34c3 intro

Herald: All right, it's my great pleasure to introduce to you Mustafa Al-Bassam. He's gonna talk about uncovering British spies' web of sockpuppet social media personas. Mustafa is a PhD student at the University College in London, studying information security and focusing on decentralized systems. Mustafa was a co-founder of LulzSec, a hacker activist group some of you might have heard of, and with that, please give a warm applause to Mustafa.

applause

Mustafa Al-Bassam: Hey. So it seems that over the past year we've had a lot in the media about this kind of idea that the people that you interact with on Twitter and Facebook and other kinds of social media are not necessarily who they say they are, and sometimes they might not even be people at all. They might be bots. And we've heard about how this might be used to manipulate people into believing certain things or certain ideas. And this has become quite a big topic recently, especially after the U.S. presidential elections in 2016, where according to one study, up to one in five election-related tweets weren't actually from real people. And apparently it's such a big problem that even the president is being manipulated by, so to say, bots. But this has been a kind of activity that has been going on for a very long time, and not just from Russia or China.

The West also engages in these kinds of activities, including the UK and the US, but in other regions. So, today I'm talking about what Britain does in this regard. So, in the UK we have an NSA-equivalent intelligence agency called GCHQ or Government Communications Headquarters. And their job is basically like the UK's version of the NSA: to collect as much information as possible through wiretaps and mass surveillance systems. But they also have a subgroup or subteam within GCHQ called the Joint Threat Research Intelligence Group or JTRIG for short. And what these guys basically do is, it's basically a fancy name for sitting on Twitter and Facebook all day and trolling online. What they do is they conduct what they call Human Intelligence, which is kind of like the act of interacting with humans online to try to make something happen in the real world. And in their own words one of their missions is to use "dirty tricks" to "destroy, deny, degrade and disrupt enemies" by "discrediting" them. And we've seen JTRIG has been involved in various campaigns and operations, including targeting hacktivist groups like Anonymous and LulzSec, and also protests in the Middle East, during the Arab Spring and also the Iranian protests in 2009.

So, a bit of context to what led me to uncover this stuff and to actually research this stuff. So in 2011, I was involved with the hacktivist group LulzSec. And to refresh your memory, LulzSec was a group that existed during the summer of 2011 and hacked into a bunch of US corporate and government organizations, like the US Senate, their affiliates and Sony and Fox. And in the same year I was arrested, and a year later I was officially indicted on a court indictment. But the thing that struck me about this indictment was that there was absolutely no mention in this court document about how they managed to deanonymize me and my co-defendants, or how they managed to actually link our online identities with offline identities. And I thought it was suspicious because our US counterparts, actually, their court indictments had very lengthy sections on how they were caught. For example, when the FBI arrested Jeremy Hammond, his court indictment had very detailed information about how those guys social engineered him and managed to track him through his IP address and through Tor and whatnot. But then, fast forward a year later, Edward Snowden started leaking documents about the NSA and GCHQ, and then in 2014, some of those documents were released on NBC that showed that GCHQ was targeting hacktivist groups like Anonymous and LulzSec. And that makes a lot of sense in my head. Because if GCHQ was involved in this deanonymization process, then they wouldn't want to have that in the court indictment, because it would reveal the operational techniques.

And this is one of the leaked slides from GCHQ talking about some of the activist groups they target. One of the people they targeted was someone who went by the nickname of "p0ke", who was chatting in an IRC channel, a public chat network. And this was a public chatting channel where people from Anonymous and other kinds of hacktivists kind of sit and chat about various topics and also plan operations. And this person "p0ke" was chatting on this channel and boasted that they had a list of 700 FBI agents' emails and phone numbers and names. And then it turned out that a GCHQ agent was covertly in this channel observing what people were saying. And then the GCHQ agent initiated a private message with this person to kind of get more information and to try to build a relationship with this person. And the agent asked them what was the site and then they just gave that information up and they even gave them a sample of some of the leaked information. So it turns out that actually GCHQ was active in these IRC networks and chat networks for months if not years and they were in up to several hundred channels at a time. They were just sitting there idling. They weren't really saying much or actually participating in conversation, except that every few months you might notice them say "hey" or "lol" in the chat even though it might be out of context of the conversation that was going on, presumably so that they wouldn't get kicked off the network, because some networks kick you off if you're idling there for too long. And then often what they would do is they would private message people in rooms to try and corroborate information about activities that were going on and being discussed, or trying to entrap people by getting them to admit to things, as we saw with p0ke.

