BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:0c0f6db3-a30a-4975-a945-1ee95259e2d3
DTSTAMP:20260422T063635Z
SUMMARY:(Beginner) No Question: Teamviewer\, Police and Consequence
DESCRIPTION:Title: (Beginner) No Question: Teamviewer\, Police and Conseque
 nce\n\nDescription:\nIn the summer of 2019\, I attended DEFCON for the fir
 st time and spent my days lingering around the Blue Team Village. Two week
 s after I returned\, our largest client was breached. A malicious actor re
 motely installed keyloggers on over a hundred computers.\n\nAfter a marath
 on of logs and OSINT\, I traced the bad guy to his house. I offered a doss
 ier with everything I’d found to the local Cyber Crime unit\, leading to
  a full confession and finally\, the release of the suspect for circumstan
 ces I’m not authorized to know.\n\nThis talk discusses an internal breac
 h of a non-profit organization. A delicate mix of politics\, technical cha
 llenge and pressure\, this event fundamentally shifted my career.\n\nA str
 ange log file triggered a closer look at some servers. Within minutes\, we
  had realized a massive breach had taken place.\n\nWe found a keylogger in
 stalled on over a hundred computers. After a little digging\, we found an 
 unknown username referenced in a handful of Teamviewer connection logs.\n\
 nTeamviewer was uninterested in helping us without an international warran
 t of some kind. Through a day of parsing log files (no\, we don’t have S
 IEM\, IDS or IPS at this client)\, OSINT and the confidence I’d gained f
 rom finding a tribe at the BTV\, I was able to identify the person respons
 ible and gain insight into a real-world breach.\n\nA search warrant was ex
 ecuted\, devices were nabbed for forensics and the detective secured a ful
 l confession. I was told there was ‘No Question’\, this was the person r
 esponsible\, a client from the very organization that had been hit.\n\nSom
 e time later\, after some political meetings between the parties involved\
 , it was determined that a charge would not be levied against the maliciou
 s actor for reasons I have yet to be told. The organization is still activ
 ely under attack via weekly spear-phishing and whaling. After six weeks\, 
 the organization allowed the confirmed suspect back into the fold\, access
 ing programs within the umbrella of the agency and within reach of the ver
 y systems he used to gain his foothold.\n\nThis is a vital topic to Blue T
 eamers. The real-world implications of a breach aren’t clear or fair and
  it’s all up to you.\n\nSpeaker(s): corvusactual\n\nLocation: Blue Team 
 Vlg / Blue Team Vlg - Talks Track 1\n\nDiscord: https://discord.com/channe
 ls/708208267699945503/732454317658734613\n\nEvent starts: 2020-08-07 12:30
  (12:30 PM) PDT (UTC -07:00)\n\nEvent ends: 2020-08-07 13:00 (01:00 PM) PD
 T (UTC -07:00)\n\nFor the most up-to-date information\, please either visi
 t https://info.defcon.org\, or use HackerTracker\, which is available for 
 iOS and Android. This is an automated message\, and this data was last mod
 ified 2020-08-02T22:54 (UTC).
URL:https://forum.defcon.org/node/234090
DTSTART:20200807T203000Z
DTEND:20200807T210001Z
LOCATION:Blue Team Vlg / Blue Team Vlg - Talks Track 1
END:VEVENT
END:VCALENDAR
