Enterprise Open Source Intelligence Gathering


Presented at the Ohio Information Security Summit, October 30, 2009.

What does the Internet say about your company? Do you know what is being posted by your employees, your customers, or your competition? We all know that information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable: it lets an organization proactively identify the information that may damage its brand and reputation, and it helps mitigate leakage of confidential information.

This presentation will cover the risks an organization faces from publicly available open source intelligence. How can your enterprise put an open source intelligence gathering program in place without additional resources or money? What free tools are available for gathering intelligence, including how to find your company's information on social networks and how metadata can expose potential vulnerabilities in your company and its applications? Next, we will explore how to get information you may not want posted about your company removed, and how sensitive metadata you may not be aware of can be removed or limited. Finally, we will discuss how to build an Internet posting policy for your company and why this is more important than ever.

  • How many of us as security professionals think of reputational issues in regards to the company brand?

    1. Enterprise Open Source Intelligence Gathering Tom Eston
    2. Open source intelligence (OSINT) is a form of intelligence collection management...
    3. Open source intelligence (OSINT) is a form of intelligence collection management... ...involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. - Wikipedia
    4. What do the Internets say?
    5. 18% had a data loss event via blog or message board... - Proofpoint, Inc. 2009 Survey
    6. 18% had a data loss event via blog or message board... 11% in 2008 - Proofpoint, Inc. 2009 Survey
    7. 17% experienced data loss related to social networks... - Proofpoint, Inc. 2009 Survey
    8. 17% experienced data loss related to social networks... 12 % in 2008 - Proofpoint, Inc. 2009 Survey
    9. “A brand is the personification of a product, service, or even entire company.” - Robert Blanchard, former P&G executive
    10. 5 things you will learn • What is out there on your company? • Metadata • Removal of Internet postings, metadata • Setting up a simple (cheap) monitoring program • Building an Internet Posting Policy
    11. What gets posted? • Customer and Employee Complaints • Exposure of Confidential Information • Security Vulnerabilities
    12. Customer Complaints
    13. Employee Complaints
    14. FAIL
    15. Exposure of Confidential Information
    16. What about Vulnerabilities?
    17. Things you wouldn't expect...
    18. Where does this information get posted? ...and how to find it!
    19. Social Networks
    20. 300 Million Users 110 Million Users 40 Million Users Grew 752% in 2008
    21. Finding Information on Social Networks • Socnet Search Engines • Maltego (Twitter/Facebook) • RSS feeds/Google Hacks • Google Alerts + Google Reader = WIN • Manual Searching • Facebook status updates
    22. Socnet Search Engines • Wink, Spock, Twoogle, Knowem, WhosTalkin (there are many more, see my blog post) • Twitter Search • Social Bookmark Sites • Delicious, StumbleUpon • Don’t forget about photos/video! • Flickr Photo Search • YouTube and Vimeo Video Search
    23. Maltego + Mesh = WIN *Screen shot from the “Maltego and Twitter!” post on paterva.com
    24. Searching Facebook • Good: Maltego Facebook Transform (violates TOS) ** No longer working! :-( • Better: Login and use the search! FB doesn’t make status updates public...yet. • Best: site:facebook.com inurl:group (bofa | "bank of america") = Groups • inurl:pages = Facebook Pages • allinurl: people "John Doe" site:facebook.com = Public Profiles • Yahoo! Pipe for Facebook Groups: Facebook Discussion Board RSS Feed • Create Google Alert(s)
    25. Searching LinkedIn • Similar to Facebook • Google dorks • site:linkedin.com inurl:pub (bofa | "bank of america") = Public Profiles • inurl:updates = Profile Updates • inurl:companies = Company Profiles
    26. Blogs and News • Blogpulse, Technorati, IceRocket • Social Mention (search engine for blogs, comments) • Google/Yahoo News
    27. Document Repositories • DocStoc • Scribd • SlideShare • PDF Search Engine
    28. Message Boards • Internet Forums (yes, even 4chan) • Craigslist • Full Disclosure Mailing List (vulnerabilities) • Google Groups/Yahoo Groups
    29. All your metadata are belong to us...
    30. What is Metadata? • Metadata = Data that describes Data • Catalog, index files, documents and more • Often overlooked by: • Document/File Creators • Your Company
    31. Why do we care? • Can expose potentially vulnerable software/hardware in use! (client side attack) • OS and version numbers • Location information (GPS from smartphones) • User names, naming schemes, file paths
    32. Where do you find it? • Microsoft Office Documents • PDF • JPEGs (photos) • Other file types
    33. Metadata is everywhere!
    34. How do you find it? • Google • Document Repositories • Wget to download photos (many other tools) • Your Company Website
    35. Tools to analyze Metadata • EXIFtool (cmd line or GUI) • Maltego • Metagoofil • Metadata Extraction Tool • FOCA
    36. Real World Example
    37. Removing Internet Postings and Metadata
    38. Removing posts from the Internet • Hard, but not impossible. Search Engine Cache FTL • Submit request to Search Engines to remove (there are multiple) • Legal team involvement, especially w/ socnets
    39. Metadata Removal Techniques • MS Office Documents • Office 2002/03: CMD Line app “Remove Hidden Data” (Offrhd.exe) • Office 2007: Document Inspector • EXIFtool (photos) • Can be scripted to auto remove
    40. Metadata Removal Continued... • PDFs: File -> Document Properties • EXIFtool • Many third-party tools! ($)
    41. Setting up a monitoring program
    42. What do you want to monitor? • Impossible to monitor everything! • Pick the most popular social networks, news sites, blogs, forums... • Monitoring should be defined with your PR/Marketing groups!
    43. Free Tools • Yahoo! Pipes (mashups) • RSS Feeds/RSS Reader Google Reader FTW • Maltego (community version) Good for defining relationships, not automated • Maltego for specific searching when you need “more details”
    44. Yahoo! Pipes
    45. Google Reader RSS
    46. What works best? • Assign someone! (someone in infosec, social media skill sets) • Create RSS Feeds from identified sites • Utilize Yahoo! Pipes, create RSS from pipes • Monitor w/Google Reader • Sites you can’t monitor automatically...determine manual methods. Build this into your Incident Response Procedures!
    47. Building an Internet Posting Policy
    48. Define your Social Media Strategy • Partner with Marketing/Public Relations/HR • What is acceptable for employees to post? • At work/off work • Employees have mobile devices, home computers!
    49. Define what gets monitored? • Difficult or impossible to monitor everything • Determine with your partners what should be monitored • Careful with policy conflicts!
    50. Cisco Example
    51. Intel Example
    52. Communicate to your employees! How can you enforce a policy if employees don’t know about it?
    53. Where to learn more? • Great paper on Metadata (SANS Reading Room): “Document Metadata, the Silent Killer” - Larry Pesce • Maltego Tutorials: Chris Gates, EthicalHacker.net • My blog: spylogic.net
    54. OSINT 3 Part Series • All the details from this presentation! • Part 1 - Social Networks http://bit.ly/osint1 • Part 2 - Blogs, Message Boards, Metadata http://bit.ly/osint2 • Part 3 - Monitoring, Social Media Policies http://bit.ly/osint3
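Slides 30-35 explain what document metadata is and why it matters (user names, naming schemes, file paths, and the application and version that produced a file), and slides 39-40 cover removing it before publication. The following is an added example, not code from the presentation or from the tools it lists: it builds a minimal .docx in memory (a constructed sample, since a .docx is just a ZIP containing XML parts), reads the `docProps/core.xml` and `docProps/app.xml` property parts the way a metadata tool would, flags the fields a defender should worry about, and produces a stripped copy. The field list in `SENSITIVE` and the sample values (`jdoe`, `Example Corp`) are assumptions chosen for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two Office property parts. Registering them keeps the
# original prefixes when the stripped XML is written back out.
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
for prefix, uri in CORE_NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample property parts (values are made up for this example).
SAMPLE_CORE = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CORE_NS['cp']}" xmlns:dc="{CORE_NS['dc']}" xmlns:dcterms="{CORE_NS['dcterms']}">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>
  <dcterms:modified>2009-10-01T12:00:00Z</dcterms:modified>
</cp:coreProperties>"""

SAMPLE_APP = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{APP_NS}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>12.0000</AppVersion>
  <Company>Example Corp</Company>
  <Template>Normal.dotm</Template>
</Properties>"""

PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")

# Fields that leak user names, org names, template paths or software versions
# (the "client side attack" angle from slide 31). Assumed list for this example.
SENSITIVE = {
    "creator", "lastModifiedBy", "Company", "Manager",
    "Application", "AppVersion", "Template", "HyperlinkBase",
}


def build_sample_docx() -> bytes:
    """Create a minimal .docx-shaped ZIP carrying the constructed metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("docProps/app.xml", SAMPLE_APP)
        z.writestr("word/document.xml", "<w:document/>")  # body content is irrelevant here
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return every non-empty property from core.xml and app.xml as {local-name: text}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in PROPERTY_PARTS:
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for el in root.iter():
                local = el.tag.split("}")[-1]  # drop the namespace URI
                if el.text and el.text.strip():
                    found[local] = el.text.strip()
    return found


def flag_sensitive(meta: dict) -> dict:
    """Subset of extracted metadata that should be reviewed before publishing."""
    return {k: v for k, v in meta.items() if k in SENSITIVE}


def strip_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the document with the sensitive property values blanked out.

    Every other ZIP entry is copied unchanged, so the document body survives.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename in PROPERTY_PARTS:
                root = ET.fromstring(data)
                for el in root.iter():
                    if el.tag.split("}")[-1] in SENSITIVE:
                        el.text = None  # serialized as an empty element
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", flag_sensitive(extract_metadata(original)))
    print("after: ", flag_sensitive(extract_metadata(strip_metadata(original))))
```

Run against a real file by replacing `build_sample_docx()` with the bytes of a document pulled from your own public site; the same two property parts exist in .xlsx and .pptx files. Photos need a different parser (EXIF rather than XML), which is why the slides list EXIFtool separately.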
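Slides 41-46 describe the cheap monitoring program: pick the sources, turn them into RSS feeds, and have an assigned person review what mentions the company, feeding anything serious into incident response. As an added example (not code from the presentation), the script below implements the review step for one feed: it parses an RSS document, keeps only items that mention the brand terms, escalates items that also contain words associated with leaked confidential information, and remembers item links so a repeated poll does not re-alert on the same post. The feed, the brand `Example Corp`, the `.invalid` links and both term lists are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed RSS feed standing in for a Yahoo! Pipes or forum feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Example Corp outage thread</title><link>http://forum.invalid/t/1</link>
<description>Anyone else seeing Example Corp down this morning?</description></item>
<item><title>Great weekend</title><link>http://blog.invalid/p/2</link>
<description>Nothing to do with work.</description></item>
<item><title>rant</title><link>http://board.invalid/x/3</link>
<description>Leaving examplecorp.com next week, here is the internal VPN config they gave me</description></item>
</channel></rss>"""

# Assumed term lists. Brand terms decide whether an item is relevant at all;
# escalate terms mark the "exposure of confidential information" case.
BRAND_TERMS = ["example corp", "examplecorp.com"]
ESCALATE_TERMS = ["internal", "confidential", "password", "vpn"]


@dataclass
class Hit:
    title: str
    link: str
    matched: list
    severity: str  # "review" (mention only) or "escalate" (mention + sensitive term)


@dataclass
class FeedMonitor:
    brand_terms: list = field(default_factory=lambda: list(BRAND_TERMS))
    escalate_terms: list = field(default_factory=lambda: list(ESCALATE_TERMS))
    seen_links: set = field(default_factory=set)  # links already reported

    def scan(self, rss_xml: str) -> list:
        """Return new Hit objects for items mentioning the brand, most severe first."""
        hits = []
        root = ET.fromstring(rss_xml)
        for item in root.iter("item"):
            title = item.findtext("title", "")
            link = item.findtext("link", "")
            if link in self.seen_links:
                continue  # already reviewed on an earlier poll
            text = f"{title} {item.findtext('description', '')}".lower()
            brand = [t for t in self.brand_terms if t in text]
            if not brand:
                continue
            sensitive = [t for t in self.escalate_terms if t in text]
            severity = "escalate" if sensitive else "review"
            hits.append(Hit(title, link, brand + sensitive, severity))
            self.seen_links.add(link)
        hits.sort(key=lambda h: h.severity != "escalate")  # escalations first
        return hits


if __name__ == "__main__":
    monitor = FeedMonitor()
    for hit in monitor.scan(SAMPLE_FEED):
        print(f"[{hit.severity}] {hit.title} {hit.link} matched={hit.matched}")
    print("second poll, new items:", len(monitor.scan(SAMPLE_FEED)))
```

In practice the XML would come from fetching each feed URL on a schedule, and `seen_links` would be persisted between runs; the `escalate` hits are the ones to hand to the incident response procedure the slides mention.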