Lightning Talk – Be careful what you OSINT with

My lightning talk from this year’s BSides København on the potential dangers of using unvetted software in OSINT investigations.

How many of us actually vet the software we use? Do we always know who’s behind the software? Can we be sure that there aren’t any back doors implemented? A while back some friends and I had a deeper look at an upcoming OSINT tool. It turns out the software wasn’t from the company and country it claimed to be, and direct links to one of Russians largest surveillance companies (and maybe even the FSB) were found. I’ll take you along the process of this investigation and show how traffic analysis, reverse engineering, OSINT and a little HUMINT shed light on this case. The original blog post can be found here.

Social Media around the World

When most people speak of social media, the have the ‘Big 3’ in mind: Facebook, Instagram & Twitter. But social media is so much more than just these three platforms, especially when it comes to OSINT on intelligence targets that don’t speak English.

In OSINT investigations we often end up scavenging social media to find information on our intelligence targets. Who are they connected to? Where have they been? What are their interests? These and many more questions can be answered by having a look a person’s profile. However, social media is constantly evolving and platforms that were relevant yesterday may not be relevant tomorrow. When I ask my daughter about Facebook, she says: “Facebook is for old people”. Thus, she does not have an account there. You would most likely find her dancing in TikTok videos, as with many other Generation Z youths. So age clearly defines which social media platforms are used. Another defining factor is the cultural background someone has. Maybe Facebook was never that big in that person’s country. The following graphic shows the evolution of social media worldwide and how Facebook became the most used platform. However, in some countries other platforms still have the upper hand and not all ‘legacy’ platforms overtaken by Facebook have been shut down. In this article I would like to give a brief overview of some of the lesser known platforms that may be useful for OSINT investigations.

VKontakte & Odnoklassniki

If your intelligence target is from a Russian-speaking country or has a Russian cultural background (or is a right-wing idiot that thinks he is being censored on Facebook), chances are high you might find this person on one of the Russian Facebook clones. The platforms VKontake (‘in contact’) and Odnoklassniki (‘classmates’) are very similar to Facebook when it comes to the functionality offered and the basic OSINT research techniques that can be applied here.

Above you can see a VKontakte profile. A profile picture, some more detailed information including a birthdate and current residence city, a friend list as well as posts and pictures. Pretty much what you can find on an average Facebook profile. As with other social media platforms, a user can choose to alter the privacy settings to hide information, so some profiles may not have an open friend list or may not share all posts with the overall public. An interesting feature on VKontakte is in the top right of the image: information when the profile was last active. In OSINT this is really helpful to figure out if a user is still active on the platform, even if no current content is posted. In many cases this last activity will lead back to the use of VKontakte as a messenger. People might not post content anymore, but will stay В Контакте (in contact) with others through this platform. The search functionality of VKontake is in some ways superior to what we now have on Facebook. At the top of the page is a search box. Filling in a search term here will enable us to browse through different categories of results and narrow these down by adding additional filters.

As you can see, you can filter people by age range, birth date information and even their views on smoking an alcohol. Posts can be sorted by the number of likes or the mentioning of specific links. All in all, there are some pretty neat filters in here.

Odnoklassniki is very similar, having friend lists, a date of birth on most profiles and information when the user was last active. The good thing with both VKontakte and Odnoklassniki, is that they accept multiple language settings, so you can use the platform in English and also a couple of other languages. If you search for names in Latin script, it will also show you corresponding results in Cyrillic script.

The last activity is right underneath the profile name and the searches in Odnoklassniki offer filters just like in VKontakte. They even allow users to add holiday destinations, which are also a filter criteria.

As I mentioned, this article is just a quick overview of some foreign social media platforms. There lots of other cool OSINT techniques that can help research here, including third-party sites to search by profile pics or sites that help with geo-referenced searches. But let’s leave that for future blog posts. Another example I want to show is very popular in the Persian-speaking community.

Facenama

Facenama is a big social media platform mainly used in Iran. At quick glance on SimilarWeb shows that this site is also accessed from other countries, as there are Iranian communities throughout the world.

Facenama looks very much like Facebook. Even the coloring scheme is identical (to the old Facebook UI).

Unfortunately, there is no way to change the language settings, but luckily the Google translate browser extension works quite well here.

The search bar in the top right of the page will enable you to search for user profiles. Just remember that the default language is Farsi, so most profiles will be in Arabic script (including profile names) and typing will occur from right to left.

The profiles will have the same type of information we have seen in the Russian sites: date of birth, friends, posts and much more (if these aren’t hidden due to privacy settings). Remember that dates will be shown in Persian, so you’ll probably have to use a calendar converter to make sense of these dates.

I could go on for hours listing and showing social media platforms: Gab for right wing nut jobs, Stayfriends for old German people, NK for Polish people and don’t even get me started on Chinese social media. The bottom line is, that there is more out there than just the ‘Big 3’ (Facebook, Instagram, Twitter). Before you start investigating someone, you should figure out where you might find these people online. Their age, culture, language, country of origin and personal taste will affect their choice of which web platforms they use and these might not always be in English. So, in the ongoing discussion of what I would like to get better at in OSINT, I didn’t choose to learn programming languages such as Python to automate tasks. I’d rather get a better grasp of languages (Arabic, Farsi, Russian, etc.) in general and master tools that help translate to help bolster by research efforts.

