Enterprise Open Source Intelligence Gathering

Presented at the Ohio Information Security Summit, October 30, 2009.

What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable: it helps an organization proactively identify information that may damage its brand and reputation, and helps mitigate leakage of confidential information.

This presentation will cover the risks that publicly available open source intelligence poses to an organization. How can your enterprise put an open source intelligence gathering program in place without additional resources or money? What free tools are available for gathering intelligence, including how to find your company information on social networks and how metadata can expose potential vulnerabilities in your company and applications? Next, we will explore how to get information you may not want posted about your company removed, and how sensitive metadata you may not be aware of can be removed or limited. Finally, we will discuss how to build an Internet posting policy for your company and why this is more important than ever.

  • KMC01 any chance this is still available to download please?
  • hi agent0x0 great presentation...is there any way i can get a downloadable copy?
    thanks in advance
    stefano
  • Try downloading now. I disable downloads because all my presentations are in Keynote. Email me for a PDF version. Thanks!
  • I was trying to help you out by e-mailing your presentation to somebody, but you disabled downloading. Genius. You probably lost a possible govt contract.
  • intelligence gathering
  • How many of us as security professionals think of reputational issues in regards to the company brand?

Transcript

  • 1. Enterprise Open Source Intelligence Gathering Tom Eston
  • 2. Open source intelligence (OSINT) is a form of intelligence collection management...
  • 3. Open source intelligence (OSINT) is a form of intelligence collection management... ...involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. - wikipedia
  • 4. What do the Internets say?
  • 5. 18% had a data loss event via blog or message board... - Proofpoint, Inc. 2009 Survey
  • 6. 18% had a data loss event via blog or message board... 11% in 2008 - Proofpoint, Inc. 2009 Survey
  • 7. 17% experienced data loss related to social networks... - Proofpoint, Inc. 2009 Survey
  • 8. 17% experienced data loss related to social networks... 12% in 2008 - Proofpoint, Inc. 2009 Survey
  • 9. “A brand is the personification of a product, service, or even entire company.” - Robert Blanchard, former P&G executive
  • 10. 5 things you will learn • What is out there on your company? • Metadata • Removal of Internet postings, metadata • Setting up a simple (cheap) monitoring program • Building an Internet Posting Policy
  • 11. What gets posted? • Customer and Employee Complaints • Exposure of Confidential Information • Security Vulnerabilities
  • 12. Customer Complaints
  • 13. Employee Complaints
  • 14. FAIL
  • 15. Exposure of Confidential Information
  • 16. What about Vulnerabilities?
  • 17. Things you wouldn't expect...
  • 18. Where does this information get posted? ...and how to find it!
  • 19. Social Networks
  • 20. 300 Million Users 110 Million Users 40 Million Users Grew 752% in 2008
  • 21. Finding Information on Social Networks • Socnet Search Engines • Maltego (Twitter/Facebook) • RSS feeds/Google Hacks • Google Alerts + Google Reader = WIN • Manual Searching • Facebook status updates
  • 22. Socnet Search Engines • Wink, Spock, Twoogle, Knowem, WhosTalkin (there are many more, see my blog post) • Twitter Search • Social Bookmark Sites • Delicious, StumbleUpon • Don’t forget about photos/video! • Flickr Photo Search • YouTube and Vimeo Video Search
  • 23. Maltego + Mesh = WIN *Screen shot from the “Maltego and Twitter!” post on paterva.com
  • 24. Searching Facebook • Good: Maltego Facebook Transform (violates TOS) ** No longer working! :-( • Better: Login and use the search! FB doesn’t make status updates public...yet. • Best: site:facebook.com inurl:group (bofa | "bank of america") = Groups • inurl:pages = Facebook Pages • allinurl: people "John Doe" site:facebook.com = Public Profiles • Yahoo! Pipe for Facebook Groups: Facebook Discussion Board RSS Feed • Create Google Alert(s)
  • 25. Searching LinkedIn • Similar to Facebook • Google dorks • site:linkedin.com inurl:pub (bofa | "bank of america") = Public Profiles • inurl:updates = Profile Updates • inurl:companies = Company Profiles
  • 26. Blogs and News • Blogpulse, Technorati, IceRocket • Social Mention (Search Engine for blogs, comments) • Google/Yahoo News
  • 27. Document Repositories • DocStoc • Scribd • SlideShare • PDF Search Engine
  • 28. Message Boards • Internet Forums (yes, even 4chan) • Craigslist • Full Disclosure Mailing List (vulnerabilities) • Google Groups/Yahoo Groups
  • 29. All your metadata are belong to us...
  • 30. What is Metadata? • Metadata = Data that describes Data • Catalog, index files, documents and more • Often overlooked by: • Document/File Creators • Your Company
  • 31. Why do we care? • Can expose potentially vulnerable software/hardware in use! (client side attack) • OS and version numbers • Location information (GPS from smartphones) • User names, naming schemes, file paths
  • 32. Where do you find it? • Microsoft Office Documents • PDF • JPEGs (photos) • Other file types
  • 33. Metadata is everywhere!
  • 34. How do you find it? • Google • Document Repositories • Wget to download photos (many other tools) • Your Company Website
  • 35. Tools to analyze Metadata • EXIFtool (cmd line or GUI) • Maltego • Metagoofil • Metadata Extraction Tool • FOCA
  • 36. Real World Example
  • 37. Removing Internet Postings and Metadata
  • 38. Removing posts from the Internet • Hard, but not impossible. Search Engine Cache FTL • Submit request to Search Engines to remove (there are multiple) • Legal team involvement, especially w/ socnets
  • 39. Metadata Removal Techniques • MS Office Documents • Office 2002/03: CMD Line app “Remove Hidden Data” (Offrhd.exe) • Office 2007: Document Inspector • EXIFtool (photos) • Can be scripted to auto remove
  • 40. Metadata Removal Continued... • PDFs: File -> Document Properties • EXIFtool • Many third-party tools! ($)
  • 41. Setting up a monitoring program
  • 42. What do you want to monitor? • Impossible to monitor everything! • Pick the most popular social networks, news sites, blogs, forums... • Monitoring should be defined with your PR/Marketing groups!
  • 43. Free Tools • Yahoo! Pipes (mashups) • RSS Feeds/RSS Reader Google Reader FTW • Maltego (community version) Good for defining relationships, not automated • Maltego for specific searching when you need “more details”
  • 44. Yahoo! Pipes
  • 45. Google Reader RSS
  • 46. What works best? • Assign someone! (someone in infosec, social media skill sets) • Create RSS Feeds from identified sites • Utilize Yahoo! Pipes, create RSS from pipes • Monitor w/Google Reader • Sites you can’t monitor automatically...determine manual methods. Build this into your Incident Response Procedures!
  • 47. Building an Internet Posting Policy
  • 48. Define your Social Media Strategy • Partner with Marketing/Public Relations/HR • What is acceptable for employees to post? • At work/off work • Employees have mobile devices, home computers!
  • 49. Define what gets monitored? • Difficult or impossible to monitor everything • Determine with your partners what should be monitored • Careful with policy conflicts!
  • 50. Cisco Example
  • 51. Intel Example
  • 52. Communicate to your employees! How can you enforce a policy if employees don’t know about it?
  • 53. Where to learn more? • Great paper on Metadata (SANS Reading Room): “Document Metadata, the Silent Killer” - Larry Pesce • Maltego Tutorials: Chris Gates, EthicalHacker.net • My blog: spylogic.net
  • 54. OSINT 3 Part Series • All the details from this presentation! • Part 1 - Social Networks http://bit.ly/osint1 • Part 2 - Blogs, Message Boards, Metadata http://bit.ly/osint2 • Part 3 - Monitoring, Social Media Policies http://bit.ly/osint3
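
An added example, not from the presentation: slides 43 to 46 describe turning identified sites into RSS feeds, filtering them and reviewing the results. The Python below performs the filtering step over one feed, using the posting categories from slide 11 to decide what to escalate; the company name, watch patterns and feed contents are constructed, hypothetical values.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical watch list for a fictional company; agree the real one with PR/Marketing.
WATCH = {
    "brand": re.compile(r"\bexample\s*corp\b", re.I),
    "leak": re.compile(r"\b(confidential|internal only|password)\b", re.I),
    "vuln": re.compile(r"\b(xss|sql injection|vulnerab\w+)\b", re.I),
}

def new_hits(feed_xml: str, seen: set) -> list:
    """Return brand mentions not reported before, tagged leak/vuln for triage."""
    hits = []
    for item in ET.fromstring(feed_xml).iter("item"):
        text = " ".join(item.findtext(t) or "" for t in ("title", "description"))
        key = item.findtext("guid") or item.findtext("link") or text
        if key in seen or not WATCH["brand"].search(text):
            continue
        seen.add(key)  # remember the item so the next poll does not repeat it
        tags = [k for k in ("leak", "vuln") if WATCH[k].search(text)]
        hits.append({"link": item.findtext("link"), "tags": tags,
                     "escalate": bool(tags)})  # tagged items go to incident response
    return hits

# Constructed RSS 2.0 feed standing in for a forum or blog search feed.
SAMPLE_FEED = """<rss version="2.0"><channel><title>forum</title>
<item><guid>1</guid><link>http://forum.example/1</link>
 <title>Example Corp support is slow</title><description>Waited a week.</description></item>
<item><guid>2</guid><link>http://forum.example/2</link>
 <title>Found this</title><description>ExampleCorp internal only roadmap PDF</description></item>
<item><guid>3</guid><link>http://forum.example/3</link>
 <title>Unrelated post</title><description>Nothing about the company.</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for hit in new_hits(SAMPLE_FEED, set()):
        print(hit)
```

Feeds are untrusted input, so a deployed version should parse them with a hardened XML parser such as `defusedxml` and persist `seen` between polls.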