Video links and descriptions of presentations are below the schedule.
|All times are US Eastern time (GMT -4)|
|Track 1||Track 2||Track 3|
|10:30-11:20||Painting a portrait of an individual with OSINT
Maureen Gibbons Varela
|Using OSINT and NLP to Track Jihadists in Conflict Zones
|OSINT’s role tackling disinfo in Portuguese elections
|11:30-11:55||A practical application of OSINT in a dark world
|How highly secure organizations approach social engineering awareness training
|JUST JUMP! Lessons for WannaBe Social Engineers by a WannaBe Social Engineer
|12:00-12:50||Tropical Spy: stories and tricks from social engineering
|Red Teaming: Complicated Decision-Making in Work & Life
|Using OSINT for Tactical Investigations and Threat Identification
|1:00-1:50||Using OSINT to Catch an Online Predator
|A Hacker’s Guide to Self Ex-filtration
Emma Peel & Jeff Moore
|Undergraduate Student Experiences in Social Engineering
Rachel Bleiman & Wilson Diaz
|2:00-2:50||Git’ing Users for OSINT: Analysis of All GitHub Users
|Phishy Little Liars – Pretexts That Kill
|Social Engineering Your Metrics: Using Data Science to Provide Value in Reporting
|3:00-3:25||OSINT on the Ocean: Maritime Intelligence Gathering
|What do Elizabeth Holmes and Oprah Winfrey have in common? 4 Effective Ways to Build Instant Rapport
|Naked & Unafraid: The Basics of Securing Your Nudes
|3:30-3:55||Bring Out Your Data; Digital Graverobbing in the 21st Century
|Using OSINT for Competitive Intelligence
|Trust, but Verify: Maintaining Democracy In Spite of Информационные контрмеры
|4:00-4:50||The Misconceptions Of Open Source Intelligence
|Lies, Deception and Manipulation: Let’s talk about Deepfakes
|The Adventure Hacker’s Toolbox
|5:00-5:25||Disappearing Act: Can You Avoid Public Surveillance Cameras?
|Working with Legacy Systems in Security: Humans
|Drinking Lattes, Sitting in Bathroom Stalls, and Running from Security Guards: Storytime with a Social Engineer
|6:00||Post-Conference Networking Event (Supply your own food and beverage!)|
10:30 – 50 minute presentations
Track 1: Painting a Portrait of an Individual with OSINT by Maureen Gibbons Varela
This talk will be about how to conduct OSINT on individuals. It’s possible, with open source information (often that people generate themselves), to paint a picture of a person’s identity, values and interests. I will go beyond listing different platforms that can be sources of information, and talk about how to identify the sometimes very small pieces of information that can help you find more details. Once you have these details, how do you assemble them to get a meaningful understanding of the person? How do you gauge your level of confidence in the understanding you’ve developed? Finally, I will discuss the responsibility we have to the people that we’ve researched.
Track 2: Using OSINT and NLP to Track Jihadists in Conflict Zones by Zeshan Aziz
Due to the disintermediation caused by internet platforms, it is difficult to track extremists. As expected, many of the previously useful automated heuristics for detecting extremists on social media have started to become less relevant. Extremists and their sympathizers have updated their OPSEC and TTPs to counter common detection mechanisms. While some have left mainstream sites like Facebook or Twitter, a large number – mainly those that seek to reach younger and more impressionable audiences – are still online despite clampdowns. In this talk we will present tools and techniques that OSINT analysts can borrow from the data science community to identify and discover targets of interest. With our methods, we were to find a network of extremists and foreign fighters on the ground in Syria. We tracked and analyzed the digital footprint of the late ‘Salman Belarus’ of Malhama Tactical, the infamous private military contractor for jihadis out of Syria. Our methods also found Taliban accounts and some potential members living in Europe. We discovered specific phrases and linguistical modifiers that are unique to this group and are typically used by extremists and sympathizers. Our techniques make it so your analysts need not be linguists to do this research.
