


JACK: Have you ever thought about escaping from a police station? I’m sure some of you have. It’s probably really hard and you might get shot in the process. But what about sneaking in? Still, you run the risk of being caught and instantly cuffed and detained. So, if you want to break into a police station, the safest way to do it is through the internet, online, by hacking into the network and getting whatever data you wanted. But what would you do once you got in? How could you gain from this? Hm.

JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: Alright, so, let’s start with who are you?

NICOLE: My name is Nicole Beckwith and I worked formerly as law enforcement for the state in the federal government.

JACK: What branch of law enforcement?

NICOLE: I was a Task Force Officer for the Secret Service.

JACK: Task Force Officer for the Secret Service; that sounds badass.

NICOLE: It was a lot of fun.

JACK: [MUSIC] When you think about the Secret Service, you probably picture those agents with the dark sunglasses and the earpieces who are always following the president around. It’s true; protecting the president is a big part of the Secret Service’s job. But they handle some cyber-crime cases as well, which is the division where Nicole worked.

NICOLE: A lot of people aren’t aware but just like the FBI, the Secret Service, they also work on cyber cases, as well. Any entity can contact their local Secret Service. Most states have a Secret Service Task Force.

JACK: This sounds a lot like the FBI and sometimes there’s overlap between the two.

NICOLE: The difference is, if there was a terrorism angle, the FBI takes that 100% hands down.

JACK: The work the Secret Service handles is usually cases involving money, like fraud or laundering or scams.

NICOLE: Counterfeit currencies, cryptocurrencies, anything with a financial angle.

JACK: Now, Nicole had been working as a law enforcement agent for some time, but to go into the Secret Service Task Force, you have to be selected by your local Secret Service office.

NICOLE: Because of my background in computers, computer programming, I started working a lot of cases with local law enforcement who then would bring it up to the Secret Service or the case would get worked by the Secret Service and they would say my name. Ended up asking me so, what do you do? How do you know all this stuff? Would you be interested in working with us? Of course, I jumped at the opportunity.

JACK: [MUSIC] Nicole gets some pretty in-depth training on everything security-related. It was eighteen months of training on all kinds of topics.

NICOLE: Cryptocurrency investigations, networking, intrusion response, basic forensics. You name it, they sent me to it. Then the trade off is we get the equipment, my agency, my local agency benefits from that. But then if they have a case, then I am able to help them out by going out and assisting in those investigations as well.

JACK: One day, one of these cases came up for a city in Nicole’s state. Oh, and we’re not gonna say what city it is for privacy reasons, but just know it’s a small-to-midsize city in the US. The Secret Service gets a call from their local police department. [MUSIC] The PD’s computer had been hit with ransomware, effectively encrypting the entire hard drive and was waiting for you to pay an amount of Bitcoin to decrypt it. This is typical cyber-crime activity. Often, these kinds of hacker criminals will try to just spray the whole internet looking for insecure computers, then place the ransomware on them in an attempt to make some money from this. The police department’s network was totally hosed.

NICOLE: They had lost about nine months of their information, their cases.

JACK: Information like records of arrest, evidence they’ve gathered, and all the essential stuff that law enforcement gathers as they’re doing their work was just gone, at least from their computers. They wanted to know if Nicole could help get those records back.

NICOLE: But because they had already reimaged everything, there was nothing we could do at that point.

JACK: Essentially, the IT department had backups from nine months ago and had to roll back to this last good backup. The police department didn’t even consider sending them Bitcoin to unencrypt their stuff. It just wasn’t an option for the police to pay the ransom. Nicole was very limited on what she could do after the fact. Because of that, the police department basically said forget it, we don’t need your help.

NICOLE: They weren’t particularly interested in having somebody come in and disrupt their network for a while.

JACK: Plus, they could just manually reinput the lost data from the physical records, which is annoying [00:05:00] but is still a path to recover their data. That was that; Nicole left and the police department slowly went through all the written police reports and records and began typing them back into the computer system one by one, rebuilding their online database. It was a slow process but it was their only recovery strategy. [MUSIC] A month later, Nicole is on the phone with someone from that same police department.

NICOLE: It just so happened that I was on the phone with one of the employees at the police department on a completely unrelated matter. He mentioned that hey, our printers and our network’s acting up again. I think our printers just went down. I said wait, isn’t that what happened the last time right before you guys got hit? He said yeah. I said, don’t touch a thing. Do not call your IT department. I’ll be there in a minute.

JACK: [MUSIC] Nicole grabs her go-bag that she keeps for these exact situations, a bag full of electronic devices specific for doing digital forensics and incident response.

