Posts Tagged ‘Cyber’

Google Analytics Update

Wednesday, August 29th, 2012

Last year I wrote about taking apart a MySpace cookie.  Included in that posting was some discussion on Google analytics tools found within the cookie.  It was interesting and I got some good feedback about the blog entry.  I was contacted by Jim Meyer of the DoD Cyber Crime Center about some further research they had done on the Google analytics within cookies and a presentation they were preparing at the time for the 2012 DoD Cybercrime conference (if you saw the presentation at DoD let me know how it went).

They were able to determine more information about the specific pieces of the Google analytics cookie placed on a user’s computer when they go to a webpage that contains Google Analytics.

The Google Analytics Cookie collects stores and reports certain information about a user’s contact with a webpage that has the embedded Google analytics java code. This includes:

  • Data that can determine if a user is a new or returning user
  • When that user last visited the website
  • How long the user stayed on the website
  • How often the user comes to the site, and
  • Whether the user came directly to the website,
    •  Whether the user was referred to the site via another link
    • Or, whether the user located the site through the use of keywords.

Jim Meyer and his team used Googles open source code page to help define several pieces of the code and what exactly it was doing when downloaded. Here is some of what they were able to determine (The examples are the ones I used in my last posting with a little more explanation about what everything means. I explained how I translated the dates and times in my last posting). For a complete review of their findings contact Jim at the DoD Cyber Crime Center.  

Example

Cookie:            __utma

102911388.576917061.1287093264.1287098574.1287177795.3

__utma This records information about the site visited and is updated each time you visit the site.
102911388 This is a hash of the domain you are coming from
576917061 This is a randomly generated number from the Google cookie server
1287093264 This is the actual time of the first visit to the server
576917061.1287093264 These two together make up the unique ID for Google track users. Reportedly Google not track by person information or specific browser information.
1287098574 This is the time of the previous visit to the server
1287177795 This is the time last visited the server
3 This the number of times the site was been visited

 Example

Cookie:            __utmz

102911388.1287093264.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) 

__utmz This cookie stores how you got to this site.
102911388  Domain hash
1287093264 Timestamp of when the cookie was last set
1 # of sessions at this time
1 # of different sources visitor has used to get to the site.
utmcsr Last website used to access the current website
=(direct) This means I went direct to the website, “Organic” would be from a google search, “Referring link” may show link coming from Search terms may.
|utmccn=(direct)  Adword campaign words can be found here
|utmcmd=(none) Search terms used to get to site may be in cookie here.

 Example

Cookie:            __utmb

102911388.0.10.1287177795 

__utmb This is the session cookie which is only good for 30 minutes.
102911388 This is a hash of the domain you are coming from
0 Number of pages viewed
10 meaning unknown
1287177795 The last time the page was visited

Remember though all of this can be different if the system deletes the cookies or the user runs an application that cleans the cookies out.  Also, it is all relative and depends on system and user behavior and when and how many times they have visited a particular site.

You can also go to find out more about the description of the cookies http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html#cookiesSet

Google Analytics can set four main cookies on the users machine:      

__utma Unique Visitors
__utmb Session Tracking
__utmc Session Tracking
__utmz Traffic Sources

Optional cookies set by Google Analytics:

__utmv Custom Value
__utmx Website Optimizer

Google Analytics creates varying expiration times for its cookies: 

__utma The information on unique user detection expire after 2 years
__utmz The information on tracking expire until 6 months).
__utmv The information on “Custom Tracking” will expire after 2 years
__utmx The information on the “Website Optimizer” will expire after 2 years
  The information about a current visit (visits) will expire after 30 minutes after the last pageview on the domain.

The original code schema written by Urchin was called UTM (Urchin Traffic Monitor) JavaScript code. It was designed to be compatible existing cookie usage and all the UTM cookie names begin with “_utm” to prevent any naming conflicts. 

Tracking the Urchin- from an investigative point of view

Okay so for some additional new stuff on Google analytics when examining the source code of a webpage. What is the Urchin? Google purchased a company called Urchin who had a technology to do traffic analysis. The technology is still referred in the cookies Urchin’s original names.

