34c3 intro

Herald: All right, it's my great pleasure to introduce to you Mustafa Al-Bassam. He's going to talk about uncovering British spies' web of sockpuppet social media personas. Mustafa is a PhD student at University College London, studying information security and focusing on decentralized systems. Mustafa was a co-founder of LulzSec, a hacker activist group some of you might have heard of, and with that, please give a warm applause to Mustafa.

(applause)

Mustafa Al-Bassam: Hey. So it seems that over the past year we've had a lot in the media about this idea that the people you interact with on Twitter and Facebook and other kinds of social media are not necessarily who they say they are, and sometimes they might not even be people at all. They might be bots. And we've heard about how this might be used to manipulate people into believing certain things or certain ideas. This has become quite a big topic recently, especially after the US presidential elections in 2016, where according to one study, up to one in five election-related tweets weren't actually from real people. And apparently it's such a big problem that even the president is being manipulated by, so to say, bots. But this is a kind of activity that has been going on for a very long time, and not just from Russia or China. The West also engages in these kinds of activities, including the UK and the US, but in other regions. So today I'm talking about what Britain does in this regard.

In the UK we have an NSA-equivalent intelligence agency called GCHQ, or Government Communications Headquarters. Their job is basically the UK's version of the NSA: to collect as much information as possible through wiretaps and mass surveillance systems. But they also have a subgroup or sub-team within GCHQ called the Joint Threat Research Intelligence Group, or JTRIG for short.
What these guys basically do is, it's basically a fancy name for sitting on Twitter and Facebook all day and trolling online. What they do is conduct what they call Human Intelligence, which is the act of interacting with humans online to try to make something happen in the real world. In their own words, one of their missions is to use "dirty tricks" to "destroy, deny, degrade and disrupt enemies" by "discrediting" them. We've seen that JTRIG has been involved in various campaigns and operations, including targeting hacktivist groups like Anonymous and LulzSec, and also protests in the Middle East, during the Arab Spring and also the Iranian protests in 2009.

So, a bit of context as to what led me to uncover and actually research this stuff. In 2011, I was involved with the hacktivist group LulzSec. To refresh your memory, LulzSec was a group that existed during the summer of 2011 and hacked into a bunch of US corporate and government organizations, like the US Senate, their affiliates, and Sony and Fox. In the same year I was arrested, and a year later I was officially indicted on a court indictment. But the thing that struck me about this indictment was that there was absolutely no mention in this court document of how they managed to deanonymize me and my co-defendants, or how they managed to actually link our online identities with offline identities. And I thought it was suspicious because our US counterparts' court indictments actually had very lengthy sections on how they were caught. For example, when the FBI arrested Jeremy Hammond, his court indictment had very detailed information about how those guys social engineered him and managed to track him through his IP address and through Tor and whatnot.
But then, fast forward a year later, Edward Snowden started leaking documents about the NSA and GCHQ, and then in 2014, some of those documents were released on NBC that showed that GCHQ was targeting hacktivist groups like Anonymous and LulzSec. And that made a lot of sense in my head, because if GCHQ was involved in this deanonymization process, then they wouldn't want to have that in the court indictment, because it would reveal their operational techniques.

This is one of the leaked slides from GCHQ talking about some of the activist groups they target. One of the people they targeted was someone who went by the nickname "p0ke", who was chatting in an IRC channel, a public chat network. This was a public chat channel where people from Anonymous and other hacktivists would sit and chat about various topics and also plan operations. This person "p0ke" was chatting on this channel and boasted that they had a list of 700 FBI agents' emails and phone numbers and names. And then it turned out that a GCHQ agent was covertly in this channel observing what people were saying. The GCHQ agent initiated a private message with this person to get more information and to try to build a relationship with them. The agent asked them what the site was, and they just gave that information up, and they even gave them a sample of some of the leaked information.