And it seemed to be quite a common theme that these undercover feds and agents were sitting in these chat rooms. In the Europol meeting 2011, where 15 European countries were discussing what they were doing to tackle Anonymous and LulzSec, apparently there were certainly undercover cops in these channels, and they had an issue with undercover cops investigating each other.

laughter

So the GCHQ agent that was targeting p0ke sent them a link to a BBC news article about hacktivists. And, according to this leaked slide, this link enabled GCHQ to conduct signal intelligence to discover p0ke's real name, Facebook and email accounts etc. It doesn't say exactly how they did that, but it's not that hard if they have your IP address and user agent. Back then, in 2011, most websites weren't using HTTPS, including Facebook, so if they look up your IP address in XKeyscore or the dragnet surveillance system, they can easily see what other traffic is originating from that IP address, and what Facebook accounts are connected to that IP address, for example. But in this slide leaked by NBC the URL was redacted, but it wasn't very hard to actually find that URL, because these were public channels that GCHQ agents were talking in, and people had been targeted themselves, including myself. We were able to find out what that website was, which turned out to be a URL shortener. So the website that was sent to p0ke to click was "lurl.me", and according to archive.org, here is a snapshot from "lurl.me" in 2013, just before it went offline, that basically showed it was a URL shortening service; it looks like a generic URL shortening service. One thing I noticed is, the domain name sounds like "lure me", which is basically what they were doing,

because JTRIG had this internal wiki where they listed all the tech tools and techniques that they use in the operations, and one of the categories that they have is "shaping and honey pots", and in that category they have a tool code-named Deadpool which is described as a URL shortening service, and that's what "lurl.me" was. We first saw "lurl.me" in 2009 - the domain name was registered in 2009 - and almost immediately it was linked in tweets about Iranian protests, and then it went offline in 2013, shortly after the Snowden leaks, in November. But interestingly, if you look up all of the instances of this URL shortener being used in social media and Twitter, there's probably about 100-200 instances of it being used, and every single one of those instances where it was used was associated with political activities in the Middle East or Africa, usually protests. And the majority of the most common were coming from default Twitter accounts with no avatar, with very few tweets, and they're accounts that were active for only a few months between 2009 and 2013.

Some of the techniques that JTRIG used, in their own words, to conduct their operations include uploading YouTube videos containing persuasive messaging, establishing online aliases with Facebook and Twitter accounts, blogs and forum memberships for conducting human intelligence or encouraging discussion on specific issues, sending spoof emails and text messages as well as providing spoof online resources, and setting up spoof trade sites. And this is exactly what we're going to see in the next few slides, and in most examples that they use for the operations they actually targeted the entire general population of Iran, which is a pretty big target audience of 80 million people. According to them, they had several goals in Iran: the first goal was to discredit the Iranian leadership and its nuclear program. The second goal was to delay and disrupt online access to materials used in the nuclear program. The third goal was conducting online Human Intelligence, and the fourth goal was the most interesting goal in my opinion: counter-censorship. It might sound great, it might sound almost like GCHQ is kind of aligned with the motives of the Internet freedom community by helping these Iranian activists to evade censorship.

But we're gonna see it's not really the case. The main kind of sock puppet account on Twitter that JTRIG was running during this campaign in 2009 was called "2009 Iran free". This was the most active Twitter account that it had, and it had 216 tweets, and they also had a bunch of other accounts that were less active, that had default avatars, probably just to kind of build up their social network, that mostly retweeted things, retweeted the same things as the display account but slightly reworded or even with them. And what this Twitter account essentially did was, in quick succession, over a period of like one or two weeks, tweeted a bunch of links from this URL shortener for various purposes, to various articles on blogs online, and they also had actually a blogspot website with like one article, to kind of expand their network I guess.

