In this article, we give a brief introduction to OSINT gathering and show how public, ordinary-looking information can be exploited by ‘the bad guys’ to gain unauthorized access to a corporate information system.
The term Open Source Intelligence (OSINT), which was originally formulated by the intelligence community, refers to all information that is freely accessible to the public and can be used in any intelligence context. Years ago, this term was mainly associated with intelligence and the military; however, with the rapid growth of internet communications and the emergence of social media websites, it has become heavily used by corporations to profile internet users and collect useful information about them for marketing purposes. Perpetrators did not miss the wave and now use such sources to gain useful insight into their targets before launching attacks.
Where can OSINT be found?
OSINT resources can be found either online or offline; they include all information that is freely accessible to the public. The following list covers the main OSINT categories:
- Internet resources: This is the most important category and includes all free resources available online, such as blogs, discussion forums, social networks (Facebook, YouTube, Twitter, etc.), repositories of information from previously breached websites, domain names, IP addresses, specialized search engines (people, telephone, username and email search engines), digital files such as images/videos/documents, archives, geolocation data and online maps (including commercial satellite images), digital file metadata, and resources available in the deep and dark web.
- Traditional media: This includes all classical media services such as: TV, radio, newspapers, magazines and books.
- Grey literature resources: These resources are produced by the world publishing system, mainly by researchers and practitioners in the field, and contain all the information that is available to the public through specialized channels, where you need to pay or have permission from the copyright holder in order to acquire it. Examples of grey literature resources include the following and more: research papers, white papers, dissertations and theses, academic journals, books and trade publications.
- Government records: This includes all information published publicly by government entities through different media channels (both online and offline). It includes the following and more: phone directories, public government reports, budget reports, conference information, citizens’ records (birth, death, patent, property, criminal records), in addition to public speeches.
As we can see, OSINT sources are wide and cover almost all sorts of publicly accessible information. From a cybersecurity perspective, exploitation of such resources by bad actors can lead to catastrophic consequences, as we are going to see next.
How can malicious actors exploit OSINT sources?
From a cybersecurity perspective, OSINT sources can be exploited using various methods. The following are two of them:
Digital files metadata
Metadata is data about data; it contains hidden descriptive information about the file it belongs to. It exists in almost all digital files, such as documents, video and audio files, and web pages. Metadata usually comes within the file it belongs to; however, some file types store it separately. We can differentiate between two types of metadata:
- Descriptive metadata: Created by the user, such as: Author name, organization name, email, comments.
- Technical metadata: Created by the program/software used to create/modify the file, such as: creation date/time, file path on the disk/share, device name, the GPS coordinates of a specific photo, and the camera type and resolution if the file is a photo.
If you are responsible for producing documents for your organization (e.g. meeting schedules, invoices, budget files, job announcements, white papers and any type of Office, PDF or image file), you must check the metadata of all digital files before uploading them to the Internet or sharing them with colleagues/customers, to avoid leaking sensitive information about yourself and the machine you used to create the file(s). There are many freeware tools that can view and edit a digital file’s metadata; the following are the most popular ones.
- Exif Pilot (colorpilot.com/exif.html): free EXIF editor for viewing, editing and removing EXIF, EXIF GPS, IPTC, and XMP metadata.
- Mp3tag (mp3tag.de/en): for audio files.
- MediaInfo (https://mediaarea.net/en/MediaInfo): for video files.
If you are a Windows user, you can view/edit the metadata of many file types by just right-clicking a file ➤ Properties (see Figure 1).
MS Office documents and PDF files are of special importance because of their widespread usage in the corporate world. To view/remove metadata from Microsoft Office 2010, 2013, and 2016 documents, you can check the document metadata by selecting File and then going to the Info tab. The Properties panel will be on the right side; from here you can remove document metadata by clicking the Properties button and selecting Advanced Properties (see Figure 2).
It is good practice to delete all hidden metadata associated with MS Office files before sharing them with someone else or posting them online. Fortunately, Microsoft Office provides functionality for deleting hidden metadata. You can access this feature in Microsoft Word 2010, 2013, and 2016 by selecting File ➤ Info ➤ Check for Issues ➤ Inspect Document.
To clear all hidden metadata from PDF files, Adobe has a feature called Sanitize Document. You can access it from Tools ➤ Sanitize Document. Please note that not all Adobe Acrobat Reader versions support this feature.
Social media websites
Social media sites open up numerous opportunities for cyber criminals to harvest sensitive information about a prospective target (whether it is a person or a corporation) because of the vast amount of useful information located in one place. For example, you can get a great deal of personal information about any person worldwide by just checking their Facebook page. Such information often includes the person of interest’s connections on Facebook, political views, religion, ethnicity, country of origin, personal images and videos, spouse name (or marital status), home and work addresses, frequently visited locations, social activities (e.g., sports, theater, and restaurant visits), work history, education, important event dates (such as birth date, graduation date, relationship date, or the date when they left or started a job), and social interactions. This can all be found in one Facebook profile.
To know what your Facebook profile reveals about your social interactions on this platform and investigate other Facebook users’ activities, you can use a free online service called StalkScan (https://stalkscan.com). This service allows you to investigate the public information of any Facebook user. To use this service, enter the Facebook URL of the target profile, and the site will populate the page with all the public social interactions produced by the entered profile (see Figure 3).
Information from social media websites can be combined with the information collected from the metadata of the target’s files to draw a complete picture of the target’s corporate IT systems and managerial hierarchy. Some benefits cybercriminals gain by exploiting these sources include the following and more:
- By knowing the type and version of the software used to create the target company’s files, criminals can target it with the appropriate malware. For example, if the targeted company uses an open source office program (e.g. LibreOffice or WPS) to create its documents, then sending VBA macro malware will not work.
- If a targeted company uses a Linux OS, then sending Windows malware will have no effect. Besides, knowing the current build/version of the target OS may reveal unpatched vulnerabilities that simplify hackers’ access through specific exploit kits.
- Knowing the path where the corporation stores its files (a network share) allows criminals to focus on the file share server where all corporate data is stored and hit it with a ransomware attack.
- Knowing the author name and/or email address from file metadata can reveal a work hierarchy and the email naming convention used within a company.
- Searching for a specific email ID in compromised-data repository websites (which list websites that suffered a data breach in the past) like https://haveibeenpwned.com/ may reveal the username and password associated with the searched email. The same password can be used for other online accounts.
- Posting details about your next vacation and your current location on Facebook reveals when you are away from your work or home; this could be dangerous when the IT security admin is the intended person!
- Posting photos taken at work may reveal plenty of useful information to hackers; screenshots that display the programs running on computer screens and the type of hardware used can be of great benefit to outside attackers.
- Job announcements can also reveal the entire IT infrastructure of a target company. For example, posting a vacancy for “Windows Server 2008 administrator with experience in managing Cisco ASA 5505 firewall” gives clear information about the server OS and firewall in use.
OSINT resources can be leveraged in different scenarios to acquire useful information about any target online. In this article we have briefly examined two methods: file metadata and information gathered from social media sites. Any of this information could contribute to a serious data breach if utilized successfully in phishing attacks against your employees. Make sure that they are prepared to recognize such attempts.