So it turns out that GCHQ was actually active in these IRC networks and chat networks for months if not years, and they were in up to several hundred channels at a time. They were just sitting there idling.
They weren't really saying much or actually participating in conversation, except that every few months you might notice them say "hey" or "lol" in the chat, even though it might be out of context of the conversation that was going on, presumably so that they wouldn't get kicked off the network, because some networks kick you off if you're idling there for too long. And then often what they would do is private message people in rooms to try and corroborate information about activities that were going on and being discussed, or try to entrap people by getting them to admit to things, as we saw with p0ke. And it seemed to be quite a common theme that these undercover feds and agents were sitting in these chat rooms. In a Europol meeting in 2011, where 15 European countries were discussing what they were doing to tackle Anonymous and LulzSec, apparently there were undercover cops in these channels and they had an issue with undercover cops investigating each other.

(laughter)

So the GCHQ agent that was targeting p0ke sent them a link to a BBC news article about hacktivists. And, according to this leaked slide, this link enabled GCHQ to conduct signals intelligence to discover p0ke's real name, Facebook and email accounts, etc. It doesn't say exactly how they did that, but it's not that hard if they have your IP address and user agent. Back then, in 2011, most websites weren't using HTTPS, including Facebook, so if they look up your IP address in XKeyscore or the dragnet surveillance system, they can easily see what other traffic is originating from that IP address, and what Facebook accounts are connected to that IP address, for example. In this slide leaked by NBC the URL was redacted, but it wasn't very hard to actually find that URL, because these were public channels that GCHQ agents were talking in, and there were people who had been targeted themselves, including myself.
We were able to find out what that website was, which turned out to be a URL shortener. The website that was sent to p0ke to click was "lurl.me", and according to archive.org, here is a snapshot of "lurl.me" from 2013, just before it went offline, that basically showed it was a URL shortening service. It looks like a generic URL shortening service. One thing I noticed is that the domain name sounds like "lure me", which is basically what they were doing, because JTRIG had this internal wiki where they listed all the tools and techniques that they use in their operations, and one of the categories they have is "shaping and honeypots", and in that category they have a tool code-named Deadpool which is described as a URL shortening service, and that's what "lurl.me" was. We first saw "lurl.me" in 2009 - the domain name was registered in 2009 - and almost immediately it was linked in tweets about the Iranian protests, and then it went offline in 2013, shortly after the Edward Snowden leaks, in November. But interestingly, if you look up all of the instances of this URL shortener being used in social media and Twitter, there are probably about 100-200 instances of it being used, and every single one of those instances was associated with political activities in the Middle East or Africa, usually related to protests. And the majority of them were coming from default Twitter accounts with no avatar, with very few tweets, accounts that were active for only a few months between 2009 and 2013.
Some of the techniques that JTRIG used, in their own words, to conduct their operations include uploading YouTube videos containing persuasive messaging, establishing online aliases with Facebook and Twitter accounts, blogs and forum memberships for conducting human intelligence or encouraging discussion on specific issues, sending spoof emails and text messages as well as providing spoof online resources, and setting up spoof trade sites. This is exactly what we're going to see in the next few slides. In most examples of their operations, they actually targeted the entire general population of Iran, which is a pretty big target audience of 80 million people. According to them, they had several goals in Iran: the first goal was to discredit the Iranian leadership and its nuclear program. The second goal was to delay and disrupt online access to materials used in the nuclear program. The third goal was conducting online Human Intelligence, and the fourth goal was the most interesting goal in my opinion: counter-censorship. It might sound great, it might sound almost like GCHQ is aligned with the motives of the Internet freedom community by helping these Iranian activists to evade censorship. But we're going to see that's not really the case.

