11 Aug 2023
How I Found Your Password, and Other Advanced Data Hoarding Techniques
"Research & Destroy (RaD) is a private security research group with big dreams. We are driven to impact the hacker community in big ways, by publicly releasing valuable research and forming relationships within the community. We strive to inspire those around us and encourage others to join our efforts in advancing our community's understanding and capabilities. DEF CON, being the epicenter of the culture that spawned us, we are highly motivated to give back to the community." --unixnerd
"Our goal is to normalize Breach Data Research in the hacker community. So much of this research happens under our noses without mention beyond the existing taboos associated with the origin of this data. Through our research, we’ve determined a method by which any US based company and/or independent researcher can work with their legal team or a lawyer to create a policy for curating publicly breached data to be utilized in Red Team operations and Penetration tests. We want to change the narrative as to how we utilize breach data in our daily lives within the industry. The more we talk about it, the more normalized it becomes. We cannot keep ignoring the elephant in the room. DEF CON is the cornerstone of the hacker culture; the masthead of a community where hackers gather to be with each other and learn from one another. We’re grateful to be part of such a vast community of brilliant minds and the opportunity to share our research." --M4x 5yn74x
Breach Data Research (BDR) Legal Policy Guidance:
Our aim is to dispel misinformation and normalize BDR for security professionals. While researching this topic we were preparing to seek legal council at work. Along the way we discovered guidance outlined by the federal government that spells out how to keep BDR legal. Armed with this guidance, we drafted a charter document along other artifacts to bring to our legal council. After our legal discussion we met with our CISO to ensure that we conform with company policy. We are currently in the final stages of approval with this initative.
DorXNG (pronounced "Dorks NG") is a next generation solution for harvesting OSINT data using advanced search engine operators through multiple upstream search providers. On the backend it leverages a custom, containerized, privacy focused meta-search engine called "SearXNG". The DorXNG client application is written in Python3. It interacts with SearXNG's API to issue search queries concurrently and stores resulting search results in a SQL database.
Deliverables: Template BDR charter documentation, DorXNG tool release