I fought the law and the law lost” is a series of talks that aims to collect vulnerabilities in the field of Argentine Security forces. This chapter focuses on both Federal and Buenos Aires City Police, which according to the Head of Government Horacio Rodr√≠guez Larreta, has the ““most modern technology in the world””.
We will analyze four particular cases (two on the lightning talk version), all of them ending in national scandals:
- The leaking of the Police Reports database. Which led to the disclosure of private information of criminals, informants, involved police agents and even original reporters. This database contained cases related to drug trafficking and proxenetism.
- The leaking of Proyecto X, a joined intelligence task force composed by members of different forces.
- The leaking of the SNIC (Criminal Information National System), that led to the disclosure of intelligence information regarding criminal gangs undergoing federal investigation but not prosecuted/captured yet.
- The leaking of Buenos Aires City Police entire database, that led to the disclosure of every agents personal information, including religious and health related concerns, like STDs, clinical and psychological history, and more.
But we’ll do it having in mind a special requirement: passive action. We’ll use Recon & OSINT at it’s best in order to reconstruct how the leaks were carried from start to end. A police chief using his daughter’s name as a password? A Police CIO using his own National ID Number as recovery question? Public databases exposing too much information? Reused passwords across every site on the internet? Sure, but it’s not the worst. We’ll use hand crafted DIY tools and without compromising a single system, reveal a lot of bugs and vulns. This talk is heavily focused on obtaining OSINT from public sources (specially in countries with weak or ambiguous laws, like Argentina)
This talk aims to demonstrate various flaws with a critical, technical and impartial approach to bring to the public a prevailing reality: First, argentine law allows a lot of compromising data to be used as ““public”” (thus leaving the place for OSINT based attacks to occur), and second… we are not safe against computer threats, and those who take care of us, neither are.”