Transcript Your life online:

Your life online:
Introduction


Roelof Temmingh ([email protected])
Just Google
 Not the classical music crowd (but family)
Paterva / Maltego?


Just Google
www.paterva.com
 CE version is free for non-commercial use
 Be sure to check out the TDS – to extend Maltego
capabilities and share transforms
Agenda
Introduction – what is Maltego really?
 Stalking – a case study
 An evil government could...
 Counter Intelligence

 Prevention
 Detection

Who are you anyway?
Maltego introduction





Web browser is a tool to navigate web pages
Web sites are connected by hyper links
Links are ‘man made’
Can we build a tool to navigate chunks of
information?
Links could be
 Rigid - man made
 Flexible - implied

Links are determined in real time by
software / plugins / transforms
Stop the Zen right now!
Example (rigid / man made):
 DNS Name -> IP Address
 Mail.abc.com -> 100.100.100.100
 The ‘link’ here is DNS
Example (implied / fuzzy):
 Telephone number -> Email address
 202 555 1234 -> [email protected]
 The ‘link’ here is some webpage where these are
mentioned in close proximity
 No context, no certainty
 Very fuzzy like
Maltego concepts...

Entities: ‘things’
 DNS Name / Person / Phone number / more...
 Can be extended with custom entities

Transforms: convert data types
 DNS resolving / Searching / Database access / Deep web
 Can be extended with TDS / local transforms
Why is this really cool?
 What are the private email addresses of people
working at XXX agency? How?
 Assume all phone numbers for agency starts with the same
digits
 Someone that gave out work number and their private email
address – that appears in the same snippet
Man & Machine

Machines are good at automation
 Transforms

Humans are good at pattern
recognition
 Visualization and Graphs

Let’s work together
 Maltego
Google network*
* Only a small part of it
Live demo
Let me show you how...
Please stop me if I spend too much time on this slide
There are still 30 slides to go...
No kidding...for real !
Case Study













Given name and email address
Name is common, email address at Gmail
No references to email address on the web
Name too common to search for
Email address used on LinkedIn, high ranking military official
Email address also on Facebook, but completely closed
profile
Email address used in the past with Flickr (thnx Rapleaf)
Flickr profile has NO info, photos, only an alias
But alias is very unique
Alias hits on 2 porn sites – one has DOB, corresponds in year
to LinkedIn info, but no other information
Other has very compromising photos
User’s photo is blurred
Seems unlikely, so have to be verified with other information
Case Study
Profiling took 7 hours
Profile:









Full names (x 5)
Work and private email addresses
Physical location
Work and education history (x 2)
Phone numbers – both work, home and mobile
I.M. Details
Children names, hobbies, interests
Photos of all
Friend lists
Why would we want a profile?
And what’s next?
When worlds collide
Digital but not online

Things you own
 Property (public, commercial)
 Transport (car, bike, boat, plane)
 Money - bank account(s)

Things you use






Internet (proxy logs, RADIUS logs from ISPs)
Mobile phones (CDR), fixed line
Credit card, ATMs
Utilities (water, power etc.)
Travel info – passports
Things you are
 Director, member of trust
 Records
○ Major retail details
○ Criminal / court
○ Education
○ Tax
○ ID number
An evil government could...
Have to assume that .gov has all of the
above information
 Gets scary when combining real world
with cyber world

 No concept of ID number on the Internet
 Mostly linked to email address
 Can hope for phone number but unlikely

What can they do?
 Example 1: Geo location to social net
 Example 2: Tracking forum members
Demo (video)
Challenges we suspect they may have

Format of data across tables
 083 448 6996 != (0)83448 6996
 Temmingh R != RW Temmingh
Typos, bad captures
 Multiple email addresses

 [email protected]
 [email protected]

Scaling the solution with new sources
 E2 – E problem
 Cool problems to solve here..
Use it to your advantage!

