No more secrets Marty


Page 1: No more secrets Marty

NO MORE SECRETS MARTY

Your life online:

Page 2: No more secrets Marty

Introduction

- Roelof Temmingh ([email protected])
  ○ Just Google
- Not the classical music crowd (but family)
- Paterva / Maltego? Just Google www.paterva.com
  ○ CE version is free for non-commercial use
  ○ Be sure to check out the TDS – to extend Maltego capabilities and share transforms

Page 3: No more secrets Marty

Agenda

- Introduction – what is Maltego really?
- Stalking – a case study
- An evil government could...
- Counter intelligence
  ○ Prevention
  ○ Detection
- Who are you anyway?

Page 4: No more secrets Marty

Maltego introduction

- A web browser is a tool to navigate web pages
  ○ Web sites are connected by hyperlinks
  ○ Links are ‘man made’
- Can we build a tool to navigate chunks of information?
  ○ Links could be rigid (man made) or flexible (implied)
  ○ Links are determined in real time by software / plugins / transforms

Page 5: No more secrets Marty

Stop the Zen right now!

- Example (rigid / man made): DNS Name -> IP Address
  ○ Mail.abc.com -> 100.100.100.100
  ○ The ‘link’ here is DNS
- Example (implied / fuzzy): Telephone number -> Email address
  ○ 202 555 1234 -> [email protected]
  ○ The ‘link’ here is some webpage where these are mentioned in close proximity
  ○ No context, no certainty. Very fuzzy like

Page 6: No more secrets Marty

Maltego concepts...

- Entities: ‘things’
  ○ DNS Name / Person / Phone number / more...
  ○ Can be extended with custom entities
- Transforms: convert data types
  ○ DNS resolving / Searching / Database access / Deep web
  ○ Can be extended with TDS / local transforms
- Why is this really cool?
  ○ What are the private email addresses of people working at XXX agency?
  ○ How? Assume all phone numbers for the agency start with the same digits
  ○ Find someone that gave out a work number and their private email address – both appearing in the same snippet

Page 7: No more secrets Marty

Man & Machine

- Machines are good at automation
  ○ Transforms
- Humans are good at pattern recognition
  ○ Visualization and graphs
- Let’s work together: Maltego

Page 8: No more secrets Marty

Google network*

* Only a small part of it

Page 9: No more secrets Marty

Live demo

Let me show you how...

Please stop me if I spend too much time on this slide. There are still 30 slides to go...

Page 10: No more secrets Marty

No kidding...for real !

Page 11: No more secrets Marty

Case Study

- Given: name and email address
  ○ Name is common, email address at Gmail
  ○ No references to the email address on the web
  ○ Name too common to search for
- Email address used on LinkedIn: high ranking military official
- Email address also on Facebook, but completely closed profile
- Email address used in the past with Flickr (thnx Rapleaf)
  ○ Flickr profile has NO info, no photos, only an alias
  ○ But the alias is very unique
- Alias hits on 2 porn sites
  ○ One has a DOB that corresponds in year to the LinkedIn info, but no other information
  ○ The other has very compromising photos; the user’s photo is blurred
  ○ Seems unlikely, so it has to be verified with other information

Page 12: No more secrets Marty
Page 13: No more secrets Marty

Case Study

Profiling took 7 hours. Profile:

- Full names (x 5)
- Work and private email addresses
- Physical location
- Work and education history (x 2)
- Phone numbers – work, home and mobile
- I.M. details
- Children’s names, hobbies, interests
- Photos of all
- Friend lists

Why would we want a profile? And what’s next?

Page 14: No more secrets Marty

When worlds collide

Page 15: No more secrets Marty

Digital but not online

- Things you own
  ○ Property (public, commercial)
  ○ Transport (car, bike, boat, plane)
  ○ Money - bank account(s)
- Things you use
  ○ Internet (proxy logs, RADIUS logs from ISPs)
  ○ Mobile phones (CDR), fixed line
  ○ Credit card, ATMs
  ○ Utilities (water, power etc.)
  ○ Travel info – passports
- Things you are
  ○ Director, member of trust
  ○ Records
    ○ Major retail details
    ○ Criminal / court
    ○ Education
    ○ Tax
    ○ ID number

Page 16: No more secrets Marty

An evil government could...

- Have to assume that .gov has all of the above information
- Gets scary when combining the real world with the cyber world
  ○ No concept of ID number on the Internet
  ○ Mostly linked to email address
  ○ Can hope for phone number but unlikely
- What can they do?
  ○ Example 1: Geo location to social net
  ○ Example 2: Tracking forum members

Page 17: No more secrets Marty

Demo (video)

Page 18: No more secrets Marty

Challenges we suspect they may have

- Format of data across tables
  ○ 083 448 6996 != (0)83448 6996
  ○ Temmingh R != RW Temmingh
- Typos, bad captures
- Multiple email addresses
  ○ [email protected]@gmail.com
- Scaling the solution with new sources
  ○ E² – E problem
- Cool problems to solve here..
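An added example, not from the talk: a small Python version of the ‘implied / fuzzy’ link from Page 5 (phone number and email address mentioned in close proximity), with phone numbers normalised to digits only so the formatting variants listed on Page 18 compare equal, plus an audit helper that turns the Page 6 question around and flags non-organisation addresses sitting next to a phone number on your own published pages. The snippet, the 60-character window and the regexes are my assumptions, not Maltego’s.

```python
import re

# Constructed contact-page text (not from the talk); numbers and addresses are examples only.
SNIPPET = """\
Contact: R Temmingh, office 083 448 6996, or after hours at roelof.temmingh@example.net.
Sales desk: (0)83 448 6996. General queries: info@example.com.
Unrelated footer text that sits far away from any address on this page ... 202 555 1234"""

PHONE_RE = re.compile(r'\(?\+?\d[\d\s\-().]{7,}\d')      # loose: local or international
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')


def normalise_phone(raw):
    """Digits only, so '083 448 6996' and '(0)83448 6996' (Page 18) compare equal."""
    return re.sub(r'\D', '', raw)


def implied_links(text, window=60):
    """Page 5's 'implied / fuzzy' link: pair each phone number with every email
    address that appears within `window` characters of it in the same text.
    Returns sorted unique (normalised phone, lower-cased email) pairs; note the
    sales-desk number in SNIPPET gets paired with both addresses, which is the
    'no context, no certainty' the slide warns about."""
    phones = [(m.start(), normalise_phone(m.group())) for m in PHONE_RE.finditer(text)]
    emails = [(m.start(), m.group().lower()) for m in EMAIL_RE.finditer(text)]
    pairs = set()
    for p_pos, phone in phones:
        for e_pos, email in emails:
            if abs(p_pos - e_pos) <= window:
                pairs.add((phone, email))
    return sorted(pairs)


def exposed_private_addresses(text, org_domain):
    """Audit helper (assumed name): the Page 6 question from the defender's side.
    Addresses NOT on the organisation's own domain that sit next to a phone number
    on the page are the 'private address beside a work number' leaks to remove."""
    return sorted({email for _, email in implied_links(text)
                   if not email.endswith("@" + org_domain)})
```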

Page 19: No more secrets Marty

Use it to your advantage!

- Entering your details in (digital) forms
  ○ 44B vs 44b vs 4 4 b vs 44 B
  ○ 0834486996 vs 083 448 6996 vs 08344869961
  ○ Roeloftemmingh vs roelof.temmingh
  ○ Catch all [email protected]
- For non-digital forms
  ○ Write like your doctor

Page 20: No more secrets Marty
Page 21: No more secrets Marty

Preventing data mining

Infrastructure / networks:

- Use a generic address to register domains, or use domain registration services
- Keep your fwd DNS zone as generic as possible
- Make sure you control zone transfers!
- Keep your rev DNS zone as clean as possible
- Keep as much as possible away from your real network
  - NS/MX/www

Page 22: No more secrets Marty

Preventing data mining

- Photos
  ○ Reverse image search is possible (TinEye) so don’t share photos
  ○ Getting tagged on other people’s photos!
  ○ Don’t geo tag photos
  ○ Beware of identifiable objects (car, bike, house, office, logos) in photos
  ○ EXIF info on photos
- Email addresses
  ○ May not be used outside organization - policy
  ○ Don’t use firstname.lastname when registering (I.M. too)
  ○ Make sure your mail server does not allow verifying (!VRFY!)
  ○ Keep your email address off PGP key rings

Page 23: No more secrets Marty

Preventing data mining

- Websites/blogs
  ○ Links to your site, links from your site
  ○ No staff lists, internal phone lists, email lists
  ○ Use generic email addresses for things like sales/info
    ○ Also consider generic addresses for domain registration
  ○ Keep XLS, DOCs away from the site (duh)
    ○ All in PDF. Clean meta information!
  ○ Robots.txt / sitemap.xls (?)
  ○ Javascript phone numbers and email addresses, or make them images

Page 24: No more secrets Marty

Preventing data mining

- Phone numbers
  ○ Use a generic number for the office, never direct lines
  ○ Don’t answer your phone with your name
  ○ Listing of company phone numbers on public sites (ads)
  ○ Javascript or image phone numbers where possible
- Common sense
  ○ Friends and family are your weakest link
  ○ Never mention your DOB online / star sign
  ○ Bios, interviews and videos – ‘Jane said...’ Everything ends up on the ‘net.
  ○ Be careful with whom you leave your CV
  ○ Don’t use unique aliases
  ○ Guest books and blog comments
  ○ Do them a favor and name your children ‘Bob’ and ‘Mary’

Page 25: No more secrets Marty

Detecting data mining

Infrastructure

- Monitor your DNS servers for signs of brute force / zone transfers
- Check your web server logs for mirroring & look at User Agents
- Inspect the referrers in your web server logs for referrals from search engines... and the search term.
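An added example, not from the talk: Python over a few constructed Apache combined-format log lines that performs the web-log checks from this slide in code (search-engine referrers and the search term they carry, mirroring-tool User-Agents, and a per-minute rate check for tools that do not announce themselves). The tool-name and search-engine host lists are my assumptions and not exhaustive.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs
# Constructed Apache combined-format lines (not from the talk or any real server).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2010:10:00:01 +0200] "GET /staff.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=example+corp+staff+phone" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Mar/2010:10:00:02 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Wget/1.12 (linux-gnu)"
198.51.100.7 - - [10/Mar/2010:10:00:02 +0200] "GET /about.html HTTP/1.1" 200 3000 "-" "Wget/1.12 (linux-gnu)"
198.51.100.7 - - [10/Mar/2010:10:00:03 +0200] "GET /contact.html HTTP/1.1" 200 1500 "-" "Wget/1.12 (linux-gnu)"
192.0.2.44 - - [10/Mar/2010:10:05:10 +0200] "GET /news.html HTTP/1.1" 200 900 "http://www.bing.com/search?q=%22jane+doe%22+example+corp" "Mozilla/5.0 (Macintosh)"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
MIRROR_UA = ("wget", "httrack", "curl", "python-urllib", "libwww-perl")  # assumed, not exhaustive
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")                             # likewise

def parse_log(text):
    """Parse combined-format lines into dicts; non-matching lines are skipped."""
    matches = (LOG_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def search_terms(entries):
    """(client ip, engine host, query) for hits whose Referer is a search results
    page: Page 25's 'referral from search engines ... and the search term'."""
    found = []
    for e in entries:
        u = urlparse(e["ref"])
        if any(h in u.netloc for h in SEARCH_HOSTS):
            q = parse_qs(u.query).get("q") or parse_qs(u.query).get("p")  # p: older Yahoo
            if q:
                found.append((e["ip"], u.netloc, q[0]))
    return found

def mirroring_clients(entries, min_hits=3):
    """IPs presenting a known mirroring User-Agent that fetched at least min_hits pages."""
    hits = Counter(e["ip"] for e in entries
                   if any(t in e["ua"].lower() for t in MIRROR_UA))
    return sorted(ip for ip, n in hits.items() if n >= min_hits)

def burst_clients(entries, per_minute=3):
    """IPs with per_minute+ hits inside one clock minute, whatever the User-Agent says
    (a mirroring tool can claim to be a browser, so do not trust the UA alone)."""
    per_min = Counter((e["ip"], e["ts"][:17]) for e in entries)  # "10/Mar/2010:10:00"
    return sorted({ip for (ip, _), n in per_min.items() if n >= per_minute})
```

On a real server the same functions run over the lines of the access log; the one-minute bucket and the thresholds are deliberately low here so the constructed sample trips them.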

Page 26: No more secrets Marty

Detecting data mining

Personal

- How do I know if someone has a Google alert on me?
- Setting up fake blogs, social network profiles
  ○ With CAPTCHAs and email alerts
  ○ Cannot make the jump too obvious
  ○ Perfect place for counter intelligence
    ○ Referrer
    ○ IP address
    ○ User Agent
    ○ Browser exploits?
- Analytics on websites, blogs
- Listing ‘red’ phone numbers on 2nd jumps.

Page 27: No more secrets Marty

Think outside the box

- How do I know when people Google for something?
  ○ I run a super secret project called Sookah. I don't ever want people to know about it.
  ○ When someone searches for the word Sookah I want to know it leaked out somehow
  ○ I don't want them to find out that I know
- I register an Adword... isn't Google wonderful?

Page 28: No more secrets Marty
Page 29: No more secrets Marty
Page 30: No more secrets Marty

Trick question

Which is better:
- No Internet profile at all / closed profile
- Open, full blown Internet profile?

None / closed == open for impersonation
Open / full == open for stalking

- Impersonation
  ○ Competing with real person
  ○ Complete new, fake
    ○ Easy, ask Robin Sage

Page 31: No more secrets Marty

The Curious case of Eugene

Eugene Gregoria

Location: Singapore
Industry: Telecommunications
Employer: Pacnet (formerly Asia Netcom)

Last Facebook status: On basketball: 'I liked the choreography, but I didn't care for the costumes.' ~Tommy Tune, on why he never considered playing basketball

Last 2 Tweets: German school reports 30 cases of A/H1N1 flu [link] I saw this nice web site on poker called "Bill's Poker Blog" [link]

Blog: I like watching western movies. We watched 'Giant' directed by George Stevens. I really enjoyed it. I found this really interesting: It was the highest grossing film in Warner Bros. history until the release of Superman (1978).

Page 32: No more secrets Marty

WYSIWYG? Not always...

Investigator /target will follow the crumbs…

…but nothing is real on the Internet

(Eugene is made up from many different people, algorithms, headlines and snippets from the Internet)

Page 33: No more secrets Marty

2 of 2: fakes

Page 34: No more secrets Marty

Mandatory ‘Profound’ quote

“If we assume that only a small percentage of the Internet consists of unique information then creating acceptable content and human-like behavior becomes no more than a complex copy and paste process.

If we acknowledge the existence of a single fake identity on the Internet an entire automated community should soon be within our reach.”

Page 35: No more secrets Marty

How to make friends and...

- So what’s the big deal?
  ○ Manipulate ratings of anything
  ○ Sway public opinion
  ○ Influence political polls
  ○ Alter stock prices – directly or indirectly
  ○ Perform social denial of service
- Keep in mind that people are flock animals – you just need to be the initial catalyst and get critical mass

Page 36: No more secrets Marty

Thus in conclusion

- The gap between the real world and the online world is closing every minute...
- ...So is the gap between your online profile and your actual life
- Information itself is a vulnerability
  ○ Network -> OS -> Application -> Information -> People
- It feels like the 90s again!
- Think of the children...

Page 37: No more secrets Marty

Questions?

Eric (the iPhone guy) has threatened me already, so let’s grab a beer / coffee..