
OSINT: Do You Know How to Stay Protected?

In terms of cybersecurity, Open Source Intelligence (OSINT) covers any data or information which can be collected from publicly available sources. It often comes as a surprise just how much is available and the nefarious uses it can be put to. OSINT can be applied towards defensive purposes, but this article will only be covering the malicious purposes (i.e. how a bad guy might get access to your client’s sensitive information and data).

One of the biggest challenges of OSINT is not merely recognising it as a threat, but encouraging the behavioural change needed to protect against it widely enough. It is simply not enough for a principal to stop posting Instagram pictures of their travels in order to hide them. Their colleagues, friends, family, and employees also need to be aware and cautious with information which could be misused.

Social Media

The first and simplest step is to look at any of your client’s (and close associates’) social media profiles and fully review any privacy settings available. Depending on the site and the network of connections, different settings may be appropriate. The important idea to remember is that only information that someone is happy to share publicly should be put on a site. Even where details are shared only with connections, friends, or family, the target of any OSINT operation remains exposed, because they are then relying on the security of their connections to protect their own information.

Sharing pictures of family holidays is a common activity on various social media platforms, and when combined with a home address or check-ins at locations near home, this can inform a malicious party of a valuable target property that is left unoccupied. Burglaries are not the only options, as an unoccupied property is also useful for people looking to protect themselves while committing various forms of fraud by having valuable deliveries sent to an address they are not linked to. During the Christmas holidays, photos and videos of Christmas present openings will be common and, if unwisely shared, can be very popular with thieves with shopping lists.

Even when not providing targets to a potential burglar, sharing of personal data can be a serious issue. When phoning a bank, or speaking with a phone company, personal information is often requested as a security check. Guidance for these security questions often includes items such as:

  • What is your mother’s maiden name?
  • Where was your first school?
  • What is your birthdate?
  • What was your first pet’s name?

Answers to all of these questions are easily available through social media postings, and a principal must be aware of this either when setting up the security questions or when posting information. In this case, it is often a good idea to provide an inaccurate, but memorable, answer to a bank’s security questions protocol.

One particularly helpful action, if there is a good relationship with a bank or service provider, is to request notification any time someone answers these questions inaccurately. Unfortunately, many do not offer this service, but it is worth inquiring about.

People Searches

While social media is the most obvious and often the first target for OSINT, it is essential to recognise that it is not the only source. Various people search engines, both legal and otherwise, compile numerous sources of public information such as electoral registers, company filings, news reports, and other information that can uncover the individual identities behind the data. These are often commercial platforms that will charge a small fee for a search, but the available information is worthwhile.

As an example, a search for me on one of these paid people search platforms reveals my name, address, house price, and positions as a director. These details have obviously been pulled from the UK electoral register, Companies House filings, and property search sites. Each of these requires a different approach to prevent disclosing the information, and for many people, the effort involved is not worthwhile. When it is worthwhile, in many cases, services have an option to opt-out of publication. Where they do not, such as Companies House, the only way to hide some information is to have a separate registered business correspondence address.

There are other methods of authentication available now. For instance, one popular two-factor method of authentication involves sending a one-time password over SMS to the phone number on file. As we’ll see, this is far from a guarantee of safety. It is vital for someone truly trying to protect themselves against particular attacks to have a secure phone number with no connections back to the individual.

SIM Swapping

One of the rapidly growing attack methods is the SIM swap. While this goes beyond the scope of OSINT, it is only possible because attackers are able to put together information to enable the attack. At its simplest level, SIM swapping is an impersonation attack – either in person or by calling customer services for a mobile provider. Using publicly available information such as birth dates, addresses, and phone numbers, along with a few other pieces of information, the attacker persuades the mobile provider that they have lost their SIM card and need a new one. The moment they have that SIM card, they have access to the target’s mobile number.

When SMS tokens (single-use passcodes via text message) are sent to provide ‘secure’ access to systems, they are sent to the active phone number. It’s easy to see how a targeted SIM swap attack can grant access to vitally important systems, such as banking.

The best protection against such SIM swapping methods is simple. Buy a dual SIM phone with a second pay-as-you-go number on a separate provider, which is used only for these authentication purposes. Since nothing is tying the number directly to you, it becomes much more challenging for an attacker to carry out a SIM swap.

Ideally, providers would offer better protection against this attack vector by requiring stronger authentication and using methods other than SMS messages to access accounts. Until this happens, a separate unlinked phone number is the best method.

Finding out more

Limiting easily available information on public profiles and separating authentication phone numbers from known ones are two simple and effective tactics to prevent opportunists from using OSINT. However, things become more complex when targeted by sophisticated professionals. Dealing with the capabilities of a well-motivated investigator is far beyond what I can go into in a short article, but here are some very useful resources to look into for more information.

  • Hiding from the Internet: Eliminating Personal Online Information by Michael Bazzell is a very comprehensive work by an expert in using OSINT, going far beyond privacy controls and into legal mechanisms to hide even from marketing companies. Probably the best reference work available.
  • Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information, also by Michael Bazzell, is the mirror image of the above work, covering the tactics and tools used to collect and analyse OSINT by investigators. Again, an excellent reference work and worth a read to understand the potential for OSINT.
  • The Smart Girl’s Guide to Privacy: A Privacy Guide for the Rest of Us by Violet Blue is focused on privacy for women, but is useful to anyone, and covers how to respond to damaging privacy breaches to mitigate fallout. Unlike Bazzell’s works, this is much more focused on practical advice for everyday persons who are concerned with attacks by malicious opportunists.

In the next article, I’ll be looking at threat modelling methods in a broad sense and how they are used by both designers and attackers to defend and attack systems. Specific, detailed methodologies have been defined by various groups and companies, but the high-level method and aims are relatively universal with shared goals. A quick look at attack trees, personae non-grata, and the more formal STRIDE method used by Microsoft will show how they are applicable to much more than computer security.

 


James Bore is a cybersecurity Jack-of-all-trades by vocation and choice. In over a decade, he has gathered experience meandering across a range of industry sectors, organizations, and disciplines in IT, always with a focus on championing and improving security. Currently, he heads up security for a challenger bank, and in rare spare time, runs a blog on cybersecurity (https://coffeefueled.org).

 


Comments

  1. Rob says

    November 11, 2019 at 8:41 PM

    You may want the editor to double check the spelling of the Headline acronym ONSIT instead of OSINT.

    • Jonathan Moss says

      November 13, 2019 at 1:16 PM

      Hi Rob, great catch! Thank you for taking the time to make us aware of that! We’re a small team and really appreciate the input from our readers.

      Jon Moss
      Managing Editor

