Please be advised the following podcast contains sensitive subject matter.
In this week’s episode of Security Nation, we sit down with Chris Hadnagy, CEO and founder of the Innocent Lives Foundation, about the charity’s work in unmasking anonymous online predators to help bring them to justice. The foundation leverages a network of OSINT-savvy volunteers to uncover people who produce and profit from child pornography and those who traffic children in order to bring those findings to members of federal and local law enforcement. Throughout the podcast, Chris talks about what inspired him to start this charity, what it took to get other people involved, how the program works, the importance of maintaining volunteers’ mental well-being, and how interested parties can get involved.
Stick around for our Rapid Rundown, where Tod highlights a few vulnerabilities that didn’t get their time in the spotlight after the recent Patch Tuesday announcement.
Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.
Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.
Chris Hadnagy is a professional social engineer with more than 17 years' experience in security, pioneering author of four best-selling social engineering books, and keynote speaker.
He is the Founder and CEO of Social-Engineer, LLC, a company that specializes in fully managed social engineering services and consulting for some of the globe’s largest organizations. Through Social-Engineer, LLC, Mr. Hadnagy created the first hands-on social engineering training course, complete with accompanying certification. This course is attended internationally by professionals within law enforcement, military, and the private sector.
Mr. Hadnagy is also the Founder of Social-Engineer.Org which provides free resources and education about social engineering. In 2009, Mr. Hadnagy wrote the world's first Social Engineering Framework and in 2018, Mr. Hadnagy wrote the Social Engineering Code of Ethics, now being used by private and government entities worldwide.
Mr. Hadnagy is also the Founder, Executive Director, and Board Member of the 501(c)(3) nonprofit, the Innocent Lives Foundation (ILF), that unmasks anonymous child predators and reveals their true identities using legal hacking techniques and data from open-source intelligence.
His efforts in fostering the structure, professionalism, and awareness of social engineering have helped to convey social engineering as one of the top threats in security to individuals and organizations today.
Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week.
Jen Ellis: Hi, welcome to Security Nation, the podcast where we talk to interesting people taking on cool projects to advance security in some way. I'm your host. I'm Jen Ellis. I'm Rapid7's VP of Community and Public Affairs, and joining me, as usual is my amazing cohost, Tod Beardsley. Hello Todsley, how you doing?
Tod Beardsley: Ahoy, ahoy, I'm doing much better than you.
Jen Ellis: I'm a little, uh, excuse me, while I just cough into the microphone. So we have a pretty awesome guest this week, Todsley.
Tod Beardsley: We do.
Jen Ellis: We are being joined by Chris Hadnagy, who for those who don't know, he is @HumanHacker on the Twits. Chris is the CEO and founder of socialengineer.org, which is basically the company that started the whole thing around, "Hey, social engineering. It's a thing and it's an important thing. And have you heard about it? Because it's used in a lot of attacks." Chris founded the Social Engineering Village at DEF CON, which I believe is the biggest village?
Tod Beardsley: I think it is.
Jen Ellis: And for anyone who's never been and checked it out, gone and watched, it is really good entertainment and it's fascinating to see how people do this stuff. People who win the Social Engineering Village Capture the Flag actually get a black patch for DEF CON because it's that much of a big deal. Definitely worth checking out. And Chris also runs the Human Hacking Conference because he needs more stuff to take on. And even more than that, he's the CEO of a charity that he's going to talk to us about today. So basically the net of this is that Chris is an incredibly, incredibly busy man and he does an awful lot for the community and really to advance the understanding of social engineering, which in case you have not had the Verizon Data Breach Report tattooed on your body, it is the No. 1 attack vector. Yes, social engineering is a big deal. So yes. Welcome Chris. You're awesome. Thank you for joining us.
Chris Hadnagy: *Intense Chewbacca howl*
Jen Ellis: I love it!
Chris Hadnagy: Just for you.
Jen Ellis: So, here's the thing, Chris, you know, being a social engineer, you very quickly realized that I have a somewhat unhealthy—I said it, an unhealthy love—of Chewbacca, and he has shamelessly exploited it ever since.
Chris Hadnagy: I have.
Jen Ellis: For which I am eternally grateful.
Chris Hadnagy: For my own benefit over and over and over again.
Jen Ellis: Also my benefit. It's a win-win. I am delighted by that. What I would like to know is, sometimes I trick you, or I think I trick you but I don't really, you trick me, into doing a Chewbacca impression. Are there any other impersonations that you can do?
Chris Hadnagy: Oh my, I don't think I have, I mean, I have my movie announcer voice but, and then I do pirate really well, but that's it.
Jen Ellis: I want to hear both of these.
