The Haystack Principle of Counterintelligence – Anyone who knows me or follows me online knows that I’m a pretty open person. I share almost everything I’m up to. Anyone I know (or any stranger for that matter) can experience with me my lunch, thoughts on a number of odd topics, and even what I’m doing with my dog, Chauncey. In fact, right now you can click any link on the right of this page and learn a plethora of details about my exploits, both past and present. You may say that this is bad for someone in the investigative profession. You are not alone. Overwhelmingly, security professionals of a certain level preach this concept as gospel. I’m here to tell you that, in the 21st century, “security by obscurity” is the most ludicrous method of keeping secrets. Continue reading
I have recently been asked several times by clients and colleagues about the dark web. When I began writing this article I was still debating whether I should use capitals when addressing the dark web. After a few thoughts, I decided that it does not warrant its own title. The dark web is as much a proper place as a dark alley. Before I discuss my reasoning here, I should give you all a quick synopsis of what the dark web actually is, and it isn’t what you may think. The Internet, as we know it, is a network of millions of servers that connect to one another and, as a result, catalog one anothers’ contents. This enables search engines like Google and Bing to index the information for free and resell it to their consumers for a profit, financed by advertisers. Continue reading
Domain Valuation – When someone goes about buying a car, there is a valuation model to follow. If a car is brand new, the value is set by the manufacturer, which allows for their margin plus a margin for the dealer. Once a vehicle is driven off of the lot the depreciation begins. That is, unless the vehicle’s value appreciates. Take, for example, the greatest car ever constructed, the Shelby Mustang GT500 of the late 1060s and early 1970s. When the 1971 model starred in the film classic Gone in 60 Seconds, it changed the world of movie car chases. The 2000 Nicholas Cage remake of Gone in 60 Seconds used a 1967 model of the same vehicle, and revitalized the world’s fascination with “Eleanor” (the code name given to the sumptuous steel vixen). That particular model was recently sold at auction for over one million dollars. If you’re lucky, you’ll find a fix-er-upper for $100,000. That’s a far cry from the original sticker price of $8,000 when it was sold right off of the assembly line.
This same story can be told about domain valuation. There are websites out there giving ‘valuations’ of domain names but, as well-meaning as they may be, only take into account simple factors such as keyword popularity, selling price of similar names and very little else. Domain valuation is never that simple. When we first receive a request from a client to inquire about the purchase of a domain we first investigate the owner. This allows us to take into account factors such as their initial intention, other uses, their tech savvy and even their financial bracket. Typically there are two kinds of domain owners out there. The first is the ‘domainer’, who valuates the domain using a cold formula then awaits a reasonable price and moves on to the next domain. No emotion is tied to the deal. It’s just a number. Then there’s the individual who purchased it with a vision in mind, went to the trouble to register the same name on other social networks and sees the name’s potential in a way that only a parent can with its own child. With the latter person, it doesn’t matter if the project is dead or alive; whether they are in need of funds or not. To them, the name is priceless.
This does not mean there isn’t a number that could greenlight this sale. It just means that the owner of the name values it in such a way that ‘they’ can’t put a price on it. There is always a price. It is our job to begin a negotiation that welcomes a dialogue. This means to get to know the individual and build rapport. It also means we need to come up with a starting price that does not turn them away. If I offered you $500 for Eleanor, you’d likely not return my call and, even more likely burn me for future contact. Our approach has shaved millions off of domain name selling prices. This doesn’t mean we’ll be able to buy you a domain for a fraction of its potential price. What we guarantee at IPCybercrime will provide honest, respectful treatment of both sides and the best possible outcome for you, the buyer.
Whenever a legal incident that begins online comes to notice there is a very small window to manage the collection and preservation of the data. If you’ve ever watched the popular A&E documentary television series entitled “The First 48“, you have been exposed to the importance placed into the actions that take place within first couple of days after the discovery of the crime. Just as in the physical world, a “CSI” team must be the first to step in to ‘freeze’ that moment in time for later analysis. No one else involved should touch anything until it has been preserved by their trained evidence collection team. Popular culture has conditioned us to accept this process in the physical world. Over the last decade, we have been introduced to the concept of computer forensics where a computer or smartphone may contain important data and must be preserved. But what happens when that case begins online? Online cases far outnumber both physical crimes and also crimes that start with a device that is in your custody. In these cases, the collection of data must be handled with much more care and finesse.