One of the activities that 2009 Iran free and the other sock puppets were doing was they were kind of trying to spread the same IP addresses as proxies to Iranians to use as counter-censorship. So for example you can see that they have a list of IP addresses here with a hashtag like Iran election that they can use for protests, and they might sometimes feed links to these proxies using that URL shortener. And this is quite concerning because one of the tools used by JTRIG is also codenamed Molten Magma, which is basically an HTTP proxy with the ability to log all traffic and perform HTTPS man-in-the-middle. Because, again, all of these sock puppet accounts were spreading exactly the same IP addresses and same links to Iranians to help them, or to allegedly help them, evade censorship. And they were even claiming that these were the same proxies used by the Iranian government to get around their own firewalls, so apparently if they block these proxies they will block their own access to the outside world.

And this is essentially what they are doing here. In this kind of context GCHQ is kind of acting like the big bad wolf from Red Riding Hood. They might seem like they're helping you, but they're also causing you harm in the process.

And this is a list that contains some of the techniques that JTRIG used. This was also a leaked document, and this essentially kills two birds with one stone, because what they do is, at the bottom it says one technique is hosting targets' online communications for collecting signal intelligence, as we saw with p0ke, which is why they tweet these links using a URL shortener, so they can conduct signal intelligence on people who are interested in clicking these things, and also providing online access to uncensored materials and sending instant messages to specific individuals giving them instructions for accessing uncensored websites.

One of the forums that these proxies were posted in was whyweprotest.net, and someone actually kind of almost got it right. Someone asked: "Why does the government use proxies? That doesn't make any sense, they wouldn't need any proxies." And then someone replied: "The Iranian government allegedly has set up proxies to monitor connections from within Iran to be able to pinpoint the people who are trying to bypass these blocks." So they're almost right, because it wasn't the Iranian government that was actually monitoring connections in Iran. It was GCHQ. They also set up, I guess, basic websites that basically acted as RSS feeds to English websites about Iran, presumably also for counter-censorship reasons. One of the other things they did was mimic government officials. So for example they might post in a forum saying: "Attention users outside Iran, you can call the president at this number to discuss the elections direct." And they were insistent that you should not call this number if you are in Iran. And then they would also give an email address for the vice president on Twitter.

This also matches up with another technique that JTRIG uses, again according to the leaked documents, where they send spoof emails and text messages from a fake person or mimicking a real person to discredit, promote distrust, dissuade, deceive, deter, delay or disrupt. Whatever the purpose was, they certainly managed to promote distrust, because one of the replies to this post was: "This can't be the president's number because if it were the second call would be answered by Iranian intelligence services. So these are strange days. I suppose anything could happen at this point."

So that was most of the activity that we saw in 2009. There were a bunch of other Twitter accounts with default egg avatars associated with these links. You can find them if you search lurl.me with quotation marks on Google with site:twitter.com. In 2010 there was absolutely no activity on Twitter or any social media associated with this URL shortener. Then, in 2011, we saw some activity in Syria for this URL shortener for a similar purpose of conducting censorship resistance in Syria. And they were essentially doing the same thing, same techniques, giving people IP addresses to connect to, that you'd think probably are MITM'd. But one of the things they did here as well was they didn't just tweet stuff, they also posted a YouTube video, like a very poorly made YouTube video with only 300 views, to try to get people to watch that. They didn't really try very hard here, because if you actually look at the times when these accounts tweeted, all the accounts in Syria that should have tweeted only tweeted between 9 to 5 p.m. UK time, Monday to Friday.

laughter, applause

I mean, I think, I don't know, I think they were lazy, or they just didn't really bother or weren't motivated.

