Defcon 26 Event Debrief

There is a week every year in Vegas where three information security conferences take place: BSides Vegas, Black Hat and Defcon. Those who attend call it Hacker Summer Camp. It is a special time when unsuspecting tourists wonder why their wifi is slow and the digital signage tells them to do strange things. It’s a time when some of the most enthusiastic hackers descend upon the desert city of Vegas to (literally):

“drink all the booze and hack all the things.” – Dual Core

This year Trace Labs was accepted as an official contest at Defcon. In February of 2018, we received this email from Grifter:

“This contest is APPROVED for DEF CON 26! We’ll be in touch for your specific needs soon. Seriously, this sounds dope. Looking forward to it!”

In July 2018, Trace Labs had the opportunity to work with Defcon Toronto (a smaller localized hacker group) to host the world’s first OSINT CTF for Missing Persons. This was the trial for Defcon 26 in Vegas. The Toronto event had 150 hackers on site in a room at the University of Toronto and a few dozen more attending virtually. Various local police authorities and missing persons interest groups also attended. The event was the first of its kind in history and was a huge success as two individuals were located without causing any issues. The event proved the concept works.

As amazing as the Toronto event was, Trace Labs wanted to evolve the experience with the following changes:
  • Allowing contestants to get points for intel that was already known to police. While not high value to the police, this did help contestants build the profile.
  • Allowing contestants to see what others had submitted. This transparency allowed contestants to learn from each other and build on previously submitted intel.
  • The biggest change was to move away from a typical CTF, which is a closed system where everyone goes for the same flags. While this makes sense in a theoretical contest, it doesn’t when applied to the Trace Labs mandate of actually finding missing persons. While this is a contest, it is also real and we don’t want to waste contestants’ time collecting the same flags. Scoring was therefore first to post a flag gets the points. No one got points for submitting duplicates.
  • 100% virtual: We decided to try and make it as fair as possible for everyone by being 100% virtual. This was a mistake as many people asked to meet. Next year (if accepted) we will have a table.
  • Allowed anyone to sign up and did not limit contestants to Defcon attendees. Many people are unable to make it in person to the Defcon event and this way they were not excluded.
  • Used Slack for the entire contest platform.
  • Ran the contest for 48 hours (straight).

Those were the changes; many things stayed the same, including the Trace Labs guiding principles:

  • We never close – 24×7 model
  • We don’t care who you are – as long as your intel is good (verifiable)
  • We are global – missing persons and contestants from all over the world
  • We are not theoretical – We are working with real people and need to always be aware of that.

We stressed the importance of our zero touch (passive reconnaissance) rule. Contestants asked about password resets and other procedures that might produce intel but were in direct violation of the rule of zero touch. Contestants were not allowed to interact in any way with the subjects, their friends or families. This included tagging, friending, posting, password recovery and other active reconnaissance. Contestants were, however, allowed to use sites such as haveibeenpwned.com to see what other services were in use by the subject.

There were 10 operations (plus one last minute entry we will discuss later). The first 4 were made available Friday morning at 9am with a fifth released at noon the same day. On Saturday morning, the other 5 were made available.

DC26-OP-1: Abdul Aziz Khan – Child Abduction – International

The first operation was a case where parents had split up and the mother had taken the son and disappeared. We selected this one as the people who took this child were very careful to cover their digital tracks.

Source: http://www.missingkids.org/poster/NCMC/1316146/1.html

DC26-OP-2: Keyoma Prentiss – North Las Vegas, Nevada, USA

Since the event was in Vegas, Nevada, USA, Trace Labs felt obligated to have at least one missing person from that area being searched for by contestants. The missing person’s family has asked for the public’s assistance in locating missing 41-year-old Keyoma (Kym) Prentiss out of the North Las Vegas, Nevada area.

Source: http://nevada.missing.report/keyoma-prentiss-north-las-vegas/

DC26-OP-3: Mark Gregory Brazau – Toronto, Ontario, Canada

Another international op which is many years old. We knew this would be very challenging for contestants. A cold case from the Royal Canadian Mounted Police.  Mark Brazau, age 32, was reported missing by a friend after he had not heard from him in several days. He was last seen at his place of work, located on Wilson Avenue, in the City of Toronto on May 23, 2007. Police attended his last known address only to find it had been vacated 3 months earlier. There has been no financial activity on Mr. Brazau’s accounts since his disappearance from Toronto, Ontario.

