How GDPR affects OSINT

The introduction of GDPR was a shock to many. While there are limitations, it doesn’t prohibit OSINT work completely. Find out what you can or cannot do when conducting investigations.

activity-board-game-connection-613508.jpg

In almost all OSINT activities, we process (e.g. collect, store, analyse, reproduce) personal data including names, addresses, user names, phone numbers, IP addresses and much more. However, the new data protection legislation introduced in the European Union in May 2018, the General Data Protection Regulation (GDPR), restricts the processing of personal data. Therefore, OSINT researchers need to have good understanding of how the GDPR applies to their situations, if only to stay on the legal side with their work.

In this blog post, we will discuss GDPR basics for OSINT researchers. We will not look at the exceptions. Processing personal data for household use or for journalistic purposes are for the most part exempted under the GDPR. Of course, the devil is in the details with respect to when these exemptions actually apply and this blog post will not go into those cases. Also, we will not look at OSINT for law enforcement use, as that has a different legal framework for dealing with personal data.

Hence, we will aim at OSINT in a commercial setting, where the researcher is dealing with matters such as background investigations, third party assessments and pre-employment screenings. Furthermore, this article will only discuss those GDPR aspects which are most relevant for OSINT work as we see it now. The GDPR is an extensive regulation with numerous aspects, which we cannot fully discuss in a single blog post.

Also please keep in mind: We are not lawyers and the implementation of the GDPR can differ between EU countries in numerous details. If you are reading this to seek legal advice, you should consult your friendly lawyer instead.

Summarising the GDPR, the aspects relevant for OSINT work are:

  1. You need a legal basis for processing personal data;
  2. You need to apply certain principles in the processing of personal data;
  3. The data subject of whom you process personal data has specific rights you need to understand, anticipate and honour.
  4. Understand if you are the data controller or the data processor.

Legal basis

Data protection regulation was never meant to render the processing of personal data impossible. Instead it is meant to balance the need for data exchange in our society on the one hand, and the fundamental right of privacy for citizens on the other. It is  therefore important to note that privacy is not an absolute right. The GDPR balances this right with other rights by restricting the processing of personal data to instances where there is a legal ground (Article 6). It lists six different grounds, of which three are potentially relevant for OSINT work: consent (Article 6a), legal obligation (Article 6c) and legitimate interest (Article 6f). We will discuss these three in detail.

Article 7 of the GDPR sums up the conditions for consent. Consent is tricky because the GDPR states that the data subject should have free choice when giving consent. However, for example, free choice in an employer/employee relationship does not really exist. Consent can – according to the GDPR – also be withdrawn at any time. So what happens when a data subject withdraws his or her consent halfway into an investigation? Or when it turns out afterwards, that the consent cannot be regarded as given freely?

Due to this ambiguous legal nature of consent under the GDPR, we believe that for OSINT investigations the use of consent should be avoided whenever possible. The risk that the data subject could afterwards argue that he or she had no choice than to give consent because of the consequences at risk, is simply too large. Moreover, often it is practically not possible to obtain consent especially if you, for example, are examining social media of the circles around your subject.

The second potential ground for processing personal data, that may be relevant for OSINT work, is legal obligation. This could be the case when your client has the obligation to identify their customers and the source of their funds under Anti Money Laundering (AML) regulations. Especially if you are instructed by a financial institution, this may likely be the overall legal basis for your OSINT work.

The third ground for processing personal data that may be relevant for OSINT work is a legitimate interest of your client.

What is legitimate interest? This is a tricky question, as it does not directly relate to any other law or regulation. Imagine the following scenario: A large stock-listed fashion company is in the process of hiring a new CEO. A final candidate is presented and the company puts him through a pre-employment screening. The company is known for their strong stance against animal cruelty and has supported many awareness campaigns in this regard. It has become their corporate identity. During the pre-employment screening pictures are found on social media, showing the CEO-candidate participating in annual fox hunts. If this information would leak when the CEO is already in position, it would surely cause a major scandal, possibly decreasing the stock value of the company and causing job layoffs.

The scenario described above could be a legitimate interest, as the financial situation of the company and thus the prosperity of many employees could be affected be the actions of one person. Nonetheless, pre-employment screenings are frowned upon in certain EU-countries.

