cyber.egd.io

privacy

Those who follow me may know that I was raised Mormon but no longer practice the religion. As such, I participate in quite a few online forums with other people at various points on the Mormon spectrum. In these forums, private text messages or social media posts from believing, orthodox family or friends are often shared as a way to vent frustration. Most of the forums I participate in are private, but a few are public. Nevertheless, I'm always shocked at how little the person sharing these things does to redact the text in order to protect the privacy of the other party. The most common situation is that a name is redacted but a profile picture is not. Occasionally, nothing is redacted at all. It is rare that I see a post that meets what I personally consider acceptable. I thought I'd take the time to share those personal criteria in the hope that they catch on and make the internet a safer place for everyone. After all, I have some experience with doxxing.

Why does it matter?

You may be wondering why you should care. The answer is: for a lot of reasons. Your intentions in sharing may not be malicious, but rather therapeutic or cautionary; even so, there is always the risk that the comments shared will be triggering to someone in your audience. If there is information that could be used to identify the person, it could be maliciously exploited to find further information. A good example is the aftermath of Charlottesville, where many of the white supremacists were identified from photographs taken at the event. Others around the Internet were subsequently able to track down many of their employers, contact them, and advocate for the person's termination. I'm not arguing that this situation is or isn't justifiable; I use it simply to illustrate the possibilities. If your friend makes one ignorant statement that you can get past but someone else can't, and you don't redact their information sufficiently, that person could get fired or otherwise have their life ruined. This is a very important topic. For more information, I suggest reading the Wikipedia entry on doxxing. Please also note my disclaimer in the footnote at the end of this post.

The Criteria

Screenshots of social media posts (i.e., Facebook, Instagram, Twitter, etc.)

The most common way I have seen these posts shared is as screenshots, typically of something the person sharing completely disagrees with or finds offensive. For it to be acceptable to share, I believe the screenshot must have the following things completely redacted:

  • All names (except your own if you don't care)
  • All identifying pictures
  • Any other identifying information, such as phone number, address, or neighborhood, and possibly even city and state.

To illustrate, I will use screenshots of a couple of recent public Facebook posts I have made. For the sake of demonstration, imagine these are being posted to a private forum by a friend of mine.

Total fail

The example below is a total fail because absolutely nothing is redacted. This should almost never happen.

Nothing is redacted. Absolutely not acceptable.

Better than nothing

The next example is only slightly better because the name is redacted. However, you'll notice my profile picture is still exposed. That is still very identifying, especially because it is such a close-up.

Better than nothing. Profile picture is still unredacted.

Not much better

The only difference between this example and the previous one is that my eyes are redacted. This isn't much different, because there are still other identifying features in my profile picture, such as my hat, beard, and smile. Somebody who was friends with me on Facebook could easily identify me. I know this for a fact because this exact scenario happened to me personally.

Not much better. Still identifying.

Perfect

The example below is the only acceptable way to redact a public social media post and reasonably protect the anonymity and privacy of the person involved. Notice that the exposed names of those who have liked or otherwise reacted to the post have also been redacted. This is important as well, especially if the post is particularly controversial and could spread beyond the group for which it was originally intended.

Perfect. Do this every time!

Also note that if the post had contained my location, address, phone number, or anything else potentially identifying, that should also be redacted.

Post with comments

Lastly, if the comments on a post are shared, apply the same principles outlined above to the comments section as well.

Apply same principles to comment section.

*Note: this post contains a link to my personal blog. For the sake of demonstration, assume that it points to a normal media outlet. Otherwise, it is very identifying.

Text and other private messages

Another fairly popular thing to share is Facebook and Twitter direct messages or text messages. Oftentimes these are conversations that did not go the way the person sharing them had expected, and the other party probably said some things they regret. In my example, I simply engaged in a generic conversation with one of my Facebook friends. This is the extent to which these conversations should be redacted:

Name, profile picture, address, phone number, and time of meetup all redacted.

Note the following things that were redacted:

  • Name of the conversation at the very top of the screen
  • Time of the meeting
  • Address
  • Phone number
  • Name in line with conversation
  • Profile picture (in multiple places)

It is crucial to redact all of these things in order to protect the person's identity. The exact same rules apply to text messages as well.

Scope: public vs. private posts

Often, people will argue that if someone makes a tweet, Instagram post, or Facebook post public for the whole world to see, redactions are not needed. I tend to fall into this school of thought, but a valid counterpoint is that the person could later regret the decision and either delete the post or make it private. The forum or group in which you are participating may have specific rules on this topic, and it is always good to check. One of the forums I most frequent, the r/exmormon subreddit, does have rules specifically requiring the redaction of all shared social media posts, whether public or not. If no rules are specified, it is a personal decision, but it may be better to err on the side of caution and follow the suggestions I outline above.

When making this decision, it is important to consider the scope of what you are sharing. By scope I mean two specific things: the scope of the privacy settings on the original post, and the scope of the audience with whom it will be shared. For instance, if you can't believe what your cousin said about Trump's newest executive order in a post shared only with Facebook friends, it is probably OK to screenshot the post and share it with your sibling who is also this cousin's Facebook friend. Or, if it's a public tweet from someone you don't know and you're only going to share it with a friend because it supports a point you made in a recent debate, that's also likely fine. But if you are explicitly sharing something posted under a strict privacy setting with an audience for which it obviously was not intended, it is crucial that you follow the suggestions above.

Please note that major media outlets will often share public tweets concerning a topic they are writing about, as Buzzfeed did in this hilarious article. In it, they share tweets, mostly from students at Brigham Young University, from the day the school finally allowed caffeinated beverages to be sold on campus. The article embeds the tweets inline with the rest of the text rather than sharing an image of each tweet. This is important because if the tweets were later deleted or made private, they would no longer appear in the article, thus respecting the user who originally made the comment. There are some instances when this is not necessary, such as when the person is a public figure. That said, think twice before saying something potentially controversial online. The Internet is typically not a forgiving place, and not everyone has the same ethics as you or respectable media organizations.[^1]

Conclusion

Please feel free to share this standard with your online forums and groups. The more widely it is implemented, the better the Internet will be. Also, don't worry about the redactions looking as clean as my examples here. As long as the sensitive information outlined above is obfuscated, whether by emojis, scribbles, or simply cropping it out, that is what matters. Lastly, please feel free to contact me via email or in the comment section below if you disagree or would like to see something added.

Thank you

egd

[^1]: The ethics and guidelines for doxxing are not nearly as black and white and clean cut as I make them out to be here. This article should not be used as an ethical guide, but rather be seen as suggestions for protecting the innocent when sharing private conversations outside of their intended audience. The example cited of Charlottesville brings attention to a fascinating ethical and moral debate about whether this sort of vigilante activity is justifiable in certain situations.

#doxxing #privacy

This article was originally posted on nullsecure.org and has been republished with permission.

I've been pretty busy lately with updating Tango to version 2.0 and working on threatnote, but another project I started on recently is something @__eth0 and I are calling Gavel. Gavel is a set of Maltego transforms that query traffic records in each state. This project started out really ambitiously; we wanted to cover all 50 states, but we ran into several problems. Our goal was to provide a way to look up certain data available in the traffic records, including:

  • Address
  • Height
  • Weight
  • Age
  • License Plate Number
  • Car Make/Model

This is some great Open-Source Intelligence (OSINT) information, and we wanted to make it easy for researchers to obtain using Maltego. As mentioned above, we ran into several problems that are preventing us from releasing it as a full-blown set of transforms.

Roadblocks

The first problem we hit was that some states require you to pay for each query you make against the database. If we hosted this transform on a server, we wouldn't be able to cover the cost of each of these queries, and even if we provided the code to the users, I'm not sure we could code a good solution for handling the payment information for each query.

The next problem was that some states are broken out by county. This would create a lot of extra work for us, and by the time we finished one county, another might have changed its code, so it's a ton of maintenance work to get them all working. Also, some states and counties use CAPTCHAs for each query, and I have no experience getting around them.

So, with those problems at hand, we decided to open-source this tool to the community in the hope that anyone who would benefit from this OSINT tool can code their own county and/or state. We're aware we may never have all the states and counties covered; however, we'd like to get as many done as we can.

Currently, only Maryland is complete, so if you live there, you're in luck! The code isn't that difficult; it just took a little work with the requests to get the exact responses we needed. The worst part is parsing the HTML, which I have no problem saying I suck at.

How It Works

To use Gavel, you simply download the code we provide and import the transforms into Maltego. Once all the code is set up and in the right place, you add a "Person" entity to your Maltego graph like so:


Next, right-click on the entity and run "Gavel — Get Names". This transform searches the state's traffic records and returns the names of individuals matching your search that it has records for. For example, if your name is John Smith, there are probably a ton of case records for that name; that's why we return the names, since it's easier to narrow down to the specific person you are looking for. This step also adds the case IDs that the next step will need to query as properties on each entity.

Next, right-click on the person of interest and select "Gavel — Get Addresses". It iterates through the case IDs in the entity's properties and returns location and vehicle entities based on the information it finds.

Here’s a screenshot of what the end result would be.


In the image above, the entity at the top is the original one we added, "Brian Warehime". Below it are the case records found matching that name; these hold all the case IDs in their properties. Below the names are all the addresses and vehicle information we could discover. (This is made-up data, since my last traffic stop was so many years ago that it aged out.)

You'll notice on the right-hand side, in the "Property View" section, we added additional properties to the person entity: the height, weight, and DOB for each target, which help validate that this is your target.

For the vehicle entities, we display the license plate number; however, if you select the entity, in the properties area on the right-hand side you will find the year, make, and possible body style for the vehicle. See below for a screenshot:


Looking at the screenshot above, we can see it's a 2000 GMC with a possible body style/make of "05". I'm not sure where that number could be looked up to find the model it corresponds to, so if you know, please let me know!
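To make the two-step flow above concrete, here is an added example of the same pattern, written by the editor and not taken from the Gavel repository. It runs entirely offline: the search-results page and the case-detail pages are constructed HTML tables whose layout is an assumption (the real Maryland site's markup is not shown on this page), the entity type for the car (`gavel.Vehicle`) and the property names (`caseids`, `dob`, `description`) are placeholders chosen here, and the transform output is built by hand in Maltego's `MaltegoTransformResponseMessage` XML envelope rather than through the Maltego library the post mentions. The first function mirrors "Get Names" (group case IDs per name and hang them on the person entity); the second mirrors "Get Addresses" (walk those case IDs, de-duplicate addresses, and collect plates with their year/make/body-style string), skipping any case whose detail page is missing rather than failing the whole transform.

```python
"""Editor's example of the Gavel two-step transform flow (not Gavel's code).
Assumptions: HTML layouts, entity type 'gavel.Vehicle' and property names
are placeholders; the Maltego response XML envelope is the documented one."""
from html.parser import HTMLParser
from xml.sax.saxutils import escape

# Constructed search-results page: one row per case, so names repeat.
SEARCH_HTML = """
<table id="results">
<tr><th>Name</th><th>Case</th><th>DOB</th></tr>
<tr><td>WAREHIME, BRIAN</td><td>MD0000001</td><td>01/01/1980</td></tr>
<tr><td>WAREHIME, BRIAN</td><td>MD0000002</td><td>01/01/1980</td></tr>
<tr><td>WAREHIME, BRIANNA</td><td>MD0000003</td><td>02/02/1990</td></tr>
</table>
"""

# Constructed case-detail pages keyed by case ID (MD0000003 deliberately absent).
CASE_HTML = {
    "MD0000001": "<table><tr><td>Address</td><td>123 Main St, Baltimore, MD</td></tr>"
                 "<tr><td>Plate</td><td>ABC1234</td></tr>"
                 "<tr><td>Vehicle</td><td>2000 GMC 05</td></tr></table>",
    "MD0000002": "<table><tr><td>Address</td><td>123 Main St, Baltimore, MD</td></tr>"
                 "<tr><td>Plate</td><td>XYZ9876</td></tr>"
                 "<tr><td>Vehicle</td><td>2015 FORD 04</td></tr></table>",
}


class RowParser(HTMLParser):
    """Collect every <tr> as a list of its cell texts (<td>/<th>)."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def table_rows(html):
    parser = RowParser()
    parser.feed(html)
    return parser.rows


def get_names(search_html):
    """Step 1 (like 'Gavel - Get Names'): group case IDs by name so the
    analyst can pick the right person before any detail pages are fetched."""
    people = {}
    for row in table_rows(search_html):
        if len(row) != 3 or row[0] == "Name":   # skip header / malformed rows
            continue
        name, case_id, dob = row
        people.setdefault(name, {"dob": dob, "caseids": []})["caseids"].append(case_id)
    return people


def get_addresses(case_ids, case_pages):
    """Step 2 (like 'Gavel - Get Addresses'): walk the case IDs carried on the
    entity; return de-duplicated addresses and {plate: year/make/body} vehicles."""
    locations, vehicles = [], {}
    for cid in case_ids:
        page = case_pages.get(cid)
        if page is None:                        # aged out / no detail page: skip it
            continue
        fields = {r[0]: r[1] for r in table_rows(page) if len(r) == 2}
        if fields.get("Address") and fields["Address"] not in locations:
            locations.append(fields["Address"])
        if fields.get("Plate"):
            vehicles[fields["Plate"]] = fields.get("Vehicle", "")
    return locations, vehicles


def entity_xml(etype, value, fields):
    """One <Entity> in Maltego's transform response format."""
    extra = "".join('<Field Name="%s" DisplayName="%s">%s</Field>'
                    % (escape(k), escape(k), escape(v)) for k, v in fields.items())
    return ('<Entity Type="%s"><Value>%s</Value><AdditionalFields>%s</AdditionalFields></Entity>'
            % (etype, escape(value), extra))


def response_xml(entities):
    return ("<MaltegoMessage><MaltegoTransformResponseMessage><Entities>"
            + "".join(entities) + "</Entities></MaltegoTransformResponseMessage></MaltegoMessage>")


def run_get_names(search_html=SEARCH_HTML):
    ents = [entity_xml("maltego.Person", name, {"dob": p["dob"], "caseids": ",".join(p["caseids"])})
            for name, p in get_names(search_html).items()]
    return response_xml(ents)


def run_get_addresses(caseids_field, case_pages=CASE_HTML):
    locs, vehs = get_addresses(caseids_field.split(","), case_pages)
    ents = [entity_xml("maltego.Location", addr, {}) for addr in locs]
    ents += [entity_xml("gavel.Vehicle", plate, {"description": desc}) for plate, desc in vehs.items()]
    return response_xml(ents)


if __name__ == "__main__":
    print(run_get_names())
    print(run_get_addresses("MD0000001,MD0000002"))
```

The join/split of `caseids` is the same trick the post describes: the first transform stashes the IDs on the entity, and the second reads them back from the property instead of re-running the name search. Keeping the row parser tolerant (it ignores header and short rows, and a missing case page is skipped) matters more than it looks, because a county changing one column is exactly the maintenance problem the Roadblocks section describes, and a transform that throws on one bad row returns nothing for the whole graph.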

Installation

On the GitHub page, you'll find a few files to download: a couple of Python scripts, the Maltego library we use, and an .mtz file.

First, place the Python scripts somewhere on your computer, like /Users/<yourname>/Maltego/Transforms or wherever. Next, place the Maltego library in the same directory as the two Python scripts you just moved.

Next, open Maltego. Click on "Manage" in the title bar, then click the "Import Config" button. Locate the .mtz file you downloaded and click Next. Make sure the "Local Transforms" and "Transform Sets" boxes are checked and click Next. Once installed, click "Finish".

To make sure these transforms run correctly, we'll need to set up your environment. Click on "Manage Transforms" in the menu bar to open the "Transform Manager". Scroll down until you find the Gavel transforms. Click on the first one and look at the bottom right of the window. You'll see a few options like so:


First, make sure the "Command Line" points to your Python interpreter; for instance, I put /usr/bin/python for mine. Next, change the "Working Directory" to the location where you saved the transforms earlier.

Repeat the steps above for both Gavel transforms and you should be all set. One last thing before you go: I believe you need to download an entity expansion pack to use one of the entities I added (the car), which can be found here. It will still work without it; however, the entity will show up as a chess piece if its type is not found.

That should cover it; however, if those instructions don't work, please feel free to email me or reach out to me on Twitter.

Future Development

With Maryland being the only state, we definitely want to expand this as far as we can. We'll try to do other states as time allows, but that's why we need your help!

@__eth0 has done a lot of work on Delaware and just needs to do some minor tweaking. Once that's done, we'll require users to add a "State" property value when they create the person entity so we know which state to query.

A minor thing that I'll most likely complete this week is adding the date each entity is for. Each address and vehicle will have a month/year attribute so you know how current the data is. One thing we thought would also be useful is to correlate this information against state property records for validation. Anyone can go into the state's property records and look up an address to see the current owners, so this would be an excellent way to validate the data from the case records.

You can find all the code on my Github page for what we have currently, and if you have any comments or questions, please feel free to reach out to us on Twitter at @brian_warehime or @__eth0.

#osint #maltego #privacy #projects