NICOLE: Everything from USB sticks with FTK Imager, and just a whole lot of software on those USB drives. Then I also have toasters if I need to plug in and grab a hard drive image, adapters and plugs and cables, yeah.

JACK: Oh, a toaster, that’s something I haven’t heard before. Maybe that’s a Secret Service thing. But this is just a little device like a USB hub that you can plug memory sticks into. You could put USB drives on it, or SD cards. I guess it kind of looks like a little bit like a toaster, so sure. But these are handy because you can quickly copy the contents from one USB drive to another or swap USB drives, and you never know what kind of memory cards you’ll be given onsite to examine the contents. Oh man, this is great; I picture you with the aviator sunglasses and the little curly earpiece that comes down into your shirt.

NICOLE: I wish. No, I’m not that cool. Aviators do not look good on me and I wasn’t issued an earpiece, so no, definitely not.

JACK: She hops in her car and starts heading to the police station.

NICOLE: I’m calling my chief, I’m calling Secret Service, I’m calling everybody that I need to to get sign-off that this is okay to do as well.

JACK: Now let me describe this network to you in a little bit more detail. This is a city police department. The number of people who actually do IT in this police department was like one or two people, not enough.

NICOLE: A lot of cities do that to save money. They don’t see IT as a risk.

JACK: They didn’t have a good team or big team and they needed help with their network. [MUSIC] So, they outsourced some of these tasks to a managed service provider which was another company who just lives and breathes IT, networking, and security and troubleshooting, and has full access to this police department’s network.

NICOLE: They only paid the IT company if something went wrong. There was no proactive measures to keep anything protected other than just to go back and do the basic vulnerability scans and to update software, that sort of stuff.

JACK: Now at this point, the only problem still is that those printers are down; no ransomware has actually infected any computers yet. But this is what happened a month ago right before they got infected with ransomware. Nicole arrives onsite and starts asking for access to the critical devices in the network. These key devices to her are the perimeter devices like a router or firewall that sits between the network and the internet, and also the domain controller. She immediately starts looking around for the IT staff within the police department. She finds that person who has full administrator rights and has access to everything. She gets that person to login to all the things and she sits down and gets to work.

NICOLE: I immediately start running Volatility, I start running Wireshark, but try to capture anything I can possibly capture right off the bat.

JACK: Okay, so Volatility and Wireshark. Let’s jump into these tools for a second because I think they’re really cool. Volatility is an open-source free tool which is used in digital forensics. Step one is that she gets into any Windows computers that she finds interesting and tries to take a snapshot of those computers. This snapshot copies a ton of data onto her USB drive; files, folder structures, but also all the running processes, all network connections, and all the data which was in memory at the time. Once she has this raw dump of everything from that computer onto her USB drive, she switches that USB drive onto her own computer and begins analyzing everything on it. Are there any suspicious programs running? Who’s connected to this machine right now? What activity has this computer been doing lately? But depending on how big these snapshots are, each of these questions can take a while to get answers to.

It’s a slow process to do all of this. In the meantime, she swivels her chair around to get access to the edge network devices. This is either a firewall [00:10:00] or a router which is the device that all incoming and outgoing traffic must go through. She begins capturing all packets coming in and out of the police station’s network. She’s not sure if this will be helpful, but it might give her some clues later as to who might be connected to the network and what devices they’re accessing, or how things are getting infected. As she captures the packets, this is where Wireshark comes in. Wireshark is a free tool used to analyze packet captures. You can begin searching for IP addresses or large files being transferred. But finding stuff in Wireshark really is like finding a needle in a haystack.

Her network captures were capturing a lot of data and where do you even look to try to find a bad guy in all that? Now, what was really fortunate for her was that she got there early enough and set up quickly enough that no ransomware had actually been activated yet. But she had all her listeners open and was ready in case something did happen. While she’s bouncing around everywhere looking for anything out of the ordinary, she finds something. There’s another person logged into the domain controller with her. She asks the IT staff at the police station, are you logged into the domain controller? [MUSIC] No. Double check. Yeah, no. She contacts the managed services company and asks that team if they were logged in. They say no, also. At this point she knows whoever is in this domain controller should definitely not be there.

NICOLE: Then my heart really starts racing. I know that somebody’s in there as I’m in there, potentially either destroying evidence or getting ready to deploy the ransomware. At that point, you do ask the question okay, do I immediately kick them out now or do I pull data and forensic evidence to see if I can’t capture something?

JACK: Waiting is risky. Remember, the police department had already been hit once and they don’t want to lose another big chunk of case data. But Nicole also knows that if she just chases them away, they might not ever find out who was doing this or where the hack came from. You kind of want to know how they got in so you can close that door properly.

