Hacking Xmas
Day 14

jakec / dec 2020

While most of us spent the late aughts and early-to-mid teens finding new ways to perform for our friends online, marketers and black hat hackers were lapping it up. Suddenly there were hoards of new information available for potential targets that one barely had to work for. It was given out for free all in the name of Web 2.0: user-created content, openness, connectivity. If it sounds like I'm naysaying that idealism, I actually feel the opposite. That ethos of togetherness and online community should be what the web is all about. We should celebrate and protect those ideals. But without some extra perspective, it was all too easy for others to take advantage of it. That's what today's challenge covers, trying to dig up as much info on Rudolph as we can using OSINT.

OSINT, or open-source intelligence, used to involve dumpster diving for discarded mail or investigating public records to gain more information about a target. Now it's expanded to involve social media and all the detritus you've scattered across your years on the web. Once you're in the security mindset, it's hard not to think about OSINT at all times. When I'm sharing photos near my house, I'm thinking about visible street signs or identifiable landmarks. When I write about work, I'm thinking about how to share expertise or commentary without mentioning specific software or hardware that would make an attacker's recon that much easier. Even in places like certain message boards where I'm completely pseudonymous, where not even my friends know my account name, I try not to give too much away. Not that I'm a person of particular interest, but if I ever become so to anyone for whatever reason, I'd rather protect what spaces I can. Stans have become proficient at uncovering this stuff. Lorde couldn't even keep her onion ring-reviewing blog a secret for long. And they do it for free; what about paid investigators like Ashley Feinberg, who made a beat out of uncovering politicians' secret social media accounts? You never know when someone is going to pull at a thread and unravel your whole alter ego.

So on to Task #1:

While hunting and searching for any hints or clues
Santa uncovers some details and shares the news
Rudolph loved to use Reddit and browsed aplenty
His username was 'IGuidetheClaus2020'

So right away we know Rudolph has a Reddit account called IGuidetheClaus2020. If we go to his profile we can start answering questions. His birthplace? Chicago. His creator's name? Robert L May. Also he mentions that "Some days I love Twitter." So let's search for his Reddit username on Twitter and see what turns up.

Sweet. We can answer some more questions. Reading his tweets, we find out his favourite show is The Bachelorette and that he took part in a recent parade. Where was it?

In one of the photos, there's a sign that looks like a company sponsoring the parade, "Thompson Coburn". Since companies tend to do more for their PR than just put a sign next to a float, there's probably an article or press release about this somewhere. Searching for "thompson coburn parade" turns up this article: "Thompson Coburn 'floats' down Michigan Avenue in first Magnificent Mile Lights Festival appearance." Which would place the parade in Chicago.

Now we need to find the latitude and longitude of where the photo was taken. When most cameras take a photo, they embed the photo with a bunch of neat metadata: the camera model, f-stop, ISO, a timestamp, things like that. Sometimes they also use the camera or phone's GPS receiver to store location data. It's called Exif data and it should be a matter of uploading Rudolph's photo to one of many Exif data extraction tools and finding the latitude and longitude. Unfortunately, when you upload a photo to Twitter (or Facebook or many other sites), the Exif data is stripped for privacy reasons, i.e. so people can't do exactly what we're trying to. Fortunately, Rudolph linked to an external site with a higher resolution version of the photo. Plugging it into this site gives us the lat and long of where the photo was taken as well as some extra info: a special flag to answer the next question.
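To see what those extraction tools actually read, and to check your own photos before you post them anywhere that doesn't strip metadata, here is an added example (not from the original challenge or any tool mentioned above) that walks a JPEG's Exif segment with only the Python standard library and converts the GPS tags to decimal degrees. The function names and the sample image are made up for illustration; the coordinates are constructed, not the ones from Rudolph's photo.

```python
import struct

def _ifd(t, e, off):
    """Parse one TIFF IFD into {tag: raw 4-byte value/offset field}."""
    (n,) = struct.unpack(e + "H", t[off:off + 2])
    return {struct.unpack(e + "H", t[p:p + 2])[0]: t[p + 8:p + 12]
            for p in range(off + 2, off + 2 + 12 * n, 12)}

def _gps(t):
    e = "<" if t[:2] == b"II" else ">"            # TIFF byte-order mark
    u32 = lambda b: struct.unpack(e + "I", b)[0]
    ifd0 = _ifd(t, e, u32(t[4:8]))
    if 0x8825 not in ifd0:                         # 0x8825 = pointer to the GPS IFD
        return None
    gps = _ifd(t, e, u32(ifd0[0x8825]))
    if not gps.keys() >= {1, 2, 3, 4}:             # LatRef, Lat, LonRef, Lon
        return None
    def coord(ref, val):                           # three rationals: deg, min, sec
        d = struct.unpack(e + "6I", t[u32(gps[val]):u32(gps[val]) + 24])
        deg = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
        return -deg if gps[ref][:1] in (b"S", b"W") else deg
    return coord(1, 2), coord(3, 4)

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from a JPEG's Exif GPS tags, or None."""
    pos = 2                                        # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _gps(jpeg[pos + 10:end])
        pos = end
    return None

def build_sample():
    """Constructed JPEG stub: SOI, one Exif APP1 (10°30'N, 20°15'W), EOI."""
    u32 = lambda n: struct.pack("<I", n)
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val
    t = b"II*\0" + u32(8) + struct.pack("<H", 1) + ent(0x8825, 4, 1, u32(26)) + u32(0)
    t += struct.pack("<H", 4) + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, u32(80))
    t += ent(3, 2, 2, b"W\0\0\0") + ent(4, 5, 3, u32(104)) + u32(0)
    t += struct.pack("<12I", 10, 1, 30, 1, 0, 1, 20, 1, 15, 1, 0, 1)
    app1 = b"Exif\0\0" + t
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

SAMPLE = build_sample()
print(exif_gps(SAMPLE))                 # image carrying GPS tags
print(exif_gps(b"\xff\xd8\xff\xd9"))    # image with no Exif segment at all
```

A result of None is what you want to see for anything you're about to publish yourself.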

Next, the challenge asks: "Has Rudolph been pwned? What password of his appeared in a breach?" A "breach" is a database of passwords which have been stolen from a website. Mostly they're sold or distributed privately, but a lot of them are aggregated and indexed by security researchers for people to search. (This is why it's so important to have a strong, unique password.) Rudolph's Twitter bio lists his email as "rudolphthered@hotmail.com". By plugging that into a public breach database like Scylla, we can see one password associated with that email has been hacked: "spygame". Hopefully he's changed his password since then!

Finally, we need to find the address of the hotel Rudolph was staying in. He mentioned it was right across the street from where the parade photo was taken. If we just paste our coordinates from the photo's Exif data into Google Maps, it'll take us to the location.

And the closest hotel? Chicago Marriott, 540 North Michigan Ave, Chicago IL. It's that easy. So next time your favourite celebrity, like that guy who played Sherlock in Netflix's Enola Holmes, comes to your town, you know just what to do.