Chris Hadnagy: Oh, well you know the movie announcer's like, "In a world where you invite a social engineer on your podcast and he makes noises of a Wookie."
Jen Ellis: So firstly, I like living in that world. And second of all, are you available for voiceover work?
Chris Hadnagy: Of course.
Jen Ellis: Excellent. So now, so we've had the movie announcer. What was the other one you mentioned? A pirate?
Chris Hadnagy: "Arr, Matey! I'm, I'm just a social engineer, matey, yar." That's terrible. Just awful. I've insulted every pirate on the planet.
Jen Ellis: Alright, so we should probably talk about important things that actually matter. And I, so I mentioned in the intro that you are the CEO of a charity, the Innocent Lives Foundation. And just real quick for anyone who's interested, the website is...
Chris Hadnagy: InnocentLivesFoundation.org
Jen Ellis: Awesome. And so tell us about it. What is, what is Innocent Lives all about?
Chris Hadnagy: Well, it's about gathering people from our community, so from the InfoSec community, that have specific talents at finding things that don't want to be found—really, really good OSINTers. Those who can use the internet and its intended use to uncover people who try to hide. And we work closely with law enforcement, both federal and local law enforcement, to uncover people who produce and profit from child pornography and those who traffic children. And unlike a vigilante group, our goal is not to just embarrass them. We don't do that at all. We uncover who these people are that are committing these crimes and then hand them off to law enforcement so they can be properly dealt with.
Jen Ellis: I mean that sounds like a pretty noble thing.
Tod Beardsley: Yeah, that sounds super-duper interesting.
Jen Ellis: Yeah. So I think you, you might have a convert right here. So how did this come about, Chris? How did you end up creating this organization?
Chris Hadnagy: Well it's an interesting story that has some sadness to it but, but some happiness. So, we were doing a pen test for an organization, and during one of the internal scans we saw this one IP address that just constantly had Tor traffic. You know, in the logs. So we had asked the manager, the owner, you know, is there any reason why someone in X department would need to be on Tor at all? And they said, no, not at all. You know, they said, can you see the traffic? We're like, no, you can't see inside the Tor traffic. So our suggestion is if you own the computer he's on, it's in your four walls, you should install a keylogger. You should find out what he's doing on Tor. So they did. And we caught this guy. Sadly, he was flying to the Philippines on business trips. He was molesting little kids and videotaping it and then trading those videos over the Dark Web at work.
Chris Hadnagy: It was a difficult, it was a difficult job, very difficult. But I was sitting in a cafe in, in the city where this company was with the director of the organization when that guy was landing on a "business trip," and he was being arrested at the airport. And that felt really good.
Jen Ellis: Good.
Chris Hadnagy: You know, that felt like, I'm just like a greasy little hacker, you know, I didn't think I'm ever going to do anything that led to someone's life maybe being saved. So that, that was a, that was an interesting feeling. And I was telling that story at a class I was teaching and a guy came up to me after the class and he said, "Hey, I didn't say this in the sign-up, but I work for an organization that hunts people who bring children in from Asian countries to work in massage parlors here in America as sex slaves. You know, would you be interested in using those same skills and helping us?"
Chris Hadnagy: So, I did a few jobs with them where we ended up getting some people arrested that were trafficking five- to seven-year-old girls to come into the country to work in these horrible massage parlors around big cities. And that felt really good, that we were stopping these things. So I said, I wonder if there's like-minded people, you know, at cons that we go to in our community that would be willing to do this. So I went out and I talked to a couple people, couple friends and they said, that's interesting.
Chris Hadnagy: And then I talked to two people who are not in the industry at all. So, first one was my lawyer, who was also a friend of mine, but he's my business lawyer. And I said to him, "Tim, I got this idea, I want to start a nonprofit that does this stuff, you know, what do you think?" I was fully expecting him to say, “You're going to end up in prison, and you need to not do this.” And instead, he said, "This is amazing. I want to help you and I want to be on the board." And I'm like, okay.
Chris Hadnagy: And then this is not, this next one is not meant to be a humble brag if you're a fan, but I also had a friendship with Neil Fallon, who's a lead singer of Clutch at the time. And he had been on the podcast and we hang out when he comes and does shows and stuff. And I had just said, you know, let me get someone totally out of the space, like not anything. And I called him and I said, "Neil, I got this crazy idea and I'm telling you, 'cause I want you to be on the board if you think it's not nuts." And I told him and he just said, "Whoa, dude, like you can't just call someone, lay this on him, like I need a day." So again, expecting him to call back and be like, you are nuts. And he called me and said, "Look, I was sitting here talking with my wife about it. And she said, now that you know it exists, how do you not help?"
