00:00:00.033-->00:00:05.806 >> So Jake is going to talk about attribution, um, which I can only presume is going to be 00:00:05.806-->00:00:11.879 exclusively about either Russia or China. [laughter] So let's give Jake a big round of 00:00:11.879-->00:00:16.884 applause. [applause] >> Thank you everyone. Great to see everyone here. I seriously don't 00:00:21.121-->00:00:26.193 see enough beverages in people's hands though, so. Maybe you should fix that. But my name's 00:00:26.193-->00:00:30.697 Jake, I'm a CISO with Risk Based Security. Been doing a bunch of vulnerability and data breach 00:00:30.697-->00:00:35.168 intelligence stuff for quite some time. I want to also recognize Lee Johnstone for all 00:00:35.168-->00:00:39.940 the work and creation of data and everything. So the talk here is, uh, today, it's "'Cyber' Who 00:00:39.940-->00:00:46.346 Done It?! Attribution Analysis Through Arrest History." So we really are going to play a cyber 00:00:46.346-->00:00:50.484 drinking game. You guys are just going to have to get over it, because we're going to say cyber 00:00:50.484-->00:00:57.357 a ton through this talk. So, um, anytime you see in the slides that it says cyber or you hear me say 00:00:57.357-->00:01:03.997 cyber, you should drink. I only see a few beverages over here, so we'll see. Um, and I don't 00:01:03.997-->00:01:08.936 care if it's beer or root beer, so, no pressure. Alright, so if you look back over the last five 00:01:08.936-->00:01:13.540 years, data breaches keep occurring at alarming rates. Right, it's, it's just 00:01:13.540-->00:01:18.845 ridiculous, uh, the amount, and it just shows that it's not getting better, and so it doesn't matter 00:01:18.845-->00:01:23.150 how many blinky lights, boxes, we buy from security vendors, we're still just seeing a 00:01:23.150-->00:01:27.621 ridiculous amount of breaches. In fact, 2015 had the most breaches that we've 00:01:27.621-->00:01:33.560 ever, ever tracked. 
When you look at it from, how are these things occurring, there's that 00:01:33.560-->00:01:39.333 old 1970s thought process, I think from the FBI, that says, the insider, right? But when you 00:01:39.333-->00:01:43.470 look at the data from 2015, it shows that 77 percent of them are actually coming from the 00:01:43.470-->00:01:49.242 outside. Right? Now, the insider may hurt you the worst, but it shows in terms of likelihood the 00:01:49.242-->00:01:53.146 outside is where it's occurring, and then when you break it down by the breach types, it's just 00:01:53.146-->00:01:57.150 hacking through the roof, right? So we're just seeing a ton of hacking and it's been 00:01:57.150-->00:02:01.321 that way the last couple of years. When you look at it from where it's happening, what 00:02:01.321-->00:02:06.293 countries, where these organizations are being impacted, this isn't just a USA 00:02:06.293-->00:02:12.499 issue, right? Now while the USA and the, um, and the UK account for 46-plus percent of 00:02:12.499-->00:02:18.338 the breaches, it's not just there, right? So it is a world issue. And year to date, we 00:02:18.338-->00:02:23.010 still suck, right? We're not getting any better. Uh, over 2000 data breaches confirmed 00:02:23.010-->00:02:28.048 already and it's the most amount of records that we've ever lost in a single year. We're already 00:02:28.048-->00:02:32.619 over 1.1 billion records being lost and we still have a couple months to go. So, 00:02:32.619-->00:02:37.557 um, not seeing much improvement at this point. The question we get all the time when we're 00:02:37.557-->00:02:41.795 tracking these data breaches is, who's behind all this stuff? Right? Who is behind and causing 00:02:41.795-->00:02:45.332 all of these data breaches? It comes up all the time. Specifically the hacking events. 00:02:45.332-->00:02:51.104 Who is behind it? So this leads us to this whole concept of attribution, right? 
And if you 00:02:51.104-->00:02:54.875 try to get your head wrapped around attribution and what does it really mean, you can start 00:02:54.875-->00:02:59.379 looking on good old Wikipedia, right? And that gives us a few different ideas about what 00:02:59.379-->00:03:03.583 attribution is in other disciplines, so in social psychology attribution is a 00:03:03.583-->00:03:08.822 process of explaining the cause of behavior and events. In copyright law it's about crediting the 00:03:08.822-->00:03:13.994 work. In journalism it's about attribution to a source, right? So you start to get familiar 00:03:13.994-->00:03:20.000 there. Now in the cyber world, we basically just want to know, who did this, right? We want to 00:03:20.000-->00:03:25.005 know, what the hell did you just do? What actually happened? What was done? And then finally, why? 00:03:27.541-->00:03:31.878 Why did you do this, what are the motives, can I have some reasons? Right? So if you think 00:03:31.878-->00:03:35.816 about it, you always hear this saying, you know, knowledge is power, but in these days and 00:03:35.816-->00:03:40.454 times, it's really starting to be attribution is power, right? And this seems to be the case, 00:03:40.454-->00:03:47.260 we want to know what's going on, who's behind all this stuff. So, nothing brought this attribution 00:03:47.260-->00:03:54.167 debate and problem, um, more clearly into focus than the Sony breach in December 2014. Right? So we 00:03:54.167-->00:03:59.239 should all remember this whole GOP, Guardians of the Peace, post, taking credit for 00:03:59.239-->00:04:03.577 this breach. Um, and there was serious debate over this breach. What were the motives, who did 00:04:03.577-->00:04:08.348 it? And it was so ridiculously bad, the back and forth, that it led to just a ridiculous amount 00:04:08.348-->00:04:13.320 of lols from the security community, right? So we actually created these cyberwar 00:04:13.320-->00:04:17.924 attribution bingo cards. 
