Archive for August, 2010


August 10, 2010

So the other day I somewhat audaciously tweeted that I disagreed with @marcusjcarey and @itza11hYp3 regarding the statement that OSINT (open source intelligence) was basically a new name for something intelligence analysts have always done. I say audacious because I am not, in fact, an intel analyst by trade, whereas they have a stint at NSA and long experience in the federal sphere, respectively. Now, I know a lot of people have theorized that I work for the NSA – and I am quite proud of my hat, which came straight from the (classified!) gift shop at Ft. Meade – but I don’t. My skills are focused on obtaining information rather than analyzing it.

Still, I think there are a few reasons why modern OSINT is different from traditional methods. Whether that qualifies as something really new or not is semantic. To clarify, OSINT refers to gathering intelligence from “open sources” – newspapers, court records, web sites, etc. Certainly, analysts have always done this, and obviously it has gotten easier since PCs and the Internet became more widely used. Not only can you search a lot of archives from a distance, and quickly, but also people and organizations are just publishing more information about themselves.

The first reason why I think it’s substantially different is the collection method. It’s not just a matter of reading online versus reading paper. Part of it is being able to Google well (and use Lexis / Nexis, etc.) but part is being able to find relevant information in a very large haystack without wasting time on false positives. The only way to do this in a timely manner is algorithmically. The only way to implement such complex algorithms is in software. Example: say you have a suspected domestic terror group whose known members have purchased warehouse space in 3 cities. It might be useful to search all the real estate purchases in the U.S. for other purchases matching similar criteria to ferret out other cells. Given the amount of real estate transaction data available online, this should be doable, but the analyst is going to have to be able to carefully delineate the parameters for such a search – not just what to look for, but what to exclude. Or, perhaps, more likely, they’ll explain the general idea to an IT person who will codify it.

Reason 2: Correlation. A big benefit of having so much digital data available is being able to correlate it. Forget those scenes in cop shows where they have all their clues written on pieces of paper and tacked to a cork board. I’d be spidering craigslist, twitter, etc., and running the data through something like Splunk to look for unforeseen correlations. Merely by doing math, software can point out possible correlations that might never occur to a human. Given the number of job postings at NSA for people with experience in data mining over the past decade, you can be sure this is happening. (Hey, I just deduced what the NSA is doing from their public job postings. OSINT!)

Reason 3: Meta-data. Analysts are no longer limited to the “published” data in a record. We’ve all heard the stories of info being leaked in the meta-data of a Word doc, EXIF data in an image, geo data in a tweet, ID3 tags in MP3s, whatever. Being able to access, search and understand this information is critical and, again, requires either a technically minded analyst or a resident techie to write the tools.

Reason 4: The so-called “deep web”. Not every bit of information on the Internet is indexed by Google; in fact, a great deal of it doesn’t even use HTTP. Even “innocuous” protocols like ICMP and DNS can transport extra data around. If nmap can figure out an operating system by looking at administrative data, what can we figure out at the semantic level. E.g., if you’re monitoring a server that you suspect of storing malware being used by a certain group, and every time one of the group members walk in to a cafe with a laptop, the ping time to that server increases, it stands to reason that they’re doing something that’s increasing the load on the server.

Fifth and final reason: There are more different types of data now: pictures, videos, audio, etc., due to the advent of cheap digital cameras and other devices. I know for a fact that certain (probably all) intelligence agencies examine the pictures that suspected terrorists post on Facebook, Flickr, etc., to try to identify their location, associates, etc. In the past, pictures and video were generally only available if a HUMINT operator was surveilling the suspect already. Of course, all of the aforementioned reasons also apply to multimedia, too.

I’m not writing this to defend my position or anything, just to point out things I find interesting about the process. Certainly, as someone who doesn’t want “Johnny Cocaine” to be associated with his real identity, I consider these avenues of attack and attempt to mitigate them, as I’ve discussed previously. Not that I need to keep it secret from nation-state level adversaries – although I feel confident that I could do so – but it’s just fun. Anyway, hats off to @marcusjcarey and @itza11hYp3 for making me think about this and replying to me. I’ll buy you guys a drink at the next spook convention.

