Presentation on personal data. How it happens, how to protect yourself.

1. How Personal Data is Collected & Used, and Steps to Protect Your Digital Footprint
Sandy Dunn
1.23.19
Public Information
1

2. OSINT Talk One
o What is OSINT
o Why you should care
o Steps to protect your privacy
OSINT Talk Two
o BCI Attack Surface
o Third Party Vendor Assessment
At The End Of This
Presentation
• Aware of how OSINT information is
captured
• Take steps to protect your personal data
• Be conscientious about sharing what
member data is shared and with who
2

3. What is OSINT
OSINT
Open Source Intelligence Information
Publicly available information located inside newspapers, blogs, web pages,
tweets, social media cards, images, podcasts, or videos as long as it is public,
free and legal.
The U.S. Director of National Intelligence and the U.S. Department of Defense
have defined it as intelligence “produced from publicly available information
that is collected, exploited, and disseminated in a timely manner to an
appropriate audience for the purpose addressing a specific intelligence
requirement.”
Intelligence Discipline
Intelligence produced form publicly available information this collected
3

4. Josh Huff
• https://www.youtube.com/watch?v=6kBOCnOlwqI
4

5. How Personal Data Happens
Social Media Data Breaches Public Records
Credit or Debit
Card / Loyalty
programs
Friends, Family,
School Athletics,
Clubs, Hobby
DNA Testing,
Ancestry Sites
5

6. Swatting
Swatting “is the harassment tactic of deceiving
an emergency service into sending a police and
emergency service response team to another
person's address. ..This is triggered by false
reporting of a serious law enforcement
emergency, such as a bomb threat, murder,
hostage situation, or other alleged incident. It can
also be triggered by a false report of a "mental
health" emergency, such as reporting that a
person is allegedly feeling suicidal or homicidal
and may or may not be armed.”1
• 1 https://en.wikipedia.org/wiki/Swatting
• https://arstechnica.com/information-technology/2019/01/facebook-executive-swatting-sends-significant-
police-response-to-his-home/
• https://arstechnica.com/tech-policy/2017/12/kansas-mans-death-may-have-resulted-from-call-of-duty-
swatting/
6

7. ©2015 by Blue Cross of Idaho, an Independent Licensee of the Blue Cross and Blue Shield Association
7
PRIVATEANDCONFIDENTIAL 1.10.19
• https://arstechnica.com/information-technology/2019/01/facebook-executive-swatting-sends-significant-
police-response-to-his-home/
7

8. Doxxing
Doxxing “is the Internet-based practice of
researching and broadcasting private or
identifiable information (especially personally
identifiable information) about an individual or
organization.
The methods employed to acquire this
information include searching publicly available
databases and social media websites (like
Facebook), hacking, and social engineering.”1
• 1 https://en.wikipedia.org/wiki/Doxing
• https://hornet.com/stories/doxxed-ice-employees/
• https://www.audible.in/pd/How-Doxxing-Became-a-Mainstream-Tool-in-the-Culture-Wars-
Audiobook/B073QWNZ33
8

9. I Don’t Have Anything to
Hide
What do you have to protect ?
9

10. Social Media
• Facebook
• Google
• Instagram
• Snapchat
• Twitter
• LinkedIn
• WhatsApp
• Pinterest
• Tumbler
• Reddit
• Dating sites
• https://www.wired.com/story/facebook-10-year-meme-challenge/
10

11. What They
Have
• Name, gender, email, date of
birth, email, mobile, IP
address, all user activity,
likes, tags
• Tracking non- face book users
• Applications, contacts
• Access to your webcam
• Where you have been
• Everything you’ve searched &
deleted
• They have an advertisement
profile for you
• What apps you use
• News you have read
• Fitness level, fitness goals
• Upcoming plans
• Calendar
• https://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-
privacy
11

12. Data
Breaches
• Records Breached: 11,582,116,452
• 9,033 Data Breaches made public
since 2005
• https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
• https://www.privacyrights.org/data-breaches
12

13. Genetic
Testing &
Ancestry
Sites
“If you’re white, live in the United States, and a distant relative
has uploaded their DNA to a public ancestry database, there’s a
good chance an internet sleuth can identify you from a DNA
sample you left somewhere. “
• https://www.businessinsider.com/dna-testing-delete-your-data-23andme-ancestry-2018-7
13

14. EXIF Data
from
Photos
What can be captured
•GPS Data
•Who created it and when
•Who last modified it and when
•Tags and it’s categories'
•Who can access and update
Sites to be careful
•Most photo sharing sites
•Flickr
•Tumbler
•Pinterest
Sites that remove metadata
•Facebook
•LinkedIn
•Twitter
•Blogger
• https://www.peerlyst.com/posts/extracting-juicy-info-from-an-image-using-exif-metadata-shaquib-izhar
14