Source: https://www.services.rcmp-grc.gc.ca/missing-disparus/case-dossier.jsf;jsessionid=JympbpDLR8hLh1Gr6LNrdT37Nh2Y28RHyH5WvZLPww1B7XGcvkRs!-412252302?case=2010006499&id=6#tab1-0

DC26-OP-4: Mollie Tibbetts – Iowa, USA

This case is all over the news and very recent. We thought this would be an easier op with a lot of fresh digital trace and a higher chance of discovery.

Source: https://www.cnn.com/2018/08/03/us/mollie-tibbetts-missing-iowa-student-news-conference/index.html

DC26-OP-5: Alejandro Suarez – Las Vegas, Nevada, USA 

Trace Labs wanted to help the hosting city as much as possible so OP 5 was another missing person in Vegas. The missing person’s family is asking for the public’s assistance in locating missing 21-year-old Alejandro Suarez out of the Las Vegas, Nevada area. Alejandro was last seen at West Gate Las Vegas Resort & Casino, 3000 Paradise Road, Las Vegas, NV; Hard Rock Hotel and Casino, 4455 Paradise Rd, Las Vegas, NV 89169; and Four Queens, 202 Fremont St, Las Vegas, NV 89101 on 1/22/2018.

Source: http://nevada.missing.report/alejandro-suarez-las-vegas/

DC26-OP-6: Suzie Clark – Vernon, British Columbia, Canada

This was another international missing person case. Suzie Clark was last seen July 28th, 2018. Since Suzie’s disappearance, police have followed up on several leads and possible sightings, however Suzie remains missing. Vernon North Okanagan RCMP – Vernon RCMP is requesting the public’s assistance in locating a missing Vernon resident.

Source: http://bc.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=2087&languageId=1&contentId=56229

DC26-OP-7: Benjamin John Kilmer (aka The Cobble Hill Man) – Victoria, British Columbia, Canada

On May 16, 2018 the North Cowichan/Duncan RCMP began an investigation into a missing Cobble Hill man, 41-year-old Benjamin John Kilmer. Multiple resources assisted in the search for Ben, in the Cowichan Lake Road area of Duncan, BC. These resources included RCMP investigators, a police dog team and 29 Cowichan Search and Rescue, who worked through the night.

On May 17, the search expanded to include the RCMP helicopter, 60 Search and Rescue from a number of Vancouver Island search teams; Cowichan, Ladysmith, Nanaimo, Salt Spring Island, Juan de Fuca and the Peninsula Emergency Measures Organization. The Search and Rescue Teams and the RCMP would like to thank the public for their assistance. At this time Search and Rescue have sufficient resources and do not require public assistance in the search area. You can help by keeping an eye out for Ben if you are out walking or hiking.

Despite the extensive efforts, Ben has not been located. He is described as 5’10, 180 lbs, short brown hair and blue eyes. Ben is clean shaven and was last seen wearing light coloured pants, a black shirt and steel-toed work boots.

Source: http://bc.rcmp-grc.gc.ca/ViewPage.action?siteNodeId=2087&languageId=1&contentId=55400

DC26-OP-8: Allana Nicole Martinez – San Antonio, USA

San Antonio police are looking for Allana Nicole Martinez, who also goes by Lana and was last seen in the 11000 block of Perrin Beitel Road on the Northeast Side, according to police. Allana Martinez, 14, was last seen by family members on Aug. 3, 2018. This young girl went missing very recently so we felt it was very likely we could help collect some good intel.

Source: https://www.mysanantonio.com/g00/news/local/article/SAPD-looking-for-missing-14-year-old-girl-13135191.php?i10c.encReferrer=&i10c.ua=1&i10c.dv=14

DC26-OP-9: Cynthia Lowry – San Antonio, Texas, USA

Cynthia Lowry disappeared on January 17, 2018, from John Jay High School in San Antonio, Texas.  She messaged her friend at 10:10 am that an older friend, Tanya, had arrived at the school and she was going to meet with her, then return to class.  Cynthia has not been seen since leaving class that day.

