
Information Security Topics for PI’s

Explore information security techniques relevant to private investigators, including GPS location spoofing, EXIF data, IP tracking, and mail header analysis.


Presentation Transcript


  1. Information Security Topics for PI’s
     Michigan Council of Private Investigators
     1/4/2020
     Mark Lachniet, mark.lachniet@cdw.com (517-242-4874)

  2. Trivia Question
     What 19th century writer is credited with having invented the detective fiction genre?

  3. Trivia Question
     Edgar Allan Poe: the “Dupin” novels
     The first popular model of a logic-based detective: C. Auguste Dupin
     "The Murders in the Rue Morgue" (1841)
     Poe found dead, October 7th 1849 (167 years + days ago)

  4. Disclaimer
     • I will be discussing techniques that could be misused
     • Make sure you know the law
     • Consult a lawyer
     • Opinions expressed are my own, not those of my employer
     • Be particularly aware of wiretap and intrusion laws
     | Security solutions

  5. About The Speaker
     • Information Security Solutions Manager, CDW (previously Security Engineer)
       • Penetration testing
       • Incident response & forensics
       • Regulatory compliance
     • Past employment:
       • K-12 Technology Director (Holt Schools)
       • Instructor, Masters in Information Assurance, Walsh College
       • Consulting at Analysts International, Promethean Security
     • Industry certifications:
       • Certified Information Systems Security Professional (CISSP)
       • Certified Information Systems Auditor (CISA)
     • Licensed Private Investigator #3701-205679 (Michigan)

  6. About The Speaker
     • Several terms on the board of the Michigan chapter of the High Technology Crime Investigation Association
       • Meets quarterly, usually in Troy
       • Composed of law enforcement and private industry
       • Focuses on:
         • Computer crime investigation
         • Forensics
         • Incident response
       • See http://www.htcia.org

  7. About The Speaker
     • M.S.U. English Major™

  8. Agenda
     • Discuss areas of information security that might be of interest to private investigators
       • GPS location spoofing
       • Fun with picture EXIF data
       • Tracking IP addresses
       • Reading mail headers
       • “Stump the Chump”

  9. EXIF Location Data in Photos
     • Depending on how a smartphone is configured, it may embed extra information into pictures taken on it
     • Most notably, it may include GPS coordinates for the place at which the picture was taken
     • Thus it may be possible to place a phone (and possibly a person) at a specific place
     • GPS is not always turned on
     • EXIF data can be spoofed
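As an added example (not from the slides), the following standard-library Python builds a tiny JPEG whose Exif block carries constructed GPS tags and parses it back into decimal degrees; the sample coordinates are constructed to sit near Hell, MI, the place the GPS-spoofing slides mention. The tags are ordinary bytes in the file, so whoever writes them (the phone, or any editing tool) decides the location a reader like this reports.

```python
import struct

# Constructed sample: minimal JPEG whose Exif segment holds only a GPS IFD (not a real photo).
def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    def rationals(dms):  # EXIF stores degrees, minutes, seconds as three RATIONAL (num, den)
        return struct.pack("<6I", dms[0], 1, dms[1], 1, int(round(dms[2] * 100)), 100)
    def entry(tag, typ, count, value):  # one 12-byte IFD entry, little-endian
        return struct.pack("<HHI", tag, typ, count) + value
    ifd0 = struct.pack("<H", 1) + entry(0x8825, 4, 1, struct.pack("<I", 26)) + b"\0\0\0\0"
    gps = (struct.pack("<H", 4)
           + entry(0x0001, 2, 2, lat_ref + b"\0\0\0")    # GPSLatitudeRef, ASCII inline
           + entry(0x0002, 5, 3, struct.pack("<I", 80))  # GPSLatitude, data at offset 80
           + entry(0x0003, 2, 2, lon_ref + b"\0\0\0")    # GPSLongitudeRef
           + entry(0x0004, 5, 3, struct.pack("<I", 104)) # GPSLongitude, data at offset 104
           + b"\0\0\0\0")
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _parse_tiff(tiff):
    end = "<" if tiff[:2] == b"II" else ">"
    rd = lambda fmt, off: struct.unpack_from(end + fmt, tiff, off)[0]
    def entries(ifd):  # yields (tag, type, count, offset of the 4-byte value field)
        for i in range(rd("H", ifd)):
            e = ifd + 2 + 12 * i
            yield rd("H", e), rd("H", e + 2), rd("I", e + 4), e + 8
    gps_ifd = next((rd("I", vo) for tag, _, _, vo in entries(rd("I", 4)) if tag == 0x8825), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, count, vo in entries(gps_ifd):
        if typ == 2:    # ASCII of 4 bytes or less is stored inline in the value field
            fields[tag] = tiff[vo:vo + count].rstrip(b"\0").decode("ascii")
        elif typ == 5:  # RATIONAL pairs live wherever the value field points
            nums = struct.unpack_from(end + "%dI" % (2 * count), tiff, rd("I", vo))
            fields[tag] = [nums[i] / (nums[i + 1] or 1) for i in range(0, 2 * count, 2)]
    if not all(t in fields for t in (1, 2, 3, 4)):
        return None   # incomplete GPS block (e.g. location services were off)
    return _decimal(fields[2], fields[1]), _decimal(fields[4], fields[3])

def _decimal(dms, ref):  # D/M/S -> signed decimal degrees; S and W are negative
    value = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -value if ref in ("S", "W") else value

def extract_gps(jpeg):
    """Walk the JPEG segments to APP1/Exif and return (lat, lon) in decimal degrees, or None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack_from(">HH", jpeg, pos)
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _parse_tiff(jpeg[pos + 10:pos + 2 + seglen])
        if marker == 0xFFDA:  # start of scan: no more metadata segments follow
            return None
        pos += 2 + seglen
    return None
```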

  10. GeoSetter
     • Free download from: http://www.geosetter.de/en/download/
     • A bit outdated
     • Can search a large directory of photos to find the ones that have EXIF data and display it on a map
     • Live demo

  11. Finding on Google Maps

  12. Finding on Google Maps

  13. GPS Spoofing
     • Yes, it’s illegal to spoof GPS signals!
     • Popular article: http://www.rtl-sdr.com/cheating-at-pokemon-go-with-a-hackrf-and-gps-spoofing/
     • Technical article: http://spectrum.ieee.org/telecom/security/protecting-gps-from-spoofers-is-critical-to-the-future-of-navigation
     • Some interesting things that have been spoofed…

  14. GPS Spoofing – Free Drones for Iran
     • http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer
     • Yeah, we never got that back to the CIA
     • Also a good way to get those drones out of your yard without resorting to shotguns?

  15. GPS Spoofing – The White Rose of Drachs
     • Step #1: Identify a big fancy ($80M) boat with civilian GPS (military GPS is encrypted)

  16. GPS Spoofing – The White Rose of Drachs
     • Step #2: Get a GPS spoofer on board or nearby

  17. GPS Spoofing – The White Rose of Drachs
     • Step #3: Slowly increase the GPS signal with a small correction (3 deg)

  18. GPS Spoofing – The White Rose of Drachs
     • Step #4: Wander into pirate waters

  19. GPS Spoofing – The White Rose of Drachs
     • Step #5: Profit!

  20. GPS Spoofing – Lachniet’s Attempt
     • Used freely available software to generate a GPS signal file: https://github.com/osqzss/gps-sdr-sim
     • Used the HackRF One Software Defined Radio (SDR) to transmit the signal: http://greatscottgadgets.com/hackrf/
     • Transmitted the signal and convinced my Nuvi GPS that I was in Hell, MI
     • But…

  21. GPS Spoofing – Some things I learned
     • You should never attempt a proof of concept on bleeding-edge software in the 48 hours before you intend to present on it!
     • There are a lot of incompatibilities and hassles with the hardware and software
       • Specifically, I needed to buy a clock generator to get my hardware to work correctly… the one picture I took came from about 20 seconds out of the 10 minutes the PoC worked correctly
     • Civilian GPS is not secure and should not be trusted; presumably this includes trackers and phones
     • Cell phones are more accurate because they can use cell towers to calibrate their location
     • You can’t trust GPS locations, even in EXIF data (these can be spoofed at the GPS level or simply re-written by software)

  22. GPS Spoofing – Some things I learned
     • Hardware like what I used is referred to as Software Defined Radio (SDR)
     • You can purchase a USB dongle for $25 that will let you tune in virtually any channel you want, if you know where it is
     • Can be used to listen to unencrypted audio like baby monitors, wireless landline phones, FM/TV, police radio, etc. Legality?
     • Can be used to find emanating signals (potentially useful for finding “bugs” that are transmitting on a particular frequency, though I didn’t have time to check this out very much)
     • Check out: http://www.rtl-sdr.com/

  23. IP address types – private and public
     • All Internet-connected devices have an IP address (usually IPv4, sometimes the newer IPv6)
     • Some of them are Internet-accessible, such as 207.179.121.162, but in residences there is usually only one of these, and you don’t directly use it
     • Instead, you have a “private” network that uses RFC1918 addresses:
       • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
       • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
       • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
     • These private addresses cannot normally be accessed from the Internet because they are protected by a router, or rather a firewall
     • They are also fairly useless for tracking unless you are trying to identify a specific machine on a network

  24. IP address types – private and public
     • The firewall “converts” them with address translation, allowing outbound communication but not inbound
     • There are some exceptions… for example, you can configure your firewall to allow some traffic in, but you usually have to do this manually
     • Usually, a “real” IP address means a server, but it could also be a cable or DSL modem
     • Cable and DSL modem IP addresses change, but not that frequently (on the order of days/weeks, usually)
     • Check your own public IP address by googling “whatsmyip”
     • Also, some businesses and especially schools use “real” IP addresses for workstations (this is really dangerous)
     • If you contract malware, it is your protected workstation that is “phoning home” out to the nasty Internet, just as if you were browsing a web site; the bad guy isn’t “coming in”, but the end effect is the same

  25. DNS Servers turn words into IP addresses
     • It is not convenient for humans to memorize the IP addresses of their favorite web sites, so we use the Domain Name System (DNS) for this purpose
     • Your computer connects to a DNS server and requests a name such as images.prometheansecurity.com, and gets an answer back such as 207.179.121.162
     • Reverse DNS can do the opposite, but is less reliable
     • This also allows tricks like load balancing or disaster recovery, among other things
     • The IP address that a DNS name points to can change
     • A lot of malware uses Domain Generation Algorithms to create names that are predictable (to the malware author) over time, making it hard to block attacks by blocking names
     • Public IP addresses can be “tracked” to some degree, but for residential users the end result is only approximate

  26. IP Addresses - ARIN
     • Check out ARIN online: https://www.arin.net/ (free)
     • WHOIS will show you who “owns” the IP address, but for residences this is almost always the ISP (send a subpoena)
     • This used to show my name and home address!

  27. ARIN Advanced Searching
     • https://whois.arin.net/ui/advanced.jsp
     • For when you are trying to find IP addresses for a specific organization (i.e. you already have an idea)
     • This usually means a business or organization, not residential!

  28. ARIN Advanced Searching
     • If you keep clicking and digging, you may find more
     • These records require you to register your IP addresses, so there is usually a lot of paperwork

  29. On IP address Hunting
     • You can use geolocation lookup databases, but these are typically only going to do a lookup based on the WHOIS record (street address, etc.)
     • For residences you will often only get the location of the Internet Service Provider or the city (my cable modem shows my proper home city; my DSL modem shows the location of my ISP in Lansing)
     • One thing that sometimes works is using the built-in “traceroute” utility to see what Internet “hops” your traffic takes to get to the end destination – you can sometimes guess at the location based on these
     • Note that being physically close does not mean being “Internet close”!

  30. On IP address Hunting
     C:\Users\marklac>tracert 216.120.196.23

     Tracing route to user23.middlecoast.net [216.120.196.23]
     over a maximum of 30 hops:

       1     1 ms     1 ms     1 ms  192.168.2.252
       2     *        9 ms     9 ms  96.120.41.209
       3     9 ms     9 ms     9 ms  68.85.85.5
       4    13 ms    13 ms    14 ms  te-0-3-0-15-ar02.pontiac.mi.michigan.comcast.net [68.85.235.249]
       5    22 ms    20 ms    20 ms  be-33668-cr02.350ecermak.il.ibone.comcast.net [68.86.90.45]
       6    20 ms    19 ms    24 ms  hu-0-10-0-6-pe01.350ecermak.il.ibone.comcast.net [68.86.89.170]
       7    20 ms    19 ms    19 ms  ae12.chi11.ip4.gtt.net [199.229.229.249]
       8    22 ms    23 ms    21 ms  us-signal-gw.ip4.gtt.net [77.67.79.70]
       9    36 ms    32 ms    32 ms  te0-3-0-2.core-01.dtw.ussignalcom.net [70.34.130.206]
      10    57 ms   137 ms    33 ms  te0-0-0-2.agg01.kwd.ussignalcom.net [70.34.131.66]
      11    33 ms     *       34 ms  host-74-204-21-14.host.ussignalcom.net [74.204.21.14]
      12    34 ms    35 ms    33 ms  gr-dist-rtr.trivalent.net [216.120.132.15]
      13    36 ms    36 ms    36 ms  216.120.199.254
      14    36 ms    43 ms    36 ms  user23.middlecoast.net [216.120.196.23]
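An added example (not part of the presentation) that parses the tracert output above the way the previous slide suggests: it records each hop, marks RFC1918 addresses that only mean something inside that network, and attaches place hints taken from router names. The hint table is an assumption built from the carrier naming seen in this one trace; router names are not standardised, so every hit is a lead to confirm, not a fact.

```python
import ipaddress
import re

# Sample input: the tracert output reproduced from the slide, trimmed to a few hops.
SAMPLE_TRACERT = """\
Tracing route to user23.middlecoast.net [216.120.196.23]
over a maximum of 30 hops:
  1     1 ms     1 ms     1 ms  192.168.2.252
  2     *        9 ms     9 ms  96.120.41.209
  4    13 ms    13 ms    14 ms  te-0-3-0-15-ar02.pontiac.mi.michigan.comcast.net [68.85.235.249]
  5    22 ms    20 ms    20 ms  be-33668-cr02.350ecermak.il.ibone.comcast.net [68.86.90.45]
  7    20 ms    19 ms    19 ms  ae12.chi11.ip4.gtt.net [199.229.229.249]
  9    36 ms    32 ms    32 ms  te0-3-0-2.core-01.dtw.ussignalcom.net [70.34.130.206]
 11    33 ms     *       34 ms  host-74-204-21-14.host.ussignalcom.net [74.204.21.14]
 14    36 ms    43 ms    36 ms  user23.middlecoast.net [216.120.196.23]
"""

# Place hints guessed from the router naming in this trace (assumed, for illustration only;
# carriers name routers however they like, so treat each match as a lead to confirm).
LOCATION_HINTS = [
    (r"\.pontiac\.mi\.", "Pontiac, MI"),
    (r"\.350ecermak\.il\.", "350 E Cermak, Chicago, IL (carrier hotel)"),
    (r"\.chi\d*\.", "Chicago, IL"),
    (r"\.dtw\.", "Detroit, MI (airport code)"),
]

HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:\d+ ms|\*)\s+){3})(\S.*?)\s*$")

def parse_tracert(text):
    """Turn Windows tracert output into hop records with RFC1918 and location annotations."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue   # banner lines
        parts = m.group(3).split()
        try:
            ip = ipaddress.ip_address(parts[-1].strip("[]"))
        except ValueError:
            continue   # "Request timed out." rows carry no address
        name = parts[0] if len(parts) == 2 else ""
        hint = next((place for pat, place in LOCATION_HINTS if re.search(pat, "." + name)), None)
        rtts = [None if t == "*" else int(t.split()[0]) for t in re.findall(r"\d+ ms|\*", m.group(2))]
        # ip.is_private covers the RFC1918 ranges; such hops only identify a box on that LAN
        hops.append({"hop": int(m.group(1)), "ip": str(ip), "name": name,
                     "private": ip.is_private, "rtt_ms": rtts, "hint": hint})
    return hops

def last_hinted_hop(hops):
    """The deepest hop carrying a place hint: the nearest guess for the destination's area."""
    hinted = [h for h in hops if h["hint"]]
    return hinted[-1] if hinted else None
```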

  31. On IP address Hunting
     • Unfortunately, a lot of the time the closest you can get without a court order of some kind is the ISP, for residences
     • If the perp is stupid enough to use a work address, it’s entirely different though!
     • Not only do you need to figure out who owns the public IP address, you then need to figure out which of the private IP addresses it might be!
     • You can find this by reviewing logs, looking at browser features, or by laying out a “beacon”
     • Each browser is pretty unique! You can use all the VPN and Tor you want to hide your IP address, but your browser doesn’t change
     • You can hide a little with the right software, like Chrome and Ghostery
     • See: https://panopticlick.eff.org/ (me = unique!)

  32. Beacons
     • Send an HTML email
     • Include a link to an image on a server you control
     • Can be an invisible image if you want to be tricky
     • If the user(s) that read the e-mail have poor security you can get some information
     • Examples:
       • file://images.prometheansecurity.com/images/logo.gif (uses Windows file sharing; can get you a username and workstation name, but rarely works anymore)
       • http://images.prometheansecurity.com/images/logo.gif (works on any web server; works if the mail client will display images)
     • You could also just give a link to an interesting-sounding file like “contract.doc” and see who goes for it

  33. Beacons
     • Results from the e-mail I sent last night:
       • File server: 0 hits (yay!), web server: 53 hits
     • Often shows hardware and software versions
     • 162.255.130.248 - - [01/Nov/2016:23:11:57 -0400] "GET /images/logo.gif HTTP/1.1" 200 50322 "https://outlook.live.com/" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-G900P Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36"
     • 64.53.220.226 - - [01/Nov/2016:23:14:10 -0400] "GET /images/logo.gif HTTP/1.1" 200 50322 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 16.0.6965; ms-office; MSOffice 16)"
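An added example, not the author's code, that reads the two access-log lines above as Apache combined-format records and pulls out what a beacon hit actually reveals: source address, time, the platform tokens from the User-Agent, and a guess at the mail client that fetched the image. The client-hint list is an assumption for illustration; a mail service that proxies images will show its own address here rather than the reader's.

```python
import re
from datetime import datetime

# Constructed sample: the two Apache "combined" log lines shown on the slide.
SAMPLE_LOG = """\
162.255.130.248 - - [01/Nov/2016:23:11:57 -0400] "GET /images/logo.gif HTTP/1.1" 200 50322 "https://outlook.live.com/" "Mozilla/5.0 (Linux; Android 6.0.1; SAMSUNG SM-G900P Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/4.0 Chrome/44.0.2403.133 Mobile Safari/537.36"
64.53.220.226 - - [01/Nov/2016:23:14:10 -0400] "GET /images/logo.gif HTTP/1.1" 200 50322 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 16.0.6965; ms-office; MSOffice 16)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Substrings that identify the software that fetched the image (assumed, illustrative).
CLIENT_HINTS = [
    ("Microsoft Outlook", "Outlook desktop"),
    ("outlook.live.com", "Outlook.com webmail"),   # this one matches the referer
    ("Android", "Android device"),
    ("Windows NT", "Windows PC"),
]

def beacon_hits(log_text, beacon_path="/images/logo.gif"):
    """Return one record per successful fetch of the beacon image."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != beacon_path or m.group("status") != "200":
            continue
        ua, referer = m.group("ua"), m.group("referer")
        platform = re.search(r"\(([^)]*)\)", ua)   # first parenthesised block: OS/device tokens
        hits.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
            "platform": platform.group(1).split("; ") if platform else [],
            "clients": [label for needle, label in CLIENT_HINTS if needle in ua or needle in referer],
        })
    return hits

def distinct_readers(hits):
    """Collapse repeated loads (retries, re-opens) down to the first hit per source address."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], h)
    return by_ip
```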

  34. Email Address Headers – Example #1
     Return-Path: <xxxxx>
     Received: from colo14.roaringpenguin.com ([198.41.29.199]) by mx.perfora.net (mxeueus004 [74.208.5.21]) with ESMTPS (Nemesis) id 0MQx20-1cRby02DgU-00UHcV for <mark.lachniet@prometheansecurity.com>; Wed, 02 Nov 2016 02:18:34 +0100
     Received: from middlecoast.net (user23.middlecoast.net [216.120.196.23] (may be forged)) by colo20-v-ob.roaringpenguin.com (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP id uA21IWan028317 for <mark.lachniet@prometheansecurity.com>; Tue, 1 Nov 2016 21:18:32 -0400
     X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=98.224.252.52;
     Received: from [10.0.0.110] (unverified [98.224.252.52]) by middlecoast.net (SurgeMail 6.9c) with ESMTP (TLS) id 766539-1269429 for <mark.lachniet@prometheansecurity.com>; Tue, 01 Nov 2016 21:43:51 -0400
     From: "xxx@kxxxx" <xxx@xxx.com>
     Content-Type: multipart/alternative; boundary="Apple-Mail=_AAB69870-6E0D-47A8-9C0F-A68118010B27"
     Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))

  35. Email Address Headers – Example #1
     Subject: Re: MCPI: Testing e-mail for MCPI session tomorrow
     Date: Tue, 1 Nov 2016 21:18:30 -0400
     References: <a9e9ce4a-68e6-d333-cc20-f847fcf1f2c7@prometheansecurity.com>
     To: Mark Lachniet <mark.lachniet@prometheansecurity.com>
     In-Reply-To: <a9e9ce4a-68e6-d333-cc20-f847fcf1f2c7@prometheansecurity.com>
     Message-Id: <8330786E-64E0-4E9F-8951-082E294A9344@xxxx.com>
     X-Mailer: Apple Mail (2.3251)
     X-Authenticated-User: xxxx@xxxx.com
     X-Bayes-Prob: 0.0001 (Score 0, tokens from: middlecoast-net, @@RPTN)
     X-Spam-Score: 1.78 (*) [Hold at 10.00] HTML_FONT_LOW_CONTRAST:0.001,HTML_MESSAGE:0.001,PORN_RP_PICS:0.5,RDNS_NONE:1.274
     X-CanIt-Geo: ip=216.120.196.23; country=US; region=Michigan; city=Grandville; latitude=xxxxx; longitude=-xxxxx; http://maps.google.com/maps?q=xxxx,-xxxxx&z=6
     X-CanItPRO-Stream: outbound-container-realm:middlecoast-net (inherits from outbound-container-realm:default,base:default)
     X-Canit-Stats-ID: 0jS2NiwwW - 868c64c5dded - 20161101
     X-CanIt-Archive-Cluster: irqpXI7aJGyo4Ewta7qVH399FOg
     X-CanIt-Archived-As: xxxxx-com/20161101 / 0jS2NiwwW
     X-Scanned-By: CanIt (www . roaringpenguin . com) on 198.41.30.184
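The Received chain from slide 34, read bottom-up, as an added example that is not from the presentation: it unfolds each Received header, pulls out the from/by hosts, bracketed addresses and timestamp, separates RFC1918 addresses from public ones, keeps the receiving servers' own "unverified" and "may be forged" annotations, and flags the timestamp on the second hop (21:18:32) being earlier than the first (21:43:51). Only the standard library is used; the header text is the slide's, trimmed to the Received lines.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain from the slide, newest hop first, folded as a mail client shows it.
SAMPLE_HEADERS = """\
Return-Path: <xxxxx>
Received: from colo14.roaringpenguin.com ([198.41.29.199]) by mx.perfora.net
 (mxeueus004 [74.208.5.21]) with ESMTPS (Nemesis) id 0MQx20-1cRby02DgU-00UHcV
 for <mark.lachniet@prometheansecurity.com>; Wed, 02 Nov 2016 02:18:34 +0100
Received: from middlecoast.net (user23.middlecoast.net [216.120.196.23] (may be forged))
 by colo20-v-ob.roaringpenguin.com (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP
 id uA21IWan028317 for <mark.lachniet@prometheansecurity.com>; Tue, 1 Nov 2016 21:18:32 -0400
Received: from [10.0.0.110] (unverified [98.224.252.52]) by middlecoast.net (SurgeMail 6.9c)
 with ESMTP (TLS) id 766539-1269429 for <mark.lachniet@prometheansecurity.com>;
 Tue, 01 Nov 2016 21:43:51 -0400
"""

RECEIVED_RE = re.compile(r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+).*;\s*(?P<date>[^;]+)$")

def parse_received_chain(raw):
    """Read Received headers bottom-up (the bottom header is the first hop) and annotate each."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())        # unfold the header
        m = RECEIVED_RE.match(text)
        if not m:
            continue
        from_part = m.group("from")
        ips = re.findall(r"\[([0-9.]+)\]", from_part)
        hops.append({
            "from": from_part.split()[0].strip("[]"),
            "ips": ips,
            "private_ips": [ip for ip in ips if ipaddress.ip_address(ip).is_private],
            "by": m.group("by"),
            "time": parsedate_to_datetime(m.group("date").strip()),
            "flags": [w for w in ("may be forged", "unverified") if w in from_part],
        })
    # A hop should be stamped no earlier than the hop before it; otherwise suspect skew or tampering.
    for prev, cur in zip(hops, hops[1:]):
        if cur["time"] < prev["time"]:
            cur["flags"].append("timestamp earlier than previous hop")
    return hops

def likely_origin(hops):
    """First public address in the earliest hop; RFC1918 addresses only name a box on the sender's LAN."""
    for hop in hops:
        public = [ip for ip in hop["ips"] if ip not in hop["private_ips"]]
        if public:
            return public[0]
    return None
```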

  36. Q&A / Additional Demo
     • Q: If you can speak to cell phone "pinging", that could be helpful. Specifically how it works, if it works, etc.?
       • As I understand it, only law enforcement and the phone company can legally do this! They have the ability to do it pretty easily
       • There are illegal ways to do it…
         • Install malware on the phone
         • Use fake cell towers
     • Q: If you can speak to the latest rules, laws, etc. regarding software which can be installed on PCs to copy all keystrokes?
       • Simply put, you can only do this if you have a legal right to do it.
         • If you are an employer and you have given warning
         • If you own the machine in question (beware of shared machines! Just because the wife wants you to do it doesn’t mean you can get into the husband’s stuff)
       • Google “Mark Lachniet Hostile Forensics”

  37. Q&A / Additional Demo
     • Q: If you can speak to hidden listening devices in homes which can be accessed remotely, say via smart phones, and how does one find those besides looking?
       • Sorry, I don’t know enough about this to say for sure – it is tough to figure out complaints of “someone is bugging me”; there are just so many possibilities
       • Odds are good it’s a phone or PC and not a spy – re-format and re-install software on ALL their stuff
       • Check with the phone company to make sure there is no monitoring of text messages (see my previous article)
     • Q: On the iPhone: Is using the thumbprint (in lieu of typing in a password) safe when using public wifi systems (like at a restaurant)?
       • Shouldn’t make a difference how you are connecting, but thumbprints can be lifted, copied or compelled (whereas a passcode you could have legitimately forgotten, right?)

  38. Q&A / Additional Demo
     • Q: Legality of using drones for surveillance
       • Sorry, I don’t use these so I haven’t looked into it. I do understand that you can’t shoot them out of the sky even if they are peeking in your window. Your research is as good as mine.
       • Beware of no-fly zones and altitude
       • Use a GPS spoofer on it and tell it that it’s over the Pentagon; maybe it will land and you get a freebie (only works on good ones)
       • Seems like a potentially expensive way to do the work, but good in some situations like fenced areas, or possibly with IR?
     • Don’t underestimate the value of thermal imagers! Demo?
     • THANKS!