Matthias Wilson / 04.10.2020

The Impact of OSINT on Christmas

Proper intelligence is vital to prepare military and law enforcement operations or to provide information to political and business leadership prior to decision making. However, these are not the only people relying on good intelligence to get the job done. I had the honor of interviewing a very special person on his views of intelligence and how his organization utilizes it for one of the most challenging tasks known to mankind.

Sir, it is such an honor to have you here. Tell us a little about yourself. What exactly is your job and how does it involve intelligence work?

I go by many names, but please just call me Santa. I am in charge of a large organization tasked with bringing joy and fun to children worldwide on Christmas Eve. While I’m pretty sure you all know what I do during the Christmas night, not many people know what happens prior to this.

My organization and I have roughly 24 hours to deliver presents to children who deserve them. In order to accomplish this, a lot of planning is necessary and this planning is based on the information I receive from an intelligence agency within my organization. In Santa’s Secret Service, or S3, we mainly conduct GEOINT along with OSINT to make sure everything runs smooth on that one special night. Oh, and don’t confuse us with the Amazon web service.

Santa, while most of my readers are acquainted with terms such as GEOINT and OSINT, could you please explain what they are and possibly provide a use case from your organization.

Sure. I only have a limited timeframe to make sure I deliver everything to the right address. The route I take has to be carefully planned. The number of children on this world is steadily growing, more deliveries leave less room for mistkes. Even though my sleigh travels at an incredible speed…

How fast and how does that work?

I’m afraid that is classified. In order to properly plan the route, I rely on precise satellite imagery and maps. Imagery and maps from search engine providers are not up to date and commercial satellite imagery is not detailed enough. Keep in mind, my team has to figure out the best way into a chimney. We need a resolution of less than 0.3m to do so. Before Christmas, my sleigh is outfitted with an ultra high resolution imaging system and flies several sorties. While the actual collection of the imagery does not take that long, creating maps and the final route based on this is a bit more time-consuming. The whole process I just described is referred to as geospatial intelligence, or GEOINT.

Wow, that alone is probably a large amount of data collected each year. How do you process such massive amounts of data?

We have our own server infrastructure at S3. Located in vicinity of the North Pole, our energy consumption is lower than usual, because we have a natural cooling system.

 What happens after you have mapped the world?

I forgot to mention one thing. In order to plan the route, we need to know who will receive a delivery. Luckily, I have information on the address of each child from a classified source. But, does this child even deserve anything? We have to figure out who was naughty and nice. A lot of this is done through open source intelligence, or OSINT.

While we could use classic signals intelligence (SIGINT) to tap into communications and try to answer the question who is naughty or nice, we have found that OSINT provides the best “bang for the buck”. S3 has a very large team of OSINTers, who mainly monitor social media activities.

What exactly is your team looking into?

My OSINTers start off looking into profiles of the children, but not only to see how they behave. Depending on the region they live in, the platforms they use will differ. From Ask.fm to Weibo, there are many differnt sources to look at. We have seen TikTok blow up over the past months, but we also still obtain a lot of information from “older” platforms such as Facebook and Pinterest. These platforms also provide leads on the interests of our targeted subjects, which enables my organization to match them with the perfect present. We not only look at the children, but also monitor profiles of their family and friends, since relevant information is hidden here as well. As you can see, this is all a very deep intrusion into personal privacy. Therefore, we have very strict rules on how to handle this data, a massive auditing and compliance system and constant trainings for my team. If you thought GDPR was challenging, you wouldn’t want to know how much effort we put into protecting the privacy of our subjects!

Many children nowadays are active in closed communications, such as messengers, or they have restricted public access to their acounts by changing their privacy settings. How do you cope with this?

There are two different approaches we can take here. The first one is what you would call virtual HUMINT, or VUMINT. We try to place someone within a closed chat group using a false persona. For example, a group of friends has a WhatsApp channel with 20 participants. Using OSINT, we create a sock puppet credible enough to be invited into this group. In cases in which this works, we then can then instantly monitor 20 people. Of course, such actions are subject to much stricter rules and regulations that normal OSINT and are not performed often.

The second approach would be a classic computer network operation, or “hacking” an account. This is very rarely done and the methods and techniques are highly classified.

What about children who don’t have access to modern communications?

In this case, we rely on classic human intelligence, or HUMINT. Throughout the world, we have a network of sources directly providing us information. A lot of this is hearsay, so we try to confirm information with other sources before processing it. This actually also applies to data won through OSINT.

However, I would like to point out that at the end of the day we will never gather everything on everyone. Have you ever wondered why a spoiled and misbehaved child you knew received a nice present anyway? No matter how much effort we put into intelligence collection, there will always be a delta between what information is out there and which information we have obtained. I think that is the nature of intelligence work in general.

Circling back to OSINT, how does S3 ensure that they are up to date on new tools and techniques?

We do OSINT to enable OSINT. Of course, we follow #OSINT on Twitter and we also have someone monitoring osint.team as well as various blogs such as osintcurio.us and your blog.

Wow, I’m honored to have made it on S3’s reading list. I know you are quite busy, so we can wrap it up here. Is there anything else you would like to add?

Merry Christmas, happy OSINTing and I wish you all the best in 2020!

cropped-desktop-2.png

Matthias Wilson / 22.12.2019