How Was Your Easter?
I was asked the question How was your Easter, my first day back in college after the Easter brake and my reply was simple “Tracked some Terrorist, Saved some lives and stopped the world from being destroyed” By reading the title and my quote, Id understand why you would think it was a satire, but this was the reality of my Easter break from college, most of what you read hear won’t be found in any news paper or article because our sheer intervention has changed the course of these events, meaning they never needed to be reported.
So for some context I’m a member of multiple communities that including Hackers, Crackers, Law Enforcement and Government Officials from all over the world, that are all dedicated to helping track and locate missing persons, or educate and research on multiple forms of security including, Penetration testing, Forensics and even lock picking with some amazing people, and memorable characters, people who without ever knowing have changed my views and life so much for just being there.
The stuff that happens here, I’d like to say it that it was a rare accordance, but with this mix of backgrounds and locations you’d be amazed how often, we as a community go from in-depth security research into things that could reshape the earth to tracking down a missing person or spending hours on the phone to a counter-terrorism office.
Sounds nuts right, but we get some crazy stories and events from all over the world and before you think, oh they get paid for this… I can tell you as much as we probably should, we don’t, we do this as hobby… why because if we don’t who will, my dad always quoted Edmund Burke to me growing up, “the only thing necessary for the triumph of evil, is for good men to do nothing.” And with that in mind, lets jump into the madness.
New York – Counter-Terrorism Office
so Monday, after a long day of doing nothing cause well you know Easter break from college, as I can usually be found, sitting in general voice talking absolute trash with the usually group of backlashers on The Many hats Club. All we well, not a skid was stirring, not a single drama was resetting the clock, Then BAM a user joined the channel “is anyone seeing what Kat posted in the server” first taught went to, Jesus am I gone have to ban a bitch. but no it was worse “Yo, she just said someone’s going shoot up their school”, within 2 minutes a group chat was span up, and members where joining the server and gathering all the details that could be.
within another 10 minutes we had screenshots of the chat with logs and precise date and time, a open channel of conversation with the server administrators, and the curtail starting point, The username.
From the username we dug further, found all connected social media accounts such as steam and other servers they are a member of, from here we where able to get a twitter username. From more in-depth analysis of the actual message from this user we where able to deduce that this user was located in New York state, and that they had in fact access to firearms as there was past conversation of going shooting with there father and firearms they had.
it took a total of 3 hours and 5 people using basic OSINT to go from username to enough information that could be used to find the person by law enforcement, after which we spent another hour on the phone to the NYPD counter-terrorism Center with an officer known as VR, explaining the situation and who we where , this was ended with us sending over all the details we had to the officers email.
1 week passed before then this news article was found
https://nypost.com/2019/04/10/student-in-custody-after-bringing-loaded-gun-to-school/
The VPS of Doom
After the craziness that happened on the Monday, we expected Tuesday to be calm and uneventful, oh boy we where wrong. about 5pm on the Tuesday a tweet goes up from a person many users follow, with what seemed to be an automated post which seemed to be sent from a VPS “Virtual Proxy Server” via a Deadman switch of some type that simply read “I have been Detained, Please Contact my Lawyers, I am at X location”.
Straight away panic mode, this person was arrested, what have they been arrested for. checking with multiple contacts and it was found out it was for the persons own safety. OK fine we knew the person was so good all will be OK. but then it happened one of the person a person in the large call mentioned “That’s the first message of the Deadman switch”, there was silence “First message” everyone barked out. which was replied to “Yeah he has a 24hr Deadman switch that if something happens all the bad shit that the person has ever done is dropped to the world”, another moment of panic set in and we all sat in silence for a few minutes imagining all of the shit that could be on that Deadman switch, which made us panic even more.
First thing done was a online clock was made, that started a count down of 24 hrs from the first message as we knew that was the time frame we had. we sat as a large group trying to figure out the options we had and just how bad we, the options on the table where. Find the server and do a DOS attack on it so it cant continue to count down, ok good idea but wait what if the Deadman switch fails over and just instantly dumps everything. ok next option, lets find out what’s going on, many people asked around to contacts they have in Law Enforcement to confirm he definitely is in. After a hour of calling contacts, it was confirmed without being confirmed that the person is in custody and safe.
the next few hours were spent contacting the hotel the person was staying at to make sure the room wasn’t touched until someone that was trusted got there to collect his things, and hope his password to get into the VPS was on a keychain so that we could gain access and kill the switch.
it was about 4am of panicking and still no word of the person being released or not getting access to the switch so I went to bed, the whole next day was spent counting down the hours to the drop, until 10 minutes before the drop was to happen based on our set clock, the person said they were free and ok meaning the switch had been stopped. this was followed by a LONG talk of setting your stuff to a lot long then 24hrs
Tracking a Psychotic Driver on the English Roads
So the day after the person who was arrested gets out of jail and stops the VPS, he calls the group to basically say thanks for looking out for them while he was in, but while using his hands free kit and driving down a unnamed road in England. When with a loud shout and a confusing moment of cursing with an Australian accent, “when we all asked what the hell”, with was explained to us that a crazy guy signing and screaming in a car with the roof cut off, lights pained over and no windscreen and a ton of other faults, and by description the guy was leaning out the windows, signing and acting crazy.
