet Fitness when you're actually having a meeting. You'll have the chance to arrange non-verbal paroles. In my case it would be posting a picture of yourself wearing a rival team's shirt, so if you ever saw me online with a Georgia Bulldog shirt, send Lawyers, Guns and Money, it's gone bad. People would know I've never done that.

[00:36:08] Very quickly, iPhone monitoring. The biggest one we've seen at Safe Escape is mSpy. If A has B's username and password, they give it to mSpy. Here's a lot of ifs: you have to sync up, connected to Wi-Fi while powered in. mSpy connects your entire device to the cloud, gives a report. That's what you've done. That's not hacking, that's just having your password. The more malicious one is the Android, where you can create a custom phishing link, the target clicks on it and then mSpy begins hoovering the data down. Again, change your password, reset your device. We've seen it working over at WhatsApp where a fuzzy picture of puppies was sent, the target clicks on the picture and it loads malware. That's a more esoteric case, but it is out there. Change your username, change your password.

[00:36:57] One thing for trapping your device: a program called Sleep Cycle. Put it on your mattress and you can see how well you sleep. That's cool, but that would also tell you at 4 a.m. my phone's been picked up and tampered with and put back down. That's four ninety-five, I think, for the pro. But now Apple has your battery health; it's a cycle that cannot be reset unless you reset the whole phone. So if at 2 a.m. Snapchat, Twitter and Facebook are open when you've been sound asleep, that's going to let you know something's going on with your phone, your person is compromised, and you're not spending any money, or millions of dollars on the government program for camper awareness. I just made that up. Oh, it would be over here, I'm sorry. Right there you can see the date and the time under battery: 12 p.m., 3, 8 p.m., 6 a.m., and you'll see what apps are open at what time when you click on the time. So if your mom wants to make sure you're not on Snapchat with your friends at three in the morning, then that would work. Conversely, that's... everyone's looking at the 16-year-old in the audience. But that's a way to know that your person's going through the phone, thank you, or someone's tampered with your phone, or you leave your bag in the hotel room while you're overseas and this would let you know your phone has been moved and tampered with while you're away, which might mean either the maid was curious or there's someone looking through stuff.

[00:38:30] One trick, we... not trick. On a Mac, if you hit Command-R, if you think your phone, your laptop, is compromised, Command-R gives you a startup option to boot from a protected environment: no keyloggers, no VPNs, no Grammarly, just the absolute value of a clean OS. And then, ironically, you go to get help online where you can access email that people wouldn't have access to because of trackers on your phone or, excuse me, on your laptop.

[00:38:59] So someone comes to you and says they found a device, they think they're being tracked. We're getting more into the NSA, the SP Total Access style tracking that civilians have access to now. The fun thing is the devices that before took painful and hard cable coordination between the field and headquarters to get access to the device, these are now things you can order off of Amazon. So here's a power charger, not my video. Put the SD card in, plug it in, put the faceplate back over it, you've got audio, video. Downside is someone's going to have to watch the video, process the take, and listen to it, and that's a lot of free time, and no one's ever said "oh, they stalked me, so I went back to..." Like, it doesn't gain you anything. It's terrible. As for a nanny cam, possibly, but in a domestic situation that's a hard no.

[00:39:57] The limitations of electronic surveillance devices: if you have continuous collection, you're going to need AC power, and if you have a continuous collection with AC power, that means your storage is going to be either limited to the device, which means someone has to physically come and collect it, or it's going to connect to Wi-Fi, going back to the router we saw at the beginning of the talk. So if it's got limited collection, limited power, they're going to have to service it: change the batteries, change the SD card.

[00:40:27] Again, photos from Amazon. This alarm clock is Wi-Fi enabled, has a 1080p camera and audio collection. So if there's a string situation your person's come to you about and you see this is plugged in, that's a pretty big clue there's a surveillance device. I would leave the house, call the police, let them deal with it, because again that's a major felony. That's not something you would want to deal with. Just point the police out, let them deal with it. The other devices are more... the Amazon Blink camera, just to drop in the living room, it's pretty obvious what it is, but you could still change the housing, make it a surveillance device. That would still have to go back through the Wi-Fi connection. The device, if you don't recognize it on the router log, there it is.

[00:41:12] That is a 128 gig USB drive. You flip the switch up, it's continual recording; you flip it down, it's burst recording only when it hears something. The battery is good for about a week. Downside is processing the take. Does anybody want to sit through 120 hours of audio? No hands, no takers. For one thing, if it's a collection of a foreign adversary, of "you know, troops are moving here, here's our nuclear secrets," that's one thing, you may be able to run that through classified AI. But the inflection given for a domestic case, "oh, that'll never happen" versus "oh, that'll never happen," AI is going to miss that, so somebody had to physically process that. So even though it's there, you've got to think: does the adversary have time to truly process the take?