Entering your details in (digital)
forms
 44B vs 44b vs 4 4 b vs 44 B
 0834486996 vs 083 448 6996 vs
08344869961
 Roeloftemmingh vs roelof.temmingh

Catch all addresses
 [email protected]

For non-digital forms
 Write like your doctor
Preventing data mining

Infrastructure / networks:





Use generic address to register domains or
use domain registration services
Keep your fwd DNS zone as generic as
possible
Make sure you control zone transfers!
Keep your rev DNS zone as clean as possible.
Keep as much away from your real network NS/MX/www
Preventing data mining

Photos
 Reverse image search is possible (TinEye) so don’t





share photos
Getting tagged on other people’s photos!
Don’t geo tag photos
Beware of identifiable objects (car, bike, house,
office, logos) in photos
EXIF info on photos
Email addresses
 May not be used outside organization - policy
 Don’t use firstname.lastname when registering (I.M.
too)
 Make sure your mail server does not allow verifying
(!VRFY!)
 Keep your email address off PGP key rings
Preventing data mining

Websites/blogs
 Links to your site, links from your site
 No staff lists, internal phone lists, email list
 Use generic email addresses for things like
sales/info
○ Also consider generic addresses for domain
registration
 Keep XLS, DOCs away from the site (duh)
○ All in PDF. Clean meta information !
 Robots.txt / sitemap.xls (?)
 Javascript phone numbers and email
addresses or make them images
Preventing data mining

Phone numbers





Use a generic number for office, never direct lines
Don’t answer your phone with your name
Listing of company phone numbers on public sites (ads)
Javascript or image phone numbers where possible
Common sense
 Friends and family is your weakest link
 Never mention your DOB online / star sign
 Bios, interviews and videos – ‘Jane said...’ Everything ends
up on the ‘net.
 Be careful with who you leave your CV
 Don’t use unique aliases
 Guest books and blog comments
 Do them a favor and name your children ‘Bob’ and ‘Mary’
Detecting data mining

Infrastructure



Monitor your DNS servers for signs of brute
force / zone transfers
Check your web server logs for mirroring &
look at User Agents
Inspect the referrers in your web server logs
for referral from search engines...and the
search term.
Detecting data mining

Personal


How do I know if someone has a Google alert on
me?
Setting up fake blogs, social network profiles
○
○
○
With CAPTCHAs and email alerts
Cannot make the jump too obvious
Perfect place for counter intelligence






Referrer
IP address
User Agent
Browser exploits ?
Analytics on websites, blogs
Listing ‘red’ phone numbers on 2nd jumps.
Think outside the box

How do I know when people Google for
something?




I run a super secret project called Sookah.
I don't ever want people to know about it.
When someone search for the word Sookah I
want to know it leaked out somehow
I don't want them to find out that I know
I register an Adword...isn't Google wonderful?
Trick question

Which is better:
 No Internet profile at all / Closed profile
 Open, Full blown Internet profile?
 None / closed == open for impersonation
 Open / Full == open for stalking
 Impersonation
○ Competing with real person
 Complete new, fake
○ Easy, ask Robin Sage
The Curious case of Eugene
Eugene Gregoria
Location: Singapore
Industry: Telecommunications
Employer: Pacnet (formerly Asia Netcom)

Last Facebook status: On basketball: 'I liked the choreography, but I
didn't care for the costumes.' ~Tommy Tune, on why he never
considered playing basketball

Last 2 Tweets:
 German school reports 30 cases of A/H1N1 flu [link]
 I saw this nice web site on poker called "Bill's Poker Blog" [link]

Blog: I like watching western movies. We watched 'Giant' directed by
George Stevens. I really enjoyed it. I found this really interesting: It
was the highest grossing film in Warner Bros. history until the
release of Superman (1978).
WYSIWYG? Not always...
Investigator /target will follow the
crumbs…
…but nothing is real on the Internet
(Eugene is made up from
many different people,
algorithms, headlines and
snippets from the Internet)
2 of 2:fakes
;
Mandatory ‘Profound’ quote
“If we assume that only a small
percentage of the Internet consists
of unique information then creating
acceptable content and human-like
behavior becomes no more than a
complex copy and paste process.
If we acknowledge the existence of a
single fake identity on the Internet
an entire automated community should
soon be within our reach. “
How to make friends and...

So what’s the big deal?





Manipulate ratings of anything
Sway public opinion
Influence political polls
Alter stock prices – directly or indirectly
Perform social denial of service
Keep in mind that people are flock animals –
you just need to be the initial catalyst and
get critical mass
Thus in conclusion
The gap between the real world and the
online world is closing every minute...
 ...So is the gap between your online
profile and your actual life
 Information itself is a vulnerability

 Network->OS->Application->Information-
>People

It feels like the 90s again!

Think of the children...
Questions?
Eric (the iPhone guy) threaten me
already so let’s grab a beer / coffee..