When examining a live webpage that contains Google analytics code embedded in the website you will come across code that looks similar to this:

<script type=”text/javascript”><!–var gaJsHost = ((”https:” == document.location.protocol) ? “https://ssl.” : “http://www.”);document.write(unescape(”%3Cscript src=’” + gaJsHost + “google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E”));// –></script><script type=”text/javascript”><!–try {

var pageTracker = _gat._getTracker(”UA-9689708-5″);

pageTracker._trackPageview();

} catch(err) {}

// –></script> 

Search the source code for “getTracker” and you will find the following line: var pageTracker = _gat._getTracker(”UA-9689708-5″); which contains the websites assigned Google analytics account number “UA-9689708-5”. So what does this mean and how can it be of value to me when I am investigating a website? Let’s identify what the assigned number means: 

UA Stands for “Urchin Analytics” (the name of the company Google purchased to obtain the technology)
9689708 Google Analytics account number assigned by Google
5 Website profile number

How can I use this Google analytics number in an investigation? First you can go to http://www.ewhois.com/ to run the UA # and identify the company/person assigned the number.

The reponse you will get is something similar to this:

google analytics

Then run the Google Analytics number through Reverseinternet.com:

urchin

This is a little more of investigative use in that it is showing domains that use the same Google analytics Id, the Internet Protocol addresses assigned to the domains and the DNS servers used by the domains.

Using Reverseinternet.com allows you to identify any webpage where this Google Analytics Id has been embedded in the source code.  This can be of investigative value if the target has used the same Id on more than one webpage they control or monitor. Why would this occur? Google allows the user to monitor data from multiple sites from a single control panel.

So how does Google analytics work?

Google is probably a better place to find this out. You can go to http://code.google.com/apis/analytics/docs/concepts/gaConceptsOverview.html for a complete overview of how it works.

In short Google Analytics java code embedded in the webpage you visit collects information from the following sources when you connect to a webpage:

  • The HTTP request of the visitors browser
  • Browser/system information from the visitor
  • And it sends a cookie to the visiting system

All of this gives the webpage owner the ability to track persons going to their webpage. From an investigative point of view there is a certain amount of exposure due to the browser tracking that occurs and the fact that a cookie is placed on your investigative system. But there is the possibility from examining the page source code to tie the website through the Google Analytics Id to other webpages of interest.

So you thought Tor was bad enough. Check out Tor’s Hidden Web Services.

Monday, July 25th, 2011

Recently and article appeared at NPR titled “Senators Target Internet Narcotics Trafficking Website Silk Road”. I only bothered to hit the link because I saw it mentioned on the website Anit-forensics.com. The short article complained of drugs blatantly sold on the Internet and something needed to be done about it and Congress is going to solve that one for us. Although selling drugs on the Internet is nothing new, the place on the Internet “openly” selling drugs was on the Tor network through the use of Tor’s “Hidden Services” function.  The “Silk Road” is an online market open for the sale of goods and named after the ancient road used to bring goods from the orient to the west.

For the power user of the Tor network Hidden Services is probably nothing new. For the average online investigator though you may have heard of Tor and may have even tried to use it (especially of you read my last article on using Tor in your investigations). But were you aware that webpages can be hidden within the Tor network? Have you ever seen a .onion domain name? if you haven’t then read on.

Hidden services were introduced to the Tor network in 2004. Tor’s Hidden Services are run on a Tor client using special server software. This “Hidden Service” uses a pseudo top-level-domain of “.onion”. Using this domain, the Tor network routes traffic through its network without the use of IP addresses.

To get to these hidden services you must be using the Tor Network and have your browser enable to use Tor.  How do you find sites using the hidden services? Start at the core…

http://eqt5g4fuenphqinx.onion/ 

Welcome to .onion Welcome to .onion

Core.onion according to its hidden services site has been in the network since 2007.

Once in the Core.onion you find a simple directory to start exploring Hidden Services on the Tor network.

TorDir TorDir

TorDir is a directory of Hidden Services. It gives you access to a variety of sites that offer instant messaging services, email, items for sale, social media type sites and marketplaces.

Black Market Black Market

 

In the markets a variety of things are for sale, most look to be illegal though. File sharing also looks to be popular and can be found in several .onion sites.

