Circuit Magazine

For Security & Protection Specialists

In terms of cybersecurity, Open Source Intelligence (OSINT) covers any data or information which can be collected from publicly available sources. It often comes as a surprise just how much is available and the nefarious uses it can be put to. OSINT can be applied towards defensive purposes, but this article will only be covering the malicious purposes (i.e. how a bad guy might get access to your client’s sensitive information and data).

One of the biggest challenges of OSINT is not merely recognising it as a threat, but encouraging the behavioural change needed to protect against it widely enough. It is simply not enough for a principal to stop posting Instagram pictures of their travels in order to hide them. Their colleagues, friends, family, and employees also need to be aware and cautious with information which could be misused.

Social Media

The first and simplest step is to look at any of your client’s (and close associates’) social media profiles and fully review any privacy settings available. Depending on the site and the network of connections, different settings may be appropriate. The important idea to remember is that only information that someone is happy to share publicly should be put on a site. Even where details are shared only with connections, friends, or family, the target of any OSINT operation remains exposed, because they are then relying on the security of their connections to protect their own information.

Sharing pictures of family holidays is a common activity on various social media platforms, and when combined with a home address or check-ins at locations near home, this can inform a malicious party of a valuable target property that is left unoccupied. Burglaries are not the only options, as an unoccupied property is also useful for people looking to protect themselves while committing various forms of fraud by having valuable deliveries sent to an address they are not linked to. During the Christmas holidays, photos and videos of Christmas present openings will be common and, if unwisely shared, can be very popular with thieves with shopping lists.

Even when it does not provide targets to a potential burglar, sharing personal data can be a serious issue. When phoning a bank or speaking with a phone company, personal information is often requested as a security check. Guidance for these security questions often includes items such as:

  • What is your mother’s maiden name?
  • Where was your first school?
  • What is your birthdate?
  • What was your first pet’s name?

Answers to all of these questions are easily available through social media postings, and a principal must be aware of this either when setting up the security questions or when posting information. In this case, it is often a good idea to provide an inaccurate, but memorable, answer to a bank’s security questions protocol.

One particularly helpful action, if there is a good relationship with a bank or service provider, is to request notification any time someone answers these questions inaccurately. Unfortunately, many do not offer this service, but it is worth inquiring about.

People Searches

While social media is the most obvious and often the first target for OSINT, it is essential to recognise that it is not the only source. Various people search engines, both legal and otherwise, compile numerous sources of public information such as electoral registers, company filings, news reports, and other information that can uncover the individual identities behind the data. These are often commercial platforms that will charge a small fee for a search, but the available information is worthwhile.

As an example, a search for me on one of these paid people search platforms reveals my name, address, house price, and positions as a director. These details have obviously been pulled from the UK electoral register, Companies House filings, and property search sites. Each of these requires a different approach to prevent disclosing the information, and for many people, the effort involved is not worthwhile. When it is worthwhile, in many cases, services have an option to opt-out of publication. Where they do not, such as Companies House, the only way to hide some information is to have a separate registered business correspondence address.

There are other methods of authentication available now. For instance, one popular two-factor method of authentication involves sending a one-time password over SMS to the phone number on file. As we’ll see, this is far from a guarantee of safety. It is vital for someone truly trying to protect themselves against particular attacks to have a secure phone number with no connections back to the individual.

SIM Swapping

One of the rapidly growing attack methods is the SIM swap. While this goes beyond the scope of OSINT, it is only possible because attackers are able to put together information to enable the attack. At its simplest level, SIM swapping is an impersonation attack – either in person or by calling customer services for a mobile provider. Using publicly available information such as birth dates, addresses, and phone numbers, along with a few other pieces of information, the attacker persuades the mobile provider that they have lost their SIM card and need a new one. The moment they have that SIM card, they have access to the target’s mobile number.

When SMS tokens (single-use passcodes via text message) are sent to provide ‘secure’ access to systems, they are sent to the active phone number. It’s easy to see how a targeted SIM swap attack can grant access to vitally important systems, such as banking.

The best protection against such SIM swapping methods is simple. Buy a dual SIM phone with a second pay-as-you-go number on a separate provider, which is used only for these authentication purposes. Since nothing is tying the number directly to you, it becomes much more challenging for an attacker to carry out a SIM swap.

Ideally, providers would start providing better protection against this attack vector by requiring stronger authentication and using different methods than SMS messages to access accounts. Still, until this happens, a separate un-linked phone number is the best method.

Finding out more

Limiting easily available information on public profiles and separating authentication phone numbers from known ones are two simple and effective tactics to prevent opportunists from using OSINT. However, things become more complex when targeted by sophisticated professionals. Dealing with the capabilities of a well-motivated investigator is far beyond what I can go into in a short article, but here are some very useful resources to look into for more information.

  • Hiding from the Internet: Eliminating Personal Online Information by Michael Bazzell is a very comprehensive work by an expert in using OSINT, going far beyond privacy controls and into legal mechanisms to hide even from marketing companies. Probably the best reference work available.
  • Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information, also by Michael Bazzell, is the mirror image of the above work, covering the tactics and tools used to collect and analyse OSINT by investigators. Again, an excellent reference work and worth a read to understand the potential for OSINT.
  • The Smart Girl’s Guide to Privacy: A Privacy Guide for the Rest of Us by Violet Blue is focused on privacy for women, but is useful to anyone, and covers how to respond to damaging privacy breaches to mitigate fallout. Unlike Bazzell’s works, this is much more focused on practical advice for everyday persons who are concerned with attacks by malicious opportunists.

In the next article, I’ll be looking at threat modelling methods in a broad sense and how they are used by both designers and attackers to defend and attack systems. Specific, detailed methodologies have been defined by various groups and companies, but the high-level method and aims are relatively universal with shared goals. A quick look at attack trees, personae non-grata, and the more formal STRIDE method used by Microsoft will show how they are applicable to much more than computer security.

James Bore is a cybersecurity Jack-of-all-trades by vocation and choice. In over a decade, he has gathered experience meandering across a range of industry sectors, organizations, and disciplines in IT, always with a focus on championing and improving security. Currently, he heads up security for a challenger bank, and in rare spare time, runs a blog on cybersecurity (https://coffeefueled.org).

 

Comments

  1. Rob

    November 11, 2019 at 8:41 PM

    You may want the editor to double check the spelling of the Headline acronym ONSIT instead of OSINT.

    • Jonathan Moss

      November 13, 2019 at 1:16 PM

      Hi Rob, Great catch! Thank you for taking the time to make us aware of that! We’re a small team and really appreciate the input from our readers.

      Jon Moss
      Managing Editor