They still exist, if you want them, you can go out to the website 00:04:17.924-->00:04:22.262 and generate your own cards and play along, right, and see what happens. But if you're not up 00:04:22.262-->00:04:27.300 for games, then there was a couple of guys who created the Sony Hack Attribution Generator. 00:04:27.300-->00:04:30.904 So that you can go to the website and then sort of refresh to get what you want. So you go 00:04:30.904-->00:04:35.542 to this first one and get the nice report here about a Sony manager behind it. I don't like 00:04:35.542-->00:04:40.080 that one. Uh, Romanian organization. Hmm, that's better. Welp, now we have North 00:04:40.080-->00:04:44.117 Korea. Right, here's a nice detailed report. You can just keep refreshing, right, so you 00:04:44.117-->00:04:48.255 guys can get reports. They weren't the only one, we actually had another website 00:04:48.255-->00:04:52.726 created called who hacked us dot com. You can get attribution reports here. Here we get China, 00:04:52.726-->00:04:59.332 right? Crouching Panda, Hidden Dragon, so here's your China reference starting. But if you 00:04:59.332-->00:05:04.037 don't want a detailed report and that's just too much, guess what? We had the industry create 00:05:04.037-->00:05:09.876 cyber attribution dice. So you can just roll the dice and get the answer, right? And why would 00:05:09.876-->00:05:13.914 you pay for high-priced forensics when you can just roll the dice? Right? That's probably the best 00:05:13.914-->00:05:19.019 attribution you're going to get anyway. Some people weren't so thrilled about the cyber dice 00:05:19.019-->00:05:23.790 and they said, you know what we need? We need a magic eight ball. And guess what? Twitter 00:05:23.790-->00:05:28.395 answered. We have the attribution eight ball. Right? 
And unfortunately it hasn't been 00:05:28.395-->00:05:32.032 active here recently, so whoever's behind this account, I'd appreciate it if you could step 00:05:32.032-->00:05:37.337 up your game and start tweeting out some stuff again for us. But Twitter's just not enough, 00:05:37.337-->00:05:42.175 so we have Duo that comes up, right, and they create the actual attribution eight ball. And of 00:05:42.175-->00:05:47.380 course it's China. And you gotta love the pictures behind there, right? It was China and who's 00:05:47.380-->00:05:53.086 showing, right? So we see that, then we see good old SwiftOnSecurity when we were talking about 00:05:53.086-->00:05:57.791 the MySpace breach, and should we blame Russia or what's going on, saying hey, we need another 00:05:57.791-->00:06:03.964 magic eight ball. And at this point in time, because we know the attribution eight ball is so 00:06:03.964-->00:06:09.236 important, Threatbutt comes to the rescue, and so no offense to Duo, but Threatbutt creates an 00:06:09.236-->00:06:13.807 attribution eight ball, and if you don't know about Threatbutt, you should, because, uh, they 00:06:13.807-->00:06:18.912 basically provide the maximum protection from threatening threaty threats, like China. So 00:06:18.912-->00:06:22.382 we're really pleased that they, uh, were able to help us out here. So thanks to Threatbutt 00:06:22.382-->00:06:29.055 for all your hard work. So with all the lols aside, I mean it's a serious issue, and people joke 00:06:29.055-->00:06:33.193 about stuff like this because there's something behind it, right? And the jokes are funny, 00:06:33.193-->00:06:38.298 but let's get back to the Sony breach and walk through it. And the point was, who did this 00:06:38.298-->00:06:43.803 thing? Right, everyone wanted to know. And for the purposes of this talk, there were basically 00:06:43.803-->00:06:49.943 two major viewpoints. 
One was North Korea, and the other one was an insider, also known as 00:06:49.943-->00:06:54.948 not North Korea. Right? And so, on the North Korea side, we predominantly had CrowdStrike 00:06:58.118-->00:07:03.056 and the FBI, and on the insider, also known as not North Korea, we had Norse, Marc Rogers and 00:07:05.592-->00:07:11.665 Kim Zetter from Wired coming out with information. So here's from Norse, right, so Norse basically 00:07:11.665-->00:07:16.403 was not involved in the case itself, but they said they were doing their own investigation 00:07:16.403-->00:07:20.473 and they said that the Norse data was pointing toward a woman that called herself Lena, and 00:07:20.473-->00:07:25.145 claimed to be connected with this, the GOP hacking group. Norse believed that they 00:07:25.145-->00:07:30.116 identified the woman, who had worked at Sony in Los Angeles for about ten years and then was 00:07:30.116-->00:07:35.088 involved with it. And so what comes from them is, we are very confident that this was not an 00:07:35.088-->00:07:40.093 attack masterminded by North Korea. Right, so they're coming out pretty vocal, it's not like, 00:07:40.093-->00:07:45.498 it may be, it's we're pretty, we're pretty damn confident it's not them. Then you have Marc 00:07:45.498-->00:07:49.302 coming out basically saying he wasn't seeing hard evidence either, and he had some really 00:07:49.302-->00:07:52.272 good articles, if you haven't read them you should go to his website and read them, to better 00:07:52.272-->00:07:57.010 understand his point of view, but he mentioned things like, the broken English that was 00:07:57.010-->00:08:01.081 being used for attribution looked really too deliberate. Right, uh, the code that was 00:08:01.081-->00:08:06.720 written on a PC with the Korean locale, um, makes it actually, probably not North Korea. 