15. Meta Data From Documents
Metagoofill
• Searching file types in the target
domain using the Google search engine
• Downloading all of the documents
found and saving them to the local
disk.
• Extracting the metadata from the
downloaded documents
• Saving the result in an HTML file
Checklists for removing document meta data
from Microsoft and PDF files
15

16. Other
Public Records
• Taxes, arrests, births, death, divorce, marriages
• Voter data, name, street, party affiliation, elections in which you
did or did not vote, phone number, email
Credit or Debit Card Transactions / Loyalty programs
Friends, Family, School Athletics, Clubs, or Hobby
Classified listings, Craigslist, Ebay, Amazon,
Business search sites
LinkedIn
Job Sites
Online Communities and Blogs
Reverse Image Search – Google, Tineye
Real Estate Listing
16

17. How Data is
Captured
• GPS Data – Fitness trackers,
Facebook, Google , Twitter,
• Health Data - Fitness Trackers,
Apps
• Loyalty cards
• Smart TV
• Alexa, Google
• Car Movements – Every car
since 2006 contains a chip that
records your speed, braking,
turns, mileage, accidents,
when you start your car
• License plates
• Police – vehicle
location tracking
• Toll booth
• Cell Phone
• https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html
• https://lifehacker.com/how-retail-stores-track-you-using-your-smartphone-and-827512308
17

18. Cell Phone Providers
• https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-
microbilt-zumigo-tmobile
18

19. How it OSINT
Information used
• Ads
• Marketing information
• Password breaches
• AI Training
• Police & Law
Enforcement
• Identity Theft
• Phishing Attacks
Detecting Crime
• ShotSpotter triangulate the location of a gunshot
• Cloud Walk’s AI technology seeks to predict if a person
will commit a crime through facial recognition and gait
analysis.
Predicting Crime
• Attempts to forecast when and where crime will occur.
Tacoma, Washington, implemented Predpol in January,
2013, it saw a 22 percent decrease in residential
burglaries within two years
• https://www.washingtonpost.com/apps/g/page/world/how-the-nsa-is-tracking-people-right-
now/634/?noredirect=on
• https://medium.com/qadius/improving-law-enforcement-intelligence-gathering-and-use-with-open-
source-intelligence-osint-and-9dbe64a1f9f9
19

20. E-Discovery
• https://www.runnersworld.com/news/a25924256/mark-fellows-runner-hitman-murder/
• https://blogs.findlaw.com/technologist/2017/02/the-tell-tale-pacemaker-man-charged-with-arson-after-
police-examine-pacemaker-data.html
• https://ediscovery.co/ediscoverydaily/electronic-discovery/tinder-date-murder-case-highlights-the-
increasing-complexity-of-ediscovery-in-criminal-investigations-ediscovery-trends/
20

21. Protecting
Your
Personal
Data
21

22. What You Can Do
1. Understand your threat profile
• Google yourself & your family, what information is out there?
2. Never ever ever reuse a password, use a password manager
3. Credit Freeze
4. Use social media thoughtfully
5. Opt out of any option to “share data”
6. Turn off Bluetooth and Wifi on your phone unless your in a
trusted location
7. Understand the risk if you give an application access to your PC or
phone
8. Use tools like PrivacyBadger when surfing the net
9. Think about the trade off when signing up for reward’s programs
10. Push back when asked for personal information “What do you
need that information for?”
11. Two-Factor Authentication
12. Request to have your data removed
13. Use a VPN
14. Use a VOIP number and have it forward calls and texts to your
cell number
15. Use burner numbers for things like Craigslist
16. Create separate accounts for the different type of email
• Financial
• Social Media
22

23. How Many of Me ?
23

24. https://knowem.com
• https://cybersecurityventures.com/407-women-in-cybersecurity-to-follow-on-twitter-crowdsourcing-
more-names/ [cybersecurityventures.com]
24

25. Follow The Privacy Workbook
https://www.lifewire.com/remove-personal-information-from-internet-3482691 [lifewire.com]
25

26. DeleteMe
https://joindeleteme.com/privacy-protection-plans/
Privacyduck
26

27. Podcasts, Sites, & Books
• Michael Bazzel’s Site https://inteltechniques.com
• Troy Hunt https://haveibeenpwned.com/
27

28. Topics Next Session
• What is a Puppet?
• BCI Attack Surface
• OSINT and Third Party Vendor
Management
• Tools and turning OSINT into
Business Intelligence
• OSINT and Legal Considerations
28