The 7 habits of highly successful intelligence analysts

I just love these kinds of lists, that boil things down to the essentials: In a September 11 post in the Digimind blog, Orlaith Finnegan let Monica Nixon of NICS and “Bob A.”, ex Navy intelligence, put down the following 7 habits of highly successful intelligence analysts:

1) Be Organized and Disciplined
2) Communicate with Confidence, Clarity and Credibility
3) Find Meaningful Patterns in Meaningless Noise
4) Adopt a Patient, Methodical Approach
5) See the Bigger Picture
6) Be Flexible and Responsive to Change
7) Learn from Mistakes

For each point in this list, read the full description in the original article:
http://digimind.com/blog/market-industries/the-7-habits-of-highly-successful-intelligence-analysts/

Make your sources talk: elicitation, motivation, provocation… investigative journalists do it too

If you understand Swedish, you must listen to this presentation titled “The ABC of investigative journalism”, by Nils Hanson from Swedish national television (SVT). It was made during the 2012 seminar on investigative journalism held in Malmö, Sweden, during the weekend of March 23-25. This was the 16th time Nils Hanson made this presentation.

The interesting thing here is that Nils Hanson represents the community of investigative journalists and reporters, who think of themselves as being among “the good guys”, revealing the truth to the public, uncovering what corrupt politicians hide and sometimes even shedding light on dodgy activities of government intelligence and security organizations.

However, when listening to Nils Hanson, you will hear him describe to his audience of journalists how to make an unwilling human source talk, how to make an unwilling private person agree to becoming the subject of a news story, and so on.

If you have government or military intelligence training in the field of HUMINT, you will immediately notice that the methods recommended by Nils Hanson are spot-on similar to the methods used by government and military intelligence operators. The key words are elicitation, motivation, provocation, flattery, favors and favors in return, and so on:

– Build trust and rapport by starting out talking about something irrelevant, non-sensitive and/or slightly humorous
– Reduce tension in a situation where the source is refusing to talk by asking for something trivial like a cigarette, and then a match, and so on
– Motivate the source to talk by providing gifts without asking for anything in return and by making considerable and noticeable efforts. This builds confidence, and also a sense of indebtedness.
– When a source is refusing to be the subject of a news story or refusing to be interviewed on television, tell the source that full control is with him/her, and start moving in small steps while telling the source that he/she can back out at any time. Having committed to a recorded interview, where several people spent a lot of time, the source will seldom back out and tell them all that their efforts and work have been for nothing.

All of these methods push well-known and simple psychological buttons and leverage mechanisms of human nature such as our reluctance to jump off the bandwagon once we have been on it for a while. Normal people have a strong inner voice that talks about commitment, promise, responsibility, duty, gratitude, debt, payback, fairness etc.

I am sure not many of the journalists at the Gräv 2012 seminar would feel comfortable thinking of themselves as working with the same toolbox as an intelligence officer managing his human assets.

http://bambuser.com/v/2494983

Ex-MI5 officer turned whistleblower Annie Machon talks about disinformation and media manipulation

The Swedish association for investigative journalism today concluded its annual weekend event of seminars and presentations in Malmö, Sweden: http://www.grav12.se

Among the more colorful – and from an international perspective more relevant – presentations was the one made by British Annie Machon, ex-MI5 operator and whistleblower, currently in involuntary exile. The topic of her talk was disinformation and the manipulation of the media. She talked on Friday, March 23.

She started her talk by mapping out the different bodies of the UK intelligence community (MI5, MI6, GCHQ etc), before going on to describe her way into MI5, and back out again. She spent six years in MI5, including 2-year postings in T-branch and G-branch.

Having decided to blow the whistle – partly due to MI6 financing of Libyan terrorists and unjustified MI5 registration of UK citizens – she found herself hunted prey, with UK police, MI5 and MI6 on her trail.

The big take-away of this lecture from an open source intelligence point of view is the challenge of source credibility and source evaluation. Annie Machon testifies about the regular use of agents of influence: people in the media who are on the payroll of the intelligence services, as well as the existence of i-ops departments (i-ops – information operations). Basically, this is a plain and simple reminder that there is no such thing as an unbiased news article. However, the thing you don’t regularly suspect is that the editor of the paper you are reading has a strong personal bond and strong sympathies with some government intelligence organization with an agenda not necessarily in keeping with the actual truth.

http://bambuser.com/v/2494752

Mathematics is the infrastructure required by all branches of science

Chalmers Technical University in Gothenburg, Sweden, publishes a magazine called “Chalmers magasin”, with the purpose of marketing the university.

In issue no. 1, 2012, assistant professor of mathematics Torbjörn Lundh is interviewed. He makes a number of notable statements:

“Mathematics is a support science, the infrastructure required by all branches of science.”

“When people from the industry are asked what they require of recently graduated engineers, they often reply: ‘They should have taken a lot of maths’. What kind of maths? ‘It doesn’t matter’. What they want is the logical thinking, the ability to read structures and create arguments and models of their own. They are supposed to break new ground”, says Lundh.

“It is hard to tell which kind of mathematics that will be needed in the future. 40 years ago, nobody could foresee that algebraic geometry would become so central to the encryption industry as it is today.”

“The mathematics picked up by the industry [for commercial application] is often ‘old’, not uncommonly one or a couple of hundred years old.”

“Mathematics takes a long time to learn and the subject has a long time to maturity before it is applicable in other sciences and in the industry. Therefore there are no shortcuts. If we want sustainable development in scientific research in Sweden we have to start thinking more long-term”, says Lundh. “Other countries have already understood this requirement, like the USA, Germany and South Korea.”

http://www.chalmers.se/sv/om-chalmers/alumni/cm/Documents/CM-1-12webb.pdf

(pages 28-29)


Guide for Anonymous Blogging contains bad advice adding security risk

For the past two years, Global Voices Online has published a guide titled “Anonymous Blogging with WordPress & Tor”:

http://advocacy.globalvoicesonline.org/projects/guide/

The guide was recently (2011-11-15) linked to from a Wired.com article by Andy Baio on the topic of reverse Google Analytics ID lookup as a method for revealing the identity of people blogging anonymously while tracking several websites with the same Google Analytics account: http://www.wired.com/epicenter/2011/11/goog-analytics-anony-bloggers/all/1

The guide from Global Voices Online, last updated in March 2009, contains a lot of good advice and useful information, but also one serious flaw: it claims that webmail services that do not provide an HTTPS connection are safe as long as you access them via Tor. This is wrong. This usage scenario adds a risk. I quote:

Hotmail and Yahoo don’t offer secure HTTP (https) interfaces to webmail – again, this doesn’t matter so long as you use Tor every time you use these mail services.

In fact, the opposite is closer to the truth: using Tor when accessing a webmail service that does not run under HTTPS – or any web-based service running over regular HTTP where you submit a private username and password – poses a greater risk than not using Tor. The reason is that when using Tor, your internet traffic passes through a number of Tor servers, all of which are set up and run by volunteers. There is no qualification mechanism for running a Tor server: anyone can set up a server, and anyone can volunteer to let their particular Tor server function as a so-called exit node. An exit node is a Tor server where the Tor user’s internet traffic finally leaves the chain of Tor servers and goes out to its destination. The owner of a Tor exit node can sniff, inspect and copy any of the data packets going out to the internet through that machine. Normally no internet traffic from other internet users passes through another user’s PC – but running a Tor exit node is an easy way of “pulling in” other people’s internet traffic so that it passes through your machine. This opens the door to sniffing personal information such as email usernames and passwords – or at least email message content. Only if the webmail service uses HTTPS in all parts will the Tor exit node be unable to read what the webmail user is receiving and sending, since the data will then be encrypted between the webmail server and the user’s browser.

So, is this big news? No. It has been well known for many years. The most famous case is from 2007, namely that of the Swedish security consultant Dan Egerstad, who set up five servers, volunteered them as Tor exit nodes, and collected a massive amount of usernames and passwords, many of them from various foreign government bodies:

http://searchsecurity.techtarget.com.au/news/2240022106/Embassy-hacker-Dan-Egerstad-and-the-Tor-network

Eavesdropping on Tor traffic: http://lwn.net/Articles/249388/

Researchers at Kaspersky very recently demonstrated that this kind of eavesdropping goes on all the time: http://www.kaspersky.com/images/Sambuddho%20Chakravarty-10-108180.pdf

Regards, Kjell A.

How much is it worth for you to keep Wikipedia? Donate today!

Most of us rely on Wikipedia for entry-level information on all kinds of topics, several times a day, from our computers and smartphones. Wikipedia is free of commercial messages. Wikipedia does not charge you money.

But Wikipedia cannot run on air.

Read this message from Wikipedia founder Jimmy Wales, and consider donating a few dollars per year.

Support Wikipedia

Flickr picture uploads from 24 hours in print – HUGE amounts of photos

The British magazine Creative Review writes about an installation by Erik Kessels on display at Foam in Amsterdam. Kessels has printed out the number of photos that are uploaded to Flickr during 24 hours, allegedly 1 million photos.

Creative Review writes: <<“We’re exposed to an overload of images nowadays,” says Kessels. “This glut is in large part the result of image-sharing sites like Flickr, networking sites like Facebook, and picture-based search engines. Their content mingles public and private, with the very personal being openly and un-selfconsciously displayed […] >>

What is most interesting about Kessels’ installation is that it turns this abstract number into something very concrete that you can relate to physically: several rooms with piles of photos covering floor and walls. That sends a rather different message than the usual million-billion-trillion numbers rant.

Speaking of which, here are some more interesting figures about photos on the internet:

5 billion – Photos hosted by Flickr (September 2010).
3000+ – Photos uploaded per minute to Flickr.
130 million – At the above rate, the number of photos uploaded per month to Flickr.
3+ billion – Photos uploaded per month to Facebook.
36 billion – At the current rate, the number of photos uploaded to Facebook per year.

(Source: http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/ )

The article in Creative Review, with photos (!) showing the massive amounts of photo print-outs in the installation:

http://www.creativereview.co.uk/cr-blog/2011/november/24-hours-in-photos

This installation by Erik Kessels is on show as part of an exhibition at Foam in Amsterdam that looks at the future of photography. It features print-outs of all the images uploaded to Flickr in a 24-hour period…

Knowing where the action is, where the crowds are going

We all have our personal, inner conception or mental map of the Internet: which are the important places, where can you find what you are looking for, what are people doing when using the web and so on.

It is safe to say that each of us has a false image – or at least a very far from complete image. We are guided by habit, hazard and home: you are socialized IRL into the understanding and inner image you have of what there is and what is going on – on the world wide web.

Let’s stop for a minute and rethink this. Imagine you heard about the WWW for the first time just now. Someone tells you that it is a network that thousands of millions of people fill with text, images and video 24-7. And searching that content works pretty well thanks to various tools at hand.

If you were to take in that information and assess the possibilities offered by such a source, would you then not want to get a bird’s-eye view of where the users are hanging out? Which parts of this network see a lot of activity and get a lot of attention from the users? Think of it like looking up the number of book volumes in the different topic departments of a library – it is useful to know where there are a lot of sources, and where there are fewer.

Whether you agree or not, here is where you can check out what the top 100, top 1000 and top 1 000 000 websites are, based on number of visitors during a month (visitors from the United States):
http://www.quantcast.com/top-sites
As the numbers will tell you, the top 3 sites generate on average 10 times more visitors than sites ranked 101-103, which gives a hint that the distribution of visitors follows a Power Law curve:
http://en.wikipedia.org/wiki/Power_law

One point to consider is also that there is a world outside of the United States, which means that the list would likely change considerably if internet users in India and China were also measured.

So, where people are going when using the Internet is one thing – but there is more. Royal Pingdom tells you how many users there are, how much content they consume, how much content they create, and so on:

http://royal.pingdom.com/2011/01/12/internet-2010-in-numbers/

http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/

Videos of presentations at DerbyCon 2011 – a must-see for anyone in information security or intelligence

During the weekend of September 30 – October 2, DerbyCon took place in Louisville, Kentucky, at the Hyatt Regency hotel. During those three days, a number of extremely skilled and knowledgeable speakers presented on different topics in three parallel tracks. All the presentations were video recorded and are now available online.

There is a very high likelihood that you will learn valuable things from watching these videos, either from an information security standpoint, or from an open source intelligence standpoint.

http://www.irongeek.com/i.php?page=videos/derbycon1/mainlist
http://www.derbycon.com/

Use Google to search. No really.

Over 60 percent of searches include only three words or less.

In over 80% of all search queries made, less than five words are used.

According to the Internet monitoring company Hitwise, the distribution of the number of words used in search queries looked like this by January 2009. The statistics cover searches made, not people doing searches, which is important. Still, in over 80% of searches, less than 5 words are used in the search query. The most common search query length is 2 words.

Now, we all make a lot of searches, and in some cases we have learnt that typing one or two specific words will give us the site we are looking for on the first page of search hits. Also, a lot of people have learnt that putting a single word XYZ directly in the address field of the browser will take them to http://www.XYZ.com. Doing the same thing in Google Chrome will deliver a search on that word. People are a combination of lazy, practical and smart – they quickly learn what works and repeat that. When they search for something for real, the more word-rich queries come into use.

For anyone looking for something specific on the web, the chances of finding it increase if you have the knowledge to utilize the full power of the search engines. Think of it as shifting from first gear of search engine usage to second, third, fourth and fifth.

There are two dimensions to this:

1) Make sure you use the most appropriate and adequate search engine for the information you need to find. This is treated further in a separate article.
2) Make sure you know how to tell the search engine exactly what you are looking for, instead of throwing in a bunch of keywords in random order. This is all about making use of search operators and special characters, which allow you to specify a lot more complex conditions than “I want to see pages that contain these words”.

Searching more effectively with Google

There is a reason why Google is the dominant search engine: they index more, they index quicker, and they are good at understanding what results people are interested in. In fact, Google’s ability to index web content, in combination with the powerful search operators specific to Google, has given birth to Google Hacking. Google hacking has nothing to do with breaching Google security. It is about using advanced searching with Google as part of the research and reconnaissance phase of a network system penetration attempt for the purpose of a) spotting targets or b) finding possible points of attack against a target.

Apart from leveraging the advanced search operators of Google in the hunt for exploit opportunities, you will of course benefit greatly in your search for information from being skilled at pushing the right buttons of the Google search engine.

Below is a list which covers what you need to know in order to make Google do a better job for you when searching. Roughly, these search operators can be put in three groups:

1) those that say what to search for, i.e. what words and numbers to match, and

2) those that say where to search, i.e. operators that limit the scope of the search or specify where the match should be,

3) those that are specialized information lookup operators, which make Google return results of a certain kind only

Operators that say WHAT to search for

1) “What” operators – Result / Effect / Meaning

secret information – Will find content that contains each of the words anywhere in the text, but not necessarily side by side
“secret information” – Will match the exact phrase and word order
~secret – Includes synonyms, alternative spellings and words with adjacent meaning
secret information OR intelligence – Will find content that contains the word secret plus either one of the words information and intelligence
intelligence -information – Will find content that contains the word intelligence while not containing the word information
intelligence +secret – Will search for content that contains intelligence and secret, with secret as required content
intelligence-community – Will find content where the two words exist separated, written as one piece, or hyphenated
“central * agency” – The * character serves as a wild card for one or more words
    Note! When the * character is used between two numbers in a search with no letters, it functions as a multiplication operator, returning the product of the two numbers.
“US” “gov” – Google automatically includes synonyms and full-word versions of abbreviations. Putting each term in quotes ensures that the search is made for exactly those terms.
“coup d’etat” 1945..1969 – Will find pages that contain any number in the range 1945-1969 and the phrase “coup d’etat”

Operators that say WHERE to find a match between search term and content

2) “Where” operators – Result / Effect / Meaning

define: – Will look for the search term in word list, dictionary and glossary type pages, e.g. define:secret
define – Alternative syntax for define:, with the same effect, e.g. define secret
intelligence ~glossary – Will find the word intelligence on pages of a glossary, dictionary or encyclopedia type
site: – Will limit the search to the internet domain specified, which can be a top-level domain, a main domain, a sub domain and so on. Examples: site:mil, site:groups.google.com (combine several with the OR operator between them: site:mil OR site:gov)
inurl: – Will limit the search to only look for the search terms in the page URL. This example will show results where either one or both of wiki and sigint are part of the URL: inurl:wiki sigint
allinurl: – Very similar to inurl:, but all of the words specified must be found in the URL.
intitle: – Will limit the search to only look for the search terms in the title of pages. Title in this context means the HTML title of the web document, which is what you see in the browser tab or at the top of the browser window.
allintitle: – Very similar to intitle:, but all of the words specified must be found in the page title.
inanchor: – Will limit the search to only look for the search terms in the anchor text of hyperlinks on pages. The anchor text is the text that the page creator turned into a link to some page. It may reveal something about what the page creator thinks about the page linked to, for example “Useful information on security”.
allinanchor: – Very similar to inanchor:, but all of the words specified must be found in the anchor text.
intext: – Will limit the results to pages where the search term was found in the text of the page.
allintext: – Very similar to intext:, but all of the words specified must be found in the text of the page.
filetype: – Will limit the results to files with the file extension specified, e.g. filetype:pdf to get only PDF documents
ext: – Short-hand version of filetype: that gives the exact same result
cache: – Will show the Google cache version of a web site if available, e.g. cache:cia.gov
    Note! This cannot be combined with additional search terms or operators
related: – Will show pages that have something in common with or are related to the site you specify, e.g. related:cia.gov
    Note! This cannot be combined with additional search terms or operators
link: – Will show pages that contain a link pointing to the URL you specify, e.g. link:www.cia.gov/library

Special search operators – valid only on specific Google sites

3) Special operators – Result / Effect / Meaning

location: – news.google.com: presents news search results related to the location, e.g. location:kabul
source: – news.google.com: presents news search results from the source specified, e.g. source:times
author: – groups.google.com: presents posts written by the author specified, e.g. author:einstein
group: – groups.google.com: presents posts made in the group specified, e.g. group:publicintel

When you only have a vague idea of what to search for, only parts of a name, or only an approximate date range, advanced queries that combine several such bits and pieces, using the OR operator, phrase quotes and the * wild card, let you cover all bases and perform one single search that returns all possible matches.

Here are a few interesting examples that apply several of the operators listed above.


• PDF files published by the FBI that mention interrogation, methods and deception:

site:fbi.gov ext:pdf +interrogation +methods +deception

• Web pages under the .mil top-level domain where the page title contains the word “staff” and the page contains a link with the word “login”, excluding PDF files as well as Word documents:

site:mil intitle:staff inanchor:login -ext:pdf -ext:doc

• Excel files with the word “internal” as part of the URL and the phrase “internal use only” in the file:

inurl:internal ext:xls OR ext:xlsx “internal use only”
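As an added example (not from the original post), here is a small Python helper that assembles queries from the operators in the tables above, splits an existing query back into its terms, and flags the two restrictions the tables note (cache: and related: must stand alone). The defensive use is the obvious one: checking a query before running it when auditing which of your own organisation’s documents are publicly indexed, for instance site:yourdomain.example ext:xls “internal use only”. The operator list and the sample queries are taken from this page; the builder’s argument order and the host yourdomain.example are assumptions of the example.

```python
"""Build, tokenize and lint Google search queries made of the operators above.

Added example (not from the original post): a helper for composing well-formed
queries and for checking a query before it is run, e.g. when auditing which of
your own organisation's documents are indexed (site:yourdomain.example ...).
"""
import re

# Operators from the tables above that take a value after the colon.
VALUE_OPERATORS = {
    "site", "inurl", "allinurl", "intitle", "allintitle", "inanchor",
    "allinanchor", "intext", "allintext", "filetype", "ext", "cache",
    "related", "link", "define", "location", "source", "author", "group",
}
# Per the notes in the table, these cannot be combined with other terms.
STANDALONE_OPERATORS = {"cache", "related"}

# A term is an optionally negated quoted phrase, or a run of non-blank characters.
_TERM = re.compile(r'-?"[^"]*"|\S+')


def build_query(site=None, inurl=None, ext=(), intitle=None, inanchor=None,
                exclude_ext=(), words=(), phrases=(), number_range=None):
    """Assemble a query string; alternative extensions are joined with OR."""
    parts = []
    if site:
        parts.append(f"site:{site}")
    if inurl:
        parts.append(f"inurl:{inurl}")
    if ext:
        parts.append(" OR ".join(f"ext:{e}" for e in ext))
    if intitle:
        parts.append(f"intitle:{intitle}")
    if inanchor:
        parts.append(f"inanchor:{inanchor}")
    parts.extend(f"-ext:{e}" for e in exclude_ext)
    parts.extend(words)
    parts.extend(f'"{p}"' for p in phrases)
    if number_range:
        lo, hi = number_range
        parts.append(f"{lo}..{hi}")        # the numeric range form from the table
    return " ".join(parts)


def tokenize(query):
    """Split a query into (kind, operator, value, negated) tuples.

    kind is 'word', 'phrase', 'operator' or 'or'; a leading '-' sets negated.
    """
    terms = []
    for tok in _TERM.findall(query):
        negated = tok.startswith("-")
        body = tok[1:] if negated else tok
        if body == "OR":
            terms.append(("or", None, None, False))
        elif len(body) >= 2 and body.startswith('"') and body.endswith('"'):
            terms.append(("phrase", None, body[1:-1], negated))
        elif ":" in body and body.split(":", 1)[0].lower() in VALUE_OPERATORS:
            op, val = body.split(":", 1)
            terms.append(("operator", op.lower(), val, negated))
        else:
            terms.append(("word", None, body, negated))
    return terms


def lint(query):
    """Return a list of problems found in the query (empty means it looks fine)."""
    terms = tokenize(query)
    problems = []
    alone = [t[1] for t in terms if t[0] == "operator" and t[1] in STANDALONE_OPERATORS]
    if alone and len(terms) > 1:
        problems.append(f"{alone[0]}: cannot be combined with other search terms or operators")
    if terms and (terms[0][0] == "or" or terms[-1][0] == "or"):
        problems.append("OR needs a term on both sides")
    for t in terms:
        if t[0] == "operator" and t[2] == "":
            problems.append(f"{t[1]}: has no value")
    return problems


if __name__ == "__main__":
    # Constructed audit query for a hypothetical organisation's own domain.
    q = build_query(site="yourdomain.example", ext=["xls", "xlsx"],
                    phrases=["internal use only"])
    print(q)
    print(tokenize(q))
    print(lint(q) or "no problems found")
```

build_query reproduces the three example queries above exactly, and lint catches the mistakes the tables warn about before a query is run.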


Learn more about how to search with Google:

http://www.googleguide.com

http://www.google.com/support/websearch/bin/answer.py?hl=en&answer=136861&rd=1