File Sharing File Sharing

 

To make purchases bitcoin seems to be the most popular virtual currency and is regularly mentioned throughout the .onion sites.

Bitcoin Bitcoin

 

Another good location to start finding out about what Tor’s Hidden Services have to offer is a wiki located at:

http://xqz3u5drneuzhaeo.onion/users/hackbloc/index.php/Mirror/kpvz7ki2v5agwt35.onion/Main_Page

 

Also, if you are an IRC fan Tor hidden services can be used there also. The Freenode website gives the instructions on how to access Freenode IRC servers on Tor’s Hidden Services.

If you are interested in learning more about Tor’s Hidden Services here are a few sites that can get you on your way:

http://www.onion-router.net/Publications/locating-hidden-servers.pdf

http://www.irongeek.com/i.php?page=videos/tor-hidden-services

http://www.torproject.org/docs/tor-hidden-service.html.en

 

Not to make it any worse but if you have not heard Ip2 (another anonymizing network that is becoming increasingly popular) also has its own “eeepsites” similar to the Hidden Services offered in Tor that a user can post content to like a website.

Hidden Services are going to increasingly become a location that will be misused by many. It will also become a place on the Internet that investigators will need to become increasingly familiar with if they are to further their online investigations.

Tor and its use during online investigations

Monday, July 18th, 2011

When investigating crimes on the Internet the investigator needs to consider how much information that he presents to servers and webpages that he may be investigating.  Hiding oneself on the Internet used to be the purview of hackers. However, technology changes and so has the ability to easily implement the same techniques hackers use to hide themselves during your investigations. There are many techniques for eluding identification on the Internet. Proxies have been used for years for this purpose. Proxies act as just that a “Proxy” or a go between. It’s a computer that acts on your behalf and forwards to the server you are looking at any requests you make. The server you are investigating only sees the “Proxy”.

Another significant tool in the “I need to hide on the Internet” world is the venerable tool “Tor”. Tor (The Onion Router) was developed from a concept originally written about by the U.S. Navy. According to the Tor website,  “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”

Using Tor during online investigations is much easier now that it has been in the past. This is due to the increase in most users Internet bandwidth, the constant upgrading and improving of the Tor software and it easy integration into the popular browsers. So how does the investigator implement Tor during his investigations? Well the simplest method is to use the Tor network to hide browsing activity. If you are investigating a webpage or website we know that there is certain information that our browser tells that server or website about who we are and potentially where we are. Our browsers can reveal our IP addresses what kind of browser we are using and its version. We can use Tor to prevent a suspect webpage from identifying us.

Let’s take a look at how to install and implement Tor so we can us it during our investigations. Installation for Tor is pretty starting forward now. Go to the Tor project website and download the current “Vidalia” (like the onion) Windows installer. Click on the executable file and the project installs. The trick to using Tor is setting the proxy setting in your browser to use the Tor network. Your browser normally makes a call out through your Internet Service to servers on the Internet. These servers easily identify who you are by your Internet Protocol (IP) address so they can communicate back with you.  This exposure of your IP address is what can tell the bad guy who you are and possible who where you are in the world. The Tor network in its simplest description strips that information out and only provides the end user with an IP address belonging to the Tor network and not you. Thus you have effectively hidden from the end website you are visiting or target user that you may be communicating with through the Internet (Please note this is an over simplification of the process and exact details of how the Tor network works can be found on the project website).

So once Tor is installed your next actions are to set up your browser to use the Tor network as its proxy (proxy being a server acting as your entry point to the Internet and in this hiding your real IP address). Using Windows Internet Explorer version 8 go to Tools|Internet Options|

Changing Internet Explorer Settings

Changing Settings in Internet Explorer

 The select “Connections” and click on “LAN Settings”.

Image 2 -Tor IE LAN settings

IE LAN Settings

 

IE LAN Settings Address and Port IE LAN Settings Address and Port

In the Local Area Network (LAN) Settings box you need to click on the box “Use a Proxy server for your LAN” in the address box add 127.0.0.1 and add in the Port box 8118. Click OK twice to exit and you are now able to use the Tor network.  You will continue to use the Tor network as your proxy until you uncheck the “Proxy server” box. This will then return you to your normal web access.