[00:42:03] That's a 720p camera built into an air freshener. Limitations are storage and battery, meaning someone's going to have to come back into the residence and change those out. Anybody guess what's coming next? What's that? No, not AirTag, no, no. Yeah. Because when the kids go from parent A to parent B's house and they take their favorite teddy bear. We had one where the teddy bear's behind mom and the teddy bear's shoulder surfing usernames and passwords because it has SD card, camera and batteries, which every teddy bear needs right now. Again, that's completely legal, it's a nanny cam, sure. If you want to have it in the newborn's bedroom watching to make sure they're sleeping, just get a regular camera. They're babies, you don't have to go through James Bond level just to watch your kids.

[00:43:01] The next one is good for the right environment but it's terrible for collection as a domestic, so something else to consider: the Apple AirPods paired with the hearing aid feature on your phone. You can leave your phone in a room, put the AirPods in and then listen to the conversation around the phone even though you're upstairs. Completely unethical, and I really don't want to know what someone's saying about me if I'm out of the room. I'm just not emotionally strong enough to hear, like, the person I truly love is running me down. I'm not good with that. Like, yeah, whatever, my cooking's terrible, but I will say it's good, it's fine. The same thing for the Bose headphones. We had somebody reverse engineer these so they could actually serve as a microphone, because you have the active listening microphone. Again, esoteric case, but the one person did that. Again, dude, if you're going that far to watch what your person's doing, it's over, move on. Tinder's free, Hinge is free, I don't know what you kids date on, if it's Clemson sheep, eHarmony, I don't know, but just like, no. It's impressive, but don't go that far. Same thing if you're on the phone, you've got one AirPod and someone else is listening on the second AirPod and you don't know. Probably a little bit over the line. Something else to consider.

[00:44:15] Amazon offers tracking devices. It goes into a Pelican, little bitty Pelican case, under the car. Looks like an old 2G antenna, or you can track your spouse or person or whoever. You have to have physical access to change the battery. And this is... I lied, that's not from a beacon, that's a GP... that's an image of an iPhone that I scraped the geolocation from, a location, I think it was Twitter, but that's actually GPS stored from Twitter. So your devices are always speaking if you have GPS enabled. Plus that's a cool KML file I just want to show off. But you have to watch what your Blue Force Tracker... these things will give away your data if you don't control it. There is a Strava issue where classified locations overseas were beaconed out by Strava Fitbits. If you're concerned, your person's concerned about being stalked, don't wear one. Problem solved, easy. Like, don't wear the beacon if you think you're being followed by your beacon.

[00:45:14] All right, right, it's too much. It's a nice thick Chicago deep dish pizza, right? No, because, face... Domino's stores two years of your history of where you've ordered pizza delivered. So if you get pizza every Thursday night, you go to a new place to get away from the abusive ex and you don't change this password, now your ex knows you get pizza every Tuesday night, and you haven't cleared this, you've just given your location away. "I wouldn't do that, I go to the gym, I'm a gym rat." Well, Planet Fitness also tracks all of your logins. So you've got to go for the low-hanging fruit, because if you don't change all of the passwords and the person's wondering how they're being tracked, the myriad of ways that it's out there that you're unaware of, you've got to consider the whole picture. Because most stalkerware isn't magic. Agatha all along: Apple, Google, Amazon, telecommunications and home access. Got to change the usernames and passwords.

[00:46:08] One of the issues transitioning from the control of the environment to identity theft. We see this a lot. IdentityTheft.gov, it's one of the few government websites that's actually well done, well read and efficient. The fraud triangle: you have "I'm going to divorce this person, I've done so much for them, they haven't given me my fair share, I'm going to lose half, three quarters of my income." I've got pressure, rationalization, opportunity: "I have access to all the documents." And as a certified fraud examiner, that's the triangle they teach us of the conditions for someone that steals, financial issues. Add in the SpoofCard app, where if you know the SunTrust phone number is 404-230-5555, it's going to show up on your phone as SunTrust. You can spoof that call where it beacons out as SunTrust, as Planet Fitness, as Bank of America, whoever, and you've got the implied trust because it looks accurate. Your person has to be aware that this would be a vector of identity theft and they have to watch what they're saying. So you go to IdentityTheft.gov, click on the link, start the case, you get a case number. If you go to the police, they're going to send you here as well, and that gives you a case number where you can start to stop, start to stop, is that right, the fraud that's going on. Again, it's either by... either there's identity theft and fraud or there's not. Pretty simple to deal with: if it is, reported; if it's not, cool, move on from there.

[00:47:34] Last bit: data availability. We would say in the CIA, if it ain't in cable traffic, it ain't. But if it's not documented, it doesn't happen. When you're going through all of this and you're looking at the files and helping this person get out from what's going on, this is from Disk Drill. Good luck remembering which file is which. You've got to document the source, trust me. No, don't want to do that again. Find an interesting file, "I'll go back to it," and take notes when it's happening. Make copies, share it out, because you don't want to duplicate work. Create that timeline. You've got to document things with authorities as they happen. And the other, not to be all mushy, but you've got to be available, because if this person's come to you for help and they call and say "hey, I'm going through a rough time, let's meet at Your Pie and get pizza tonight," yeah, they're going through a lot, you've got spare time, why not be a decent person.

