How Ken Westin jailed at least two dozen people using software, social media, and a few snappy search tools


Ken Westin is an online stalker. He follows people through social media sites, Internet community forums, online maps and emails. He digs out secrets locked up in digital photographs, and uses them to build alarmingly complete pictures of his targets. Luckily for the likes of you and me, those targets are criminals, and he uses his skills for good.

Westin, who is senior security analyst for the Office of the CTO at security firm Tripwire, is one of the speakers at this year’s SecTor conference. In his presentation, Confessions of a Professional Cyberstalker, he’ll be talking about the tools and techniques that he uses to find his mark.

He started his professional life as an administrator, configuring servers, before working with a security company that made a device fraud detection system. This got him interested in USB Trojans, and he began developing his own USB security research tools, including USB Switchblade, a tool that ran from a USB key and extracted password hashes and browser histories from a host machine.

“Around that time I started working on my masters and had to pick a product for my dissertation,” he said. He decided to create a system that would make a stolen device send information back to the person that it had been stolen from. “I was the first person to help recover a stolen iPod,” he said.

From there, he developed laptop and mobile software to do the same thing, and turned it into an advanced device recovery tool called GadgetTrak.

A treasure trove of stolen goods

This path paved the way for Westin to get involved in criminal investigations, and he now works regularly with law enforcement to recover more than just stolen laptops.

“Rarely does one laptop get stolen and that’s it,” he points out. The types of people that steal computers and mobile phones often have other things going on. “The device turns into a Trojan horse that highlights other activities like drugs, illegal firearms, and carjacking by organised crime groups.”

In one case, computer tracking software took a photo of the person using a stolen laptop. When the positioning system told Westin where the computer was, cops visited the location. The user of the stolen machine was the owner of a tattoo parlour, and in the back of the place was a treasure trove of other stolen stuff.

“Sometimes we have so much evidence, even if the person wasn’t in control of the laptop at the time, we can prosecute for all of the other stolen property,” he said.

Passive fingerprinting

For Westin and the law enforcers that he works with, tracking a stolen device is often only one component of an investigation. He has become an expert at passive fingerprinting, in which he gathers information about individuals through publicly accessible online clues. This ‘light leakage’ reveals facts that Westin can piece together, leading him straight to the perpetrators – usually armed with probable cause.

“There is lots of data out there, and sometimes it seems like one piece of information may not map back to us, but when I start drawing connections then I can tie fragments of data back to you,” he said. “I can develop a rich profile of an individual – who they are, where they are, where they’ve been, what their personalities are like, and how much money they make.”

Westin will touch on this during his talk at SecTor 2015, explaining some of the tools and techniques that he uses to track a criminal down. They have led him down some interesting paths.

Follow the clues

Often, the clues begin when a thief tries to reconfigure a computer that they have stolen. When they change the username on the computer, the tracking software notifies him, and more often than not, they use their real name. At this point, the software has typically also given him a photo of the person, and their city.

“That’s where it starts. With a name and a city I could identify a person. I could find their Facebook profile and then learn a lot about them,” he said.

He might also be able to find any usernames that they are using, and see if they use them somewhere else. This helped him when he tracked a stolen laptop from Portland to Missouri, where he had the perp’s name.

“I was able to get a lot of information about him. He was selling used car parts on eBay, and I also found he participated in Scion forums,” he said. He had posted pictures of his own car. “So then, I had the license plate numbers. From that, we had the address.”

Smile for the camera

Photos play an important part in Westin’s investigations. He developed a system called CameraTrace, which he describes as a “giant search engine of images”. It indexed all of Flickr, along with several other social media sites, and extracted information about camera serial numbers, which higher-end cameras often embed into the digital photographs that they take.

One pro photographer, John Heller, lost $9,000 of equipment in 2010, after a thief snatched it from the Egyptian theater in Los Angeles. A year later, he searched for his camera using the service and got a hit – via an image posted to another photographer’s Facebook page. The photographer had purchased it from an online seller, and this information eventually led them to the thief. Heller got his camera back.

Losing the battle for privacy

The opportunities for passive fingerprinting are only getting larger, believes Westin. New technologies such as the Internet of Things are creating a larger digital footprint in new and worrying ways.

“A lot of manufacturers are creating devices that connect to others, and there are unique identifiers in there, such as usernames or IDs that map to a running web site,” he said, adding that this data – including location information – may be misused, either intentionally or unwittingly.

“There is a lot of information out there that can be tied to an individual or an activity,” he warned. “I don’t worry so much about the devices themselves being vulnerable. I worry about the data that they’re sending to third party devices. As we’ve seen, organizations aren’t good at securing that data.”

That marriage of data ubiquity and institutional insecurity is creating a perfect storm, worries Westin. “We’ve opened Pandora’s box. Everything is imprinted to digital,” he warns. “Just look at the OPM and IRS breaches. You don’t have control over those. You never gave anyone permission.” But even though the 7% of US citizens exposed by these breaches didn’t do anything to leak their data, it is still out there with the attackers.

Now, people are on the grid by default, even if they have never used the Internet or owned a cellphone, he concludes. “There really isn’t a 100% way to protect your privacy.”

At SecTor this October, he’ll explain how anyone with an interest can use his cyberstalking techniques to stalk their targets – and talk about some steps that people can take to at least mitigate the damage.

Interested in finding out more? Register at SecTor, which takes place at Metro Toronto Convention Centre in downtown Toronto on October 20-21, with a training day on October 19.