The Tor Project has a page you can go to that will verify that you are using the Tor Network or you can go to one of the websites on the Internet that grabs your IP address like http://whatismyipaddress.com/

In the Windows taskbar a little Onion symbol when opened will show you the “Vidalia” Control Panel. The control panel lets you know you are connected to the Tor network  and can change the IP address you are coming from by clicking on the “Use new identify” button.

Tor Control Panel

Control Panel

Once connected click on the setting button in the control panel. For our investigative purposes click on “Run as client only”.  This will ensure that other users of the network are not using your system as a relay server on the network (Tor data would actually be passing through your computer). 

Tor Settings Tor Settings

To see the other computers, and their description, on the Tor system click on the “View the Network” button.

We are no ready to go online and start our investigation without being identified.

Things to note here, the online application being used by the tor network in this configuration is Windows Internet Explorer. If you send an email to the target from your normal email client on your desktop, use another browser, instant messaging, or use P2P software you will potentially expose who you really are by your IP address. To use any other applications through the Tor network you need to set them up to use the Tor proxy settings.

Other things to consider in your Browser set up that need to be turned off.  Turn off running scripts, ActiveX and cookies. Also block pop-ups. But “I can’t access all the good content on the Internet”. Correct you can’t but then the end user can’t identify you either. Each of these features enhance our web surfing experience, but they also require code be downloaded through your browser and run on your machine. This can allow for the code to default to a port it use that is not being redirected to the Tor network, thereby exposing who you are. This may not be important in all the cases you work, but be aware of it. If you lock down your browser and don’t get the content you want you can always relax the controls and go back and look at the site, but at least you are aware then of the risks and make that decision based on the investigation.

Using WebCase with Tor requires just installing Tor as described above. WebCase collects web –based evidence through Internet Explorer even when piped through the Tor Proxy. The collection times will be extended because of the way Tor functions and has nothing to do with WebCase.

Social Media, Travel, Speeches and FourSquare

Thursday, April 29th, 2010

As much as I try to avoid business travel anymore, the more I seem to do.  Although travel is not bad it can get overwhelming at times and seems to just put me further behind. I did recently in my travels have the opportunity to speak, on an as of late favorite topic, and that is the use of Social Media by law enforcement. Specifically I was speaking on the lack of policy by agencies starting to use Social Media, not only as a community policing tool, but as an investigative tool.

Recently I was asked to present at the first annual SMILE conference or Social Media in Law Enforcement conference in Washington DC. This was a great gathering of various law enforcement professionals interested in Social media and its implementation within law enforcement. My specific piece was on the policy decision behind using social media as a law enforcement tool.  I spoke about the need to have policy to protect the law enforcement officer as much as the agency. I was able to speak with some great talent in the field that are adapting social media for investigative and communicative reasons.

I also had the opportunity to speak at the Massachusetts Attorney Generals Cyber crime Initiative quarterly meeting. The Mass AG sponsors a meeting quarterly on various cybercrime topics. She brings in investigators from all over the state to discuss cybercrime. I was lucky enough to speak on the investigation of social media, and of course hit the topic of policy for law enforcement.  The crowd of over 200 Massachusetts law enforcement investigators was eager to understand more about investigating social media especially as it applied to Cyber bullying cases.

During the two weeks I was gone, connecting to so many investigators in person, I wanted to be sure not to lose touch with my online contacts — not just customers and prospects who email me, but also Twitter and Facebook followers. So, as a smartphone user, I downloaded a new app and signed up for a new program called “Foursquare”. The use of FourSquare allowed me to stay connected on the road from my phone.  I could and did update my Facebook page and my twitter account from my phone with a few clicks of the keyboard.

I found this to be a simple and easy use of the media and received numerous comments back regarding my updates. Many were interested in my travels and found the topics I was speaking on of interest.

Why am I mentioning this? When I talk to groups like these, I want to be sure they understand the value of social networking in their professional lives — not just from an investigative standpoint, but also from the standpoint of being able to network and share ideas with one another. Our increasingly interconnected world makes this an absolute necessity.

