Category Archives: Thinking

Political Spearphishing

If you’ve ever visited my LinkedIn you know that I admit to working for a “nameless detective agency” in Los Angeles. I haven’t displayed any of the stuff I’ve been doing, but this week I got something where I can make my findings public: a broad political spearphishing campaign.

The origins of the emails were obfuscated, but all anchored at mesrv.com. Using Maltego I found dozens of subdomains.

Many Mail Servers

The Whois lookup for the domain was completely useless, a proxy registration intended to thwart diggers.

mesrv.com Current Whois

But this particular operator didn’t register clean at the start of this game. Hello, Mohammed Benyahia.

mesrv.com by Mohammed Benyahia

The other 21 domains associated with his name were available:

Mohammed Benyahia domains

Domains are registered to mohamed.benyahia@tersea.com, and a quick scan shows that mesrv.com and tersea.com are quartered in the same place today. This gives me the sense I’ve got the right guy; it’s not like someone picked up the mesrv.com domain at random and put it to work using Benyahia’s business as a cover.

mesrv.com & tersea.com

I visited tersea.com’s site and they conveniently revealed the @tersea Twitter account. It only took moments to find @Salutismo, Benyahia’s personal account, and then from there the rest fell out quickly.

@tersea & @Salutismo Common Contacts

Some of those are big media accounts; stripping those, it appears we’ve found some possible associates:

Benyahia’s Probable Associates

Among them, I most like Dany Tech aka Omar Salhane, since he’s locked down and that sounds like a Moroccan name, same as Benyahia. Small accounts like these, particularly long-abandoned ones, are absolute treasure: they’re a candid admission of how things were in the past, and only a really experienced player will know to clean up, or to salt their trail with fake stuff.

Omar Salhane’s One Mention

So that’s some initial recon. We’re looking for someone who can pick out who is important in a specific left-leaning political organization and go at them hard. A Moroccan living in Paris with rented servers in Ireland? That doesn’t add up, so at this point I guess this guy is a service provider to many activities, perhaps some shady, and I change direction a bit.

I found thirteen IPv4 and two IPv6 addresses active for the twenty-one domains.

Active IPs

tersea.com & Friends

The tersea.com domain is hosted within AS36884 Wana in Morocco. There are some other servers within AS8560 1 & 1 in France.

1 & 1 Servers

I thought it would be interesting to employ ThreatCrowd, a Maltego transform that queries AlienVault’s Open Threat Exchange. Two of the fifteen IPs came back hot – involved in malware campaigns. Notice the number of German domains here? All of Benyahia’s contacts are French speakers, so this looks like a generalized place for bad actors.

ThreatCrowd Results

And the main tersea.com domain came back hot, too.

tersea ThreatCrowd Results

I think Benyahia is a fraudster, a spammer, but he doesn’t read like someone who goes hunting in the American political space. He probably sold some services to someone who did, and that’s a deeper level of digging required to expose the truth. I haven’t seen the details on the attempts so I can’t predict if I’ll be able to display them here, or if they’re specific enough to identify the target.
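The pivots this post walks through (registrant e-mail to sibling domains, domains to their addresses, and shared hosting), as an added example that is not part of the post. The whois and DNS records are constructed stand-ins using reserved example names and addresses, not the real data; the shared-address link is included with the caveat that on a rented hosting provider it is the weakest of the three ties.

```python
from collections import deque

# Constructed stand-in whois records (not real data): domain -> registrant e-mail
WHOIS = {
    "seed-mail.example": "operator@biz.example",
    "biz.example": "operator@biz.example",
    "biz-net.example": "operator@biz.example",
    "unrelated.example": "someone-else@other.example",
    "shared-host.example": "privacy-proxy@registrar.example",
}
# Constructed stand-in DNS records: domain -> set of addresses it resolves to
DNS = {
    "seed-mail.example": {"192.0.2.10", "192.0.2.11"},
    "biz.example": {"192.0.2.10"},
    "biz-net.example": {"198.51.100.5"},
    "unrelated.example": {"203.0.113.7"},
    "shared-host.example": {"192.0.2.11"},
}
# Substrings that mark a proxy registration; such an e-mail is useless as a pivot
PROXY_MARKERS = ("privacy", "proxy", "whoisguard")


def registrant(domain):
    """Registrant e-mail, or None when the record is a privacy-proxy registration."""
    email = WHOIS.get(domain)
    if email is None or any(m in email.lower() for m in PROXY_MARKERS):
        return None
    return email


def pivot(seed, max_hops=2):
    """Breadth-first pivot from a seed domain over two edge types:
    same registrant e-mail, and shared address. Returns {domain: (hops, via)}.
    A shared address on a hosting provider can link unrelated tenants, so the
    'via' string is kept so an analyst can weigh each tie."""
    found = {seed: (0, "seed")}
    queue = deque([seed])
    while queue:
        d = queue.popleft()
        hops, _ = found[d]
        if hops >= max_hops:
            continue
        links = []
        email = registrant(d)
        if email:
            links += [(o, "registrant " + email) for o, e in WHOIS.items() if e == email]
        for ip in DNS.get(d, ()):
            links += [(o, "shared ip " + ip) for o, ips in DNS.items() if ip in ips]
        for other, via in links:
            if other not in found:
                found[other] = (hops + 1, via)
                queue.append(other)
    return found
```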

This sort of work is fun for me, like doing a puzzle where there’s a scavenger hunt for the pieces before I can even start.

Cascadia’s Inevitable Tsunami

The Cascadia subduction zone is the most dangerous fault on the west coast, running seven hundred miles from California’s Cape Mendocino to the middle of British Columbia. Unlike the noisy faults of California, this one saves its energy, unleashing individual, massive quakes every two hundred to nine hundred years. The most recent event was in 1700 and the average over the last 18,000 years has been a quake about every two hundred fifty years.

Projections show that another event like the historic full fault slips of the past will take out pretty much everything west of I-5 in Oregon and Washington.

Oregon Quake & Tsunami

I’ve been looking for something that would illustrate what will happen to major coastal cities. There are long, fairly boring simulations and plenty of videos with people yelling in Japanese, but nothing that quickly conveys what might happen here.

The Juan de Fuca plate has been sliding beneath the North American plate at a rate of 4 cm per year for 317 years. Oregon and Washington are going to lunge westward forty feet in a matter of four or five minutes, sinking three to six feet in the process. Predictions are all over the board as far as tsunami height, but the 1700 wave in Japan reached fifteen feet.

I tend to focus on things that are global rather than local and incremental rather than situational, but I keep coming back to this. It’s enormous, it’s inevitable, but since we don’t get periodic education the way California does the area doesn’t even have appropriate building codes.

Hacker, Hoaxer, Whistleblower, Spy: The Many Faces Of Anonymous

Hacker Hoaxer Whistleblower Spy

I just completed a final dash through Gabriella Coleman’s marvelous book on Anonymous during the raucous years, roughly from Operation Payback in support of Wikileaks in 2010, through the downfall of LulzSec and related events in 2012.

Chapter 7, Revenge of the Lulz, covers the HBGary intrusion, the episode with which I am most familiar. I downloaded the torrent, like every other spectator, but then wrote a white paper that was circulated on Capitol Hill, leading to eighteen House offices calling for hearings.

Part of what stirred me was this bit of good news – Barrett Brown will be released in about ninety days. I tolerated a couple of years of snitch jacketing, primarily from white trashionalist Robert Stacy McCain. I get the feeling that a bunch of outstanding business is going to get resolved in the first few months after the election.

A Place Of My Own

I have a public presence that is maintained: this blog, LinkedIn, @nrauhauser, a zombie Facebook account, and a bunch of other stuff like Github that gets used more to read than to publish. There are literally dozens of services where I have claimed my name, poked around a bit, and then walked off, never to return.

But stuff like this keeps happening … free WordPress blogs don’t permit dynamic content, and more and more I find things I want to do that require this.

GristEmbed

This latest random site comes atop two other things I use that pretty much demand iframe.

I just claimed nealr on Tableau Public but I can only show screen shots of things there that are much better as dynamic content, which I hinted at in Tableau: Benefits & Limitations.

There are a lot of maps on this site associated with mostly foreign policy and a smattering of environmental issues. Seems like there isn’t a way to get a count of total images any more, but I’ve used 15.5% of 3 gig of space.

NealRauhauserWordpressMaps

They don’t turn up much here (yet), but I have a couple Mapbox accounts and I’ve produced various things with them. Like live links to Tableau, this requires iframe access.

It’s always amusing to me to see what condition I’ve left DNS in for rauhauser.net. Looks like most recently I was clowning around with Cloudflare and redirects. I should probably dust that off, fire up a VPS somewhere, and actually install WordPress.

Foreign Policy Collectives: @LobeLog

Earlier this year I examined the social networks of a number of foreign policy oriented groups including Wikistrat and e-International Relations. This included probing their Twitter and LinkedIn usage. I also laid hands on RightWeb’s content and produced Militarist Influence On Foreign Policy, an exploration of the static profiles for over 300 militarists maintained by a watchdog organization.

Near the end of that process I subscribed to LobeLog, which I’ve found to be very good. Today I noticed that eight of their authors have Twitter profiles so I turned my system loose on them.

3,508 Discussion Peers For Eight Authors

400 Frequent Discussion Partners

Forty Four Accounts To Watch

So these final forty four are people who are important to the discussion – I recognize some of them from foreign policy reading and I assume the rest are academics and policy people. The criteria here were those mentioned fifty or more times in the last 3,200 tweets.

@LobeLog Authors Influencee Network

I pasted the eight seed names into Maltego and then let my @Klout transforms work. I am a little surprised by the result – the only loop in here is the one I created in order to keep the original accounts near the center of the graph. This is an indication that the foreign policy discussion space is large. When we examine astroturf efforts we find self-referential loops by the second generation.

There were over 1,400 hashtags referenced.

1,400 Hashtags

My parser has improved quite a bit since the last time I did this and I quickly narrowed down to just thirty three key hashtags that were being used.

Thirty Three Key Hashtags

What have we learned here?

I typed eight names into a text file, issued a single command, and fifteen minutes later I had the data used to produce these graphs. We can tell which other accounts they talk to, weighted by frequency, and we can determine who they influence according to Klout. We can also tell which topics concern them based on hashtag use weighted by frequency.

What can we do next?

I recognized some of the names as I was filtering the large list and in the final I see one person I know in real life and another that I know from a mailing list. These people are richly interconnected in a fairly transparent fashion.

I think the next step will be doing this for the much larger group listed on RightWeb, but that’s taking a while as I am having to dig for their Twitter accounts. Once I have that I will do some sort of composite graph, putting in all the foreign policy people and organizations I have identified, and I’m going to try to sort them into cliques.

What I really need here are a few foreign policy watchers who already pay close attention and who would be willing to either provide me API access to their account, or run a secondary account specifically to create who’s who lists. I have considered using a passive approach, just milking public lists, but for this to work I think there is an additional level required when classifying accounts. Lists made by users at this level tend to be inclusive – all experts on a given topic, rather than breaking them down to their viewpoints.

Reducing Infant Mortality With Social Network Analysis

My first experience with social network analysis was downloading the Maltego Community Edition software. I put in an email address, ran a transform, and it showed me the associated Twitter account. A few more clicks, and it showed me the account’s associates. I was immediately hooked – the system represented things on the screen the way I envision them in my head. That was November of 2010. Two years later I took the Social Network Analysis class from Coursera and I would say that this is now a pretty firm career direction for me. There are all sorts of things I have yet to learn, but the basics are in place.

One of the nice things with this course was that it got me out of viewing SNA as purely an opposition research tool. People use generalized network analysis for everything from protein structure to organizational analysis & development. This is the bright side of the SNA coin, and I just noticed Eva Schiffer’s work with Net-Map.

Their most recent project involves cutting infant mortality in rural Nigeria. SNA isn’t always poking around in social media – the practice got its start in the social sciences decades ago. People get trained in Net-Map and then they go out and collect information on organizations by hand, in this case visiting all the people who provide funds and deliver health services in the Nigerian state of Katsina.

Manual Net-Map

This electronic drawing of the manual map shows what they are doing – identifying actors and the flows of money and influence that affect how health care is delivered.

Electronic Version Of Manual Net-Map

The entire study is thirty one pages and it contained a lot of detail on how they sorted out the force vectors between nodes – in English, how they determined how much and what type of influence each of the various actors exerted on the others. The systems I am using right now have the ability to label, color, and weight links, and I have written a bit of code to include a time component to Twitter mentions, slowly aging them down to a minimal value, which produces a more accurate graph of current conditions.
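Two pieces of the Twitter processing described on this page, as one added example that is not the blog’s own code: the frequency filter from the @LobeLog post (peers mentioned at least N times, hashtags weighted by use) and the time component mentioned here that ages old mentions down to a minimal value. The tweets, accounts and timestamps are constructed, and the ageing function (a half-life with a floor) is my assumption, not the author’s exact formula.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

MENTION = re.compile(r"@(\w{1,15})")
HASHTAG = re.compile(r"#(\w+)")

# Constructed tweets (author, ISO 8601 timestamp, text); the accounts are not real
TWEETS = [
    ("seed_a", "2014-09-01T12:00:00+00:00", "Talking with @peer_x about the #Iran talks #diplomacy"),
    ("seed_a", "2014-09-20T12:00:00+00:00", "@peer_x @peer_y long thread on #iran"),
    ("seed_b", "2014-10-15T12:00:00+00:00", "cc @peer_x on #Diplomacy"),
    ("seed_b", "2013-10-15T12:00:00+00:00", "an old exchange with @peer_z about #syria"),
]
NOW = datetime(2014, 11, 1, tzinfo=timezone.utc)  # constructed "current" time


def mention_counts(tweets, threshold):
    """Peers mentioned at least `threshold` times across all seed accounts
    (the post's own cut was fifty mentions in the last 3,200 tweets)."""
    c = Counter(m.lower() for _, _, text in tweets for m in MENTION.findall(text))
    return {peer: n for peer, n in c.items() if n >= threshold}


def hashtag_counts(tweets):
    """Hashtag use weighted by frequency, case-folded so #Iran and #iran merge."""
    return Counter(h.lower() for _, _, text in tweets for h in HASHTAG.findall(text))


def aged_weight(age_days, half_life_days=90.0, floor=0.1):
    """Assumed ageing function: halve the weight every half_life_days, but never
    drop below `floor`, so an old tie stays on the graph at a minimal value."""
    return max(floor, 0.5 ** (age_days / half_life_days))


def aged_mention_edges(tweets, now, half_life_days=90.0, floor=0.1):
    """Edge weight author -> peer is the sum of the aged weight of each mention,
    so current conversation partners outweigh partners from a year ago."""
    edges = defaultdict(float)
    for author, ts, text in tweets:
        age_days = (now - datetime.fromisoformat(ts)).total_seconds() / 86400.0
        for peer in MENTION.findall(text):
            edges[(author, peer.lower())] += aged_weight(age_days, half_life_days, floor)
    return dict(edges)


def run_example():
    """Run all three steps over the constructed tweets."""
    return mention_counts(TWEETS, 2), hashtag_counts(TWEETS), aged_mention_edges(TWEETS, NOW)
```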

A social network graph can save a mother and her child. Maybe next it can reduce the number of children she has from five to three, getting down towards replacement numbers. And another graph could help yield clean water, while a crop map made by a western built drone could identify troubles before they became food security problems. Many of the troubles on the maps I curate are related to having too many people and not enough water or arable land. If we can ensure the safety of infants and mothers that is a step towards ensuring the safety of whole societies. And that is a brighter future for all of us …

Organization, Relationship & Contact Analyzer

I am not sure where I noticed the Social Network Intelligence Analysis to Combat Street Gang Violence paper, as it’s sat on my desktop for at least a week. I read it last night and it’s an interesting take on applying social network analysis to gang membership.

The method employed requires three steps and they chose their own language to define them, avoiding standard terminology from SNA and graph theory. This appears to have been done both as a branding exercise, and to avoid offering a whole paragraph of industry specific word salad to law enforcement management when describing the concepts.

  • Determining Degree Of Membership
  • Identifying Seed Sets
  • Identifying Ecosystems

First, they have to identify members, and this is not like dealing with police officers, who are either active or retired. Gangs have hardcore members, associate members, and occasionally someone’s cousin from out of town is at the wrong party and gets arrested with some genuine bad guys. They used a PageRank-like method, assigning a 1 to those who are avowed members (admissions, tattoos, etc) and a 0 to unknowns. Degree of membership was based on the number of arrests with known members.

Second, they seek to identify what they call ‘seed sets’, and this graphic shows a stepwise deconstruction of a network using the removal of low betweenness nodes, until there are a set of link free nodes. Like the membership calculation, there isn’t a pre-existing specific name for this process, but it’s instantly recognizable to anyone who has ever applied SNA to counter-insurgency. They use language from epidemiology to characterize the motivation – they’re not seeking fixers/facilitators, which is what high betweenness nodes can represent, they’re hunting the group of leaders who can plant a new tactic across the entire gang if all of them adopt it.

TIP_DECOMP Algorithm

Third, they ‘map the ecosystem’ of the gang. This involves applying the Louvain partition to the network. I had never seen this name before, but the single parameter is similar to Gephi’s tuning; I checked, and Louvain is mentioned in their implementation.

Tunable clusters of algorithms like this began appearing in tools I use about a year ago – Maltego Radium provides ‘machines’, named collections of common tasks involved in certain sorts of profiling. The system also permits development of new machines. Gephi is an open, exploratory environment that permits plugin development but I haven’t seen any counter-insurgency type work being done with it. Sentinel Visualizer is specifically LE/counter-insurgency but the customization there happens via the open access to its back end database.

This is another piece of proof that there is a market for this sort of work – a mix of subject matter expertise, social science/statistician, and hackerish handler of data. I am going to keep an eye on the market progress of ORCA so I can better understand how an eight page paper evolves into a finished product.
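The first of the three steps above, the degree-of-membership score, as an added example that is not from the paper or from ORCA. The co-arrest records are constructed, and the propagation rule (a PageRank-like weighted average of neighbours’ scores with a damping constant in the denominator, avowed members pinned at 1) is my assumed form of the idea, not the paper’s published formula.

```python
from collections import defaultdict

# Constructed co-arrest records (not real data): each entry is the set of people
# booked together at one arrest.
ARRESTS = [
    {"A", "B"}, {"A", "B", "C"}, {"B", "C"}, {"C", "D"}, {"A", "C"},
    {"C", "D"}, {"D", "E"},
    {"F", "G"},   # an unrelated pair, never arrested with anyone known
    {"B", "H"},   # H: one arrest with a member, the out-of-town cousin case
]
AVOWED = {"A", "B"}   # admissions, tattoos, etc. -> membership fixed at 1


def co_arrest_weights(arrests):
    """w[i][j] = number of arrests in which i and j were booked together."""
    w = defaultdict(lambda: defaultdict(int))
    for group in arrests:
        for i in group:
            for j in group:
                if i != j:
                    w[i][j] += 1
    return w


def degree_of_membership(arrests, avowed, damping=2.0, iters=50):
    """Assumed PageRank-like propagation:
        m_i = sum_j w_ij * m_j / (sum_j w_ij + damping), with avowed m_i = 1.
    The damping term keeps a single co-arrest from conferring full membership:
    one arrest with an avowed member scores 1/(1+damping), many score near 1."""
    w = co_arrest_weights(arrests)
    people = set(w) | set(avowed)
    m = {p: (1.0 if p in avowed else 0.0) for p in people}
    for _ in range(iters):
        new = {}
        for p in people:
            if p in avowed:
                new[p] = 1.0
                continue
            total = sum(w[p].values())
            new[p] = sum(w[p][q] * m[q] for q in w[p]) / (total + damping) if total else 0.0
        m = new
    return m
```

With these records C (arrested repeatedly with A, B and D) scores well above H, whose single arrest with B gives exactly 1/(1+damping), and E, who is only linked through D.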