by Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4
Whenever I think of Sun Microsystems’ CEO Scott McNealy 2008 quote, “You have no privacy. Get over it!” I can’t help but think of Jack Nicholson’s character in the movie, A Few Good Men, who says, “You can’t handle the truth!” That’s got to be one of the best movie quotes ever! Most of us felt that way about McNealy’s quote. It hurt to hear it, but we also knew it was so, so true. Although I wonder if even McNealy could have imagined where we are today, with the good, the bad, and ugly of open source intelligence (OSINT) gathering.
OSINT is the process of someone (or a device or algorithm) gathering publicly available information on a person, group, or organization. The intent is to gather as much (useful) information as is possible about the target in preparation for a potential future act. The gathering of information could simply be a legitimate exercise to be prepared for a future legal interaction with the subject (say an organization learning as much as they can about a potential job candidate or the job candidate learning as much as they can about a potential employer), or it can be used to maliciously attack the target. Unfortunately, anyone can do both. It simply depends on the intent of the reconnaissance.
OSINT refers directly to all the publicly available resources that anyone can use to find out information about a target. There are large databases of information which are publicly available and free to search. These sources include:
- Internet address databases (such as DNS, Whois, etc.)
- Municipal databases, such as housing purchases, driver licenses, taxes paid, etc.
- Judiciary information such as court dockets, tickets, marriages, divorces, etc.
- Public Company Information Databases
- Voting history, donation histories, etc.
- General search engines (Google, Bing, etc.)
- Specialized search engines (e.g. Shodan, etc.)
- Social media sites
- Internet Information Harvesting tools (e.g. The Harvester, FOCA, Metagoofil, etc.)
There are literally thousands and thousands of free, public-accessible, sites and services from which you or anyone can learn a ton of information about anything.
Note: Awesome OSINT is one of the best, most inclusive curated lists of OSINT sites and tools: https://github.com/jivoi/awesome-osint.
Broadening the Definition of OSINT
Add to the purely legitimate OSINT sites and services the multitude of “dump sites” and “pastebins”. Oftentimes when hackers illegally take confidential information, they then dump that information to publicly accessible locations. Much like a reporter who publishes top-secret government information can’t be arrested (in the United States at least, currently), anyone can copy and access information in a dump site without fear of illegal lawsuits (usually). OSINT often includes any information which can be learned from these types of sites. Darkweb sites and services may also be included in the broad definition of OSINT, although the darkweb often consists of both free and commercial resources.
In addition to the free, legitimate, publicly-accessible, sites there are many other types of sites, which aren’t necessarily known as OSINT, but are often used by information gathers. There are hundreds, if not thousands, of commercial, investigation sites, which if you pay money, will return information usually considered otherwise illegal for an unauthorized person to obtain. Many of these sites have links into confidential databases or have participants who will illegally obtain requested records for the service for a fee. Thus, there are lots of sites where you can obtain all the same information a law enforcement officer can obtain. You can request people’s very detailed purchasing and medical information. If you are willing to part with some money, there is little you can’t buy.
There is an amazing about of information you can purchase on anyone regarding their shopping and buying activities. Turns out most organizations offer information on their customers, sometimes information about specific customers, which anyone can buy. The joke is that when Google found out that an entity was stealing GBs of personal information on its customers and selling it to other organizations, that they were not as mad about the theft as they were that they were not also being compensated.
Many times, privacy laws require that the sellers do not identify any specific records by any unique personally-identifying information about particular records or customers. But many times, the data they include with the data buy allows purchases to easily put two-and-two together to identify specific people. Other times, it is literally the business model of the data selling organization to absolutely, specifically identify particular people by name, such as how you can buy nearly any mailing list of any magazine in any country. Your bank sells your personal information to buyers who want to market to you. One of the biggest industries in the world are all the organizations which can’t wait to sell your specific information. And sometimes those databases get stolen and end up in dump sites where anyone can copy and peruse.
You can use OSINT and it can also be used against you and your organization. So, what can you do?
First, understand and educate yourself and others about OSINT. Trying to minimize the risk to yourself and your organization starts with education and security awareness training. You can’t mitigate what you don’t understand. Start with this article and then search the Internet for other general articles on OSINT. You will easily find hundreds.
Second, use OSINT tools and techniques to find out what OSINT information is out there about you and your organization. Don’t let the first time your OSINT information is gathered be when an adversary does it. Find out how much is out there in freely accessible databases and remove it where you legally can and where it makes sense. Unfortunately, you won’t be able to legally get rid of most of it. But there are times when you find your information that you can request that it be removed by the hosting entity. Sometimes all it takes is a request. Either way, one of the best defenses is to understand how much OSINT is out there about you and your org and then take the appropriate defensive mitigations.
Lastly, think about how that OSINT can be used against you and your org. Does it include logon names and passwords? Does it include confidential information which can be used to create a spear phishing attack? Does it include information, which would allow a hacker to craft an email or other scenario that might easily trick someone into revealing other confidential information? Then prepare and train against those scenarios. Sometimes the best defense is to think like an OSINT hacker and defend against those attacks.
Kevin Mitnick Shows You How
You can learn in-depth strategies straight from the World’s Most Famous Hacker, Kevin Mitnick. He and Perry Carpenter are discussing this topic and Kevin will demonstrate several tools he uses to gather OSINT for his penetration tests. Join them on June 12th @ 2:00 pm to hear all the shocking details.
About the Author
Roger Grimes is a 30-year computer security consultant, instructor, holder of dozens of computer certifications and an award-winning author of 10 books and over 1,000 magazine articles on computer security. Roger is the Data-Driven Defense Evangelist for KnowBe4. Previously he worked at some of the world’s largest computer security companies, including Foundstone, McAfee and Microsoft. Roger holds a bachelor’s degree from Old Dominion University. He has been the weekly security columnist for InfoWorld and CSO magazines since 2005.
Roger can be reached online at firstname.lastname@example.org and at our company website www.knowbe4.com.