Open source Intel: Disturbing? Awesome? Or disturbingly awesome?

There is apparently a name for the art of leveraging social media and free tools to uncover juicy bits of information on someone: open source intel or OSINT for short.

OSINT allows you, for instance, to connect someone’s phone number to their Twitter account, find out when and where they will be vacationing (away from home), or learn how much tax they pay on their property (and in the process, where they live).

Why would you want to do that? Well, the reality is that it doesn’t matter. Just as with everything humanity has ever done: somebody will do it, simply because somebody can.
The fact that these techniques are freely and publicly available means the bad guys already have access to them, and it’s in your best interest to understand how your data online can be leveraged against you.

I listened to a talk by Michael Bazzell, who’s a rock star in this field. He described a couple of real-life scenarios where companies had hired him to see if he could get to sensitive data such as the CEO’s email.

Scenario 1:
Looked up tweets geotagged from within a shopping mall from the last 2 days. Found a woman who checked in at Sears. Sent her a tweet pretending to be with Sears customer service: “You were our 20th customer in that section, I’m going to send you a gift card.” Sent her a link containing analytics, and now we’re monitoring her.

Scenario 2:
Need to find out about a company’s employees. Looked up the company on LinkedIn, found tons of employees. Pictures were there, but names were “LinkedIn member”. Grabbed the URL from one of the pictures and ran it through Google reverse image search, which links up to the employee’s real name and her full LinkedIn profile.

Scenario 3:
Older guy, high-level CEO. No social networks. He had kids, went after their social media, found nothing obvious. Used OSINT to find out where he lives. Used Echosec to find posts coming out of his house. That led to the daughter’s Twitter and Instagram accounts. Loaded up TweetDeck and added all of the family members’ Twitter accounts to see them tweet live. They’re all talking about a family trip they’re going on over the weekend. Found out which hotel based on a pic of the daughter by the pool. Found out which suite they’re staying at by brute-forcing the last name and room numbers to log onto WiFi. Used social engineering to get a technician to open the room door.

If you take away one thing from the above scenarios, let it be this: it is easy as hell to find out tons of information about you online. VERY easy. Think twice about what you post online. There’s no way to control everything, but play your part to stay smart and stay safe online.

Tools of the trade:

Facebook graph – In-depth search using Facebook
Please Rob Me – Shows people who are not currently at home
Echosec – Tweets and posts by geographic location
Shodan HQ – “Internet of things” devices connected to the internet
Google Dorks – Vulnerable sites using Google Search
YouGetSignal – Various technical tools
PeekYou – People search
Lullar – Another people search