RE: Another Killer Demo

From: azollman@palantir.com
To: aaron@hbgary.com
Date: 2010-08-31 19:04
Subject: RE: Another Killer Demo

Sounds good. Pick a time 2pm ET or later. Dropping by Bethesda would be on the way Thursday, too.

_________________________________________________________
Aaron Zollman
Palantir Technologies | Embedded Analyst
azollman@palantir.com | 202-684-8066

-----

I get it on the breakout sessions. We would like to pursue the path to breakout with fingerprint data. That hasn't changed.

So here is the dynamic I am working with right now. We have separate customers interested in our ability to do volume malware processing and threat intelligence (this is TMC, Fingerprint, and Palantir). We have other customers, mostly on offense, that are interested in Social Media for other things. In the end both of these capabilities come together to build real threat intelligence marrying up malware data with social media data, just baby steps.

The social media stuff seems like low hanging fruit, so let's have a phone conversation on that on Thursday to discuss what are the next steps and when.

On the threat intelligence side we have some prep work to do. Greg told me that the data that he has is basically not available. Something about giving the TMC to HBGary Fed and dropping that because it was taking too many development resources and they need to focus. What does that mean? Not a huge deal, but we need to rerun our malware through the TMC and then through fingerprint and then take that data into Palantir. Right now we are running at max speed the rest of the week to get our Pentest report done and out to the customer by Thursday. So on Monday next week we can regroup with Mark I think and talk about how to get the threat intel stuff going. We have a meeting with US-CERT on the 9th and it would be good to be able to tell them a little more than what we have right now, meaning we have a plan to execute. The stick here is in our hands.

I will reread your last email, head is flooded, and we can readdress this on Thursday as well. Sound ok?

Good thing is potential customers definitely interested.

Let's do a webex on Thursday instead I can show you a few things I am working on. I will set it up.

Aaron

On Aug 30, 2010, at 9:18 PM, Aaron Zollman wrote:

