In terms of cyber security, Open Source Intelligence (OSINT) covers any data or information which can be collected from publicly available sources.
It often comes as a surprise just how much is available, and the nefarious uses it can be put to. OSINT can be applied towards defensive purposes, but we will be looking only at malicious purposes. One of the biggest challenges of OSINT is not merely recognising it as a threat, but encouraging the behavioural change needed to protect against it widely enough. It is not enough simply for a principal to stop posting Instagram pictures of their travels in order to hide them – their colleagues, friends, family, and employees also need to be aware of the need to take care with information which could be misused.
The first and simplest step is to look at any social media sites in use and fully review any privacy settings available. Depending on the site, and the network of connections, different settings may be appropriate. The important idea to remember is that only information that someone is happy to share publicly should be put on a site. Even where details are shared only with connections, friends, or family, the target of any OSINT operation is then relying on the security of their connections' accounts to protect their own information.
Sharing pictures of family holidays is a common activity on various social media platforms, and when combined with a home address or check-ins at locations near to home, this can inform a malicious party that a valuable target property is currently unoccupied. Burglary is not the only risk, as an unoccupied property is also useful for people looking to protect themselves while committing various forms of fraud by having valuable deliveries sent to an address they are not linked to. Photos and videos of Christmas present openings will soon be common, and when shared unwisely they are very popular with thieves working from shopping lists.
Even when not providing targets to a potential burglar, sharing of personal data can be a serious issue. When phoning a bank, or speaking with a phone company, personal information is often requested as a security check. Guidance for these security questions often suggests examples like those below:
- What is your mother’s maiden name?
- Where was your first school?
- What is your birthdate?
- What was your first pet’s name?
Answers to all of these questions are easily available through social media postings, and it is important that a principal is aware of this either when setting up the security questions (in which case an inaccurate but memorable answer can be provided) or when posting information.
One particularly helpful action, if there is a good relationship with a bank or service provider, is to request notification any time someone answers these questions inaccurately. Unfortunately many do not offer this service.
While social media is the most obvious, and often first, target for OSINT, it is important to recognise that it is not the only source. Various people search engines, both legal and otherwise, compile public records such as electoral registers, company filings, and news reports, and tie them to individual identities as far as possible. These are often commercial platforms which charge a small fee for a search, but the available information is worthwhile. As an example, a search for me on one of these platforms reveals my name, address, house price, and positions as a director.
These details are pulled from the UK electoral register, Companies House filings, and property search sites. Each of these requires a different approach to prevent disclosing the information, and for many people the effort involved is not worthwhile. When it is worthwhile, in many cases services have an option to opt out of publication. Where they do not, such as Companies House, the only way to hide some information is to have a separate registered business correspondence address.
There are other methods of authentication now, most popularly sending a one-time password over SMS. As we'll see, this is far from a guarantee of safety, and means that for someone truly trying to protect themselves against particular attacks it is vital to have a secure phone number with no connection to the individual.
One of the rapidly growing attack methods is the SIM swap. While this goes beyond the scope of OSINT, it is only possible because attackers are able to put together information to enable the attack. At its simplest level, SIM swapping is an impersonation attack, carried out either in person or by calling customer services for a mobile provider. Using publicly available information such as birth dates, an address, and a phone number, along with a few other pieces, the attacker persuades the mobile provider that they have lost their SIM card and need a new one. The moment they have that SIM card, they have access to the target's mobile number.
When SMS tokens (single-use passcodes via text message) are sent to provide ‘secure’ access to systems, they are sent to the active phone number. It’s easy to see how a targeted SIM swap attack can grant access to vitally important systems. The best protection is simple – I have a dual SIM phone, with a second pay-as-you-go number on a separate provider which is used only for these services. Since there is nothing tying the number directly to me it becomes much more challenging for an attacker to carry out a SIM swap.
Ideally, providers would start providing better protection against this attack vector by requiring stronger authentication, and by using methods other than SMS messages to access accounts, but until this happens a separate unlinked phone number is the best method I have found.
Finding out more
While limiting easily available information and separating authentication phone numbers from known ones are two simple and effective tactics to prevent opportunists from using OSINT, when targeted by sophisticated professionals things become more complex. Dealing with the capabilities of a well-motivated investigator is far beyond what I can go into in a short article, but there are very useful resources to look into for more information.
- Hiding from the Internet: Eliminating Personal Online Information by Michael Bazzell is a very comprehensive work by an expert in using OSINT, going far beyond privacy controls and into legal mechanisms to hide even from marketing companies. Probably the best reference work available.
- Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information, also by Michael Bazzell, is the mirror image of the above work, covering the tactics and tools used to collect and analyse OSINT by investigators. Again, an excellent reference work and worth a read to understand the potential for OSINT.
- The Smart Girl's Guide to Privacy: A Privacy Guide for the Rest of Us by Violet Blue is focused on privacy for women, but is useful to anyone, and covers how to respond to damaging privacy breaches to mitigate the fallout. Unlike Bazzell's works, this is much more focused on practical advice for everyday people who are concerned about attacks by malicious opportunists.
In the next article I’ll be looking at threat modelling methods in a broad sense, and how they are used by both designers and attackers to defend and attack systems respectively. Specific, detailed methodologies have been defined by various groups and companies, but the high-level method and aims are fairly universal with shared goals. A quick look at attack trees, personae non grata, and the more formal STRIDE method used by Microsoft will show how they are applicable to much more than computer security.
Hiding from OSINT
By: James Bore
James Bore is a cybersecurity Jack of all trades by vocation and choice. In over a decade he has gathered experience meandering across a range of industry sectors, organizations, and disciplines in IT, always with a focus on championing and improving security. Currently he heads up security for a challenger bank, and in rare spare time runs a blog on cyber security (https://coffeefueled.org).