mnemonic security podcast
The mnemonic security podcast is a place where IT Security professionals can go to obtain insight into what their peers are working with and thinking about.
Follow the Crypto
In this week's episode, Robby talks with his friend Keven Hendricks, a law enforcement veteran with extensive experience in dark web and cryptocurrency investigations. They explore topics like dark web forums, cryptocurrency's role in illegal activities, and the difficulties law enforcement encounters when monitoring these areas, especially with privacy coins like Monero.
Keven emphasizes the need for companies to take a ‘boots on the ground’ approach to monitoring dark web activities, rather than depending only on third-party tools. «Keep your friends close, but your enemies closer,» right? Keven also touches on the potential value of having a ‘Chief Intelligence Officer’ (CINO) to actively investigate emerging threats.
From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta: welcome to the mnemonic Security Podcast.
Speaker 2:The truth is, I'm too cheap to pay for my own computer. Plus, I enjoy the comfort of knowing that I have a bunch of expensive security software in my work one. The only catch to that is that Big Brother could technically look over my shoulder and see everything I do, Big Brother being the SOC, of course, and I'm pretty sure they don't want me of all people clicking around shady forums and downloading stuff to my work device. A right reserved to the adult cinematic, I guess.
Speaker 2:But if I did have a legitimate reason to be on those forums, or perhaps my own Mac, I'd be there, and especially if I had responsibility for the security of my own company. Well, I should probably know and understand how that ecosystem works and how it potentially relates to my organization. Stolen credentials, confidential data, exploits, malware, access to compromised environments, maybe access to my own compromised environment. As today's guest will tell you, there's no substitute for being there yourself, and by there I mean the dark net, which now, technically, could include the Telegram universe. And yeah, he'll explain the rest. Keven Hendricks, welcome back to the podcast. Thank you, Robby, great to be back. What time do you wake up in the morning?
Speaker 2:Uh, I'm usually up around four-thirty or five o'clock. Wow, every day? Every day, like clockwork. I was not expecting you to answer me this morning when I sent you that message. Always awake. Where's your office today? Last time you were in your parents' basement. Yeah, I'm still here. Still here, okay.
Speaker 1:Still in the Cobra Command. Down here in the Technodrome, this is where I have my little bit of a fortress of solitude. Otherwise there will be a cacophony of background noise of my children and dogs.
Speaker 2:So the bad guys, they sit in their basements with their hoodies on and you sit in your basement.
Speaker 1:Yeah, the Lacoste shirt in my parents' basement. I'm going after the, but it's a great guy.
Speaker 2:So, Kev, you're my dark web guy.
Speaker 1:Yes, I would hope so.
Speaker 2:Keven Hendricks is a law enforcement veteran with almost two decades of experience, previously serving as a task force officer for two separate federal agencies. He's a published author and currently works as an instructor for various police training agencies, teaching a class for law enforcement on dark web and cybercrime investigations. He is a certified cybercrime investigator by the National White Collar Crime Center, a cryptocurrency investigator through the Blockchain Intelligence Group and, last but not least, the founder of the Ubivis project, StopDarkWebDrugs.com.
Speaker 1:Very nice intro. Thank you for that.
Speaker 2:What should security people know about the dark web and cryptocurrency bubble in 2024?
Speaker 1:I want people to understand it. I don't want people to fear it. I don't want people to have these perceptions as all hooded hackers and a stony outlander, because I am a big supporter of the poor private. I am a supporter of internet freedom and a lot of people do use the dark web for nefarious activities, but others use it as a means to communicate and a means to view information that is heavily censored in their countries. And once we move towards this perception that the dark web isn't all bad and the dark web is not some place where you know you're going to find these horrific things by accident, you're just going to log in and you're going to find some horrific child sexual abuse material, just by logging in there, somehow you're going to fall down this rabbit hole and that's not the case. That's not the case at all.
Speaker 2:I want to say most companies have no Tor traffic. Why is that? What are they worried about?
Speaker 1:So, from a standpoint of a system admin side, if you're seeing Tor traffic going out, that doesn't necessarily mean it's an end user within your company that's using Tor per se. The Darktide Ransomware Group: one of the telltale signs of when the ransomware affected the network was a call out to specific IPs that were Tor online addresses. So if you're seeing that outbound traffic going to Tor, there could be some sort of compromise within your network and there could be some sort of exfiltration of data in regards to that. But I think that the reason why a lot of people, especially from a networking side, of being a system administrator, are afraid of the dark nets is because of, like, the integrity and safety of that traffic.