Track 3: OSINT’s Role in Tackling Disinformation in Portuguese Elections by Ines Narciso
Open Source Intelligence techniques are essential to academic and journalistic work on disinformation. They allow researchers to debunk and fact check disinformative narratives, understand their scope and sharing patterns and possibly identify its origin and key agents pushing. In this presentation we will cover the process used by ISCTE-IUL’s Media Lab work on disinformation in the portuguese general elections in October ’19. The project consisted on the monitoring of portuguese political Facebook pages and groups using Crowdtangle in the four weeks prior to the elections. Each week the 20 most viral posts on the selected pages and groups were analyzed, resulting in 160 reviewed posts, two thirds of which were labelled as potentially disinformative. Different OSINT techniques were overlapped in the fact checking process. Most prevalent narratives were identified and their scope and sharing patterns dissected, namely to understand their reach and if they had transited or originated in other platforms. Finally, an attempt was made to identify the origin of the narrative and / or agents sharing it in an unnatural way. The use of OSINT led, among others, to the conclusion that the opposition party had considerable responsibility in the spread of one of the false narratives that had a direct impact in the electoral campaign leading to an altercation between the Prime Minister and a citizen.
11:30 – 25 minute presentations
Track 1: A Practical Application Of OSINT In A Dark World
by Shane McCombs
Warning: This presentation talks about work the Innocent Lives Foundation does which includes investigating and reporting predatory sexual assaults on children. Topics discussed may be very disturbing and upsetting to people. This presentation will not include information about any specific investigations or specific methodology, but will give an overview of the ILF, their purpose and how OSINT is used.
Track 2: How Highly Secure Organizations Approach Social Engineering Awareness Training by Ernesto Zaldivar
The talk will examine three different training methods observed during field research on this subject.
Case Study 1: Major Private Investment Firm Method
I will examine: Innovative incentive program for phishing training.
Case Study 2: Fortune 500 Healthcare Company With Corporate and Retail Employees Method
I will examine: Security ambassador program that utilizes employee volunteers.
Case Study 3: Government Entity Method
I will examine: One on one training with members of management that are high value targets.
Track 3: JUST JUMP! Lessons For WannaBe Social Engineers By A WannaBe Social Engineer by Joseph Sarkisian
Social Engineering is both the easiest and hardest part of the wider security field to enter; easy in that it doesn’t always require lots of technical knowledge, and hard because it can be absolutely terrifying to start. As someone who knows this feeling, works in the field, and has been forced to make it up as they go (with a little help from some amazing people), I’d like to talk a bit about lessons learned as I began my journey. Lessons like:
1. The simplest ways to get started in the field
2. Overcoming fear (and understanding it will never truly go away)
3. The starter social engineer ‘kit bag’
4. Why planning can sometimes be your worst enemy
5. Realizing there are skills you already have that will help you
6. How to stay safe
12:00 – 50 minute presentations
Track 1: Tropical Spy: Stories And Tricks From Social Engineering
by Marina Ciavatta (audio only)
Have you ever expected to meet a spy in the middle of your workplace? Well, this might have already happened, and in the most unexpected ways, as Marina will tell. Sharing funny stories, special tricks and social engineering techniques, this Brazilian innocent looking girl is a higher threat than you can imagine.
Track 3: Using OSINT For Tactical Investigations And Threat Identification by Michele Stuart
The internet provides investigators with the ability to detect individuals, identify threats and organize offensive and defensive approaches. Focusing on the individual threat is not always the answer. Understanding how technology gathers and disseminates online data empowers the ability to leverage Open Source Intelligence to identify and assess a threat climate, uncover hidden clues, and discover actionable intelligence. Identifying actionable intelligence is an extremely important focus on research to assist in the identification and movement of individuals. This ability to quickly identify personal identifiable information can be used in social engineering attacks. Additionally, correct searches of social media platforms can identify the real threats, suspects, and witnesses in an investigation. In this class, you will learn how to employ OSINT and popular social media to help solve security challenges as well as identify risk and threat assessments.