Another example can be a simple fraud investigation, where you are tasked with identifying possible assets belonging to a person suspected of fraudulent actions. Your client claims to be defrauded and would like to initiate legal action. As such, the client has a legitimate interest to instruct you identifying possible assets of the perpetrator.

In sum, as an OSINT investigator, you should always understand and document the legal basis to process personal data before conducting your research. In a commercial setting, that will most often be either be a legal obligation or a legitimate interest of your client. We advise to always properly document the legal basis, for example, by explicitly detailing the situation in an engagement letter or contract for the work. More in general, and from an ethical point of view, we believe that you should always want to understand what the purpose of your work is and the interest of the client.

Principles

Regardless the exact legal basis, Article 5 of the GDPR imposes a number of principles for the actual processing of personal data. Each of these are relevant for OSINT work and therefore we will discuss them all.

  1. Lawfulness, fairness and transparency

Lawfulness is self-explanatory: You need a legal basis to process the personal data. This should be one of the six legal bases as provided in Article 6. Furthermore, you should not hack, steal or lie to get the data and to prove this, you need to document the sources – which a professional OSINT researcher would do anyway. Not only are these actions unfair and unethical, they may as well be illegal in many cases. Fairness also relates to proportionality. Is the amount of personal data you collect on the data subject proportional to the task at hand? Transparency is touched upon in more detail in Article 14 of the GDPR (situations where the data is not collected from the data subject), we will discuss this further along.

  1. Purpose limitation

Again, pretty easy. What you collect for one purpose, shouldn’t be used for another incompatible purpose.

  1. Data minimization

You should minimise the amount of personal data to what you really need. As much as necessary, as little as possible. So when you scrape gigabytes of data, only the information relevant to your task should be retained.

  1. Accuracy

You have the obligation to make sure that data is of good quality, thus do not use outdated information or data of which you know it is incorrect. Especially when working with people search engines, you will stumble upon a lot of old or false info (false flags) on individuals. You are responsible for verifying the data where possible before further processing or reporting.

  1. Storage limitation

How long do you retain your records? The GDPR states that it should not be longer than needed. In an ongoing litigation that could be years, but often not more that general data retention obligations such as in civil or tax law should be followed. Again, this can differ per country.

  1. Integrity and confidentiality

You are responsible for keeping the personal data you process secure. The fact that you may have collected it from open sources is completely irrelevant, it shouldn’t be publically disclosed from your side. The adagio here is: If you cannot protect it, don’t collect it.

  1. Accountability

The basically means that when processing data you should not only adhere to the previous principles, you should also be able to demonstrate afterwards that you did. The GDPR has shifted the burden of proof to those processing personal data, so you need to document!

A most efficient solution to document on how you comply with the GDPR is to draft an investigation protocol in which you describe how you process personal data and how you apply these principles to your work. In any assignment or when you get questions from the Data Protection Authority (DPA), you can refer to the protocol.

Data subject rights

The third category of GDPR provisions relevant for OSINT, is the data subject rights. According to GDPR, a data subject has rights of:

  • Notification

Every data subject shouldbe notified which personal data is processed by whom, why and where. GDPR Article 13 and 14 state that no matter if collected from the subject itself or without knowledge of the data subject, they must be informed in order to be able to contest this data collection and processing. Again, this proves to be tricky, especially when conducting investigations against a certain subject.

In some cases, the notification might be disproportional in regards to effort that has to be made in order to inform the data subject.

  • Every data subject has the right of access, right to rectification, right to erasure, right to restriction

If informed, a data subject has the right of access to all data stored on him- or herself, the right to restrict further dissemination (if not necessary by law), and last but not least the right to have all data deleted. Of course, this must be weighed against the legal basis or legitimate interests upon which the investigations took place.

There is also an exemption on these rights possible under article 23 of the GDPR which states that Member States can limit the obligations and rights under the GDPR in certain instances. This has to be done by law and every Member State may have implemented this provision differently. The Netherlands have Article 41 of their national implementing law which fully integrates Article 23 GDPR.  Does your country have the same?

Of course, if you would use an exemption, you need to document the circumstances and considerations on why you think that this exemption is justified. Be careful with this and understand the local implementation of the (conditions for) exemptions before you apply them.

Are you the controller?

A final important point relevant for OSINT work is whether you are the data ‘controller’ (the one who determines the purposes and means of the processing of the personal data) or the data ‘processor’ (the one who processes personal data on behalf of a controller).

