phone numbers, assets, licenses, court documents, employers, etc.)
http://www.masterfiles.com (Master Files: phone numbers, unpublished numbers, reverse cell phone numbers, social security number verification, etc.)
http://www.usinterlink.com (database of addresses, phone numbers, social security numbers, assets, etc.)
Competitive Intelligence
Corporate spying or organizational investigation may involve acquiring
trade secrets, a political opponent’s weaknesses, or industrial espionage.
Competitive intelligence involves gathering small pieces of the puzzle, putting them together to get the big picture, and gaining a tactical or strategic advantage or edge. This can be accomplished with spies or moles, dumpster diving or surveillance, or through good research from open sources in documents
or on the Internet. Some sources of information for the web spook include the following:
http://www.sunsite.unc.edu/patents/intropat.html (patent searches by class, subclass, patent number, patent titles and abstracts, etc.; also listed under fact checking intellectual property)
http://www.sec.gov/edgarhp.htm (free Securities and Exchange Commission information on public companies)
http://www.edgar-online.com (a subscription service to access the SEC's EDGAR database; can create a watch list to monitor specified companies)
http://www.dnb.com/ (D&B credit reports on companies worldwide)
http://www.netvalue.com/netvalue/form.htm (a free report, based upon a search of words and phrases, on your competitors)
http://www.scip.org/ (news, events, case studies, software reviews, and other information from the Society of Competitive Intelligence Professionals)
http://smallbusiness2.dnb.com/14827054-1.html?tsalp=options&cm_mmc=Google-_-tsa_pd-_-GO000000111662737s_dun_AP-_-GO8140706952&refcd=GO000000111662737s_dun_AP&tsacr=GO8140706952&gclid=CNXqxaefzKkCFUPBKgodMWjaMg (Dun & Bradstreet background checks and security reports on U.S. companies)
http://www.fuld.com (the Fuld & Company guide to data acquisition, analysis, and production of an intelligence product)
http://www.techstocks.com/investor (high-tech stocks with graphs and chart patterns)
Internet Intelligence and Spyware
When consuming Internet-based intelligence, it is important to know something not only about hacking, viruses, and worms, but also about spyware, adware, and POP mail clients. Hacking, of course, is unauthorized access and tampering, and viruses and worms are programmed theft and vandalism. Spam sent through POP clients and mail relays will be discussed in a moment. Related to these are adware and spyware. Adware is software that displays unsolicited advertisements on your computer, typically as pop-ups while you are searching for something else. Spyware is related but worse: it sends information from your computer to a third party without notice or permission. Both adware and spyware are installed covertly, either by coaxing the user to click on a link that installs them or by bundling them with freeware that installs them along with the free software. Cookies are another matter; they can be reviewed and removed through Internet Options in your Control Panel.
It is worth mentioning at the outset a few things about spam (junk mail).
This is a little difficult to grasp for those of us who have to ask our teenagers to explain high-tech things like Facebook and Twitter, but I once attended a training session that explained this as simply as possible. We all receive e-mail messages and, when we reply to ask the sender to stop or to remove us from the mailing list, find that our reply is undeliverable because the address does not exist. This happens because nothing in SMTP verifies the "From" address: the spammer has either configured a POP e-mail client with a forged identity or pushed the mail through a third-party mail relay. The best defense against this is to understand how it works.
The POP client route is easier but more restricted (depending upon your ISP), so we will discuss it first. All that is needed is a simple reconfiguration of a POP e-mail client, for example, Outlook Express (bundled with Internet Explorer) or Eudora.
For Outlook Express, (1) open Outlook Express, (2) click on "Tools" and "Accounts" to select your ISP account, and (3) click "Properties." A dialog box should appear with the heading "Mail Account Properties" and five tabs: (a) General, (b) Servers, (c) Connection, (d) Security, and (e) Advanced. You can leave the mail account line (the first line in the box) as is or name it whatever you choose (it only labels the mail server connection). Under User Information (the next four lines in the box), do the following:
• Make the “Name” whatever (whoever) you want (e.g., “ John” or
[email protected]). This is the name that the receiver
will see in the “FROM” field.
• You can leave “Organization” blank or make something up.
• For “E-mail address,” you can use the same address that you used in the “Name” field.
• In the “Reply address,” you can put a legitimate address in order to
see the reply.
For Eudora, (1) open Eudora, (2) click on Tools, (3) Options, and (4) Getting Started and a dialog box should appear with the heading “Options” and
five fields:
• Under “Real name” fill in whatever (whomever) you want (e.g., “ John”
or [email protected]).
• The “Return address” is (the same as the reply address in Outlook)
a legitimate address in order to see the reply.
The account's real address lives on a different tab, and the server information is supplied by your ISP. Some ISPs, however, impose restrictions, such as only accepting outbound e-mail after you have authenticated to the POP server ("POP before SMTP"). Additionally, the server may only accept outbound e-mail whose sender is in its own domain. In each of these cases, you should receive an error message stating the restriction.
A third-party mail relay is a mail server that accepts and forwards e-mail in which neither the sender nor the recipient is a local user. The server is a third party unrelated to the message transaction, and the message should not pass through it at all. Although rarely needed today, network administrators have in the past used third-party relays legitimately to debug mail connectivity and to route around mail problems.
Third-party mail relays have also been used illegitimately by mail hijackers or spammers (junk e-mailers), who relay large volumes of messages through such a server to spread unwanted mail across the Internet. These are sometimes referred to as spamhaus operations. Relays can also be used illegitimately to send individual messages anonymously by concealing the sender's identity. To counter this prolific problem, network administrators have begun filtering network connections and blocking known sources. Hijackers and spammers have answered these countermeasures by laundering their spam through third-party relays to evade the filters: they locate high-speed mail hosts that relay and push their messages through several of them in parallel. In this way spammers conceal their identity from network administrators and avoid having their own connection traced and blocked.
By concealing their identity, they avoid the complaints themselves and deflect them toward the hijacked hosts. This is often helped along with fake headers.
Relay tests are conducted with telnet, a program in the TCP/IP suite that opens an interactive connection to a remote host on any port. Because mail (SMTP) runs on TCP port 25, telnet can be pointed at port 25 and the SMTP commands typed by hand.
On UNIX, type `telnet hostname 25` (or the server's IP address in place of the hostname). Mail servers usually listen on port 25, so once connected to port 25 of a host suspected of relaying, you talk to it with SMTP commands. RFC 821 (since superseded by RFC 5321) defines the commands and what they mean. Once connected, the screen should display something like this:
220 relay.com ESMTP Sendmail 8.8.7/8.8.7; Sat, 11 Sep 2012 23:45:00 -0500 (EST)
Note the message transfer agent (MTA) and its version number in the banner, then type HELO somesite.com to identify the sending SMTP to the receiving SMTP. (The first command must be HELO, or EHLO for ESMTP.) The argument is supposed to be the host name of the sender, but the server does not check it, so any domain name can be used as long as you can recognize it when the message arrives. The value is copied into the "Received" header that the receiving site generates, next to the actual IP address of the connection, which the server records itself and which the HELO argument cannot alter; both are only seen when viewing the e-mail header.
Next, type “mail from: [email protected]” (make up a name and address or use someone’s who you want to appear as if it is from). This is the address that will appear in the “From” field when it is received as e-mail.
Now, type “rcpt to: [email protected]” (the e-mail address the system should send mail to) or to multiple addresses at once.
Then type "DATA" and hit Enter; the server replies with a 354 code and everything typed next is the message. Enter the headers first, including a subject header with a space after the colon, then a blank line separating the headers from the body, then the body text.
Finally, type a period alone at the start of a line and hit Enter. If the server accepted the RCPT TO for an address outside its own domain, from a sender also outside its domain, and then returns an acceptance message for the data, it will relay mail from your IP address. To end the session with the telnet host, simply type "QUIT" and hit Enter.
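The exchange above, as an added example that is not part of the original book: a toy in-memory SMTP server that applies the relay policy a real MTA would (deliver to its own domains, refuse to relay for strangers, or accept everything when misconfigured as an open relay), and a client that drives the same HELO, MAIL FROM, RCPT TO, DATA, period, QUIT sequence and reads the reply codes. The host name relay.com, the domains and the mailboxes are constructed placeholders.

```python
"""Open-relay probe as an SMTP dialogue, simulated end to end.

Added example, not from the book.  ToySMTPServer is a small in-memory
stand-in for a real MTA; relay.com, the domains and the addresses are
constructed placeholders.
"""
from dataclasses import dataclass, field


def _addr(arg):
    """Pull the mailbox out of 'FROM:<a@b.example>' or 'to: a@b.example'."""
    _, _, rest = arg.partition(":")
    return rest.strip().strip("<>")


@dataclass
class ToySMTPServer:
    """Minimal SMTP receiver.  Delivers to its own domains always; relays
    for anyone else only when relay_all is True (an open relay).  Real
    MTAs additionally permit relaying after SMTP AUTH; a rule that keys
    on the MAIL FROM domain alone is forgeable and is not modelled."""
    hostname: str = "relay.com"
    local_domains: tuple = ("relay.com",)
    relay_all: bool = False
    helo: str = None
    sender: str = None
    rcpts: list = field(default_factory=list)
    in_data: bool = False
    body: list = field(default_factory=list)
    queued: list = field(default_factory=list)

    def banner(self):
        return f"220 {self.hostname} ESMTP toy MTA ready"

    def handle(self, line):
        """Process one client line; return the reply, or None for
        message lines swallowed during DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.queued.append((self.helo, self.sender, list(self.rcpts),
                                    "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], []
                return "250 OK: queued"
            # Dot-stuffing: a client doubles a leading "." so it is not
            # taken for the terminator; the receiver strips one back.
            self.body.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()               # recorded, never verified
            return f"250 {self.hostname} Hello {self.helo}"
        if self.helo is None:
            return "503 5.5.1 Send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = _addr(arg)              # also recorded, never verified
            self.rcpts = []
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = _addr(arg)
            domain = rcpt.rpartition("@")[2].lower()
            if domain in self.local_domains or self.relay_all:
                self.rcpts.append(rcpt)
                return "250 2.1.5 OK"
            return "550 5.7.1 Relaying denied"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 5.5.2 Unrecognized command"


def relay_test(server, sender, rcpt):
    """Drive the book's manual telnet session: HELO, MAIL FROM, RCPT TO,
    DATA, '.', QUIT.  Use a sender and a recipient that are both outside
    the server's domains; then a 250 to RCPT TO means the host relays.
    Returns (accepted, transcript)."""
    transcript = [f"S: {server.banner()}"]

    def send(line):
        transcript.append(f"C: {line}")
        reply = server.handle(line)
        if reply is not None:
            transcript.append(f"S: {reply}")
        return reply

    send("HELO somesite.com")                    # any name is accepted
    send(f"MAIL FROM:<{sender}>")
    accepted = send(f"RCPT TO:<{rcpt}>").startswith("250")
    if accepted:
        send("DATA")
        for line in (f"From: {sender}", f"To: {rcpt}", "Subject: relay probe",
                     "", "If you can read this, the server relays.", "."):
            send(line)
    send("QUIT")
    return accepted, transcript


if __name__ == "__main__":
    for relay_all in (False, True):
        srv = ToySMTPServer(relay_all=relay_all)
        ok, log = relay_test(srv, "spammer@outside.example", "victim@elsewhere.example")
        print("\n".join(log))
        print("open relay:", ok, "\n")
```

Run against the closed configuration the RCPT TO draws "550 5.7.1 Relaying denied" and nothing is queued; against the open one the same dialogue ends in "250 OK: queued" with the forged sender stored exactly as typed, which is the whole reason a relay makes the mail untraceable from its headers alone.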
To detect forged e-mail, IT managers read the message headers: every server that handles a message prepends a "Received" line recording the IP address of the host that connected to it, so the chain can be walked back to the connection that injected the message. That IP identifies the connecting host (often a relay, or a NAT gateway in front of many PCs) rather than one particular computer, and only the lines written by servers you trust are reliable, because a sender can type fake "Received" lines into the body of the DATA command. Some hijackers or spammers chain several third-party relays to lengthen the trail. If this still sounds like Greek to you, ask your IT security manager to walk you through it, or ask your teenager (they may have already done this). Remember, technology is ever evolving and so are hacks, cracks, countermeasures, and counter-countermeasures. Things change; be adaptable and stay as up to date as possible.
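Reading the "Received" chain back to the injecting connection, as an added example that is not part of the original book. The raw message is constructed: a forged From:, two genuine hops, and a third "Received" line that the sender typed into the DATA section to point the trail at an innocent host. Which relays count as trusted is an assumption the analyst makes about their own infrastructure; the host names and IPs are documentation addresses.

```python
"""Trace where a message entered the mail system from its Received: headers.

Added example, not from the book.  SAMPLE is a constructed message with a
forged From:, two genuine hops and one fake Received: line inserted by
the sender.  The trusted-relay sets passed to originating_ip() are the
analyst's assumption about which servers they control.
"""
import email
import re

SAMPLE = """Received: from relay.com (relay.com [198.51.100.7])
\tby mail.example.org (Postfix) with ESMTP id 9F1A2
\tfor <victim@example.org>; Sat, 11 Sep 2012 23:45:10 -0500 (EST)
Received: from somesite.com (unknown [203.0.113.9])
\tby relay.com (8.8.7/8.8.7) with SMTP id XYZ
\tfor <victim@example.org>; Sat, 11 Sep 2012 23:45:00 -0500 (EST)
Received: from innocent.example (innocent.example [192.0.2.44])
\tby somesite.com with SMTP; Sat, 11 Sep 2012 23:44:00 -0500
From: ceo@victim-bank.example
To: victim@example.org
Subject: urgent wire transfer

Please act immediately.
"""

# "from <HELO name> (<reverse DNS> [<IP>]) ... by <receiving host>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_received(raw):
    """Return the Received: hops top-down (newest first), each as a dict
    with the HELO name, reverse-DNS name, connecting IP and the host that
    wrote the line.  The HELO name is whatever the client said; the IP
    and reverse DNS were filled in by the receiving server."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def originating_ip(hops, trusted):
    """Walk the chain from the newest hop.  A line written by one of our
    own servers ('by' in trusted) is believed; the first such line whose
    connecting host is not also ours names the IP that injected the
    message.  Lines below that were written by the other side and may
    be forged, so they are never consulted.  Returns None if the top
    line was not written by a trusted server.  The IP is that of the
    connecting host (a relay or NAT gateway), not of a particular PC."""
    for hop in hops:
        if hop["by"] not in trusted:
            return None
        if hop["rdns"] not in trusted:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = parse_received(SAMPLE)
    for h in hops:
        print(f"{h['by']:18} <- {h['ip']} (helo {h['helo']}, rdns {h['rdns']})")
    print("seen from example.org:", originating_ip(hops, {"mail.example.org"}))
    print("seen from relay.com:  ", originating_ip(hops, {"mail.example.org", "relay.com"}))
```

From the recipient's side the trail stops at 198.51.100.7, the open relay, because nothing below the line that mail.example.org wrote can be trusted. Only the relay's own administrator, who trusts relay.com's line as well, gets to 203.0.113.9; the third line naming 192.0.2.44 was written by the spammer and is ignored by both.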
Net Spying and Web Surveillance
Monitoring chat rooms and inappropriate web surfing can be a surveillance concern to anyone from employers to parents. Finger is a command and protocol (TCP port 79) that asks a host for information about a user account; it is usually answered by systems in the .org, .net, or .edu domains but rarely by .com sites. Using a finger command against a target's account, it is possible to learn the login name, real name, office location and phone number, login times, idle time, when mail was last read, and other information. Plan files (.plan) are text files in the user's home directory whose contents the user chooses to publish through finger. On America Online, use the menu bar to select "Locate a Member Online" or press Control-F and type in the member's screen name. (This may be a "Friends List" or an IM screen.) To monitor web surfing (where someone goes on the Internet), there are several useful web pages to help. These include the following:
http://www.cyberpatrol.com (monitor, filter, and blocker software)
http://www.cybersitter.com/ (monitors Internet activity and attempts to access blocked material; filters phrases and bad sites defined by the user)
http://www.netnanny.com (parental controls that shut down the system when a rule is violated)
12 Intelligence Files and Analytical Investigative Methods
Intelligence Cycle
The intelligence cycle is used in the intelligence, military, and law enforcement communities to describe the cycle of intelligence activities; calling it a cycle denotes that each step is a continuous and ongoing process rather than an individual, terminal step. The five steps in the cycle are (Figure 12.1)
1. Planning and direction
2. Collection
3. Processing
4. Analysis and production
5. Dissemination and feedback
Planning and Direction
Intelligence requirements are determined by a decision maker to meet organizational objectives; the most important of them are sometimes called essential elements of intelligence (EEI). All other data needs are referred to as other intelligence requirements (OIRs). Directing intelligence requirements involves the following: (1) determine intelligence requirements (EEIs and OIRs), (2) determine indicators, (3) determine specific items of information required, (4) select collection agencies, (5) issue orders and requests, and (6) follow up.
Collection
In response to requirements (EEIs), the intelligence staff develops an intelligence collection plan to task available sources and methods and request intelligence from other agencies. Sources may include ELINT (electronic
intelligence), SIGINT (signals intelligence), EMINT (emanations intelli-
gence), IMINT (imagery intelligence), HUMINT (human intelligence), and
OSINT (open-source or publicly available intelligence).
Advanced Criminal Investigations and Intelligence Operations
Figure 12.1 The intelligence cycle (FBI, left; CIA, right). [Figure not reproduced; labels legible in the original: Planning and direction, Requirements, Collection, Processing and exploitation, Processing, Analysis and production, Dissemination, Active collaboration.]
Processing
Once collection is accomplished and raw information is available, it is processed for exploitation. This involves the translation of raw materials contained in a foreign language source, evaluation of its relevance and reliability, and collation of the raw data in preparation for exploitation.
In combat intelligence, there are four methods commonly used to document tactical intelligence: (1) the unit journal, (2) the situation map, (3) the S2 workbook, and (4) intelligence files (see Figures 12.2 and 12.3). The S2 workbook is a temporary record for systematically recording information by subject groups for ready reference; it is used for the preparation of estimates, summaries, and reports. Another document, the intelligence summary (INTSUM), is a brief report of significant information developed or received by the unit or organization during a specified time period (see Figure 12.4). A situation report (SITREP) is prepared by the operations officer (see Figure 12.5). Other intelligence reports may include the supplemental intelligence report (SUPINTREP); the intelligence appraisal (used at higher echelons to determine courses of action open to the opposition); the periodic intelligence report (PERINTREP), which is a summary of the intelligence situation covering longer periods than the INTSUM; and other special reports, such as "shelling, mortaring, and bombing reports" and "meaconing, intrusion, jamming, and interference (MIJI) feeder reports." (Meaconing is the interception and rebroadcast of navigation signals.)
Intelligence Files and Analytical Investigative Methods
Figure 12.2 Daily staff journal or duty officers log with S2 journal entries (DA Form 1594).
Analysis
Analysis integrates information by combining pieces of data with collateral information and patterns that can be interpreted to identify the significance and meanings of processed intelligence.
Figure 12.3 S2 workbook (a temporary record for systematically recording information by subject groups for ready reference and used for the preparation of estimates, summaries, and reports).
Dissemination and Feedback
Finished intelligence products are of little value if they do not meet the needs of the decision makers and intelligence consumers. Because the intelligence cycle is a closed loop, feedback is received from the decision maker or consumer and revised requirements (EEIs) are issued.
Because intelligence is confidential and loses value once the opposition learns it is known, it is important to restrict access on a need-to-know basis.
Figure 12.4 Format for an INTSUM.
When distributing intelligence products, know the receiver and document
this with an audit trail. Confirm the need to know and deny secondary distribution (the receiver should be aware that they are responsible for this information and for not redistributing it to undocumented and unauthorized sources). Intelligence may be restricted to consumers with a need to
Figure 12.5 Operation SITREP.
know and a security clearance of the appropriate level. It may be classified by its sensitivity and importance as
• CONFIDENTIAL (sensitive information of importance)
• SECRET (high sensitivity and importance)
• TOP SECRET (extremely high sensitivity and importance)
Intelligence Files
Despite what one hears in movies or from bar flies pretending to be a secret agent, intelligence files and those who have security clearances to access such information are classified as either CONFIDENTIAL, SECRET, or TOP