1:00 – 50 minute presentations
Track 1: Using OSINT To Catch An Online Predator by Cassandra Brunetto
Predators have certain definable characteristics and patterns that can go undetected for years. By learning how to spot red flags and create connections, we can expose predators earlier, preventing harm to countless victims. We will walk you through the investigation that was recently performed to catch an online predator in the information security industry. We will present the OSINT techniques that were utilized to confirm the identity of the predator behind a sock account on Twitter. We will present a timeline of the events that lead to the discovery of the sock account, the correlation between the sock account and its owner, and how we were able to procure concrete evidence to identify the sock account’s owner. We will discuss the telltale signs to spot a sock account on social media platforms (i.e. Twitter, Facebook) and the techniques social engineers use to stay under the radar using sock accounts. We will also provide resources and advice for victims of harassment, stalking, and abuse including collecting and storing evidence, creating a paper trail with law enforcement, and using alarm systems and cameras.
Track 2: A Hacker’s Guide To Self Ex-Filtration by Emma Peel & Jeff Moore
Trigger warning: depictions of abuse, emotional abuse, PTSD
You’re a badass InfoSec/CyberSec professional, but what if one day you were forced to use every technical survival skill you knew to find out who you were to the world and what they saw about you. You have to turn your OSINT skill’s and tools you have… on yourself? Learn one InfoSec professional’s story of overcoming a domestic violence situation by using every trick of the trade to reduce her digital footprint and increase her safety. Learn a vocabulary around emotional abuse, a playbook on what in a time of crisis, programs and assistance to help obfuscate your location & identity, and how (or if) you should approach the topic at work. Finally, learn some techniques on how to handle the cognitive overload and symptoms of PTSD.
Track 3: Undergraduate Student Experiences In Social Engineering
by Rachel Bleiman & Wilson Diaz
This presentation examines two social engineering projects that were implemented in an undergraduate criminal justice course at Temple University. This course, Computer Crime, was designed to cater to multidisciplinary students from both technical and non-technical backgrounds. The first project featured the social engineering tactic of “shoulder surfing”, during which students targeted their classmates’ personal devices to gather information, while they avoided being targeted themselves. During the second project, the class used “pretexting” to social engineer unsuspecting members of the Temple University student body. The students convinced their targets to sign a terms and conditions contract, which included an embedded statement, meant to determine if people actually read the terms and conditions. Two students from different disciplines, who participated in the undergraduate course, examine the student perspective of these projects and explain their experiences, offering insights from their different disciplines. These projects served as an introduction to social engineering for a class with no background on the topic. They highlighted the relevance of human and social factors in cybersecurity, which was not previously known to the students, as emphasis is commonly placed on technical factors. Students were able to explore the field of social engineering, understanding the defensive measures needed to prevent an attack and the offensive measures by playing the role of a social engineer. Students also experienced the role of a researcher, interviewing subjects, collecting data, and analyzing results. Additionally, students were introduced to the role of ethics in research, completing ethics training and working with human subjects. The multidisciplinary nature of the course allowed for different perspectives and skills to be used to achieve the projects’ goals. The course served as an intersection for criminal justice and computer science as it introduced students to the human and social factors of cybersecurity.
2:00 – 50 minute presentations
Track 1: Git’ing Users For OSINT: Analysis Of All GitHub Users by Micah Hoffman
Within the world of OSINT, many people solely focus on what data they can retrieve from a web browser. Others, like me, know the power and potential of using Application Programming Interfaces (APIs) to harvest huge amounts of data from platforms and incredible speeds. In this case, in 2019, by making thousands of API requests to github.com using the official GitHub API, I retrieved over 38,000,000 user profiles from their systems. Join Micah Hoffman as he examines with a critical OSINT eye the user accounts, email addresses, biographies, user-supplied URLs, and other interesting bits that people put in their GitHub profiles and how we can use this data for OSINT.