NICOLE: In this case, I chose to wait and pull some data first before I kicked this individual out. Luckily, because they were in there a while, I was looking at it this time, I was able to get that forensic data that I needed.

JACK: With the hacker out of the system, Nicole quickly deactivates all the other admin accounts on the entire domain controller and then changes the password for the admin account she’s logged into.

NICOLE: I knew at least for a little bit of time that we were safe.

JACK: With all this data she was able to collect, she starts asking some hard questions. She starts talking with the IT company that manages this network.

NICOLE: They were not a fan of me just because I saw all the vulnerabilities when I was in. I could immediately see a whole set of them.

JACK: Nicole is basically like look, if you want to solve this problem, you’re going to have to work with me.

NICOLE: It’s a very frank conversation and there’s nice Nicole and there’s not-so-nice Nicole, and they saw not-so-nice Nicole.

JACK: I mean, if the Secret Service is asking you to cooperate and the police department is backing her up, then yeah, the IT company had to come around and start helping Nicole, no matter how much they didn’t like her questions. She starts asking for any information that they have about this ransomware, stuff like…

NICOLE: Did the IT company happen to save the ransomware file? Did they save their copy of the ransomware letter? Did they have screen shots? Did they log anything or have any logs that they could share on their side that maybe I wouldn’t have access to on my side.

JACK: Luckily, they did have stuff. That, combined with what Nicole was able to capture, allowed her to start doing some better analysis.

NICOLE: I’m looking at IP addresses of the individual that was logged in as that admin user.

JACK: She got an IP address for that user. This was a public IP; someone from the internet was connecting into that domain controller. She did a quick geo-IP lookup. This is what will give you the rough coordinates of where that IP address is located in the world.

NICOLE: I was really surprised to see that that IP address came back to a local address. At this point I’m thinking okay, who did they arrest that then got really upset with them and decided to hack them?

JACK: Someone in the very city as this police station appears to be hacking into them right now. She quickly gets a search warrant and submits this request to the local ISP. ISPs must comply with local law and if they get a search warrant like this requesting information about who owns a certain IP address, they have to give it to the feds. From there, she gets the name and address of the person who owns that IP.

NICOLE: And couldn’t believe what I was seeing. [MUSIC] It was the mayor of the city. When I looked at that, I’m like, there’s – what is going on here? What am I looking at? This can’t be correct. [00:15:00] I called the PD; is there any reason that your mayor would have admin access to this server?

JACK: Yeah, good first question. Why or how did the mayor get an admin login password to this domain controller? The mayor typically isn’t going to be the person who will need admin access to this server. They’re not going to be troubleshooting things on there or making configuration changes. There’s no need for it. The police department said yeah, no way, the mayor has no business logging into our domain controller as admin.

NICOLE: I’m like, alright. Then I start thinking; the mayor clearly isn’t going to hack the police department, right? [MUSIC] He doesn’t have a grudge. Then I start doing some investigative work and realized that in fact, the mayor does have both motive and opportunity. He had been arrested previously, prior to becoming mayor.

JACK: Nicole doesn’t know what to think. Here she is, a third-party consultant, trying to help a local police department but her first suspect is the mayor of the city?

NICOLE: I’m calling my boss at the Secret Service and I’m saying, what are your thoughts? How do we proceed in this? This is obviously a sensitive issue here, right? I can’t just go to the mayor and be like did you deploy ransomware on the police department’s server?

JACK: Nicole decides before any sort of confrontation, she’s going to just see who would even have admin access.

NICOLE: I call up their IT department and I say okay, I need you to give me the name of everybody that you have given admin access to. What kind of numbers are we talking here? Are we talking three people or are we talking fifty people? He’s like oh yeah, well, we have admin access and then we give admin access to all the city council, the mayor, the blah, blah, blah. He lists off a ton of people and I’m like, you did not say that the first conversation that we had.

JACK: Nicole is stunned. This is crazy. The only people who should have admin access are the IT teams, not the mayor, not the city council. There’s a concept in security called the principle of least privilege. It means you only give people enough access to the network so that they can do their job and then stop there. Don’t give them any more access. Yeah, well, this concept was totally foreign to this IT company who were doing the exact opposite; giving people the most privilege, so much more privilege that they would never possibly need. For what? Just in case the mayor needs to do some domain changes one day? Aargh! This is a personal pet peeve of mine.

NICOLE: Why in the world do these people have admin access to a server? I’m speechless at this point and that’s a – it’s rare for me to be speechless. [MUSIC] He’s like, oh, well, they log in to check their e-mail. My jaw probably hit the floor at this point. Like, that is not how this works. That is not how any of this is supposed to work.