Uh, 00:08:06.720-->00:08:11.624 hard-coded paths and passwords and whatnot really did, uh, make it seem like someone knew that 00:08:11.624-->00:08:15.462 information from Sony from the inside. And one of the other things that he said too, was 00:08:15.462-->00:08:20.667 blaming North Korea was an easy way out for people, uh, including the security vendors 00:08:20.667-->00:08:24.270 that were brought in and paid, and Sony management and all that, because of that whole Interview 00:08:24.270-->00:08:29.075 movie and everything, it was just sort of an easy way to do it. And you can see here, even after 00:08:29.075-->00:08:33.279 the FBI started to come out and say it was North Korea, he's still saying, I still don't 00:08:33.279-->00:08:39.085 believe that that's the case. Kim Zetter from Wired, she basically published a story 00:08:39.085-->00:08:43.323 saying that the evidence was flimsy. Ah, again it's a great article if you want to get some 00:08:43.323-->00:08:47.394 more information about it. And she was basically saying that the assertion about who was 00:08:47.394-->00:08:52.866 behind it, um, you should be skeptical of these things. And it's easy for attackers to 00:08:52.866-->00:08:58.571 plant these false flags or point to North Korea and those sorts of things, and a lot of the 00:08:58.571-->00:09:04.644 evidence that was presented was circumstantial. Right? And then here's Dmitri from CrowdStrike, 00:09:04.644-->00:09:10.183 so he comes in and basically says, North Korea. And that's it, North Korea, nothing 00:09:10.183-->00:09:14.954 else. Now what's funny is, at Black Hat I ran into Dmitri for the first time and I sort of 00:09:14.954-->00:09:19.759 told him, hey Dmitri, your face is going to pop up several times in my talk at DEF CON, and we sort 00:09:19.759-->00:09:24.397 of had a spirited debate for about an hour. Uh, he still believes it's North Korea and 00:09:24.397-->00:09:30.170 that's that. Right? 
Now, what was also interesting was we started to see this attribution 00:09:30.170-->00:09:33.973 stuff go really into the mainstream. Right here you have Marc Rogers and Dmitri on PBS 00:09:33.973-->00:09:39.112 doing a live debate on attribution. Who did it, right? So we're seeing this isn't just, 00:09:39.112-->00:09:42.282 you know, in our industry, it's starting to come out, more and more people trying to figure out 00:09:42.282-->00:09:47.754 what's going on. So then we have Sony, and this is sort of mid-December 2014, they publish 00:09:47.754-->00:09:53.793 a more official update and a statement basically saying that as a result of our investigation 00:09:53.793-->00:09:58.798 and close collaboration with other government agencies, the FBI now has enough information 00:09:58.798-->00:10:05.371 to conclude that the North Korean government is responsible. So pretty definitive from the FBI. 00:10:05.371-->00:10:09.976 Even though that came out, we're still seeing CrowdStrike versus Norse quite a bit, 00:10:09.976-->00:10:15.482 and there were a few others, but those were the loudest, if you will, um, talking about this 00:10:15.482-->00:10:19.752 stuff. Actually FireEye/Mandiant, who were hired by Sony, they also, they were pretty 00:10:19.752-->00:10:24.591 quiet in the press. Kevin Mandia did come out and say a few things such as, um, the 00:10:24.591-->00:10:30.163 attacks that happened in South Korea in 2013 were very similar, the same, as what was 00:10:30.163-->00:10:34.901 being used for Sony, so they attributed those 2013 hacks to North Korea, so therefore it 00:10:34.901-->00:10:39.906 was Sony, or, uh, North Korea behind this. So at RBS we were actually documenting this 00:10:42.242-->00:10:45.445 whole thing, and we've got this big article, like a breakdown of it, trying to track everything 00:10:45.445-->00:10:50.149 that was going on. 
And we started to think, right, you have these two, you know, you've 00:10:50.149-->00:10:55.688 got CrowdStrike and you've got Norse, so these two ridiculously funded VC companies, the hottest 00:10:55.688-->00:10:59.726 threat intelligence, with ridiculously polar opposite, like, it's an insider and this 00:10:59.726-->00:11:03.530 is North Korea, and they are both sort of arguing. So it made us sort of start to think, these bold 00:11:03.530-->00:11:09.469 statements, um, if you make this bold statement and it turns out to be wrong, does it mean that 00:11:09.469-->00:11:14.407 the intelligence you sell sucks? Can't be trusted? Right? You come out and say, oh, this is 00:11:14.407-->00:11:19.178 definitely it, and it's proven wrong, then is your product any good? So, what 00:11:19.178-->00:11:25.652 happens is, in January, so all that stuff's going on in December 2014, then we see, um, the FBI 00:11:25.652-->00:11:31.891 comes out and again says, hey, look, it definitely is, um, North Korea behind this. A week 00:11:31.891-->00:11:36.462 or so after that update, then we see Krebs come out and say that there's some rumors that Norse 00:11:36.462-->00:11:41.601 is about to implode. Right? And they're the ones, remember, that said it was an insider, not 00:11:41.601-->00:11:45.805 North Korea. Whether that has to do with it or not, it's quite interesting. Further on that, in 00:11:45.805-->00:11:50.276 March of 2016, you can see this tweet, sadness defined, the RSA booth, it looks like they 00:11:50.276-->00:11:55.415 threw down a huge amount of money for a booth and then it was just this kind of deserted 00:11:55.415-->00:12:00.153 smaller thing, right? So, not so good. And everyone was immediately worried, right? 00:12:00.153-->00:12:05.091 We're going to lose the live attack map, and while most people that I know could care less 00:12:05.091-->00:12:08.261 about that, they like showing it to management to get more budget, right? 
Like look at 00:12:08.261-->00:12:14.834 that, it's serious stuff in cyber, right, we need help. But the good news is we have good 00:12:14.834-->00:12:18.938 old Threatbutt that's come back to help us again. I'm serious, right? The Threatbutt Internet 00:12:18.938-->00:12:24.410 Hacking Attack Attribution Map. And you can see here, by leveraging the patented CrowdStrike 00:12:24.410-->00:12:29.582 technology, they've made it even better. Right? So they did give credit to, uh, pew pew, 00:12:29.582-->00:12:35.822 but they make all the threat stuff better, so. Alright, so why is this attribution stuff so 00:12:35.822-->00:12:41.828 hard? And it's actually even hard to put into words. And there's people that will disagree, if 00:12:41.828-->00:12:45.898 you're in this space, I'm sure you're already upset at me or tweeting me back things or 00:12:45.898-->00:12:50.036 whatever, but the reality is, it's still challenging, right? So I want to put out a few 00:12:50.036-->00:12:55.208 things of why attribution in the cyber space is a little tricky. So a lot of the 00:12:55.208-->00:12:59.746 attributes that you typically see in the real world just don't exist in the cyber world. So 00:12:59.746-->00:13:06.686 that sort of hardcore CSI forensics investigation work just isn't as possible, right? 00:13:06.686-->00:13:11.491 It's considered to be easy to spoof some of these things. Plant these things. It's 00:13:11.491-->00:13:16.229 considered to be easy to embed other people's work. Tools, exploits, malware. You know, 00:13:16.229-->00:13:20.199 just because you see this sample of this in this particular attack doesn't mean it was the 00:13:20.199-->00:13:24.237 exact same person, right? Someone else could have easily taken that code. 
