
Enterprise Open Source Intelligence Gathering


Presented at the Ohio Information Security Summit, October 30, 2009.

What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable: it can help an organization proactively identify information that may damage its brand or reputation and help mitigate leakage of confidential information.

This presentation will cover the risks to an organization from publicly available open source intelligence. How can your enterprise put an open source intelligence gathering program in place without additional resources or money? What free tools are available for gathering intelligence, including how to find your company information on social networks, and how can metadata expose potential vulnerabilities about your company and applications? Next, we will explore how to get information you may not want posted about your company removed, and how sensitive metadata you may not be aware of can be removed or limited. Finally, we will discuss how to build an Internet posting policy for your company and why this is more important than ever.

Published in: Technology


  1. Enterprise Open Source Intelligence Gathering Tom Eston
  2. Open source intelligence (OSINT) is a form of intelligence collection management...
  3. Open source intelligence (OSINT) is a form of intelligence collection management... ...involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. - Wikipedia
  4. What do the Internets say?
  5. 18% had a data loss event via blog or message board... - Proofpoint, Inc. 2009 Survey
  6. 18% had a data loss event via blog or message board... 11% in 2008 - Proofpoint, Inc. 2009 Survey
  7. 17% experienced data loss related to social networks... - Proofpoint, Inc. 2009 Survey
  8. 17% experienced data loss related to social networks... 12% in 2008 - Proofpoint, Inc. 2009 Survey
  9. “A brand is the personification of a product, service, or even entire company.” - Robert Blanchard, former P&G executive
  10. 5 things you will learn • What is out there on your company? • Metadata • Removal of Internet postings, metadata • Setting up a simple (cheap) monitoring program • Building an Internet Posting Policy
  11. What gets posted? • Customer and Employee Complaints • Exposure of Confidential Information • Security Vulnerabilities
  12. Customer Complaints
  13. Employee Complaints
  14. FAIL
  15. Exposure of Confidential Information
  16. What about Vulnerabilities?
  17. Things you wouldn't expect...
  18. Where does this information get posted? ...and how to find it!
  19. Social Networks
  20. 300 Million Users 110 Million Users 40 Million Users Grew 752% in 2008
  21. Finding Information on Social Networks • Socnet Search Engines • Maltego (Twitter/Facebook) • RSS feeds/Google Hacks • Google Alerts + Google Reader = WIN • Manual Searching • Facebook status updates
  22. Socnet Search Engines • Wink, Spock, Twoogle, Knowem, WhosTalkin (there are many more, see my blog post) • Twitter Search • Social Bookmark Sites • Delicious, StumbleUpon • Don’t forget about photos/video! • Flickr Photo Search • YouTube and Vimeo Video Search
  23. Maltego + Mesh = WIN *Screen shot from the “Maltego and Twitter!” post on paterva.com
  24. Searching Facebook • Good: Maltego Facebook Transform (violates TOS) ** No longer working! :-( • Better: Login and use the search! FB doesn’t make status updates public...yet. • Best: site:facebook.com inurl:group (bofa | "bank of america") = Groups • inurl:pages = Facebook Pages • allinurl: people "John Doe" site:facebook.com = Public Profiles • Yahoo! Pipe for Facebook Groups: Facebook Discussion Board RSS Feed • Create Google Alert(s)
  25. Searching LinkedIn • Similar to Facebook • Google dorks • site:linkedin.com inurl:pub (bofa | "bank of america") = Public Profiles • inurl:updates = Profile Updates • inurl:companies = Company Profiles
  26. Blogs and News • Blogpulse, Technorati, IceRocket • Social Mention (Search Engine for blogs, comments) • Google/Yahoo News
  27. Document Repositories • DocStoc • Scribd • SlideShare • PDF Search Engine
  28. Message Boards • Internet Forums (yes, even 4chan) • Craigslist • Full Disclosure Mailing List (vulnerabilities) • Google Groups/Yahoo Groups
  29. All your metadata are belong to us...
  30. What is Metadata? • Metadata = Data that describes Data • Catalog, index files, documents and more • Often overlooked by: • Document/File Creators • Your Company
  31. Why do we care? • Can expose potentially vulnerable software/hardware in use! (client side attack) • OS and version numbers • Location information (GPS from smartphones) • User names, naming schemes, file paths
  32. Where do you find it? • Microsoft Office Documents • PDF • JPEGs (photos) • Other file types
  33. Metadata is everywhere!
  34. How do you find it? • Google • Document Repositories • Wget to download photos (many other tools) • Your Company Website
  35. Tools to analyze Metadata • EXIFtool (cmd line or GUI) • Maltego • Metagoofil • Metadata Extraction Tool • FOCA
  36. Real World Example
  37. Removing Internet Postings and Metadata
  38. Removing posts from the Internet • Hard, but not impossible. Search Engine Cache FTL • Submit request to Search Engines to remove (there are multiple) • Legal team involvement, especially w/ socnets
  39. Metadata Removal Techniques • MS Office Documents • Office 2002/03: CMD Line app “Remove Hidden Data” (Offrhd.exe) • Office 2007: Document Inspector • EXIFtool (photos) • Can be scripted to auto remove
  40. Metadata Removal Continued... • PDFs: File -> Document Properties • EXIFtool • Many third-party tools! ($)
  41. Setting up a monitoring program
  42. What do you want to monitor? • Impossible to monitor everything! • Pick the most popular social networks, news sites, blogs, forums... • Monitoring should be defined with your PR/Marketing groups!
  43. Free Tools • Yahoo! Pipes (mashups) • RSS Feeds/RSS Reader Google Reader FTW • Maltego (community version) Good for defining relationships, not automated • Maltego for specific searching when you need “more details”
  44. Yahoo! Pipes
  45. Google Reader RSS
  46. What works best? • Assign someone! (someone in infosec, social media skill sets) • Create RSS Feeds from identified sites • Utilize Yahoo! Pipes, create RSS from pipes • Monitor w/Google Reader • Sites you can’t monitor automatically...determine manual methods. Build this into your Incident Response Procedures!
  47. Building an Internet Posting Policy
  48. Define your Social Media Strategy • Partner with Marketing/Public Relations/HR • What is acceptable for employees to post? • At work/off work • Employees have mobile devices, home computers!
  49. Define what gets monitored? • Difficult or impossible to monitor everything • Determine with your partners what should be monitored • Careful with policy conflicts!
  50. Cisco Example
  51. Intel Example
  52. Communicate to your employees! How can you enforce a policy if employees don’t know about it?
  53. Where to learn more? • Great paper on Metadata (SANS Reading Room): “Document Metadata, the Silent Killer” - Larry Pesce • Maltego Tutorials: Chris Gates, EthicalHacker.net • My blog: spylogic.net
  54. OSINT 3 Part Series • All the details from this presentation! • Part 1 - Social Networks http://bit.ly/osint1 • Part 2 - Blogs, Message Boards, Metadata http://bit.ly/osint2 • Part 3 - Monitoring, Social Media Policies http://bit.ly/osint3
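
Slides 31 and 39 note that Office documents expose user names and software versions and that removal can be scripted. The following is an added example, not code from the presentation: a pre-publication check that reads and blanks the standard `docProps` property fields of an Office 2007-style (.docx) package. The function names and the sample document are constructed for illustration.

```python
import io
import re
import zipfile

# Package parts and fields that commonly carry user names and software versions.
LEAKY = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["Application", "AppVersion", "Company", "Template"],
}

def _field(tag):
    # Matches <tag ...>value</tag>; groups 1 and 3 are the open and close tags.
    return re.compile(r"(<%s(?:\s[^>]*)?>)(.*?)(</%s>)" % ((re.escape(tag),) * 2), re.S)

def audit(data):
    """Return {field: value} for each non-empty leaky field in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, tags in LEAKY.items():
            xml = z.read(part).decode("utf-8") if part in z.namelist() else ""
            for tag in tags:
                m = _field(tag).search(xml)
                if m and m.group(2).strip():
                    found[tag] = m.group(2).strip()
    return found

def scrub(data):
    """Return a copy of the package with the leaky fields blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            body = src.read(name)
            for tag in LEAKY.get(name, []):
                body = _field(tag).sub(r"\1\3", body.decode("utf-8")).encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()

def sample_docx():
    """Constructed sample: a minimal .docx-style package with placeholder namespaces."""
    core = ('<cp:coreProperties xmlns:cp="urn:example:cp" xmlns:dc="urn:example:dc">'
            "<dc:title>Q3 plan</dc:title><dc:creator>j.doe</dc:creator>"
            "<cp:lastModifiedBy>a.smith</cp:lastModifiedBy></cp:coreProperties>")
    app = ("<Properties><Application>Microsoft Office Word</Application>"
           "<AppVersion>12.0000</AppVersion><Company>Example Corp</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app),
                          ("word/document.xml", "<w:document/>")):
            z.writestr(name, xml)
    return buf.getvalue()
```

This covers only the document property parts; comments, tracked changes and EXIF data in embedded images still need Document Inspector or EXIFtool, as the slides list.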
