SA: Maltego Learnings
In this blog, I will document my progress in learning and researching Maltego, and link what I learn with real-life applications. I aim to look at a new exploit each week until the deadline.

Week 3
Introduction
https://www.youtube.com/watch?v=sP-Pl_SRQVo&t
Maltego is an open-source intelligence (OSINT) and forensics tool. It opens up a myriad of possibilities for finding and representing information about targets, and it ships with Kali Linux. Maltego can gather a plethora of information about your target for you using web-scraping (and lots of other kinds of) data sources. Yay data mining!
The different versions of Maltego (see below) essentially just allow you to work with a different amount of data and transforms (explained later). I’ve got the free version, so won’t have access to everything.
At its basis, Maltego is essentially a graphing tool. You add nodes representing people, websites, locations etc... You can connect them and change the “view” to analyse the relationships between nodes. This is called “link-analysis”.
Think of each graph as an investigation (or part of an investigation).
Week 4
https://www.youtube.com/watch?v=zemNLx0-LRw
Transforms are the heart of Maltego. They are how we mine data.
Basically, a transform is the stalking. A transform takes one entity on the graph as input (an IP address, say), queries some data source, and adds the related entities it finds to the graph. You can put in an IP address and click on the transform that finds all sites hosted on that IP address. Maltego has many (paid and unpaid) transforms that allow one to gather in seconds a plethora of information that would take days to collect manually.
Notes on Transforms
- Another way to put data in and mine it: Manage > Transform Hub. You can install new types of data and visualise them (e.g. movies...).
- Add an item and right-click on it to run a transform:
  - e.g. add "Mad Max" as a note > right-click > search for movie
  - query all results to find the top actors in them
- Bubble view does graph analysis:
  - finds the most connected node
  - This would be super useful if you're trying to wreak havoc... You can find the central IP address that lots of websites are connected to...
  - https://www.youtube.com/watch?v=hPIhItC-Vr8 (15:55-17:00)
- Put a bunch of URLs in and you can find all the IP addresses etc.
Week 5
https://www.youtube.com/watch?v=VExg83LzZ1Q
- Find employees who have been involved in a data breach.
- Perform transforms (extrapolations from a website):
  1. Put the website in.
  2. Find email addresses associated with that domain.
  3. Look up those email addresses in open-source data breach databases.
This makes it so easy for attackers to find targets! You can literally pick a target company and find which employees are a weakness to that company. Where a breach dump includes them, Maltego will literally hand you the hashes of their passwords. Frightening! Most people don't know for a long time that their information has been compromised in a data breach. All the more reason to never re-use passwords.
Week 6
https://www.youtube.com/watch?v=FceN0T_a_uM
- Social engineering: you can use Maltego to find targets.
- Let's say our targets are a company's employees:
  1. Take the company's website.
  2. Transform: find the email addresses of the corresponding employees using the domain and IP address.
  3. Transform: find all social media accounts for all of those email addresses.
     a. This is a paid transform I don't have access to.
  4. Get all friends from all the social media accounts found.
  5. Change the view to see mutuals... these are good targets because they can be manipulated to manipulate the targets.
Mutual friends can be seen in the middle, connecting the subgraphs.
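Here is what those two graph operations, the bubble view's "most connected node" from Week 4 and the mutual-friend view above, look like as plain Python over a link graph. This is an added example, not code from the tutorials or from Maltego itself: the entities and links are constructed (no real people, domains or addresses), and the two functions are my own stand-ins for what Maltego computes over the graph.

```python
from collections import defaultdict

# Constructed sample data: each tuple is one link between two entities, which
# is what a run of "website -> IP address" and "person -> friend" transforms
# would leave on the graph. None of these names or addresses are real.
EDGES = [
    # site-to-IP links: three sites share one hosting address
    ("shop.example", "203.0.113.10"),
    ("blog.example", "203.0.113.10"),
    ("mail.example", "203.0.113.10"),
    ("cdn.example", "203.0.113.22"),
    # social links: employees of the target company (alice, bob, carol) and their friends
    ("alice", "dave"), ("alice", "erin"), ("alice", "frank"),
    ("bob", "erin"), ("bob", "frank"), ("bob", "grace"),
    ("carol", "frank"), ("carol", "heidi"),
]


def build_graph(edges):
    """Undirected adjacency map: node -> set of neighbouring nodes."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def most_connected(graph, top=3):
    """Bubble view in code: rank nodes by degree (number of links), highest first.
    Ties are broken alphabetically so the result is deterministic."""
    ranked = sorted(((node, len(nb)) for node, nb in graph.items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:top]


def mutual_contacts(graph, targets):
    """Nodes linked to two or more of the targets: the bridges between the
    targets' subgraphs, ranked by how many targets each one can reach."""
    counts = defaultdict(int)
    for target in targets:
        for neighbour in graph.get(target, ()):
            if neighbour not in targets:
                counts[neighbour] += 1
    shared = [(node, n) for node, n in counts.items() if n >= 2]
    return sorted(shared, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("Most connected nodes:", most_connected(g))
    print("Mutual contacts of the employees:", mutual_contacts(g, {"alice", "bob", "carol"}))
```

The shared hosting address comes out on top of the degree ranking, which is exactly the "central IP address" the bubble view highlights, and `frank` (linked to all three employees) is the best social-engineering pivot.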
This relies on some information being public (like one’s Facebook friends). Again, Maltego is brilliant for helping attackers identify good targets. Even though it’s such a technical tool, it can greatly assist preparation for social engineering attacks.
This is another great example of how privacy matters even if you have nothing to hide. You might have nothing to hide, yet by being well connected on Facebook (and thus in this graph), you become a target for manipulation.
Advertising companies could easily use this sort of analysis to work out what to advertise to who...
Week 7
https://www.youtube.com/watch?v=cjCQBYld_wM
- Combine Maltego results with Google Earth to plot the results geographically.
- Use phone record analysis to locate phone towers (NOT triangulation...).
https://www.youtube.com/watch?v=tC_mUgn5b-c
- Search people by name, company, job position, visited places, likes, education.
Similar analysis to last week, but great to see more methods of searching for people with different transforms.
Towards the end, I was unable to follow some of the tutorials myself on Maltego since they required paid transforms :’(
But still awesome to see the demos!!!
SA: Cheap Flights Using a VPN
I learned about VPNs (Virtual Private Networks) and how you can use them to benefit yourself. A VPN is basically an encrypted tunnel between your device and a VPN server; the websites you visit see the server's IP address rather than yours. You can download software to connect you to a VPN server in another country, and thus appear to be overseas in order to get different flight prices.
I downloaded ExpressVPN and experimented with flight prices myself. I found that prices fluctuated greatly and frequently.
I created this video to document the price changes for a return flight from Madrid to Sydney.
This video shows:
1. From Sydney, we find a flight for AUD$2871.
2. From Madrid, we find the same flight for €1579 ~= AUD$2521. This is $350 cheaper!
3. Trying to find the same flight from Sydney 10 minutes later, it has dropped to pretty much the same price that we saw from Madrid. Makes me wonder if the website has detected I'm using a VPN.
4. 15 minutes later, I try again from Sydney, and the cheapest flight price has dropped by over $700.
Conclusion: You can certainly find cheaper flights using foreign VPNs. Flight ticket websites are doing dodgy things.
Is it unethical to charge different countries different amounts?
We seem to have no problem with it in other places. A Big Mac in Switzerland is 1.5 times the price of a Big Mac in Australia so maybe expensive flights aren’t so bad!


Lecture Reflection: Week 8
This week, we focused on ERRORS.
For me, the main takeaway is that:
Solutions to errors must be systematic
When something goes wrong, we can blame humans, or the culture, but generally this scapegoat-blaming just masks a more fundamental flaw in the system. Rather than blaming human error or cultural error, we should look for the system error.
Complex Systems Break
It’s inevitable. So rather than focusing on making the system unbreakable (which is near impossible in a complex system), we should:
1. Identify what is most important and protect it.
2. Design the system such that if it breaks, the impact is minimal.
Case Study: Snoop
Reflection
The main topic of discussion stems from the questions:
Should governments collect data about us? Should we be able to choose what information they have?
For me, the issue always comes back to repurposing. The government might have great intentions, but the issue is that other parties may access the information, and use it for different purposes.
For example, in the Netherlands during WWII, the Dutch civil registries recorded religion alongside addresses, information collected without malicious intent. When the occupying Nazis demanded and repurposed those records, the great majority of the Dutch Jewish population was deported and murdered.
When it comes to repurposing, it’s not about if, but when.
Notes on Readings
(week 7)
Spot the Fake
Module 7: Spot the Fake
After John Mayer tickets sold out earlier this year, I tried to buy a second hand ticket. I spent over $100 on it, and the seller emailed me the ticket below.
I was super excited for the concert!

I was careful about being scammed, so paid through PayPal; you can claim money back through PayPal’s “buyer protection” system if you get scammed.
I was a bit suspicious when the seller asked me to pay through PayPal and select “Sending to a friend” rather than “Paying for an item or service”. He claimed it avoids him being charged a small percentage for the sale by PayPal, which is true. I said “I am willing to pay you that extra amount, but I’m not sending to a friend”.
He started being manipulative, saying things like “Why don’t you trust me?”, but eventually agreed that I could choose paying as an item or service. At this point, I suspected he was dodgy, but I figured “I have nothing to lose, since I have buyer protection”, so I sent the money, and he emailed me the ticket.
I took a look at the ticket to see if it looked legit. It wasn’t long before I noticed the text below the barcode: “ABC123...″. Wow.
Nice fake ticket.
I claimed the money back through PayPal, and received it in a few days.
I told this story to some friends, and asked them “Why would the attacker make the ticket so clearly fake with such an obvious code?”
One friend raised an interesting point: They want the ticket to be obviously fake, because they want to attract careless/unintelligent people. If they send a better fake to smarter people, they will end up wasting more time before the smart person realises that the ticket is fake, and claims their money back.
For example, if they email the ticket to the buyer before the buyer pays them, a careful buyer will notice it is probably fake and use buyer protection (or not buy at all), whereas a careless buyer won’t notice, and probably will send the money without buyer protection.
With their strategy, they get quick money from careless people. That makes sense! They’ve identified their target audience...
The Moral of the (true) Story
- Build your scam to target your audience; dumb scams are not dumb.
- Even simple scams require a lot of work. The attacker had a fake Facebook account, with fake likes and comments on his profile... A lot of effort to sell some fake tickets!
- You can’t really tell if a second hand ticket is real or not, because the ticket vendors won’t confirm that the ticket is real anyway (they don’t want you buying second hand tickets, so they don’t want to hear from you...). So if you’re going to buy a second hand ticket, you need a reason to trust the seller.
Identifying Block Modes
Background info: Block Modes
Module 7: determine which block mode is used for each message in this activity.
Identifying ECB
1. Find out how many bytes are in a block. Typing random stuff of increasing length in here, the ciphertext length jumps in steps of 16 bytes, so we’re working with blocks of 16 bytes (16 characters).
2. Write a block-sized phrase twice and see whether the ciphertext repeats. ECB encrypts every block independently, so two identical plaintext blocks give two identical ciphertext blocks.
Notice that ciphers 1 and 5 repeat halfway, thus are encrypted using ECB :)
Identifying CBC
Changing one character changes the ciphertext block it sits in and every block after it, because each plaintext block is XORed with the previous ciphertext block before it is encrypted, so the change chains forward. For example, try changing the first character to “2″. In ciphers 3 and 4, the current and all following blocks change.
Thus, ciphers 3 and 4 are encrypted using CBC.
Identifying CTR
The ciphertext grows one byte at a time with the plaintext, rather than in 16-byte steps, because CTR turns the block cipher into a stream cipher (a keystream XORed with the plaintext) and needs no padding; changing one character changes only that one byte of ciphertext. Thus cipher 2 is CTR.
Something Awesome Proposal (Updated)
The original: Something Awesome Proposal (Original)
A few days into conducting research for my Something Awesome (week 3), I came to realise that my intention to web-scrape social media sites using regex had a small problem:
It’s illegal.
Websites like Facebook make it clear that you will be banned if you “engage in Automated Data Collection without Facebook’s express written permission”.
For this reason, I decided in week 3 to adjust my proposal to focus on combining legal tools and publicly available information to investigate privacy.
My Something Awesome proposal updates from week 3 are below. Please note, I have only re-written the parts I am updating, not the whole thing.
Topic (updated): Investigating Privacy Combining Legal Tools with Public Information
Topic (original): Investigating Privacy Using Internet Scraping
What’s my idea? (updated) A legal stalking service: combine legal tools with public information to exploit privacy.
What’s my idea? (original) A stalking service: a program where you can search someone’s name, and it’ll display publicly accessible information about them based on scraping the internet.
Goals
2) (updated) Learn to interact with privacy-related tools (e.g. Maltego), also involving some API interaction (e.g. Google Maps API)
2) (original) Learn/practise web-scraping (and API interaction if necessary)
6) See how one can advantage oneself by faking privacy-related information (e.g. using a VPN)
Plan
Here are the key things I will look into:
1) Maltego: Kris recommended that I master a tool called Maltego, which is a visual analysis tool for intelligence and forensics.
2) VPNs: I’d like to experiment with VPNs to see how I can advantage myself by pretending I am somewhere else, i.e. what if they get your privacy information wrong?
3) Stalker tool: Based on what I have learned, I would like to build my own stalking tool, something that uses public information to stalk someone in some way.
Extension
(updated) Create a website to have a nice interface for the tool that I build.
(original) Create a website to have a nice interface in which you can search someone’s name and have information about them displayed neatly.
Marking Guideline /10
9-10
Completes all stages including the extension with detailed progress logging.
7-8
Completes all stages except for the extension with good progress logging.
5-6
Well researched plan as well as some progress on technical internet scraping.
0-5
Falls asleep from week 3, wakes up in week 7 and does minimal research but not much technical work.
Authentication in Ancient Mesopotamia
On Wednesday, I went to a museum and was fascinated to find the artefact pictured below.

What is it?
This is a cylinder seal, used in Ancient Mesopotamia to authenticate documents and transactions: rolling it over wet clay left an impression unique to its owner. Essentially, it is an ancient version of a signature.
“These seals were worn by their owners on strings of leather or other material around the neck or wrist or pinned to a garment. Their purpose was to serve as a personal signature on a document or package to guarantee authenticity or legitimize a business deal as one signs a letter or form in the present day. The seal was rolled onto the moist clay of the document as an official, binding signature.” - https://www.ancient.eu/article/846/cylinder-seals-in-ancient-mesopotamia---their-hist/
These certainly seem very intricate! I imagine it’d be harder to fake one of these signatures than one of our modern signatures. However, you can steal someone else’s cylinder which is guaranteed to give the same seal whereas you can’t really steal a modern signature. You can only copy it as best as possible
I am Ho.
HE’S DONE IT AGAIN. This was for the bug bounty presentation Kahoot.
The name “Ho” was a hurried misspelling of “hi” which was the best I could come up with when the speakers said “we’re starting the Kahoot” 0.5 seconds after I opened the kahoot website.
I guess I am Ho now.
Week 7 Lecture Notes
This week, it is my tutorial’s (Thu11am) week to take lecture notes. And here they are :)
I have already compiled them into the google doc with the rest of my tutorial class.
Notes
SA: Google Maps API Research
In geometry, trilateration is defined as the process of determining absolute or relative locations of points by measurement of distances, using the geometry of circles, spheres or triangles. (https://robertheaton.com/2018/07/09/how-tinder-keeps-your-location-a-bit-private/)
I should be able to use the Google Maps APIs to design a visualisation website (in JavaScript) that demonstrates trilateration/triangulation.
Instructional Resources
https://developers.google.com/maps/documentation/javascript/examples/circle-simple https://developers.google.com/maps/documentation/javascript/shapes#circles https://www.youtube.com/watch?v=kWncnBBxoJ4 https://developers.google.com/maps/documentation/javascript/heatmaplayer
A Chat with Adam
Adam Smallhorn came to chat with the privacy group which I am a part of. He told us about some of the awesome research he did. Here is a report on the coolest ideas he mentioned:
Collect Personal Information
Legally, Google has to give you some of the information they have stored about you if you request it. This includes location services information and browser history. With these 2 bits of information alone (I think), Adam was able to piece together a day from many years ago that he didn’t even remember. He was able to work out where he went in the morning, who he saw in the afternoon etc.
He also constructed a heat map based on the location services data he collected. You could also gauge location from tracing your wi-fi connections. In red, it showed the route between his home and UNSW. Wow! Who knew Google could pick up on your daily trends so trivially?!
Similarly, he requested personal information about his text activity, and graphed the frequency with which he texted people. The graph showed the decline in texting his ex-partner. Again, we’re able to make assumptions on one’s personal life based on data trends!
What other data trends could you use to draw conclusions about people? Adam suggested maybe analysing who they follow on Instagram (often public) or what music they listen to (also often public) to draw conclusions about their sexuality. Something like that...
The Holocaust (WWII)
Collection of personal data is scary! When Nazi Germany invaded the Netherlands, they were able to find where the Jewish population lived trivially, because the well-documented Dutch population registers recorded religion alongside addresses.
The government might be collecting this information innocently, but if the information falls into the wrong hands, the results can be calamitous.
If you look today in Australia, we have this sort of record keeping as well. Almost all government My Health Record documents seem to ask you if you are Aboriginal/Torres Strait Islander...
Trilateration/Triangulation
Trilateration (usually called triangulation in casual conversation, though strictly triangulation works from angles and trilateration from distances) allows us to stalk the physical location of someone by only knowing “how far away are they?”
Suppose you go to points A, B and C, and at each of them you are given the distance to point D. From this information, we can construct a circle around A, a circle around B and a circle around C, each describing where D could possibly be. The point where all three circles intersect is where D is.
Applications: Dating applications like Tinder and Grindr often give location information like how far away this person is. I wonder how precisely you could find where they really are based on trilateration! The more distance readings used, the more likely we find where they are accurately.
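The circle-intersection idea above, and the "Google Maps API Research" plan further down the page, both come down to the same calculation, so here it is worked through in Python. This is an added example and not part of the chat or of any app's real behaviour: the target position, the observation spots and the 0.5 km rounding step are all constructed, and the solver is a standard least-squares trilateration rather than anything a particular service uses.

```python
import math


def trilaterate(anchors, distances):
    """Estimate (x, y) from three or more known points and the distance to each.

    Subtracting the first circle equation from each of the others cancels the
    squared unknowns and leaves a linear system A p = b in p = (x, y). Solving it
    through the 2x2 normal equations gives the exact intersection for three
    consistent readings and a least-squares fit when the readings are rounded.
    """
    if len(anchors) < 3 or len(anchors) != len(distances):
        raise ValueError("need at least three anchor/distance pairs")
    (x0, y0), d0 = anchors[0], distances[0]
    rows = []
    for (xi, yi), di in zip(anchors[1:], distances[1:]):
        rows.append((2 * (xi - x0), 2 * (yi - y0),
                     d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2))
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-12:
        raise ValueError("anchors are collinear: the position is ambiguous")
    return ((s22 * t1 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def reported_distance(observer, target, step):
    """What a dating app would show: the true distance rounded to `step` units."""
    return round(math.dist(observer, target) / step) * step


def locate(target, observers, step):
    """Take a rounded reading from each observer spot, trilaterate, and return
    the estimate together with its error from the true position."""
    readings = [reported_distance(spot, target, step) for spot in observers]
    estimate = trilaterate(observers, readings)
    return estimate, math.dist(estimate, target)


# Constructed scenario (units are km): the target sits at TARGET, the app rounds
# distances to the nearest 0.5 km, and readings are taken from 3 and then 6 spots.
TARGET = (1.3, 2.7)
THREE_SPOTS = [(0.0, 0.0), (5.0, 0.0), (0.0, 5.0)]
SIX_SPOTS = THREE_SPOTS + [(5.0, 5.0), (2.5, 0.0), (0.0, 2.5)]

if __name__ == "__main__":
    for spots in (THREE_SPOTS, SIX_SPOTS):
        (x, y), err = locate(TARGET, spots, 0.5)
        print(f"{len(spots)} readings -> estimate ({x:.2f}, {y:.2f}), error {err:.3f} km")
```

With exact distances the three circles meet in a single point. With readings rounded to 0.5 km the three-spot estimate lands roughly 100 m off, and adding three more spots pulls the least-squares fit to within a few tens of metres, which is the "more readings, more accuracy" point in concrete numbers. Moving along a straight line does not help: collinear observation spots leave a mirror-image ambiguity, and the solver refuses them.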
UNSW Wi-Fi Data
UNSW was caught being creepy... They were able to use wi-fi data to find out more than they needed to know about people’s bathroom time.
Wi-fi signal strength can also be used to estimate a user’s location (i.e. distance from the access point...).
https://www.itnews.com.au/news/unsw-winds-back-wi-fi-data-collection-on-staff-and-students-491357
Wireshark
Essentially, Wireshark lets you capture the traffic visible on your network interface and, for anything sent unencrypted, read out information about the people on your network, such as search queries and device metadata from the protocol headers. More details:
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.
Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface including unicast traffic not sent to that network interface controller's MAC address. However, when capturing with a packet analyzer in promiscuous mode on a port on a network switch, not all traffic through the switch is necessarily sent to the port where the capture is done, so capturing in promiscuous mode is not necessarily sufficient to see all network traffic
Thanks Adam :)
Tempest Attack
TEMPEST is the NSA (and NATO) codename for spying on information systems through their unintentional emanations, and for the standards that guard against it. In other words, it is a side-channel attack.
What’s that?
A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself.
The exact specification is classified, but the idea is to capture emanations that leak the data being processed: electromagnetic radiation from screens and cables, and by extension sounds and mechanical vibrations. For example, it is possible to log a user’s keystrokes using the motion sensor inside a smartphone lying next to the keyboard.
Block Modes
What is a block cipher?
A block cipher is a deterministic encryption algorithm (it always gives the same output for the same input and key) that works on fixed-size blocks, using a symmetric key (the same key for encrypting and decrypting).
For example, AES (16-byte blocks) or DES (8-byte blocks).
What is a block mode?
A block cipher only handles one block at a time. A block mode is the method for applying it to a message of any length, and the choice of mode decides how much of the message’s structure leaks into the ciphertext.
Here are a 3 examples:
Electronic Codebook (ECB)
Divide a message into block-sized chunks, encrypt each one independently and concatenate the results.
Disadvantage: doesn’t hide data patterns, because identical plaintext blocks always produce identical ciphertext blocks.
For example, if you’re encrypting an image, identical-looking blocks will map to identical ciphertext blocks! All the white parts will map to the same result.
See the image below!
Cipher Block Chaining (CBC)
Each block of plaintext is XORed with the previous ciphertext block before being encrypted. This conceals data patterns, since each ciphertext block depends on all plaintext blocks processed up to that point.
To make each message unique, an initialisation vector (IV) is XORed into the first block. It must be different and unpredictable for every message, otherwise two messages with the same prefix begin with the same ciphertext.
Counter (CTR)
We get a stream of blocks to encrypt: a nonce (a value used once per message) concatenated with a counter (1, 2, 3...). Each nonce-plus-counter block is encrypted with the block cipher under the key, and the outputs form the keystream.
The keystream is what we XOR with the plaintext. This turns the block cipher into a stream cipher, so no padding is needed and the ciphertext is exactly as long as the plaintext. Reusing a nonce under the same key reuses the keystream and reveals the XOR of the two plaintexts.
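To tie this post together with the "Identifying Block Modes" post above, here is the whole thing in Python: the three modes implemented over a block cipher, and then the three black-box tests from that post (length growth, a repeated block, a single-byte change) run against each mode as an oracle. This is an added example, not course code and not any real library. The 16-byte block cipher is a toy Feistel construction standing in for AES so the example runs with only the standard library; the key is constructed, and the oracles deliberately reuse one IV/nonce per mode, as the exercise form evidently does, which is what makes the tests deterministic (and exactly what real CBC/CTR must never do).

```python
import hashlib

BLOCK = 16


def toy_block_encrypt(key, block):
    """Stand-in for AES: a 4-round Feistel network on one 16-byte block with a
    SHA-256 round function. It is a genuine keyed permutation, so the modes below
    behave as they would with AES, but it is a toy and NOT a secure cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    """PKCS#7: always append 1..16 bytes so the length is a multiple of BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key, pt):
    """Each padded block is encrypted independently: equal blocks in, equal blocks out."""
    pt = pad(pt)
    return b"".join(toy_block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key, iv, pt):
    """Each plaintext block is XORed with the previous ciphertext block (the IV first)."""
    pt = pad(pt)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def ctr_encrypt(key, nonce, pt):
    """Keystream block = E_k(nonce || counter), XORed with the plaintext: no padding,
    so the ciphertext is exactly as long as the plaintext."""
    out = []
    for ctr, i in enumerate(range(0, len(pt), BLOCK)):
        keystream = toy_block_encrypt(key, nonce + ctr.to_bytes(8, "big"))
        out.append(xor(pt[i:i + BLOCK], keystream))
    return b"".join(out)


# Constructed key and IV. Every oracle call reuses the same IV/nonce, which keeps
# the tests below deterministic and is also why real CBC/CTR need a fresh one per message.
KEY = b"constructed-key!"
IV = b"\x00" * BLOCK
ORACLES = {
    "ECB": lambda pt: ecb_encrypt(KEY, pt),
    "CBC": lambda pt: cbc_encrypt(KEY, IV, pt),
    "CTR": lambda pt: ctr_encrypt(KEY, IV[:8], pt),
}


def find_block_size(oracle):
    """Test 1: grow the input one byte at a time and watch the ciphertext length.
    Padded modes jump by a whole block; a stream-like mode grows by one byte."""
    base = len(oracle(b""))
    for n in range(1, 2 * BLOCK + 1):
        grown = len(oracle(b"A" * n))
        if grown != base:
            return grown - base
    raise RuntimeError("ciphertext length never changed")


def changed_positions(oracle, length=40):
    """Test 3: change only the first plaintext byte and list which ciphertext
    byte offsets differ."""
    a = oracle(b"A" * length)
    b = oracle(b"B" + b"A" * (length - 1))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def identify_mode(oracle):
    step = find_block_size(oracle)
    if step == 1:
        return "CTR"                      # byte-granular growth: keystream, no padding
    twice = oracle(b"A" * (2 * step))     # Test 2: a block-sized phrase written twice
    if twice[:step] == twice[step:2 * step]:
        return "ECB"                      # the two halves of the ciphertext repeat
    if max(changed_positions(oracle, 3 * step)) >= 2 * step:
        return "CBC"                      # the change propagated into every later block
    return "unknown"


if __name__ == "__main__":
    for name, oracle in ORACLES.items():
        print(f"{name}: identified as {identify_mode(oracle)}, "
              f"length step {find_block_size(oracle)}, "
              f"bytes changed by a 1-byte edit: {len(changed_positions(oracle))}")
```

The same three probes work unchanged against a real AES oracle such as the exercise form, since they never look inside the cipher, only at ciphertext length and at which bytes move. Swapping `toy_block_encrypt` for an AES block encryption from a proper library is the only change needed.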
Dank Penguin Piccies
Lots of this info is from: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
Threat Models
This is how we formally assess and document risk.
There are lots of different options for modelling, such as Threat/Attack Trees, DREAD, STRIDE...
Threat/Attack Trees
Represent attacks against a system in a tree structure: the attacker’s goal is the root node, each child is a way of achieving (or a sub-goal of) its parent, and the leaves are concrete attack steps. A node’s children combine with OR (any one of them suffices) or AND (all of them are needed). Leaves can be annotated with values such as cost or feasibility and these roll up the tree, so you can read off, say, the cheapest attack and see which countermeasure changes it.
Example:
Credit: https://www.schneier.com/academic/archives/1999/12/attack_trees.html
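Here is that roll-up computed in Python over a small tree. This is an added example, not code from Schneier’s article or the course: the node structure and dollar figures loosely follow his “open safe” illustration but should be treated as constructed values, and the `mitigate` step (marking a leaf impossible to model a countermeasure) is my own addition.

```python
LEAF, AND, OR = "leaf", "and", "or"


def leaf(name, cost, possible=True):
    """An attack step with an estimated cost; `possible=False` marks it infeasible."""
    return {"type": LEAF, "name": name, "cost": cost, "possible": possible}


def node(kind, name, *children):
    """An AND or OR node combining its children."""
    return {"type": kind, "name": name, "children": list(children)}


def cheapest(tree):
    """Return (cost, [leaf names]) of the cheapest feasible attack on the tree,
    or (inf, []) if every route is blocked.

    OR node: the cheapest feasible child wins.
    AND node: every child must be feasible and their costs add up.
    """
    if tree["type"] == LEAF:
        if not tree["possible"]:
            return float("inf"), []
        return tree["cost"], [tree["name"]]
    results = [cheapest(child) for child in tree["children"]]
    if tree["type"] == OR:
        return min(results, key=lambda r: r[0])
    total, steps = 0, []
    for cost, names in results:
        if cost == float("inf"):
            return float("inf"), []
        total += cost
        steps.extend(names)
    return total, steps


def mitigate(tree, names):
    """Copy of the tree with the named leaves marked impossible, i.e. with a
    countermeasure applied, so you can see how the cheapest attack shifts."""
    if tree["type"] == LEAF:
        copy = dict(tree)
        if copy["name"] in names:
            copy["possible"] = False
        return copy
    return {**tree, "children": [mitigate(child, names) for child in tree["children"]]}


# Constructed tree in the shape of the classic "open safe" example; costs are illustrative.
OPEN_SAFE = node(OR, "open safe",
    leaf("pick lock", 30_000),
    node(OR, "learn combination",
        leaf("find written combination", 75_000),
        node(OR, "get combination from target",
            leaf("threaten", 60_000),
            leaf("blackmail", 100_000),
            node(AND, "eavesdrop",
                leaf("listen to conversation", 20_000),
                leaf("get target to state combination", 40_000)),
            leaf("bribe", 20_000))),
    leaf("cut open safe", 10_000),
    leaf("install improperly during setup", 100_000, possible=False),
)

if __name__ == "__main__":
    print("Cheapest attack:", cheapest(OPEN_SAFE))
    hardened = mitigate(OPEN_SAFE, {"cut open safe"})
    print("After making the safe uncuttable:", cheapest(hardened))
    print("...and vetting staff against bribery:", cheapest(mitigate(hardened, {"bribe"})))
```

Each mitigation just knocks out a leaf and the cheapest route moves elsewhere, which is the useful part of the exercise: the tree tells you which countermeasure actually raises the attacker’s bill and which one only reshuffles their options.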
Hashing Attack Examples
This is a response to module 5: hashing
Using The NSHA-1 Hash (just strip the vowels)
Pre-Image Attack
Problem: Given the hash bk find a pre-image. Solution: book
Second Pre-Image Attack
Problem: Given the hash bk and the pre-image book, find another pre-image that hashes to the same result. Solution: beak
Collision Attack
Problem: Find 2 messages which hash to the same thing Solution: book & beak
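The three attacks, run against the toy hash in code. This is an added example for this post, not course material: `nsha1` is the strip-the-vowels hash defined above, and the word list the attacker searches is constructed.

```python
VOWELS = set("aeiou")


def nsha1(message):
    """The toy NSHA-1 hash from the post: strip the vowels."""
    return "".join(ch for ch in message.lower() if ch not in VOWELS)


# Constructed word list: the attacker's dictionary of candidate messages.
WORDLIST = ["beak", "bake", "book", "bank", "boat", "cook", "cake", "beet", "bat", "bet"]


def preimage(target_hash, words):
    """Pre-image attack: given only the hash, find any message that produces it."""
    for w in words:
        if nsha1(w) == target_hash:
            return w
    return None


def second_preimage(known, words):
    """Second pre-image attack: given a message, find a different one with the same hash."""
    target = nsha1(known)
    for w in words:
        if w != known and nsha1(w) == target:
            return w
    return None


def collision(words):
    """Collision attack: find any two distinct messages with the same hash.
    Hash each word once and stop at the first repeated digest (the birthday approach),
    so the attacker never has to hit a specific target value."""
    seen = {}
    for w in words:
        h = nsha1(w)
        if h in seen and seen[h] != w:
            return seen[h], w
        seen[h] = w
    return None


if __name__ == "__main__":
    print("pre-image of 'bk':", preimage("bk", WORDLIST))
    print("second pre-image of 'book':", second_preimage("book", WORDLIST))
    print("collision:", collision(WORDLIST))
```

The collision search is the cheapest of the three because it accepts any repeated digest rather than one fixed target; with a real hash the same asymmetry is why collision resistance breaks first (roughly 2^(n/2) work against 2^n for a pre-image).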
How advanced are the NSA?
It’s hard to know, really. I’ve heard estimates that they’re 15 years ahead of industry right now. That sounds pretty crazy. But if we look into history, maybe it’s not so crazy.
Here is one historical example from the era of DES:
The public discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir in the late 1980s.
According to author Steven Levy, IBM had discovered differential cryptanalysis on its own, and the NSA was apparently well aware of the technique. In 1994, a member of the original IBM DES team, Don Coppersmith, published a paper stating that differential cryptanalysis was known to IBM as early as 1974.
It seems the NSA (and IBM) were over 10 years ahead of the open academic community regarding differential cryptanalysis.
What does the NSA know now that we will only hear about in over 10 years?