Using OSINT skills for your own protection…

This is probably the most unusual blog post I have ever written here… Oh, well…

TL;DR: My wife and I recently stayed at a pretty expensive hotel. I won’t name and shame, but it’s fair to say they didn’t do the job very well. And after a bit of back and forth with the property management, and some escalations with their senior management, we eventually negotiated a deal with them – we got a partial refund for our, let’s say… not the best experience at their facilities!

You may think it was easy, but it was not. It was definitely a very interesting, humbling even, and at the same time kinda eye-opening experience…

Lesson #1 is this:

Do not book your hotels, apartments etc. via 3rd party sites, f.ex. the ones whose names start with ‘B’ or ‘E’.

Why?

Because when things go bad, hotel and apartment management will not be able to talk to you about your booking, since it is being ‘managed’ via that third party. And that third party, believe it or not, is NOT (at least in my experience) interested in you, your problems, let alone any conflict resolution. They simply ignore you. That’s their ‘management’ style.

Lesson #2 is this:

Find the place you like on any of these booking/hotel sites, but don’t book it there, and instead – find that favorite place’s actual web site, their phone number, and then book directly with the hotel/hostel/apartment/airbnb owner. Once you do it, you will become a direct client of that entity/facility/property. And that gives you at least some rights.

Back to the original story… Let me say first that the organization I discovered to be behind this particular hotel chain was… quite complicated… to say the least. The more I researched them, the more I found. Many layers of ownership, many layers of power, the kind of money in motion that most of us can’t even comprehend… many companies in place, all over the world, and many countries involved. Yes, seriously, billions of dollars in motion.

I literally stood no chance.

But, I was quite pissed off.

And I didn’t even care about the money that much, but I kinda hoped to prove to myself that recognizing the problem early and carefully collecting forensic evidence to document the issues was very important, and that with all that evidence in place I still had some small chance to win _something_ as a customer… Plus, some very basic knowledge of the law that protects me as a customer in the UK helped too (more about it later). So, utilizing all these bits and pieces of random knowledge, plus ensuring my escalation was delivered in a polite, but persistent way, was KEY to achieving that final, positive outcome…

You may ask yourself… How did we even get there?

For our recent holiday we had booked a room at a hotel in a premium location. When we arrived, we were assigned a room that was… peculiar, to say the least. The room was located inside a very old building, and as such, it certainly had that ‘historical old building’ vibe to it, f.ex. the ceilings were at least 4m high, the room decor was very old-school, etc., plus there was also a kitchenette, fridge, and some other basics provided… and with all that ‘old’ vibe around it, it was almost perfect…

Except…

It was also very dirty; wear and tear showed a lot: you could see scuff marks, find actual spiderwebs and dust bunnies, the silicone sealing in the bathroom was full of mould, and the bathroom floor tiles’ grout was washed out too (posing a real risk of hurting our feet cuz the edges of the exposed tiles were actually quite sharp); then there was an integrated fridge with a door that could not be closed properly and was actually leaking; we also found some trash left by previous guests; on top of that, the carpet was probably either 50 years old or the last time it was cleaned was ‘50 years ago’; the room’s furniture was barely holding together; the curtains were heavy, but also had a ‘not washed in the last 2 decades’ feel… and I even spotted and recorded some insects happily parading inside the bathtub… Finally, the room was facing an alley that seemed to be quite popular with many late drunkards… it was noisy throughout the night!

It felt very bait-and-switch.

Basically, what they advertised on the booking web site vs. what they delivered was substantially different.

Luckily, in the UK, there is a Consumer Rights Act that, at least in theory, helps to address situations like this. I used it as the basis for my complaint. As such, while still inside the property, I collected a lot of photos and videos, and after I came back home, I sent these to the Property Managers…

They replied quite quickly, and in a professional manner – they stated that everything I had highlighted in my email was being taken care of, with immediate effect, and they thanked me for reporting the issues, plus, obviously, they were also very sorry.

Interestingly, they also used the chance to tell me that this hotel is not really a hotel, but a minimalistically managed, hotelish-like, longer-stay, more-apartment-than-a-hotel facility. As such, they were not committed to providing housekeeping services frequently, they did not replenish anything in the room unless you asked for it, and… while staying there you are basically simply left to your own devices…

Huh… Seriously….?

That was very interesting for us to hear. When we booked the place we had every expectation of it being a proper hotel room!!! Why? Because we booked it thinking that we were booking an actual Hotel Room – the booking website literally referred to it as such! Ironically, and notably… even today… a few months later… all advertisements for this place all over the booking websites still advertise this property as a proper hotel!!!

But let’s get back to our comms. That Hotel Management’s reply was obviously not very satisfying: call me petty, but I did want to get at least some refund!

After checking their web site, googling around, and trying to find out who the real ‘owners’ of the hospitality function at this hotel chain were, I eventually found this hotel chain’s Country Manager for the UK, and their email address.

My rationale to contact this person directly via email was that:

  • a) I wanted to bypass all the possible controls in place, f.ex. chatbots, support phone lines and emails, all lines of support really, and evade all the controls put in place that make complaining to a human person almost impossible (common practice today)
  • b) I wanted to bypass the direct Hotel Management as well, and talk to their bosses directly – I not only wanted to appeal to reason, but I also wanted to show them how BAD the property they advertise and manage is! (naive me)
  • c) I wanted to leverage my corporate experience, which gives me an advantage in knowing how escalating things via appropriate corporate channels works (not humble to say, but if you work in a corporate environment for a while, you eventually learn how to press some buttons).

So, my email to the Country Manager was pretty brutal, aka very factual. I also made sure that, same as I did with the Hotel Managers, I provided that person with links to an archive saved on my website that included all the photos and videos I took at the property…

The Country Manager reacted in a ‘corporate-nothing-happened’ way at first. BUT, they also honestly stated that they had not seen my videos and photos due to their company’s strict IT security policy that made it impossible for them to download the media archive from some random web site I had placed the media files on…

Huh… Okay… Fair enough.

So, I converted all the iPhone HEIC photos I took at the hotel into smaller JPEGs, and attached them all to my reply email. I also placed the larger video files (without any additional compression/archiving) directly on my web site, so they didn’t need to be unpacked, aka they could be viewed online, directly, after one clicks the media links I placed inside my reply email.

You can see clearly that I was really trying to connect with them 😉

I did all that and sent my response.

There was no answer.

OK…ay….

So, I decided to escalate it further…

At that stage I had already discovered who the CEO of the company is, and her email address as well, so I forwarded the whole email chain to her, including attachments. Surprise, surprise. She was actually OOO 🙁 But… The automated reply indicated who her temporary replacement was… I forwarded the email chain to that ‘temporary replacement person’ immediately. I must note here that both the CEO and her replacement were based in a different country and timezone.

Next morning, 9:00am, I got a quick reply email from the aforementioned UK Country Manager – apparently, she had been unable to answer my earlier emails due to her busy traveling schedule, but given the circumstances (my escalation) she committed to replying to me later that very afternoon…

And that promised reply has arrived, in the afternoon, indeed!

By 4pm I got a lengthy response, in which the Country Manager addressed all the issues I had mentioned, apologized a lot, and then offered me a refund of 30% of the total price for our stay…

I was pretty happy to accept the offer and the case got closed.

What does this example teach us?

We, infosec professionals, are in a unique position to solve our own problems by utilizing OSINT techniques to bypass many modern ‘customer-blocking controls’. We don’t need to talk to ‘bots’, click through a gazillion pointless links, and/or fill in web forms that are never handled/actioned. We can, and should, still find a way to communicate with real people and ensure our business is taken care of by them. And we can communicate these issues better than many other people, because we have a pretty developed understanding of corporate processes, including the collection and presentation of forensic evidence, and of basic security and privacy frameworks and laws…

I sometimes ask myself: did I just pull an infosec ‘Karen’?

I don’t think so. I fought for my rights and these rights were eventually recognized. I didn’t try to pay less than I was supposed to — I just wanted to pay a fair price for a poor quality room offered in the greatest possible city location. And I eventually did.

In 2023, our enemies are not just Threat Actors…

The Hour Between Dog and Wolf

10-15 years ago DFIR / EDR / Threat Hunting were not even a ‘thing’. Apart from law enforcement efforts, and a few consulting companies… there were literally no companies doing this sort of work, and even if they actually did… their focus was primarily on QIRA/QFI (today’s PFI), aka analyzing carding breaches, or analyzing APT attacks targeting the US gov and defense contractors.

At that time my big wishful thinking was that if I had at least a snapshot of volatile logs from the system I wanted to analyze, I would already be better off than if I had to look at the content of the HDD image alone.

Many in this field of course agreed, and even more, often led us all by example, so in the years that followed we went through iterations of different solutions… from basic volatile data acquisition batch/bash scripts, memory acquisition tools, then memory dumpers supported by parsing scripts, and we finally ended up with EDR solutions that feed our logs just-in-time and fulfill our needs very well today.

Are we better off tho?

I am wondering…

The emergence of EDR evasions, living off the land techniques, static EDR rule breakers, the reemergence of macro malware, new code injection techniques, PowerShell obfuscations, supported by exploits, fileless attacks, code signed with stolen certificates, supply chain attacks, etc. makes me believe that… EDR is going to be for a host what IDS/IPS ended up being for a network.

At first we all got power drunk with firewall/IDS/IPS/proxy capabilities… a few years later though, many companies literally ignore alerts from these systems as they generate too much noise.

I see a similar trend with EDR.

By comparison… we are very used to AV generating many alerts (especially when AV is configured in a paranoid and/or ‘heuristic’ and/or reputation-check state), but AV itself is still a pretty high-fidelity business. And we often ignore the AV alerts that are lower fidelity.

When EDR joined the alerting battleground we at first thought it was going to add a lot of value. After a few years of experience, we now face the very same alert fatigue we experienced with firewalls, IDS, IPS, AV, and proxies. Same old, same old. Just a different marketing spiel.

Along came Threat Hunting… a discipline that is hard to define, but it somehow got its foundation solidly embedded in many companies thanks to the MITRE ATT&CK Framework. Today’s definition of Threat Hunting is pretty much ‘the act of MITRE ATT&CK implementation in your org’. It is actually far more serious than it sounds because it is far more difficult than many people think. You get to implement a lot of detection in your own environment. One that almost by definition is poorly managed, doesn’t have a proper asset inventory, and where enforcement of rules is hard. It’s fun, but it’s VERY tough in practice. Yes, in practice, we walk through all the known MITRE tactics and techniques, we cross-reference them with our own org’s threat modelling/log situation and then come up with new alerts/dashboards that help us to cherry-pick the bad stuff… hah… very easy… is it not…
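As an added example (not the author’s code), here is a small Python cross-reference of the kind described above: real ATT&CK technique ids with simplified data-component mappings, checked against a constructed inventory of ingested telemetry and a constructed list of existing rules, so that a rule nobody feeds shows up as a gap instead of counting as coverage. The inventory and rule names are made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Technique:
    tid: str                     # ATT&CK technique id
    name: str
    data_components: frozenset   # ATT&CK data components the technique is observable in

# Constructed subset of ATT&CK techniques with simplified data components; not a full export.
TECHNIQUES = [
    Technique("T1059.001", "PowerShell", frozenset({"Command: Command Execution", "Script: Script Execution"})),
    Technique("T1053.005", "Scheduled Task", frozenset({"Scheduled Job: Scheduled Job Creation", "Process: Process Creation"})),
    Technique("T1003.001", "LSASS Memory", frozenset({"Process: OS API Execution", "Process: Process Access"})),
    Technique("T1071.001", "Web Protocols", frozenset({"Network Traffic: Network Traffic Content"})),
]

# Constructed org inventory: which data components are actually ingested today.
LOG_SOURCES = {
    "Command: Command Execution": True,
    "Process: Process Creation": True,
    "Process: Process Access": False,  # the sensor exists, but this feed is switched off
}

# Constructed list of existing rules and the technique ids each one claims to cover.
DETECTIONS = {"ps_encoded_command": {"T1059.001"}, "lsass_handle_open": {"T1003.001"}}
SEVERITY = {"blind": 0, "rule_without_telemetry": 1, "telemetry_without_rule": 2, "covered": 3}

def coverage_report(techniques=TECHNIQUES, log_sources=LOG_SOURCES, detections=DETECTIONS):
    """Cross-reference each technique with ingested telemetry and existing rules."""
    rules_for = {}
    for rule, tids in detections.items():
        for tid in tids:
            rules_for.setdefault(tid, set()).add(rule)
    report = {}
    for t in techniques:
        have = {dc for dc in t.data_components if log_sources.get(dc)}
        rules = rules_for.get(t.tid, set())
        if rules and have:
            status = "covered"
        elif rules:
            status = "rule_without_telemetry"  # rule exists but nothing feeds it: a silent gap
        elif have:
            status = "telemetry_without_rule"  # logged but never alerted on: hunting backlog
        else:
            status = "blind"
        report[t.tid] = {"name": t.name, "status": status, "telemetry": sorted(have), "rules": sorted(rules)}
    return report

def gaps(report):
    # Technique ids that still need work, worst first.
    return sorted([t for t, r in report.items() if r["status"] != "covered"], key=lambda t: SEVERITY[report[t]["status"]])
```

Run `gaps(coverage_report())` to get the worklist; in a real org the three constructed dictionaries would be generated from the ATT&CK STIX export, the SIEM’s ingestion config and the rule repository.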

So…

Now we have tons of alerts from ‘high-fidelity’ alert sources: AV, IDS/IPS, proxy, WAF. Then we have middle/low fidelity alerts from EDR/AV/IDS/IPS/WAF/proxy. Then we have very FP-prone alerts / dashboards from Threat Hunting activities.

What is next?

I do believe it’s time to go deeper and trace users’ activity on a spyware level. Ouch. Yes. I said it. It’s a very difficult topic from a legal perspective, but imho it’s the only way to link users’ actions to the actual events we see on our blinkenlight boxes. Only if we can establish a solid link between a user clicking certain GUI elements, typing certain commands, credentials, etc. can we be sure that we can provide context for the events we observe in our logs. I mean… seriously… if we need to spend a lot of resources trying to link multiple Windows Event Logs together to narrow down activity that could be easily tracked to the actual user’s behavior… then why not do it the other way around? Follow the user’s behavior and track it at a high level.

It’s not the first time I refer to this topic, but I guess it finally has to be said: you can’t fully monitor the box if you don’t monitor its users’ activities _fully_.

Welcome to the world of next-gen, panopticon EDR solutions of tomorrow.

And for the record… take any advanced OCR/ICR dictionary software, desktop enhancer, IME, accessibility suite, etc. and then you realize that, at least for the Windows platform, the problem of tracking/monitoring the UI and the data flow, as well as user interaction, is already solved. Did I mention the existing spyware solutions used in Enterprise environments? EDR can be cool, but will never be as cool as a proper keylogger…

Time to hook more APIs, EDR vendors…