Welcome back to my series of setting up Virtual Machined to do OSINT. I’m setting up an OSINT investigation system based on Michael Bazzell’s 7th Edition OSINT book, but I’m using Xubuntu instead of Ubuntu. Remember, this series is about the differences I found between the walkthrough in the book and setting up my environment on a different Distribution.
In this post, I’ll be talking about the personalization steps covering the differences between Michaels’s text and the steps to do the same in Xubuntu. As I stated in the last post, I’m building a new OSINT Investigations VM based on Michael Bazzel’s book. In the previous post, I covered the differences between his book and my choice of using Xubuntu instead of Ubuntu.
In the latest edition of his book, Michael Bazzell has decided to teach OSINT investigators to be self-sufficient when it comes to their tools. Gone is his OSINT powerhouse VM Buscador. Gone are the free tools he used to host. Instead, because things change and disappear, he has decided to teach people to build their own tools.
He uses Ubuntu as the base for the Virtual Machine in the walkthroughs. I didn’t care for Ubuntu, mainly because I’m not too fond of the default desktops. Honestly, I prefer running Debian with XFCE. But for quick installations, I go with Xubuntu. I say quick installs because it usually works out of the box, whereas Debian usually takes me days of tweaking to get it right.
In the past, before his old investigation image, and it’s replacement Buscador, I would build my own VMs based on either Debian or Xubuntu, and replicate the things he had done in his builds. This time around, I decided to build my own Xubuntu image, following his guide for the tools.
Here are the things I had to change to get Xubuntu based system set up.
While catching up on SANS’ Internet Storm Center Storm Cast during my drive, I heard this episode. In it Johannes Ullrich was mentioned this article about using DRM Decloaking TOR users. Short version, users running the Tor Browser Bundle click a link, and Microsoft Windows launches the media player not using the TOR network, exposing the user’s real IP address.
This attack could be mitigated by using TAILS or something else that forces all traffic through TOR. Which made me think I should share all the ways I use TOR.
The other day I mentioned Sailing the Sea of OSINT. Then in a Facebook group I’m in, they posted the BBC article about Ambulances Jamming car radios. In the group we made some speculations. But having a bit of a radio background, HAM Radio, CB Radio, and Broadcast Radio in college. I know how some of systems work.
So I went and dug up several articles on their pilot program. None however said how they worked. Just that they worked with the RDS radios in some cars. So I went and looked up RDS. Radio Data Systems, and the similar Radio Broadcast Data Systems in North America, is a protocol for sending data over the airwaves along with an FM signal.
In this case of both, they use PTY tags to associate what the data is. This is the same system that displays the radio system call sign and song title on some radios. It can do more like say what type of music station it is based off the tags they use. This would allow people to search by genre.
However when they made the protocol they included a tag for Alarms (in the EU) / Emergency (in North America).
Reading up on the receivers with the RDS protocol / system built in they are designed to switch to the frequency broadcasting the Alarm / Emergency tag. Even if the radio is playing a “cassette” (which tells you how old this protocol is), a CD, connected via Bluetooth. Basically, if an RDS equipped radio is turned on it will tune to the station for the frequency the ambulance is broadcasting to.
The neat parts of this, the goal is to make it 10 to 15 seconds of alert, based on the speed of the ambulance. Which tells me the broadcast switch is tied to the Light and Siren switch, as well as either the ambulances GPS or ODB-II port, and the broadcast power is associated off that.
The people that came up with the idea said because Ambulances are getting stuck in traffic and or people are having accidents trying to get out of the way.
This is probably one of the items that really should be considered in Autonomous cars.
Just read, or re-read “Sailing the Sea of OSINT in the Information Age” by Stephen C. Mercado from the Studies in Intelligence Volume 48, number 3. I’ve had this for a while, I bought it 2013. Which is part of why I don’t remember if I read it before. It’s available from the CIA’s Library. It’s an article from the CIA’s Peer Reviewed Journal.