The easiest situation is where you are the data processor and you process data under responsibility of the data controller. In those instances, most of the legal obligations are  mainly the responsibility of the data controller, which usually is your client.

However, the determination on whether you are the processer depends on the level of freedom you have in choosing the purpose and methods of processing the data. If you determine the purpose, types of data and methods applied, you cannot argue that you are just the processor, as you in fact ‘control’ the data processing.

Having a data processing agreement with a client – or adding a section on data processing to your existing agreement – is an important prerequisite to be regarded as the processor. To be regarded as the processor, the agreement should clearly show that you are instructed for a specific purpose, looking at specific types of data and applying specific methods (and excluding anything else) and reporting in a specific way. Once more, consult your friendly lawyer for more details.

There is limited jurisprudence on GDPR issues and this means, that in many instances it is not exactly sure how the GDPR will be interpreted exactly. The principles should give some guidance, nonetheless, in high profile cases make sure you discuss these matters with your client and (their) inhouse legal counsel.

We have given a general overview of the most relevant aspects of the GDPR for OSINT work. However, we realise that we are not complete in that matter. The GDPR has a number of other relevant articles, for example on processing of special categories of personal data, but there are limits to what we can cover in one blog post.

So, get your copy of the GDPR today as well as a copy of the implementing law in your country, read it, seek advice, understand it and most important: Comply with it!

Ludo Block & Matthias Wilson (I just chipped in a little)/ 11.06.2019

Tracking a Hacker with OSINT

My blog has been hacked! Someone defaced the page and looking into the technical details didn’t provide any leads to the culprit. Maybe OSINT can help in this case.

1

Today’s article will look into cyber attribution and how OSINT can help identify the perpetrator of a cyberattack or other hacking exploits. Keep in mind, as long as the perpetrator does not make any mistakes it will be hard to track him down. Even if the actual person behind an attack cannot be found, hints on the hacker’s background may help narrow things down to a specific target group or origin. Let us have a closer look at the defacement shown above.

As stated, looking into technical details (IP-address, code, etc.) did not reveal anything useful. So we have to take a closer look at the tag and handle that was placed on our site. A reverse image search was conducted and did not show any results. The hacker goes by the name “drag0nw1ng١٩٨١”, this exact search-term also came up inconclusive. The Arabic numbers in the handle may be an indicator for the hacker’s cultural background. Next up, we will search for the handle in different variations, including a “standardized” one:

2

Not many results to look at here, so we can easily go through each and every page. Next to a Russian PlayStation profile named Dragonwing1981, we stumble upon some interesting results that might be related to our case.

3

Several data-breaches and leaks show an email address using the exact name. Dragonwing1981@yahoo.com was registered to a member of an internet forum called Kataib Hezbollah. This forum in Arabic language no longer exists and was used to disseminate terrorist propaganda. Since our hacker used Arabic numbers in his handle and the handle seems quite unique (based on the low amount of Google results), the email address might be linked to our guy.

The oldest mentioning of “dragonwing1981” came from another internet forum. In August 2004, the forum was hacked by someone with the email address we found before:

4

Research done by the forum members linked the perpetrator to Iraq:

5

Looks like things are coming together. There is one more approach we can try, in order to back our claims further. When using the password reset function in Yahoo, it gives you parts of the phone number (without the country code). Let us see what happens, when we try to reset Dragonwing’s password:

6

07 is the operator code used by Iraqi mobile networks and the length of the number also fits Iraqi mobile phone numbers. Luckily, Yahoo (unlike Google) displays the exact amount of digits of a phone number.

Let us review the evidence we have collected so far:

  • Use of Arabic numbers in the handle
  • Unique handle, not found often on the internet
  • Username and a related email address found in an Arabic internet forum
  • Email address used in a hack in 2004, identified as possibly originating from Iraq
  • Phone number linked to the email address possibly an Iraqi mobile phone number

Can we be sure that all these pieces of evidence are really linked to each other? Not really, but that is why we use words of estimative probability in intelligence analysis. Cyber attribution is not always about tradecraft, infrastructure or the malware/attack itself. Digging into individual actors may help shed light upon the origins of cyber-attacks and the OSINT process shown above should always be incorporated into any research effort as soon as “personal data” (e.g. tags, names, handles) is involved.