Speaker 1:You could have the most secure server, most secure service in the world, but if somebody's using a node that is a proverbial honeypot node on Tor and they're entering their credentials into this site, it's like, yeah, there's still going to be some sort of intercept of that data, which could be used either for purposes of selling that data, the credentials, the login credentials, or somebody using that as a means to get into your network. So, yeah, the concerns are not unwarranted in that regard, and there are software-as-a-service type tools that are out there for you to safely navigate Tor through a cloud-based service. One such that I work with and I display in the class is something from Sapper Labs called Cloak, which is a service that's designed for you to log online in a completely sandboxed, isolated environment and go on Tor, download stuff into this quintessential web-based virtual machine and do your research that way. Yeah, so that is something I would say. If you are interested in Tor but you're concerned about compromising a network per se, that would be an alternative solution.
Speaker 2:So basically we have Tor, we have I2P, we have the interplanetary, blah, blah blah. Those are, I'll call them, a dark web platform. And then you have things like Discord, Telegram, Mastodon. Are those forums?
Speaker 1:Channels, channels per se. Yeah, there are those who espouse that Telegram is the new dark net. Right, there are stores and bots on Telegram where you can buy illicit things, and now, with the kind of the upgrade of the open network, TON or Ton, however you want to call it, but the Open Network is a blockchain built specifically for the Telegram network, so it has interoperability with the Telegram network. You could have your own TON wallets where you could have Toncoin or whatever stablecoin that interacts on the TON blockchain. So really it's becoming its own one-stop shop, because, with the dark web in general, you have to find a way to get your funds to your dark net wallet from an outside clear net or real-world-based service, juxtaposed to Telegram, which now basically has interoperability with the TON network and you can just create your own wallet for your Telegram account via Telegram. So it kind of removes this outside necessity. So I think that is really the new Colossus per se.
Speaker 1:When we talk about what is the new forefront of investigations into illicit activity, it would be something driven to that on Telegram, but the dark web hasn't changed and, if anything, the dark web is always going to be there, because Telegram doesn't protect you in the same way that Tor and I2P do. If you click certain things on Telegram, just like clicking links and things like that, that's taking you outside of the Telegram network, and Telegram's main focus is that end-to-end encryption of your chats and your communication with each other. It's not very much concerned about what websites you're browsing on. It's not very much concerned about anything other than that. So that's something that I like to think about. It's like, yeah, there is this expansion and there is this new forefront of having a one-stop shop economy for Telegram, but that doesn't make the dark web and the different dark nets obsolete. It's very interesting, because I bet a lot of people on Telegram, whatever they're selling, it's pretty much probably a lot of illegal things.
Speaker 1:That is, simplifying their process or their opsec relating to coins, then yes. So there was a well-known case, a well-known dark web and also Telegram-based shop that was called Televend, and at the time in 2000, 2001, before it exit scammed everyone, it was actually pretty advanced. What it did was it put the customers in touch with the vendors via the dark web. So if I was looking for something illicit, I would go to Televend's dark web-based site, I would sign up, I'd find the vendors that I'm looking for. If I'm based in Norway, I want to have a Norwegian or Euro-based vendor that's going to be able to ship without maybe touching a customs control. Or if I'm in the United States, I find a US-to-US-based seller. From there, it put me in touch with bots that they had set up individually for each vendor. So the sales necessarily took place on Telegram, where the shop had set up. It was using Telegram's infrastructure as a means to have the escrow account and to have the Bitcoin or whatever currency that they had selected for the transaction, not based on some sort of centralized service on the dark web. And it was very advanced.
Speaker 1:If you look at it, you know, Televend exit scam.
Speaker 1:There's speculation about it out there, but really what now Toncoin and the Ton network would do is that would kind of just do away with any type of intermediary.
Speaker 1:For example, when you think of how we shop online right now, right, we go to any website, there's probably some expedited checkout process that's linked to some sort of service like PayPal, Amazon checkout, something in those regards.