Chris Hadnagy: So yeah, that statement stuck with me very powerfully because I realized that is what I was feeling, but I didn't articulate it well. So, went to my accountant, we filed for 501(c)(3). I've heard from multiple people, this is unbelievably fast, but we got the completed paperwork back in two months. So it was DEF CON 25, it was a month before DEF CON 25 came around and I said, "Hey, you know what? I'm going to announce it at DEF CON, see what happens." And I did, I made the announcement at DEF CON and the SE Village about the organization, and I thought to myself, you know, "People are going to be horrified. Get ready for the community backlash. There's going to be Twitter hate, you know, and I'm going to just be ready to defend it."
Chris Hadnagy: And instead, I had grown men and women coming up hugging me after, crying and telling me how they were abused as kids and they wished there was someone like us around when they were little, just unbelievable human contact. It was like something I can't really describe in words and that solidified it, like I have to do this, this has to happen.
Chris Hadnagy: And we had 300 people volunteer to help out. I realized that just because of the way it affected me, right? So when I, when I did those couple of cases, there were some times like where I would literally just sit on the floor of my office and like weep because of the things that you hear people say and the things that people can do to kids and not, and not care.
Chris Hadnagy: And I just was like, I don't know how to deal with this. I don't know how to, like, manage that process. So I had a therapist that helped me a lot through those things. And I said, "You know, before I hire one person to help me do this project. I'm going to see if I can find a group of therapists that will work with us." So I went out on the search and got some contacts from other people in the industry and we met this woman named Casie, who was so in, she's like, "I'm going to help, I want to help build a whole wellness program." So we had her on the board. So now it was, it was Neil, and Tim, and myself, and Casie, you know. We're, we're going full at it and we thought we have a shrink, you know, now working with us and we start bringing people on.
Chris Hadnagy: And Ryan, who's my, my, my COO here at Social Engineer, he also joined ILF to help me with infrastructure support. So we built a proprietary virtual environment where all the research gets done and it has a ton of protections built in so people can be, not have to see the bad things and they can be logged, and they know that they're safe, and has all sorts of internal protections. We met with Amazon about that, they donated so much space that it's not even funny. Google donated all their space for email servers and storage and stuff like that. And I was like, man, we are getting like unbelievable support in this.
Chris Hadnagy: But then it was still like, I don't know what we do about money because we need money to run it, you know, and, and, and up to this point, no one was even talking about taking a salary.
Jen Ellis: Sure.
Chris Hadnagy: No one was talking about making this a job. It was all donated. And then people like, you know, and I'm sure he's going to hate me for saying it, but people like Dave Kennedy came out of the woodwork and just donated like massive sums of money to us and helped out. The community came together and you know, you might say, well yeah, they're $10 or $20 donations, but when a thousand people do that, it's amazing, you know? And it's so impactful. And then Humble Bundle. My publisher from the books that I wrote is Wiley, and Wiley, the main guy there, Jim, he called me and he said, "Hey, I just heard the announcement at DEF CON about your foundation. Can I make your nonprofit a part of the Humble Bundle network?” And I was like, “Yeah, please. That'd be awesome." Thinking, you know, man, maybe we'll get it like a few thousand dollars. The first Humble Bundle we did, we got, we got $150 grand.
Jen Ellis: Whoa! That's so great.
Chris Hadnagy: Yeah. I was like, what the heck?
Jen Ellis: Then it becomes a very different proposition.
Tod Beardsley: Right.
Chris Hadnagy: Yeah, the whole organization then went from, this is an idea to holy mackerel, right? And then it took off and now I'm running, you know, like you said in the intro, I'm running my company, I'm running a conference and you know, and I have a family, which is primary, and now I'm running this nonprofit. And I said, oh my gosh, we need people. And that's when we finally started looking to hire people that would work for the organization, not just volunteers.
Chris Hadnagy: So we hired Shane as our COO and he took over daily operations. We have something like 13 or 14 people in what we call the "PIT" now. This is great. "PIT" stands for Predator Identification Team. And what I want to say is, I want to say it's the "MOSH PIT." The "Mostly Open Source Hackers Predator Identification Team." But they tell me, I can't call it the MOSH PIT. It ticks me off. I want it to be the MOSH PIT, but...
Jen Ellis: I asked Shane if they were "PIT" bulls and I don't think he liked that.
Chris Hadnagy: [Laughs] So, we have the PIT, and then we have like 20 some other volunteers doing blog writing, research, marketing, fundraising, development of tools. And I have six therapists that work for us now in managing our wellness program. And each person is assigned to a therapist or a therapist has a group of people that they have to meet with once a month, not as a group, individually, where they do it over a HIPAA-compliant web application. And if they need something deeper, you know, like in-person, we refer them out.