Of course, we could just send Dragonwing1981 an email and congratulate him on his defacement. However, unlike other stories on my blog, this one is completely made up and is based on a CTF-task I created for the OSINT courses I instruct. As far as I am concerned, Dragonwing1981 is innocent…

Matthias Wilson / 02.05.2019

Intelligence Collection on the Train

Sometimes I miss my SIGINT days: Listening into my target’s phone calls and getting juicy intelligence out of this. However, you don’t always need SIGINT to eavesdrop on interesting conversations.

The company that I work for offers a broad variety of security products. When it comes to securing valuable data and information, most of our customers rely on technical solutions. However, the best firewalls and security suites will not help, if information is continuously disclosed outside of hardened IT-environments by careless employees. As a former SIGINTer I was always astonished about how much information my intelligence targets would openly share over non-secure lines. Now that I left SIGINT behind, I still have the chance to eavesdrop on conversations every once in a while.

I have a one-hour commute to work each day and the time I am on the train has proven to be a valuable social engineering and OSINT training ground. Two weeks ago, I was sitting on the train when a gentleman sat down next to me and immediately started making phone calls.

1https://unsplash.com/@jcgellidon

The second phone call went to a woman named Kelly Adams. I know this because I could see her name on the screen of his phone. I could hear everything he said and since his volume was cranked up, I could also hear parts of what Kelly had said. Curious as I am, I immediately googled Kelly. Based on what I had heard, I could narrow it down to three individuals. One woman working for a large German defense company and two others in IT firms. The topic of the conversation was a pretty significant retention bonus that Kelly would receive, if she decided to stay with the company and move to Munich. It turns out the company was currently relocating its headquarters to Munich.

As soon as the gentleman ended this conversation, he started writing emails on his phone. Again in plain sight and did I mention that I am very curious? It turned out his name is Andreas Müller. Searching for the combination “Kelly Adams” and “Andreas Müller” led to the exact company. Dr. Andreas Müller was the head of the research and development department of a large German defense company and Kelly was one of the leading project managers for a specific branch. I did not need any sophisticated OSINT skills here, a simple Google query and LinkedIn search was enough. Dr. Müller then sent the details of the retention bonus to someone named Alfred, whom I assume was in HR. If I would have been working for an opposing company, I could have easily used this information to counter the offer Kelly received. But wait, it gets even better!

Next up, Dr. Müller opened spreadsheets depicting the budget of certain projects. Dr. Müller was sitting on my right and I held my phone to my right ear, simulated a conversation and managed to get a couple pictures of his screen. As of now, I had seen enough and it was time to approach him.

“Excuse me, Dr. Müller. May I ask you a question?”

You should have seen the look on his face. Surprised and shocked, as he was clearly not expecting this. I asked him if the conversations and the emails he had looked at were sensitive. I told him what I had picked up from his conversation with Kelly and showed him a picture of the spreadsheet. Still shocked, he did not really know how to react. I explained my line of work and handed him a business card. Dr. Müller can consider himself lucky, usually I charge customers for this kind of consulting and I think he learned a valuable lesson.

Remember: No matter how good your cyber security measures are, the most important aspect is minimizing human error and taking security serious at all times. I have often read that there is no patch for human stupidity. I do not agree and I am sure that Dr. Müller has been “patched” after our train ride.

I guess I never will be able to let the SIGINT side of me go. I just love eavesdropping in on people, so be careful what you say in public or on your phone, you never know if someone is  listening!

Matthias Wilson / 26.03.2019

Building a Hells Angels Database with Hunchly

Today I will teach you about Hells Angels and Hunchly and how one of these two is useful when looking into the other.

In the past year, I have worked two cases in which I stumbled upon links to Hells Angels while investigating individuals. I was surprised how much information people affiliated with this group shared publically on Facebook and other social media sites. Whether they were just supporters or full members, it became quite clear that they did not care about data privacy. Most profiles had open friend lists, some of them displaying thousands of friends. Hells Angels affiliates are not hard to find. You will likely stumble across one of the following acronyms and/or terms on their profiles: AFFA (Angels forever, forever angels), HAMC (Hells Angels Motorcycle Club), Support 81 (8 = H, 1 = A), SYL81 (Support your local Hells Angels), Eightyone.

