Toronto

Meet the Real-Life Mr. Robot

Confessions of a professional cyber stalker.

J.M. Porup

Photo: Ken Westin/Google Plus

Ken Westin is an online stalker. He writes malware, tracks his targets through their devices, and uses social media to gather intel on how to break into networks. He's good at it, too. Some even call him "Mr. Robot," a reference to the popular television show about a counterculture hacker.

"That was my nickname on Crimewatch Daily, where we hacked a $6m smarthome and baby monitors this past month," Westin said in an email.

But unless you're a criminal, you have nothing to worry about.

Westin uses his skills to help police agencies, including the LAPD, NYPD, and the FBI, solve criminal cases. A typical request might involve trojanning, or remotely taking control of, a stolen laptop or phone or tablet. On many occasions, the device led back to criminal groups, and police were able to gather evidence of other crimes being committed, including drugs, illegal firearms, and in one case, carjacking by organized crime.

He also created the CameraTrace search engine in response to a growing wave of high-end camera theft. These cameras embed their serial number, make, and model in the images they take. CameraTrace indexes all the photos on Flickr and other social media sites, hunting for the serial number that corresponds to the stolen camera.
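The lookup CameraTrace performs rests on the Exif metadata that cameras write into every JPEG: IFD0 carries Make and Model, and the Exif sub-IFD carries BodySerialNumber. The Python below is an added illustration, not CameraTrace's code: it builds a constructed JPEG fixture with those fields, walks the file's segments to the Exif block, parses the TIFF structure, and checks the embedded serial against a list of stolen cameras. The tag numbers are the standard Exif ones; the fixture omits pixel data entirely.

```python
import struct
# Exif tags used: IFD0 Make, Model, Exif-IFD pointer; Exif IFD BodySerialNumber.
MAKE, MODEL, EXIF_IFD, BODY_SERIAL = 0x010F, 0x0110, 0x8769, 0xA431

def build_exif_jpeg(make, model, serial):
    """Constructed fixture: minimal JPEG with a big-endian Exif block, no pixel data."""
    strs = [s.encode() + b"\0" for s in (make, model, serial)]  # assumed > 4 bytes each
    exif_off = 8 + 2 + 3 * 12 + 4                  # Exif IFD follows IFD0 (3 entries)
    data = exif_off + 2 + 1 * 12 + 4               # ASCII values stored after both IFDs
    off = [data, data + len(strs[0]), data + len(strs[0]) + len(strs[1])]
    ifd0 = struct.pack(">H", 3) + struct.pack(">HHII", MAKE, 2, len(strs[0]), off[0])
    ifd0 += struct.pack(">HHII", MODEL, 2, len(strs[1]), off[1])
    ifd0 += struct.pack(">HHII", EXIF_IFD, 4, 1, exif_off) + struct.pack(">I", 0)
    exif = struct.pack(">HHHIII", 1, BODY_SERIAL, 2, len(strs[2]), off[2], 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + exif + b"".join(strs)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _parse_tiff(tiff):
    end = ">" if tiff[:2] == b"MM" else "<"       # byte order comes from the TIFF header
    def ifd(offset):
        n, out = struct.unpack(end + "H", tiff[offset:offset + 2])[0], {}
        for i in range(n):
            e = offset + 2 + 12 * i                # each IFD entry is 12 bytes
            tag, typ, count, raw = struct.unpack(end + "HHI4s", tiff[e:e + 12])
            if typ == 2:                           # ASCII: inline if <= 4 bytes, else by offset
                ptr = struct.unpack(end + "I", raw)[0]
                val = raw[:count] if count <= 4 else tiff[ptr:ptr + count]
                out[tag] = val.rstrip(b"\0").decode("ascii", "replace")
            elif typ == 4:                         # LONG: the Exif IFD pointer
                out[tag] = struct.unpack(end + "I", raw)[0]
        return out
    ifd0 = ifd(struct.unpack(end + "I", tiff[4:8])[0])
    sub = ifd(ifd0[EXIF_IFD]) if EXIF_IFD in ifd0 else {}
    return ifd0.get(MAKE), ifd0.get(MODEL), sub.get(BODY_SERIAL)

def camera_identity(jpeg):
    """Walk JPEG segments to the Exif APP1 and return (make, model, body_serial) or None."""
    pos = 2                                        # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _parse_tiff(jpeg[pos + 10:pos + 2 + length])
        pos += 2 + length                          # length counts itself, not the marker
    return None

def match_stolen(jpeg, stolen_serials):
    """CameraTrace-style check: report the camera if its embedded serial is on the list."""
    ident = camera_identity(jpeg)
    return ident if ident and ident[2] in stolen_serials else None
```

Many sharing sites strip Exif on upload, so a photo with no APP1 block yields None rather than a false match; indexing only works where the metadata survives.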

For his day job, Westin is a senior security analyst at Tripwire, where he analyzes current and emerging threats and works with companies to better secure their infrastructure.

As part of his job, he stalks people based on their social media profiles. He calls this "passive reconnaissance."

"Using passive recon alone I've scared the crap out of companies," he said, explaining that, without hacking the corporate network, he was able to tell what databases, operating systems, and security applications the client was running.

Employee profiles on LinkedIn frequently list the current systems the employee is working on. Job postings are also useful in collecting intel on a corporate network.

"This is really helpful if you're an attacker," he said. "Everything on Facebook or LinkedIn, that information can be used against you."

He also uses social media profiles to do spearphishing campaigns that target system administrators.

Westin will share his story this year at SecTor, an IT security conference in Toronto, in a talk entitled Confessions of a Professional Cyber Stalker. It's a talk anyone interested in privacy and security might want to attend, since the same techniques Westin uses to stalk criminals can also be used to track you.

So how can you defend yourself against online stalkers?

"First, put tape over your web camera," Westin said. "Second, be careful of what apps you're installing, on either your laptop or phone. Pay attention to the permissions."

Smartphone permissions are often far in excess of what is really needed, he said.

LinkedIn has privacy settings that let you hide certain information, for example. Use them, he suggested, and be careful who you connect with on the site.

"Third, read the privacy policy of apps," he said. "If you're not paying for the product you are the product. They're gathering information from you, and that can put you at risk."

Correction: An earlier version of this story identified Westin as "an offensive security researcher, or penetration tester ('pentester')." He is a senior security analyst and assists companies with preparing for attacks.