Chris Hadnagy: We hired a young woman named Samantha Gamble. She came aboard as our PIT coordinator. So she works in the PIT with these folks, every day and coordinates all their efforts and work. So we have two full-time employees now and we're just hiring our third, and everyone else is a volunteer. And as of now, this year, so far, and we're not even done yet, we've handed over 70 cases to law enforcement. Which means we've identified 70 predators and handed them off to law enforcement to be arrested and dealt with. So it's like, it went from like our first year when it was just me and a few guys—nine is what we had—and now we're up to over 70, and we probably have at least four to eight more that we'll do before the end of the year.
Jen Ellis: Yeah, congratulations. That's amazing. And that's huge impact.
Chris Hadnagy: Thank you.
Jen Ellis: And I love the fact that you've really thought about how to make this as robust as can be in terms of like you've built a plan for how you stop the emotional strain on it.
Chris Hadnagy: I mean, you read those stories of the moderators at like Facebook or Google, right? And you see the thing that these people go through and some of them are so depressed and they hate life and some of them have attempted or succeeded at suicide.
Jen Ellis: Yeah.
Chris Hadnagy: And, and I said that, I can't ever, like, what does it matter if you help one kid but in doing so, you ruin a family? Right? So I take a husband or a wife and they're so depressed, they can no longer function as a family man or woman. And, but yet we got to save another kid. It doesn't make sense. Right? So we said we have to make sure that we're not, we're not just saving the kids that are under harm, but we're keeping our people as safe as possible.
Jen Ellis: Yeah, I love the fact that you've taken that approach. So, I mean, before we get into like some of the, like, what have you learned and what haven't you and all that kind of stuff, I think the No. 1 question people listening to this are probably going to want to know the answer to is, how can people volunteer if they're interested in helping?
Chris Hadnagy: So if you go to the InnocentLivesFoundation.org website, there is a section up top where you can volunteer. And there's two different areas: technical volunteer and nontechnical volunteer.
Chris Hadnagy: And this question always happens, so I'll just answer it before you even ask, is a "technical volunteer," what are we looking for? It's easier, and this sounds a little rude, but it's easier for me to tell you what we don't want. If you are just learning how to do OSINT on the internet, we don't need that kind of a person yet as a technical volunteer. Now let's say you're learning how to do OSINT, but you're great at marketing and fundraising. Great, we can use you. But from the technical side, we really need people who are great at OSINT. And, and when I say that, you know what happens is people self-judge, and we've had some people come in that are like, I don't think I'm that good, and they're amazing. So just be honest with yourself. Like, do you use OSINT daily? Have you been successful at uncovering people during your job, or when you met someone at a bar and you're able to go find their Facebook and their family and all that other stuff and figure out who they are? That's OSINT.
Jen Ellis: Wait, wait, are you a stalker, is one of your questions?
Chris Hadnagy: Yes. You know, it's that kind of person we're looking for that can, that can do that kind of digging because the end goal for us is when we hand a file off to law enforcement, they need to be able to follow the 10, 20, 100 steps that we took to uncover the guy. Because there's two things that we demand that we don't want. We do not want credit from law enforcement for anything we do. We don't want them to mention us in a news report. We don't want to be in their press release. We are not doing this for the spotlight. We don't want the bad guys to know which cases we helped law enforcement with. Cause we don't want to be a target for that.
Jen Ellis: Yes, very smart.
Chris Hadnagy: So we tell law enforcement, our goal is to give you a file that you can reproduce the work that we did without needing us in court. So we can't use illegal activity, we can't use methods or hacking methods that may border on the gray. We can't use things that a law enforcement agent could not reproduce. So we need people that have that OSINT, you know, open source intelligence gathering skill, that can, you know, step into that, that role and just dig through the internet to find these horrible humans.
Tod Beardsley: So when you say technical, just to I guess state the obvious, you know, you are looking for that OSINT stuff. You're not looking for like exploit devs or you know, folks like that, you know, you know you're not looking to like you know, pop the networks of these guys and like set up fake sting websites and stuff like that? Like, that's FBI's job, right?
Chris Hadnagy: Now that, that is a great question, though. So I'm going to answer this cautiously because right now, we are not doing that but that doesn't mean we don't want to. But we need to have a lot of approvals in place. So we have some developers that work with us now and these guys are developing tools that really, really help us with our work. Like we have a tool that is proprietary, it's just for us it's not public, and it blurs all images and videos on a screen. So if one of our researchers ends up on one of these dark websites that just the child porn is there, as soon as you load it, you're not having to view those images. They are not stuck in your mind. Those things are blurred and, and you can't see them. It's wonderful that we have developers like that now, so we do want developers, and we have people who are great at OSINT and they're also really good at exploit writing. But we're not yet at that level.