Speaker 1:But when we talk about DeFi and Web3, you know, when you have a wallet like MetaMask or you have some sort of wallet that is browser-based, if you were going on these websites you wouldn't even need some sort of expedited checkout process. You would simply have the funds there already in your wallet, as a means to pay for whatever you're doing. And that's really what Telegram and the open network TON is about: now you don't need some sort of outside service, everything could be done encapsulated within Telegram. So that's really what I think is going to be the new forefront in how people purchase illicit things and pay for services on Telegram. So the bad guys are moving towards platformization as well. But again, they know that the dark nets don't become obsolete because of that.
Speaker 1:It's just one medium, and you know, for an app like Telegram that's got billions of users around the world, really, that's something that I think is a phenomenal investment. Now you don't need some sort of intermediary payment service to pay for it. Think about in Norway, you guys have Vipps. We don't have that in the United States, but with Vipps, Vipps is kind of the intermediary between some sort of financial institution, your credit card or something like that. That's in the app, and then you use that app to pay for whatever, to send the funds like that. Just think of Vipps but being incorporated into Telegram and not really needing that other financial institution, because you're already transferring the funds into your wallet. So it's a little bit abstruse when I talk about it that way, but I think a lot of people can't conceptualize exactly what it's going to do.
Speaker 2:Is law enforcement super angry about this because they can't do anything? Because obviously, I'm assuming most law enforcement looks at this as, like, shady business, but they can't stop it.
Speaker 1:I wouldn't say angry, because this is a very honorable viewable network. You can view the open network very easily. There was some reporting that came out about the Killnet group. They had parked their own domain on the open network blockchain. You can look up their domain, and when you look up their domain you can see all the transactions associated with that. So, for example, if mnemonic were to build its own domain on the TON blockchain, you can search the mnemonic domain and then you can see all the transaction history, deposits, withdrawals, etc., affiliated with that specific domain.
Speaker 1:So it's no different than a viewable open blockchain like Bitcoin, lancer or Ethereum or Polygon or any of these other different blockchains out there. Everything is ornamentable. Every single transaction is documented, so there's still investigative methods out there. I think what this is really throwing the curveball in is the necessity to have some sort of outside service to back your ecosystem. Right, like you don't need those traditional financial institutions, albeit something has to buy the not coin or the top coin somewhere, but once it's in your wallet, you don't need anything else except Telegram.
Speaker 2:This is actually making it easier for their customers to buy stuff, so they think that it's going to increase their business.
Speaker 1:Basically by getting rid of the barriers to entry. Correct, and the exploits would still be there, in the sense where, again, you have to liquidate it somewhere. Right, it's like winning the lottery but not being able to cash your ticket. What is your lottery ticket worth? Is it worth the paper it's printed on? So there has to be some sort of mechanism to convert it back into fiat, to currency that you can use, and obviously the exploits and the monitoring and anti-money laundering stuff would still be there for whatever financial institution packs the liquidity of the open network it weaves to cash out. So, yeah, it's an interesting time.
Speaker 2:Let's go there. You have to take your dirty money, mix it with some sort of clean money and then pull it out. Right, they call that fiat, meaning like dollars, euros, and then you have all the different coins. I went down that rabbit hole. Not sure what I learned. Very interesting. What I did learn is that it seems like there is Monero, something called Zcash, Dcash.
Speaker 1:Zcash.
Speaker 2:What are the most secure coins? And I want to know. You have all these cryptocurrencies that are non-traceable, and you have washers and you have something called peer clips. Peer clips, yeah, okay.