But one of the limitations that JTRIG has, they actually had in the leaked documents a list of limitations that the staff have when conducting its operations. And one of them is that they have difficulty in maintaining more than a small number of unique multi-dimensional active aliases, especially when doing online human intelligence. Which is why we only see like one main Twitter account for these events and then like a bunch of other kind of default egg accounts, usually like five or six. We didn't tend to see hundreds of them, you only see less than 10, because this was back in 2009, 2011. They weren't doing it in an automated way. And they also said the lack of continuity in maintaining an alias or communicating via an alias if a staff member is away and his or her work is covered by others, and also the other one was lack of photographs, visual images, of aliases, which is why we always see like egg or default avatars for these sock puppet accounts, because unless they have like a full-fledged graphics team or have faces of people to put in there, they can't really put anything as an avatar. They also apparently had a lack of sufficient number and varied cultural language advisors, e.g. in Russian, Arabic and Pashto, which is why we see here on these Twitter accounts they're basically tweeting the same thing over and over again with no variation. Here's the same text over and over again, because they don't have lots of translators to translate that.

The other thing we saw in 2011 was a very targeted attack during the Bahrain protests. They had a Twitter account called 'Freedom4Bahrain', and this just sent two tweets, mentioning two accounts, "14FebTV" and "14FebRevolution", and these were two accounts that were, like, really big kind of social media outlets in Bahrain that were covering the protests that were going on there. And these were targeted mentions of the kind that we saw with p0ke, so, presumably also here, they were using that to conduct Signal Intelligence, to discover who was running these two accounts.

In 2012 we also saw no activity associated with that URL shortener. During 2013 I managed to find one tweet related to Kenya, to Kenyan national politics, and this person isn't actually a sock puppet, this person is a research assistant at Human Rights Watch. So that begs the question of how did he actually get this URL? Probably a similar message to p0ke, they probably sent him a link through a private message, he found that interesting and tweeted it, so not only are they targeting protesters, they are also targeting NGOs. Then, in 2013, all of the infrastructure associated with the URL shortener was shut down, this was in 2013, which was a few months after the Edward Snowden leaks, so they had a bit of delay in doing it, but it must have been a real pain in the arse for them to have to renew all their infrastructure. But I did do some digging into some of the other host names that were hosted on this lurl.me server. Between 2009 and 2013, most of these host names seem to be random alphanumeric domain names, and some of them are using public DNS providers like DynDNS or DNSAlias. I wasn't able to find any websites archived for these domains, so it doesn't seem that there were any websites there, but if you have any ideas let me know, because one of the things that I suspect is that these might have been malware endpoints or command and control servers that they were using, so if you have any monitoring tools or logs then maybe you should look up some of these host names. But one of the domain names that I thought was interesting there was dunesadventures.net, and this is the archived page for Dunesadventures, which was another website based in Kenya. They were up to something in Kenya, and this was a very basic one-page website that was kind of very poorly made, and they claimed that they were having site problems, and apparently "we have noticed problems with our booking system, this has been taken offline until our techs find the problem - we apologize for any inconvenience". But there was never any booking system in the first place, this was just pretty much a ruse to make it look like, if you go to this website, a legitimate company was hosting there. So if you find anything about that, then I'd be curious as well. Also, if there are any GCHQ agents in the room, then I'm happy to get a drink with you as well. That's all I have for today, does anyone have any questions?

applause

(Herald) asks for questions

(Mic Question): OK, IRC asks: Deceiving a target into trusting you and leaking any form of info is used everywhere right now, IRC, Twitter and Facebook and so on. How would you advise people to distinguish between a genuine identity and an undercover agent?

(Speaker): I think that's a very good question because-

(H.): So just a quick second, if you really have to leave the room right now, people, please do so quietly, we still have a talk going on and it's really disrespectful if you make that much noise and interrupt this whole thing.

applause

I know a lot of people are interested in the talk afterwards, but we'll all get you in, and sorry.