Chris Hadnagy: But again, we're working so closely with law enforcement, you know, I tell my guys this story, is that when NCMEC started, and if you don't know who they are, and it's the National Center for Missing and Exploited Children, when they started, that was literally, it was a cop and a professor that came up with this idea that a lot of child abuse cases were flawed because a child abuser would move from state to state and there was no central repository where child abuse material could be stored and then law enforcement can access it across the U.S. or the globe. So these guys were smart, and they would say, you know, I'll just abuse a kid here, abuse a kid here, and then you know, you move around, you never get caught. Well, this guy in the state of Pennsylvania, he decided, let's start this, this thing called NCMEC. We'll, we'll be this the central repository for all child abuse material. And the federal government tried to have him arrested, and now they are the only place that has an open federal license to store child abuse material, child pornography, and things like that because they are used by every government agency around the globe to have a central place where these images can be cached, hashed, and stored so that way they can use them in investigative cases. I tell my people this story because the things that we're talking about doing now have never been done. And the reason they haven't been done is because the difficulty level of what we're asking law enforcement to trust us in doing. So, will we get there? Maybe. I hope so.
Jen Ellis: I think the important thing here is to remember that, you know, there is a lot of legality and, and a lot of red tape around this stuff for very good reason. And that, in general, the oversight that's placed on this is to protect the innocent and to also ensure that people don't abuse systems and all that kind of stuff. And so I think, you know, there is the potential for you guys to move into this area but that you have to do so in lockstep with law enforcement who are already covered by our legal framework and oversight framework. And so you have to be in a situation where that framework extends to you and you are basically operating as an extension of them. And that's a process to get to, right? And so I think the approach you're taking is 100% the right approach.
Chris Hadnagy: You know, because you think about like these vigilante groups, like just a few months ago, there was a group of older teenagers that formed a, like, nothing better to call than a vigilante group, where they were looking for people who were preying on children on Instagram. And they uncovered, and I think this was genius, but the way they handled it was idiotic, they uncovered a series of hashtags that pedophiles were using to, things like this would be one "diaper time," there was a hashtag or "bath time" was a hashtag. And what a pedo would do is look for an open Instagram account where parents were posting innocent, like what they think is innocent, pictures of their kids getting their diaper changed. But there's a naked infant there. Now to you, me, normal people, that is not a sexual object, but to a perverted person that, that is a picture they look for.
Chris Hadnagy: So, these kids figured out their methodology, they figured out the hashtags they were using, but then instead of reporting it, all they did was blast it over social media. "If you see anyone using these hashtags, they're probably a pedophile." Guess what every pedophile did? Just stopped using them. Just moved on to a new one.
Chris Hadnagy: So the vigilante groups don't work because all they do is they train the bad guy and they make them smarter. So our goal, one of our like five founding principles is to never, never train the perpetrator. So we don't release information on what things we're doing. We don't tell people how we're finding them, because the last thing we want to do is somebody's listening to this that may not be right in that area and they go, wow, I didn't know that they can do that. And now they're going to cover their tracks.
Jen Ellis: Interesting. So, so you mentioned, you know, the, the kinds of technical volunteers you're looking for and, and you talked about the sort of wellness program that you create for them. How do you vet that people are appropriate to participate?
Chris Hadnagy: That's a beautiful question. So our vetting process is actually so intensive that we've had people walk away after the first discussion just because of our vetting process. So let's just start from the beginning, someone comes to the website, they put their file and they say, I want to volunteer. That record comes to a small group of us, gets passed eventually to Shane if we feel that the person's got the skillset to be able to step into one of those roles. So let's say a researcher, you know, part of the PIT. So they got the great OSINT skill and we say, okay let's onboard this person.
Chris Hadnagy: So first thing that happens is they have a meeting, a video meeting, over the internet with Shane to describe what it is that we do and how we do it, and to explain what I'm just about to tell you, which is the onboarding process and then to ask them, do you want to continue? If they say yes, they get, they get emailed a $0 employment agreement. It does not interfere with any of their other employment but it allows them to sign NDAs and other things saying you were basically working for us for no money. And, and the end part of it is allowing us to do background checks. In addition, they have to sign a medical release form that allows the therapist to get their medical records if they feel it's needed.
