FBStalker/OSINTstalker DIY-NSA tool (and John Young on telepathy, understanding human nature)

First of all… my analysis yesterday was incorrect.

The overarching principle behind the sentence is not just responsibility, but also a sort of enhanced mirroring. (Responsibility-oriented persuasion frequently appears in concert with this stuff, but you can make a good argument it’s a separate thing.)

You know how executive coaches and self help gurus tell you to mirror people’s body language when negotiating? Well, apart from being really fun to catch people following this advice… it does have a point.

A number of items in that “persuasion sentence,” from encouraging dreams to throwing rocks at common enemies, cement the persuader as someone “going your way.”

There’s also the point that all of the listed items define a very supportive person, even if not helpfully so.

Anyway, the upshot is when evaluating people using these principles, it’s too broad to look for the principles alone. Watch for a “hook point” — to go back to the body language mirroring mentioned earlier, at some point the mirror-er will try and start *LEADING* with their body language. Crossing their arms and seeing if you follow, etc.

That’s when the exercise changes from simply appearing as “someone like you” to active persuasion.

No, I don’t mean to discourage you from forming a rapport or trying to understand others… but you don’t need to mirror body language or confirm their suspicions to do it. On a list a while back, I recommended the following as an exercise to better empathize with people:

Next time you’re walking through a crowd, try putting yourself “in the head” of random people in quick succession. Try and see what they see, feel what they feel. Your subconscious will go off their body language and expression, and in the process you’ll learn a lot about other people. And — if you were otherwise, usually due to technical distraction — start seeing them more as fellow humans.

(There is one potential hazard. I tried this on a crowded subway once, and all of a sudden this bald-headed dude shoots me the kind of look that would kill small animals. Given that he was flanked by two burly heavy-metal types, and that the three of them were dressed for a gothic mobster convention, I was glad when they got off before I did. To this day I’m not sure whether I’d let something creep into my face, or what.)

Right then…

Since the NSA still hasn’t fixed their “internal error” — they said it would be fixed “Friday night,” but nooope — the red-white-and-blue-blooded American citizens among you have a problem. How to ensure a proper level of metadata collection on your fellow countrymen, friends, and enemies alike?

Take matters into your own hands and put the power of private enterprise to work, naturally!

Let me introduce you to the OSINTstalker suite. It’s like your very own PRISM! At last, you can map out who’s talking to whom, what they do, and experience the power of metadata analysis using a convenient plugin built right in to your NSA-approved Google Chrome browser!

Just add apple pie.*

Well, OK, there is one downside. It only works on data that people have voluntarily shared. “Fortunately,” that’s pretty much everything these days. By interfacing with Facebook’s DIY-NSA Graph Search, privacy settings are almost history… the tool slices through pesky “privacy” wishes by looking at that which IS public (friends’ open profiles, photo tags, comments) to reconstruct things the target has hidden, like their friends list.
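As an added illustration of that reconstruction step (this is not FBStalker’s code, and the data is constructed for the example): the target’s own friends list is private, but friendship on Facebook is symmetric, so any friend with an open friends list that names the target gives the friendship away outright. Public photo co-tags and comment traffic are a weaker, score-based second signal. The user names, weights and threshold below are assumptions.

```python
"""Reconstruct a target's hidden friends list from public signals.

Constructed sample data and a hypothetical scoring scheme; this is an
added example, not FBStalker's own code.
"""
from collections import defaultdict

TARGET = "alice"  # constructed target whose own friends list is private

# Constructed sample: users whose friends lists are public.
PUBLIC_FRIEND_LISTS = {
    "bob": {"alice", "carol", "dave"},
    "carol": {"bob", "erin"},
    "frank": {"alice", "grace"},
}

# Constructed sample: sets of users tagged together in public photos.
PHOTO_TAGS = [
    {"alice", "bob", "dave"},
    {"alice", "dave"},
    {"alice", "erin", "dave"},
    {"bob", "carol"},
    {"alice", "heidi"},
]

# Constructed sample: (commenter, post_owner) pairs from public posts.
COMMENTS = [
    ("dave", "alice"), ("alice", "dave"), ("erin", "alice"),
    ("heidi", "alice"), ("grace", "frank"), ("alice", "heidi"),
]


def confirmed_friends(target, public_lists):
    """Friendship is symmetric: if X's public list names target, X is a friend."""
    return {user for user, friends in public_lists.items() if target in friends}


def interaction_scores(target, photo_tags, comments, w_photo=2, w_comment=1):
    """Score other users by public interaction with the target.

    Co-tagging in a photo counts w_photo per photo; a comment in either
    direction counts w_comment. Weights are assumptions for the example.
    """
    scores = defaultdict(int)
    for tags in photo_tags:
        if target in tags:
            for user in tags:
                if user != target:
                    scores[user] += w_photo
    for commenter, owner in comments:
        if commenter == target and owner != target:
            scores[owner] += w_comment
        elif owner == target and commenter != target:
            scores[commenter] += w_comment
    return dict(scores)


def reconstruct_friends(target, public_lists, photo_tags, comments, threshold=3):
    """Return certain friends, likely friends, and the full ranked score list.

    'confirmed' is exact (symmetry); 'inferred' is probabilistic and the
    threshold is something an analyst would tune by hand.
    """
    confirmed = confirmed_friends(target, public_lists)
    scores = interaction_scores(target, photo_tags, comments)
    inferred = {u for u, s in scores.items() if s >= threshold and u not in confirmed}
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return {"confirmed": confirmed, "inferred": inferred, "ranked": ranked}


if __name__ == "__main__":
    result = reconstruct_friends(TARGET, PUBLIC_FRIEND_LISTS, PHOTO_TAGS, COMMENTS)
    print("confirmed:", sorted(result["confirmed"]))
    print("inferred: ", sorted(result["inferred"]))
    print("ranked:   ", result["ranked"])
```

The point of separating the two outputs is that the “confirmed” set needs no judgement at all, while the score-based set is where an analyst (or a target checking their own exposure) has to decide how much co-tagging with a colleague or relative is enough to count.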

Here’s a classic use case. High-profile public figure with decent security… how do you get his passwords?

The red team goes to Facebook, finds his wife, and discovers she runs a pilates studio. While the main man may be security savvy, his wife is only too eager to click an email attachment “video” that’s ostensibly from a job applicant demoing pilates.

And… the red team is only too happy to find the wife uses a hand-me-down laptop from her husband. A hand-me-down with the husband’s passwords in its Apple keychain.

Mission complete.

The software authors have noted a similar principle is broadly applicable: though a particular target may be security aware, the people around them often over-share everything on every social network known to man. If I remember correctly, something similar was true for Brazilian then-candidate Rousseff as she fell under Fort Meade’s microscope — she herself was careful with technology, but the people around her weren’t.

* Oh, by the way most of Europe is playing NSA now too. I guess even if the NSA goes down there’s still international redundancy watching out for the terrists. http://www.itworld.com/government/380167/eu-parliament-says-other-countries-spy-not-much-uk-or-us

And before anyone sends me an xkcd link — yes, I know, it’s a poster, etc. But this is just too good.

John Young on telepathy. Scroll down, it’s the second part. A really good piece.

I wonder if he has studied the more obscure leaked materials from Scientology — “Buckwhupistan” — or managed to finagle quasi-official access while doing architectural work. http://cryptome.org/2013/10/nsa-love-math.htm

I guess Iron Sky said it best… “who DIDN’T arm their spaceships?” (https://www.youtube.com/watch?v=uimh2EBB1yQ)

Speaking of Nazis… if you’re interested in understanding human nature, the following Reddit thread is fascinating:

One of the founders of the US skinhead movement even shared the draft of his book: https://app.box.com/romanticviolence

My notes while reading it–

Hate – correlation to stupidity? Building up barriers in the mind that keep thoughts from sloshing around naturally?

Note lure of power, but ideology is about blaming others — actually giving them the power.

Candy Jones (cf. Bain, “The Control of Candy Jones”) was taught to hate in order to make her more manipulable.


“We found out through Facebook who his wife was,” said Jonathan Werrett, a managing consultant for Trustwave’s SpiderLabs in Hong Kong. “We found out through her likes — her public likes — that she ran a pilates studio. We could then send a phishing email to her based around the fact that she ran a pilates studio that was hiring.”

The man’s wife opened an email with a video demonstration of the bogus job candidate conducting a class. The malicious attachment infected her computer with malware, which gave Trustwave’s analysts access, known as a spear-phishing attack.

The computer she was using was a hand-me-down from her husband. The passwords he wished to protect were in the Apple computer’s keychain, so the hacking exercise “turned out to be a lot easier than we otherwise expected,” Werrett said.

Mining small details from Facebook has become even easier with Graph Search, the site’s new search engine that returns personalized results from natural-language queries. Graph Search granularly mines Facebook’s vast user data: where people have visited, what they like and if they share those same preferences with their friends.[…]

For penetration testers as well as bad guy hackers, Facebook is invaluable for spear-phishing attacks. But Werrett and his colleague, SpiderLabs security analyst Keith Lee in Singapore, wanted an automated way to quickly amass information using Graph Search.

So Lee wrote “FBStalker,” a Python script he and Werrett debuted Thursday at the Hack in the Box security conference in Kuala Lumpur. In its current form, FBStalker runs in the Chrome browser on OS X, entering queries into Facebook’s Graph Search and pulling data. They used FBStalker in the attack against the man in Hong Kong.

Even if a person’s profile is locked down to strangers, their friends’ open profiles can be examined, giving an indication, for example, who the person may be close with. FBStalker uses Graph Search to find photos in which two people are tagged in, comments on profiles and more.

An analyst could do that by manually using Graph Search, but it would require going through hundreds of pages of comments, Timelines and photos, Werrett said.

“It’s basically not feasible for a human to go to the depths that FBStalker script does,” he said.[…]

FBStalker showed places where Sullivan had been and inferred who some of his friends are based on pages he had liked and commented on. Some of the information collected by FBStalker is plainly visible on Sullivan’s page, but his friends list is not visible to outsiders.

Werrett and Lee also introduced at the conference “OSINTstalker,” another Python script that Lee wrote which can be used for remote site reconnaissance as part of physical security tests.

GeoStalker takes an address or a set of coordinates and searches for any data geotagged with the same values, such as photos from Instagram or Flickr, messages on Twitter, FourSquare data and even wireless networks indexed by the Wigle database. It also pulls usernames for social networking accounts linked to the location.

When TrustWave is doing a Red Team test “it gives us a whole bunch of stuff that is quite useful,” to mount an attack, Werrett said.

“No one is going to turn back the tide of people posting things to Facebook that potentially could be valuable in somebody else’s hands,” Werrett said. “If you want to walk away with a lesson, the lesson is that even if you’re protecting yourself, what other people are doing with your information, your friendships, your comments and things like that can still be leaked.”
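The location step the article describes for GeoStalker, as an added Python example (not Trustwave’s script): take a coordinate, find every geotagged record from several sources within a radius, and summarize the user names and wireless networks that turn up. Geocoding a street address needs a network service, so the example assumes the coordinates are already known; the records, sources, user names and SSID are constructed for the example.

```python
"""Radius search over geotagged records, in the style of a GeoStalker-type tool.

Added example with constructed data; not Trustwave's code. Assumes the
target location is already a (lat, lon) pair.
"""
import math
from collections import defaultdict

# Constructed sample records, as a geotag-aggregating tool might collect them
# from Instagram/Twitter/Flickr/Foursquare-style APIs and a Wigle-style
# wireless database. Coordinates and names are made up.
RECORDS = [
    {"source": "instagram", "user": "pilates_jane", "lat": 22.2810, "lon": 114.1590},
    {"source": "twitter", "user": "hk_runner", "lat": 22.2825, "lon": 114.1610},
    {"source": "flickr", "user": "tourist42", "lat": 22.3000, "lon": 114.1700},
    {"source": "wigle", "ssid": "Studio-Guest", "lat": 22.2812, "lon": 114.1588},
    {"source": "foursquare", "user": "coffee_sam", "lat": 22.2840, "lon": 114.1600},
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a spherical Earth (R = 6371 km)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def nearby(records, lat, lon, radius_m):
    """Return copies of records within radius_m of (lat, lon), nearest first."""
    hits = []
    for rec in records:
        d = haversine_m(lat, lon, rec["lat"], rec["lon"])
        if d <= radius_m:
            hit = dict(rec)
            hit["distance_m"] = round(d, 1)
            hits.append(hit)
    hits.sort(key=lambda h: h["distance_m"])
    return hits


def summarize(hits):
    """Group account names by source and list wireless SSIDs seen in range."""
    users = defaultdict(list)
    wifi = []
    for h in hits:
        if "user" in h:
            users[h["source"]].append(h["user"])
        if "ssid" in h:
            wifi.append(h["ssid"])
    return {"users": dict(users), "wifi": wifi}


if __name__ == "__main__":
    # Constructed target coordinates standing in for a geocoded address.
    target_lat, target_lon = 22.2800, 114.1600
    hits = nearby(RECORDS, target_lat, target_lon, radius_m=500)
    for h in hits:
        print(h["distance_m"], "m", h["source"], h.get("user") or h.get("ssid"))
    print(summarize(hits))
```

The radius is the analyst’s knob: consumer GPS tags are typically off by tens of metres, so a tight radius misses posts made from the building while a loose one sweeps in the whole block. Running the same search with a few radii and watching which names persist is more useful than any single cut-off.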