There are a couple more, but this article is not about the Hells Angels per se. Since these individuals have so much open information on Facebook, their profiles are the perfect playground to try out Michael Bazzel’s Facebook tool on IntelTechniques.

I had just finished working on the first case and subsequently erased all the data linked to that case, when a second case soon revealed links to Hells Angels as well. If only I had saved some data from my first case. I roughly knew where I could start off, but most of this knowledge came off the top of my head and was sketchy. Before I started the second investigation, I made sure I wouldn’t make the same mistake again and decided to use Hunchly to save my findings. That way, if a third case with the same links should ever occur, I will have a great starting point. For those of you who do not know, Hunchly is a web capture tool. It automatically collects and documents every web page you visit. The best part is that it indexes everything, so you can search within the data afterwards. Using this amazing tool allowed me to create a fully searchable Hells Angels database!

First off, I created a new casefile and then let Hunchly collect Facebook friends lists of people affiliated with my target or any Hells Angels in the area my target originated from. As some of the profiles had thousands of friends, I used a little Chrome extension (Simple Auto Scroll) to automatically scroll down friends lists, so they would be captured in whole. Whenever I looked at profiles and found information that could not be automatically indexed, I would take notes in Hunchly or tag (caption) pictures. I have learned that a lot of intelligence can be obtained by closely looking at pictures on social media. In the following example, one Hells Angels member had obscured the tags on his vest. Based on the information in his profile, it became clear that he must belong to the Aarhus chapter in Denmark. I tagged this picture, meaning it would pop up if I ever searched for “Aarhus” in Hunchly.

1

I ended up tagging all pictures that included chapter names, functions, nicknames or general indications on the location. If I am interested in finding the security chiefs and weapons masters, all I have to do now is search for “Sergeant at Arms” or known abbreviations. Looking for “arms” gives me several results in Hunchly.

2

The first two are displayed because I manually tagged these pictures and added a caption. The third result is from a webpage that Hunchly captured, in which the person actually listed “SGT At Arms” as his current occupation. Hunchly also allows you to refine searches. I can narrow these results down and, for example, only search for Sergeants at Arms in a specific chapter. Searching for “arms + sacramento” only reveals one result, which I had captioned with the information I saw in the picture. As you see, the picture is actually mirrored.

3

All collected data is saved offline. Should the online profile ever change, be locked down or deleted, I still have a version to work with. By using Hunchly and remembering to tag pictures with captions and also take notes on webpages, I have created a useful database on Hells Angels Facebook profiles. From here on, it is also always possible to go to the live versions of webpages, so any updates can also be captured within the same casefile.

If you are not using Hunchly yet, I suggest you have a look at it. The use case described above is just one of many. Furthermore, if you ever come across friendship requests from people named “AFFA” or “HAMC”, you might want to think twice before accepting them. Or else you might wind up in my Hells Angels database.

Matthias Wilson / 07.03.2019

Hijacking WhatsApp without Hacking

You don’t have to be a hacker to hijack a WhatsApp account. Simple mistakes made by your target can easily give you access to WhatsApp and other messaging apps on their phones.

When I participate in meetings, I notice that some people place their phones face-up on the table. As a curious person, I always tend to glance over at their phones whenever they light up, for instance if they receive messages. Many people actually have messages displayed on the lock screens. That means they do not have to pick up their phones and unlock them to read incoming messages. Unfortunately, this also poses a serious security threat. Not only can curious people like me read these, displaying the full content of messages on your lock screen can lead to your instant messaging accounts being hijacked. No sophisticated hacking skills are required to do so!

Imagine the following scenario:

A company CEO mainly uses WhatsApp to communicate with business partners. An attacker first obtains the phone number that is linked to his WhatsApp account. People search engines, such as Pipl, are helpful to identify a target’s mobile phone number. Using an Android VM, the attacker can then setup a fully functional Android phone on his computer, including the installation of WhatsApp. WhatsApp on the VM is then registered with a burner phone. The CEO’s phone number is added to the contacts and WhatsApp will provide a profile picture, username and status. This information is saved, as the attacker will need it later when hijacking the actual account.

As an alternative, we could also use a real burner phone or a little gimmick called WhatsAllApp to obtain the aforementioned information. WhatsAllApp is a Chrome extension, that enables you to gather WhatsApp profile pictures, statuses and usernames based on any given phone number, even without adding these to your contacts.

