It's my great pleasure to introduce to you Mustafa Al-Bassam. He's going to talk about uncovering British spies' web of sockpuppet social media personas. Mustafa is a PhD student at University College London, studying information security and focusing on decentralized systems. Mustafa was a co-founder of LulzSec, a hacker activist group some of you might have heard of. And with that, please give a warm applause to Mustafa. Hey, so it seems that over the past year we've had a lot in the media about this idea that the people you interact with on Twitter and Facebook and other kinds of social media are not necessarily who they say they are. And sometimes they might not even be people at all; they might be bots. And we've heard about how this might be used to manipulate people into believing certain things or certain ideas. And this has become quite a big topic recently, especially after the US presidential election in 2016, where according to one study, up to one in five election-related tweets weren't actually from real people. And apparently it's such a big problem that even the president is being manipulated by Twitter bots. But this is a kind of activity that has been going on for a very long time, and not just from Russia or China. The West also engages in these kinds of activities, including the UK and the US, but in other regions. So today I'm going to be talking about how Britain does this. So in the UK we have an NSA-equivalent intelligence agency called GCHQ, or Government Communications Headquarters. Their job is basically the UK's version of the NSA: to collect as much information as possible through wiretaps and mass surveillance systems. But they also have a subgroup, or sub-team, within GCHQ called the Joint Threat Research Intelligence Group, or JTRIG for short. And what these guys do is basically a fancy name for sitting on Twitter and Facebook all day and trolling online.
What they do is conduct what they call human intelligence, which is kind of like the act of interacting with humans online to try to make something happen in the real world. And in their own words, one of their missions is to use dirty tricks to destroy, deny, degrade and disrupt enemies by discrediting them. And we've seen JTRIG having been involved in various campaigns and operations, including targeting hacktivist groups like Anonymous and LulzSec, and also protests in the Middle East during the Arab Spring, and also the Iranian protests in 2009. So, a bit of context on what led me to uncover this stuff and to actually research it. In 2011 I was involved with the hacktivist group LulzSec, and to refresh your memory, LulzSec was a group that existed during the summer of 2011 and hacked into a bunch of U.S. corporate and government organizations like the U.S. Senate, FBI affiliates, and also Sony and Fox. And the same year I was arrested, and a year later I was officially indicted on a court indictment. But the thing that struck me about this indictment was that there was absolutely no mention in this court document about how they managed to deanonymize me and my co-defendants, or how they managed to actually link our online entities with our offline entities. And I thought this was suspicious, because our U.S. counterparts' court indictments actually had very lengthy sections on how they were caught. For example, when the FBI arrested Jeremy Hammond, his court indictment had very detailed information about how the FBI socially engineered him and managed to track him through his IP address and through Tor and whatnot. But then, fast forward a year later, Ed Snowden started leaking documents about the NSA and GCHQ. And then in 2014, some of those documents were released by NBC, and they showed that GCHQ was targeting hacktivist groups like Anonymous and LulzSec.
And that made a lot of sense in my head, because if GCHQ was involved in the deanonymization process, then they wouldn't want to have that in the court indictment, because it would reveal their operational techniques. And this is one of the leaked slides from GCHQ talking about some of the hacktivist groups they targeted. One of the people they targeted was someone who went by the nickname of p0ke, who was chatting in an IRC channel, a public chat network. And this was a public chat channel where people from Anonymous and other kinds of activists kind of sit and chat about various topics and also plan operations. And this person, p0ke, was chatting on this channel and posted that they had a list of 700 FBI agents' emails, phone numbers and names. And then it turned out that a GCHQ agent was covertly in this channel observing what people were saying. And then the GCHQ agent initiated a private message with this person to kind of get more information and to try to build a relationship with them. And the agent asked them what the site was. And they just gave that information up, and they even gave them a sample of some of the leaked information. So it turns out that actually GCHQ was active in these IRC networks and chat networks for months, if not years. And they were in up to several hundred channels at a time. They were just sitting there idling. They weren't really saying much or actually participating in conversation, except that every few months you might notice them say "hey" or "hello" in the chat, even though it might be out of context with the conversation that was going on, presumably so that they wouldn't get kicked off the network, because some networks kick you off if you're idling there for too long.
And then often what they would do is private message people in chat rooms to try and corroborate information about activities that were going on and being discussed, or try to entrap people by getting them to admit to things, as we saw with p0ke. And it seemed to be quite a common theme that these undercover feds and agents were sitting in these chat rooms. In a Europol meeting in 2011, where 15 European countries were discussing what they were doing to tackle Anonymous and LulzSec, apparently there were so many undercover cops in these channels that they had an issue with undercover cops investigating each other. So the GCHQ agent that was targeting p0ke sent them a link to a BBC news article about hacktivists. And according to this leaked slide, this link enabled GCHQ to conduct signals intelligence to discover p0ke's real name, Facebook and email accounts, et cetera. It doesn't say exactly how they did that, but it's not that hard if they have your IP address and user agent. Back then, in 2011, most websites weren't using HTTPS, including Facebook. So if they look up your IP address in SQL or the dragonate surveillance systems, they can easily see all the traffic originating from the IP address and what Facebook accounts are connected to the IP address, for example. But in this slide leaked by NBC, the URL was redacted. But it wasn't very hard to actually find that URL, because these were public channels that GCHQ agents were talking in, and people had been targeted themselves, including myself, and we were able to find out what that website was, which turned out to be a URL shortener. So the website that was sent to p0ke to click was lurl.me. And according to archive.org, this is a snapshot of lurl.me from 2013, just before it went offline, that basically showed it was a URL shortening service; it looks like a generic URL shortening service.
One of the things I noticed is that the domain name actually sounds like "lure me", which is basically what they were doing, because JTRIG had this internal wiki where they listed all of the tools and techniques that they use in their operations. And one of the categories they have is shaping and honeypots. And in that category they have a tool that is codenamed Deadpool, which is described as a URL shortening service. And that's what lurl.me was. We first saw lurl.me in 2009. The domain name was registered in 2009, and almost immediately it was linked to tweets about the Iranian protests. And then it went offline in 2013, shortly after the Snowden leaks, in November. But the interesting thing is, if you look up all of the instances of this URL shortener being used on social media and Twitter, there are probably about 100 to 200 instances of it being used. And every single one of those instances where it was used was associated with political activities, mainly in the Middle East or Africa, usually protests. And the majority of them were coming from default Twitter accounts with no avatar, with very few tweets, and they were accounts that were active for only a few months between 2009 and 2013. Some of the techniques that JTRIG used, in their own words, to conduct their operations include uploading YouTube videos containing persuasive messaging, establishing online aliases with Facebook and Twitter accounts, blogs and forum memberships for conducting human intelligence or encouraging discussion on specific issues, sending spoof emails and text messages, as well as providing spoof online resources and setting up spoof trade sites. And this is exactly what we're gonna see over the next few slides. And one of the examples of their operations is that they actually targeted the entire general population of Iran, which is a pretty big target audience of 80 million people. According to them, they had several goals in Iran.
The first goal was to discredit the Iranian leadership on its nuclear program. The second goal was to delay and disrupt online access to materials used in the nuclear program. The third goal was conducting online human intelligence, and the fourth goal was the most interesting goal, in my opinion: counter-censorship. It might sound great, it might sound almost like GCHQ is aligned with the motives of the internet freedom community by helping these Iranian activists to evade censorship. But as we're gonna see, it's not really the case. The main sockpuppet account on Twitter that JTRIG was running during this campaign in 2009 was called 2009 Iran Free. This was the most active Twitter account that they had, and it had 216 tweets. And they also had a bunch of other accounts that were less active, that had default avatars, probably just to build up their social network, that mostly tweeted the same things as the main account but slightly reworded, or even retweeted them. And what this Twitter account essentially did was, in quick succession, over a period of like one or two weeks, tweet a bunch of links from this URL shortener for various purposes, to various articles and blogs online. And they also actually had a Blogspot website with like one article, to kind of expand the network, I guess. One of the activities that 2009 Iran Free and the other sockpuppets were doing was trying to spread the same IP addresses as proxies for Iranians to use for counter-censorship. So for example, you can see that they have a list of IP addresses here, with the hashtag #IranElection, that they can use for protests, and they might sometimes tweet links to those proxies using that URL shortener. And this is quite concerning, because one of the tools used by JTRIG is also a tool codenamed Molten Magma, which is basically an HTTP proxy with the ability to log all traffic and perform HTTPS man-in-the-middle.
Because again, they were spreading exactly the same IP addresses. All of these sockpuppet accounts were spreading exactly the same IP addresses and the same links to Iranians to help them, or allegedly to help them, evade censorship. And they were even claiming that these were the same proxies used by the Iranian government to get around their own firewalls. So apparently, if they block these proxies, they will block their own access to the outside world. And this is essentially what they're doing here. In this context, GCHQ is kind of acting like the big bad wolf from Red Riding Hood. They might seem like they're helping you, but they're also causing you harm in the process. And this is a list that contains some of the techniques that JTRIG used. This was also a leaked document. And this essentially kills two birds with one stone, because what they do is, at the bottom, it says one of the techniques is hosting targets' online communications for collecting signals intelligence, as we saw with p0ke, which is why they tweet these links using the URL shortener, so that they can conduct signals intelligence on people who are interested in clicking these links, and also providing online access to sensitive materials, and sending instant messages to specific individuals, giving them instructions for accessing sensitive websites. One of the forums that these proxies were posted in was whyweprotest.net. And someone actually almost got it right. Someone asked, why does the government use proxies? That doesn't make any sense. They wouldn't need any proxies. And then someone replied, the Iranian government allegedly has set up proxies to monitor connections from within Iran to be able to pinpoint the people who are trying to bypass these blocks. So they were almost right, because it wasn't the Iranian government that was actually monitoring connections within Iran. It was GCHQ.
They would also set up really basic websites that basically acted as RSS feeds to English websites about Iran, presumably also for counter-censorship reasons. One of the strange things they did was mimic government officials. So for example, they might post on forums saying, attention users outside Iran, you can call the president at this number to just cast the elections direct. And they said that you should not call this number if you are in Iran. And then they would also give an email address for the vice president on Twitter. This also matches up with another technique that GCHQ uses, again according to their leaked documents, where they send brief emails and text messages from a fake person, or mimicking a real person, to discredit, promote distrust, dissuade, deceive, deteriorate or disrupt. Whatever the purpose was, it certainly managed to promote distrust, because one of the replies to this post was: this can't be the president's number, because if it were, the second the call is answered it would be answered by the Iranian intelligence services. Still, these are strange days; I suppose anything could happen at this point. So that was most of the activity that we saw in 2009. There were a bunch of other Twitter accounts with default egg avatars associated with these things. You can find them if you search "lurl.me" with quotation marks in Google with site:twitter.com. In 2010 there was absolutely no activity on Twitter or social media associated with this URL shortener. Then in 2011 we saw some activity in Syria for this URL shortener, for a similar purpose of conducting censorship resistance in Syria, and they were essentially doing the same thing, same techniques: giving people IP addresses to connect to that are probably MITM'd.
But one of the interesting things they did here as well is they didn't just tweet stuff, they also posted a YouTube video, like a very poorly made YouTube video with only 300 views, to try to get people to watch that. Now, they didn't really try very hard here, because if you actually look at the times these accounts tweeted, all of the accounts associated with Syria only tweeted between 9 and 5 UK time, Monday to Friday. I mean, I don't know, I think they were lazy, or they just weren't really bothered or motivated. But one of the limitations that JTRIG has, they actually had in the leaked documents a list of limitations that the staff have on conducting operations. And one of them is that they have difficulty in maintaining more than a small number of unique, multi-dimensional, active aliases, especially when doing online human intelligence, which is why we only see like one main Twitter account for these events and then a bunch of other default egg accounts, usually like five or six. We don't tend to see hundreds of them; we only see less than 10, because this was back in 2009, 2011, and they weren't doing it in an automated way. And they also said there was a lack of continuity in maintaining an alias, or communicating via an alias, if a staff member is away and his or her work is covered by others. And the other one was a lack of photographs, visual images, for online aliases, which is why we always see egg or default avatars for these sockpuppet accounts, because unless they have a full-fledged graphics team or have faces of people to put in there, they can't really put anything as the avatar. And they also apparently had a lack of a sufficient number of varied cultural and language advisors, e.g.
in Russian, Arabic and Pashto, which is why we see here on these Twitter accounts they're basically tweeting the same thing over and over again with no variation, exactly the same text over and over again, because they don't have lots of translators to translate it. The other thing we saw in 2011 was a very targeted attack during the Bahrain protests. They had a Twitter account called Freedom for Bahrain, and they just sent two tweets mentioning two Twitter accounts, 14 Feb TV and 14 Feb Revolution. And these were Twitter accounts that were really big social media outlets in Bahrain that were covering the protests going on there. And these were targeted mentions of the kind that we saw with p0ke. So presumably here too they were using that to conduct signals intelligence to discover who was running these Twitter accounts. In 2012 we also saw no activity associated with this URL shortener. Then in 2013 I managed to find one tweet related to Kenya, to Kenyan presidential politics, and this person isn't a GCHQ sockpuppet; this person is a research assistant at Human Rights Watch. So that begs the question of how they actually got this URL. Probably a similar message to p0ke's: they probably sent him a link through a private message, he found it interesting and tweeted it. So not only are they targeting protesters, they're also targeting NGOs. Then in 2013 all of the infrastructure associated with the URL shortener was shut down. This was in November 2013, which was a few months after the Snowden leaks. So they had a bit of a delay in doing it, but it must have been a real pain in the ass for them to have to renew all the infrastructure. But I did do some digging into some of the other hostnames that were hosted on this lurl.me server between 2009 and 2013. Most of these hostnames seem to be like random, often numeric, domain names, and some of them are using DNS providers like DynDNS or DNSalias.
I wasn't able to find any websites archived for these domains. So it doesn't seem that there were any websites there, but if you have any ideas let me know, because one of the things that I suspect is that these might have been malware endpoints or command and control servers that they were using. So if you have any monitoring tools or logs, then maybe you should look up some of these hostnames. But one of the domain names that I thought was interesting there was dynsadventures.net, and this is the archived page for dynsadventures, which was another website based in Kenya. They were up to something in Kenya. This was a very basic, very poorly made one-page website, and it claimed that they were having site problems: apparently "we have noticed problems with our booking system. This has been taken offline until the techs find our problem. We apologize for the inconvenience." But there was never any booking system in the first place. This was just pretty much a ruse to make it look like a legitimate company was hosting there if you went to this website. So if you know anything about that, then I'd be curious as well. And also, if there are any GCHQ agents in the room, then I'm happy to get a drink with you as well. That's all I have for today. Does anyone have any questions? Okay, IRC asks: deceiving the target into trusting you and clicking any form of info is used everywhere right now, IRC, Twitter, Facebook and so on. How would you advise people to distinguish between a genuine identity and an undercover agent? I think that's a very good question, because... So, just a quick second. If you really have to leave the room right now, people, please do so quietly. We still have a talk going on, and it's really disrespectful if you make that much noise and interrupt this whole thing. I know a lot of people are interested in the talk afterwards, but we'll all get you in and... Sorry.
So I think that was a very good question, because if you're doing activism online and you need to be anonymous and you don't want to meet up with people in person, then how do you know that the people you're coordinating with... or if you're in a public group where you personally accept new members to that group, how do you know, or kind of differentiate between, who's actually there to harm your group and who's actually there to contribute? And I think the answer there lies in what you share. Don't share information with anyone that could potentially put you at harm, even with people that you trust. So essentially you don't trust anyone, and this is a basic opsec rule. And this is how Jeremy Hammond messed up a few years ago, because they caught him because he was revealing too much information about his life, like where he eats or something like that, or his previous drug records. And they were able to use that to figure out who he was. And that was the same mistake that p0ke made. He was too open and friendly to that agent for no reason. So I think the answer is to do your operations in a way where you don't have to trust people. How effective do you think these methods are? Because we've seen the number of followers on Twitter and the number of views on YouTube were very low. So how many people are affected by these kinds of operations? So there was also a slide that I was going to put in there: there was another leaked page from GCHQ that had a list of bullet points on what they considered to be an effective operation. And some of those bullet points include how many people clicked that link, how many people watched a YouTube video, et cetera. So it's pretty much the same way as you would measure it: how many people viewed a specific message.
Now, in those specific use cases, I don't think they were very successful on a large scale, specifically in the Iran protests, because their Twitter accounts only had very few followers and their YouTube videos only had a few hundred views. But they might have been more, they're obviously more successful in the more targeted cases when they're targeting specific individuals, like during the Bahrain case or the p0ke case. Over there, please. Sure, thank you. I was just curious if you were familiar with the work of Erin Gallagher. She's done work to try to figure out, kind of quantitatively, and make these visualizations, to try to figure out if a particular Twitter account, for example, is a bot or whether it's a person, and there are some rules of thumb, like the bots just kind of interact with each other and don't interact with real people. I'm just curious what techniques you may know of to figure out what is a bot and what is not, and whether you are familiar with those particular lines of research. I'm not familiar with their work, but thank you, I'll check it out. In terms of what kind of metrics you could use to see if an account is valid or not, I guess their tweeting habits and when they tweet, for example, could be indicative. So for example, we saw these accounts only tweet nine to five, although obviously that's quite easy to make it so that it's not the case. Also, I think one useful thing that might be interesting to do is try to map the network of these accounts. If you build a web of followers, then you might be able to very easily graphically detect very obvious clusters of accounts that are following each other to boost each other's signal. Yeah, for sure, thank you. Switch over to mic six, please. Thank you for the great talk. How would you compare the former British activities to the current Russian activities? Maybe a talk in itself, but...
To be honest, I haven't been digging too deep into the details or following too much about the Russian activities, so I can't really comment on that. I don't know how prolific it is. I mentioned it briefly in the beginning of the slides because it was giving some context. So I'll have to research more into the Russian activities. Go to mic five again. Thanks. To continue from the person who spoke, that would have been my question. So just to add on to that, did you stumble upon similar patterns coming from, say, Canberra or Washington, DC? So these accounts were very specific to UK operations. There was no kind of collaboration there with other countries within the Five Eyes, like the U.S. or Australia. But I think they might have... GCHQ, I think, has collaborated before with the NSA. JTRIG specifically, I think, has collaborated before with the NSA to deanonymize certain people. So, for example, we saw a few years ago, or last year I think, there was a drone attack. Someone was illegally killed in a drone strike in Iraq. He was suspected to be an ISIS member: Junaid Hussain. And apparently the way that he was deanonymized, or the way they found his location, is that the U.S., the FBI specifically, had an informant that was talking to this person, and that informant sent them a link that was generated by GCHQ, and then, through that link, they were able to geolocate them. So I think there's some collaboration there, but this is mostly UK activity. All right, last question. We are out of time. Thank you again, Mustafa.
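The two detection heuristics raised in the Q&A, posting only during UK office hours and clusters of accounts that follow each other, worked through in code as an added example; this is not code from the talk or from the speaker, and every account name, timestamp and follow edge below is constructed.

```python
"""Sockpuppet heuristics from the Q&A: office-hours-only posting and
mutual-follow clusters. Added example; all data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    UK = ZoneInfo("Europe/London")          # handles GMT/BST automatically
except Exception:                           # no tzdata: June is BST (UTC+1)
    UK = timezone(timedelta(hours=1))

# Constructed sample: account -> tweet times as UTC ISO 8601 strings.
# 2011-06-06 is a Monday; 2011-06-04 is a Saturday.
TWEETS = {
    "acct_a": ["2011-06-06T09:15:00Z", "2011-06-07T12:40:00Z", "2011-06-10T15:55:00Z"],
    "acct_b": ["2011-06-06T10:05:00Z", "2011-06-08T14:30:00Z", "2011-06-09T11:00:00Z"],
    "acct_c": ["2011-06-04T22:10:00Z", "2011-06-05T02:45:00Z", "2011-06-08T19:20:00Z"],
    "acct_d": ["2011-06-07T13:00:00Z", "2011-06-07T13:01:00Z"],
}
# Constructed sample: (follower, followed) edges. a<->b and a<->d are
# reciprocal; b->d and c->a are one-way.
FOLLOWS = [("acct_a", "acct_b"), ("acct_b", "acct_a"), ("acct_a", "acct_d"),
           ("acct_d", "acct_a"), ("acct_b", "acct_d"), ("acct_c", "acct_a")]


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def office_hours_only(stamps, tz=UK, start=9, end=17):
    """True if every post lands Mon-Fri between start and end o'clock in tz.
    An empty history is not evidence of anything, so it returns False."""
    if not stamps:
        return False
    for stamp in stamps:
        local = parse_utc(stamp).astimezone(tz)
        if local.weekday() > 4 or not (start <= local.hour < end):
            return False
    return True


def mutual_follow_clusters(edges, min_size=2):
    """Group accounts joined by reciprocal follows using union-find.
    One-way follows (a real person following a puppet) do not join clusters."""
    edge_set = set(edges)
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]   # path halving
            node = parent[node]
        return node

    for a, b in edge_set:
        if (b, a) in edge_set:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for node in {n for edge in edge_set for n in edge}:
        groups[find(node)].add(node)
    return sorted((g for g in groups.values() if len(g) >= min_size),
                  key=len, reverse=True)


def flag_sockpuppet_candidates(tweets, follows):
    """Accounts that both post only in office hours and sit in a mutual-follow
    cluster. Either signal alone is weak; together they are worth a look."""
    clustered = set().union(*mutual_follow_clusters(follows))
    return sorted(acct for acct, stamps in tweets.items()
                  if office_hours_only(stamps) and acct in clustered)


if __name__ == "__main__":
    print("clusters:", mutual_follow_clusters(FOLLOWS))
    print("candidates:", flag_sockpuppet_candidates(TWEETS, FOLLOWS))
```

As the speaker notes, the posting-hours signal is trivial for an operator to defeat by scheduling, so treat it as a triage hint to be combined with graph structure and content reuse, not as proof on its own.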