Now for people 00:13:24.237-->00:13:28.274 in this space, they'll get a little snippy sometimes and say, well if the source code wasn't 00:13:28.274-->00:13:31.678 available, there was no way it could have been found, I mean, there's lots of debates about 00:13:31.678-->00:13:36.482 this stuff, but it makes it challenging. And then that whole sort of concept of not having a 00:13:36.482-->00:13:42.855 physical territory, right, some markers that you'll hear in the cyber warfare world or the 00:13:42.855-->00:13:49.662 traditional warfare world, like an assembly zone, boundaries to cross, being able to track things 00:13:49.662-->00:13:53.666 back specifically on a missile launch. All those sorts of things, they just don't really 00:13:53.666-->00:13:57.904 exist in the cyber space, right? And honestly, I have so many slides to get through 00:13:57.904-->00:14:00.707 because as I'm working on this talk, there's more and more shit happening. Right, so then we 00:14:00.707-->00:14:07.113 have the DNC that gets hacked, right? Um, so right. And then it's actually so bad that Jeff 00:14:07.113-->00:14:13.619 and Black Hat have to decide they gotta raise some money for them to get better at security, it 00:14:13.619-->00:14:18.024 seems, so. Alright. So, um, this one we have the, we have the issue, right, and we have 00:14:18.024-->00:14:22.528 Guccifer 2.0 that comes out and takes credit for the breach, right? So now we're starting to 00:14:22.528-->00:14:27.333 look at attribution in terms of taking credit for it. So if you know anything about the original 00:14:27.333-->00:14:32.338 Guccifer, it was a Romanian man who hacked, uh, lots of high-profile government accounts, 00:14:32.338-->00:14:37.009 claimed to hack Hillary's private e-mail servers. All those sorts of things. 
And Guccifer 2.0 goes 00:14:37.009-->00:14:42.215 on to say, uh, Guccifer may have been the first one who penetrated Hillary and other 00:14:42.215-->00:14:46.452 Democratic mail servers, but he certainly wasn't the last, no wonder any other hacker could 00:14:46.452-->00:14:52.358 have easily got into these DNC servers, right. So then again now we go immediately into the 00:14:52.358-->00:14:56.929 press to, alright, cyber attribution and questions there, right. And so everyone's 00:14:56.929-->00:15:01.334 immediately trying to figure out who did this, and it seems like an absolute broken record and, 00:15:01.334-->00:15:07.907 uh, Dmitri's back. Right, so, uh, he's back. And CrowdStrike tells us, this time it's Russia. 00:15:07.907-->00:15:11.878 Now, what's interesting for this one, it's a little bit different from the Sony one, there were a 00:15:11.878-->00:15:16.949 lot of people sort of arguing on both sides on the Sony one, but so far most people seem to 00:15:16.949-->00:15:22.421 agree and are saying that it's Russia in this particular case. Actually the only one so far 00:15:22.421-->00:15:26.526 that I've seen that hasn't said it was Russia was Donald Trump, who was being interviewed and 00:15:26.526-->00:15:31.998 said something like Russia, Russia, eh, it's probably China. So, um, now China's somehow 00:15:31.998-->00:15:37.870 brought in allegedly. But here we actually have Fidelis, they're another security company, 00:15:37.870-->00:15:42.375 and they came out and they basically said they are also very confident that it's Russian 00:15:42.375-->00:15:48.147 actors, and what they said was that they looked at the code, uh, there was the use of 00:15:48.147-->00:15:53.152 the Russian alphabet keyboard and the time zone it was compiled in. Some of the malware 00:15:53.152-->00:15:57.590 and those sorts of things. 
They also went on to say that the evidence pointing to Russia was 00:15:57.590-->00:16:02.662 so convincing, it would have had to have been a very elaborate scheme, um, for it to be anyone 00:16:02.662-->00:16:07.667 else. And so that's a little, um, I don't know. I look at it and I start thinking, these are 00:16:11.370-->00:16:14.874 the things that people complained about the last time around that could be spoofed and 00:16:14.874-->00:16:18.444 all those sorts of problems, so if it is, the wording that they're using is a little tough. 00:16:18.444-->00:16:23.883 Alright, so then the media right now still isn't clear. There's another article that's 00:16:23.883-->00:16:28.387 published saying, hey, is this an individual? Is this a Russian front? Um, even though I see 00:16:28.387-->00:16:32.592 most of the security people agreeing, they're sort of saying experts aren't so sure, can you 00:16:32.592-->00:16:36.996 imagine that, we don't agree in the security world. Uh, CrowdStrike were the ones hired by 00:16:36.996-->00:16:43.369 the DNC, but again everyone does sort of point to Russia, right? We have Clinton stating it's 00:16:43.369-->00:16:49.208 Russia, she draws some sort of line to Trump maybe, um, it's a bit confusing because it sounds 00:16:49.208-->00:16:54.313 like the DNC's been owned for a very long time, so in my mind, Trump wasn't even considered a 00:16:54.313-->00:16:59.185 candidate then, but now we're blaming him for potentially even doing it. And my sort of, the 00:16:59.185-->00:17:04.023 reason why I think this one's interesting, is because now it's not just who did it, it's who's 00:17:04.023-->00:17:07.994 behind it trying to orchestrate and make people do these hacks. You know, so we're just getting 00:17:07.994-->00:17:12.765 more and more of this sort of stuff. And the conversation of what is there to be gained and 00:17:12.765-->00:17:18.004 who can gain from these attacks? 
