Open source intelligence gathering (OSINT) is an important part of the reconnaissance phase of a penetration test. The more connected we are, the more information about people and assets is held by seemingly everything. This information can be juicy for both penetration testers and malicious threat actors. Learning what sources of information is available to start an engagement is a crucial step in completing a thorough but effective exploration. Risks associated with leveraging, misusing or selling discovered material are all too real. Come on a journey of discovery through IT/IOT/ICS SCADA systems, databases, solar panels, smart homes, washing machines and the vulnerable, interconnected world. This presentation was showcased during Ladies in Cyber Security, an event organised by DefCamp and Cyber Security Research Center from Romania - CCSIR.

1. HACK THE WORLD WITH OSINT
DEFCAMP LADIES ROMANIA
CHRIS KUBECKA, CEO HYPASEC
21 MARCH 2019

2. BIOGRAPHY
• Cyber warfare & Critical infrastructure security expert: Oil & Gas, Water,
Electric & Nuclear
• Author, presenter at Black Hat, Security BSides, ICS/SCADA Nuclear Cyber
Security
• Previous headed Aramco Overseas Security Operations, Information
Protection & Intelligence
• Previous U.S Air Force Space Command
• Previous script kiddie hacking the US Government

3. WHAT IS OSINT?
• Search Engine Discovery & Reconnaissance
• Identifying Web Servers
• Webserver Metafiles & Webpage Comments for Information
Leakage
• Identify application entry points
•Discover corruption
3

4. SECURITY
CHALLENGES
Large number
of access
points
Security is
hard
Internet of
Shite
Profit over
vulnerabilities
Assuming
security
Security an
afterthought

5. WEAK ENCRYPTION = HACKER OPPORTUNITIES
• Government encryption certificates
required
• Banking, tax authorities, hydroelectric
dams
• Mandated, weak backdoors everywhere
• Australian government passed a bill
requiring technology companies
unencrypt December 2018
• Happy hacker fun ☺
5

6. WHO LIKES ELECTRICITY?
• Exposed
• Remote controllable
• No authentication
• Modbus
• No authentication
• Will accept a command from
anyone
6

7. OPEN AUTOMATED DEMAND RESPONSE
• North America
• Interoperability
management
• Pricing
• Demand
• Controls all components
• Zero security

8. SOLAR & WIND
• Crucial for the Paris Accord
• Load management
• Many vendors
• Not much security testing

9. SMART ELECTRIC METERS
• Mandatory in some EU countries
• Mandatory in some US areas
• Privacy concerns
• Can be refused in NL
• Security concerns
• No cyber security testing requirements

10. WHO LIKES WATER?
• Water and electricity
production are
intertwined
• 390% increase in
attacks against water
systems in the USA
2000-2009
10

11. AGRICULTURE
• Salmon Farm in the EU
• Geolocated to a country
where growing weed is
illegal
• Authentication disabled for
remote access
• Remote Controllable
11

12. METADATA TIME = BETRAYED BY DOCUMENTS
• Hidden info
• TMI
• Manual labor to hide
• Overlooked

13. ELECTION INSECURITY
13

14. CAN I HACK A BUILDING?
• Smart Appliances
• Washing Machines
• Refrigerators
• Smart plugs
• Smart lighting
• Alarm systems

15. HOW DIFFICULT IS SECURITY?
• Saudi Intelligence MOFA
• CIA
• NSA
• GCHQ

16. CONCLUSION
• Proactive OSINT testing or
unwelcome pen test
• Security testing = Yes
• Don’t assume it’s okay
• Testing tools can fit any
budget
• Everything can be hacked
given enough resources
13 days later
Your strategic supply is gone!
GAMEOVER

17. QUESTIONS & THANK YOU
• Everything@hypasec.com
• @SecEvangelism
• Hack the World with OSINT
• Down the Rabbit Hole an OSINT Journey
• Darknet Diaries Shamoon episode 30
• When the internet gives you remotely exploitable
systems, take them. They’re like free candy, right?
- Chris Kubecka