The next step must happen quickly and this is where it starts to get criminal. Our attacker steals the CEO’s phone and instantly registers a WhatsApp account on the Android VM (or burner phone), using the CEO’s phone number. Of course, this will only work if the CEO’s phone displays incoming messages on the lock screen. The SMS verification code is then used to register WhatsApp on the burner phone or in the VM. From now on, all incoming WhatsApp messages will show up on the attacker’s WhatsApp. This works with other messaging apps as well. Of course, the attacker cannot see the chat history, but he will be able to interact with the contacts from that point on and possibly gain vital intelligence.

Using this technique could give an attacker a 1-2 day timeframe to hijack WhatsApp and other messaging apps. As soon as the CEO notices his phone is stolen, he will obviously have his phone and SIM card locked. However, how many people would actually think about giving all their contacts a heads-up that they currently are not available? Quite a challenge without a phone.

So much for the theory behind such an attack. I have noticed that my colleague’s phone displays messages on the lock screen and his wife texts him quite often. I decided to hijack his phone this morning.

While he was in a meeting across the hall, he left his phone on the desk. I used his phone number to set up a WhatsApp account on my Android VM. The SMS verification was immediately visible on his lock screen, I didn’t even have to touch his phone.

1

After entering this code, his account was mine! Of course, I used his profile picture, username and status in the hijacked account. Shortly afterwards I received the first incoming message. It was sent by his wife, asking about their lunch plans for the day (she works nearby). I texted back and suggested pizza, upon which his wife named a meeting place and time.

2

When my colleague returned from his meeting, I was happy to inform him that he would be meeting his wife at 1230 in front of the mall and that they would have pizza.

There are several lessons to be learned here:

  1. DO NOT leave your phone unattended (especially around me)!
  2. DO NOT publically disclose your WhatsApp profile information (profile pic, username, status)!
  3. DO NOT enable your phone to display messages on the lock screen!
  4. If your phone is stolen, try to inform your contacts!

And as of now I will live in fear, because I am sure my colleague will retaliate this prank soon.

Matthias Wilson / 27.02.2019

 

Why Primary Sources Matter

Hurray! German company data is now available in OpenCorporates! Does this mean I don’t have to pay for the official company register access anymore?

This morning I confronted my boss Christian with a fact that I had found on the internet yesterday evening. Although he claimed to be the director of his company, I could not find him on OpenCorporates. For those of you who do not know what this platform does: OpenCorporates is the largest open database of companies and company data in the world. The site claims to have over 160 million companies indexed. As of yesterday, they added 5 million German companies to their database. Should I believe Christian or OpenCorporates in this matter?

When I conduct due diligence and background checks, OpenCorporates is among one of the first platforms I use. As good as it is, OpenCorporates is still a secondary source and when it comes to reliable and present-day information, I rather choose to trust primary sources.

Don’t get me wrong, secondary sources such as the aforementioned or compliance tools like LexisNexis are amazing and are really helpful to get an overview of what you are dealing with, but they all have little flaws. In some cases, the data is not as up-to-date as it should be, in other cases they are lacking essential information, such as the company shareholders. The worst-case scenario is when data is falsely aggregated during the import-process, linking the wrong entities to each other. Throughout my investigations, I have stumbled upon these issues more than once when using secondary sources.

Based on yesterday’s import of the German company data into OpenCorporates, I decided to check my own employer: Corporate Trust, Business Risk & Crisis Management GmbH. This is what OpenCorporates provided:

sources

There are some flaws in this dataset, because I am sure Christain would love to see his name in here as well. After all he founded the company and has been the director of Corporate Trust ever since. This is not just a problem within OpenCorporates, I have seen similar issues quite often in expensive commercial compliance databases as well. As you can see, the dataset is also missing information on the company’s shareholders. Even when this information is contained in compliance databases, it is sometimes outdated.

These are the reasons I always try to use primary sources, such as official government company registers, whenever possible. OpenCorporates is a great starting point to tell me where to look for more detailed information, especially since it offers the possibility to search for individuals (something that many government company registers lack), but the official company registers provides the real intelligence. This is where things can get challenging. Let us have a look at the company register in Germany, our Handelsregister. It requires a formal registration, which is only available in German. No credit card payments are possible, only direct debit. For many countries, this alone may prove to be an obstacle. On the bright side, once you have access to this database, you will gain access to the original company documents, including a list of shareholders for private limited companies.

