Archive for the 'Intelligence' Category

Actionable Visualizations And Silo Breaking

Dec 12 2015 Published by under Intelligence,News,OSINT,Rochester 2600

This post on hackernews got my attention. It’s an IoT based visualization showing your activities and health metrics. It’s very flashy and interesting looking, like something you’d see in an episode of CSI Cyber. The term “actionable” I’ve usually applied to government types discussing the latest threat intel, but we can also apply it to our visualizations.

Actionable visualizations should provide the viewer with brand new information that could not have been easily concluded before. This was a common problem with threat intel practices in years past. You would collect tons and tons of information and render it into a beautiful graph and then look at it and go, “Yup, there’s a graph of all the stuff I already knew.”

Street Corners

Along the lines of circular information collection, I’ve always thought that one of my generation’s problems is how easy it is to never have to listen to disparate positions. I’m able to hide in my corner of the Internet and learn about only the things that I need, and you sit in your corner and we never have to interact. It’s a perspective I took away from the book, Amusing Ourselves To Death.

In my city, like your city, there are lots of different meetup groups and interest meetups and meetups related to meetups. We have programming languages, maker groups, security groups, whatever, and they all operate in their own “silos,” to borrow a corporate term. There are a few outliers that will cross-pollinate by visiting each of the groups when possible, and we consider them community advocates.

Where am I going with this?

I’m part of a few groups that will often throw events. We’ll do classes or social events that are open to the public and we want to get the word out, but you know what, I just end up telling my own silo about an event that they already knew about, just like the IoT visualization that tells me what time I ate dinner. How do I stop telling people (and myself) about information that we already know?

Thus, my foray into vis.js to attempt to apply some of the threat intel style relationship modeling (like Maltego) to community outreach. The goal is the same one social media analysts and intelligence operatives have: identify the “key influencers” in the area. I’m trying to identify the various active communities to make sure that they’re involved when trying to do outreach.

Silo Sociogram

To self-criticize using my beginning premise, this is far from actionable at this point. I haven’t learned anything that I did not already know. I’ve sent a comment to a few friends to try to expand this, get their perspective on the relationships, and see if 2600, Interlock, and other community groups might be able to break out of their own circular communications.

Browser fingerprinting attack and defense with PhantomJS

May 18 2015 Published by under Censorship,Intelligence,privacy

PhantomJS is a headless browser that, when driven by Selenium, turns into a powerful, scriptable tool for scraping or automated web testing of even JavaScript heavy applications. We’ve known for a long time that browsers are being fingerprinted and used to identify individual visits to a website. This technology is a common feature of your web analytics tools. They want to know as much as possible about their users, so why not collect identifying information.

Attack (or active defense)

The scenario here is you, as a privacy conscious Internet user, have taken the various steps to hide your IP, maybe using Tor or a VPN service, and you’ve changed the default UserAgent string in your browser, but by using your browser and visiting similar pages across different IPs, the web site can track your activities even when your IP changes. Say for instance you go on Reddit and you have the same 5 subreddits that you look at. You switch IPs all the time, but because your browser is so individualistic, they can track your visits across multiple sessions.

Lots of interesting companies are jumping on this not only for web analytics, but from the security point of view. The now Juniper owned company, Mykonos, built its business around this idea. It would fingerprint individual users, and if one of them launched an attack, they’d be able to track them across multiple sessions or IPs by fingerprinting those browsers. They call this an active defense tactic because they are actively collecting information about you and defending the web application.

The best proof-of-concepts I know of are BrowserSpy.dk and the EFF’s Panopticlick project. These sites show what kind of passive information can be collected from your browser and used to connect you to an individual browsing session.

Defense

The defense against these fingerprinting attacks is, in a lot of cases, to disable JavaScript. But as the Tor Project accepts, disabling JavaScript is itself a fingerprintable property. The Tor Browser has been working on this problem for years; it’s a difficult game. If you look through BrowserSpy’s library of examples, there are common and tough to fight POCs. One is to read the fonts installed on your computer. If you’ve ever installed that custom cute font, it suddenly makes your browser exponentially more identifiable. One of my favorites is the screen resolution. This doesn’t refer to window size, which is separate; this means the resolution of your monitor or screen. Unfortunately, in a standard browser there’s no way to control this beyond running your system at a different resolution. You might say this isn’t that big of a deal because you’re running at 1980×1080, but think about mobile devices, which have model-specific resolutions that could tell an attacker the exact make and model of your phone.

PhantomJS

There’s no fix. But like all fix-less things, it’s fun to at least try. I’ve used PhantomJS in the past for automating interactions with web applications. You can write scripts for Selenium to automate all kinds of stuff like visiting a web page, clicking a button, and taking a screenshot of the result. Security Bods (as they’re calling them now) have been using it for years.