Track 2: Phishy Little Liars – Pretexts That Kill by Alethe Denis
The ‘IT Guy’ is the Nigerian Prince of Pretexts. As bad actors grow more cunning and use more specialized and unique pretexts, so too should Pentesters use more specialized, custom pretexts during assessments. Reinvigorate your pretext repertoire and learn to make custom pretexts that fly under the radar and won’t raise any red flags, using target specific data gathered during OSINT. At the end of this talk, attendees will be able to: define the anatomy of a pretext, understand how pretexts fail, conduct OSINT against a company target and its employees and use what they find to build a custom pretext for use in email phishing, voice elicitation, physical assessments or a combination of these attack vectors. Add more value to your engagements, better prepare employers and their employees, and learn how to create pretexts that your targets are much less likely to question.
Track 3: Social Engineering Your Metrics: Using Data Science To Provide Value In Reporting by Joe Gray
Reporting is generally boring. As social engineers, we often get wrapped up in the hustle and bustle of performing the engagement and report writing falls to the side. While the reports do go out and we meet client obligations, a serious question arises: Are we providing meaningful measurements, metrics, and advice to the client? We surely highlight the deficiencies and where to improve in a report, that is pretty standard. How do we measure the things that matter most to the? Measuring opens just tells us how many people read their email and, while risky, clicks do not always translate to negative outcomes. Instead of focusing on email opens or links clicked by users, this presentation is introducing:
– Measurements rooted in statistics
– Data science techniques
– Indicators that actually speak to the security posture and culture of the organization.
The distance of a metric is the time between an event (a click or open) and another event (inputting information or reporting the event). These metrics are far more indicative of how an organization would fare against social engineering than who opens an email.
3:00 – 25 minute presentations
Track 1: OSINT On The Ocean: Maritime Intelligence Gathering by Rae Baker
Get ready to add Maritime Intelligence Tracking to your arsenal of OSINT capabilities. This session will demonstrate several ways to track a ship’s path in real-time, see cargo details and vessel photos, investigate the ship’s crew, and locate satcom systems in Shodan. To round it out, I will run through a brief case study where I pull all these pieces together into an example investigation.
Track 2: What Do Elizabeth Holmes And Oprah Winfrey Have In Common? 4 Effective Ways To Build Instant Rapport by Krittika Lalwaney
Oprah Winfrey and Elizabeth Holmes do have one thing in common and that is the ability to connect with people instantly. Influencing people and gaining their trust have led them to be very successful. Every social engineer knows the best way to a target is by building instant rapport. Building that instant connection with a stranger is difficult and a skill sought after but one that is crucial in building trust. In this talk, you will learn 4 ways to effectively build rapport, create a positive impact, and influence people around you. You can then put the key principles to the test and demonstrate the mastery of instant rapport building in your next social engineering engagement.
Track 3: Naked & Unafraid: The Basics Of Securing Your Nudes
As online dating and sexting become more popular among both teens and adults, there’s a scary trend that’s increasing right alongside it: revenge porn, the non-consensual sharing of private images or videos. This talk aims to give you some basic information on revenge porn, some basic technical information on privacy when it comes to media storage and sharing, how to protect yourself when sharing intimate material, and finally – what your options are if your material DOES get leaked.
3:30 – 25 minute presentations
Track 1: Bring Out Your Data; Digital Graverobbing In The 21st Century by Matthew McMahon
As cybersecurity professionals we do everything we’re supposed to to protect our identities and private data while we’re alive but what happens after we die? After you’re dead you exist on paper for some time while your estate is settled, and this opens the door for fraudsters to digitally pillage your grave. This lecture will cover the OSINT techniques fraudsters use to steal an identity, commit voter fraud, file fraudulent tax returns and open lines of credit with free, publicly available information from obituaries and online repositories. We’ll also cover the likely suspects (family and professional caregivers) as well as things you can do to protect you and your family. While the digital age introduces new tools and techniques the talk will show that today’s methods aren’t all that technologically advanced and bare a strong resemblance to historical grave robbers and “ghosting” techniques employed by groups like the Weather Underground in the 1960’s to steal identities with little more than the information gathered from tombstones and the local paper.