The social engineering dust up

August 3, 2010

And while we’re on the subject of corporate rights being somehow more important than individual, I have thoughts on the social engineering contest and the minor furor it created. So companies and even the FBI, were worried that people at DefCon were trying to social engineer them? I mean, first of all, maybe you should be worried about the real bad guys who are trying to do it, not people at a con who are acting under certain rules.

Second, HELLO? How many times has some telemarketer called you and tried to trick you in to divulging information and even buying crap, often under false pretenses? Not just telemarketers: sales people, snail mail, web sites, service personnel, customer support – most companies are less than honest when they’re trying to make sales. Indeed, many of them have lying as their primary business model. They depend on riding just on the legal side of fraud to get you to buy something and depend on their byzantine phone trees and laborious return procedures to get you to keep it. Who cares if you swear to never buy from them again, as long as they meet their numbers for this quarter? By the time your contract expires or your gadget needs replaced, the officers will have moved on to a new company anyway.

So I don’t feel too bad when people try to trick them back.

Yes, I’m grouchy. I need a smoke.

Security Pro Hypocrits

August 3, 2010

Well, we all know that last week was the 18th revision of the largest “hacker” conference in the world, DefCon, and its spin-offs Black Hat and BSides. I had a great time and met a lot of awesome people. And, as I’ve mentioned, lined up 3 new jobs. 🙂 But, I have an issue.

It won’t be news to anyone who’s been going for a while that DefCon has gotten more, well, corporate, especially since the inception of Black Hat. More and more of the speakers are well groomed “security researchers” from various software companies who are trying to drum up business. More and more of the attendees seem to be the type that do their 9-5 job and go home to watch a ball game rather than spending all night coding or using a soldering gun. That’s okay; I want anyone who is interested, in the tech or the culture, to be welcome.

But with the shift comes an apparent shift in, well, philosophy that disturbs me. To whit: all these corporate and government folks go on and on about how to Assure the Confidentiality, Integrity and Availability of their employers’ data, while openly claiming that individuals have no right to or expectation of such protection.

I can’t tell you how many times I heard speakers claim that “Privacy is dead” or “If you put anything on a social network, you should assume it’s public” or “Allowing anonymity is too dangerous.”

What. The. Fuck.

So it’s perfectly okay – indeed, expected (“due diligence”) – for big companies to keep what they’re doing secret, but practically a crime for individuals? Standard practice for a corporation to rely on authorization / access controls, but too much of a burden for a consumer service? A horrendous crime to copy a Lady Gaga song without permission, when people assume they have carte blanche to copy others’ images, blog posts, tweets, or documents and put them in their Power Points for Black Hat?

One speaker – it won’t take you long to figure out who – spoke of the dangers of using so-called “darknets”, including Tor. (In fairness, he mentioned that Tor was not technically a “darknet”, whatever that is, but he applied all the same lessons to it.) It’s true – using Tor or P2P or mesh networks, etc., has risks. There’s the risk of being pwned, or DL’ing malware, etc., and the risk of legal action, both for what you do and what you enable others to do. His conclusion? “Don’t use them.” Essentially, he seemed to think they were only for bad guys.

Oh, and his reason for believing this was partly based on having examined the traffic on Tor exit nodes, which is pretty clearly a violation of federal wiretap laws.

That aside, did he ever think there were legit reasons for using Tor? Like, journalists / activists? Legally gathering corporate intelligence? Law enforcement and counter terrorism? To get around national censors in countries like China and Iran? To not get harassed? Keeping controversial viewpoints from being associated with, say, your LinkedIn account? And what about penetration testing?

The same goes for Bit Torrent, Freenet (why were you surprised that I’d heard of Ian Clarke, dude??), Gnu Net, etc.

People: information security is not only the right of wealthy corporations (I include most governments in that class). It’s the right of anyone who chooses to take advantage of it (like any right). Frankly, I think a neo-con government data mining everyone’s email is a bigger threat to our democracy than a hacker joy riding a corporate network.

The problem is that A) few people are paying infosec pros to protect the data of individuals and B) it’s hard. If an employee violates rules on protecting data, you can fire, sue or jail them. What are you going to do if a Facebook friend reposts one of your pictures? At most, you’ll ask them to take it down – by which time it’s probably been shared, Liked, downloaded, saved, emailed and cached a million times.

That doesn’t mean we should just write it off.