To create a simple web page screen scraper, it’s as easy as a few lines of Python. This ends up being pretty nice, especially when your friends send you all kinds of malicious stuff to see if you’ll click it. 🙂 This is very simple in Selenium, but I wanted to attempt to not look so script-y. The example below is how you would change the useragent string using Selenium:

Playing around with this started bringing up questions like: since PhantomJS doesn’t in fact have a screen, what would my screen resolution be? The answer is 1024×768.

This arbitrarily assigned value is pretty great. That means we can replace it with something else. It should be noted that even though you set this value to something different, it doesn’t affect the size of your window. To defend against being “Actively Defended” against, you can change the PhantomJS code and recompile.

The patched build picks from a few extra screen resolutions every time a new webdriver browser is created. You can test it back at BrowserSpy.

Old:

New:

And so on…

And we’ve now spoofed a single fingerprintable value, only another few thousand to go. In the end, is this better than scripting something like Firefox? Unknown. But the offer still stands that if someone at Juniper wants to provide me with a demo, I’d provide free feedback on how well it stands up to edge cases like me.


XKeyScore

Jul 05 2014 Published by under Intelligence,OSINT,privacy,Tor

If you’re like me, you’re probably getting inundated with posts about how the latest revelations show that the NSA specifically tracks Tor users and the privacy conscious. I wanted to provide some perspective on how XKeyscore fits into an overall surveillance system before we jump out of our collective pants. As I’ve written about before, the Intelligence Lifecycle (something that the NSA and the other Five Eyes know all too well) consists more-or-less of these key phases: Identify, Collect, Process, Analyze, and Disseminate. Some of us are a bit up-in-arms about Tor users specifically being targeted by the NSA, and while that’s a pretty safe conclusion, I don’t think it takes into account what the full system is really doing.

XKeyscore is part of the “Collect” and “Process” phases of the life cycle; in this case they are collecting your habits and correlating them to an IP address. Greenwald and others will show evidence that the NSA’s goal is to, as they say, “collect it all,” but this isn’t a literal turn of phrase. It’s true there is a broad collection net, but the NSA is not collecting everything about you. At least not yet. As of right now, the NSA’s collection initiatives lean more towards collecting quantifiable properties which have the highest reward and the lowest storage cost. That’s not as sexy of a phrase to repeat throughout your book tour though.


The conclusion may be (and it’s an obvious one) that what you’re seeing of XKeyscore is a tiny fraction of the overall picture. Yes, they are paying attention to people that are privacy conscious; yes, they are targeting Tor users; yes, they are paying attention to people that visit the Tor web page. But as the name implies, this may contribute to an overall “score” used to make conclusions about whether you are a high value target or not. What other online habits do you have that they may be paying attention to? Do you have a reddit account subscribed to /r/anarchy or some other subreddit they would consider extremist? Tor users aren’t that special, but this section of the code is a great way to get people nervous.

As someone who has worked on a collection and analysis engine at one time, I can say that one of the first steps during the collection process is tagging useful information and automatically removing useless information. In this case, tagging Tor users and dropping cat videos. It appears that XKeyscore is using a whitelist of properties for what they consider suspicious activity, which would then be passed on to the “Analysis” phase to help make automated conclusions. The analysis phase is where you get to make predictive conclusions about the properties you have collected so far.

[Image: intel_lifecycle_xkeyscore]

Take the fact that your IP address uses Tor. Add it to a list of extremist subreddits you visit. Multiply it by the number of times you searched for the phrase “how to make a bomb” and now you’re thinking of what the analytics engine of the NSA would look like.

My point is this: If you were the NSA, why wouldn’t you target the privacy aware? People doing “suspicious” (for some definition of the word) activities are going to use the same tools that a “normal” (some other definition) person would. We don’t have a good understanding of what happens to the information after it’s been gathered. We know that XKeyscore will log IPs that have visited sites of interest or performed searches for “extremist” things like privacy tools. We know that there have been cases where someone’s online activities have been used in court cases. But we can’t connect the dots. XKeyscore is just the collection/processing phase, and the analytic phase is what’s more important. I think the people of the Tor Project have a pretty decent perspective on this. Their responses have generally just re-iterated that this is exactly the threat model they’ve always planned for and they will keep working on ways to improve and protect its users.


JTRIG and Private Intel Agencies

Feb 25 2014 Published by under Intelligence,privacy

Last year, I was bitten by the idea of intel as a research project. I presented at BSidesDetroit on the topic of corporate espionage and the contrast between HUMINT and TECHINT. My Defcon Skytalk was titled “Bringing Intelligence Back To The Hacker Community” and I did a GRRCon talk on the capabilities and structure of a normal private intelligence campaign. The research had a side-effect of replacing a generally apathetic outlook on the topic with a more specific abhorrence toward the intelligence community as a whole — specifically private intelligence groups working under the auspices of the U.S government and other nation states.