Track 2: Using OSINT For Competitive Intelligence by Chris Kirsch
Understanding the companies you compete with, otherwise known as competitive analysis or competitive intelligence, is key to guiding your company strategy, product roadmap, and to make your sales and marketing more effective. (It’s also really helpful when screening future employers before you sign the offer letter.) In this session, you’ll learn how you to use OSINT to understand a company’s financial situation, growth rate, product strengths and weaknesses, patents, internal structure, areas of investment, corporate strategy, technology stack, corporate culture, patents, and installed base.
Track 3: Trust, But Verify: Maintaining Democracy In Spite Of Информационные Контрмеры by Allie Mellen
In this session, we’ll discuss how Russia has influenced worldwide elections using disinformation and how countries have fought back. We’ll understand the natural asymmetry between how countries are able to respond, and how they have changed their approach since 2016.
4:00 – 50 minute presentations
Track 1: The Misconceptions Of Open Source Intelligence by Zoey Selman
Open Source Intelligence (OSINT) is a #buzzword within the hacker and intelligence community. I’ll be talking about the differences between Open Source Information (OSINF) and Open Source Intelligence (OSINT), and the common mistakes when conducting Open Source Intelligence (OSINT) on International targets. Whether you’re an intelligence n00b or a well seasoned professional, I guarantee you will walkaway having learnt something new and useful to put into action.
Track 2: Lies, Deception And Manipulation: Let’s Talk About Deepfakes by Erich Kron
Digital image and video manipulation has reached a new level of sophistication. From the simple “Photoshop” to the modern equivalent in video, fakes are becoming more and more difficult to spot. This makes them a great candidate for abuse. For years we have been telling people that what they post on the internet will be there to stay and can have huge ramifications later in life, but what if they don’t actually do what is portrayed? Modern technology can use Machine Learning and AI to dissect videos, extract faces and build virtual models that are used to automatically replace the faces, all while retaining eye blinks and facial expressions. For millions of people, realistic fakes can ruin a career, destroy families and possibly even influence elections. Even if proven fake later, the damage can be irreversible and in this digital age, can last a lifetime. This session will look at the technology behind creating these fakes, potential attacks using the technology and what is being done to combat this trend and protect us from what even appears to be ourselves.
Track 3: The Adventure Hacker’s Toolbox by Tom Harrison
When performing a red team test, the impersonation/in person aspect of social engineering is usually used to gain initial access, be that to a location or a resource of the organisation being tested. This talk hopes to cover the question “Then what?” by discussing some of the devices and gadgets that should be in your bag and pockets to turn that sweet physical access into further compromise and happy hacking. As well as covering some of the commercial products that are out there, we’ll discuss “rolling your own” and building similar out of cheaper components.
5:00 – 25 minute presentations
Track 1: Disappearing Act: Can You Avoid Public Surveillance Cameras? by Lauren Brennan
Exploring the question “can you avoid surveillance cameras in public locations and still travel around major cities?” through use of Shodan and OSINT techniques to map security cameras and their field of view in a major city.
Track 2: Working With Legacy Systems In Security: Humans by Gabriel Whalen
The majority of effective data breaches rely on social engineering techniques, but organizations are focused on technical responses to behavioral vulnerabilities. Evolutionary psychology illuminates not only why social engineering is so effective, but how organizations can enable users to deflect these attacks.
Track 3: Drinking Lattes, Sitting In Bathroom Stalls, And Running From Security Guards: Storytime With A Social Engineer by Steve Laura
So there I was sitting in a bathroom stall for three hours………..This may not be the first thing you expect to hear when you hear stories about Physical Social Engineering Engagements, but it will be something you hear in this talk! This talk will be a fun adventure through the best (real) stories of Physical Social Engineering Engagements I have performed. We’ll talk about the shenanigans of breaking into a highly secured Power Plant, “exercising” with corporate security guards, and hanging out in tight spaces like bathrooms and closets. We’ll even cover the time I had everyone so fooled at one company they actually thought I worked there full time! The stories are guaranteed to provide not only good laughs, but also some effective tips and techniques that Social Engineers can incorporate into their toolbox for their next Physical Social Engineering engagement.