BlackhatEU: Unveiling Maltego 3.0
Maltego 3.0 will be a major upgrade. The first change you notice is the visual representation. The Windows-based GUI no longer looks like a port of a Unix application to Windows, but has a far more native Windows look and feel and supports dynamic graphing. The user interface is now fully interactive in all views.
Enhancements include:
• Dynamic graphs
• Manual object linking
• Infinite transforms (e.g. to follow tweets as they occur)
But it is not just user interface changes: Maltego v3 will also handle so-called “Dead End Entities”, entities that currently don’t have any transforms.
Roelof showed us a demo of the interlinking of companies based on the South African equivalent of the Chamber of Commerce register. This turns previously dead-end entities into non-dead-end entities, but with Named Entity Recognition (NER) other dead-end entities can be investigated as well.
Using a Google translation of a South African news article, Roelof demoed extracting persons and locations from text, which can then be used in Maltego transforms. Maltego supports transforming URLs (HTML, PDF and Office type documents) to text and then recognizing named entities in that text. In the end this can be used to answer the question: “Who/what/where is connected to phrase X?”
The demo showed correlation for “Uranium Enrichment”: going from the phrase, via Google to the sites, to PDF documents, to places and ultimately to people, with AQ Khan being one of the people mentioned most. Naturally this can be applied to things like whois records as well; because whois info is not structured, you need NER to make sense of it.
Another demo was about using Maltego with Facebook. This was only shown as a demo: because scraping the site is against Facebook’s terms of use it will not be released, but it is a nice demo of the power of Maltego.
In order to get the information out of Facebook, the Maltego team had to apply quite a few tricks, some of which are not very “nice” and have already been plugged by the Facebook team.
Combining Facebook and NER gives really interesting results. Roelof took the web coverage of the phrase “Blackhat briefings” and extracted the 10 most frequently occurring people. According to Google this is Jeff Moss, but according to Yahoo it’s Dan Kaminsky. Using Facebook and the relationships between these people you can weed out the false positives and build a circle of connectedness.
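The phrase-to-people chain described in the “Uranium Enrichment” demo and the frequency ranking behind the “Blackhat briefings” demo can be written as a short sequence of transforms. The following is an added example, not Maltego’s code: every URL, document text, person and place in it is constructed, the search step is a substring match over that constructed corpus instead of a real search engine, and the entity tagger is a deliberately simple regex-plus-gazetteer stand-in for a real NER model (so, like the real thing, it can produce false positives that need weeding out).

```python
import re
from collections import Counter

# Constructed sample corpus: stands in for the pages a search on the phrase
# would return, already converted from HTML/PDF/Office to plain text.
# All URLs, names and places below are made up for this example.
CORPUS = {
    "https://news.example/a.html": (
        "Alice Morgan told reporters in Vienna that uranium enrichment talks had "
        "stalled. Bob Steiner declined to comment."
    ),
    "https://paper.example/b.pdf": (
        "The report on uranium enrichment cites Alice Morgan and Carol Diaz, both "
        "based in Geneva."
    ),
    "https://blog.example/c.html": "Bob Steiner wrote about cricket in Cape Town.",
}

# Tiny constructed gazetteer so the toy tagger can tell locations from people.
# A real NER model infers this from context; the lookup table is a simplification.
LOCATIONS = {"Vienna", "Geneva", "Cape Town"}
LEADING_STOPWORDS = {"The", "A", "An", "In", "At", "On"}

# A run of one or more capitalised words is an entity candidate.
CANDIDATE = re.compile(r"\b[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*\b")


def phrase_to_urls(phrase, corpus):
    """Transform 1: phrase -> URLs (stand-in for the search-engine step)."""
    needle = phrase.lower()
    return [url for url, text in corpus.items() if needle in text.lower()]


def url_to_text(url, corpus):
    """Transform 2: URL -> text. The corpus is already text here; in Maltego
    this is where the HTML/PDF/Office-to-text conversion happens."""
    return corpus[url]


def text_to_entities(text):
    """Transform 3: text -> named entities, split into persons and locations.
    Gazetteer hits are locations, other runs of two or more capitalised words
    are treated as persons, and single unknown capitalised words are dropped."""
    persons, locations = [], []
    for match in CANDIDATE.finditer(text):
        words = match.group().split()
        while words and words[0] in LEADING_STOPWORDS:
            words = words[1:]
        if not words:
            continue
        span = " ".join(words)
        if span in LOCATIONS:
            locations.append(span)
        elif len(words) >= 2:
            persons.append(span)
    return {"person": persons, "location": locations}


def who_is_connected_to(phrase, corpus=CORPUS, top_n=10):
    """Chain the three transforms and rank people and places by how often they
    co-occur with the phrase (one count per mention), most frequent first."""
    people, places = Counter(), Counter()
    for url in phrase_to_urls(phrase, corpus):
        entities = text_to_entities(url_to_text(url, corpus))
        people.update(entities["person"])
        places.update(entities["location"])
    return people.most_common(top_n), places.most_common(top_n)


if __name__ == "__main__":
    people, places = who_is_connected_to("uranium enrichment")
    print("people:", people)
    print("places:", places)
```

Running it ranks Alice Morgan first (two mentions across the two documents that contain the phrase) and ignores the third document entirely, which is exactly the “phrase, to sites, to documents, to places and people” walk from the demo; swapping the regex tagger for a real NER model and the corpus lookup for live URL fetching is what turns this toy into the Maltego feature.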
The NER demos really show how powerful the Named Entity Recognition feature is.
As in the keynote, people and intelligence are the key weapons of both defender and attacker.