Alright, now we're getting a little more interesting in the 00:17:18.004-->00:17:24.644 DNC, because shortly after the DNC, uh, hack was attributed to Russia, it's now reported that 00:17:24.644-->00:17:28.814 there's a professional cyber-attack that hit the Russian government. So we start 00:17:28.814-->00:17:33.819 thinking back now, right? And so some articles come out saying that the NSA is likely 00:17:33.819-->00:17:39.725 hacking back, uh, due to the DNC hack. Now most of you are giving me blank looks, dirty looks, 00:17:39.725-->00:17:43.663 saying, hey, you think this is the first time that we haven't been hacking all over the place? 00:17:43.663-->00:17:48.067 The NSA hasn't been hacking? But other people will say and start to believe that this may be the 00:17:48.067-->00:17:53.072 first major time, you know, that a sanctioned nation-state hack back has occurred, right? So we just 00:17:53.072-->00:17:58.210 keep going down this path. So it leads us to the question of, does it actually matter if we 00:17:58.210-->00:18:02.748 get cyber hack attribution correct? Do we even care, right? For most companies and 00:18:02.748-->00:18:07.153 organizations where you work, does it really matter who attacked you? You've got to deal 00:18:07.153-->00:18:11.157 with the breach, you've got to deal with the problem. The fact that you got hacked is the issue. 00:18:11.157-->00:18:15.494 That's not going to change a whole lot about financials or whatever else, right? Uh, but 00:18:15.494-->00:18:20.666 for other cyber attribution, it does really matter. Because after the Sony attack, right, 00:18:20.666-->00:18:25.471 when the FBI concluded it was North Korea, the USA imposed sanctions on North Korea in 00:18:25.471-->00:18:30.476 response. 
In February of 2016, Congress sends the North Korea cyber sanctions bill to Obama, uh, 00:18:33.646-->00:18:38.084 saying that anyone that's caught aiding the country's cyber cane, they're going to get penalties 00:18:38.084-->00:18:44.290 now as well. So we're seeing the attribution leading to real-world things. So last month, 00:18:44.290-->00:18:48.961 North Korea expressed their thoughts about the US sanctions. Uh, the foreign ministry issued 00:18:48.961-->00:18:53.866 a statement carried by the Korean Central News Agency, basically saying the sanctions 00:18:53.866-->00:19:00.072 on Kim and ten other officials were peppered with lies and fabrication, and then 00:19:00.072-->00:19:05.478 went on to say that now that the US has declared war on the DPRK, any problem arising in relations 00:19:05.478-->00:19:10.182 with the US will be handled under the latter's wartime law. So we're seeing things, even 00:19:10.182-->00:19:14.020 though there's a lot of rhetoric that comes out of certain countries, we're seeing things 00:19:14.020-->00:19:19.325 escalate based on attribution. And then just a few days ago, um, now it's reported that the 00:19:19.325-->00:19:23.596 United States is considering economic sanctions on Russia for hacking, right? The various 00:19:23.596-->00:19:28.768 activities in cyber space, that economic sanctions have been used before and they could 00:19:28.768-->00:19:35.274 possibly be used in preparing for a response to cyber threats. So how can we actually figure 00:19:35.274-->00:19:40.913 out what's going on behind these hacks? Um, no, or why can't we might be a better question, 00:19:40.913-->00:19:45.851 right? Those security firms typically tend to agree. Uh, we can't trust when people are 00:19:45.851-->00:19:51.791 claiming attacks, easy to hide IP addresses via proxy servers, Tor, etc. 
Correlations, as we've 00:19:51.791-->00:19:55.861 already talked about, between certain pieces of malware really aren't hard evidence, 00:19:55.861-->00:20:01.133 although people in this space will debate that to death. Uh, information and evidence many 00:20:01.133-->00:20:06.739 times isn't fully shared, uh, to protect sources. So they just say, trust me, this is what it is. 00:20:06.739-->00:20:11.477 And then there's this whole behavioral analysis of doing analysis of writings and things 00:20:11.477-->00:20:16.916 like that, which doesn't come across to many as very hard evidence. So then as we go from 00:20:16.916-->00:20:21.320 there, then the question becomes, do we actually need to improve our cyber attribution 00:20:21.320-->00:20:26.358 capabilities? And you know, I don't really care for the folks that think that they're doing it 00:20:26.358-->00:20:30.429 really awesome and it's well enough or perfect, that's great. There's still, uh, others that 00:20:30.429-->00:20:34.333 aren't so sure, but I think that if we're going to be punishing countries and getting 00:20:34.333-->00:20:38.104 more of this act-of-war rhetoric, we better be damn sure that when we come out and say 00:20:38.104-->00:20:41.974 something that we actually know what's going on, and so regardless of whether you're on 00:20:41.974-->00:20:46.112 one side or the other in terms of how we are with attribution right now, I think we can all 00:20:46.112-->00:20:50.282 agree that we need to continue to invest in and improve digital attribution. It's clear 00:20:50.282-->00:20:53.986 the impact it could have, and there are a lot of smart people working on this, so I think 00:20:53.986-->00:21:00.226 that's great. Alright, so this leads us to the Arrest Tracker Project. So what we wanted to do 00:21:00.226-->00:21:05.364 was, we want to collect data to hopefully better understand, um, what's going on with cyber 00:21:05.364-->00:21:11.937 crimes, right. 