The main sock puppet account on Twitter that JTRIG was running during this campaign in 2009 was called "2009 Iran free". This was the most active Twitter account they had, and it had 216 tweets. They also had a bunch of other accounts that were less active, that had default avatars, probably just to build up their social network, which mostly retweeted the same things as the main account, but slightly reworded.
What this Twitter account essentially did was, in quick succession over a period of one or two weeks, tweet a bunch of links from this URL shortener for various purposes, to various articles on blogs online, and they also had a blogspot website with one article, to expand their network I guess. One of the activities that 2009 Iran free and the other sock puppets were doing was trying to spread the same IP addresses as proxies for Iranians to use as counter-censorship. So for example, you can see that they have a list of IP addresses here with a hashtag like "Iran election" that they can use for protests, and they might sometimes tweet links to these proxies using that URL shortener. And this is quite concerning, because one of the tools used by JTRIG is codenamed Molten Magma, which is basically an HTTP proxy with the ability to log all traffic and perform HTTPS man-in-the-middle. Again, all of these sock puppet accounts were spreading exactly the same IP addresses and the same links to Iranians to help them, or to allegedly help them, evade censorship. They were even claiming that these were the same proxies used by the Iranian government to get around their own firewalls, so apparently if they block these proxies they will block their own access to the outside world. And this is essentially what they are doing here. In this context GCHQ is acting like the big bad wolf from Red Riding Hood. They might seem like they're helping you, but they're also causing you harm in the process.

This is a list that contains some of the techniques that JTRIG used.
This was also a leaked document, and this essentially kills two birds with one stone, because at the bottom it says one technique is hosting targets' online communications for collecting signals intelligence, as we saw with p0ke, which is why they tweet these links using the URL shortener, so they can conduct signals intelligence on people who are interested in clicking these things, and also providing online access to uncensored materials and sending instant messages to specific individuals giving them instructions for accessing uncensored websites. One of the forums that these proxies were posted in was whyweprotest.net, and someone actually almost got it right. Someone asked: "Why does the government use proxies? That doesn't make any sense, they wouldn't need any proxies." And then someone replied: "The Iranian government allegedly has set up proxies to monitor connections from within Iran to be able to pinpoint the people who are trying to bypass these blocks." So they were almost right, because it wasn't the Iranian government that was actually monitoring connections in Iran. It was GCHQ. They also set up basic websites that basically acted as RSS feeds to English websites about Iran, presumably also for counter-censorship reasons. One of the other things they did was mimic government officials. So for example, they might post in a forum saying: "Attention users outside Iran, you can call the president at this number to discuss the elections direct." And they were insistent that you should not call this number if you are in Iran. And they would also give an email address for the vice president on Twitter. This also matches up with another technique that JTRIG uses, again according to the leaked documents, where they send spoof emails and text messages from a fake person, or mimicking a real person, to discredit, promote distrust, dissuade, deceive, deter, delay or disrupt.
Whatever the purpose was, they certainly managed to promote distrust, because one of the replies to this post was: "This can't be the president's number, because if it were, the second call would be answered by Iranian intelligence services. So these are strange days. I suppose anything could happen at this point." So that was most of the activity that we saw in 2009. There were a bunch of other Twitter accounts with default egg avatars associated with these links. You can find them if you search for "lurl.me" with quotation marks in Google with site:twitter.com. In 2010 there was absolutely no activity on Twitter or any social media associated with this URL shortener. Then, in 2011, we saw some activity in Syria for this URL shortener, for a similar purpose of conducting censorship resistance in Syria. They were essentially doing the same thing, same techniques, giving people IP addresses to connect to, which you'd think were probably MITM'd. But one of the things they did here as well was they didn't just tweet stuff, they also posted a YouTube video, a very poorly made YouTube video with only 300 views, to try to get people to watch that. They didn't really try very hard here, because if you actually look at the times when these accounts tweeted, all the accounts in Syria only tweeted between 9 and 5 p.m. UK time, Monday to Friday.