Speaker 1:So all right, let me break it down in layman's terms. If I walk off the plane in Norway and I have $5,000 dirty money, US dollars, and I go to a kiosk for an exchange for kroner, I go there and I convert my $5,000 US dollars to kroner. I've laundered money. I've literally got rid of my dirty United States money and now I have kroner. Cryptocurrency works the same exact way. Same exact way, and that's why these low know-your-customer-compliant mediums like crypto ATMs, which there are none at Oslo, for good reason, that's why those mediums are used. If I'm a local drug dealer, I'm doing some sort of nefarious activity. If I go to a financial institution with a large amount of money, they're going to find that very, very suspicious. Banks all over the world do this as a means to prevent money laundering, as a means to prevent their banking being used for services, for child exploitation, human trafficking, terrorism, et cetera, et cetera. But cryptocurrency doesn't discriminate. All cryptocurrency can see is that I'm purchasing a specific amount. So if there were a money laundering cycle, how it would work is I would find a way to convert my fiat into cryptocurrency, and from there, I'd find a way to sell that cryptocurrency. And then, if this chain makes sense, if I go to a crypto ATM with $5,000 cash and I buy $5,000 equivalent worth of Bitcoin and I transfer that into a service like Revolut, or I transfer it to some sort of intermediary payment digital wallet service that supports crypto. If, from there, I sell it via the service itself, or if I send it to a virtual asset service provider exchange, like Binance, Coinbase, et cetera, and I sell it there and then I transfer my money into my checking account or my savings account, from the bank side, that just looks like standard commerce, right? That looks like maybe I'm a crypto day trader, maybe I'm involved in something else, so they're just looking at the way the money comes into the accounts.
And that is why cryptocurrency is such an easy medium to launder money with. And, like you brought up the privacy coins, different coins like Monero, which uses RingCT to obfuscate the blockchain, Zcash, which uses ZKStarks, which is a separate protocol, even the MimbleWimble-based privacy protocol that Litecoin uses. Yeah, these are about obfuscating and protecting the transactions and the sending and receiving parties and things of that nature, but eventually you have to liquidate the funds somewhere.
Speaker 1:I could have 500,000 Monero in my wallet. Right now I can't go to Burger King and buy a Whopper with it. I still have to find a way to convert it, and that is where a lot of the investigative linchpins happen: to see exactly how these suspects and these people that are using it for no good are converting it back into the fiat that they can use. So that example of me walking off a plane to go right to the currency kiosk and changing that money for the kroner, I've laundered that money very easily. So, if I open up a bank account in Norway, which is pretty hard to do if you're not a citizen, if I just go there and I go, hey, look, I want to open up this bank account, here's 5,000 kroner, they're not really going to ask questions, right? It's like, okay, this is our currency. He got this currency somehow.
Speaker 1:Versus, if I now have this account open and I'm constantly making incremented deposits or things of that nature, it's like, wait a minute, this guy's out of a job, what's he doing? How is this money coming in? But if the banks see it coming in as sale of crypto from a virtual asset service provider or an exchange, they're not going to scrutinize it as much. I might just be a stay-at-home crypto day trader. I might be a crypto bro, you know. So when we talk about privacy coins as well, that's more or less about the way that virtual asset service provider exchanges would be able to do their due diligence to trace where these funds are coming from, because you can't trace those funds in a traditional sense. So that's why Binance decided to not support a lot of the anonymity-enhanced coins like Monero anymore.
Speaker 1:So you're seeing the liquidity be a factor in how the money is, or rather how the cryptos are used, and financing of terrorism, and it has nothing really to do with Monero itself. Like, a lot of the Monero bros and people got mad at me because I brought that up. I have no ill will against Monero. I actually admire Monero. I think it's a really brilliant blockchain, but again it's being used as a medium for people to finance terrorism, specifically ISIS-K and the Moscow terrorist attack. Could that have been funded by Monero, since they've been accepting Monero since like 2020?
Speaker 1:So this is something that I think a lot of people kind of trip up on: exactly how money laundering happens with crypto.
Speaker 1:It happens very, very easily and it's a perfect mechanism to launder money and in order for there to be some sort of compliance or due diligence, that's up to both the banks and it's up to the virtual asset service provider, the exchanges, to vet their customers more, to be seeing the activity on the accounts.
Speaker 1:Because, again, if I'm laundering money through a legitimate service like Binance or Coinbase, more often than not I'm not going to be buying the cryptocurrency on the sites themselves, I'm going to be transferring the cryptocurrency in, and that, in and of itself, to me, is a red flag, because, as long as I've been doing these investigations, whether it's dark web related narcotics or whether it's a traditional sense of scamming and fraud, it really remains the same: these funds are coming in from an outside source as crypto, and then they're liquidating the funds on the exchanges and then sending it to the financial institutions or whatever instruments of payment that are attached to that account. So it's kind of a unified effort that needs to happen in regards to really locking down the ease of money laundering via crypto.