Chris Hadnagy: So it's pretty extensive, right? Cause you're giving a lot of info over to us. We then do a full criminal, financial, and federal background check on that person and we're looking for a few key things. One is, if you have a huge amount of recent debt, right? So someone's got a lot of debt and it's recent, it's not like 10 years old, 20 years old. That person may be a liability cause they could be, that could be used for blackmail. Of course, it's obvious if anyone has any record to do with molesting kids, we would not work with them. But there's even a little bit more than that. We had a case where a young man came to us, he was like in his late twenties, early thirties, when he was 19 he was in the military, he went to Canada, went to a bar, hooked up with a girl who said she was 18. Next morning, dad's freaking out, she never came home, finds out where she is, sees her with this guy, and has him arrested cause she's 16 years old. He's now a registered sex offender in the database and we can't work with him. We just can't, we cannot have someone, all we need is one person to announce ILF hires sex offenders, and all donors go away. So can't, can't do it.
Chris Hadnagy: And there's not too many other things that will affect our ability to use you. You know, we tell people like, okay, as long as you don't have like a DUI last week, we get it. Sometimes you mess up, people got into fights, got arrested, we get that. We don't care about those things. We're looking for things that may be used against you right now or that can be used against ILF.
Chris Hadnagy: So once the background check is done, we hold another meeting with the person to tell them the results of the background check and then to have a skills assessment. So it's mainly like a discussion to talk about what it is that you think you can do and, and that discussion kind of brings them a step further. If everything works out from there and they still want to continue, we then have a VDI, which is our desktop or virtual desktop infrastructure created for them. And then we have an onboarding meeting where they are walked through how to use it. They're given an email account, they're given space on our storage, and then they're brought in to give that technical training on how to use all of that, and then from there they're given a case. So, that can take weeks of time.
Jen Ellis: Right. So yeah. I think important as a callout, that if you are interested in participating, don't expect that you're going to sign up and it's going to happen tomorrow.
Chris Hadnagy: Yeah. And there's one, one other thing I forgot, a really important thing, which is they have to also, in between those two meetings, they have to have a wellness session with one of our therapists. And we pay for that, that's perfectly fine. It's done over video. And we do that for, so now the background check tells us that you're, you know, financially, federally, and criminally okay. The wellness check tells us you're mentally able to do the work. And because it's a real therapy session, the therapist doesn't come back to us and say, "Hey, here's everything we talked about." She comes back and she says something like, "This guy's good. You can use them, maybe put them in lighter stuff," or "This guy's good. You can use them, put them in harder stuff," you know? Or, "This guy's okay. I wouldn't put them in the PIT, put them somewhere else." And they give us recommendations on where and how to use that person. So once all of that is done, then we onboard them.
Jen Ellis: Okay. So then do you have an expectation of how much time people will, will spend on this?
Chris Hadnagy: No. And that's the wonderful part about this because you're a volunteer, we have a, so I'll give you two extreme examples. We have a guy working full-time as a pen tester, he travels a lot for his job. We may get five hours or less per week, you know, when, whenever he can fit it in. And I have another guy who's a cop and he works three 12-hour shifts and then he's got four days off and he gives us sometimes up to two of those four days. So it's two extremes. We have a woman running our marketing right now, our like, our marketing over social media and I think she's working every day. Probably like an hour or more so a day on this. So it really depends and we tell everyone, here's the only thing we ask, if you need to take a break or you need to pause, you need to stop, just communicate with us. Just tell us, you know, tell us. We had a guy, life came up, I have too much stuff I've got to take care of. I got to go away for two months. Okay, no problem. We paused him, you know?
Chris Hadnagy: And then, and then they, when they come back we're like, "Hey, are you ready?" And just one guy was like, man I can't right now. Okay cool. Yep. Down the road, let us know if something changes. You're more than welcome back. Right? Now we have a rule that if it's over the six-month period we'll have to do all those background checks again. But you know, we do that.
Chris Hadnagy: And then for the PIT, they have to meet with a therapist once per month, that's mandatory, part of staying a volunteer, and for everyone else who's not in the PIT, they have to meet with their wellness therapist once every quarter.
Jen Ellis: That sounds very sensible.
Tod Beardsley: It sounds like a pretty professional organization you got there.
Chris Hadnagy: Thank you. We try. We really try hard.
Jen Ellis: This was so interesting and we were so into it that we actually haven't yet asked you very much about all of the things that you're super famous for like, the Social Engineering Village, and your company, and the Human Hacking Conference, your many books, etc. We would love to have you on in the future again to talk about some of those things. For sure. And, in the meantime, I really strongly urge people, if you're interested, check out the website. What is the website again?
Chris Hadnagy: InnocentLivesFoundation, all one word, .org.
Tod Beardsley: Perfect.