JACK: As appalling as this is, right now Nicole can’t worry about how insane that set-up is. Her main concern though is that she now has confirmation that the mayor did have easy access to the server. She knows she has to ask him about it. I mean, what other option is there? As far as her investigation goes, he’s the most obvious lead. [MUSIC] They head down to the mayor’s office to question him. As she goes over there, she starts thinking what’s the best approach to this? Do you quiz the mayor somehow on the network to try to prove he knows his way around things? Do you trick him to look the other way and try to grab an image from his computer to analyze it? Nicole arrives at that mayor’s office and what does she choose? To ask him point-blank.

NICOLE: Hey, what were you doing on this date and time?

JACK: But the mayor denies it. He says hey, I wasn’t even at home during that time. I was here, at work.

NICOLE: I’m like okay, so now we have a bigger problem because his IP address has logged him into a server. He’s not at his residence, according to him, so somebody is logged into this server from his IP address.

JACK: [MUSIC] Alright, so at least for me at this point, I’m thinking the mayor might be lying. He could have done some sort of remote connection back to his home, right? Then use his home computer to attack the police department. That’s possible right? But wait; if the mayor was that clever, then he probably wouldn’t have done the attack from his home address. That would just be the smoking gun to ruin his career. Nicole goes through all this mental gymnastics too, trying to come up with possible scenarios. That’s when she remembers something the IT company told her.

NICOLE: He’s like oh, well, they log in to check their e-mail.

JACK: Right. Ah, yes, the dots are connecting; the mayor was home one night, checking his e-mail from his home computer. What’s the dangers of e-mail? [00:20:00] Yeah, you guessed it. Nicole got a chance to examine his home PC to figure it all out.

NICOLE: We were able to show that the mayor ended up being phished. A key logger was deployed on his computer at home. Then when he logged into the server to check his e-mail, they were able to capture those credentials. Because it was the admin, they had access right there.

JACK: The mayor wasn’t some cyber-criminal exacting a vendetta against the police; he was just phished like any of us could have been. This is why the principle of least privilege is so important. Yeah, sure, the mayor may never actually log in as admin to the domain controller but if a hacker gets his login information, that hacker has access to everything. But if the mayor’s privilege was only enough that he could check his e-mail and nothing else, then this ransomware attack would have never been successful in the first place. With some additional investigations, Nicole was ultimately able to trace the real IP address to whoever hacked the mayor back to Europe.

NICOLE: However, that process to get information from another country is tedious and time consuming. To date, there’s nothing that’s been done or any other details that have come up that would be helpful.

JACK: I think this incident really did wake up the city and police department to take security more seriously.

NICOLE: They fired the previous IT company. They were able to hire a new firm, who – just a tremendous company; came in, were able to lock down the city, they were able to lock down the mayor and make sure everybody was good to go.

JACK: Which, of course, wasn’t cheap.

NICOLE: For the police department and the city, in order to upgrade all their systems and networks, it was several hundred thousand dollars.

JACK: [MUSIC] While that sounds like a lot, it’s actually extremely important for the city because of so many reasons. But one big reason is that the attorney general heard about these breaches and cut the police department off from the city’s gateway network. The gateway network connects all the other agencies together. When the police want to do something like look up someone’s license plate number, they have to go through this gateway to get into the DMV and search there. They can also look up property information or tax records, or tattoo descriptions, or court cases, and there’s so much more that goes through this gateway. But the AG revoked their access because their network was insecure. Spending all this money to upgrade their security was important in order to get access to this network again so the police can do their job properly. Besides that, the amount of information this hacker had access to was mind-blowing. I’m not sure they ever even tried to look around to see what was there or if they went straight for the ransomware. But they could have found so much more.

NICOLE: If they would have spent a little bit of time, they could have gained access to all of the traffic from the police cruisers to this server and all their reports, which would have included license plates, all their registration, people’s names, social security, birth dates, so this could have been a really big issue.

JACK (OUTRO): [INTRO MUSIC] A big thank you to our guest this episode, Nicole Beckwith. She’s moved on from the Secret Service and is now doing DFIR work for the private sector. This show is made by me, the not-so smooth operator, Jack Rhysider. This episode was produced and sound-designed by Andrew Merryweather who’s always spinning at a constant 7200 RPM. Editing help this episode by the decompiled Damienne. Our theme music is by the beat-weaver Breakmaster Cylinder. Even though when I was a UNIX admin, I would sometimes write in the MOTD stuff like the DBA team sniffs cats’ butts, I was told this doesn’t cultivate good team relationships and had to remove it, this is Darknet Diaries.



Transcription performed by Leah Hervoly www.leahtranscribes.com