Speaker 2:And then, from those videos I was watching, it goes from that crypto, whatever, Binance, Coinbase, and then it goes to a bank, and then it goes from that bank to another bank, and they try to make it as many banks as possible, just to make it harder and harder to get behind the corporate banking walls, right?
Speaker 1:So, yeah, interesting. Well, keep in mind the volatility of crypto in general too. Right, if you're laundering money, it has to be quick, because Bitcoin could be worth, I'm using round figures here, sixty thousand dollars at the beginning of the day and by the end of the day, forty-five thousand dollars. So did I lose money, right, did I not? I could lose money if I leave it in crypto too long, so the movement of funds has to be rather quick.
Speaker 2:It's usually done within a matter of hours. I'm sure that the government agencies have their, uh, they could see, they probably know what to look for and what's shady, but it's just kind of hard to actually do anything about it. I don't think it's too hard.
Speaker 1:No, I think it comes down to, uh, just understanding really how cryptocurrency works, and you'd be surprised how many people don't understand. I'm one of them. Yeah, it's not anything to do with technical savvy. It's got nothing to do with how good you are with computers, right, because that's completely divorced from each other. That's like the belief that because somebody's using crypto, they're a quote-unquote hacker, which is such a comical thing.
Speaker 1:In my opinion, to understand how cryptocurrency works is obviously something you have to learn about. You can't just go off of YouTube videos. You can't just go off of these things because, again, a lot of these people that are on there talking to you, a lot of them are profiteers in some way, shape or form. Absolutely. And, believe it or not, Robby, even having a very minimal knowledge of crypto, you can mint your own cryptocurrency, you can find investors for it. You could do a lot, uh, as somebody who might be a novice in the space, and there's enough guide, well, I want to say guidebooks and things out there for you to become somebody who can really sell your next meme token, right? It's not too hard to do that, even minting your own NFT.
Speaker 1:There are services online like Rarible and things, where you can upload your artwork and you can mint the non-fungible token for that artwork. And I find it so amazing because, when we talk about artists who died broke, but their artwork is worth millions today, right, do their families really see any of that? Not really. But now, for example, with NFTs, which can exist as artwork or song or things of that nature, built into the ones and zeros, the code, is the royalty wallet, where anytime that NFT is transacted with, the royalties will be sent to the specific artist's wallet, and that's amazing. And I think that, you know, as the interoperability of Web3 expands, like, NFTs are not only artwork, they're smart contracts, they're domain names, like mnemonic.com or whatever.
Speaker 1:That's what most people don't realize, is that you don't own that domain. You rent that domain, you have to pay for that domain. It's like you have to pay your tax, you have to pay your rent, you rent that domain. But as we talk about ownership in Web3, it's like parking your domain and putting your flag there, in perpetuity. As long as you own it, it's not going anywhere. So that's something that's pretty cool, in my sense, about what people don't think of when we talk about these different cryptos and the blockchains.
Speaker 2:It's like the other usage of these blockchains besides the currency transactions. Oh, so much for you to follow on a daily basis, all these things since I talked to us. It's like, uh, it's like a whole other world. Yeah, one thing I really want to touch upon here, and that is we've spoken about dark net, dark web monitoring. There's a bunch of different vendors all around the world that say, hey, we monitor the dark web for stolen credentials, confidential corporate data that has been leaked, everything from zero-day exploits, malware, ransomware tools, and then everything to access to compromised systems and environments. Those are just some of the things that are underneath this dark net monitoring, and I just want to get your opinion. Like, for the security people, what should they know about the dark web or forums, about those specific things I just mentioned?
Speaker 1:There is no substitute for being on there yourself. There is no substitute. Again, the way that this data gets put back to some sort of software-as-a-service or monitoring tool, what is the lapse of time, right? Is there a day? Is there a week? How long does it take for them to actually realize that this data is out there? And, honestly, I think that there is no better way of being abreast of what's going on than being in the forums yourself. Yeah, there's these certain forums that might require membership, but most of them just want to get paid for you to be a member. So if you were to just have some sort of budget for however much it would cost, like 300 US dollars to join a forum like Exploit, or to have maybe a quick translation tool for you to be able to join XSS rather quickly, once you're on there, you could do the searching and everything yourself.