Are you on Foursquare, Twitter, Facebook or LinkedIn? Please feel free to connect with me.

Gangs on the Internet

Wednesday, September 16th, 2009

Everyone engaged in technology today is using some form of social media. Law enforcement is learning to deal with it and so are the criminals. Gang members have found it to be a great communication source and are regularly using social media to keep in contact. MySpace, Facebook and especially Bebo, have become popular places for gang members to hang out.  The term used to describe gang members activity online is Cyberbanging. Cyberbanging isn’t a brand new term, but it is probably not widely known outside of its gang member users.

General intelligence collection is a task that the web can offer gang investigators. Blogs, social media pages, tweets can all give the law enforcement gang investigator valuable information about the goings on in a gang and potential strife between varying factions.

Law enforcement generally identifies a criminal street gang by having 3 or more members, common symbols or leadership, and gathering together to commit crimes or a continuing criminal conduct (or enterprise). They also generally classify gang members according to one of four criteria: 1) self admission, 2) a reliable informant confirms membership, 3) an unreliable informant confirms, and a second source corroborates, and 4) via confirmed law enforcement source.

The Internet can help identify gang affiliation by finding the members’ self admissions, i.e. photos of gang activity, comments indicating gang activity and being the corroborated source of information. A member’s MySpace page can contain significant information about them and their activities.

Those investigating gang members need to look on the Internet for potential members of their local gangs. Failing to do so could potentially overlook threats or trophy shots of criminal behavior that could prevent or solve crimes. In the worst cases, they may find the evidence to support a murder as a gang related crime as in the Jamiel Shaw case in Los Angeles. By many reports Jamiel was a star athlete. The dark side of his life was his Cyberbanging as a member of the Bloods.  His MySpace page tells a very different story of his life then many people thought. There he allegedly proclaimed his gang membership and flashed gang signs.

Documenting this kind of online activity easily supports a law enforcement agency’s investigation into gang activity.

Surprise!!! The White House Acting Cybersecurity Czar Resigns

Monday, August 3rd, 2009

A not so good announcement today from came from Washington, about the resignation of Melissa Hathaway as Acting Cyberczar. This certainly isn’t a surprise given the inability for the White House to find a candidate. As reported a few weeks ago on Forbes.com the Whitehouse has had some difficulty in recruiting the significant high level Industry executive it’s wanted.

So what does this do for cybersecurity and cybercrime investigation in the U.S.? Nothing, but that is what has been happening for some time now. The direction of the past two administrations has focused in other issues (Bush the War in Iraq and Obama the Economy). Both important distractions but multitasking should the name of the game. The Federal government employs enough people to be able to focus on more than one politicized problem. Simplifying the problem and involve multiple stakeholders in addressing the core issues would be of some help. Unfortunately as an outside observer I’ll I see is a waiting game. Wait until the Czar is appointed and wait until he/she develops a plan, and wait until it is reviewed and wait until we can get the plan funded and wait until congress approves the funding and wait until we can build a bureaucracy to support the project and wait and wait and wait….

Obama may shortly appoint his Cyberczar and we might get some progress on cybercrime but, we also may have to wait awhile.

Threat of Cyber Crime Continues to Increase

Friday, February 13th, 2009

Jim Kouri, formerly the Chief of Police of the New York City housing project in Washington Heights, wrote recently in MensNewsDaily.com about Cyber Crime and its increasing popularity as a criminal endeavor. He rightfully identified that there is a difference between critical infrastructure protection (Cyber security threats) and Cyber crimes (traditional crimes committed through the use of technology). This is far too often overlooked at the national level and appropriate consideration given to both areas. Threats to our critical infrastructure are not the same as Cyber criminals stealing from our citizens. However, from the initial look at a crime, say a “Phishing” scam against a bank, a law enforcement investigator does not know if this criminal act is a foreign state attacking our economic system by trying to make the bank fail, or a teenager from one of the old eastern block countries simply scamming unsuspecting customers out of their funds.