Right away the now infamous backslash gang got into gear and started by getting the road they where driving on and any landmarks at this point in the call it was a road sign for a pet shop. after a few seconds of searching we had the location, with a simple plugin we could take the speed and current location an have a representation of a car traveling on the motorway that was effective as long as the person stayed on this road and our Australian caller kept tabs and followed safety behind, while this was happening other members of the team where tracking down the Tax and MOD status of the car as this is open information using the license plate on the DVLA system, while another member’s where contacting the local police station of the areas the car was passing trough, the Australian driver got their passenger to take a picture of the car and send it into the group chat.
One of our members with a local-ish accent called the local police station and explained that we where tracking a suspicious vehicle down “THIS” road and that it was driving dangerously, that It has been modified past the legal allowances for the road, This involved multiple of us detailing in text chat the drivers appearance the vehicles appearance and its current location and next turn off’s, the police finished the call saying thank you for the tip and so on.
unfortunately the Australian caller had to turn off but as they where turning off they should between laughter as the car disappeared into the distance, but could see blue flashing lights coming up behind them on the main road fast.
Anti-Skid Direct Actions
The day started like any other, but that was soon changed when someone joined the discord channel shouting “Their Going To Raid us”, With this the first taught was the dreaded Sharon, but this changed to Skids when it was explained very well to the group.
It turned out a skid group that came from an old community called raid forums where getting together raiding discord servers, from their discord channel, so like the specialist in counter-terrorism, espionage and direct action that we can be from multiple free online courses, we do the proper thing, we make fake accounts and join the channels, have multiple members read their conversations to understand who they are striking, where they are striking, how their striking and why they are striking. While other members sneakingly use their powers of Social Engineering to contact seniors server admins, and personnel becoming trusted and close to them and learning the inner workings, even to the point that one of our team had admin privileges on the server in only a few hours.
we watched as they attack multiple servers, and learned the tactics they use to avoid detection when joining, so we could better defend our servers, who raided these servers so we could pre-ban them before they raid us, and even common phrases and keywords they used so we could get our bots to automatically Alert and Kick anyone new who uses the phrases.
From the inside trusted positions, we had gained the trust of multiple senior members, this allowed us to sway choice within the group and it was found from within this group we had found their where multiple other raid accounts on discord, so of course what did we do. We poisoned the mind of the Admins, by saying the groups where planning to raid their server and take the control away from them, this worked perfect because they started to spread this poison to members of the raiding server who had administration privileges in the other servers. This lead to members deleting their other servers, and our fake accounts getting more trust and power. then it came to the point, a member of the skid raiding server posted our discord servers name, and with that all our fake accounts that where now power after a few hours, started mass banning the members with messages saying “your shit, you don’t deserve to raid with us skid” this broke down the moral and get the admins and many others bad mouthed on multiple raiding locations online, and being that their was Admin privilege’s over the server they had the power to escalate the roles and delete the server, which by the end of the night the server was deleted along with all its members and raids.
This insured the safety of our server and many other information security servers on discord, it was only later after the operation that it was found out that the discord we removed was known for targeted harassment’s of people, that lead to threats, doxing and multiple other crimes that caused effects to their victims such as attempting to commit suicide. so Like any good backslashers the information such as Usernames and Alias and the pages of data we gathered was handed over to law enforcement, no more information was received from law enforcement so can only hope that they looked more in-adept into them.
Insider Threats
Out of Respect and Safety and Security I’m going to leave this one blank for now
Suicide Prevention
For the safety of those involved, I will not discuss this topic, but it basically involved myself and fellow research doing advanced OSINT to track and locate the person home address based on only a name and a few details, to prevent further injury, lucky enough we were just in time and the person got the help needed.
Bugs In All the Systems
so this is another topic I can discuss right now as it is an ongoing with the people involved and will report more when their solved and I have proper permission for it, This will be detailed in a post called “300 Disclosures in 3 days”