Another viewpoint on attribution, and through a much different lens, right? And 00:21:11.937-->00:21:15.808 so, Arrest Tracker was originally founded by Lee Johnstone, uh, he's also the 00:21:15.808-->00:21:19.945 founder of Cyber War News if you've ever followed any of his stuff, really smart researcher, 00:21:19.945-->00:21:25.317 and so it was founded in 2013. Uh, and the project aims to track computer intrusion incidents 00:21:25.317-->00:21:31.857 resulting in arrest, detaining of persons, uh, seizure of goods and all sorts of other things. 00:21:31.857-->00:21:36.295 Uh, tracking incidents from all cyber - again, if you have alcohol, drink. I've been trying 00:21:36.295-->00:21:40.399 to say it as much as I can. Also, if you notice in the lower right-hand corner it says cyber 00:21:40.399-->00:21:45.404 on every slide, so, I wanted to make sure we were gonna get to where we needed to for later 00:21:45.404-->00:21:51.977 tonight. Um, and hacking-related incidents. Um, so right now there's over 1400 incidents 00:21:51.977-->00:21:55.814 collected, and it's more than just arrests, but we ended up finding out that there's, 00:21:55.814-->00:21:59.385 if you just say you're only going to track arrests, there's a lot that goes on, so 00:21:59.385-->00:22:04.290 it's more than that, we're labeling it cyber-crime. And now, uh, as of today, the 00:22:04.290-->00:22:09.261 project is officially launching, you can go out and sign up and check things out, etc. So it's 00:22:09.261-->00:22:14.466 Arrest Tracker dot com. So the, uh, fields in there, we're trying to figure out all the 00:22:14.466-->00:22:19.205 different fields that we're trying to track, and with any project, if you've ever done 00:22:19.205-->00:22:22.508 data work, you start out and try to track a few fields and all of a sudden you're like, what about 00:22:22.508-->00:22:26.512 these, and you keep adding stuff on, right? 
But so far we're trying to figure out things like the profile: the name, alias, gender, age, location, are they part of hacker collectives, operations, all those sorts of things. In terms of the incident: when did it occur, which country, arrested, charged, raided, all that sort of stuff. And then even looking at things like courts: was there a deal, was there a trial, fines, fine amounts, convicted, sentenced, all those sorts of things. And even some more things about the legal side and authorities. Alright, so what can Arrest Tracker help us with? Well, first we definitely need to recognize there's some limitations with the data, right? So some quick disclaimers. If you're a data scientist or a data security metrics nerd and you want to come give me grief, I get it. But we're trying to start somewhere and grow this so we can have some data sets to look at as we improve and get better, but you have to remember there are some limitations. We have to remember that this is mostly about arrest data, right. Arrest incidents are what we have the most of, and so it tells a story from that viewpoint. We've expanded, as mentioned, to cover more cyber-crime, and we're going to continue to add as much as we can. We're using data based on reported arrests and raids, right, so we're gathering everything we can from the media. So if the reporting's bad or wrong, it's an issue. Right, we do source everything in there to try to have our own attribution to where we got the information from.
And if the courts are wrong, which when has that ever happened, right, that's an issue too, but we're pulling all the data that we can in and putting it in. So we also need to remember that in many cases the government allegedly would rather track and follow criminals instead of arresting them, for various reasons. So again, we're only adding in data here that has had some sort of crime prosecution, arrest, etc. So with that said, what can Arrest Tracker tell us? Well, quite a bit actually: detailed statistics about crime arrests, who's behind these data breaches and crime, what are the demographics, what's going on with extradition, details on sentences, monetary fines. Learning about law enforcement, and what's going on with certain judges and how they view cases. And then profile a hacker, and I'm sure anything else that you guys can think of we can ask the data set. So most people are always asking us, you know, what is a hacker, what's the profile of a hacker, and you know the media basically settled in on the ski mask behind the laptop, right? We all agree on that. I sort of thought it might be funny and interesting if I asked Google Images what it was, and here it is, and what I found here is, as long as you have a hoodie on, you're a hacker in Google's mind. But we also have a couple new faces now with Mr. Robot, right? So now these are the new faces of what a hacker is.
But what's even more interesting is these are the real faces from Arrest Tracker behind the project, right? So we're tracking what folks look like and all those sorts of things as well, so you can see this helps us better understand. So looking at the timeline. Here's an eye chart for people way in the back. It shows that there's been crime and incidents going back to the 1970s, right? There were some, you can see that over the course, but really not a lot of activity in this space, or incidents that we've tracked, until the 2000s. If you drill in closer on the 2000s, you can see that things are on the rise without a doubt, right, we're seeing a lot more activity in this space. So the cyber incidents over the past decades: the 70s we saw 2, the 80s 37, the 1990s 59 incidents, the 2000s 345, and the current decade 998 incidents. So we're seeing quite a bit that we're adding in. Now, that being said, there is a lot of old research, so Jericho at attrition.org has it on the to-do list (it's been on it for a while actually; I'm going to have to give them some grief) to go through some of these old books and pull out some more incidents from the 70s and 80s, so we definitely need more help and more research putting in some of the older things as well. So the oldest incident from the 70s we actually have is from 1971. And that's just a screenshot of what the Arrest Profile looks like, where we're trying to capture all the different bits of data.
And so you can see here, Hugh Jefferey Ward: it occurred in '71. He was 29 years old at the time. He was accused of breaking into the ISD computer systems and stealing data. Trade secret theft, pleaded guilty. Fined 5000 dollars and 36 months of probation. So that's 1971. Now, does anyone recognize this picture? That's laughing, but does anyone really know it? The guy that had the most friends on the internet for a while. This is Tom! There we go. This is MySpace Tom. So MySpace Tom, maybe people don't know this, he was a co-founder of MySpace, but the media back here reported him as a real-life WarGames hacker in the 1980s. And so he was also known as Lord Flathead, aka MySpace Tom, and so this is his profile in Arrest Tracker. And so in 1985 he had an issue; he was about 14 or 16 at the time, there's some conflicting reports there. But he allegedly hacked into Chase Manhattan Bank, told his friends how to do it, the FBI raided him in California and seized all of his computers. And so no charges or criminal convictions have ever been made related to this incident. He was a minor at the time. So again, that's one of those reasons why we expanded the project out from just these arrests into tracking a bit more stuff. So 1980s, MySpace Tom. And what's interesting about this, as we've been collecting each of these incidents about the people and what's going on: each incident in Arrest Tracker has a story to be told, right?
