Your life online: No more secrets Marty
Introduction
• Roelof Temmingh (roelof@paterva.com)
• Just Google
• Not the classical music crowd (but family)
Paterva / Maltego?
• Just Google
• www.paterva.com
• CE version is free for non-commercial use
• Be sure to check out the TDS – to extend Maltego capabilities and share transforms
Agenda
• Introduction – what is Maltego really?
• Stalking – a case study
• An evil government could...
• Counter Intelligence
  • Prevention
  • Detection
• Who are you anyway?
Maltego introduction
• A web browser is a tool to navigate web pages
• Web sites are connected by hyperlinks
• Links are ‘man made’
• Can we build a tool to navigate chunks of information?
• Links could be
  • Rigid - man made
  • Flexible - implied
• Links are determined in real time by software / plugins / transforms
Stop the Zen right now!
Example (rigid / man made):
• DNS Name -> IP Address
• mail.abc.com -> 100.100.100.100
• The ‘link’ here is DNS
Example (implied / fuzzy):
• Telephone number -> Email address
• 202 555 1234 -> dave@domain.com
• The ‘link’ here is some web page where these are mentioned in close proximity
• No context, no certainty
• Very fuzzy like
Maltego concepts...
• Entities: ‘things’
  • DNS Name / Person / Phone number / more...
  • Can be extended with custom entities
• Transforms: convert data types
  • DNS resolving / Searching / Database access / Deep web
  • Can be extended with TDS / local transforms
Why is this really cool?
• What are the private email addresses of people working at XXX agency? How?
  • Assume all phone numbers for the agency start with the same digits
  • Someone gave out their work number together with their private email address – both appear in the same snippet
Man & Machine
• Machines are good at automation
  • Transforms
• Humans are good at pattern recognition
  • Visualization and Graphs
• Let’s work together
  • Maltego
Google network*
* Only a small part of it
Live demo
Let me show you how...
Please stop me if I spend too much time on this slide
There are still 30 slides to go...
Case Study
• Given name and email address
• Name is common, email address at Gmail
• No references to email address on the web
• Name too common to search for
• Email address used on LinkedIn, high ranking military official
• Email address also on Facebook, but completely closed profile
• Email address used in the past with Flickr (thnx Rapleaf)
• Flickr profile has NO info, photos, only an alias
• But alias is very unique
• Alias hits on 2 porn sites – one has DOB, corresponds in year to LinkedIn info, but no other information
• Other has very compromising photos
  • User’s photo is blurred
  • Seems unlikely, so has to be verified with other information
Case Study
Profiling took 7 hours
Profile:
• Full names (x 5)
• Work and private email addresses
• Physical location
• Work and education history (x 2)
• Phone numbers – work, home and mobile
• I.M. details
• Children’s names, hobbies, interests
• Photos of all
• Friend lists
Why would we want a profile? And what’s next?
Digital but not online
• Things you own
  • Property (public, commercial)
  • Transport (car, bike, boat, plane)
  • Money - bank account(s)
• Things you use
  • Internet (proxy logs, RADIUS logs from ISPs)
  • Mobile phones (CDR), fixed line
  • Credit card, ATMs
  • Utilities (water, power etc.)
  • Travel info – passports
• Things you are
  • Director, member of trust
• Records
  • Major retail details
  • Criminal / court
  • Education
  • Tax
  • ID number
An evil government could...
• Have to assume that .gov has all of the above information
• Gets scary when combining real world with cyber world
• No concept of ID number on the Internet
  • Mostly linked to email address
  • Can hope for phone number but unlikely
• What can they do?
  • Example 1: Geo location to social net
  • Example 2: Tracking forum members
Challenges we suspect they may have
• Format of data across tables
  • 083 448 6996 != (0)83448 6996
  • Temmingh R != RW Temmingh
• Typos, bad captures
• Multiple email addresses
  • roelof@paterva.com
  • benbrand@gmail.com
• Scaling the solution with new sources
  • E² – E problem
• Cool problems to solve here..
Use it to your advantage!
• Entering your details in (digital) forms
  • 44B vs 44b vs 4 4 b vs 44 B
  • 0834486996 vs 083 448 6996 vs 08344869961
  • roeloftemmingh vs roelof.temmingh
• Catch-all addresses
  • roelof-govform1@myowndomain.com
• For non-digital forms
  • Write like your doctor
Preventing data mining
• Infrastructure / networks:
  • Use a generic address to register domains, or use domain registration services
  • Keep your forward DNS zone as generic as possible
  • Make sure you control zone transfers!
  • Keep your reverse DNS zone as clean as possible
  • Keep as much as possible away from your real network - NS/MX/www
Preventing data mining
• Photos
  • Reverse image search is possible (TinEye) so don’t share photos
  • Getting tagged in other people’s photos!
  • Don’t geo-tag photos
  • Beware of identifiable objects (car, bike, house, office, logos) in photos
  • EXIF info on photos
• Email addresses
  • May not be used outside the organization - policy
  • Don’t use firstname.lastname when registering (I.M. too)
  • Make sure your mail server does not allow address verification (!VRFY!)
  • Keep your email address off PGP key rings
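The geo-tag and EXIF points above are easy to state and easy to get wrong in practice, because the location sits in a GPS sub-IFD inside the Exif APP1 segment rather than anywhere visible. The following is an added example (my own code, not from the deck or from Paterva/Maltego) that walks a JPEG's marker segments, reports whether the Exif block carries a GPS sub-IFD pointer, and writes a copy with the Exif segment removed so the result can be re-checked before the photo is shared. The sample JPEG it builds is constructed inline (headers only, no picture data); all function names are my own.

```python
import struct

SOS, EOI, APP1 = 0xDA, 0xD9, 0xE1
GPS_IFD_POINTER = 0x8825      # IFD0 tag whose value is the offset of the GPS sub-IFD
EXIF_HEADER = b"Exif\x00\x00"


def segments(jpeg):
    """Yield (marker, start, end) for each marker segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):      # image data / end of file: no more metadata segments
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def is_exif(jpeg, marker, start):
    return marker == APP1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def ifd0_tags(exif_payload):
    """Return the set of tag ids in IFD0 of an Exif payload ("Exif\\0\\0" + TIFF)."""
    tiff = exif_payload[len(EXIF_HEADER):]
    order = ">" if tiff[:2] == b"MM" else "<"          # byte order from the TIFF header
    ifd = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
    return {struct.unpack(order + "H", tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i])[0]
            for i in range(count)}


def has_gps_exif(jpeg):
    """True if any Exif segment's IFD0 points at a GPS sub-IFD (i.e. the photo is geo-tagged)."""
    return any(GPS_IFD_POINTER in ifd0_tags(jpeg[start + 4:end])
               for marker, start, end in segments(jpeg) if is_exif(jpeg, marker, start))


def strip_exif(jpeg):
    """Copy the file without its Exif APP1 segment(s); all other bytes are untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg(with_gps):
    """Constructed test input: SOI + one Exif APP1 + EOI, with no actual picture data."""
    entries = [struct.pack(">HHIHH", 0x0112, 3, 1, 1, 0)]        # Orientation = 1 (SHORT)
    n = len(entries) + (1 if with_gps else 0)
    gps_off = 8 + 2 + 12 * n + 4                                   # GPS IFD directly follows IFD0
    if with_gps:
        entries.append(struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, gps_off))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                    # big-endian TIFF, IFD0 at 8
    tiff += struct.pack(">H", n) + b"".join(entries) + struct.pack(">I", 0)
    if with_gps:                                                   # GPSVersionID = 2.3.0.0
        tiff += struct.pack(">H", 1) + struct.pack(">HHI", 0, 1, 4) + b"\x02\x03\x00\x00"
        tiff += struct.pack(">I", 0)
    payload = EXIF_HEADER + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    tagged = build_sample_jpeg(with_gps=True)
    print("geo-tagged:", has_gps_exif(tagged))
    print("after strip:", has_gps_exif(strip_exif(tagged)))
```

Two caveats for real use: cameras and editors also store location and author data in XMP (a second APP1 segment with a different header) and in IPTC (APP13), so a production stripper has to drop those segments too, and thumbnails embedded in the Exif block are removed along with it, which is usually what you want. For a directory of photos a maintained tool such as exiftool is the practical choice; the value of the small parser above is that it lets you verify, byte by byte, that the GPS pointer is really gone.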
Preventing data mining
• Websites/blogs
  • Links to your site, links from your site
  • No staff lists, internal phone lists, email lists
  • Use generic email addresses for things like sales/info
  • Also consider generic addresses for domain registration
  • Keep XLS, DOCs away from the site (duh)
  • All in PDF. Clean meta information!
  • robots.txt / sitemap.xml (?)
  • Javascript phone numbers and email addresses, or make them images
Preventing data mining
• Phone numbers
  • Use a generic number for the office, never direct lines
  • Don’t answer your phone with your name
  • Listing of company phone numbers on public sites (ads)
  • Javascript or image phone numbers where possible
• Common sense
  • Friends and family are your weakest link
  • Never mention your DOB online / star sign
  • Bios, interviews and videos – ‘Jane said...’ Everything ends up on the ‘net.
  • Be careful with whom you leave your CV
  • Don’t use unique aliases
  • Guest books and blog comments
  • Do them a favor and name your children ‘Bob’ and ‘Mary’
Detecting data mining
• Infrastructure
  • Monitor your DNS servers for signs of brute force / zone transfers
  • Check your web server logs for mirroring & look at User Agents
  • Inspect the referrers in your web server logs for referrals from search engines... and the search term.
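The two web-server checks on this slide (mirroring by user agent or request rate, and search terms carried in referrers) are the kind of thing a short script over the access log answers directly. As an added example (my own code, not from the deck or from Paterva), the Python below parses Apache/nginx "combined" format lines, pulls the search query out of referrers from a few search engines, and flags clients that either announce a mirroring tool in their user agent or issue a burst of requests in a short window. The log lines, the user-agent marker list and the engine/parameter table are all constructed or assumed; tune them to your own site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referrer" "user agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings that identify mirroring or scripted clients (assumed starter list)
MIRROR_UA_MARKERS = ("httrack", "wget", "curl/", "python-requests", "scrapy")

# Referrer host fragment -> query parameter that carried the search term (assumed)
SEARCH_ENGINE_PARAMS = {"google.": "q", "bing.com": "q", "yahoo.": "p", "duckduckgo.com": "q"}

# Constructed sample log using RFC 5737 documentation addresses; not real traffic
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2009:13:55:36 +0200] "GET / HTTP/1.1" 200 2326 "http://www.google.com/search?q=acme+corp+staff+list" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
203.0.113.7 - - [10/Oct/2009:13:56:02 +0200] "GET /about.html HTTP/1.1" 200 1841 "http://www.example.com/" "Mozilla/5.0 (Windows NT 5.1) Firefox/3.5"
192.0.2.10 - - [10/Oct/2009:13:58:11 +0200] "GET /contact.html HTTP/1.1" 200 912 "http://www.bing.com/search?q=acme%20phone%20directory" "Mozilla/5.0 (Macintosh) Safari/531"
198.51.100.23 - - [10/Oct/2009:14:00:01 +0200] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.23 - - [10/Oct/2009:14:00:01 +0200] "GET /about.html HTTP/1.1" 200 1841 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.23 - - [10/Oct/2009:14:00:02 +0200] "GET /contact.html HTTP/1.1" 200 912 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.23 - - [10/Oct/2009:14:00:02 +0200] "GET /news/ HTTP/1.1" 200 3002 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
198.51.100.23 - - [10/Oct/2009:14:00:03 +0200] "GET /team.html HTTP/1.1" 200 1500 "-" "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
192.0.2.55 - - [10/Oct/2009:14:10:00 +0200] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.5"
192.0.2.55 - - [10/Oct/2009:14:10:01 +0200] "GET /about.html HTTP/1.1" 200 1841 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.5"
192.0.2.55 - - [10/Oct/2009:14:10:01 +0200] "GET /contact.html HTTP/1.1" 200 912 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.5"
192.0.2.55 - - [10/Oct/2009:14:10:02 +0200] "GET /news/ HTTP/1.1" 200 3002 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.5"
192.0.2.55 - - [10/Oct/2009:14:10:03 +0200] "GET /team.html HTTP/1.1" 200 1500 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.5"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def load(text):
    """Parse every well-formed line; malformed lines are skipped rather than fatal."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def search_terms(records):
    """(client ip, search engine host, query) for every hit whose referrer carries a query."""
    found = []
    for r in records:
        u = urlparse(r["ref"])
        for host_marker, param in SEARCH_ENGINE_PARAMS.items():
            if host_marker in u.netloc:
                q = parse_qs(u.query).get(param)      # parse_qs also decodes '+' and %20
                if q:
                    found.append((r["ip"], u.netloc, q[0]))
    return found


def mirroring_clients(records, min_requests=5, window_seconds=10):
    """Map ip -> reason for clients that look like site mirroring."""
    reasons = {}
    by_ip = defaultdict(list)
    for r in records:
        if any(marker in r["ua"].lower() for marker in MIRROR_UA_MARKERS):
            reasons[r["ip"]] = "mirroring/scripted user agent: " + r["ua"]
        by_ip[r["ip"]].append(r["ts"])
    for ip, stamps in by_ip.items():                   # burst check: N requests inside the window
        stamps.sort()
        for i in range(len(stamps) - min_requests + 1):
            span = (stamps[i + min_requests - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                reasons.setdefault(ip, f"{min_requests} requests within {span:.0f}s")
                break
    return reasons


def report(text=SAMPLE_LOG):
    recs = load(text)
    return {"search_terms": search_terms(recs), "mirroring": mirroring_clients(recs)}


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

On the sample data the report lists the two search queries that brought visitors in and flags two clients: one by its HTTrack user agent and one, with an ordinary browser string, purely by request rate. The rate check is deliberately crude (static assets will trip it on a busy page, so in practice restrict it to HTML responses or raise the threshold), and the referrer check reflects how search engines worked when this talk was given; today most of them send only the engine's origin, so the search term is rarely present in the referrer any more.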
Detecting data mining
• Personal
  • How do I know if someone has a Google alert on me?
  • Setting up fake blogs, social network profiles
    • With CAPTCHAs and email alerts
    • Cannot make the jump too obvious
  • Perfect place for counter intelligence
    • Referrer
    • IP address
    • User Agent
    • Browser exploits?
  • Analytics on websites, blogs
  • Listing ‘red’ phone numbers on 2nd jumps.
Think outside the box
• How do I know when people Google for something?
  • I run a super secret project called Sookah.
  • I don't ever want people to know about it.
  • When someone searches for the word Sookah I want to know it leaked out somehow
  • I don't want them to find out that I know
• I register an AdWord... isn't Google wonderful?
Trick question
• Which is better:
  • No Internet profile at all / Closed profile
  • Open, Full blown Internet profile?
• None / closed == open for impersonation
• Open / Full == open for stalking
• Impersonation
  • Competing with real person
  • Complete new, fake
  • Easy, ask Robin Sage
The Curious Case of Eugene
Eugene Gregoria
Location: Singapore
Industry: Telecommunications
Employer: Pacnet (formerly Asia Netcom)
• Last Facebook status: On basketball: 'I liked the choreography, but I didn't care for the costumes.' ~Tommy Tune, on why he never considered playing basketball
• Last 2 Tweets:
  • German school reports 30 cases of A/H1N1 flu [link]
  • I saw this nice web site on poker called "Bill's Poker Blog" [link]
• Blog: I like watching western movies. We watched 'Giant' directed by George Stevens. I really enjoyed it. I found this really interesting: It was the highest grossing film in Warner Bros. history until the release of Superman (1978).
WYSIWYG? Not always...
Investigator / target will follow the crumbs...
...but nothing is real on the Internet
(Eugene is made up from many different people, algorithms, headlines and snippets from the Internet)
Mandatory ‘Profound’ quote
“If we assume that only a small percentage of the Internet consists of unique information then creating acceptable content and human-like behavior becomes no more than a complex copy and paste process. If we acknowledge the existence of a single fake identity on the Internet an entire automated community should soon be within our reach.”
How to make friends and...
• So what’s the big deal?
  • Manipulate ratings of anything
  • Sway public opinion
  • Influence political polls
  • Alter stock prices – directly or indirectly
  • Perform social denial of service
Keep in mind that people are flock animals – you just need to be the initial catalyst and get critical mass
Thus in conclusion
• The gap between the real world and the online world is closing every minute...
• ...So is the gap between your online profile and your actual life
• Information itself is a vulnerability
  • Network -> OS -> Application -> Information -> People
• It feels like the 90s again!
• Think of the children...
Questions?
Eric (the iPhone guy) threatened me already, so let’s grab a beer / coffee..