Tom Fox-Brewster writes: “Our choice isn’t between a world where either the good guys spy or the bad guys spy. It’s a choice of everybody gets to spy or nobody gets to spy.” So said the security luminary Bruce Schneier at BBC Future’s World-Changing Ideas Summit in October. He was considering a world in which the metadata zipping around us and the static information sitting on web servers across the globe are accessible to those with the means and the will to collect it all.
With so many cheap or free tools out there, it is easy for anyone to set up their own NSA-esque operations and collect all this data. Though breaching systems and taking data without authorisation is against the law, it is possible to do a decent amount of surveillance entirely legally using open-source intelligence (OSINT) tools. If people or organisations release data publicly, whether or not they mean to do so, users can collect it and store it in any way they see fit.
That is why, despite having a controversial conviction to his name under the Computer Misuse Act, Daniel Cuthbert, chief operating officer of security consultancy Sensepost, has been happily using OSINT tool Maltego (its open-source version is charmingly called Poortego) to track a number of people online.
Over a few days this summer, he was “stalking” a Twitter user who appeared to be working at the Central Intelligence Agency. Maltego allowed him to collect all social media messages sent out into the internet ether in the area around the CIA’s base in Langley, Virginia. He then picked up on the location of further tweets from the same user, which appeared to show her travelling between her own home and a friend or partner’s house. Not long after Cuthbert started mapping her influence, her account disappeared.
But Cuthbert has been retrieving far more illuminating data by running social network accounts related to Islamic State through Maltego. By simply adding names to the OSINT software and asking it to find links between accounts using commands known as “transforms”, Maltego draws up real-time maps showing how users are related to each other and then uncovers links between their followers. It is possible to gauge their level of influence and which accounts are bots rather than real people. Where GPS data is available, location can be ascertained too, though it is rare to find accounts leaking this – only about 2% of tweets have the feature enabled, says Cuthbert.