(laughter, applause)

I don't know, I think they were lazy, or they just didn't really bother or weren't motivated. But one of the limitations that JTRIG has, and they actually had a list in the leaked documents of the limitations that the staff have when conducting operations, and one of them is that they have difficulty in maintaining more than a small number of unique, multi-dimensional, active aliases, especially when doing online human intelligence.
Which is why we only see one main Twitter account for these events and then a bunch of other default-avatar accounts, usually five or six. We didn't tend to see hundreds of them, you only see fewer than 10, because this was back in 2009, 2011. They weren't doing it in an automated way. They also said there was a lack of continuity in maintaining an alias or communicating via an alias if a staff member is away and his or her work is covered by others, and the other one was a lack of photographs, visual images, of aliases, which is why we always see egg or default avatars for these sock puppet accounts, because unless they have a full-fledged graphics team or faces of people to put in there, they can't really put anything as an avatar. They also apparently had a lack of a sufficient number of varied cultural and language advisors, e.g. in Russian, Arabic and Pashto, which is why we see here on these Twitter accounts that they're basically tweeting the same thing over and over again with no variation. Here's the same text over and over again, because they don't have lots of translators to translate it.

The other thing we saw in 2011 was a very targeted attack during the Bahrain protests. They had a Twitter account called "Freedom4Bahrain", and it just sent two tweets, mentioning two accounts, "14FebTV" and "14FebRevolution", and these were two accounts that were really big social media outlets in Bahrain that were covering the protests that were going on there. These were targeted mentions of the kind that we saw with p0ke, so presumably here too they were using that to conduct signals intelligence, to discover who was running these two accounts. In 2012 we also saw no activity associated with that URL shortener.
During 2013 I managed to find one tweet related to Kenya, to Kenyan national politics, and this person isn't a sock puppet, this person is a research assistant at Human Rights Watch. But that begs the question of how he actually got this URL. Probably a similar message to p0ke: they probably sent him a link through a private message, he found it interesting and tweeted it. So not only are they targeting protesters, they are also targeting NGOs. Then, in 2013, all of the infrastructure associated with the URL shortener was taken offline. This was a few months after the Edward Snowden leaks, so they had a bit of a delay in doing it, but it must have been a real pain in the arse for them to have to renew all their infrastructure. I did do some digging into some of the other host names that were hosted on this lurl.me server between 2009 and 2013. Most of these host names seem to be random alphanumeric domain names, and some of them are using public DNS providers like DynDNS or DNSAlias. I wasn't able to find any websites archived for these domains, so it doesn't seem that there were any websites there, but if you have any ideas let me know, because one of the things that I suspect is that these might have been malware endpoints or command and control servers that they were using. So if you have any monitoring tools or logs, then maybe you should look up some of these host names. But one of the domain names that I thought was interesting there was dunesadventures.net, and this is the archived page for Dunes Adventures, which was another website based in Kenya.
They were up to something in Kenya. This was a very basic one-page website that was very poorly made, and they claimed that they were having site problems, and apparently "we have noticed problems with our booking system, this has been taken offline until our techs find the problem - we apologize for any inconvenience". But there was never any booking system in the first place. This was pretty much a ruse to make it look like, if you go to this website, a legitimate company was hosting there. So if you find anything about that, then I'd be curious as well. Also, if there are any GCHQ agents in the room, then I'm happy to get a drink with you as well. That's all I have for today, does anyone have any questions?

(applause)

(Herald asks for questions)

(Mic Question): OK, IRC asks: Deceiving a target into trusting you and leaking any form of info is used everywhere right now, IRC, Twitter and Facebook and so on. How would you advise people to distinguish between a genuine identity and an undercover agent?

(Speaker): I think that's a very good question, because-

(H.): So just a quick second, if you really have to leave the room right now, people, please do so quietly, we still have a talk going on and it's really disrespectful if you make that much noise and interrupt this whole thing.

(applause)

I know a lot of people are interested in the talk afterwards, but we'll all get you in, and sorry.