And so, from the 90s, you know, we pulled out some folks. The Mitnick story's been told many times, even last night, you know, we had the movie night of the 2600 stuff. But there's many other people in here that each have their own story to be told. Here's from the 2000s. Some notables that you may recognize or not. But some of these folks, you may not know what they were up to, and they have their own story. And then here are some more recent incidents, and some of them have some really bad and sad consequences of our legal system as well. So there's lots of other notable arrests out there for various reasons. Things like the first prosecution of a particular crime, the severity of a crime, the length of a jail term, or what the fines were, potential overreaching of regulatory actions, impact to those accused, etc. Alright, some specifics on arrests. So we get asked just absolutely all the time, anytime we mention Arrest Tracker, it's the profile of a hacker. That's the biggest question that comes up. So we knew that once we had a fair amount of data, we needed to start looking at the demographics of things. And so we started with age. And so the youngest age that we have is 12 years old. Believe it or not. Traded pirated information to the activist group Anonymous for video games. So, sentenced to 18 months. Includes limited access to internet devices, 30 hours of community service.
And under supervision for 6 months; the boy also had to choose some sort of structured activity of his choosing. And this was in 2013 in Canada. So 12 years old was the youngest. And the oldest, though, was 66 years old. John McHugh, a guy known as Devil Man as well. Male, busted for selling cards on the dark web. This was in the United Kingdom and he was jailed for two years. So you can see this one. And so what that led us to look at is, we knew we had the youngest at 12 and the oldest at 66, but what's sort of the breakdown and the distribution of ages, right? Most people, when you say who's hacking, who's doing all this stuff, it's some bored high schooler or, ya know, some college university student on spring break. But what we saw from the distributions is, you can see, 18 through 25: 349 incidents, and 26 through 35: 304 incidents. So those were the largest groups, while there were still other age groups. And that currently leads us to an average age of 27 years old. And then we wanted to look at that 27 year olds across all the years to see, ya know, how was it year over year, and it was pretty spot on, year over year, in that range. Alright, gender equality. There's been a lot talked about this all over the place, and so we thought, hey, we should look at the same thing to see, ya know, what's the breakdown in genders for crime and arrests, and yeah, it's all guys.
[laughter] So we still have a little more research to do here, but in general it was 81 plus percent were male. And so we're going to do a little bit more work in this space, but again, just trying to get those profile demographics. So which countries do most hackers reside in, or, what's in our world, what's the country of origin for the arrests? We get asked this all the time as well, and everyone really thinks it's just gonna be this, ya know, it's gonna be China, right, this is what it looks like, with just Chinese hackers everywhere. But again, if you think about what we're doing with the arrest data, it's based on arrest data, right? And so obviously for us, the United States is number one, right? You can see there. Note that China's number ten in this. So there are arrests and there are crime things going on, but because of the data and the lens that we're looking through, number one is the United States and number two is the United Kingdom. Now collectives. We wanted to get our heads wrapped around: do most folks that get in trouble in a cyber-crime area, are they sort of solo, like lone wolf hackers on their own? Or are they part of some sort of collective? And also, if one person gets arrested, does that mean that a bunch of others are gonna follow? And so in Arrest Tracker there's 58 known collectives that have had some sort of confirmed incident. And we see that Anonymous is at the top with 130.
So anytime that we find out about an issue, if it's related back to a collective, then we go ahead and add it in. Same thing with hacker operations. We want to start trying to get a better feel, when you talk about these hacker operations and what they're going after, ya know, how many are there and what do they lead to in terms of arrests or any crime sort of prosecution. Right now we know about 21 hacker ops, with Operation Payback at the top. And for some of you old school folks in there, you'll laugh at a couple other ones that are listed up there as well. Alright, so is an arrest inevitable? Are you definitely going to get arrested? So if you look at it in terms of the data breaches, right, so in 2016 year to date we already said there are approximately 2000 data breaches, year to date. We've seen 70 confirmed arrests so far. And in 2015 there were approximately 4000 data breaches and we saw 134 confirmed arrests. Going back to 2014, sort of the same message, right, approximately 3000 data breaches, about 47 arrested. So nowhere are we seeing, ya know, in terms of a data breach equaling arrests, right? And what's interesting is the data so far shows that there's 610 days on average from when a crime happens, if you will, until the incident, or the arrest. So there's definitely a tail from when something occurs to when there's some sort of prosecution or raid or whatever, and we're going to continue to add data and stats in that regard.
Alright, so then we started to wonder, maybe silly things, but when would you most likely be raided or arrested? Which would it be? Anyone have a guess? [audience responses] I think I heard it over here. Hello, Monday! Right. So someone maybe had a bad case of the Mondays; could be really bad, right? We originally guessed, when we thought about it, we thought it'd be on a Friday, but looking at the data, it looks like you get to enjoy your weekend and then on Monday it's gonna be a real bad day for you, potentially. And then we started asking other questions like what part of the year, what month would it be, right? And Arrest Tracker could tell us that same thing. No one ever gets this one right, so I won't even ask you guys, but April seems to be when more showers come into the hacker community as well. So now, countries pursuing cyber-crime. As you can easily guess, the USA's the most active, number one, right. But the top ten's somewhat surprising in some cases, and China, no, they're not in the top ten of pursuing cyber-crime, ok? We started to look at things like extradition, and we're currently seeing that only the USA has any extraditions that are tracked, and there's 42 of them that we're aware of, and so you can see the top five countries. Russia to the United States had 8, Romania to the US 7, Estonia to the US 6, Canada to the US at 3, and the United Kingdom 3 as well.