Speaker 1:And I think that that's where a lot of people kind of get tripped up, in the sense where, well, I need this tool to monitor these different, you know, forums and things for me to find stuff that might be very much important to my company. It's like, well, if you're on there, if you have your own dedicated, almost like counterintelligence type branch out there, red team aspect per se, that's doing it, then you really don't need these tools, because you can do it yourself. And I think that that's the most important thing that I feel companies should ask. The question is, like, okay, exactly where is this data coming from?
Speaker 1:Right? Is this something where it's like a very, very closed-off forum and they have some sort of undercover that they have in there that's getting this data? Yeah, then that's something. Okay, it's going to be very hard for me personally to get into that circle. But if it's just, you know, like I like to say, a cookie-cutter example of dark web monitoring, it's like they're just looking at specific forums. If they find something there, the question is how much time has lapsed between it being posted and me being notified? Is it a day, is it a week? Is it literally in real time? And again, I see that what you can do on your own with such a minimal budget is much more than what a lot of these services offer.
Speaker 2:You know, a counterargument to that may be, like, maybe language, right? Like, I would assume they're not in English or they're not in the language that you are looking for things in, but now we have ChatGPT, I guess, so that's probably not that big of a problem these days, or?
Speaker 1:yeah, the browser is like.
Speaker 1:Chrome has built-in translation, like a lot of these browsers do a good job.
Speaker 1:I think it's more or less along the line of where language is going to be concerned is this: if you're going to actively engage somebody, right, if you're going to go from this forum posting there where the person says, reach out to me for more. These actors leave so much for you to contact them, their Telegram channel, their Tox chat, whatever they post up there, because they want business, it's about business. When you're going to start to engage them, yeah, then there might be a little bit of uncomfortability and things of that nature there, if you're looking to engage a specific target. But just being on the forums and seeing the posts, that's something completely, completely different, and Chrome has built-in translation. A lot of Chromium-based browsers do, there's extensions out there you can buy that can translate it, and more often than not, it's going to be from Russian to English, or however it's going to, whatever your native tongue would be per se.
Speaker 2:Yeah, and I mean, if you're on there just to protect your company, you're not there to talk to them. You're just there to see if I can buy stolen credentials from my company there, and if there is, just go change the password, I guess. So you shouldn't really need to be talking to people.
Speaker 1:Hundred percent, yeah. Um, and these other shops too, like Russian Market and things where they sell compromised RDP and things of that nature. Like, that's something also important to realize, is that your RDP access might already be out there for sale, and these shops that have these for sale, I mean, how these monitoring platforms are able to index it is because they themselves have people that are on the shops. So it's like you can remove that necessity but be on the shop yourself to do your own searching. So I mean, I pose this question out there: how hard is it for you maybe to have somebody that logs into Social Work and Dark Web or Deep Web Service once a day, just to go?
Speaker 2:And type in mnemonic right.
Speaker 1:And type it in and see what is out there. Right, it's not too hard to do that.
Speaker 2:Because it's actually that easy. Can I literally go on there and just search the organization that I'm trying to?
Speaker 1:Like, okay, has RDP access on there? I can literally go type in mnemonic and they've indexed it that easily for me? I think, in regards to the accessibility of the site and how the search engines and the sites themselves work, yeah, if you were to search an at-mnemonic email domain or something like that, yeah, you could probably get results. Interesting. If it were out there. If it were out there, yeah. Historically, though, that is where, also, if these services have been indexing for years, before you decide to do your own, you know, boots on the ground approach, yeah, you're going to want to see that, because, again, this might have been posted like four years ago and now you're searching, it's no longer there because the posts have been deleted or it's gone.
Speaker 1:The, the site, the software as a service, is tools that offer dark web monitoring. They also offer it in historic searching sense. So if it were something where now you're concerned about what exposure there was at one point, but most of that, uh data finds its way onto data breach, um searchable, searchable repositories, so it's almost like you, you know, if you're worried about real time, if you're worried about that. That's why it would need to be boots on the ground. If you're worried about historical, maybe that might be more geared towards something a platform would offer.
Speaker 2:Why would you care about that? Just to figure out how somebody got in, that'd be like an initial root cause of a breach, basically, yeah.