(S.): So I think it was a very good question, because if you're doing activism online and you need to be anonymous and you don't want to meet up with people in person, then how do you know that the people you're communicating with, or if you are in a public group where you personally accept new members into that group, how do you differentiate between who's actually there to harm your group and who's actually there to contribute? I think the answer there lies in what you share.
Don't share information with anyone that could potentially put you at harm, even with people that you trust. So essentially don't trust anyone, and this is a basic OPSEC rule. This is how Jeremy Hammond messed up a few years ago, because they caught him because he was revealing too much information about his life, like where he eats or something like that, or his previous drug records, and they were able to use that to figure out who he was. And that was the same mistake that p0ke made: he was too open and friendly to that agent for no reason. So I think the answer is to do your operations in a way where you don't have to trust people.

(Mic Question): How effective do you think these methods are? Because we've seen the number of followers on Twitter and the number of views on YouTube were very low, so how many people can be affected by this kind of operation?

(S.): Yes, so there was also a slide I meant to put in there, another leaked page from GCHQ that had a list of bullet points on what they considered to be an effective operation, and some of those bullet points include how many people click that link, how many people watch the YouTube video, etc. So it's pretty much the same way that you would measure how many people viewed a specific message. Now in their specific use cases I don't think they were very successful on a large scale, specifically in the Iran protests, because the Twitter accounts had very few followers and their YouTube videos only had a few hundred views, but they might have been, obviously, more successful in more targeted cases, when targeting specific individuals, like the Bahrain case or the p0ke case.

(H.): Over there please.
(Mic Question): Sure, thank you. So I'm just curious if you were familiar with the work of Erin Gallagher. She's done work to try to figure out, kind of quantitatively, and make these visualizations, to try to figure out if a particular Twitter account, for example, is a bot or whether it's a person, and there are some rules of thumb regarding, you know, if the bots just interact with each other and don't interact with real people. I'm just curious what techniques you may know of to figure out what is a bot and what is not, and whether you are familiar with those particular lines of research.

(S.): I'm not familiar with their work, but thank you, I'll check it out. In terms of what kind of metrics you could use to see if an account is valid or not, I think their tweeting habits, and when they tweet for example, could be indicative. So for example we saw this person only tweet from 9 to 5. Obviously that's quite easy to fake, if that's the case. Also, I think one useful thing that might be interesting to do is to try to map the network of these accounts. If you build up a web of followers, you might be able to very easily, graphically, detect very obvious clusters of accounts that are following each other, which would be a very strong signal.

(Mic): Yeah for sure, thank you.

(H.): Let's switch over to mic 6 please.

(Mic 6 question): Thank you for the great talk. How would you compare the former British activities to the current Russian activities? Maybe a talk in itself, but...

(S.): To be honest, I haven't been digging too deep into the details or following too much about the Russian activities, so I can't really comment on that. I don't know how prolific it is, I only mentioned it briefly in the beginning of the slides to give some context, so I'll have to research the Russian activities more.

(H.): Go to mic 5 again.

(Mic 5 Question): Thanks, to continue from the person who spoke, that would have been my question. So, just to add on to that, did you stumble upon similar patterns coming from, say, Canberra or Washington DC?

(S.): So these accounts were very specific to just the UK; there was no collaboration there with other countries within the Five Eyes, like the US or Australia. But I think GCHQ has collaborated with the NSA, JTRIG specifically I think has collaborated before with the NSA, to delegitimize certain people. So for example, a few years ago or last year, I think there was a drone attack, someone was illegally killed in a drone strike in Iraq, he was suspected to be an ISIS member, Junaid Hussain, and apparently the way that he was deanonymized, or the way they found his location, is that the US, the FBI specifically, had an informant that was talking to this person, and that informant sent them a link that was generated by GCHQ, and then from that link they were able to deanonymize them. So I think there's some collaboration there, but this is mostly UK activity.

(H.): Last question, we are out of time. Thank you again, Mustafa.

(applause)

Subtitles created by c3subtitles.de in the year 2019. Join, and help us!