Jen Ellis: And if you cannot volunteer time, which many people can't for obvious, reasonable reasons, consider making a donation. It is an excellent cause. Chris, thank you so much for everything you do. I cannot say enough good stuff about you and I know most people feel the same way. I'm sure you know, I'm sure that you hear that a lot and, and ILF sounds like an incredibly important and noble endeavor. And you know, you know where I am and I'm happy to help, I think Tod's going to try and go and brush up on his OSINT skills. Thank you very much.
Chris Hadnagy: Thank you.
Jen Ellis: So, that was amazing. Chris, thank you so much for coming on and telling us all about the Innocent Lives Foundation. Again, I highly encourage people to check out the charity, and if you think that you have the kind of OSINT skills that they're looking for, please do think about volunteering your time. It is a very worthwhile cause.
Tod Beardsley: Done and done.
Jen Ellis: So, okay, Tod. When you're not volunteering your time for nonprofits, I believe that you are keeping your finger on the pulse of what's happening in security. And quite a lot's happened recently really, this has been a good week.
Tod Beardsley: Yeah. Well, good is relative, I guess.
Jen Ellis: Tell us about it.
Tod Beardsley: Well, as we're recording this, this is the week of Patch Tuesday, the first of 2020. Yeah, and a whole bunch of stuff happened. Microsoft in past years has followed a similar pattern where it tends to be a pretty light December and a pretty heavy January. And this January is no different. The one that caught everyone's attention, of course, is the NSA disclosed a crypt32.dll vulnerability. I'm not going to spend any time on that, you probably have had your fill of that. TL;DR, patch your stuff. You can detect it, great, but please just patch.
Jen Ellis: We can move on. But like, yeah. So yeah, again, like we don't need to dwell on what the actual bug itself is. What's interesting here is this is NSA disclosing a bug. Like that's actually quite cool, this is your Vulnerabilities Equities Process at work.
Tod Beardsley: Yeah. In public. Yeah, for sure. They had a press conference, they coordinated with Microsoft and a bunch of OEM vendors ahead of time. You know, they are doing coordinated vulnerability disclosure as we would expect kind of a normal security company to do it. Except this is the NSA. So I would expect more of this through the year. There's a lot of like theories of why they're doing it this way, that I think it's great press for them. I think they are more than willing to burn bugs that they don't intend to use.
Jen Ellis: I think this is a great thing. Very positive.
Tod Beardsley: Yep. So that was part of the reason why it was a big deal is that yeah, it comes from the NSA. Also it's like deep wonky crypto stuff. So it's kind of fun to read. And of course the NSA being fundamentally a cryptography organization, the cryptography organization on planet earth, they're going to care about bugs like these a lot. So I don't expect this to be the last, but it's certainly the biggest they've released like on purpose. *Cough, Shadow Brokers.* But you know what happens when you have a pile of almost 50 vulnerabilities and one gets a whole lot of press, that almost necessarily means other ones don't. And there are a couple other good ones in there. Good for offensive use.
Tod Beardsley: Anyway, I'm thinking specifically of my absolute favorite after having a couple of days to read over these things is CVE-2020-0640. This is an Internet Explorer memory corruption vulnerability. This is an old-timey bug. We used to have bunches of these and they dry up. It gets harder and harder to pop IE. But if you're going to pop a web browser, Internet Explorer is the one to do. Because that tends to get updated less frequently than something like Chrome.
Tod Beardsley: It's about middle of the pack. Firefox bugs tend to be pretty long-lived because there's a whole class of Firefox browsers that like run off a USB key and people use Tails and all that jazz. But IE is a pretty great client-side target. I'm reading through it like we don't have a ton of detail on it. No one's published anything yet. I would expect to see... I would hope to see some kind of proof-of-concept or maybe more chatter about this now that the NSA news has died down over the next couple weeks.
Tod Beardsley: This is a bug that is tailor-made for drive-by download kind of stuff. Essentially it's some crazy HTML element that triggers a bad memory read in IE and you get code execution on the browser. So this can come from any number of sources, forum posts, compromised websites, just like clicking on a link in an instant message, something like that. It is IE, it's not Chrome, it's not Safari, it's not Firefox. People are using IE less and less as time goes on. But there are a lot of, say, kiosks that are running IE that you walk up to and you know sometimes can browse. So like if you want to own that kiosk, not that you should, but if you're on a penetration test and you want to own a kiosk that's sitting in the front office of an office building, this is the kind of bug that would be good for that.
Jen Ellis: Okay. So I have a lot of questions.
Tod Beardsley: Okay. I'm excited.
Jen Ellis: You mentioned that IE is not always like very timely in the updates department. Users aren't always up-to-date. Why is that, do you think?
