Using OSINT skills for your own protection…

This is probably the most unusual blog post I have ever written here… Oh, well…

TL;DR: My wife and I recently stayed at a pretty expensive hotel. I won’t name and shame, but it’s fair to say they didn’t do the job very well. And after a bit of back and forth with the property management, and some escalations with their senior management, we eventually negotiated a deal with them – we got a partial refund for our, let’s say… not the best experience at their facilities!

You may think it was easy, but it was not. It was definitely a very interesting, humbling even, and at the same time kinda eye-opening experience…

Lesson #1 is this:

Do not book your hotels, apartments etc. via 3rd party sites, f.ex. the ones whose names start with ‘B’ or ‘E’.

Why?

Because when things go bad, hotel and apartment management will not be able to talk to you about your booking, since it is being ‘managed’ via that third party. And that third party, believe it or not, is NOT (at least in my experience) interested in you, your problems, let alone any conflict resolution. They simply ignore you. That’s their ‘management’ style.

Lesson #2 is this:

Find the place you like on any of these booking/hotel sites, but don’t book it there, and instead – find that favorite place’s actual web site, their phone number, and then book directly with the hotel/hostel/apartment/airbnb owner. Once you do it, you will become a direct client of that entity/facility/property. And that gives you at least some rights.

Back to the original story…. Let me say first that the organization that I discovered to be behind this particular hotel chain was… quite complicated… to say the least. The more I was researching them, the more I was finding. Many layers of ownership, many layers of power, the kind of money in motion that most of us can’t even comprehend… many companies in place, all over the world, and many countries involved. Yes, seriously, billions of dollars in motion.

I literally stood no chance.

But, I was quite pissed off.

And I didn’t even care about the money that much, but I kinda hoped to prove to myself that recognizing the problem early and carefully collecting forensic evidence to document the issues was very important, and that with all that evidence in place I still had some small chance to win _something_ as a customer… Plus, the actual, very basic knowledge of the law that protects me as a customer in the UK helped too (more about it later). So, utilizing all these bits and pieces of random knowledge, plus ensuring the process of delivering my escalation was done in a polite, but persistent way was KEY to achieving that final, positive outcome…

You may ask yourself… How did we even get there?

For our recent holiday we had booked a room at a hotel in a premium location. When we arrived, we got assigned to a room that was… peculiar, to say the least. The room was located inside a very old building, and as such, it certainly had that ‘historical old building’ vibe to it, f.ex. the ceilings were at least 4m high, the room decor was very old-school, etc., plus there was also a kitchenette, fridge, and some other basics provided… and with all that ‘old’ vibe around it, it was almost perfect….

Except…

It was also very dirty, wear and tear did show a lot, you could see scuff marks, find actual spiderwebs and dust bunnies, the silicone sealing in the bathroom was full of mould, and the bathroom floor tiles’ grout was washed out too (posing a real risk of hurting our feet cuz the edges of the exposed tiles were actually quite sharp), then there was an integrated fridge that had a door that could not be closed properly and was actually leaking, and we also found some trash left by previous guests, and on top of that – the carpet was probably either 50 years old or the last time it was cleaned was ’50 years ago’, then the room’s furniture was barely holding together, the curtains were heavy, but also had a ‘not washed in the last 2 decades’ feel… and I even spotted and recorded some insects happily parading inside the bath tub… Finally, it was a room that was facing an alley that seemed to be quite popular with many late drunkards… — it was noisy throughout the night!

It felt very bait-and-switch.

Basically, what they advertised on the booking web site vs. what they delivered was substantially different.

Luckily, in the UK, there is a Consumer Rights Act that, at least in theory, helps to address situations like this. I used it as a base for my complaint. As such, while still inside the property, I collected a lot of photos and videos, and after I came back home, I sent these to the Property Managers…

They replied quite quickly, and in a professional manner – they stated that everything I had highlighted in my email was being taken care of, with immediate effect, and they thanked me for reporting the issues, plus, obviously, were also very sorry.

Interestingly, they also used the chance to tell me that this hotel is not really a hotel, but a minimalistically managed, hotelish-like, longer-stay, more-apartment-than-a-hotel facility. As such, they were not committed to providing housekeeping services frequently, they did not replenish anything in the room unless you asked for it, and… while staying there you are basically simply left to your own devices…

Huh… Seriously….?

That was very interesting for us to hear. When we booked the place we had all the expectations of it being a proper hotel room!!! Why? Because we booked it thinking that we were booking an actual Hotel Room – the booking website literally referred to it as such! Ironically, and notably… even today… a few months later… all the advertisements for this place that are all over the booking websites still advertise this property as a proper hotel!!!

But let’s get back to our comms. That Hotel Management’s reply was obviously not very satisfying: call me petty, but I did want to get at least some refund!

After checking their web site, googling around, and trying to find out who the real ‘owners’ of the hospitality function at this hotel chain are, I eventually found this hotel chain’s Country Manager for UK, and their email address.

My rationale to contact this person directly via email was that:

  • a) I wanted to bypass all the possible controls in place, f.ex. chatbots, support phone lines and emails, all lines of support really, and evade all the controls put in place that make complaining to a human almost impossible (common practice today)
  • b) I wanted to bypass the direct Hotel Management as well, and talk to their bosses directly – I not only wanted to speak to reason, but I also wanted to show them how BAD the property they advertise and manage is! (naive me)
  • c) I wanted to leverage my corporate experience that gives me an advantage in knowing how escalating things via appropriate corporate channels works (not humble to say, but if you work in a corporate environment for a while, you eventually learn how to press some buttons).

So, my email to the Country Manager was pretty brutal aka very factual. I also made sure that, same as I did with the Hotel Managers, I provided that person with links to an archive saved on my website that included all the photos and videos I took at the property….

The Country Manager reacted in a ‘corporate-nothing-happened’ way at first. BUT, also, honestly stated that they had not seen my videos and photos due to their company’s strict IT security policy that made it impossible for them to download the media archive from some random web site I placed the media files on…

Huh… Okay… Fair enough.

So, I converted all the iPhone HEIC photos I took at the hotel into smaller JPEGs, and attached them all to my reply email. I also placed the larger video files (without any additional compression/archiving) directly on my web site, so they didn’t need to be unpacked, aka they could be viewed online, directly, after one clicks the media links I placed inside my reply email.
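For anyone who wants to repeat that step without clicking through an image editor, here is an added example (not part of the original post, and not the author’s own script): a small POSIX shell script that batch-converts HEIC photos into resized JPEGs using whichever converter is already installed. It assumes either macOS `sips` or ImageMagick built with libheif (`magick` or `convert`) is present; the 1600px long-side cap and JPEG quality of 80 are arbitrary choices I picked, not values from the post.

```shell
#!/bin/sh
# Added example: convert iPhone HEIC photos to smaller JPEGs so they can be
# attached to an e-mail instead of being served from a personal web site that
# a corporate web filter may block. Assumes `sips` (macOS) or ImageMagick with
# libheif (`magick`/`convert`) is installed; MAX_SIDE and quality are my picks.

MAX_SIDE_DEFAULT=1600

# Map an input name to the JPEG it will be written as; non-HEIC names fail.
jpeg_name() {
    case "$1" in
        *.HEIC|*.heic) printf '%s.jpg\n' "${1%.*}" ;;
        *) printf '%s\n' "$1"; return 1 ;;
    esac
}

# Report which converter is on PATH: sips, magick, convert, or none.
pick_converter() {
    if command -v sips >/dev/null 2>&1; then echo sips
    elif command -v magick >/dev/null 2>&1; then echo magick
    elif command -v convert >/dev/null 2>&1; then echo convert
    else echo none
    fi
}

# Convert one file, shrinking the longer side to at most $2 pixels
# (default MAX_SIDE_DEFAULT) and writing a quality-80 JPEG next to it.
convert_heic() {
    src="$1"
    max="${2:-$MAX_SIDE_DEFAULT}"
    dst="$(jpeg_name "$src")" || { echo "skip: $src is not a HEIC file" >&2; return 1; }
    case "$(pick_converter)" in
        sips)    sips -s format jpeg -s formatOptions 80 -Z "$max" "$src" --out "$dst" >/dev/null ;;
        magick)  magick "$src" -resize "${max}x${max}>" -quality 80 "$dst" ;;
        convert) convert "$src" -resize "${max}x${max}>" -quality 80 "$dst" ;;
        none)    echo "no HEIC converter found (install ImageMagick with libheif)" >&2; return 2 ;;
    esac
}

# Usage: sh heic2jpg.sh IMG_*.HEIC
for f in "$@"; do
    convert_heic "$f"
done
```

The converter check is deliberate: when neither tool is present the script exits with a message instead of silently producing nothing, which is the failure you want to notice before pressing send. The `>` in the ImageMagick geometry only shrinks images that are larger than the cap, so already-small photos are left at their native size.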

You can see clearly that I was really trying to connect with them 😉

I did all that and sent my response.

There was no answer.

OK…ay….

So, I decided to escalate it further…

At that stage I have already discovered who the CEO of the company is, and her email address as well, so I forwarded the whole email chain to her, including attachments. Surprise, surprise. She was actually OOO 🙁 But… The automated reply indicated who her temporary replacement is… I forwarded the email chain to that ‘temporary replacement person’ immediately. I must make a note here that both the CEO and her replacement were based in a different country and timezone.

The next morning, at 9:00am, I got a quick reply email from the aforementioned UK Country Manager – apparently, the person had been unable to answer my earlier emails due to her busy traveling schedule, but given the circumstances (my escalation) she committed to replying to me later that very afternoon…

And that promised reply has arrived, in the afternoon, indeed!

By 4pm I got a lengthy response, where that Country Manager addressed all the issues I mentioned, apologized a lot, and then offered to give me a refund of 30% of the total price for our stay…

I was pretty happy to accept the offer and the case got closed.

What does this example teach us?

We, infosec professionals, are in a unique position to help with our own problems by utilizing OSINT techniques to bypass many of the modern ‘customer-blocking controls’. We don’t need to talk to ‘bots’, click through a gazillion pointless links, and/or fill in web forms that are never handled/actioned. We can, and should, still find a way to communicate with real people and ensure our business is taken care of by them. And we can communicate these issues better than many other people, because we have a pretty developed understanding of corporate processes, including the collection and presentation of forensic evidence, and of basic security and privacy frameworks and laws…

I sometimes ask myself: did I just pull an infosec ‘Karen’?

I don’t think so. I fought for my rights and these rights were eventually recognized. I didn’t try to pay less than I was supposed to — I just wanted to pay a fair price for a poor quality room offered in the greatest possible city location. And I eventually did.

In 2023, our enemies are not just Threat Actors…

10 years of IT SEC everything and nothing

In 2008 I joined a security consulting company in London trying to do something different. After working for an antivirus company for a while I wanted a change. I had been looking for a job in London for nearly a year… so…. when this magic consulting opportunity popped up I jumped on it, even if I had to sacrifice a bit of a salary cut. And… I had never done security consulting work prior to that, plus I am/was/will be always quite anti-social… so… understandably… I was terrified.

In my new role I got to do work for two ‘branches’ of the company’s security team:

  • one that did pentesting, code reviews, and forensic work on credit card breaches (PCI) in the private sector, and
  • the other one that I would only occasionally support: the forensic team that did the ‘heavy on the mind’ work for law enforcement.

Without going into details: I had to quickly learn a new set of soft and technical skills, fail miserably both in acquiring them and using them on my first IR gig, learn to appreciate the fact that I am not the smartest in the room, or that ‘technical knowledge alone’ doesn’t actually sell, and kinda by accident… eventually start adapting to this new, emerging DFIR market.

Having reverse engineering skills helped a lot. I was able to quickly make some sort of impression on a number of people – both peers and clients; I was ‘flying’ through the samples they were sending my way and was providing them answers faster than anyone else could.

Good.

This helped, and became ‘my thing’ in the next consulting company I worked for as well; it helped the company win some brownie points with a number of customers, and organizations, and most importantly – the relationships I built at that time I still cherish today.

You may be wondering why I am writing this?

Mid-life crisis? Mental breakdown?

Hmm probably, but not really, I hope 🙂

10 years later I must admit I think of these times with a bit of nostalgia, and, probably like many people in the industry who share a similar experience, I can’t think of it any other way than ‘what a crazy decade it was, but I loved it’… We all literally not only witnessed, but also helped to build a new industry!

Soon after I entered this forming ‘scene’ we had an avalanche of reports in the news: Aurora and the APT craze, Stuxnet, a torrent of never-ending white papers about state-sponsored attacks, the Snowden leaks, any leaks really, LulzSec, Anonymous, POS malware, ATM malware, more ATM malware, lots of hacking stunts; even the migration from old-school social media to new became a thing: blogs to Twitter, then random coding web sites migrated to Google Code, GitHub, and Usenet and CodeGuru/CodeProject to Stack Overflow, and so on and so forth… oh, and let’s not forget the ‘everyone is now coding in Python’ bit – the coding lingua franca du jour replacing Perl, bash, VBS, C and everything else, and then the decompilation magic of the Hex-Rays decompiler, the ‘wow’ effect of the first iPhone jailbreaks, superawesome Pwn2Own awards, Project Zero, the new security measures (ASLR, DEP, etc.), the development of sandboxes, spy companies being hacked and doxed, then the emergence of ‘new’ security industry branches: threat intelligence, EDR, and threat hunting, and tons of new reversing and forensic projects that completely changed the way we do things from manual to automation and conquered new platforms (Volatility, plaso, SIFT, Autopsy, x64dbg, radare2, remote forensics, etc.). Lots of new great & strong researchers and developers joined the community as well, plus, we even started sharing! And while a bit less related – we observed lots of company acquisitions — bye bye boutique companies. Welcome to big business taking over. And… yeah… imagine that 20 years ago… Windows now hosts Linux.

WTH?!

For me personally, luck put me in the shoes of a programmer, localization engineer, writer, an investigator of early PCI DSS breaches, forced me to do some pentesting (not the biggest fan, for some reason it doesn’t click with me), and code reviews, then people management, project management, some compliance work, accounting, company secretary, and finally introduced me to a number of super smart individuals. And in the end these experiences helped me land more interesting jobs at a number of companies I would never have dreamt of joining (ok, partially, because I didn’t even know they existed! :)).

As they teach you during an MBA – people networking is the key. And it’s the people networking that I never believed in too much… that somehow happened accidentally! This decade was probably the first time in my life I felt I was in the right place at the right time. The Hexacorn project was built upon all this sentiment and excitement; the ideas I had sat on for a long time eventually had their outlet and I launched it in October 2011. Simultaneously, between 2011-2018, for 7 years, I held FTE jobs at various fintech companies while spending my private time cracking problems for my Hexacorn clients and doing research. To be honest, I do hope I can come back to it in the future, but now I am taking a break (it actually feels good to just focus on one [new to me] thing and not have to work till 2-3am on the moonlighting projects).

Again, why the heck am I writing this?

As you throw yourself deep into one of these ‘specific’ infosec subjects, be it reversing, forensics, log analysis, SOC, CERT function, threat intel, threat hunting, writing tools, or even less work-related events: attending conferences, doing networking and blogging…. the other trends in the industry progress at a really rapid pace!

You kinda know it, you feel it, and have it within your hand’s reach until one day you wake up to realize that other than the articles or their headlines…. you know nothing about the new OWASP Top 10, CPU bugs, cryptominers, IoT, ICS, Cloud, 2FA standards and bypasses, smartphones’ internals, and yes, even JavaScript – many of which you probably or kinda knew by heart back in the day(!), let alone new network protocols, new HTTP headers, new rules enforced by browsers, GDPR, the introduction of WebSockets, WebAssembly, completely new types of vulnerabilities, pentesting tricks, and tons of other things, including the ever-growing vendor offerings, more and more bug bounty programs… and also – your knowledge about other stuff that is getting really old is actually… declining. Yup, while we are constantly looking at all the ‘new’, who has the time to revisit these old RFCs?

The never-ending paradox of being in the middle of it, but also totally outside of it is… well… quite depressing.

We can’t forget about our progressing age either.

You now work with a new generation of security pros who know more, think faster, and know everything about the ‘current state of affairs’ more than you
+
I don’t know what they do, but they seem to know all the memes better than me!!!

Yet another reason to feel obsolete, redundant – I guess it’s time to give up and retire.

Right?

From ‘the youngest chap in the room’ a few years ago you suddenly become ‘the oldest one’…

Ouch.

How the heck did THAT happen?

As you get engaged with the younger, and smarter, as you talk, as you read what they write, as you feel their excitement you will hopefully realize that your experience actually does have a bit of a benefit. First of all, you can quickly adapt. Secondly, you have ‘seen it all’ (okay, lots of it, at least). Thirdly, they are not against you, and may even see you as a teacher and friend – and on that note – you can learn a lot from them too! If you are lucky, they are actually like you, or better than you, greedy for knowledge, really fast, and just a bit younger. You may become their mentor, but also… their mentee.

And with that… time for an explanation: why did I write all this…

Over XY years ago almost all my buddies at the uni were learning Java. It was the FUTURE.

While they were talking UML, Eclipse, etc. I was focused on x86 assembly language, the art of cracking games, bypassing protectors, and understanding how demoscene demos and viruses are made. Most of these guys were shrugging it off – I was just a weirdo and had my weird hobby… While they became unbeatable masters of Java, I got to skim through stuff, and learn and program some of that Java (my BSc project was Java-based!), I got to use my x86 / x64 asm skills a lot, I got to learn how to C, Pascal, Delphi, VB, VBA, VBS, Unix, Windows, OS X, basic Objective-C, use tools, build my own tools, and face a lot of challenges they will never face (e.g. cracking a password for a very obscure private application), etc… And most importantly, I never learned _any_ of it fully. Yup, I ended up being the sad Jack of all trades.

Is that wrong?

I don’t think so. I learn new stuff every day, I constantly ‘index’ interesting bits from every blog/tweet I read, and while I am aware my knowledge is becoming obsolete every single day, no doubt, I know that I am also capable of things, given an opportunity.

I think we are forced more and more to be IT Security generalists. Ones with an interest in and capability to deep dive if necessary, and in many topics new to us. We don’t actually build things anymore. We delegate. We try to understand the big picture, but more importantly – we try to understand it in a security context. And then in a business context. So that we can delegate with guidance. Over and over again I learn that people outside of IT SEC don’t know what I am talking about and it always takes an effort to explain this stuff to others. No, they don’t know what you do. They don’t care/know/couldn’t be bothered. So, you need to explain, explain again, and then rinse and repeat. By the sole nature of being on this cutting edge we end up being preachers, educators, and yeah, as some describe themselves – evangelists or strategists.

One thing is for sure, it’s not for everyone. It’s not comfy to know only 10-15% of it. ‘Real’ developers or architects won’t like it. ‘Real’ pentesters won’t like it. ‘Real’ compliance guys won’t like it. And ‘real’ hardcore forensics analysts or ‘firewall’ guys won’t like it either… IT Sec is now a soup of everything else, an amoeba, an amalgam, sometimes a bit of a mess that hits the fan – to deal with it you need to feel comfy with… the chaos.

Perhaps this post is my way of dealing with the impostor syndrome. Perhaps it’s just a fake infosec wisdom I am pretending to understand. One thing for me _IS_ sure, and I will preach it to everyone who dares to listen: never rest on the laurels. While I am looking back at my past I must honestly admit that in my own eyes I did commit this sin twice in my career and it took me a long time to catch up afterwards. Each time.

So… DO NOT REST ON LAURELS.

As long as you don’t rest on laurels, you are an impostor with a purpose – probably the only meaning of our infosec life…