In terms of cybersecurity, Open Source Intelligence (OSINT) covers any data or information which can be collected from publicly available sources. It often comes as a surprise just how much is available and the nefarious uses it can be put to. OSINT can be applied towards defensive purposes, but this article will only be covering the malicious purposes (i.e. how a bad guy might get access to your client’s sensitive information and data).
One of the biggest challenges of OSINT is not merely recognising it as a threat, but encouraging the behavioural change needed to protect against it widely enough. It is not simply enough for a principal to stop posting Instagram pictures of their travels in order to hide them. Their colleagues, friends, family, and employees also need to be aware and cautious with information which could be misused.
The first and simplest step is to look at any of your client’s (and close associates’) social media profiles and fully review any privacy settings available. Depending on the site and the network of connections, different settings may be appropriate. The important idea to remember is that only information that someone is happy to share publicly should be put on a site. Even where details are shared only with connections, friends, or family, the target of any OSINT operation remains exposed, because they are then relying on the security of their connections to protect their own information.
Sharing pictures of family holidays is a common activity on various social media platforms, and when combined with a home address or check-ins at locations near home, this can inform a malicious party of a valuable target property that is left unoccupied. Burglary is not the only risk: an unoccupied property is also useful to people committing various forms of fraud, who protect themselves by having valuable deliveries sent to an address they are not linked to. During the Christmas holidays, photos and videos of Christmas present openings will be common and, if unwisely shared, can be very popular with thieves with shopping lists.
Even when not providing targets to a potential burglar, sharing of personal data can be a serious issue. When phoning a bank, or speaking with a phone company, personal information is often requested as a security check. Guidance for these security questions often includes items such as:
- What is your mother’s maiden name?
- Where was your first school?
- What is your birthdate?
- What was your first pet’s name?
Answers to all of these questions are easily available through social media postings, and a principal must be aware of this both when setting up the security questions and when posting information. In this case, it is often a good idea to provide an inaccurate, but memorable, answer to a bank’s security question protocol.
One particularly helpful action, if there is a good relationship with a bank or service provider, is to request notification any time someone answers these questions inaccurately. Unfortunately, many do not offer this service, but it is worth inquiring about.
While social media is the most obvious and often the first target for OSINT, it is essential to recognise that it is not the only source. Various people search engines, both legal and otherwise, compile numerous sources of public information such as electoral registers, company filings, news reports, and other information that can uncover the individual identities behind the data. These are often commercial platforms that will charge a small fee for a search, but the available information is worthwhile.
As an example, a search for me on one of these paid people search platforms reveals my name, address, house price, and positions as a director. These details have obviously been pulled from the UK electoral register, Companies House filings, and property search sites. Each of these requires a different approach to prevent disclosing the information, and for many people, the effort involved is not worthwhile. When it is worthwhile, in many cases, services have an option to opt-out of publication. Where they do not, such as Companies House, the only way to hide some information is to have a separate registered business correspondence address.
There are other methods of authentication available now. For instance, one popular two-factor method involves sending a one-time password over SMS to the phone number on file. As we’ll see, this is far from a guarantee of safety. It is vital for someone truly trying to protect themselves against particular attacks to have a secure phone number with no connections back to the individual.
One of the rapidly growing attack methods is the SIM swap. While this goes beyond the scope of OSINT, it is only possible because attackers are able to put together information to enable the attack. At its simplest level, SIM swapping is an impersonation attack – either in person or by calling customer services for a mobile provider. Using publicly available information such as birth dates, addresses, and phone numbers, along with a few other pieces of information, the attacker persuades the mobile provider that they have lost their SIM card and need a new one. The moment they have that SIM card, they have access to the target’s mobile number.
When SMS tokens (single-use passcodes via text message) are sent to provide ‘secure’ access to systems, they are sent to the active phone number. It’s easy to see how a targeted SIM swap attack can grant access to vitally important systems, such as banking.
The best protection against such SIM swapping methods is simple. Buy a dual SIM phone with a second pay-as-you-go number on a separate provider, which is used only for these authentication purposes. Since nothing is tying the number directly to you, it becomes much more challenging for an attacker to carry out a SIM swap.
Ideally, providers would offer better protection against this attack vector by requiring stronger authentication and by using methods other than SMS messages to grant access to accounts. Still, until this happens, a separate un-linked phone number is the best method.
Finding out more
Limiting easily available information on public profiles and separating authentication phone numbers from known ones are two simple and effective tactics to prevent opportunists from using OSINT. However, things become more complex when targeted by sophisticated professionals. Dealing with the capabilities of a well-motivated investigator is far beyond what I can go into in a short article, but here are some very useful resources to look into for more information.
- Hiding from the Internet: Eliminating Personal Online Information by Michael Bazzell is a very comprehensive work by an expert in using OSINT, going far beyond privacy controls and into legal mechanisms to hide even from marketing companies. Probably the best reference work available.
- Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information, also by Michael Bazzell, is the mirror image of the above work, covering the tactics and tools used to collect and analyse OSINT by investigators. Again, an excellent reference work and worth a read to understand the potential for OSINT.
- The Smart Girl’s Guide to Privacy: A Privacy Guide for the Rest of Us by Violet Blue is focused on privacy for women, but is useful to anyone, and covers how to respond to damaging privacy breaches to mitigate fallout. Unlike Bazzell’s works, this is much more focused on practical advice for everyday persons who are concerned with attacks by malicious opportunists.
In the next article, I’ll be looking at threat modelling methods in a broad sense and how they are used by both designers and attackers to defend and attack systems. Specific, detailed methodologies have been defined by various groups and companies, but the high-level method and aims are relatively universal with shared goals. A quick look at attack trees, personae non gratae, and the more formal STRIDE method used by Microsoft will show how they are applicable to much more than computer security.
James Bore is a cybersecurity Jack-of-all-trades by vocation and choice. In over a decade, he has gathered experience meandering across a range of industry sectors, organizations, and disciplines in IT, always with a focus on championing and improving security. Currently, he heads up security for a challenger bank, and in rare spare time, runs a blog on cybersecurity (https://coffeefueled.org).