Tod Beardsley: So IE bugs or IE vulnerabilities get patched through Windows updates. So they get patched as often as Windows does, as opposed to something like Chrome, which runs its own update service. Google Chrome is basically constantly updating and Mozilla Firefox is similar.
Jen Ellis: They update automatically?
Tod Beardsley: They update automatically behind the curtain, behind the scenes, like you rarely have to do anything. It's actually kind of a pain to avoid getting updated. You know, you have to go way out of your way to not get updates. IE, though, is still fairly strongly tied to regular old Windows updates. Current versions of like Windows 10 tend to do that automatically, if you don't mess with anything. You know like Windows 10 will schedule updates for you, but it's the whole operating system, so it's sometimes like an all-or-nothing kind of deal. Whereas your browser, if you're using Chrome, your browser is getting updated all the time regardless of patch cycles. If you're in a managed environment, a lot of times your IT department is responsible for making sure you get your updates and so they're gating those updates. So you may be a couple of weeks out from release before you get this update on your work computer, if you live in that kind of environment.
Jen Ellis: Cool. Okay, thank you. And you mentioned Tails, and I'm assuming some people may be unfamiliar...
Tod Beardsley: Yeah, it's for the goofy libertarian Linux people. It's basically this, this notion that you have your static build of everything. I've never really super understood... I kind of understand it. Like you want to know what you're running at all times. So you'd like boot off the USB key and you're using your secure enclave and all this jazz. And then you use your browser and you know exactly what's on the browser. The bummer of that is that you miss out on automatic updates. So while it's purported to be like, "Oh, this is your secure solution" and you're not going to get... Mainly, you're not going to get updates that you don't know about, malicious or otherwise. You also are not getting updates. So that's, so that's a little bit of a bummer for those folks. But it's a pretty small minority. It is a paranoid minority. And if they care about a particular fix they're going to go get it.
Jen Ellis: So Tails is not really designed for like the average Joe internet user, is it? It's really more for people with specialist needs, who you just described as paranoid, but perhaps they're not paranoid and the world really is out to get them. So it's sort of activists and journalists and that kind of thing, people who have a higher need for secrecy, right.
Tod Beardsley: People who are aware. Yeah. People who are aware of their risk profile in a very intimate way. Right. These people by the way do not use Internet Explorer like at all. So this is not a bug for them.
Jen Ellis: Right. Okay. Excellent. Excellent. Cool. All right. It's unusual to hear you talking about Patch Tuesday!
Tod Beardsley: Yeah. And you know this, it comes up because there was a lot of press about it. There was a lot of hand-waving and speculation for like the few hours between the public announcement and the public release, which is why I wanted to talk about it, you know. But like I said, like January tends to be a pretty heavy period because it also lines up with things like Oracle's patch releases, Adobe's patch releases. There's a couple of other organizations. I think Mozilla kicked some stuff out, too, on Tuesday. So like basically anyone who has a patch cadence, January is the time that they tend to roll out things that they may have been hanging on to because of holidays and all that.
Jen Ellis: As if January wasn't depressing enough and now security professionals have to deal with patching everything.
Tod Beardsley: Yeah. I mean you get a little bit of time to come back. Of course, right now everyone in tech that I know is sick. It is like tech flu basically all across the nation. Office buildings are ghost towns right now. So this is a good time to make sure your VPNs are working, because a lot of people are working at home. So there's that.
Tod Beardsley: There was one other bug I just want to touch on super quickly. Mostly because it's just a giant mystery to me. It's CVE-2020-0646. It's a .NET Framework RCE bug. So remote code execution. There is like no detail on this. I've seen nobody talk about it. It seems pretty juicy, but if only we knew a little bit more about it. The only way we're going to learn anything about this is through like reversing the patches to see like exactly what this is. Because like the only detail Microsoft gives is, quote, "To exploit the vulnerability an attacker would need to pass specific input to an application utilizing susceptible .NET methods." Which is basically anything, like it's completely unknowable, like what this means.
Jen Ellis: So you're like yes, this is in fact how these things work, well done.
Tod Beardsley: Yeah. Yeah. Yes, to use this program that's also what you do. So again, it's going to be a little bit... It's probably clienty. It might be a server thing. Who knows? Like we don't know anything about this. I assume that the Metasploit elves are hard at work on both of these bugs because they give you direct remote code execution, unlike the crypto library bug, which gets you to code execution, but more in a roundabout because I'm faking my identity sort of way.
Jen Ellis: All right, so thank you very much. That was great. I look forward to what you're going to find to be indignant about next time. As ever, thank you for educating me, and thank you to the amazing Bri, who is also sick, but still put up with us and will be doing some great editing hopefully. All right, we look forward to the next episode.