
Short term (Q1 '17) plans for Maltego

Welcome to 2017. It's only the 3rd of January and we're all back at work. I thought I'd share some of the exciting things happening with Maltego in the short term.

Awesome documentation

Documentation was never our strong suit and so this year we're setting it right and putting a lot of effort into documenting Maltego. We started with the user guide - it's brand new and shiny and available [here].

We're redoing the transform guide on a wiki - so that other transform writers can also document their stuff a little - and so far it's looking grand and useful. We're also doing a lot of maintenance on the developer portal to get it up to date. Let it never be said again that our documentation sucks!

Maltego Data Server (MDS)

We're almost done with the MDS. It's currently (almost) in beta. If you want to play with it or get a copy of the user's manual, [drop us a line]. Some time ago we made a [sneak peek video] of the MDS:


The MDS is going to be 'the next big thing'.

Maltego GUI

In the spirit of making it easier to work with your own data in Maltego, we have a two-pronged attack. We're doing a lot of work on the tabular data import function for local data files. The partial screenshot below should give you a taste of what's coming:



Import speed has been optimized and we now load 200k records in a mere 11 seconds!

For work with big(ish) data in SQL databases and (Splunk/ELK) indexes we have the MDS (see above).

We are also planning to have a unified Maltego installer and lifelong license keys - meaning you can easily upgrade from CE to Classic to XL. It solves a lot of issues for us when building new Maltego releases, as well as a lot of licensing headaches (think renewals, different license keys every year, etc.).

Exciting times and more as it happens,
RT

Making Buzzfeed's TrumpWorld tables into a Maltego graph

Maltego 4.0.15 is on its way, and with it a brand new interface for importing data into Maltego. With Buzzfeed's recent data dump of "TrumpWorld" we thought we would have some fun mapping out the data, whilst doing a walk-through of the new Tabular importer.

TL;DR
-----

With just a few easy clicks you can map out hundreds of links and entities. We can see the complex layout of Trump's business empire, as well as how his social and business circles overlap.

Maltego provides a wide array of transforms to dig deeper into the information we have here. We'll leave that as an exercise for the reader ;)

Person - Company mapping



Person - Person mapping


Company - Company mapping


Just in case anyone was worried that we were getting too political (we're neutral, like Switzerland), here's a graph of Hillary Clinton's email infrastructure. What's the SSLVPN box by the way? ;)

Try It For Yourself

Here are all the Maltego graphs - feel free to open them in any version of Maltego as long as it starts with a 4 (including the free 4.x CE version!).

Download Graph Files


Maltego 4.0.15's new tabular import (aka how we did it)

Start by clicking "Import Graph from Table" under the "Import|Export" section of the ribbon bar.


Click "Next" and select an Excel or csv file.


In this case we will be using "TrumpWorld Data — Public - Person-Org". Once you have selected your file click "Next".


The Hint at the bottom of the next dialog explains the different connectivity options. We're going to pick "Sequential" because it's really an A->B mapping, but the other defaults are useful in other situations.


We have to tell Maltego which column represents which type of data. We have chosen to map column 1 to a "Company" entity (we've imported it using the CaseFile entity pack in the Transform Hub) and column 2 to a "Person" entity.

The information in the other two columns we won't be using to make entities, so we set them to "Unmapped".


Under the "Map Columns to Links" tab we can choose to use column 3 as the label for the connection between column 1 and column 2.



We can now see a visual representation of how each row will be imported by going to "Connectivity Graph". We see that a link will be made from the Person to the Company.


The final step is to check that all the settings are correct and click "Next" to import the data into Maltego.


You will then see a summary of what was imported.





Visual link analysis with Splunk (or SQL) and Maltego using the MDS

We're finally ready to release a public beta of the Maltego Data Server (MDS). The MDS is a server that lets you visualize data kept in SQL databases or indexes (such as Splunk) in Maltego - as a graph - with trivial ease.

In its simplest form you only need to write a query (SQL/Splunk) and tell the MDS how to map the resulting data back to nodes on the graph.


In the most complex form you can write Python code around the query, mapping and nodes as well as use (global) replacement variables anywhere within the items above. With this we mean to say that the MDS can be as easy or as complex as you'd like it to become. The system can grow with your abilities and is very flexible.

With very basic knowledge of SQL/Splunk and Maltego you can almost immediately get massive insight into the most mundane of logs. With two (basic AF) Splunk-based transforms and three of the standard OSINT transforms that ship with Maltego we can spot fake Googlebots almost instantly in our web server logs:
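One way to reproduce the fake-Googlebot check outside Maltego, as an added example (the post does not show its own Splunk transforms, and this is not Paterva code): parse web server log lines, pick the requests whose User-Agent claims to be Googlebot, and verify the client IP the way Google documents it, a reverse DNS lookup whose name must sit under googlebot.com or google.com, followed by a forward lookup that must return the same IP. The log lines and the resolver tables below are constructed for this example; `reverse_dns` and `forward_dns` use the real socket resolver for live use.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Domains a genuine Googlebot PTR record must end in (Google's documented verification rule).
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


@dataclass
class Verdict:
    ip: str
    user_agent: str
    ptr: Optional[str]
    genuine: bool
    reason: str


def verify_googlebot(ip: str, user_agent: str,
                     reverse: Callable[[str], Optional[str]],
                     forward: Callable[[str], Set[str]]) -> Verdict:
    """Reverse-resolve the IP, check the PTR name's domain, then confirm it forward-resolves to the same IP."""
    ptr = reverse(ip)
    if ptr is None:
        return Verdict(ip, user_agent, None, False, "no PTR record")
    host = ptr.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return Verdict(ip, user_agent, ptr, False, "PTR not under googlebot.com/google.com")
    if ip not in forward(host):
        return Verdict(ip, user_agent, ptr, False, "forward lookup of PTR name does not return this IP")
    return Verdict(ip, user_agent, ptr, True, "reverse and forward DNS agree")


def find_googlebot_claims(log_lines: Iterable[str], reverse, forward) -> List[Verdict]:
    """Return a verdict for every log line whose User-Agent claims to be Googlebot."""
    verdicts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "googlebot" not in m.group("ua").lower():
            continue
        verdicts.append(verify_googlebot(m.group("ip"), m.group("ua"), reverse, forward))
    return verdicts


# Live resolvers (not used by the constructed sample below).
def reverse_dns(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def forward_dns(host: str) -> Set[str]:
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


# --- constructed sample data (TEST-NET addresses, not real Google infrastructure) ---
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2017:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "{GOOGLEBOT_UA}"',
    f'198.51.100.5 - - [10/Mar/2017:10:00:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "{GOOGLEBOT_UA}"',
    f'192.0.2.10 - - [10/Mar/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 4096 "-" "{GOOGLEBOT_UA}"',
    '192.0.2.11 - - [10/Mar/2017:10:00:04 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]
FAKE_PTR = {
    "203.0.113.7": "crawl-203-0-113-7.googlebot.com.",   # genuine: PTR and forward lookup agree
    "198.51.100.5": "crawl-198-51-100-5.googlebot.com.",  # spoofed PTR: forward lookup points elsewhere
    # 192.0.2.10 has no PTR record at all
}
FAKE_FORWARD = {
    "crawl-203-0-113-7.googlebot.com": {"203.0.113.7"},
    "crawl-198-51-100-5.googlebot.com": {"203.0.113.99"},
}


def run_sample() -> List[Verdict]:
    return find_googlebot_claims(SAMPLE_LOG, FAKE_PTR.get, lambda h: FAKE_FORWARD.get(h, set()))


if __name__ == "__main__":
    for v in run_sample():
        print(f"{v.ip:14} {'GENUINE' if v.genuine else 'FAKE   '} {v.reason}")
```

The forward confirmation is the step that matters: anyone who controls the reverse zone for their own IP space can publish a PTR record that says "googlebot.com", but they cannot make Google's forward zone answer with their IP.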


Keep in mind that the power of the existing Threat Intelligence transforms available in the Transform Hub is at your fingertips - making it possible to enrich your internal data to the max.


If you are interested in test driving the MDS *today*, simply email us at mds-beta@paterva.com and we'll send you the server as an OVA to experiment with. You can read the comprehensive documentation for the MDS [here] right now.

We'd love to get your feedback on our new project.

RT

PS: the commercial people just told us we should include that we're going to be selling this in future. Don't know why that's important...but ye.

Maltego 4.0.15 is here!

We're happy to announce that Maltego 4.0.15 (for XL and Classic) has just been released. With it comes a whole host of bug fixes, improvements and new features.

What's new:
  • New tabular import wizard
    • Much (much!) quicker to import large amounts of data
    • Connectivity matrix helps you connect the dots
    • Auto-detection of columns and column entity types saves you time
    • Import multiple files at once - underrated feature of the month!
  • List view - back by popular demand!
  • Recent entities section in the entity palette so you don't need to search for them
  • Leaf selection (we should have had this in V1)
  • 100+ small bug fixes so things just work better.

Tabular Importer

Connectivity Matrix

The new connectivity matrix allows you to easily define the relationships between the imported entities.



Column Entity Types

You can now specify the entity type in the data headers.
E.g. A column with the heading "maltego.Person" will automatically be recognized as a Person entity, without having to do the mapping manually.


Import Multiple Files at Once

If you have your data split over multiple files, you can configure your column mapping once, and import all the files at once. Please note that the file layouts must all be identical.


List View

The List View can be used as an alternative to the entity view as a way to view a graph in a tabular format. The entity selection behavior and functionality is identical between the entity view and the list view. Changing from "Entity Selection" to "Link Selection" will display all the graph links of entities.

Leaf Selection


The new "Select Leaves" button allows you to quickly select entities that have no outgoing links and a single incoming link (so strictly speaking it's not a "real" leaf node... but we like it like that!).

To update your Maltego client click on the Application Button (top left), then Tools -> Check for Updates:
This will update your Maltego to 4.0.15. We hope you're having fun with our latest update!

We loaded new certs on our servers

Just a really quick note to say that - yes - it's us and not some nasty MITM - we've changed certificates on our servers. So when you see this...

...then you know what it's about. After our 4.0.5 update we're a little paranoid about checking certificates! You should check that the Modulus is the same, that it's signed by Entrust and that the Serial number matches. If so you can happily click on 'Trust' and be on your merry way.

If you don't see this or the details are different it means you're not speaking to our servers...and you should be worried.
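A scripted version of the same check, added here as an example and not a Paterva tool: Python's standard `ssl` module exposes the peer certificate's serial number and issuer through `getpeercert()`, and the raw DER bytes through `getpeercert(binary_form=True)`. The modulus itself is not exposed without an X.509 parser, so the SHA-256 fingerprint of the DER certificate stands in for it (it changes whenever the key, and hence the modulus, changes). The expected serial and fingerprint are placeholders to be filled in from a connection verified out of band, and the sample certificate dicts at the bottom are constructed to mimic `getpeercert()` output.

```python
import hashlib
import socket
import ssl
from typing import Dict, Optional, Tuple

# Values to pin. The PLACEHOLDERs must be replaced with the serial and DER SHA-256
# seen on a connection you have verified out of band (e.g. from the dialog in the post).
EXPECTED = {
    "serial": "PLACEHOLDER_SERIAL_HEX",
    "issuer_org": "Entrust",                 # the post says the new certs are signed by Entrust
    "der_sha256": "PLACEHOLDER_SHA256_HEX",
}


def issuer_org(cert: Dict) -> Optional[str]:
    """getpeercert() returns 'issuer' as a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_certificate(cert: Dict, der: bytes, expected: Dict[str, str] = EXPECTED) -> Dict[str, bool]:
    """One pass/fail flag per check; all three must be True before clicking 'Trust'."""
    return {
        "serial_matches": cert.get("serialNumber", "").upper() == expected["serial"].upper(),
        "issued_by_expected_ca": expected["issuer_org"].lower() in (issuer_org(cert) or "").lower(),
        "fingerprint_matches": hashlib.sha256(der).hexdigest() == expected["der_sha256"].lower(),
    }


def fetch_certificate(host: str, port: int = 443) -> Tuple[Dict, bytes]:
    """Live use: open a TLS connection and return (parsed peer cert, DER bytes)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# --- constructed sample: shapes mimic getpeercert() output, every value is made up ---
SAMPLE_DER = b"constructed-bytes-standing-in-for-a-DER-certificate"
SAMPLE_EXPECTED = {
    "serial": "0A1B2C3D4E5F",
    "issuer_org": "Entrust",
    "der_sha256": hashlib.sha256(SAMPLE_DER).hexdigest(),
}
GOOD_CERT = {
    "subject": ((("commonName", "server.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Entrust, Inc."),)),
    "serialNumber": "0A1B2C3D4E5F",
}
IMPOSTOR_CERT = {
    "subject": ((("commonName", "server.example"),),),
    "issuer": ((("countryName", "XX"),), (("organizationName", "Some Other CA"),)),
    "serialNumber": "FFFFFFFFFFFF",
}


def run_sample() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    good = check_certificate(GOOD_CERT, SAMPLE_DER, SAMPLE_EXPECTED)
    bad = check_certificate(IMPOSTOR_CERT, b"different-der-bytes", SAMPLE_EXPECTED)
    return good, bad


if __name__ == "__main__":
    print(run_sample())
```

For live use, call `fetch_certificate("<host>")` and pass the result to `check_certificate`; `create_default_context()` already validates the chain against the system trust store, so the pin check is an extra layer on top of normal validation, not a replacement for it.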

Happy days,
RT


Bing v2 API is dead, long live v5? Also CTAS updates.

As some of you might have noticed, Microsoft is in the final throes of shutting down Bing API v2 and replacing it with v5 (v3 and v4... well... who knows). The new API is part of [Microsoft Cognitive Services]. MCS has some pretty cool APIs and as soon as they're priced right we might start putting more of them into Maltego. We've put this in here specifically for MS people. You know who you are. We've spoken to you. We know where you live... ;)

Currently Maltego uses Bing for all the Search Engine transforms - these all end with '_SE'.

The migration to v5 was not always easy. The query enumerator in the server code had to be changed (a lot). Some options are not supported in v5. There are only 25 results per page. One of the biggest impacts of the new API is that its pricing is significantly higher than the previous version's. Microsoft was pretty helpful in the migration process but less helpful when we complained about the new prices. This means we *might* need to cut down this service for our community edition users - but let's see how it goes.

We will be changing our public servers to v5 when Microsoft literally pulls the plug on v2. For our clients that have their own private CTAS servers: you can easily change over to the v5 API by simply applying a patch. Do the following:

Browse to the CTAS web interface. Click on 'Update Server' at the top. Click on 'Update Server Automatically' and... wait. The server will soon begin the update process. There is no need to reboot the server.




Once your server is up to date it will be using the Bing v5 API and your Bing API v2 key will no longer be valid. You may want to read how to enter the Bing v5 API key on your server in our fantastic new CTAS guide here:


If you run into any trouble please drop us a friendly note at support@paterva.com. Enjoy!!
RT



Maltego documentation is amazing! AMAZINGGG!

It's been said before that Paterva's documentation is not up to scratch and often out-dated. Lies! Lies! And damn lies!! However untrue this might have been, I am here today to tell you that we have sat down and put some real effort into updating all our documentation for the Maltego client, all our server guides as well as our developer guides. This shiny beacon of Maltego documentation goodness can now be found on the [Maltego Documentation Portal].




All the existing developer portal content has been migrated to this website and can be found under the Developer Portal heading in the navigation bar. We will also be discontinuing the existing Developer Forum on the 'dev portal'. If you've searched our documentation and you still have questions we recommend that you mail friendly questions to support@paterva.com.

That's all for now.

PR

Maltego 4.0.16 is out!

Hi there,

We just released Maltego 4.0.16. The delta between version 15 and 16 is mostly bug fixes. We've made Classic and XL available as [downloads] as well as creating update files for people running older versions of Maltego:




From today we're going to try and give you an idea of what features and fixes we've implemented. Some clients have asked for it and we think it's only proper to have some sort of changelog. So here goes!

  • Numerous fixes for using Maltego with a proxy server, specifically around authenticated proxies.
  • Start-up stability issues addressed.
  • Support for POSTs in OAuth integration. There are a couple of other issues we've addressed in OAuth and a few we're still going to address in future releases. But it's a lot better!
  • A fair amount of cosmetic fixes and spelling mistakes corrected.
  • Refresh button on Transform Hub items (we're sure all devs will love us for this!).
  • Factory reset now... uhmm... works... better.
  • Fixed viewlets that have been with us since... forever.


Hope this helps give you an idea of what the devs have been up to.
Baby seals / enjoy the weekend!
RT


Maltego 4.0.seventeen. / dezessete / семнадцать / seitsemäntoista / de diecisiete / 17 / 17 / 17 / 17


Hi there all the people of the Internet.

We are happy to show you Maltego 4.0.17. We fixed many mistakes in this release. We now remember proxy settings (again/better). We fixed font scaling in the OAuth service window. Since Ubuntu decided there would be no more ifconfig, we worked our way around it. Furthermore, in the Transform Hub we fixed the refresh button for custom entries.

We also introduced search functionality in the context menu as well as permanent search functionality in the entity palette.

Woot - this is a win!
RT

PS: I translated this whole blog post into Japanese, but Paul said it was over the top... So I took it out. The next time you see him, you should kick him. Sorry!

Linking individuals to organizations using network footprinting and leaked data.

Every year we train on Maltego at BlackHat USA in Las Vegas. This year we decided to submit a talk to Defcon – the notorious hacker conference right after BlackHat. For various reasons our talk was not accepted (Maltego being a commercial tool was right up there). At the last minute a slot opened up and since we were backup speakers Andrew MacPherson presented our work on the Saturday.

If you didn’t see the talk, this blog post will go into a bit more detail on what Andrew presented. The talk had two main sections – a) finding useful information pertaining to Industrial Control Systems (ICS) devices and b) finding embarrassing information. In this blog post I am going to focus on the latter.

We recently saw a talk from someone on using Maltego for infrastructure footprinting. We’ve been doing footprints in Maltego for many years and the tool is well geared towards working with structured data contained in DNS and related services – so it was a big ‘told you so’ / ‘glad you could make it’ kind of thing. To read our blog post on the subject – click [here]. In the good old days of black box penetration tests an analyst would first perform an in-depth footprint of an organization to learn what networks belonged to it – and what services were exposed on them. These days this ancient art is almost forgotten since spear-phishing simply works better and more reliably (and is less work!).

In recent years a lot of data leaks occurred. Think back to the famous Ashley Madison dump and the chilling effect it had on people all around the world. When we looked at the data we saw that it also contained the IP address where the user signed up from (and yes, we know that email addresses were unverified…but transactions...less so). Combined with a verified network footprint we could connect leaked profiles to organizations – even when the user signed up with a non-related email address.


This is fairly mundane – unless you’re looking at interesting networks. Consider the following:



We can clearly see that one netblock stands out – so let’s concentrate on those IP addresses. We start by taking the network to its individual IP addresses:

Just out of curiosity let’s run the transform that checks for Wikipedia edits (from the IP address) against all of the IPs:

Turns out there are 473 Wikipedia edits made from 6 IP Addresses in the range. Some edits are pretty interesting, some less so:

The above is just a sample - feel free to replicate this work at your own leisure.

Those 6 IP addresses are what we’ll call exit nodes for the organization – meaning those are where their browsing traffic is likely to come from.  

Armed with this info we can go ask if anyone in the Ashley Madison database signed up from any of those IPs. And – someone actually did:


We blurred the personal info. Because we're nice.

This made us wonder – what if you could do it with ALL the leaks – e.g. wherever there are signup IPs or IPs used at login in a data breach? We spoke to our friends at SocialLinks and they were happy to build us a transform that did exactly that (not public at time of writing). We could now query multiple databases at once. When running it on the 6 IP addresses we have:


In total there are 43 instances of the organization’s IP addresses contained within leaks that were made public.

The implication of this research (if you want to call it that) is simple. Firstly, you may think your organization cannot be connected to your online profile because you’re not using a work email address – but if you’re doing it from a work computer your IP address is most likely a dead giveaway.

Secondly – from an attacker’s side of things, the following. Footprints are useful not only for attacking computers but, as we've seen, also for finding unlinked email addresses, contextual information, etc. In other words - for crafting proper email payloads to targets - fit for a high yield phishing attack. And you can email them at home. When their guard is down. In the dark. Sneaking from behind. 😉

Baby seals,
RT

In our bid to take over the world we hunt ICS devices using Maltego.

Continuing the discussion of our Defcon talk (see previous post [here]), in this post we are going to look at ICS devices and what we can do with them in Maltego.

[Shodan] is a mass Internet scanner – much like [Censys]. The core idea is – find all the machines that are alive on the Internet, extract as much data as we can from them, put it all in a database and make that available to the world to query. Pretty neat actually.

We’ve been developing transforms that query Shodan for a while – you can read about it [here]. When we started looking at ICS devices we saw that Shodan actually has a page devoted to them. It looks like [this]:



On every ‘Explore’ button you’ll see that it translates to a Shodan query string. For instance, to find PCWorx devices the query is “port:1962 PLC”. In other words – look for devices that have the word ‘PLC’ somewhere in the response and also have port 1962 open. This search term will find all such devices that Shodan has seen on the Internet… much like searching Google for ‘intitle:index of’ will find indexable directories. The combination of searches on Shodan is thus close to ‘Google hacking’ search terms – only it’s not on Google but on Shodan, and the result is devices, not websites.

Our next step was naturally to build a transform that searched Shodan for all the ICS search terms and combined them with whatever the user wanted to add to the query. We wanted to keep the ICS terms dynamic so that the user can update/change them at any time – therefore we made the terms a transform setting. The format we use is Shodan_query_1#Description_1|Shodan_query_2#Description_2 etc. Adding all the queries we ended up with a transform setting like this:


This transform could now be used with any of the other Shodan search parameters – and the ICS search terms would be appended to it. To get a list of Shodan search terms you can click [here]:


This means we can start doing some cool stuff – like finding all ICS devices in a city – say Amsterdam:


Shodan finds 98 devices that match any of the ICS search terms and with city set to Amsterdam.

One of the Shodan search parameters that caught our eye was the ‘geo’ parameter. It meant we could give a long/lat to Shodan and find ICS devices around that precise point. A BIG caveat here is that we’re relying on Shodan to do this accurately – and they rely on other databases (like MaxMind etc.). IP-to-geolocation is a bit finicky – and a discussion for another time. The bottom line is that it can be pretty good in densely populated areas and pretty bad in remote areas.

The next few hours we spent browsing Google Maps, trying to find places that would likely have ICS devices but that were remote enough to not include too many false positives. For this we’d go to Wikipedia and find the location of (for instance) power stations in various countries. We would then take the coordinates from Google Maps, enter them in Maltego, set a radius of around 2 or 3 kilometers and see if anything showed up:


This resulted in the following queries to Shodan:


In this case – no ICS devices were found open on the Internet in a 3km radius around the Unimar Marmara Ereğlisi Power Plant in Turkey. Which is a good thing!

We spent a while doing this and it quickly became clear that it was going to be time consuming. Surely there was a way to automate it? There was. Geonames is:


Better still – they have a friendly API. You can ask Geonames things like ‘what are the GPS coordinates of all power stations in Japan?’. In Maltego it looks like this:



The country is passed as a transform parameter. We send the country code ‘jp’ – and get back the GPS coordinates of 51 power stations in Japan:


I think you can see where we’re going with this? Right?... RIGHT? 😉

No? OK – let’s do this step by step. Let’s assume we have a 0day for some ICS device and we’re a nation state and we want to attack a country’s power infrastructure. We cannot do proper attribution on the devices as they are not located on power companies’ networks and they don’t have forward or reverse DNS names that point to the company. So unless we have boots on the ground we simply don’t know what to hit. So we decide to target IPs that match ICS device characteristics, are open on the Internet and that are physically located close to these power stations. We know we’re going to have collateral damage (e.g. devices that are within the physical range of the target power stations but do not actually belong to the mine), but that’s OK because those might be secondary targets anyhow.

Here’s the process in pictures. As a country we chose Poland.  It’s not because we don’t like people from Poland. It’s because they’re understanding people. They understand this is not about them.  We actually really like Polish people - that's why we blurred out the IP addresses. 



Baby seals,
RT

PS: currently the ICS Shodan transforms are not publicly available but with the right motivation we'll release them!





Saving the planet with Maltego 4.1

Greetings people of the Internet.

In the last couple of months a lot of things have changed at Paterva. The good thing is that most of these changes will make your life better and will generally inspire you to live healthier. It's also better for Planet Earth - the environment - and it can help save lives.

Not really. Almost none of that is true of course. But enough with this nonsense - let's run through the changes really quick. Alternatively you can watch Andrew tell you about it:


Client side: Maltego 4.1
Exactly a year ago - to the minute almost - we released Maltego 4.0 (well - the Kali/CE release). Today we are releasing a new Maltego client - 4.1. Thanks AvA and PM team! The main change here is that 4.1 is all Maltego versions rolled into a single client. This means you don't ever have to download a different version - you can simply switch to it. It also means that any updates or fixes will be available to ALL versions of Maltego at exactly the same time - which in turn means we're also releasing CaseFile 4.1... right? Yay! Right? ;)

CE users will get updates when Kali users get updates when Classic users will get updates when XL users will get updates. I think you can see how this works. As such - take a look at how our download section has changed too - no more picking which client you want. No more confusion! And - let's be honest - nobody likes confusion!



If you don't want to download 4.1 you can actually upgrade your current Maltego to it. It requires two updates. Update one will take you from 4.0.18 -> 4.0.19 and the 4.0.19 release will update to 4.1.0. For Kali Linux users - once the repos are NSYNC - you'll need to apt update && apt full-upgrade to get all the newer packages as well as Maltego. Or apt update && apt install maltego for just Maltego.

We're also really happy to be back in the Kali Linux top 10 tools. Thanks for all your support Kali Team!!

New transforms, new server

To go with the shiny Maltego 4.1 client we rewrote ALL (140 of them) of our transforms and built a new server framework from the ground up to host them. Transforms should be better, faster, shiny-er with fantasticer results and of course completely bug free (whahaha). The new server framework allows us to scale up our transform hosts a lot better too - so inside you'll feel the difference and outside you'll see the difference.  Thanks A2 (and M/K)...

For our corporate clients that need to adjust firewall rules - the old hosts were alpine.paterva.com for CTAS and cetas.paterva.com for CETAS. We've moved it all to a single machine called g52.paterva.com. We called it G52 because we like how ominous and expensive it sounds. Like a plane or a big cannon. Or a secret code word. Just... go with it.

Back-end

We've completely redone all our back-end systems. It means that every bit of Maltego interaction (hub, start page, documentation redirects, license interaction) is now running on a brand new system. Thanks PR! While you might not see the direct benefit from this immediately, it's a huge thing for Paterva staff. Changes to the hub / start page / etc. no longer require Andrew or myself to SSH into a host and edit a file by hand. It will allow us to give you a much higher level of support. Geez - we almost sound like a proper company now! ;)

Where the start page/hub was served from www.paterva.com, it now runs off dolores.paterva.com. We're all Westworld fans here at Paterva.

We hope you'll enjoy 4.1 and all the changes we've made.

RT & the rest of the Paterva team

Using the new transforms without all the questions

Hi there,

As some of you may have seen, we recently updated the client and servers for Maltego in order to make it better, faster and stronger.

If you're running the commercial version of Maltego (e.g. Classic or XL) these changes have resulted in an extra choice when running transforms between our old and new servers. Unless you've done a clean install of 4.1 you'll see the following when running a transform:



The choice is between the old servers (alpine), and our new servers (g52) - 'Paterva Public'. In the short term, either choice will work, though we would encourage you to use the new server 'Paterva Public' going forward as this will be using the shiny new transforms (feel free to compare speed / results!).

How to remove the old servers

We will be releasing Maltego 4.1.1 within the next few days to remove the old servers from Maltego.

Until we release Maltego 4.1.1, or if you are running an older version of the client you can remove the choice of the old servers by simply re-installing the CTAS hub item:

1: Go to the home page of the Maltego Client.
2: Uninstall the 'Paterva CTAS' Hub item.



3: Wait for the uninstall to complete.
4: Install the 'Paterva CTAS' Hub item.


Reinstalling the 'Paterva CTAS' Hub item using the steps above will remove the old servers and the server selection choice when running transforms.

Thanks for your patience, we promise not to break anything else ;)
Paterva Team

Time to say goodbye

All things must come to an end, nothing gold can stay – including my time with Paterva. As of today - 14 Dec 2017 - I will no longer be employed by Paterva. I also resigned as managing director of the company and disposed of all my shares in the company.

Many people have asked me why I decided to leave Paterva. I’ve always wanted a company where everyone is close enough that you can throw something at them (like a ping pong ball), and in the last year or so I feel like I’ve been holding the company back from becoming bigger than that. After 10 years of running Paterva I’ve realized we’re not a start-up anymore and that it’s time to hand it over to people who are more adept at running ‘proper’ companies.

I am handing Paterva over to [Chris and Sonja]. They have been faithfully involved with Maltego since the start of the product and have been partners and significant shareholders in the company from the get-go. Handing it to them, I am sure the product will go from strength to strength and I have no doubt that they are more than capable of running the company to its full potential.

I am excited to see where Paterva will grow in the coming years – I’ve always believed in the product’s massive potential and I am sure that it will flourish under the new leadership.

Take care & good luck team Paterva!

Baby seals,
Roelof Temmingh


Holiday Special (yes, it’s this time of year again)

Whether 2017 has treated you well or poorly, it is nearing its end. The year of AlphaBay and Hansa Market takedowns, WannaCry woes, the rise of Reaper…. and of course the popularization of crypto currencies - where even my 78 year old mother asked me recently what this “BitCoin thing” is. Don’t worry mommy, it’s just a phase 😉.


For Paterva it has been a great year in many ways. A year of consolidating things and laying solid foundations for the future. So, before we sign off, here is a look at what you can expect to see in the Maltego universe next year.

Lots of effort is currently going into development and next year will see the release of:

  • Time and space support in Maltego (woohoo – you have been wanting this for a long time)
  • Brand spanking new servers
  • Quick and sexy ways to attach your own data to Maltego
  • Lots of smaller improvements (check back here in due time)

So whether you celebrate Christmas or not, here is the perfect stocking filler for 2017 and a great gift for your partner/spouse/parent or grandparent: 50% off Maltego Classic or XL (even useful for your septuagenarian mother, especially if she has a newly found fascination with blockchain technology). Use coupon code "time_and_space" in the web store (single license purchases only). Please note the coupon code is valid only on the 25th of December (GMT +00)

Happy Holidays, dear Maltego users!
Your Maltego Team

Bitcoin Tracking and Analysing with Maltego

Bitcoin and cryptocurrency have been all over basically everything. We've all had those awkward conversations over Christmas dinner with that weird uncle who explains that it's a pyramid scheme or a scam! Well, we thought it's time we refreshed some of the BTC transforms in Maltego.

A quick recap of the basics of BTC:

'Addresses' are what your wallet generates; people send bitcoin to them and you spend from them.

'Transactions' are, well... transactions. The key point here is that a transaction takes one or more addresses (that's plural), each carrying a value, as its inputs, and one or more addresses, each receiving a value, as its outputs.

You can go to https://bitcoin.org/ for a better refresher than this!

As a side note, you may have noticed we have had these transforms before, written originally by the breaker of chains, slayer of elks and herder of cats, Paul Richards. We decided to re-write these for a number of reasons. Firstly, our newborn superstar server developer, Andrew Walters, has gone far beyond building us faster, shinier servers and rebuilt how we do things on the backend as a whole. We now have fancy new docker images, error reports that come in quickly and a framework that lets us build faster. As such I decided to rebuild the crypto transforms in a way that allows us to build directly on the Blockchain.info API specifically for Bitcoin. Apart from that we also wanted to have some nested hierarchy to expand from Bitcoin into the other cryptocurrencies like Ethereum, Ripple, Litecoin and others. So please feel free to let us know what you want to see next!

Onward James! So now you have the basics of the how and why, let us take a look at how we can investigate and analyse the Bitcoin blockchain. I decided to use https://www.reddit.com/r/SorryForYourLoss/, the saddest of BTC subreddits, where people share their stories about how they lost many Bitcoins, never to see them return!

https://np.reddit.com/r/Bitcoin/comments/5fnsbw/today_i_got_owned_by_someone_who_targeted_my/

This poor person unfortunately ended up getting their friend's account scammed! So let's start here: first I paste the URL into Maltego and, with its magical regular expressions, we see the following URL in the tool and can run our first transform on it!



The first transform is fairly useful: it browses to the page, uses a regular expression to find any BTC addresses and then validates that they pass the checksum, so we get the following out:



From here we can isolate the address from the page, '1CatXmMAiPKC5uk9UsUjQmFQV4wvGwqAmh' (we don't care for the others), and run the 'To Details' transform, which will go and fetch all the details for this particular address:



Here we can see that 1.999 BTC was received by this address, but it has since been sent somewhere else and the current balance is 0 :(

So let's take a look at the transactions that have been involved with this address. We can either look at transactions where this is the INPUT (meaning it's moving BTC FROM this address) or where it is the OUTPUT ( BTC is moving TO this address ). We want to 'follow the money' so let's look at the transactions where this address is used as INPUT:


We see just the single transaction where the Bitcoin was moved away. It's important to note here that the text on each link will give you a rough idea of the transaction, but also that one transaction can have multiple inputs. For example, if you were paying 6 BTC, it could come from an address with 5 BTC and one with just 1 BTC.

Let's look at the addresses where the bitcoin was received for our transaction:



Another address to which those pesky hackers have moved the BTC. Let's take a look at the details again. This new address, as you can see, currently has a balance of 0, so let's do this again! We take this new address and look at transactions where it is the INPUT (BTC moving out of the address) and then at any addresses that transaction has as OUTPUT:


Now we can see we have two more addresses we'd need to branch into to keep track of where the original funds went (unless of course those addresses simply contain the funds!)

The process of following the money is a simple iteration of this:
  1. Look at the address (with the transform To Details) and see if it has a balance. If it does, that is where the coins went, and you can track them from there.
  2. If there is no balance, look at transactions where the address is the INPUT, and then at the addresses that are the OUTPUT of those transactions.
  3. Go back to step 1.
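The three-step loop above, automated over a small in-memory ledger (an added example, not code from Maltego or the post): balances are derived as received minus spent per address, the search stops at any address that still holds funds, and each hop is recorded so it can be drawn as a graph. It also lists the other inputs co-spent alongside an address, which is the "other compromised addresses" idea raised later in the post. The ledger, transaction ids and address labels are all constructed.

```python
from collections import deque

SATS = 100_000_000  # satoshis per BTC; integers avoid float rounding

# Constructed ledger (sample data, not real chain data). Each transaction
# spends (address, sats) inputs and creates (address, sats) outputs; the
# shortfall between the two is the miner fee.
LEDGER = [
    {"hash": "tx_a", "inputs": [("funding", 2 * SATS)],
     "outputs": [("victim", 199_900_000)]},
    {"hash": "tx_b", "inputs": [("victim", 199_900_000), ("victim2", 50_000_000)],
     "outputs": [("hop1", 249_800_000)]},
    {"hash": "tx_c", "inputs": [("hop1", 249_800_000)],
     "outputs": [("hop2", 150_000_000), ("hop3", 99_700_000)]},
    {"hash": "tx_d", "inputs": [("hop3", 99_700_000)],
     "outputs": [("hop4", 99_600_000)]},
]


def balance(addr, ledger):
    """What 'To Details' shows: everything received minus everything spent."""
    received = sum(v for tx in ledger for a, v in tx["outputs"] if a == addr)
    spent = sum(v for tx in ledger for a, v in tx["inputs"] if a == addr)
    return received - spent


def spending_txs(addr, ledger):
    """Transactions where addr appears as an INPUT (funds leaving it)."""
    return [tx for tx in ledger if any(a == addr for a, _ in tx["inputs"])]


def co_spenders(addr, ledger):
    """Other addresses spent together with addr in the same transactions;
    in a theft case these are candidates for fellow-compromised addresses."""
    others = []
    for tx in spending_txs(addr, ledger):
        for a, _ in tx["inputs"]:
            if a != addr and a not in others:
                others.append(a)
    return others


def follow_the_money(start, ledger, max_hops=10):
    """Breadth-first version of the post's three steps.
    Returns (resting, edges): addresses still holding a balance, and the
    (from_addr, tx_hash, to_addr) hops traversed to reach them."""
    resting, edges, seen = {}, [], {start}
    queue = deque([(start, 0)])
    while queue:
        addr, depth = queue.popleft()
        bal = balance(addr, ledger)
        if bal > 0:                  # step 1: the coins came to rest here
            resting[addr] = bal
            continue
        if depth >= max_hops:        # bound the walk on a busy chain
            continue
        for tx in spending_txs(addr, ledger):      # step 2: outgoing txs
            for out_addr, _ in tx["outputs"]:
                edges.append((addr, tx["hash"], out_addr))
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, depth + 1))  # step 3: repeat
    return resting, edges


if __name__ == "__main__":
    print(follow_the_money("victim", LEDGER))
    print(co_spenders("victim", LEDGER))
```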

If we kept going eventually you might get a slightly larger graph following where the BTC went to:

Additionally, when looking at the detail information for an address you can also visualise any tags that are listed from blockchain.info. It is important to note these are user generated and should always be taken with a pinch of salt as many people have been social engineered into believing accounts belong to exchanges/groups via this!



Of course there are other interesting aspects such as looking at a single address and the transaction that moved stolen BTC out and look at other addresses involved as INPUTs to try and find what other addresses were compromised.

Overall this should give you an easy rundown of how to investigate BTC blockchain events and allow you to use all this goodness in Maltego. If you add in the ability to sort the transactions between incoming and outgoing nodes you can look at entire segments of the chain to quickly find the information you are after. Remember the nodes are weighted so nodes with higher BTC values (or for transactions, higher inputs) will be weighted heavier. If you are in block layout this means they will move from top left to bottom right.

While we let you enjoy these BTC transforms we have another exciting post coming up visualising TOR hidden services and what we can do with them. From finding addresses (both email and BTC) to looking these up on the Internet!

Pink fluffy unicorns dancing on rainbows,
-AM

We are updating our privacy policy

At Paterva, we have always strived to be as transparent as possible with regard to the information that we need for you to purchase, register or use our Maltego Desktop clients and server products.

With this in mind, we have taken the new data protection regulation that will come into effect in the European Union on May 25th as an opportunity to update our “legal documents” generally. Today we want to inform you about our new Privacy Policy, aiming to help you better understand what information we collect, why we collect it and how we use it. We have decided to make these updates globally because we think the new policies are fundamentally better and should be shared by everyone in the Maltego community.

The updated Privacy Policy will enter into force on May 25th, 2018. We recommend that you read the complete Privacy Policy here. If you have any questions, please contact us using the contact information provided in the Privacy Policy.

Your Paterva Team

http://www.paterva.com/web7/static/20180524PatervaDataProtectionNotice.pdf


Announcement: EULA, Updates, Pricing


First big (long) 2018 post: better support for you, updated EULA, new prices

It’s been rather quiet on this channel since our last, joyous Christmas message. But rest assured, we are still here, busy at work. And yes, we have been working on our bucket list of cool new features for 2018. And they will come, the first of which will be the release of our “brand spanking new servers” in fall!

In the meantime, there has been lots of work and fixes under the hood. We hope you notice and appreciate the improved usability and stability. A further nice improvement is being rolled out this week. We have made the experience of collaboration when working with collection nodes much better.

We’ve also been busy setting up new systems and processes to provide you with even better support, troubleshooting and onboarding services. We started by implementing a proper ticketing system and, most importantly, a new crew and more people excited to work with Maltego. We will introduce them in time.

As previously announced, 2018 has so far also been a year of house cleaning in terms of legal documents. First came an entirely updated (and GDPR-compliant) Privacy Policy in May. And you don’t want to know the dev work it took to get it delivered in the Desktop client at the “right time” and record agreement the “right way” …

This week, we follow up with an update of our End User License Agreement. It is now called General Terms & Conditions and there is now only one document for all products and all versions of Maltego. We also aimed at making the structure clearer and the wording more readable. For our “invoice customers” we also made the renewal process easier and will now send out invoices in due time prior to an upcoming renewal. No need to repeat the quoting and purchase order process anymore. We continue to have 1-year contracts only, but shorter periods are in discussion and may come in 2019. Please download and read the new agreement. It is effective as of July 23, 2018, for all purchases of new and the renewal of licenses.

Finally, after pushing it for months and quite honestly for years, we have decided that it’s time to update our prices as well. It’s the first increase since 2013 and in fact the first ever on renewals. We have realized that we will have to build a different, and yes bigger, organization in order to keep up the pace of improving Maltego adequately and to be a responsive and competent partner. The new first-year prices are $999 for Maltego Classic and $1,999 for Maltego XL. Renewals are $499 (Classic) and $999 (XL). New prices will go into effect for orders of new licenses on August 1 and for renewal of existing licenses on September 1.

After a first half of 2018 that was so much about legal and backend work, we are now excited about what’s to come. We will stay busy improving Maltego and your entire experience around it, and we promise not to be quite as quiet…

Your Team at Paterva

Maltego launches version 4.1.15 - New tabular export formats and bug fixes!

We are excited to announce that we have released an update from 4.1.14 to 4.1.15 for Maltego!

You will be able to update your client by either clicking on “Check for Updates” under the Tools section of the Maltego application menu, or by monitoring the bottom-right corner for an update prompt.

The current version of Maltego is visible in the title bar: 
  
Version 4.1.15 brings with it a rework of the graph export features in the form of updated CSV and Excel file structures, as well as graph export to XML in the yEd and Gephi GraphML formats (more on this below and also on our documentation docs.maltego.com.)  

We have also worked on fixing bugs that you have reported, such as deadlocks when reaching 10,000 entities in CE or Classic. This ensures smooth use of Maltego without roadblocks in the middle of your important investigations.

Overall, the update entails the following changes and bug fixes:



NEW FEATURE OVERVIEW

Export Graph to Table 
During your investigations, you might want to export graphs to a tabular format for use in other software, or to incorporate in a report. The new export options give you a bit more flexibility in how the graph data is represented in these tables. 

Let’s create a simple graph to export: 
 
As before, the Graph Export Wizard allows you to choose whether you want to export the whole graph or just a selection. Depending on what data you choose to include in the export, you might end up generating duplicate rows. 

Remove these duplicates automatically by checking the Remove duplicate rows option. 
 
When choosing the export details, there are two main options:  
  • Export a table containing the Source and Target Entities value only or
  • Export a table with All Property Values 
When you want to export all the property values, you can choose that they are Grouped by Entity type with blank lines separating them, or as an Entity property flat map. 

When you export the properties, you also get a list of the links in the graph, and there is an option to export that to a Separate Link File instead. 

Exporting Source and Target Entities value only

For the above example graph, exporting only the source and target entities will produce the following result: 
 
Exporting All Property Values, Grouped by Entity type 

Exporting the entities with their properties, grouped by type, produces the table below. 

The export also includes a list of the links, using the ‘EntityID’ reference to link two entities. These can be in a separate file or at the bottom of the list of entities as in this example: 

Data is grouped into two header rows and multiple property value rows. 
  • The first row (1) includes the entity type and display values of the properties
  • The second row (2) contains the property name
  • The remaining rows (3) include the property values
Exporting All Property Values as a flat map

Exporting the entities and their properties as a flat table produces a file like the one below. Notice that there is only one header-row, and that properties are only populated where relevant in an entity. As an example, only the Website entity has a value for the ‘ports’ property. 

Export Graph as XML 

There are three GraphML formats to which you can export:  
  • one used by Maltego,   
  • one by yEd and
  • another by Gephi.
Please take note: 
Unfortunately, the GraphML format is not standardised, with different applications using the format in a different way. There is no agreed way to store metadata within the XML file, and not even whether the y-axis runs from the top to the bottom, or the other way around. Therefore, more export formats with the same extension must be supported. 

The Save dialog presents the two new export formats along with the existing Maltego GraphML XML format. There is also a checkbox to select whether you want to export only the selected entities. 
 

Let’s import the GraphML exports into applications that support these formats. 

This is what the graph looks like in yEd: 
 
And after a bit of tweaking on how it is rendered, this is what the same graph looks like in Gephi: 

We would like to thank you all for your feedback and unwavering support. We are happy to incorporate it in our updates and will continue to do so in the future.

Have feature requests? Write to us at https://www.maltego.com/contact.html

Fun with Flags


...with Dr Sheldon Cooper, Dr Amy Farrah Fowler and the new Maltego 4.2 Entity Overlays!

Tuvalu Flag
Did you know: Tuvalu, a country in the Pacific Ocean about midway between Australia and Hawaii, risks being wiped from the map due to rising sea waters? The country’s highest point is only 5m above sea level and they have a population of scarcely more than 10,000 people. The capital of Tuvalu, Funafuti, houses more than half the population and is an atoll encircling a 275 km² lagoon—the largest in Tuvalu.

Tuvalu’s flag contains the Union Flag in the upper left, with a sky-blue background and nine stars representing the nine islands that form part of Tuvalu. The nine stars are geographically correct, if you point the top of the flag towards the east.

Lesotho Flag
Another relatively unknown country which also used to be under British Colonial Rule, on the other side of the world, is Lesotho. Lesotho is the only independent state in the world that lies entirely above 1,000m elevation. In fact, more than 80% of its land lies above 1,800m in elevation. Quite the opposite of Tuvalu, Lesotho is entirely landlocked, encircled by South Africa.

The flag of Lesotho has three horizontal bands of blue (representing rain), white (representing peace) and green (representing prosperity). In the centre there is a black Mokorotlo, a traditional Basotho hat. The current flag replaced the previous more militaristic flag in 2006, reflecting a nation in peace with itself and its only neighbour.

The flags of both Tuvalu and Lesotho are now part of Maltego, along with almost all other countries and independent territories. From version 4.2.0 onwards, you can now add flag icons to entities, and the standard Location entity has been updated to include this feature.

Graph

Now, if you set the “Country Code” property of a Location entity to the correct value, a flag icon will be added as an overlay of the entity on the graph, just like in the examples above.

But flags are not the only new overlays that we can add to graphs… Actually, there is a whole new mechanism at work that you can exploit for your own entities (more on this later).

Website Icons

Favicons (pronounced ‘fav-ih-con’ in both British and American English) are those tiny little icons that a web-browser can show in the tab next to the title of a website or in the bookmarks (as in favourite icon). One of the ways a browser can find the icon, is by looking for a “favicon.ico” file in the root folder of a website, e.g. http://www.google.com/favicon.ico.

The new standard Website entity in Maltego 4.2.0 has been updated to use a calculated property that will automatically map to this icon if it exists. The calculated property is derived from the main-property of the entity, namely the FQDN, with a “/favicon.ico” extension attached. This icon is then mapped to the south-west overlay position as an image. Have a look at the new Entity specification of the default Website entity in Maltego:

Website Properties

The result is that you can now visually identify websites from the entity on the graph itself:

Websites

This feature is limited, of course, as it does not read any of the meta-tags nor perform more advanced interpretations of the URL, but it should work in most cases where the entity-value refers to a root location.

But wait, there’s more…

Advanced overlays for your own entities

As you may have noticed by now, Maltego has received an overhaul of the overlays system, and apart from the built-in flags and the new image-overlay positions, you now also have the option to add text and a splash of colour next to the entity icons.

To illustrate all the new features, let’s create a new custom entity: Employee. Properties of our employee entity will be:
  • Gender
  • Age
  • Job
  • Nationality
  • Favourite Colour
Our Employee entity will extend the standard Maltego Person entity, so all the default properties will also be present.

Features of our new entity will be:
  • The Gender and Job properties will be combined into a new Calculated property, and represented with an icon instead of the default icon;
  • The employee’s age will be printed along the top of the entity icon;
  • The flag of the person’s nationality will be added to the side; and
  • The employee’s favourite colour will be added as a colour swatch above his name.
We create a new entity by using the advanced editor in Maltego and following the wizard. Remember to set the Base Entity Type to “maltego.Person”. We create the additional properties and create an additional “GenderJob” property and set it to be hidden. We set the default value of this new hidden property to “$property(gender)$property(job)”. This will concatenate the value of the two other properties into a new property.

Finally, we set up the overlays on the new Display Settings tab, like this:

Entity

Note that you can set, for each overlay, whether it should be interpreted as text, an image, or a colour.

At last, our new entity is ready. But before we can try it out, we need to also add a few custom icons to Maltego, and this can be done using the Icon Manager (under the Entities tab):

Icon Manager

The icons are available from Google’s Noto Emoji, which can be found here: https://github.com/googlei18n/noto-emoji.

Finally, we can try out our new entity.

Property View

And here are a few more examples:

Employees Graph

With great power comes great responsibility and maybe too many overlays are too much of a good thing, but I am sure you get the picture. 😉

You can download a Maltego MTZ file that contains the icons and Employee entity for you to reference here.

Happy flag-hunting, colour-splashing, and icon-bashing!