Of course this research project came at an opportune time, with the recent NSA revelations substantiating many of the claims, and the recent articles about the JTRIG program have really hit home.

https://firstlook.org/theintercept/2014/02/24/jtrig-manipulation/

https://firstlook.org/theintercept/document/2014/02/24/art-deception-training-new-generation-online-covert-operations/

http://investigations.nbcnews.com/_news/2014/01/27/22469304-snowden-docs-reveal-british-spies-snooped-on-youtube-and-facebook?lite

http://www.nbcnews.com/news/investigations/war-anonymous-british-spies-attacked-hackers-snowden-docs-show-n21361

http://www.nbcnews.com/news/investigations/snowden-docs-british-spies-used-sex-dirty-tricks-n23091

Each of these articles released by Glenn Greenwald and NBC News reference JTRIG, a program designed to manipulate the hearts and minds of Internet users. Targeting individuals, organizations, and in some cases just the general ideas with the goal of destroying them. Programs like SQUEAKY DOLPHIN, for example, were designed to analyze the social networking patterns of all users, be it YouTube or Blogger or Facebook. We can all agree that the use-case of this capability has some positive implications, like infiltrating Al-Qaeda training forums or the like.

Not even mad

There’s definitely part of me that can sit back and just say “I’m not even mad. That’s amazing” from a purely technological standpoint. Part of my presentations on the subject of OSINT came to the conclusion that small-time intel groups pale in comparison to well-funded private organizations like HBGary and Palantir. I talked about how HBGary would pull stunts on forums and IRC, specifically targeting ideas and individuals that they were hired to attack — protesters against a large company in one example. JTRIG and the other programs above are examples that this is not just HBGary or Palantir but the entire intelligence community.

I even found myself falling down the rationalization stairs, convincing myself that this is what’s expected. They’re the U.S., and they’ve realized that the Internet is powerful, and they want to use it as a weapon. In fact, the U.S had realized a gap in their capabilities to collect information on the Internet in a paper from 1998 which first defined the problem of the “Intelligence Gap” — the increasing ratio of the number of collection sources to actionable intel. And you can see my disillusionment in my presentations. The Defcon Skytalks version of “Bringing Intelligence Back To The Hacker Community” was generally a fun, optimistic look at intelligence capabilities and even a structure for collection and analysis, whereas the GRRCon talk generally had a conclusion of “Yeah that was nice, but you are all fucked in comparison to private intel groups.”

*Shrug*; infosec.

The most depressing result that all of this new information has had on the public and the Information Security community is… nothing. Either the Infosec professionals I’ve talked to lately have withdrawn themselves from the situation out of hopelessness, they’ve generally become jaded, or they actually work in the intelligence community. I’ve heard the tongue-in-cheek comments of “Well, it’s good for us,” in that it’s now our job to provide security solutions to the new reasonable threat of a global adversary. I know people who are now signing up to become military intelligence operatives, seeing the career path of working for the government and then leaving for a private-sector, high-paying intelligence career. People have even admitted to me that the government has called them up and asked to snatch their idea, stating they would pay them millions of dollars. And how can you blame them? Morality, ethics, and not-being-a-dick-ism are difficult to maintain when faced with piles of money. Maybe this is where Info-Sec and Hacker will further fraction off. Maybe I’m just being naive.

New Year Review – 2014

For a few years now, I’ve been stating my plans for the rest of the year, and reviewing how the previous year went. Here’s the review:

Last Year

Major Con Presentation

One of my goals was to be accepted into a “Major Con” for some definition of that word. This year I presented at Derbycon, GRRCon, Defcon Skytalks, BSides Detroit, and the Rochester Security Summit. I will say that my moon shot was to be accepted into 30C3 but I was aptly turned down.

Intel/OSINT/OPSEC Project

This intel/OSINT/OPSEC topic has bugged me for a few years now, and thanks to Edward Snowden, I think I chose a good year to work on it. I put a ton of research time into formalizing what an intelligence gathering campaign would look like, and even implementing it. I even wrote some tools to help me get the job done. I presented my research at GrrCon, RSS, and BSides Detroit. I’ll admit, it’s a bit of a fluffy, opaque subject to talk about, which is why I really wanted to do the research and be done with it. The output from the research is just some new tools in my arsenal.

Hardware Hack into a PCB

Last year, although I was messing around with my hardware hacking project (that I was asked to take down), I never moved it from a proof-of-concept breadboard to my own custom circuit. This year, I was able to build a couple of circuits and get them fab’d. But I didn’t design them, so I still think that’s cheating. Going through the process of loading an Arduino with AVR software was a big enough step.

iButton Door System


This was a failure. Some of us still talk about it, but I didn’t build an iButton door system. I have all the hardware and Raspberry Pis to do it, I just haven’t put the time in.