In other countries, you can only gain access to the national company registers if you are a resident of that country and in most cases against payment. Unfortunately, nothing in life is free (except the amazing British Companies House). So when it comes to obtaining all relevant and up-to-date data, a bit more is required than just the access to (free) secondary sources.

Just to be sure about Christian, I checked our company in the official German company register. Turns out he is listed as director in the Handelsregister after all.

Matthias Wilson / 06.02.2019

How I Became Ted Mosby

Remember Ted Mosby from the sitcom How I Met Your Mother? This fictional TV character inspired a pretext for social engineering in an actual investigation.

Not all investigations can be conducted solely online. Sometimes, information that is discovered on the internet has to be verified in the real world. Many of these cases then require certain social engineering skills to obtain access to otherwise restricted areas. One of the most important aspects of social engineering is the pretext used to present oneself. This is more than just a quick and simple lie, it requires the creation of a complete identity to impersonate someone that will be able to gain the trust of whoever you are using it against. A large portion of the pretexting process is actually OSINT: Gathering the relevant information in order to appear credible.

A while back, I was working on a case in which I had to verify the location of a certain company and try to figure out if the company actually did business there or if this address was just used as a mailbox. Google Street View was not helpful, as in most cases in Germany, and a quick walk-by revealed the address was a large gated town villa. No information on the target company was visible on mailboxes at the gate. To be completely sure, I had to gain inside access and in this particular case, my customer asked for conclusive evidence of my findings. The challenge was finding a way inside that would enable me to snoop around and even take pictures. Further research revealed that the town villa also accommodated a law firm, an advertising firm and an investment management company. I initially thought of posing as a parcel courier to gain entrance and then use a hidden camera to document what I found. However, this pretext came with lots of downsides. I would require a uniform, have to deliver a fake parcel (which would surely strike attention as soon they opened it) and using hidden cameras has always proven tricky in the past when trying to get quality images.

I did a little more OSINT research and found out the estate itself was designed and built by a famous German architect. It was one of his early works. At the time, I was just watching some old episodes of How I Met Your Mother. In one of the episodes, the main character Ted Mosby was giving an architecture lecture as a professor, boring his students with architectural facts. That gave me the idea to pose as a young architecture professor preparing a course on the style of architecture the town villa was built in. Of course, I would also need pictures of the house to point out certain style elements of the villa. With this idea in mind, I spent the next couple hours doing research and preparing my pretext. I learned quite a bit about the German historicism architecture of the 19th century and of course about the famous architect himself.

villa

The next morning I approached my target. Rather than ringing a doorbell and trying to gain access through the intercom, I choose to linger around the house and initially take pictures from the outside during a period in which I assumed people would be entering the estate to commence work. I planned to approach the first person I saw, tell them my cover story and hope to gain full access to the estate without raising suspicion. After all, I was just there to take a couple of pictures of the building itself. At this point, luck was on my side. The first person I encountered turned out to be the owner of the villa, who was in fact a direct descendant of the famous German architect that had built the place. This gentleman was so excited that a young professor wanted to use his estate as an example in class, that he happily invited me inside and allowed me to take as many pictures as I wanted. I received a complete tour, inside and out. I was able to take pictures of mailboxes inside the villa, have a peak into the office spaces and he told me about the current tenants, as well as answering my questions.  During this phase, I used all the architectural terminology I had learned to keep my cover upright.

In the end, I did not find any direct trace of the company I was looking for, nor was any office space for rent or any tenant moving out. However, I did see and take pictures of the internal mailbox belonging to the investment management company. This mailbox listed around 15 additional company names. Subsequent research linked one of those companies to the CEO of my actual target company and this proved to be a starting point for a whole network of letterbox companies.

That is the story of how I became Theodore Evelyn ‘Ted’ Mosby for a day and of course I did not use that name for my character. When I was a child, I remember my grandmother complaining about how harmful TV was and that what I watched was useless in real life. This one time, I guess I proved her wrong.

(By the way: No need in geolocating the villa in picture, it’s not the one from the actual case. However, it does look very similar)

Matthias Wilson / 09.01.2019

Image: CC BY 2.0 @HaPe_Gera (image cropped)