This is where Social Discovery comes in. The most common methods of preserving a moment of time online are: 1) Taking a screenshot using software like TechSmith’s Snagit, 2) printing to PDF, or 3) downloading the entire website using an offline browsing tool such as HTTrack. All of these methods are good, but they do not present data in a forensic fashion that can be scrutinized later by an expert. A screenshot can be taken of a doctored web page. The same can be done with a PDF printout. Files can be manipulated in an offline browser after download. In all of these cases the case is relying only on the testimony and the credibility of the individual who collected the data. There is no benchmark with which to measure his/her accuracy by an outside expert. Social Discovery, a very recent specialty introduced in the last couple of years, has made it possible for online acquisition of data to be held to the same standard as blood evidence and computer forensics. Let’s face it. More crimes are taking place in the cloud than known locations. This requires a tried process that has been tested in court. Social Discovery is a process that ensures all data is not only collected properly, but preserved with the proper forensic properties including a hash value that can be compared to the original. This will be the difference whether or not your online evidence stands the scrutiny of the opposing counsel’s expert.
At IPCybercrime, all of the common techniques are included in every service we provide. We also recommend that you request our additional Social Discovery service. For an additional fee, we can deliberately collect every tweet, Facebook post, Youtube video, or anything else that can be published online. Social Discovery also includes forensic collection of web-based emails such as GMail, Hotmail and Yahoo! (if credentials are provided by deponent). Whatever you do, make sure you have your bases covered. Social Discovery is the way to go.
Below is an example of what I observed:
elementId = Math.floor(Math.random() * 10001); document.writeln('‘); document.getElementById(‘block’ + elementId) .style.display=’none’; <a href=”http://xxxxxx.com/db-gestion/pmd/styles/default/images/ icons/brandname/brand-name-products.php”>brand name products</a>
Now I’m going to finish my coffee.
During one of my strolls through the dark alleys of the web I came across another interesting black hat search engine optimization technique: branch offices for counterfeit luxury goods installed within legitimate sites. At first observation, the website I saw selling counterfeits looked like any other. But, after a closer look, the URL appeared to be much longer than the typical domain-based URL like fakestuffseller.com. Instead it looked like this: http://legitimatesite.com/includes/ice/ _vti_cnf/lib/ brand/boots/brand-boots.php. I noticed an extra directory ‘/includes/‘ that looked out of place and perhaps would not be in the normal structure of this particular legitimate website. My next step was to test my theory and delete the extra crap (/includes/ice/ _vti_cnf/lib/brand/boots/brand-boots.php) from the URL, leaving it to be simply legitimatesite.com. As I has suspected this led me to a perfectly legitimate university website.
The two questions you are asking right now are “how?” and “why?”. Allow me to enlighten you. The “how” is similar to what I explained in another recent article I wrote regarding black hat search engine optimization techniques where hackers find weaknesses (like unlocked doors) in websites whose security software is not up to date. Once that vulnerability is detected, the hacker can install thousands of his own websites within your website without your knowledge and, perhaps, for years before you even notice anything is strange. The reason they do it is so that they can create tens of thousands of websites selling counterfeits. Since this is done on a mass scale, the criminal is only minimally affected when your lawyer takes down poor old legitimatesite.com. He has an unlimited supply. Now I’m going to finish my coffee.
In the era of telecommuting and coffee shop branch offices, Facebook has replaced the watercooler, LinkedIn is the new resume and Skype is the new boardroom. Let’s face it. Your online ‘brand’ has become your most public persona. Along with the vast benefits that social media bring a new world has opened up for fraud, misinformation and brand abuse. Holmes is not only a top brand protection investigator. He is also the one-man marketing department for his firm. Combining his two passions of trademark investigations and social media, he will take you on his journey from creating his first blog, designing his firm’s website, and planning a social media strategy and then arm you with brand protection tactics that he employs for his clients. Rob gave this talk, entitled Brand Protection and Social Media in June 2012 in Dallas, Texas.
The two most important things when conducting undercover contact is obtaining sensitive data and, yes, not blowing your cover. If a subject were to examine the source code (header) of an email I sent them, it may reveal my IP address. If I were to access a subject’s website, my IP address will be revealed. Without a subpoena, anyone can use your IP address to determine the name of your Internet Service Provider and the general region of the terminal that connected to the web during your contact. This is why it is important to use a service that specializes in masking IP addresses. I use a pay service that is completely legal, inexpensive, fast and convenient. The service I use allows me to choose IP addresses from all over the world at the drop of a dime.
If the subject is offering fashion goods, I am sure not to use an IP address from NY, CA, UK, France or Italy because the legal departments for many of these brands are located in these regions. If I am investigating a software counterfeiter I will steer clear from IP address located in CA, WA or MA. A paranoid counterfeiter will block customers from those regions, or at least notice that they are being monitored. So My first advice in masking IP addresses is to choose an IP address that is not in a state/country your client’s industry or headquarters is based. Then you must discipline yourself to never check these emails from your phone or an unfamiliar computer terminal. No matter how curious you are, the email can wait until you are at your PC with the ability to mask the same, consistent IP address region you have previously used. Just as we are watching for bad guys to make mistakes, they are waiting for us to do the same.
Now I’m going to finish my coffee.