> For the two breakout spaces, we're looking for an integration that
> focuses more on technical data. While I'd like to talk through this proposed
> workflow some more -- and it's certainly appropriate for the demo station
> you guys will have at GovCon -- it may not be right for the breakout
> sessions where Steckman and I have to focus our development energy. But
> let's walk down the path a little further before we decide anything:
>
> Is the idea that we'd want to ingest all of Facebook's data, or just
> a targeted subset for a few users of interest; possibly using helpers to
> reach out to the APIs?
>
> Pete Warden (petesearch.blogspot.com) ran into some issues with
> their AUP, resulting in a lawsuit, when he crawled most of Facebook's social
> graph to build some statistics. I'd be worried about doing the same. (I'd
> ask him for his Facebook data -- he's a fan of Palantir -- but he's already
> deleted it.)
>
> Aaron B, I'm available most of tomorrow and Thursday afternoon if
> you want to build out the workflow a little. The new cyber ontology has an
> "online account" type set up by default; we can start by preparing a
> Facebook Account subtype and build outward from there.
>
> Phone call good enough, or should we set up shop somewhere with data
> and laptops?
>
> _________________________________________________________
> Aaron Zollman
> Palantir Technologies | Embedded Analyst
> azollman@palantir.com | 202-684-8066
>
> -----
> From: Aaron Barr [mailto:aaron@hbgary.com]
> Sent: Monday, August 30, 2010 8:54 AM
> To: Aaron Zollman
> Cc: Matthew Steckman; Ted Vera; Mark Trynor
> Subject: Re: Another Killer Demo
>
> I think you would be demonstrating something completely new from a security
> standpoint. Twitter requires no authentication. Follow anyone you want.
> Facebook requires an acknowledgement to be included. People's Facebook
> friends lists are much closer to representing someone's actual social circle
> than just another source of information. This has huge security
> consequences. My hypothesis is there is an immense amount of information we
> can glean from this information. I have actually already proven this on a
> small scale doing research manually. I have been able to determine people
> who are employees of specific companies even though their profile was
> completely blocked, except their friends lists. I correlated friends lists
> across multiple people who I knew were employees of a particular company to
> determine this. I also was able to cross this information with LinkedIn
> information and determine people that were in subcontracting relationships
> to other companies. I think all of the Facebook information in a Palantir
> framework could result in some of the most significant security revelations
> related to social media yet published. No more handwaving, but real data to
> show the vulnerabilities. There is a huge social engineering/targeting
> potential here as well. If I wanted to target a particular organization
> what groups should I belong to, who are the influencers in the group, who
> has the most connections, etc.
>
> Let's get together to discuss and I can walk you through some of the stuff I
> am doing with persona development and social media exploitation.
>
> Aaron
>
> On Aug 27, 2010, at 2:43 PM, Aaron Zollman wrote:
>
>> It'd be even easier with the graph APIs...
>> http://graph.facebook.com/ ... JSON parser & an API key and we could knock
>> it out pretty quick. (Someone else's Facebook account, please, though!)
>>
>> What's the workflow we'd be shooting for, other than as a
>> visualization front-end for an organization's structure?
>>
>> I think we've done a Twitter presentation at GovCon in the past --
>> trying to hunt down the video -- so we wouldn't be demonstrating anything
>> new just by expanding it to Facebook. But that wasn't specifically in a
>> pen-testing/cybersecurity context. An integration with this and some other
>> pen-testing data -- known account identifiers, and data collected from them,
>> for example -- might be cool. If we could bring in some malware fingerprint
>> data too, and build a whole "here's how we pwned your network"
>> exploration...
>>
>> I've got the OSVDB (vulnerability database integrated), if it'd be
>> helpful.
>>
>> _________________________________________________________
>> Aaron Zollman
>> Palantir Technologies | Embedded Analyst
>> azollman@palantir.com | 202-684-8066
>>
>> -----
>> From: Aaron Barr [mailto:aaron@hbgary.com]
>> Sent: Thursday, August 26, 2010 11:43 AM
>> To: Matthew Steckman
>> Cc: Aaron Zollman; Ted Vera; Mark Trynor
>> Subject: Re: Another Killer Demo
>>
>> On the social side here is what I would like to do. I think between Mark
>> and Aaron this could be put together very quickly and would be powerful.
>>
>> Start with a profile in Facebook.
>>
>> http://www.facebook.com/profile.php?id=100001092994636
>>
>> View the source of that page. There are all kinds of information we can
>> collect and parse to build some very robust social maps.
>> Those people that provide information and have their friends lists exposed
>> provide an incredible social engineering and recon tool.
>>
>> Aaron
>>
>> On Aug 26, 2010, at 11:18 AM, Matthew Steckman wrote:
>>
>>> Brandon is a rockstar!!! Good call.
>>>
>>> Let us know if you want help on the demo, sounds like it could be really
>>> interesting. We'd probably love to make a video of it as well to put up on
>>> our analysis blog (with HBGary branding of course!).
>>>
>>> Matthew Steckman
>>> Palantir Technologies | Forward Deployed Engineer
>>> msteckman@palantir.com | 202-257-2270
>>>
>>> Follow @palantirtech
>>> Watch youtube.com/palantirtech
>>> Attend Palantir Night Live
>>>
>>> -----
>>> From: Aaron Barr [mailto:aaron@hbgary.com]
>>> Sent: Wednesday, August 25, 2010 10:36 PM
>>> To: Matthew Steckman
>>> Cc: Aaron Zollman
>>> Subject: Another Killer Demo
>>>
>>> Matt,
>>>
>>> I have been doing talks on social media, have a lot more scheduled, along
>>> with some training gigs. In the process I am setting up a lot of personas
>>> and doing social media pen testing against organizations.
>>>
>>> What I have found is there is an immense amount of information people's
>>> friends lists as well as other social media digital artifacts can tell us.
>>> I think Palantir would be an awesome tool to present and use for analysis.
>>> We are just going to have to get someone to write a helper app. I am hoping
>>> to be able to hire Brandon Colston soon.
>>>
>>> Aaron