Enterprise Open Source Intelligence Gathering

Enterprise Open Source Intelligence Gathering Tom Eston

Open source intelligence (OSINT) is a form of intelligence collection management...

Open source intelligence (OSINT) is a form of intelligence collection management... ...involves ﬁnding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. - wikipedia

What do the Internets say?

18% had a data loss event via blog or message board... - Proofpoint, Inc. 2009 Survey

18% had a data loss event via blog or message board... 11% in 2008 - Proofpoint, Inc. 2009 Survey

17% experienced data loss related to social networks... - Proofpoint, Inc. 2009 Survey

17% experienced data loss related to social networks... 12 % in 2008 - Proofpoint, Inc. 2009 Survey

“A brand is the personiﬁcation of a product, service, or even entire company.” - Robert Blanchard, former P&G executive

5 things you will learn • What is out there on your company? • Metadata • Removal of Internet postings, metadata • Setting up a simple (cheap) monitoring program • Building a Internet Posting Policy

What gets posted? • Customer and Employee Complaints • Exposure of Conﬁdential Information • Security Vulnerabilities

Customer Complaints

Employee Complaints

Exposure of Conﬁdential Information

What about Vulnerabilities?

Things you wouldn't expect...

Where does this information get posted? ...and how to ﬁnd it!

Social Networks

300 Million Users 110 Million Users 40 Million Users Grew 752% in 2008

Finding Information on Social Networks • Socnet Search Engines • Maltego (Twitter/Facebook) • RSS feeds/Google Hacks • Google Alerts + Google Reader = WIN • Manual Searching • Facebook status updates

Socnet Search Engines • Wink, Spock, Twoogle, Knowem, WhosTalkin (there are many more, see my blog post) • Twitter Search • Social Bookmark Sites • Delicious, StumbleUpon • Don’t forget about photos/video! • Flickr Photo Search • YouTube and Vimeo Video Search

Maltego + Mesh = WIN *Screen shot from the “Maltego and Twitter!” post on paterva.com

Searching Facebook • Good: Maltego Facebook Transform (violates TOS) ** No longer working! :-( • Better: Login and use the search! FB doesn’t make status updates public...yet. • Best: site:facebook.com inurl:group (bofa | "bank of america") = Groups • inurl:pages = Facebook Pages • allinurl: people "John Doe" site:facebook.com = Public Proﬁles • Yahoo! Pipe for Facebook Groups: Facebook Discussion Board RSS Feed • Create Google Alert(s)

Searching LinkedIn • Similar to Facebook • Google dorks • site:linkedin.com inurl:pub (bofa | "bank of america") = Public Profiles • inurl:updates = Profile Updates • inurl:companies = Company Profiles

Blogs and News • Blogpulse, Technoratti, IceRocket • Social Mention (Search Engine for blogs, comments) • Google/Yahoo News

Document Repositories • DocStoc • Scribd • SlideShare • PDF Search Engine

Message Boards • Internet Forums (yes, even 4chan) • Craigslist • Full Disclosure Mailing List (vulnerabilities) • Google Groups/Yahoo Groups

All your metadata are belong to us...

What is Metadata? • Metadata = Data that describes Data • Catalog, index ﬁles, documents and more • Often overlooked by: • Document/File Creators • Your Company

Why do we care? • Can expose potential vulnerable software/ hardware in use! (client side attack) • OS and version numbers • Location information (GPS from smartphones) • User names, naming schemes, ﬁle paths

Where do you find it? • Microsoft Office Documents • PDF • JPEG’s (photos) • Other file types

Metadata is everywhere!

How do you ﬁnd it? • Google • Document Repositories • Wget to download photos (many other tools) • Your Company Website

Tools to analyze Metadata • EXIFtool (cmd line or GUI) • Maltego • Metagooﬁl • Metadata Extraction Tool • FOCA

Real World Example

Removing Internet Postings and Metadata

Removing posts from the Internet • Hard, but not impossible. Search Engine Cache FTL • Submit request to Search Engines to remove (there are multiple) • Legal team involvement, especially w/ socnets

Metadata Removal Techniques • MS Office Documents • Office 2002/03: CMD Line app “Remove Hidden Data” (Offrhd.exe) • Office 2007: Document Inspector • EXIFtool (photos) • Can be scripted to auto remove

Metadata Removal Continued... • PDFs: File -> Document Properties • EXIFtool • Many third-party tools! ($)

Setting up a monitoring program

What do you want to monitor? • Impossible to monitor everything! • Pick the most popular social networks, news sites, blogs, forums... • Monitoring should be deﬁned with your PR/Marketing groups!

Free Tools • Yahoo! Pipes (mashups) • RSS Feeds/RSS Reader Google Reader FTW • Maltego (community version) Good for deﬁning relationships, not automated • Maltego for speciﬁc searching when you need “more details”

Yahoo! Pipes

Google Reader RSS

What works best? • Assign someone! (someone in infosec, social media skill sets) • Create RSS Feeds from identiﬁed sites • Utilize Yahoo! Pipes, create RSS from pipes • Monitor w/Google Reader • Sites you can’t monitor automatically...determine manual methods. Build this into your Incident Response Procedures!

Building a Internet Posting Policy

Deﬁne your Social Media Strategy • Partner with Marketing/Public Relations/HR • What is acceptable for employees to post? • At work/off work • Employees have mobile devices, home computers!

Define what gets monitored? • Difficult or impossible to monitor everything • Determine with your partners what should be monitored • Careful with policy conflicts!

Cisco Example

Intel Example

Communicate to your employees! How can you enforce a policy if employees don’t know about it?

Where to learn more? • Great paper on Metadata (SANS Reading Room): “Document Metadata, the Silent Killer” - Larry Pesce • Maltego Tutorials: Chris Gates, EthicalHacker.net • My blog: spylogic.net

OSINT 3 Part Series • All the details from this presentation! • Part 1 - Social Networks http://bit.ly/osint1 • Part 2 - Blogs, Message Boards, Metadata http://bit.ly/osint2 • Part 3 - Monitoring, Social Media Policies http://bit.ly/osint3

http://socialmediasecurity.com	407
http://elladodelmal.blogspot.com	198
http://www.elladodelmal.com	80
http://www.slideshare.net	40
http://vint.sogeti.nl	17
http://www.techgig.com	15
http://www.brandwache.org	10
http://spatiallyrelevant.org	7
http://www.spatiallyrelevant.org	7
http://www.elladodelmal.blogspot.com	3
http://us-w1.rockmelt.com	2
http://h43x.com	2
http://chuckitworld.blogspot.com	1

Enterprise Open Source Intelligence Gathering

by Tom Eston on Oct 30, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

13 Embeds 789

Statistics

Enterprise Open Source Intelligence Gathering — Presentation Transcript