Speaker 1:Well, yeah. One, how did that data get out there? Is that point of access still open? Like, is that someone going, oh, we never closed it and it's been open for a while? And then is it something in regards to password recycling, right? If robbie@mnemonic.com was compromised and their password is bass guitar, then they go, okay, well, maybe let me try that with some sort of credential stuffing, right? So it might be very much an operational security aspect. Yeah, it would be very useful in that regard.
Speaker 2:And then you also mentioned that there were these, like, no-access circles, like undercover people working for a company. What is sold there, like what kind of environments are those?
Speaker 1:That is really where you'll see a lot of maybe more classified material, maybe something along the lines that can be incredibly, incredibly damaging to a company, something where it's not going to go out there to the peanut gallery on these other forums. This is going to be something where, you know, these vetted circles are legitimate. Maybe some of them are state-sponsored actors that are in there as well, that are looking for things. Like, hey, I've got a hundred, you know, emails compromised, like they're not interested in that. They're interested in some big, big time stuff.
Speaker 1:And I think when you have a service that offers people that are in those circles, yeah, of course, it's going to be a big value, right? Like if you're a very large, multi-billion dollar company with offices all over the world, you know, that might be something where you do need access, or by-proxy access, to whatever information would be shared in those circles. That would be like closed Telegram channels or things where these actors were being and they all knew each other, and it's like, all right, we're putting this out there. I just exfiltrated some sensitive data from some government network, right? There's something like that and that could be used in a, you know, terrorist aspect. That could be used in different things.
Speaker 1:But I think, for the most part, what people are concerned about is the exposure of their companies or things of that nature that's out there for the masses to see, on these different forums like BreachForums, one of which is still online, as well as the other forums that are out there. And, in regards to, you know, the really high-end stuff, there's a reason why they say the high-end liquor is always on the top shelf, right? It's because they're not always going to get it. You know, the bartenders are not always going to get it. They probably have everything on the bottom shelf which is easy for them to access.
Speaker 2:So if you're top tier, yeah, like you're going to want to pay for a service like that. Dude, do you think most companies, their cyber teams, are actually doing anything at all with the dark web, like?
Speaker 1:Any sort of monitoring? Not, I mean, not from, um. As long as I've been doing this and at the events that I've been speaking at, it always seems like this is some sort of a weird area that somehow people just know there's bad things going on, but they don't look into it, they don't go on there. And I always feel that, you know, to know your enemy is to know yourself, right? Like to know exactly what the enemy is capable of and what they're trying to do. Having others do the work for you, it's more or less along the lines of you're not being very diligent. That's just my opinion about it.
Speaker 1:What I present at payment conferences like the Payments Association Financial Crime 360 Conference, it's like they use the dark web in almost a buzzword aspect. It's like, oh, the dark web, the dark web, the dark web. And then when I really show them, it's like, okay, the dark web is a component, but look, all this stuff is already for sale on these different forums, on these carding forums that you could go to without ever touching the dark web. It's like all this stuff is for sale. Look what they're doing, look at how they're defeating other avenues with illicit sales that just consist of IDs and selfies. And why do they want those? To defeat the know-your-customer compliance aspect of it. Because what do most services ask for when you set up? A copy of your ID, to match your selfie to the ID. It's like those are for sale out there.
Speaker 1:And when I presented that at a conference, a very, very prominent financial institution came to me. They're like, we had no idea that that even existed. On how to security, I was like, you didn't know that there are services out there where all they sell are docs and selfies? But it's true, and the only way that I know about it is my boots on the ground approach to it, because you just have to follow the actors in the forums and then they'll tell you to come to my Telegram channel. Now in the Telegram channel, you'll see what people are interested in. You'll see other actors discussing openly.
Speaker 1:Hey guys, I'm running into issues with VIPs, right? I'm running into issues with VIPs. I'm trying to create all these fake accounts on VIPs and I need some guidance, and the actors will tell them what to do. They'll be like, oh okay, I've had the same issue, but I found it was very easy to do this. And that's all out there in time to read, and the only way you're going to get to know that is if you're on there reading. Can you also scrape these things? Yes, you could. But again, you'd have to know what to scrape and you have to know where to scrape.