Mannequin

My poor mannequin has been around for years. I’ve chopped her head open and loaded her up with an XBee controlled Arduino, I’ve made her my T-Shirt model for BSides Rochester, but this was to be the year of her demise. I accomplished this in fantastic fashion using Tannerite, an explosive that we packed inside of her.

3D Printing A Model

This was just a fail. I didn’t print anything really. We used a 3D printer to make the badges for BSidesROC this year, but I never actually went through the process myself.

Unplanned Accomplishments

There have been some interesting unplanned accomplishments this year:

  • Becoming a minister and performing in someone’s wedding ceremony
  • Going to Korea, twice
  • Building a silicone brain
  • Having a thermite party to destroy all of my old media
  • Operating a back hoe
  • Receiving my first DMCA request

Next Year

Grown-up Things

This is the year I know I’m going to have to, and want to, do some of what I would call Grown-Up Things. Things that aren’t necessarily about completely full-blown chaos and fun. One being learning about how businesses work, forming an LLC, and paying attention to financials. There are some other things, but where’s the fun in discussing that. I just know that this year will be filled with a lot of “Adult” opportunities.

Crypto

Although I have a decent understanding of crypto, I’d like to put some time in and develop this into a skill. A friend of mine is taking the Stanford Cryptography class and I’m hoping we can learn that together. But beyond that, I’d like to apply it to some actual research. Maybe doing some basic crypto audits of something like BitMessage. I’ll never be a cryptographer, but I’d like to be able to identify and exploit poor cryptographic implementations.

Development

I have a decent ability to make something in Python, but it’s all scripting. I’ve never taken a class or anything that would give me any kind of structured development style. My goal for this coming year is to further build my development skills beyond just scripting and hacking things together. Ideally I’d like to join a development team on a project of some kind.

Bitcoin

Gah – Bitcoin… when I say it out loud it sounds so stupid. But this year I’ll be putting time into learning how the bitcoin protocol works, the community that supports it, and slightly riding the roller coaster as it goes up and down. Last year I was doing intelligence when Edward Snowden released all his intel; this year I may be doing Bitcoin when we watch the first crypto currency become regulated.

Hardware RE

This year hasn’t taken me into much hardware reverse engineering. I’ll be looking for an interesting project to spend some time on.

Using The CIA’s Intelligence Model For Your Security Objectives

Jan 29 2013 Published by under Intelligence

I’ve been putting some time into trying to improve my intelligence gathering capabilities. Normally we would call this recon during a pen test, or OSINT gathering. But I’ve been thinking about it from the perspective of the CIA, who refer to it as intelligence gathering. The ideas are basically the same: collect information that provides you with some kind of insight into a target.

For a pen test, I want to know information about the subject I’m testing. Maybe it’s network information, or job openings, or a list of employees; all this type of data can be used during later phases of the assessment. For your organization, you may want to know when Anon is going to be launching an attack on your network, or about an employee who is leaking company secrets on her Facebook account.

OSINT Meets OPSEC

For the CIA, intel operations are part of operational security. The intel may tell you when future attacks are planned, secret ways terrorist organizations are communicating, or weaknesses in your adversaries. These same types of operations can be applied to your own OPSEC model: looking for discussion about future attacks on your organization, useful information about your competitors that was accidentally leaked, potential vulnerabilities in your own systems that become publicly available.

This is what the cycle looks like in its most generic form. There’s a lot of explanation that has to go into each phase, but I think you can interpret each however you’d like.

[Image: intel_cycle]

This cycle has many different versions. It seems like different governments interpret it in different ways, but they all basically stem from the image above. People have also been applying the intelligence lifecycle to APT (yes.. I said it…) because it directly applies to targeted network attacks. Here’s a good one from a hacker organization called “Dell”:

The CIA and You?

The Dell image is cute, but is meant to only highlight a small portion of the potential sources that the CIA documents. In general, some books say there are four primary sources of intelligence:

  1. HUMINT: Information collected from a human source
  2. TECHINT: Information collected by technical means (APT OMG!)
  3. OSINT: Open source intelligence gathering
  4. Direct Action: Hiring an effing militia to take the data.

This is from the CIA’s point-of-view, so I’m not suggesting that people should go and steal intelligence from your friends at gun point, or by hacking into their laptops, nor am I suggesting looking for human sources of intelligence to turn into spies for you. I’m trying to highlight a model of intel gathering that may improve your skills and capabilities, especially when working in groups. Red-teaming, for example.

I also want to point out that whether it’s the CIA, malware writers, APT-OMGZ! hackers, or corporate spies, the same model basically applies to any type of people with similar goals. Target, collect, process, analyse, disseminate, repeat.

While I’m not talking out-of-my-ass on the subject, I admit I have a lot to learn, especially compared to those that are in the intelligence community now. I’ll be giving a presentation about the subject at the next Rochester 2600 meeting this week.