Archive for the 'OSINT' Category

Actionable Visualizations And Silo Breaking

Dec 12 2015, filed under Intelligence, News, OSINT, Rochester 2600

This post on Hacker News got my attention. It’s an IoT-based visualization showing your activities and health metrics. It’s very flashy and interesting looking, like something you’d see in an episode of CSI Cyber. The term “actionable” I’ve usually applied to government types discussing the latest threat intel, but we can also apply it to our visualizations.

Actionable visualizations should provide the viewer with brand new information that could not easily have been concluded before. This was a common problem with threat intel practices in years past. You would collect tons and tons of information, render it into a beautiful graph, then look at it and go, “Yup, there’s a graph of all the stuff I already knew.”

Street Corners

Along the lines of circular information collection, I’ve always thought that one of my generation’s problems is how easy it is to never have to listen to disparate positions. I’m able to hide in my corner of the Internet and learn about only the things that I need, and you sit in your corner and we never have to interact. It’s a perspective I took away from the book, Amusing Ourselves To Death.

In my city, like your city, there are lots of different meetup groups and interest meetups and meetups related to meetups. We have programming language groups, maker groups, security groups, whatever, and they all operate in their own “silos,” to borrow a corporate term. There are a few outliers that will cross-pollinate by visiting each of the groups when possible, and we consider them community advocates.

Where am I going with this?

I’m part of a few groups that will often throw events. We’ll do classes or social events that are open to the public and we want to get the word out, but you know what, I just end up telling my own silo about an event that they already knew about, just like the IoT visualization that tells me what time I ate dinner. How do I stop telling people (and myself) about information that we already know?

Thus, my foray into vis.js to attempt to apply some of the threat intel style relationship modeling (like Maltego) to community outreach. The goal being, just like social media analysts and intelligence operatives do, to identify “key influencers” in the area. I’m trying to identify the various active communities to make sure that they’re involved when trying to do outreach.

Silo Sociogram

To self-criticize using my beginning premise, this is far from actionable at this point. I haven’t learned anything that I did not already know. I’ve sent out a comment to a few friends to try to expand this to get their perspective on relationships and see if 2600, Interlock, and other community groups might be able to try to break out of their own circular communications.
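As an added example (not the author’s sociogram code or data), here is the relationship-modeling idea from above reduced to its essentials: a membership list of people and groups, the people who span more than one silo (the candidate community advocates), the groups that share no members with anyone else (the silos), and the nodes/edges shape that vis.js’s Network expects. The people and groups are constructed placeholders, not the real Rochester groups’ membership.

```python
from collections import defaultdict
from itertools import combinations
import json

# Constructed sample data: hypothetical people and the groups they attend.
MEMBERSHIPS = {
    "alice": {"2600", "interlock", "python-meetup"},
    "bob": {"2600"},
    "carol": {"maker-group", "interlock"},
    "dave": {"python-meetup", "maker-group", "security-summit"},
    "erin": {"security-summit"},
    "frank": {"chess-club"},
}


def bridging_people(memberships, min_groups=2):
    """People in at least `min_groups` groups, most-connected first.

    These are the ones who can carry an announcement out of your own silo.
    """
    spans = {p: len(g) for p, g in memberships.items() if len(g) >= min_groups}
    return sorted(spans.items(), key=lambda kv: (-kv[1], kv[0]))


def group_reach(memberships):
    """Map each group to the other groups it shares at least one member with.

    A group whose reach is empty is a silo: nobody carries news in or out.
    """
    reach = defaultdict(set)
    for groups in memberships.values():
        for a, b in combinations(sorted(groups), 2):
            reach[a].add(b)
            reach[b].add(a)
    all_groups = set().union(*memberships.values())
    return {g: reach[g] for g in all_groups}


def silos(memberships):
    return sorted(g for g, r in group_reach(memberships).items() if not r)


def to_visjs(memberships):
    """Emit the {"nodes": [...], "edges": [...]} dataset vis.js Network renders:
    one node per person and per group, one edge per membership."""
    people = sorted(memberships)
    groups = sorted(set().union(*memberships.values()))
    nodes = [{"id": p, "label": p, "group": "person"} for p in people]
    nodes += [{"id": g, "label": g, "group": "community"} for g in groups]
    edges = [{"from": p, "to": g} for p in people for g in sorted(memberships[p])]
    return {"nodes": nodes, "edges": edges}


if __name__ == "__main__":
    print("advocates:", bridging_people(MEMBERSHIPS))
    print("silos:", silos(MEMBERSHIPS))
    print(json.dumps(to_visjs(MEMBERSHIPS), indent=1))
```

The JSON from `to_visjs` can be dropped straight into a vis.js `DataSet`; the interesting output for outreach is the `silos` list, the groups that no current advocate reaches.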

XKeyScore

Jul 05 2014, filed under Intelligence, OSINT, privacy, Tor

If you’re like me, you’re probably getting inundated with posts about how the latest revelations show that the NSA specifically tracks Tor users and the privacy conscious. I wanted to provide some perspective on how XKeyscore fits into an overall surveillance system before we jump out of our collective pants. As I’ve written about before, the Intelligence Lifecycle (something that the NSA and other Five Eyes agencies know all too well) consists more or less of these key phases: Identify, Collect, Process, Analyze, and Disseminate. Some of us are a bit up in arms about Tor users specifically being targeted by the NSA, and while that’s a pretty safe conclusion, I don’t think it takes into account what the full system is really doing.

XKeyscore is part of the “Collect” and “Process” phases of the life cycle, where in this case they are collecting your habits and correlating them to an IP address. Greenwald and others will show evidence that the NSA’s goal is to, as they say, “collect it all,” but this isn’t a literal turn of phrase. It’s true there is a broad collection net, but the NSA is not collecting everything about you. At least not yet. As of right now, the NSA’s collection initiatives lean more towards collecting quantifiable properties which have the highest reward and the lowest storage cost. That’s not as sexy a phrase to repeat throughout your book tour, though.


The conclusion may be (and it’s an obvious one) that what you’re seeing of XKeyscore is a tiny fraction of the overall picture. Yes, they are paying attention to people that are privacy conscious; yes, they are targeting Tor users; yes, they are paying attention to people that visit the Tor web page. But as the name implies, this may contribute to an overall “score” used to conclude whether you are a high value target or not. What other online habits do you have that they may be paying attention to? Do you have a reddit account subscribed to /r/anarchy or some other subreddit they would consider extremist? Tor users aren’t that special, but this section of the code is a great way to get people nervous.

As someone who has worked on a collection and analysis engine at one time, I can say that one of the first steps during the collection process is tagging useful information and automatically removing useless information. In this case, tagging Tor users and dropping cat videos. It appears that XKeyscore is using a whitelist of properties that they consider suspicious activity, which would then be passed on to the “Analysis” phase to help make automated conclusions. The analysis phase is where you get to make predictive conclusions about the properties you have collected so far.

[Figure: intel_lifecycle_xkeyscore]

Take the fact that your IP address uses Tor. Add it to a list of extremist subreddits you visit. Multiply it by the number of times you searched for the phrase “how to make a bomb” and now you’re thinking of what the analytics engine of the NSA would look like.

My point is this: If you were the NSA, why wouldn’t you target the privacy aware? People doing “suspicious” (for some definition of the word) activities are going to use the same tools that a “normal” (some other definition) person would. We don’t have a good understanding of what happens to the information after it’s been gathered. We know that XKeyscore will log IPs that have visited sites of interest or performed searches for “extremist” things like privacy tools. We know that there have been cases where someone’s online activities have been used in court cases. But we can’t connect the dots. XKeyscore is just the collection/processing phase, and the analytic phase is what’s more important. I think the people of the Tor Project have a pretty decent perspective on this. Their responses have generally just reiterated that this is exactly the threat model they’ve always planned for and they will keep working on ways to improve and protect its users.

New Year Review – 2014

For a few years now, I’ve been stating my plans for the rest of the year, and reviewing how the previous year went. Here’s the review:

Last Year

Major Con Presentation

One of my goals was to be accepted into a “Major Con” for some definition of that word. This year I presented at Derbycon, GRRCon, Defcon Skytalks, BSides Detroit, and the Rochester Security Summit. I will say that my moon shot was to be accepted into 30C3 but I was aptly turned down.

Intel/OSINT/OPSEC Project

This intel/OSINT/OPSEC topic has bugged me for a few years now and, thanks to Edward Snowden, I think I chose a good year to work on it. I put a ton of research time into formalizing what an intelligence gathering campaign would look like, and even implementing it. I even wrote some tools to help me get the job done. I presented my research at GrrCon, RSS, and BSides Detroit. I’ll admit, it’s a bit of a fluffy, opaque subject to talk about, which is why I really wanted to do the research and be done with it. The output from the research is just some new tools in my arsenal.

Hardware Hack into a PCB

Last year, although I was messing around with my hardware hacking project (that I was asked to take down), I never moved it from a proof-of-concept breadboard to my own custom circuit. This year, I was able to build a couple of circuits and get them fab’d. But I didn’t design them, so I still think that’s cheating. Going through the process of loading an Arduino with AVR software was a big enough step.

iButton Door System


This was a failure. Some of us still talk about it, but I didn’t build an iButton door system. I have all the hardware and Raspberry Pis to do it, I just haven’t put the time in.

Mannequin

My poor mannequin has been around for years. I’ve chopped her head open and loaded her up with an XBee-controlled Arduino, I’ve made her my T-shirt model for BSides Rochester, but this was to be the year of her demise. I accomplished this in fantastic fashion, though, using Tannerite, an explosive that we packed inside of her.

3D Printing A Model

This was just a fail. I didn’t print anything really. We used a 3D printer to make the badges for BSidesROC this year, but I never actually went through the process myself.

Unplanned Accomplishments

There have been some interesting unplanned accomplishments this year:

  • Becoming a minister and performing in someone’s wedding ceremony
  • Going to Korea, twice
  • Building a silicone brain
  • Having a thermite party to destroy all of my old media
  • Operating a back hoe
  • Receiving my first DMCA request

Next Year

Grown-up Things

This is the year I know I’m going to have to, and want to, do some of what I would call Grown-Up Things. Things that aren’t necessarily about completely full-blown chaos and fun. One being learning about how businesses work, forming an LLC, and paying attention to financials. There are some other things, but where’s the fun in discussing that. I just know that this year will be filled with a lot of “Adult” opportunities.

Crypto

Although I have a decent understanding of crypto, I’d like to put some time in and develop this into a skill. A friend of mine is taking the Stanford Cryptography class and I’m hoping we can learn that together. But beyond that, I’d like to apply it to some actual research. Maybe doing some basic crypto audits of something like BitMessage. I’ll never be a cryptographer, but I’d like to be able to identify and exploit poor cryptographic implementations.

Development

I have a decent ability to make something in Python, but it’s all scripting. I’ve never taken a class or anything that would give me any kind of structured development style. My goal for this coming year is to further build my development skills beyond just scripting and hacking things together. Ideally I’d like to join a development team on a project of some kind.

Bitcoin

Gah – Bitcoin… when I say it out loud it sounds so stupid. But this year I’ll be putting time into learning how the Bitcoin protocol works, the community that supports it, and slightly riding the roller coaster as it goes up and down. Last year I was doing intelligence when Edward Snowden released all his intel; this year I may be doing Bitcoin when we watch the first cryptocurrency become regulated.

Hardware RE

This year hasn’t taken me into much hardware reverse engineering. I’ll be looking for an interesting project to spend some time on.

Introductory OSINT Links

Oct 21 2013, filed under OSINT

These links are meant to go along with my recent OSINT presentation. They’re provided to get you started if you want to start learning the craft.

Meta

Tools

  • Maltego – relationship mapper
  • FOCA – fast metadata extraction and analysis
  • Recon-ng – OSINT framework
  • Geostalker – fun geo-tracking tool

Sites:


Instastalk: Using the Instagram API to track users locations

Jan 27 2013, filed under lulz, OSINT, privacy, Python

Quick blog post — thought it would be funny to make an Instagram script that will download all the locations of a user account. You can find the details on how to use it on Github. Pretty straightforward:

You’ll need to sign up for the Instagram API, which you can do here: http://instagram.com/developer/

And you can find your friend’s Instagram ID using this handy tool here: http://jelled.com/instagram/lookup-user-id

Download the code from Github here: https://github.com/antitree/instastalk

Here’s me keeping track of Berticus:

[Figure: instastalkberticus]

Panopticlick, Tor, Hello Again

Jan 22 2013, filed under OSINT, privacy, Tor

Panopticlick is a project run by the EFF that highlights the privacy concerns related to being able to fingerprint your browser. It suddenly popped back up in /r/netsec like it was a new project. The site works by showing you the results of a full-fledged browser fingerprinting tool, letting you compare how similar or dissimilar you are to other visitors. This is done in a variety of ways: by looking at the user agent, screen resolution, fonts installed, plugins installed, versions of those plugins, and much more. You can read the Panopticlick whitepaper if you want to understand more about how it works.

Hipster Tor: Privacy before it was cool

The issue was discussed years ago at Defcon XV, where I first got interested in the project. They identified browser fingerprinting as a concern that needed to be addressed in Tor. Their answer at the time was to use something they had just released called “TorButton.” TorButton, back in the day, was a Firefox plugin that, when enabled, changed all the settings in your Firefox browser to stop leaking private information like the things Panopticlick checks.

TorButton (Mike Perry) soon realized that this was a losing battle with Firefox, which was trying to compete with sexy new browsers by adding all kinds of automatic, privacy-blind features like live bookmarks. These would constantly query your bookmarks for updated content and had no way of reliably being forwarded through a SOCKS proxy and anonymized, making them a major concern. This led to the advent of the Tor Browser Bundle, which is a forked version of Firefox, compiled specifically with privacy in mind, and the recommended way of using Tor today.

Panopticlick v. Tor

Back to Panopticlick: Tor’s Browser Bundle (along with the integrated TorButton) tries to defend you against this type of attack. It changes the user agent to the most common one at the time, disables JavaScript completely, spoofs your timezone, and more. Take a look at the comparison between the Tor Browser Bundle, Chrome on Windows 7, and Chrome for Android:

Browser Characteristic         Tor        Windows 7 Chrome   Android Chrome
User Agent                     78.88      1489.11            36249.45
HTTP_ACCEPT Headers            31.66      12.76              12.76
Browser Plugin Details         25.89      2646146            25.89
Time Zone                      21.63      11.04              11.04
Screen Size and Color Depth    46.78      46.78              7714.9
System Fonts                   8.5        2646146            8.5
Are Cookies Enabled?           1.34       1.34               1.34
Limited supercookie test       8.91       2                  2

Numbers are “1 in x visitors have the same value as your browser.”
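To make the table above comparable across browsers, here is an added example (my own code, not part of the original post or of Panopticlick) that turns each “1 in x visitors” figure into bits of identifying information, log2(x), and sums them per browser. The sum assumes the characteristics are independent, which they are not (fonts and plugins correlate with the user agent), so it is an upper bound rather than a measurement; the browser column labels are my own. Note that in the Windows column both plugin details and system fonts read 1 in 2646146, which means no other visitor in the sample matched them at all.

```python
import math

# Constructed copy of the "1 in x visitors" figures from the table above.
ONE_IN_X = {
    "User Agent":                  {"tor": 78.88, "win7_chrome": 1489.11, "android_chrome": 36249.45},
    "HTTP_ACCEPT Headers":         {"tor": 31.66, "win7_chrome": 12.76,   "android_chrome": 12.76},
    "Browser Plugin Details":      {"tor": 25.89, "win7_chrome": 2646146, "android_chrome": 25.89},
    "Time Zone":                   {"tor": 21.63, "win7_chrome": 11.04,   "android_chrome": 11.04},
    "Screen Size and Color Depth": {"tor": 46.78, "win7_chrome": 46.78,   "android_chrome": 7714.9},
    "System Fonts":                {"tor": 8.5,   "win7_chrome": 2646146, "android_chrome": 8.5},
    "Are Cookies Enabled?":        {"tor": 1.34,  "win7_chrome": 1.34,    "android_chrome": 1.34},
    "Limited supercookie test":    {"tor": 8.91,  "win7_chrome": 2,       "android_chrome": 2},
}


def surprisal_bits(one_in_x):
    """'1 in x visitors share this value' carries log2(x) bits of
    identifying information (the surprisal of observing that value)."""
    return math.log2(one_in_x)


def per_characteristic_bits(table, browser):
    return {name: surprisal_bits(row[browser]) for name, row in table.items()}


def total_bits(table, browser):
    """Sum of per-characteristic bits. Treats the characteristics as
    independent, so this overstates the true total: read it as an upper bound."""
    return sum(per_characteristic_bits(table, browser).values())


def worst_characteristics(table, browser, n=3):
    """The n characteristics that leak the most bits for this browser; these
    are the ones a privacy-preserving browser has to normalise first."""
    bits = per_characteristic_bits(table, browser)
    return sorted(bits.items(), key=lambda kv: -kv[1])[:n]


def population_to_single_out(bits):
    """A fingerprint of b bits singles you out of roughly 2**b visitors."""
    return 2 ** bits


if __name__ == "__main__":
    for browser in ("tor", "win7_chrome", "android_chrome"):
        t = total_bits(ONE_IN_X, browser)
        print(f"{browser:15s} ~{t:5.1f} bits (unique among ~{population_to_single_out(t):.3g} visitors)")
        for name, b in worst_characteristics(ONE_IN_X, browser):
            print(f"    {b:5.1f} bits  {name}")
```

Run it and the Tor column comes out around 33 bits against roughly double that for the Windows Chrome column; the point of the ranking is that the user agent and screen size are still the largest leaks even in the Tor Browser Bundle, which is why it sets a common user agent rather than a blank one.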

Feel safer? Don’t.

The EFF’s project has been really good at increasing the public understanding of the risks of browser fingerprinting style attacks, but risks definitely remain. One of the nastier ones, which has yet to be fully addressed, had only been theorized until last year. The scenario is that someone watching a user’s traffic can fingerprint their online activities. A presentation at last year’s 28C3 highlighted this issue. In it, they discussed how a user will usually go to the same group of websites pretty consistently: Reddit, Google News, Wikipedia. Those activities can be used as a fingerprint for your online identity. Tor is coming up with an answer to this with their Modular Transports initiative, which allows Tor users to customize their traffic footprint using plugins.

My next post will highlight how to use Panopticlick for some operational security measures. 🙂

A Case For Spicy Mango

Nov 27 2012, filed under OSINT, Python, Tor

Spicy Mango is a project that Chris Centore started and presented on at Derbycon this year. It’s difficult to describe completely, but in essence it is an intelligence collection and analysis engine that helps you parse large amounts of data to extract items of interest. For example, say that you wanted to keep track of your nym and how it was used on the net. You could do something like a Google Alert that sends you an email every time “AntiTree” appears in the search engine. With Spicy Mango, you can search multiple sources (such as forums, blogs, news outlets) for relevant data and then carve out what is actionable. You probably don’t want to see Tweets that you sent yourself, but you might want to see ones referencing your account.

Overview of Spicy Mango

Here’s a quick overview of how the framework is setup:

  • Modules are used to collect relevant information. Some examples of modules right now are an RSS reader, an IRC client, and Facebook and Twitter scrapers.
  • The data collected from these modules is saved into a database.
  • The database provides the back-end to a web interface.
  • The web interface controls how to present the data as High, Medium, or Low relevancy. This is done by searching for keywords in the database and applying a weight based on that keyword.
Some screenshots:
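The keyword-weighting step from the overview above, as an added example of my own (not Spicy Mango’s code; the keyword weights, thresholds and sample items are constructed placeholders). It scores each collected item by the summed weight of the keywords it contains, buckets the score into High, Medium or Low, and drops items you authored yourself, which is the “don’t show me my own Tweets” rule. A multi-word keyword like “rochester 2600” is the simplest form of the phrase search mentioned under Future Opportunities below.

```python
import re

# Hypothetical keyword weights; a real deployment would load these from config.
KEYWORDS = {
    "antitree": 5,
    "antitree.com": 5,
    "rochester 2600": 3,
    "interlock": 2,
    "meetup": 1,
}

# Score floors for each relevancy bucket, highest first.
THRESHOLDS = [(6, "High"), (3, "Medium"), (1, "Low")]

# Constructed sample items, in the shape a collection module might save them.
ITEMS = [
    {"source": "twitter", "author": "antitree", "text": "Heading to the Interlock meetup tonight"},
    {"source": "irc", "author": "someone", "text": "anyone know if antitree is at rochester 2600 this week?"},
    {"source": "rss", "author": "news", "text": "Local weather: snow expected"},
    {"source": "twitter", "author": "friend", "text": "new meetup in town"},
]


def score(text, keywords=KEYWORDS):
    """Sum the weight of every keyword present (case-insensitive, whole-word
    so that 'meetups' does not count as 'meetup'). Returns (points, hits)."""
    lowered = text.lower()
    total, hits = 0, []
    for kw, weight in keywords.items():
        if re.search(r"(?<!\w)" + re.escape(kw) + r"(?!\w)", lowered):
            total += weight
            hits.append(kw)
    return total, hits


def relevancy(points):
    """Map a score onto the High/Medium/Low buckets; anything below Low is noise."""
    for floor, label in THRESHOLDS:
        if points >= floor:
            return label
    return "Ignore"


def triage(items, me="antitree"):
    """Score every item except the ones you wrote yourself; most relevant first."""
    out = []
    for item in items:
        if item["author"].lower() == me:
            continue  # your own posts are not intelligence about you
        points, hits = score(item["text"])
        out.append({**item, "score": points, "hits": hits, "relevancy": relevancy(points)})
    return sorted(out, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in triage(ITEMS):
        print(f"{row['relevancy']:6s} {row['score']:2d} {row['source']:8s} {row['text']}  hits={row['hits']}")
```

In the sample run the IRC line scores 8 (name plus group) and lands in High, the stray “meetup” tweet is Low, and the weather item falls through to Ignore; the author’s own tweet never appears.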

Maltego It Is Not

I’m not going to say that Spicy Mango is an amazing tool that fits into every intel gathering/recon/OSINT job you can think of. In fact, in many ways it starts overlapping with an already mature tool, Maltego. The latest version of Maltego supports “Machines,” which is in some ways the same idea as Spicy Mango. These machines are a recurring query for live data such as Tweets, Facebook posts, etc., which is then collected in the beautiful Maltego interface that tries to visualize relationships between different pieces of intel. Very cool. But not really what I’m personally looking for.

The Best Case Scenarios

At its most useful, Spicy Mango would be an intel gathering tool that collects large pools of information from obscure locations on the net and cuts down on the amount of time needed to find actionable intelligence. It could be an operational security tool that notifies you of upcoming threats that were discussed over IRC. It could be a persistent stalking machine that keeps track of your friends.

WHY?

The “But, why?” question is the most common one I get when talking with my friends. First, I think that there is not an open-source tool today that aims to do what Spicy Mango tries. In fact, there are a bunch of secretive tools used for operational security and OSINT, but we don’t know about them and they’re often a very custom design. Mostly because the first rule of OPSEC is that you don’t talk about OPSEC.

Secondly, hackers are usually pretty proud of their doxing skills. “I can find your real name and home address in 15 minutes!” Usually they’re not wrong, but their skills are based on tools that they’ve developed themselves; otherwise they’re just using some site that does the work for them. I would find it interesting if the playing field were leveled so that every person had the same tools to stalk someone. In that case, real skills would have to be developed to excel past the baseline.

Lastly, (or primarily) it’s fun to hack on. The modules are simple to develop and the code is straight-forward.

Future Opportunities

Since I started to help develop this framework, I’ve thought of some improvements that would help take it from just a collection engine to a more serious intelligence tool. I can see an advanced analysis engine that would take it beyond just keyword searches to support a modular framework in the same way that the collection phase works. I’ve been working on supporting natural language processing to enable n-gram structured searches and implementing spam-style text analysis to automatically strip out useless information. This is all based on my goal to better normalize the content that is collected.