Speaker 1:And I know that there are tools out there that do scrape Telegram channels. There are tools out there that do scrape dark web and deep web forums, which are very much important. But again, in real time, viewing these actors that are posting and being able to see exactly what they're looking for, why they're looking for it, maybe some operational security questions they might have, or some tradecraft that they've discovered works, that's something important. And you can scrape all you want; if you just don't know what you're looking for, it doesn't matter.
Speaker 1:Usually, more often than not, it takes some sort of event or some sort of cataclysmic failure for them to be like, okay, well, why didn't we see this coming? It was like, oh no, it was coming.
Speaker 2:But they just weren't looking for it. Just a way to wrap up this chat, Kev, there's a blog post by my colleagues. I haven't read it yet, but it was like, "Are we missing the title Chief Intelligence Officer?" And obviously, I haven't read it again, but it must have been in a security context, and everything you're talking about now would definitely be in scope, in my mind, of somebody that works with intelligence.
Speaker 1:I agree. You know, my biggest pet peeve is "dark web intelligence", right? No, there's no such thing as dark web intelligence, it's intelligence. It doesn't matter if it's the dark web or the clear web. And intelligence is one thing, but counterintelligence is another. Like knowing what the adversary knows, like just being able to talk about things that are going on in real time, right, like going on these forums and seeing it. That's a completely separate thing. When you have people that transition from the government sector to the private sector with all the prestige of what they did in their careers, that makes for great conversation at the bar. You and I have a great time at the bar in Oslo talking about whatever, right? But that doesn't mean anything if I'm not staying current with it. So if you want to hear about how great I was, however many years ago, what I did, and some great stories, that's what it's for. That's for the bar, that's not for the company. The company is for what's in real time. What is going on right now? What do they know? What do they think they know about our insecurities? And are they correct? Is somebody actively already in our network with planned desk line access? What is going on there?
Speaker 1:And to understand, you know, with credit card fraud, and I always bring up credit card fraud because that's such a robust area of criminality. It is so overlooked, it is so viewed as a nuisance versus a crime. Most people don't realize that with a lot of that bulk data of credit cards being sold on the different channels to which they're sold, there's really three components of that: how that data was exfiltrated, who's selling that data, and then who's the person purchasing the data, because usually those three are divorced from each other. How did they get that access? Well, maybe they have some sort of malicious script in some sort of checkout process on a very popular site, and from there they're selling that data, almost like the way that big data is with data brokers, right? They're selling that data to somebody who's going to try to sell it as a secondary port. And you go, hey guys, I've got 100,000 credit cards from Norway, right? I've got 100,000 credit cards that were exfiltrated from the Norway mass transit system. And then you have someone who's like, okay, I want to purchase those. And then when they purchase them, they're the ones that are really the end users. How are they using those credit cards? Or how are they using those compromised payment services to commit other crimes? So, just when you break that down, so many people are just like, oh, I never thought of that.
Speaker 1:I thought the person who was stealing the credit card data is the person who's trying to either sell it or the same person who's using it. That's not always the case. So that's something I feel like, when you said chief intelligence officer, yeah, that's very important. But also, if you're going to have that position, you're going to create that position, you're going to hire somebody, you have to hire the right person. If you want to hire somebody who's going to talk great and tell great war stories at a bar, that's maybe for sales, right? That's what they'd be good at, trying to sell. They're selling you a story, they're selling you a fairy tale. But to have somebody that's like, listen, this is the threat, this is what they're talking about on these specific forums, and what are we doing about it on our security side, right? That's something that I feel is very much relevant, and you've got to have somebody who is versed in that field and is still active.
Speaker 2:Are you coming out for HackCon this year, Kev?
Speaker 1:Or next year, if they invite me. You know, you just got to rub the lamp, you get the genie. But if mnemonic wants me at their conference too, just let me know.
Speaker 2:You are officially invited to speak at the C2 Summit 2025. But I hope you come to HackCon as well, because your class has always been full every year.
Speaker 1:You tell the right people there. Hopefully they want me back.
Speaker 2:Mr Hendricks, thank you so much for your time. Keep up the great work.
Speaker 1:Talk to you soon. Yes, sir.
Speaker 2:Take care. Well, that's all for today, folks. Thank you for tuning in to the mnemonic security podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast@mnemonic.no. Thank you for listening.