I found it very informative, even for something originally written in 2007. While today, I think most of us in IT, think of OSINT as mainly tracking social media accounts (what some call SOCINT), it really goes beyond it.
The main points that were brought up:
- OSINT has been there for a very long time, since the beginning of Intelligence programs in the United States. It just hasn’t ever been formally given a department like others.
- It’s based off public media like magazines, books, news papers, radio and TV broadcasts.
- There are not enough people who understand foreign language / culture to get proper use out of OSINT.
There is things in the public space where OSINT lives that comes out better than in some of the other sources of intelligence. An example was information gathered by the Japanese about a former KGB officer. “The resulting book and Levchenko’s press conferences were, according to a US intelligence officer, more revealing than his CIA debriefing”.
So I’m curious, do we as a mono-langauge culture really have the skills we need to do intelligence. How many data leaks are found on foreign language hacking forums?
The article is worth the read, and brings up some good questions. I liked Mercado’s recommendation on making the Foreign Broadcast Information Service an intelligence service again, put OSINT under it, like how the NRO has IMGINT, and create incentives for people to study things like language and culture to increase the ability of the agency.
I’ve mentioned Justin Seitz’s Automating OSINT before, talking about the Python course. I recently signed up for the Master Course. I only had the money for it due to work reimbursing for me for UMUC CSEC620, and I decided to use a little of that money for self study, not just the next CSEC course.
A few months ago, a friend and co-worker asked if I had seen Automating OSINT. I hadn’t, so I went and checked it out and end up signed up for the free webinar. Turns out I had just missed the previous one by a few hours. And had some time to wait before the next one.
I’ve been wanting to expand beyond just bash scripting for most of my career. I tried learning Perl, and then I tried Python. The Google Python class, the MIT Python Class, Learn Python the Hardware, Think Python, Automate the Boring stuff with Python, and buying Python courses from Boing Boing. Problem is I never finished any of them. I think because I lose interest, and have other things to do.
I’ve stumbled around with Shodan.io for a while now. It’s a great tool, but using it effectively has always eluded me. John Matherly has given me some great advice on twitter, and I like Daniel Miessler’s Shodan Primer. But I never really find the information I need at the time.
While I know it is great to find webcams and spying Super Gnomes, that is just something I don’t use Shodan for. A lot of the reason I use Shodan lately is for work. Usually someone in management asks will if anyone knows what Shodan knows about the company. Which of our systems are listed on there.
Today while stumbling around trying to look up the company name and the netblocks, and using Dan’s cheatsheet (linked above), I noticed a new link on the page. Book.
This link goes to Lean Pub’s “The Complete Guide to Shodan” by John Matherly. It is a pay what you want book. They suggest just under $5.00 USD, for the 60 page booklet. I’m saying it’s worth more than that. I paid $10.00, which I still think is too low for this book.
The book can be delivered to your Kindle or downloaded as a pdf, an Epub, or Mobi file. I grabbed the PDF and Kindle copies of the file (too small to read on my phone and never figured out how to get it to show up in the Kindle Cloud reader).
This book is divided up in to Web Interface, External Tools (like the linux command line), Developer API, Industrial Control Systems, Appendices, and Exercise Solution.
There are exercises at the end of the Web Interface, External Tools, and API sections. Not all of them worked the way they were described in the book. For example I couldn’t find the Rastalvskarn Powerplant, even though it shows up with the link in the solution section.
I’ve read some documents on the API and struggled to get them to work. After reading the book, while I still have some questions, I know I can write the Network Alert that management wants.
Get this book, it’s worth more than anything you’ll pay for it. While it is only just over 60 pages, the content is great! Especially especially the Filter list in Appendix B.
p.s. It is worth getting an account, and paying for access.
For the last several weeks, I’ve been working with three other students from Eastern Michigan University’s Information Assurance program researching and mapping the Campus’ Crime Stats. If people take the time to look, they can find a map of the last 60 days and the daily crime logs for the last 60 days. We’re looking beyond those, but it’s interesting none the less.