This week in the Sunday Briefing: tools to research terrorism and radicalisation, techniques for investigating the rising, and leading, social media platform TikTok, and a discussion on the importance of ethics relating to a politically charged attempt at prosecuting a journalist.
(Main image: The source code for the OSINT Editor site. Oops, I am a hacker now! Keep reading for context).
Terrorism and Radicalisation Research Dashboard by Loránd Bodó
Terrorism of all kinds, unfortunately, remains an international problem. OSINT researcher Loránd Bodó created a comprehensive Terrorism and Radicalisation Research Dashboard on Start.me that provides both tools and updated research on global extremism. Aside from offering a plethora of information, the page exemplifies a great way to organise and make use of Start.me.
Loránd’s geographic page, which maps and monitors potential and actual terrorist attacks, is particularly helpful from a visual and practical standpoint. Several databases, such as the BAAD Database, are helpful resources for identifying networks and alliances, while there are plenty of conflict maps to choose from, with topics ranging from Islamic terrorism to far-right and far-left anarchist terrorism. The resources page is particularly helpful for anyone interested in researching terrorism. There is a fantastic section of recommended reading on remaining anonymous and OPSEC, as well as the legality and ethics of researching terror. Several tools also cover mitigation and how to de-radicalise people. The resources receive timely updates, making this an invaluable Start.me page for the OSINT research community.
OSINT Investigations on TikTok by Sinwindie from SecJuice
TikTok is rapidly growing in popularity and use; it will not go anywhere anytime soon as the userbase is generally younger. The service has an addictive pattern of (potentially) turning any one person into an internet celebrity (for better and worse). TikTok has expanded its product services by offering an online shopping mall based on the same algorithm that led users to start selling products on the store.
TikTok’s popularity thus makes it a rich OSINT resource. Although this introductory article on TikTok is a bit dated (two years old), Sinwindie did an excellent job providing an introduction to the possibilities of TikTok OSINT. Usernames, profiles, and reverse image searching all have quirks based on the social media engine being investigated, and all the bases are covered. If you (like me) have never ventured into the strange world of TikTok, this is a great place to start before using any OSINT TikTok tool. Video URLs, hashtags, descriptions, and comments are fantastic, if underutilised, OSINT tools. Sinwindie also created a flowchart for investigating TikTok for those who prefer visualisations to trace and follow.
The Missouri Governor’s Fictional Cyberlaw
The Venn diagram between those interested in cybersecurity and those interested in OSINT is not a perfect circle, but there is general overlap. Notably, one of the tasks that both professional OSINT practitioners and cybersecurity professionals perform is responsible disclosure. Responsible disclosure is critical to the ever-evolving task of ensuring a safe cyber environment. OSINT practitioners do not always disclose cyber risks, but there are other kinds of risk to disclose (physical security, personal information vulnerabilities, etc.). The consensus has not always been in favour of responsible disclosure, but finding someone who does not celebrate responsible disclosure is now rare.
One of those people, however, is Governor Mike Parson of the State of Missouri. The story is straightforward: St. Louis Post Dispatch journalist Josh Renaud found that some Missouri State teachers had their Social Security Numbers publicly accessible upon inspection of the source code of the website. All it takes to inspect a web page’s source code is pressing F12 (or Opt + Cmd + U for Mac users). Renaud and the St. Louis Post Dispatch reported this vulnerability to authorities, who fixed the error and removed the SSNs. The story then ran with a modicum of interest in Missouri; it was not a national, and surely not an international, incident. Even more so because authorities determined that the data had not been obtained or utilised by nefarious actors (although it may be more difficult to determine if bad actors had obtained the data, considering how public it was).
However, Governor Parson then took the entire episode personally; or politically personally. In a press conference, and in later statements, Parson declared he would use “full legal authority” to prosecute Renaud and the St. Louis Post Dispatch for hacking. The linked clip also shows how awful the reporting on this is, as KMBC 9 runs the headline, “MO Education Website Hack,” when there was no hacking involved. His Political Action Committee doubled down on his claim in a published video that also suggests this is an extremely bi-partisan move. Prosecuting Renaud under the Computer Fraud and Abuse Act and suing the St. Louis Post Dispatch would be costly and time-consuming, and will ultimately lead nowhere (there also may be a legitimate counter-suit possibility on behalf of Renaud and the St. Louis Post Dispatch for defamation, but I am not a lawyer, and you probably are not either). Not only is F12 not hacking, but the Computer Fraud and Abuse Act relies on defining hacking as using a computer in excess of authorisation, or without authorisation; the data accessed was fully public.
As suggested, this is likely a political opportunity for Governor Parson, a noted Republican, who will be using this pending prosecution as an opportunity to vilify the ‘liberal press’ to win points with his audience. The story in all actuality, and after having typed this, is inane and dumb.
However, there are additional, more abstract, lessons for the cybersecurity and OSINT world. First, ethics and integrity. The most boring part of OSINT is also probably too often underdiscussed in the community, given the material we are potentially handling. OSINT is a de-centralised working space (there is no oversight board), and to a certain degree, so is cybersecurity. Thus, having personal or team ethics is critical to ensuring reporting, not speculation or rumour-mongering. Reporting a fake video is really embarrassing, especially when being a fact-checker is intrinsic to the community. Being first is not nearly as important as double-checking sources and being a good fact-checker. Social media is a gift for OSINT research, and really a bane for sharing our work. Pick an ethics guide, learn where the red line is, and keep the white hat on. (I will not touch on when it might be appropriate to put on the grey hat, but it will likely be needed at some point, depending on the subject matter. An ethics guideline to walk into that precipice with is critical.)
Second, document every step in the research process. Renaud likely did not expect legal pushback on responsible disclosure, and fortunately, his case is not too complicated. Yet, it could have been a lot more technical and complicated. Documenting every step is not only important to having integrity (allowing additional researchers to verify your findings; the OS is for open-source anyways), but also important in a hyper-legal world. Furthermore, having a framework that allows for the documentation of every step makes the research process entirely more efficient, direct, and clean.
Third, work with, or have, a trusted team. Lone-wolf OSINTing is vastly overrated. Yes, some researchers conduct investigations alone, and there is not always a need to do collaborative projects. However, having a trusted network to double-check work with, verify results, and fall back upon when there is pushback is important. Moreover, a team learns and grows together. OSINT practitioners should always be on the cutting-edge of research tools, and getting there without a team is much more difficult.
Is there going to be a stark rise in disgruntled authorities coming after whistle-blowers and responsible disclosures? In most democratic countries, no; there are laws to protect such people. Yet, there is a trend towards authoritarianism; and authoritarians usually do not celebrate responsible disclosure or recognise ‘open-source’ resources as ‘open’. That trend is worth paying attention to as OSINT techniques seep into journalism across the globe.
As I finished writing this, a 6.5 earthquake, followed by a 5.4 and one hour later a 4.2, hit Taiwan. They were deeper earthquakes (all over 60km deep), but lasted over 30 seconds and were hard to ignore. Taipei’s MRT system evacuated the station and halted all trams for safety. Fortunately, there seems to be no damage.
Taiwan is very seismically active. In July, Hualien County was rocked by over 30 earthquakes in a day (I counted 36); that many is unusual. Taiwan is a massive rock formed quite recently in geological time (four to five million years ago) by seismic activity. Appreciating the seismic activity is quite something to behold on a map.