Not every country allows the USA to extradite folks, but there are treaties in place with more than 100 countries out there. Here's a quick little map of it. You can see in the darker purplish color, that's the USA, and all the blue ones are places that we allegedly, according to Wikipedia, have extradition treaties with. So now we looked at jail time. The longest jail time that we had, the worst case, we thought, what would that be, and what we found was actually crazy: 334 years. So, a guy in Turkey, he created fake websites and impersonated banks, and I think the lesson that Arrest Tracker has for all of you right now is don't mess around in Turkey, because it's bad news there in terms of jail time. Right. We started to look at fines, and we wanted to understand things: what's the average fine, what's the most common, the largest fine, etc., and what we found is the average fine that we know of right now is a million US dollars, but the most common fine, the one that occurred 13 times within the database, was 5600 dollars. The largest fine was the WorldPay hacker Victor, 8.9 million US dollars, and he was convicted and tried in a Russian court under FBI charges. The other thing too that goes on is there's some people that just can't help themselves; they just can't stop.
So many times, you know, there'll be cases, multiple cases, that are consolidated into one case, so this can be a little bit hard to figure out sometimes, but we've been able to find in Arrest Tracker that 17 people have had multiple arrests. And we're asked all the time, this is another question we get asked all the time, is how many people, when they get busted, are assisting authorities. And so we do have the fields in Arrest Tracker to track this; however, it is pretty rare and it's hard to find this data, but when looking through the database right now, there are 30 people that are confirmed to have assisted the authorities in some fashion. Alright, so getting down to this: what is the profile of a hacker? So the data suggests that really there's no single hacker or cyber-criminal type, right, it's sort of a bit all over the place, but if we were forced to say what the profile of a hacker is based on averages and things that we can find: gender's gonna be male, age range is gonna be 18-35, or in that average 27 age range. Again, gonna be in the USA, a lot of that is because, again, the arrest data that we source, but if not USA, it's gonna be UK or Philippines. The crime will be hacking. If it's not hacking, then after that, it'd be some sort of cyber fraud or data theft that we classify. And most likely active since year 2000.
Motivation, right now, we're still having problems tracking that in a relevant way, so we're still trying to figure out what we can do in Arrest Tracker to make that a bit more clear. Alright, most wanted. Who hasn't been arrested yet? Well, I'm not sure if everyone knows this or not, but the FBI at their website maintains a listing of wanted cyber folks. You can go out there and check it out. There are 28 total listed as of just this week. They have a profile basically on everyone that's listed up there, so they'll have your, ya know, your picture and a wanted poster and an alias and a whole bunch of other information, ya know, weight, eye color, all that sort of stuff, and then details on the rewards that they'll offer if you can help bring them down. Some other remarks. And there's this other section that's called "caution" that will put a lot more details on what they're up to, and even mention things like if they're considered a flight risk and all those sorts of stuff. And in this particular case, they offer a reward up to 3 million dollars for information leading to the arrest or conviction of this particular guy. So you can see here, here's a listing from all the images from the website. The profile looks a little different than the arrest data that we've been talking about, right?
And what's interesting, if you had to guess the total amount of reward money all added up, it's about 4.49 million dollars in potential rewards if all these people were, if someone informed on them to the FBI. What we're also starting to see too is that, when hackers are doxed or when information becomes known, are they definitely going to get arrested? And so what we saw in March of 2016 is GhostShell, many of you know, doxed himself. He revealed himself, and he described that he's been active since January 2012. That he was one of the ones that started OpRomania. He's attacked the government, all those sorts of things. So this is, you know, March 2016, but then here he's leaking 39 million accounts in protest, and that was in June, right, so. All the information about him, he came out and basically said everything, who he was, etc., but he's still active. And so it's clear that for us, we still want to make sure we understand a bit more about law enforcement specifics about cases. Are there certain characteristics of data breaches or cyber-crime that lead to more law influence? Those sorts of things. So we're trying to track more on that, so we can get a better answer. Alright, so as we're wrapping up here now. So what's next for us? Well, the actions are clear for us: data quality is top of our mind.
We want to make sure that we continue to have the best data, that we have everything that we need so we can answer these questions as best as we can, but at the same time answer all the questions that people have for us. So if you find something wrong and you log into the project, please tell us. Right, there's no pride in authorship; we wanna fix things up. We care about the data, we want it to be accurate. And we want more data. We want to increase coverage of cyber-crime events. We want more data fields per incident, per person. All those sorts of things. So if you're interested in helping out, please do. For future ideas and features that we're looking at: we're trying to add more data fields about individual persons. So the ability to handle complex issues. Things you wouldn't necessarily think of, like a Romanian national that lived in Canada for 15 years but then was arrested in the United States, right? We want to be able to try to track some of those things, so when we get asked about location and profile, we can explain it a bit more. A lot of thought's been going into the ability to track motivation. And then mapping to known data breaches so we can understand impacts and all those sorts of things. Ya know, are there certain types of hacker profiles that go after certain types of industries, etc. More work on the most wanted. Some thoughts we've had are, ya know, how long are they on the most wanted before they get arrested.
Things like that. Now, how many people that have been arrested were for security companies, right? And then even a subsection for piracy and all those sorts of things. So what comes next? Are we gonna see arrests and cyber-crime prosecution increase or decrease? We think the answer is gonna be increasing. We're trying to figure out what the legal environment's gonna look like and if that's gonna get more harsh. And then, can we take this data from Arrest Tracker and actually apply it to your work, right? Can you use this to help you, not just, ya know, laugh about yeah it's Monday and April and those sorts of things, but if you're in the legal space, can you look at how things are happening? Are there overreaching regulations in your day to day job? Can this help you figure out how to be offensive, etc.? So we're open for new ideas. If you're interested in working with us, we'd love it. If you've got other ideas, we're open to that feedback. And if you want to help, definitely please contact us. So I want to thank Lee Johnstone for all his hard work founding the Arrest Tracker project. It's a ton of data, it's a ton of work. I wanna thank Brian Martin for all his help. I want to thank everyone else that's been interested and hung out here and been drinking with us for this session. And thanks to the DefCon CFB team for the opportunity to present. So believe it or not, this was 140 slides and cyber was pretty much on every single one of them.
So I hope you guys had fun playing along. Look forward to seeing you tonight. If you have questions, I'll be up here. Thank you. [applause]