DefCon 23: Presentation notes

Here and behind the cut are the notes I took at DefCon 23. They are necessarily incomplete because they're notes, and I refer you to the speakers' presentations and eventually video recordings for the whole story.Applied Intelligence: Using Information That's Not There - Michael Schrenk

• Knowing your operations and resources
• More effective and efficient
• Competitive intelligence
• What's happening outside of your business
• Know your competitors and markets
• Collect, analyze, and apply external data
• There is a professional association of people who do competitive intelligence
• Applied intelligence is actionable and changes what you do
• Most is useless unless you develop it
• Overcollection is a big problem, and is done out of obligation ("Getting everything means you're doing it right.")
• Analytics != intelligence
• Data doesn't always change what you do
• Aggregate data can be used to make projections about what might happen
• Information that isn't there is metadata
• Metadata describes data, provides contect for information
• Parametrics must be collated and created
• Embedded is user created, like image and document headers
• Example: Tony Blair's Iraq dossier was plagiarised from a UK grad student, discovered because the student's word processor left evidence in the document's metadata
• Example: The existence of Google Drive was accidentally leaked in the presenter's notes in a Powerpoint presentation published by Google
• How the NSA uses parametric metadata: Phone number, timestamp, duration, identity of who placed the call
• Any Android app or Perl script can do this
• Establishes call relationships, which can then be profiled
• Anomalies and outliers are identified
• Burner phones are identified as oddities
• Phone call patterns can be correlated to other events
• NSA goes three jumps out to find people of interest
• Telephony metadata is more rich than actual recordings of phone calls
• OPSEC - review day to day operations, see what intelligence an adversary can collect
• Employment postings imply strategic plans (filling work roles to accomplish specific tasks)
• Social media: People leak EVERYTHING
• Order fulfillment: feedback from a vendor and tracking tells much
• Online stores reveal pricing strategies, what you do and don't stock
• Procurement patterns leak financial health; so do cheque numbers (the rate at which they increase shows how much you buy and how fast)
• Regulatory: Financial, court filings, variances
• Sequential numbers are a huge threat
• Unique values are needed
• Exposes a little bit of the database schema from its indices
• How the US government almost left an entire generation fall prey to identity theft:
• Social Security Numbers have the format area-group-serial
• Between 1935 and 1972 SSNs really were sequential
• If the Social Security Administration hadn't stopped issuing sequential SSNs in 1972, by 1986 (when all dependents had to be issued SSNs) families would have had runs of SSNs
• Find a dependent, see if there were any siblings, guess their SSNs
• When you die, your SSN gets published as D-tagged (meaning, the issuee is deeased)
• Bubble or bad month?
• Older numbers were sequential
• Find the orders that were close together which had sequential values
• Last order number in October - last order number in September == number of orders from competitors
• What else can we learn?
• What do you know?
• Major privacy problems for sellers of unique items: Real estate, vehicles, original art, first editions, auographs
• Automatically collect inventory of competitors by what they have for sale
• diff their inventories a few days apart
• Protection: search for something we sell
• Look for stuff getting dumped, buy them to manipulate the market and protect our investment
• Buying underpriced items to add to our inventory and then selling at our usual price

Cracking Cryptocurrency Brainwallets - Ryan Castellucci

• Don't use them.