Episode 42: OSINT - What You Don't Know Can Hurt You
Cyber Threat Perspective: OSINT
In this episode, the Offensive Security Group discusses Open Source Intelligence (OSINT) and how it can be used against you. They cover what OSINT is, what constitutes OSINT data, and how it can be used for both good and evil purposes. The speakers also discuss how they use OSINT in their pen testing processes.
Introduction to OSINT
- OSINT is the process of collecting and analyzing publicly available information for some purpose.
- It can be used to achieve a goal or accomplish an objective.
- The information that's available online is very widespread.
- OSINT can be used for all sorts of things and is applicable to virtually every industry.
How OSINT Can Be Used Against You
- What you don't know about OSINT is what can really hurt you.
- Hackers and other malicious entities use OSINT extensively to find vulnerabilities in systems.
- The more information that's available online, the more leverage attackers have to attack different resources that they discover through OSINT.
What Constitutes OSINT Data
- Anything that's publicly available can be considered open source intelligence (OSINT).
- Traditional search engines like Google, Bing, Yahoo are popular resources for gathering information.
- Social media sites such as LinkedIn, Instagram, Twitter are also valuable sources of information.
- Paid resources like industry journals or satellite data subscriptions are also considered part of the broader category of open source intelligence.
How Offensive Security Uses OSINT
- Offensive Security relies heavily on using open source intelligence during their pen testing processes.
- They use it both externally and internally during social engineering tests.
- Google Dorking, crafting search queries with advanced search operators to surface specific kinds of results, is one technique they use.
- They also use LinkedIn to look for users and information about specific companies or organizations.
Managing the Risk of OSINT
- It's important to be aware of what information is publicly available about you or your organization.
- Regularly monitor social media accounts and Google search results for any potentially sensitive information.
- Consider implementing a security awareness training program for employees to educate them on the risks associated with OSINT.
What is Open Source Intelligence (OSINT)?
In this section, the speakers discuss what open source intelligence (OSINT) is and where it can be found.
Definition of OSINT
- OSINT refers to publicly available information that can be accessed by anyone.
- Examples of OSINT include social media posts, geolocation data, public records like tax rolls and court records, public meeting notes, and IoT search engines.
Vastness of OSINT
- The amount of information available through OSINT is immense.
- Every PDF an organization publishes, every picture posted on social media, and every post made online is archived and put on the internet somewhere.
- Even if a website or social media platform no longer exists, there are internet archives that intentionally archive every website they can crawl and get access to.
How Can OSINT Be Abused?
In this section, the speakers discuss how open source intelligence (OSINT) can be used for malicious purposes.
Non-Technical Ways
- Blackmail: Someone could use information found through OSINT to blackmail an individual or organization.
- Impersonation: An attacker could impersonate someone using personal information obtained through OSINT.
- Data Leak: Sensitive data could be leaked due to poor security practices or lack of awareness about what information is being shared online.
- Profile Pages on Websites: Attackers could use profile pages on websites to gather personal information about individuals or organizations.
Technical Ways
- Gaps in Security Programs: Organizations may have gaps in their security programs that attackers can exploit using information obtained through OSINT.
Data Leakage via Social Media
The speaker discusses the risks of data leakage through social media and how it can compromise an organization's security. They provide examples of how pictures and posts on social media can reveal sensitive information about a company's layout, access points, and employee badges.
Risks of Sharing Information on Social Media
- Users should be aware of what is appropriate to post on social media regarding work-related information.
- Pictures shared on LinkedIn revealed the location of a prominent law firm in a big city, including access points and employee badges.
- Pictures shared online may contain sensitive information such as passwords or notes that can be used to infiltrate an organization.
Non-Technical Ways to Compromise Security
The speaker discusses non-technical ways that organizations' security can be compromised. They explain how sharing documents online can reveal metadata containing usernames, IP addresses, geographic locations, and other sensitive information.
Risks of Sharing Documents Online
- Metadata contained in documents shared online may include usernames, IP addresses, geographic locations, and other sensitive information.
Overall Summary:
The speaker highlights the importance of being aware of what is appropriate to share on social media regarding work-related information. They provide examples of how pictures and posts on social media can reveal sensitive information about a company's layout, access points, and employee badges. Additionally, they discuss non-technical ways that organizations' security can be compromised by sharing documents online whose metadata contains usernames, IP addresses, geographic locations, and other details.
Non-Technical Considerations for Job Postings
In this section, the speaker discusses non-technical considerations for job postings and how to protect sensitive information.
Protecting Sensitive Information in Job Postings
- Avoid divulging unique or proprietary information in job listings.
- Use caution when creating profile pages on websites, such as attorney pages; on some of these, hovering over an attorney's picture reveals their email address.
- Gathering emails is important for social engineering tests and additional enumeration.
Obfuscating Email Addresses
- Organizations use cloud WAF or proxying tools to obfuscate email addresses until they are rendered on the page.
- These methods can be easily bypassed by crawling tools or by downloading the unobfuscated form from the page source.
Exploiting Attorney Pages
- Attorneys' pages often contain awards and recognitions that can be used to social engineer a law firm.
- Knowing this information is part of the battle against exploitation.
Fun Story: Social Engineering a Higher Education Organization
- The speaker impersonated an athlete at a higher education organization using personal information found on their athlete biography page.
- Verification was based on the person's birthday, which allowed full account takeover.
Overall, it is important to consider non-technical aspects when creating job postings and protecting sensitive information. Organizations should also be aware of potential exploits through attorney pages and personal biographies.
Technical Aspects of Penetration Testing
In this section, the speaker discusses technical aspects of penetration testing and how social engineering can be both non-technical and technical.
Social Engineering
- Social engineering has a technical component to it, such as phishing and business email compromise (BEC).
- OSINT data can be used to construct attacks like BEC.
- Attackers can impersonate vendors by creating domain names that look similar to the actual vendor's domain name.
Fingerprinting Websites and Applications
- Default Apache server responses include the version string, which can reveal software versions that are out of date and vulnerable.
- CMS software and web frameworks such as Node.js and JavaScript libraries commonly have high numbers of vulnerabilities.
- Organizations' websites are often running outdated software versions that introduce vulnerabilities such as cross-site scripting.
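The version-banner point above is one a site owner can verify against their own servers in seconds. The script below is an added example, not code from the podcast or the Offensive Security Group: it parses a raw HTTP response header block (the kind `curl -I` prints) and reports any of the usual banner headers that carry a dotted version number. The two sample responses are constructed, not captured from any real host; the header list is an assumption based on common server defaults, and check_url is a convenience for pointing the same check at a host you administer.

```python
"""Check HTTP response headers for software-version disclosure (added example, not from the podcast)."""
import re
import urllib.request

# Response headers that commonly carry product and version banners (assumed list)
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Matches a dotted version number such as 2.4.29 or 7.2
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into {lower-name: [values]}; the status line has no colon and is skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def version_disclosures(raw: str) -> list:
    """Return (header, value) pairs whose value contains a version number."""
    headers = parse_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            if VERSION_RE.search(value):
                findings.append((name, value))
    return findings


def check_url(url: str) -> list:
    """Fetch headers from a host you administer (HEAD request) and run the same check.
    Not exercised offline; `url` is a placeholder for whatever site you are assessing."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return version_disclosures(resp.headers.as_string())


# Constructed sample: Apache and PHP with default banner settings
SAMPLE_DEFAULT = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: the same stack after ServerTokens Prod, ServerSignature Off and expose_php = Off
SAMPLE_HARDENED = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, version_disclosures(raw))
```

On Apache the fix is `ServerTokens Prod` and `ServerSignature Off` in the server config, which reduces the banner to the product name only; PHP's `expose_php = Off` drops the X-Powered-By header. Hiding the banner does not patch anything, so the check is a prompt to confirm the version behind it is current, not a substitute for updating.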
Enumerating Domains and Subdomains
- OSINT data is used for enumerating domains, subdomains, DNS records, and other assets when doing an external pen test.
- External pen testers may find additional assets beyond the scope given by clients.
Importance of Validating Domains and Subdomains
In this section, the speaker emphasizes the importance of validating domains and subdomains to identify potential attack paths.
Validating Domains and Subdomains
- Even if domains and subdomains are just artifacts on the internet, they still hold client data and can be a potential foothold or attack path.
- It is important to validate domains and subdomains to communicate back to clients their total attack footprint from the perspective of security experts.
- Finding internet-facing devices such as routers, edge devices, management interfaces for appliances, and IoT devices like cameras is crucial. OSINT helps narrow down these devices by revealing their version numbers and the vulnerabilities in them.
- Unpatched or untouched devices can be a hidden attack surface.
Cloud Application SaaS Products
This section discusses how cloud application SaaS products can present risks if not properly protected.
Risks Associated with Cloud Application SaaS Products
- It is essential to look at cloud resources that organizations have, including SaaS products.
- Open S3 buckets or open cloud resources can provide attackers with access to sensitive information.
- Third-party SaaS applications are often not properly integrated into an organization's single sign-on or zero trust architecture. For example, Zoom meetings may not have MFA enabled, which could lead to impersonation attacks.
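The open-bucket risk above is a configuration review problem, and a bucket policy is small enough to check mechanically. The script below is an added example, not code from the podcast or the Offensive Security Group: it parses a bucket policy document (the JSON that `aws s3api get-bucket-policy` returns) and reports every Allow statement whose Principal is anonymous, the pattern behind a publicly readable bucket. The two policies, the bucket name and the account ID are constructed placeholders, not real resources; the public-access-block keys are the four settings AWS provides for this risk.

```python
"""Flag S3 bucket policy statements that grant access to everyone (added example, not from the podcast)."""
import json

# The account- or bucket-level setting AWS provides for this risk; with all four
# flags on, a public policy or ACL is rejected regardless of what a bucket says.
RECOMMENDED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" is one of several entries)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json: str) -> list:
    """Return one finding per Allow statement open to anonymous principals.

    A statement with a Condition block is still reported, marked conditioned=True,
    because conditions can narrow access (for example to a source VPC) but need human review."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


# Constructed: the classic "public read" policy that exposes every object in the bucket
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed: the same access limited to one account (placeholder account ID)
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

if __name__ == "__main__":
    print("open  :", public_statements(OPEN_POLICY))   # one finding, Sid PublicRead
    print("scoped:", public_statements(SCOPED_POLICY))  # []
```

A policy check alone misses buckets made public through ACLs rather than policies, which is why the block-public-access setting is the control to confirm first; the script is the second look, useful for the buckets that legitimately need a policy and for explaining to an owner exactly which statement opened the door.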
Discovering Usernames through OSINT
This section highlights how OSINT can be used to discover usernames and username formats.
Discovering Usernames through OSINT
- OSINT can be used to enumerate and discover users, username formats, or organizations.
- Even if usernames are obfuscated on a website, attackers can still build and craft usernames and complete emails based on names alone.
- Organization websites, such as those of higher education institutions, list teachers and staff on pages that attackers leverage for further attacks.
Defending Against Risks Associated with OSINT
This section discusses how to defend against risks associated with OSINT.
Mitigating Risk
- The first step is knowing the risk and educating oneself on what type of data is out there and what kind of data can be obtained by just using OSINT.
- Implementing proper security measures such as MFA, single sign-on or zero trust architecture can help mitigate risks.