Winding up with his keynote at Hacktivity event, Jeff Bardin provides tips on validating the collected data and provides a general summary on the topic.
Another thing I’m going to mention is that you need to validate your sources. This can be kind of difficult. Sometimes you find that everybody’s saying the same thing, and as you take this down, you find that it really came from just one source. That’s not enough; you need more than one source. You need to be able to rate your sources and determine: are they valid; are they credible; is this something I can bet on; and how do I rate these types of sources out there?
There is a reliability and validity rating scale that you can use (see image). Some of it starts with a bottom – you know, it’s kind of ok, it’s relative to a certain degree. But they are largely unreliable; there’s great doubt, so I need to reference that, because as you analyze, you need to make sure that you’re referencing information that is something you can stand behind.
As you go up the scale, it gets better and better as you move towards the top, so you can use this reliability scale from usually reliable – completely reliable – to improbable, doubtful, confirmed and validated. There are some sources out there. How many people here have heard of the hacker called The Jester? If you follow the folks from SecureNinja, they’re actually doing a Q&A online off their YouTube site. They opened this up lately; you can actually ask questions online, they will organize this and have a little contest.
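The two checks the speaker describes, rating a source on a reliability scale and noticing when "everybody" is really relaying one origin, as an added example that is not part of the talk. The A–F / 1–6 codes are assumed from the NATO "Admiralty" scheme as a stand-in for the slide that the transcript does not reproduce.

```python
# Added example (not from the talk): rate a claim on the two-axis
# reliability/credibility scheme and catch the case where several relaying
# sources all trace back to one origin. Letter/number codes follow the NATO
# "Admiralty" scale, assumed here as a stand-in for the speaker's slide.
from dataclasses import dataclass

RELIABILITY = {  # source reliability, A (best) to F (cannot be judged)
    "A": "completely reliable", "B": "usually reliable", "C": "fairly reliable",
    "D": "not usually reliable", "E": "unreliable", "F": "cannot be judged",
}
CREDIBILITY = {  # information credibility, 1 (best) to 6 (cannot be judged)
    1: "confirmed", 2: "probably true", 3: "possibly true",
    4: "doubtful", 5: "improbable", 6: "cannot be judged",
}

@dataclass(frozen=True)
class Report:
    source: str       # who relayed the claim to us (handle, site, feed)
    origin: str       # where that source got it; equals source if first-hand
    reliability: str  # letter grade assigned to the source, A-F

def independent_origins(reports):
    """Distinct first-hand origins: three reposts of one forum post count as one."""
    return {r.origin for r in reports}

def best_reliability(reports):
    graded = [r.reliability for r in reports if r.reliability in ("A", "B", "C", "D", "E")]
    return min(graded) if graded else "F"  # 'A' < 'B' < ..., so min is the best grade

def rate_claim(reports):
    """Return (credibility code, label). Corroboration needs >= 2 independent origins."""
    if not reports:
        return 6, CREDIBILITY[6]
    origins = len(independent_origins(reports))
    best = best_reliability(reports)
    if best == "F":
        code = 6
    elif best in ("A", "B"):
        code = 1 if origins >= 2 else 3   # single origin: possibly true at best
    elif best == "C":
        code = 2 if origins >= 2 else 4
    else:                                 # D or E
        code = 5 if origins < 2 else 4
    return code, CREDIBILITY[code]

# Constructed sample: three sources "say the same thing", but all relay one forum post.
ECHOED = [Report("blog1", "forum-post-17", "B"), Report("feed2", "forum-post-17", "A"),
          Report("site3", "forum-post-17", "C")]
CORROBORATED = [Report("analyst1", "analyst1", "A"), Report("forum2", "forum2", "B")]

if __name__ == "__main__":
    print(rate_claim(ECHOED))        # (3, 'possibly true')
    print(rate_claim(CORROBORATED))  # (1, 'confirmed')
```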
But a lot of people wonder: “Is The Jester real? Is he reliable?” And usually, if you look at what he says, he follows it up by knocking down the sites that he says he’s going to knock down; so I would look at him as definitely a very reliable source and someone you can trust: if he says he’s going to do something, he’s going to do it. If it’s targeting against you, then you’d better shut your site down and run, because he’ll definitely hit you.
But take a look at the SecureNinja folks, because they’re starting this: if you want to have this conversation with them, they’ve got a video out there that Alicia Webb has actually done, and you can actually have this conversation. But the source reliability is something you need to really take a look at, because if you’re actually doing your targeting and analysis for a policy maker, or a boss, or some manager, you’ll need to prove that in fact what you’re providing is valid and true to stand behind it.
Now, in the past several years, I have had direct communications; so now you’re into the cyber spying side, you’re using your sock puppet, you’ve established yourself, and you want to start having direct conversations with your target. In this case I use the tool called Mojahedeen Secrets v.2, which is an encryption tool that they created based on a lot of US or RSA-type encryption keys. They actually posted it, and I believe it’s still out there at gimfmail.blogspot.com (see left-hand image).
There is a public key that you can plug into this tool, share with them your public key, and start having conversations with them if they choose to respond back to you. So, here are some of the things that they say. Here’s Asrar al-Mujahideen v.2, or Mojahedeen Secrets, sometimes it’s hard to find nowadays; if anybody wants the tool, just send me an email, and I’ll send it to you if you’d like it. It’s fairly easy to use, it’s like PGP on steroids; it’s a really good tool.
But you can have these conversations with them, and again, you need to be careful with it, but you need to represent one of your sock puppets and explain to them what you’re after when you send it. There’s their public key that’s been out there. It’s changed a few times, but it’s available for you to use and copy and load it right up into your tool. It was in the Inspire magazines, although I was warned at one point not to email any of these accounts. There’re some 3-letter agencies in the United States you may have heard of that said: “Don’t email to these accounts, it’s probably a bad thing to do.” Most likely that’s because they’re watching these accounts. Regardless, you can go in and start this conversation with them.
So, this is the Mojahedeen Secrets tool here (see right-hand image). I imported their key, shared my public key with them, and we started having conversations through my Hushmail account, and that was actually the email address at the time; it was about 2.5-3 years old, the email is no longer valid. But we started having conversations. These conversations are where they started vetting me to find out who I was. So, they started asking some of those questions that I talked about earlier on the cultural, linguistic, historical, religious backgrounds to validate that I was who I was. This took about 2 or 3 months to go through that vetting to prove that I was, in their mind, one of them. As I went further in these conversations, they handed me off to another person; I made it to the next level. And in this next level of conversations we started talking more, and what they were really after is they wanted me to provide funding to them, funding for the folks in Palestine to help out their play.
This conversation continued on back and forth; this first started all in English, then it was Arabic and English, and then the third person was all Arabic. And as we had these conversations, we kept swapping new public keys back and forth to have these conversations. And again – patience, it takes time.
So, after about 120-150 days they offered me up the fourth level that said: “Ok, now it’s time to start paying us money, and we’re going to send you information on how to transmit the money.” Well, I certainly didn’t deliver the money, or else I would be in Guantanamo right now. What I did do is I turned this over to authorities; I gave them all my information; I gave my sock puppets, I gave my public key information, and gave that to them so they had all this information, so they could take it over from there.
But it shows that if you really want to do this, if you’re patient, if you know your target as you know yourself, that you can really get into these areas and take that physical tradecraft and penetrate into their environments to a point where you actually are fairly trusted. The next point is then to commit the dollars, or the money, to them, which, typically in the United States, when you give information over to law enforcement, nothing comes back; it’s just a one way street.
Another gentleman here; this is an Iranian person from Ashiyane Digital Security Team, Behrouz Kamalian (see right-hand image). Behrouz is known for many different things, primarily back in the Green movement of June 2009. He took a bunch of pictures of protesters on the street, posted them up on Facebook, infiltrated Facebook, and all those people disappeared, so the European Union is now looking at this gentleman here for these violations.
Regardless, he was one of the targets I was after to find out information about Behrouz. And he’s got different Ashiyane forum sites, so I was able to get in and get all this information about them: their names, their handles, their ages, their titles, by becoming a sock puppet in their forums. Information intelligence can be used later on if I know who they are; I need to find who these people are. In addition, I have his phone number, his address, his fax number. If you want to go visit him, call him up, give him a jingle if you’d like. But this is the information that you can gather on your targets to give you an idea.
Now, from an analysis and assessment perspective – again, this is looking at the quality of information and validating your data, not so much the source – but there’re different ways out there to look at it, whether it’s above standards or if it’s below standards, the type of information you can use. And there’re several things that you need to look at with the intelligence you provide: timeliness around it, the accuracy, the usability, relevancy of your information based on the targeting that you’re giving or that you’re after. This particular chart here will give you some guidance on how to validate that information and go forward with it (see image to the left).
So, in summary on this: if you really want to be a cyber spy, whether it’s to your kids or to an adversary out there, there’s a series of things you need to do, from creating your sock puppets, maintaining anonymity, knowing how to use these open source tools, knowing the cultural, historical, linguistic, religious backgrounds of your targets and who they are, so you can apply that craft to them before you actually go to source validation, direct communications out there with these folks, and gathering this information.
There’re a lot of great tools out there that you can use on this. Hackers want to take down the sites; people like me want to get in and become resident on these sites. And I’ve been in sites before that have been hacked; I’ve actually been live in those sites before they’d actually been taken down with DDoS tools from The Jester. So, every once in a while I send him a direct message: “Could you at least give me a heads up?”
With that said, I thank you very much for the opportunity to speak to you, and to kick off this conference here in Budapest.