Archive for January, 2013

Using The CIA’s Intelligence Model For Your Security Objectives

Jan 29 2013 Published by under Intelligence

I’ve been putting some time into trying to improve my intelligence gathering capabilities. Normally we would call this recon during a pen test, or OSINT gathering. But I’ve been thinking about it from the perspective of the CIA, who refer to it as intelligence gathering. The ideas are basically the same: collect information that provides you with some kind of insight into a target.

For a pen test, I want to know information about the subject I’m testing. Maybe it’s network information, or job openings, or a list of employees; all of this data can be used during later phases of the assessment. For your organization, you may want to know when Anon is going to be launching an attack on your network, or about an employee who is leaking company secrets on her Facebook account.

OSINT Meets OPSEC

For the CIA, intel operations are part of operational security. The intel may tell you when future attacks are planned, secret ways terrorist organizations are communicating, or weaknesses in your adversaries. These same types of operations can be applied to your own OPSEC model: looking for discussion of future attacks on your organization, useful information about your competitors that was accidentally leaked, or potential vulnerabilities in your own systems that have become publicly available.

This is what the cycle looks like in its most generic form. There’s a lot of explanation that has to go into each phase, but I think you can interpret each however you’d like.

[Image: intel_cycle]

This cycle has many different versions. It seems like different governments interpret it in different ways, but they all basically stem from the image above. People have also been applying the intelligence lifecycle to APT (yes.. I said it…) because it directly applies to targeted network attacks. Here’s a good one from a hacker organization called “Dell”:

The CIA and You?

The Dell image is cute, but is meant to only highlight a small portion of the potential sources that the CIA documents. But in general, some books say there are four primary sources of intelligence:

  1. HUMINT: Information collected from a human source
  2. TECHINT: Information collected by technical means (APT OMG!)
  3. OSINT: Open source intelligence gathering
  4. Direct Action: Hiring an effing militia to take the data.

This is from the CIA’s point of view, so I’m not suggesting that people should go and steal intelligence from their friends at gunpoint, or hack into their laptops, nor am I suggesting looking for human sources of intelligence to turn into spies for you. I’m trying to highlight a model of intel gathering that may improve your skills and capabilities, especially when working in groups. Red-teaming, for example.

I also want to point out that whether it’s the CIA, malware writers, APT-OMGZ! hackers, or corporate spies, the same model basically applies to any type of person with similar goals. Target, collect, process, analyse, disseminate, repeat.

While I’m not talking out-of-my-ass on the subject, I admit I have a lot to learn especially compared to those that are in the intelligence community now. I’ll be giving a presentation about the subject at the next Rochester 2600 meeting this week.


Instastalk: Using the Instagram API to track users locations

Jan 27 2013 Published by under lulz,OSINT,privacy,Python

Quick blog post — thought it would be funny to make an Instagram script that downloads all the locations attached to a user account. You can find the details on how to use it on Github. Pretty straightforward:

You’ll need to sign up for the Instagram API, which you can do here: http://instagram.com/developer/

And you can find your friend’s InstagramID using this handy tool here: http://jelled.com/instagram/lookup-user-id

Download the code from Github here: https://github.com/antitree/instastalk

Here’s me keeping track of Berticus:

[Image: instastalkberticus]


Using the Good Of Panopticlick For Evil

Jan 25 2013 Published by under OPSEC,privacy,Tor

Browser fingerprint tactics, like the ones demonstrated in Panopticlick, have been used by marketing and web analytics types for years. It’s how they track a user’s activities across domains. Just include their piece of JavaScript at the bottom of your page and poof, you’re able to track visitors in a variety of ways.

I don’t care much about using this technology for marketing, but I do care about using this type of activity for operational security purposes. Imagine using this technique as a counter-intelligence tactic. You don’t want to prevent someone from accessing information, but you do want to know who is doing it, especially if they have ill intentions in mind. IP addresses are adorable but hardly reliable when it comes to anyone that knows how to use a proxy, so using a fingerprint application like Panopticlick, we can see who is visiting the site no matter what their location appears to be.

Here’s a simple way of using Panopticlick’s JavaScript for your own purposes to gather fingerprint information about your browser. I’ll leave it up to you to figure out what you can do with this.
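As an added example (not the post’s script and not Panopticlick’s own code), here is the shape of that collection: it reads the attributes Panopticlick checks from an injected environment object, canonicalizes them and hashes them, so two visits can be compared without looking at the IP address at all. The attribute set, the FNV-1a hash and the constructed visits are my assumptions; in a page you would pass `{ navigator, screen, tzOffset: new Date().getTimezoneOffset() }`.

```javascript
// Added example, not the post's or Panopticlick's own code. The environment
// is passed in explicitly so the same functions run in a browser and offline
// against constructed values.
function collectAttributes(env) {
  const nav = env.navigator;
  const scr = env.screen;
  // Plugin names are sorted so enumeration order does not change the hash.
  const plugins = Array.from(nav.plugins || [], p => p.name).sort();
  return {
    userAgent: nav.userAgent,
    language: nav.language,
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}`,
    timezoneOffset: env.tzOffset,
    plugins: plugins.join(';'),
    cookiesEnabled: Boolean(nav.cookieEnabled),
  };
}

// FNV-1a (32-bit): runs in any browser and in Node without crypto APIs.
// It is an identifier, not a security hash; use SHA-256 if collisions matter.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

function fingerprint(env) {
  const attrs = collectAttributes(env);
  // Deterministic key order gives identical browsers identical hashes.
  const canonical = Object.keys(attrs).sort().map(k => `${k}=${attrs[k]}`).join('|');
  return { attrs, hash: fnv1a32(canonical) };
}

function sameVisitor(a, b) { return fingerprint(a).hash === fingerprint(b).hash; }

// Constructed visits (assumed values). A and B are the same browser seen from
// two IP addresses; C is a different browser. The ip field is carried only to
// show that the fingerprint ignores it.
const chrome = { userAgent: 'Mozilla/5.0 (Windows NT 6.1) Chrome/24.0', language: 'en-US',
                 cookieEnabled: true, plugins: [{ name: 'Shockwave Flash' }, { name: 'Java' }] };
const visitA = { ip: '203.0.113.10', navigator: chrome, screen: { width: 1920, height: 1080, colorDepth: 24 }, tzOffset: 300 };
const visitB = { ip: '198.51.100.7', navigator: chrome, screen: { width: 1920, height: 1080, colorDepth: 24 }, tzOffset: 300 };
const visitC = { ip: '198.51.100.7', navigator: { ...chrome, userAgent: 'Mozilla/5.0 (Windows NT 6.1) Firefox/17.0', plugins: [] },
                 screen: { width: 1024, height: 768, colorDepth: 24 }, tzOffset: 0 };

console.log(sameVisitor(visitA, visitB), sameVisitor(visitA, visitC)); // true false
```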

“More Worser”

Panopticlick’s information gathering techniques are very similar (read: the same) to BrowserSpy’s, except that Panopticlick correlates the results against a dataset. If you really want to do all the browser fingerprinting without any of the reporting, you can take a look at the BrowserSpy code.

I also worked on a technique years ago that attempts to verify your IP address using DNS. This was a pretty good technique, especially for third party plugins like Flash and Java, which were inconsistent when it came to using proxies correctly. For more information about using DNS to extract an IP address and further gather information about a user, check out HD Moore’s now decommissioned Decloak project.


Panopticlick, Tor, Hello Again

Jan 22 2013 Published by under OSINT,privacy,Tor

Panopticlick is a project run by the EFF that highlights the privacy concerns related to being able to fingerprint your browser. It suddenly popped back up in /r/netsec like it was a new project. The site works by showing you the results of a full-fledged browser fingerprinting tool, letting you compare how similar or dissimilar you are to other visitors. This is done in a variety of ways: by looking at the user agent, screen resolution, fonts installed, plugins installed, versions of those plugins, and much more. You can read the Panopticlick whitepaper if you want to understand more about how it works.

Hipster Tor: Privacy before it was cool

The issue was discussed years ago at Defcon XV, where I first got interested in the project. They identified browser fingerprinting as a concern that needed to be addressed in Tor. Their answer at the time was to use something they had just released called “TorButton.” TorButton, back in the day, was a Firefox plugin that, when enabled, changed all the settings in your Firefox browser to stop leaking private information like the attributes Panopticlick checks.

TorButton’s maintainer (Mike Perry) soon realized that this was a losing battle with Firefox, which was trying to compete with sexy new browsers by adding all kinds of automatic, privacy-blind features like live bookmarks. These things would just constantly query your bookmarks for updated content and had no way of reliably being forwarded through a SOCKS proxy and anonymized, making them a major concern. This led to the advent of the Tor Browser Bundle, which is a forked version of Firefox, compiled specifically with privacy in mind, and the recommended way of using Tor today.

Panopticlick v. Tor

Back to Panopticlick: the Tor Browser Bundle (with its integrated TorButton) tries to defend you against this type of attack. It changes the user agent to the most common one at the time, disables JavaScript completely, spoofs your timezone, and more. Take a look at the comparison between the Tor Browser Bundle, Chrome, and Chrome for Android:

| Browser Characteristic | Tor | Windows 7 Chrome | Android Chrome |
|---|---|---|---|
| User Agent | 78.88 | 1489.11 | 36249.45 |
| HTTP_ACCEPT Headers | 31.66 | 12.76 | 12.76 |
| Browser Plugin Details | 25.89 | 2646146 | 25.89 |
| Time Zone | 21.63 | 11.04 | 11.04 |
| Screen Size and Color Depth | 46.78 | 46.78 | 7714.9 |
| System Fonts | 8.5 | 2646146 | 8.5 |
| Are Cookies Enabled? | 1.34 | 1.34 | 1.34 |
| Limited supercookie test | 8.91 | 2 | 2 |

Numbers are “1 in x”: one in x visitors has the same value as your browser.
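As an added worked example (not from the post or the EFF), the table’s “1 in x” figures converted into bits of identifying information the way the Panopticlick whitepaper does (log2 x) and summed per browser. It assumes the 2646146 entries mean “unique in the whole dataset” and, like any naive sum, that the characteristics are independent, which they are not, so the totals are an upper bound; the point is the gap between the browsers, not the absolute numbers.

```javascript
// Added example, not code from the post or from Panopticlick. Values are
// copied from the table above; DATASET_SIZE is my reading of the 2646146
// entries as "unique among all visitors in the dataset".
const DATASET_SIZE = 2646146;

const TABLE = {
  'User Agent':                  { tor: 78.88, win7Chrome: 1489.11, androidChrome: 36249.45 },
  'HTTP_ACCEPT Headers':         { tor: 31.66, win7Chrome: 12.76,   androidChrome: 12.76 },
  'Browser Plugin Details':      { tor: 25.89, win7Chrome: 2646146, androidChrome: 25.89 },
  'Time Zone':                   { tor: 21.63, win7Chrome: 11.04,   androidChrome: 11.04 },
  'Screen Size and Color Depth': { tor: 46.78, win7Chrome: 46.78,   androidChrome: 7714.9 },
  'System Fonts':                { tor: 8.5,   win7Chrome: 2646146, androidChrome: 8.5 },
  'Are Cookies Enabled?':        { tor: 1.34,  win7Chrome: 1.34,    androidChrome: 1.34 },
  'Limited supercookie test':    { tor: 8.91,  win7Chrome: 2,       androidChrome: 2 },
};

// Surprisal: a value shared by 1 in x visitors carries log2(x) bits.
function surprisalBits(oneInX) { return Math.log2(oneInX); }

function browserBits(browser) {
  const perCharacteristic = {};
  let total = 0;
  for (const [name, row] of Object.entries(TABLE)) {
    const bits = surprisalBits(row[browser]);
    perCharacteristic[name] = +bits.toFixed(2);
    total += bits;
  }
  // Bits needed to single out one visitor among DATASET_SIZE. A naive
  // independent sum above this line counts as "unique"; because real
  // characteristics correlate, treat it as an upper bound only.
  const uniqueThreshold = surprisalBits(DATASET_SIZE);
  return {
    perCharacteristic,
    total: +total.toFixed(2),
    uniqueThreshold: +uniqueThreshold.toFixed(2),
    likelyUnique: total >= uniqueThreshold,
  };
}

function report() {
  for (const b of ['tor', 'win7Chrome', 'androidChrome']) {
    const r = browserBits(b);
    console.log(`${b}: ${r.total} bits (unique above ${r.uniqueThreshold})`, r.likelyUnique);
  }
}
report(); // tor ~32.6 bits, androidChrome ~44.4, win7Chrome ~67.3
```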

Feel safer? Don’t.

The EFF’s project has been really good at increasing public understanding of the risks of browser fingerprint style attacks, but risks definitely remain. One of the nastier ones, which has yet to be fully addressed, had only been theorized until last year. The scenario is that someone watching a user’s traffic can fingerprint their online activities. A presentation at last year’s 28C3 highlighted this issue. In it, they discussed how a user will usually go to the same group of websites pretty consistently: Reddit, Google News, Wikipedia. Those activities can be used as a fingerprint for your online identity. Tor is coming up with an answer to this with their Modular Transports initiative, which allows Tor users to customize their traffic footprint using plugins.

My next post will highlight how to use Panopticlick for some operational security measures. 🙂