Source: https://www.casewarriors.org/article/cynthia-lowry-last-seen-at-her-san-antonio-tx-high-school

DC26-OP-10: Harry Schuldt – Chicago, Illinois, USA

Authorities are looking for an elderly man who has been missing since Thursday from the Cragin neighborhood.

Harry Schuldt, 65, was last seen near West Belmont Avenue and North Long Avenue, according to a missing person alert from Chicago police. He is said to frequent West Belmont Avenue and North Long Avenue.

Schuldt was described as 5-foot-8, 180-pound white man with blue eyes, grey hair, police said. He was last seen wearing green cargo shorts, a black T-shirt with the logo of the Tasmanian devil, a U.S. Navy baseball cap, and flip flop sandals.

Source: https://chicago.suntimes.com/news/65-year-old-man-reported-missing-from-cragin/

DC26-OP-11: Mystery Defcon Attendee – Las Vegas, Nevada, USA

I know you are wondering why there is an 11th OP when there should be only 10. Well…

As Defcon was preparing for the closing ceremonies and everyone was packing their bags a call went out on Twitter. One of the Defcon attendees was looking for her husband who had not been seen since the night before. She was extremely concerned and had contacted the police and all the hospitals.

Trace Labs will normally never start an op unless there is an official public link from the police asking for the public’s assistance. However, since we were at Defcon and this was an attendee, we started doing some preliminary work. Within minutes the husband was found passed out on someone’s couch. Apparently he had been at the Illuminati Defcon party the night before and decided to take a nap. A good news story but he better buy his wife flowers on the way home.

After 48 hours of non-stop OSINT we had three top contestants. While everyone deserved to be recognized, we only had prizes for the top three. Everyone did a great job at following the rules and we generated a lot of intel for the police.

The three winners were posted here: https://www.tracelabs.org/2018/07/defcon-26-osint-ctf-leader-board-and-intel-journal/

The prize for the top place winner was two sessions with the famous and well-respected online investigator, Julie Clegg. Julie has years of experience and is well known for her popular podcast, World Class Investigator, as well as starring in the popular TV series Hunted.

The most amazing thing occurred right after the winners of this CTF were announced…

Nothing.

I mean, no one stopped. Everyone just continued doing their OSINT and searching for these people. I was confused at first and thought maybe they didn’t see the post. Then I realized, the contestants didn’t really care about the CTF closing. They were passionate about what they were doing and wanted to keep going. As I write this days after Defcon, the dc26 channels are still active and the ops are still going. New intel is being dropped in every few hours and sometimes every few moments. Contestants are still collaborating with each other and building upon previous work. Have you ever been to a CTF where this occurred? Remarkable!

Sounds amazing right? You are welcome to sign up and witness this and even help if you want.

Statistics:

  • 10 operations for real missing persons (+1 Defcon missing attendee)
  • Over 150 different intelligence submissions (scored) during 48 hours. Included everything from social media accounts to previous addresses.
  • 3 of the ops were for missing persons from the Vegas, Nevada area.
  • 3 of the ops were for international missing persons (from Canada).
  • 7 of the ops were for missing persons from the USA.

Trace Labs Slack Environment:

  • 1540% increase in last 30 days in membership growth
  • 653% increase over the last 30 days in active members
  • 263% increase over the last 30 days in public channels
  • Over 2000 messages on dc26 channels (many more on general and private channels)

Trace Labs Twitter Account (28 day summary):

  • 100% increase in tweets
  • 361.5% increase in tweet impressions
  • 109.% increase in profile visits
  • 243.1% increase in twitter mentions

Unfortunately, what we can’t measure is how much people learnt about both OSINT and missing persons. The Trace Labs people that were at Defcon were busy monitoring and judging intel but were also amazed at how many people were interested in the concept and wanted to help out. Many great contacts were made that will further enhance the organization and ultimately increase the odds of bringing someone’s loved one home.

In the News

There are several news articles being written about Trace Labs as we are breaking new ground. The first one is here: https://motherboard.vice.com/en_us/article/qvmm3x/hackers-hunting-missing-people-osint-defcon-tracelabs