[00:48:31] The old PACE plan for the data you found, the screenshots, everything else: you've got a primary copy, an alternate copy, the contingency copy and emergency. So you've got the primary that might go in a safe deposit box, the alternate copy and contingency might be the two you're working on, and the emergency might be stored with your friends over in Ouagadougou, I don't know. But that way you've got geographic disbursement of this sole source of data. That way when they have to go before the judge, go before attorneys and say this is what's happened, you've got redundant backups, because you don't have AWS to bill you for what's going on.

[00:49:10] A couple of things as we're wrapping up here, the end game for this. As your person's escaping: when we would close out a sensitive or a human asset, and even though they might be fantastic, they might be terrible, you don't tell them that, you don't build resentment. It's "hey, you provided a lot of good information, you've helped us achieve our gains that we had mutually together, you wanted to help stop this regime's oppression of this group, we've achieved that, your data went to the president, he took action on it, and you know, here's... we'll take that old laptop back, let's copy your data out, let's give you a new laptop and here's an extra bonus for your time, thank you so much." You've effectively terminated the relationship. You've got your stuff back, they've got cash, they've got a new laptop, their ego's been stroked, they're happy. And in this world it's "I want my own cell phone plan, I don't want them to know who I call, I don't want them to know what's going on." But if you say that, it's an adversarial issue. "Hey, I've got a great new cell phone plan through work, I've signed up for it, I know money's tight right now and that's going to help save us some money." It looks like you're doing a benefit, but what you've actually done is taken your data off of their plan so they don't get the insight, the metadata for everything you're doing or they're doing. Same outcome, versus "I don't want you to see who I'm calling," well, that's a red flag, versus being a little more persuasive about it.

[00:50:40] So there's this movie called Star Wars, it's about this domestic conflict. There's these two androids, one had strong encryption, strong authentication, and the other had weak encryption and was wiped as if the data had just been deleted. You run Disk Drill, you run an undeletion, oh wow, Anakin's actually gone bad. Star Wars is over in about 20 minutes with the right forensic technician, right? Same thing to keep in mind: unless you're sure that it's truly locked down, maybe get a new device, maybe get a new USB drive, maybe get a new laptop, just to make sure.

[00:51:18] Bring it forward a little bit: unauthorized devices on a network. I hate to say it, that's a good movie about dating it. When Thanos saw that Nebula showed up, he had an unauthorized device on his network. He performed live memory forensics, did an extraction of her memory, did a takeout analysis of her location, chat and images to find out what the opposition was doing, which is pretty fantastic for, literally, a blue team operator working kind of with the SOC, maybe. But that remains... conversely, the Avengers didn't know that one of their devices had fallen in the adversary's hands and everything that they thought was confidential and secure had been leaked out. So you want to make sure your device is not being cloned to somewhere else.

[00:52:02] A couple of things we've had to remind folks at Safe Escape: nobody has unlimited resources. Today's October 1st, start of the fiscal year for the government. Anybody who yesterday was scrambling because they're out of budget now has a flush new budget for the next 12 months, regardless, unless you're the Fed Reserve. But most people don't have an Elizabeth of resources. Occam's razor, anybody want to guess for that? All right, simplest answer is the best. And who will process the collection? Just because someone says it's possible, "oh, they're listening to all my phone calls all the time," how? Let's talk about it, let's get to the why. Do you think that's happening? Because "oh, there, everyone's following," okay. Whereas gang stalking may be a thing, having a full-blown surveillance team watching you 24/7/365 is an amazing amount of resources in gasoline. I drive a Jeep, gas is not cheap, and I'm not going to just drive around 24/7 to follow somebody for why, for no money, what? That's not going to happen.

[00:53:07] So the short version of all this, of 102 slides: change your passwords. If your person thinks something's going on, on a clean machine change the password, change your locks, report the events as they happen to law enforcement, document everything, because if you don't document it, it didn't happen. That's my Twitter handle, my email. If you go to mail.com there's 200 different domains. If you're looking for work, rather than having AOL, Gmail or whatever else, you can go to engineer.com, consultant.com just to help you stand out, and it's free. But that's it, and remember, it's probably not hacking, it's probably Agatha all along, it's probably Amazon, Google, Facebook, it's probably access to one of those. So with the next, last minute left, any questions? Yes sir.

[00:53:59] That's slick.

So, get to the first time: you spoke at the beginning about volunteers, yes. Three links to those, those three links, and... Second question was, when you're talking about leaving devices in certain locations when you're doing, you know, meeting with lawyers and stuff like that, thanks, pouches, are those valid devices that can be used for stuff like that?

[00:54:38] Well, one of the two links, geez, I feel like Jen Psaki, we'll circle back. First, it's go ask rose.com, safeascape.org, and then to get help as a volunteer or as an incoming client it's help at safeascape.org. Second, the Faraday bag: one, it will drain your battery; two, then you're going to disappear from the network, so you've got a gray spot where you're not truly there. So pick your poison. Do you want to either trust the device is going to be secure or leave it somewhere in pattern, say if you work at one of the secure sites, you leave it in a locker or whatever people might do there, and take your car, drive somewhere else. So pick your poison, but