Law enforcement from the outset often ignores these crimes due to the investigative complexity of the crime and the lack of training and tools to effective pursue the evidence. The current economic situation is making things even worse for those agency’s who do attempt to address Internet based crime. In California High Tech Crime Task Forces are being shut down due to the budget crisis. The Northern California Computer Crime Task Force has shut down and the San Diego area CATCH Team will shut down on February 16th. Both of these task forces have made a significant impact on criminals using the Internet to commit crimes. Yet, we are allowing them to close and very little is being done to stop it.

The new administration is due to announce the appointment of its new Cyber Czar. I don’t have a hope for the near future with the President saying one thing before his inauguration:

“As president, I’ll make cyber security the top priority that it should be in the 21st century,” … “I’ll declare our cyber-infrastructure a strategic asset and appoint a National Cyber Adviser who will report directly to me.” (from a speech at Purdue University last July)

And doing another, which is by most accounts putting the new Cyber Czar post several layers down in the Department of Homeland Security. If it does end up in DHS it will be another function unable to deal with the national problem, because the appointee will have to facilitate conversations with the FBI and other organizations outside of DHS responsible for Cyber crime investigation. In addition the new Cyber Czar would have to fight for funding within his or her own organization.

As with the intelligence collection and review issues, as determined by the 911 commission, Cyber crime is another area not coordinated nationally with the many different stake holders in the arena. The better model would be to have the Cyber Czar in the White House with positive control over budgets and agency actions responding to the problem. The National Intelligence Director’s position is the best model for this issue. The problem is not for a single agency to try and solve but it should be the responsibility of a single entity to coordinate the response nationally. Cyber crime is dealt with at all levels of law enforcement in this country, from the City police investigator looking into Vice crime on Craig’s list to International Child Porn rings investigated by the FBI. Yet with all this crime occurring there is no coordination of cyber criminal intelligence or investigations from the bottom to the top.

Lastly, the person selected as Cyber Czar should have a concept of operational response to both the Infrastructure Protection space as well as the Cyber crime arena. They are two different animals and require different skill sets, but complementary responses. We will have to wait and see if the President’s pick is up to the challenge and given the proper authority and resources required to accomplish the mission.

Technorati Tags: ,,,,,,

Administration to establish major office for cyber matters

Friday, February 6th, 2009

Shortly after taking office President Obama announced that there would be a “Cyber Czar” (my term not his) named “…who would report directly to the president, greatly increase funding for interoperable first responder communications and spend $5 billion in global counterterrorism cooperation…”

They are addressing Cyber threats and Cyber infrastructure so where in the new administration’s proposals is the part where we as a country deal with the problem of Cyber Crime? Well for the first time an emphasis, albeit small is noted in the Homeland Security Agenda that says:

“Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime”

This is significant in that it is a change in direction from the previous administration’s plan that did not address the Cyber Crime problem. The Bush plan was focused on Infrastructure protection and did not effectively address the overall issue of Cyber Crime. Although many of the items described in Obama’s plan are similar to recommendations previously made to and by the Bush administration.

I have been arguing for some time that there needs to be a comprehensive national plan to deal with Cyber Crime. There is currently no clear understanding of how much Cyber Crime is being committed in the U.S. To complicate that there is no requirement for U.S Law Enforcement agencies to collect and report (in the FBI Uniform Crime Reporting-UCR system) on any Cyber Crime that is committed against our citizenry. So exactly how do we know the magnitude of the crime committed and where to apply the resources?

A comprehensive national plan needs to include several things:

  • A clear definition of Cyber Crime.
  • A reporting mechanism for law enforcement to identify the amount and nature of the Cyber Crimes committed.
  • National Stake holder input. This is not just a federal problem it involves law enforcement at all levels including the judiciary and each levels issues need to be addressed.
  • Sufficient funding must be provided to clearly address the problem at multiple levels.
  • Tools to deal with Cyber crime investigations MUST be common and available.
  • Encourage the reporting of Cyber Crime to local law enforcement agencies.
  • Develop better communication on Cyber Crime and its investigation between Federal, State and local LE
  • Development of an interoperable international legal framework to assist in the investigation of cyber related crimes.
  • And lastly, we need to make cyber investigations an everyday policing event for law enforcement.

We will have to wait and see what the Obama administration will do with this proposal in the DHS agenda. The need has not gone away with the “Change”, it will only continue to grow.