(S.): So I think that was a very good question, because if you're doing activism online and you need to be anonymous and you don't want to meet up with people in person, then how do you know that the people you're communicating with, or if you are like in a public group where you personally accept new members into that group, how do you know or kind of differentiate between who's actually there to harm your group and who's actually there to contribute? I think the answer there lies in what you share. Don't share information with anyone that could potentially put you at harm, even with people that you trust, so essentially don't trust anyone, and this is a basic OPSEC rule. This is how Jeremy Hammond messed up a few years ago, because they caught him because he was revealing too much information about his life, like where he eats or something like that, or his previous drug records, and they were able to use that to kind of figure out who he was, and that was the same mistake that p0ke made, he was too open and friendly to that agent for no reason. So I think the kind of answer is to do your operations in a way where you don't have to trust people.

(Mic Question): How effective do you think these methods are? Because we've seen the number of followers on Twitter and the number of views on YouTube were very low, so how many people can be affected by this kind of operations?

(S.): Yes, so there was also a slide I meant to put in there, another leaked page from GCHQ that had a list of bullet points on what they considered to be an effective operation, and some of those bullet points include how many people click that link, how many people watch the YouTube video, etc., so it's pretty much the same way that you would measure how many people viewed a specific message. Now in their specific use cases I don't think they were very successful on a large scale, specifically in the Iran protests, because the Twitter accounts had very few followers and their YouTube videos only had a few hundred views, but they might have been, obviously, more successful in more targeted cases when targeting specific individuals, like in the Bahrain case or the p0ke case.

(H.): Over there, please.

(Mic Question): Sure, thank you, so I'm just curious if you were familiar with the work of Erin Gallagher. She's done work to try to figure out, kind of quantitatively, and make these visualizations, to try to figure out if a particular Twitter account for example is a bot or whether it's a person, and there's some, you know, rules of thumb regarding like, you know, if the bots just kind of interact with each other and don't interact with real people. I'm just curious what techniques you may know of to figure out, you know, what is a bot and what is not, and whether you are familiar with those particular lines of research.

(S.): I'm not familiar with their work, but thank you, I'll check it out. In terms of what kind of metrics that you could use to see if an account is valid or not, I mean, I think, I guess their tweeting habits and when they tweet for example could be indicative, so for example we saw this person only tweet at 9 to 5. Obviously that's quite easy to make that not the case, and also I think one useful thing that might be interesting to do is try to map the network of these accounts. If you build up like a web of followers, you might be able to very easily graphically detect very obvious clusters of accounts that are following each other, which would be a very strong signal.

(Mic): Yeah, for sure, thank you.

(H.): Let's switch over to mic 6, please.

(Mic 6 question): Thank you for the great talk. How would you compare the former British activities to the current Russian activities? Maybe a talk in itself, but...

(S.): To be honest, I haven't been digging too deep in the details or following too much about the Russian activities, so I can't really comment about that, I don't know how prolific it is. I only mentioned it briefly in the beginning of the slides because it was to give some context, so I'll have to research more into the Russian activities.

(H.): Go to mic 5 again.

(Mic 5 Question): Thanks, to continue from the person who spoke, that would have been my question. So, just to add onto that, did you stumble upon similar patterns coming from, say, Canberra or Washington DC?

(S.): So these accounts were very specific to just the UK operations, there was no kind of collaboration there with other countries within the Five Eyes, like the US or Australia, but I think they might have. GCHQ, I think, has collaborated with the NSA. JTRIG specifically I think has collaborated before with the NSA to delegitimize certain people. So for example we saw, a few years ago or last year, I think there was a drone attack, someone was illegally killed in a drone strike in Iraq, he was suspected to be an ISIS member, Junaid Hussain, and apparently the way that he was deanonymized or the way they found his location is that the US, the FBI specifically, had an informant that was talking to this person, and that informant sent them a link that was generated by GCHQ, and then through that link they were able to deanonymize them. So I think there's some collaboration there, but this is mostly UK activity.

(H.): Last question, we are out of time. Thank you again, Mustafa.

applause

subtitles created by c3subtitles.de in the year 2019. Join, and help us!