Open Source Intelligence (OSINT)

Open Source INTelligence

Gabriele Zanoni @infoshaker

OSINT -‐ Fes+val ICT -‐ Sikurezza.org

SIKUREZZA.ORG

Index

Informa+on that we share

Introduc+on to OSINT

Tools and examples

The power of analysis

Summary


SIKUREZZA.ORG

InformaCon that we share


SIKUREZZA.ORG

Social networks expose our private and professional life…


SIKUREZZA.ORG

Companies expose their own informaCon…


SIKUREZZA.ORG

IntroducCon to OSINT


SIKUREZZA.ORG

OSINT

Open Source INTelligence is intelligence collected from publicly available sources.

[1] http://en.wikipedia.org/wiki/Open-source_intelligence

It’s not a tool , it’s not a website , it’s not with fee it’s not free…


SIKUREZZA.ORG

Why OSINT

In a world that changes rapidly we need to have high quality informa+on in the exact moment that we need it.


SIKUREZZA.ORG

What’s the value we get from OSINT

«You see? you hesitate. But as a captain, you can't. You have to act. If you don't, you put the en+re crew at risk. Now that's the job. It's not a science. You have to be able to make hard decisions based on imperfect informa+on. Asking men to carry out orders that may result in their deaths. And if you're wrong, you suffer the consequences. If you're not prepared to make those decisions, without pause, without reflec+on, then you've got no business being a submarine captain.»

Lt. Commander Mike Dahlgren U-‐571


SIKUREZZA.ORG

• What’s the need?

How can we use OSINT?

Raw Data

• Mailing List • Newsgroup • Chat • Pastebin • Blog

Preprocessed Data

• Journals • Publica+ons

Elaborated Data

• Researches • Reports • Analysis

Alerts in real time

Handling and Monitoring

of the situation State of the Art


SIKUREZZA.ORG

• What’s the need? • How to reach the scope?

Raw Data Preprocessed Data Elaborated Data

• Dedicated search engineers

• Keywords • Ad-‐hoc early warning systems

• Feeds from generic sources of informa+on

• “standard” monitoring systems

• Are available “when ready”

• Feeds from specialist sources

Ways to perform the searches

Alerts in real time

Handling and Monitoring

of the situation State of the Art

How can we use OSINT?


SIKUREZZA.ORG

Time VS Quality VS Efforts

TIME

QUALITY

Level of the effort

Volume of the data you

have to parse

Reliability Relevancy } Quality


SIKUREZZA.ORG

The InformaCon Search Process

Discovery

Selec+on

Formula+on

Delivery


SIKUREZZA.ORG

#HowToFail

•  Incomplete iden+fica+on of the sources • Not always structured data -‐> Are you searching in a library on in a bazar?

•  “Not easy to access” data -‐> methods and/or formats

• Too many info

«It refers to a hypothe.cal situa.on wherein an ass that is equally hungry and thirsty is placed precisely midway between a stack of hay and a pail of water. Since the paradox assumes the ass will always go to whichever is closer, it will die of both hunger and thirst since it cannot make any ra.onal decision to choose one over the other..» hbp://en.wikipedia.org/wiki/Buridan%27s_ass


SIKUREZZA.ORG

TOOLS AND EXAMPLES


SIKUREZZA.ORG

Analysis of a Web Site

• From the website to the people –  Owners –  Shareholders – Maintainers –  Etc…


SIKUREZZA.ORG

Who has registered a website


SIKUREZZA.ORG

An example


SIKUREZZA.ORG

Back in Cme


SIKUREZZA.ORG

Registro Imprese


SIKUREZZA.ORG

Finding people on Social Networks

Finding a nick: •  h^p://namechk.com •  h^p://www.namechecklist.com •  h^p://www.namecheckr.com


SIKUREZZA.ORG

Creepy -‐ h^p://ilektrojohn.github.io/creepy/

• A Geoloca+on OSINT Tool. Offers geoloca+on informa+on gathering through social networking plaiorms.

• Support: –  Flickr –  Instagram –  Twiber


SIKUREZZA.ORG

Image Analysis

• Where a photo has been taken ?

hbp://imageforensic.org


SIKUREZZA.ORG

Law and the metadata

“La proposta di legge di Gabriella Carlucci per “regolamentare Internet” è in realtà l’ennesimo goffo provvedimento “an+pirateria” mascherato da qualcosa d’altro. Del resto l’onorevole Carlucci si è faba in ques+ anni una vera e propria competenza in materia (dove competenza è termine da maneggiare con estrema prudenza). E comunque la proposta Carlucci liberamente scaricabile sul suo blog in formato .doc ha qualcosa di strano. Come ha notato Guido Scorza il computer sul quale il documento è stato scribo è intestato ad un certo Daniele Rossi di Univideo. Evidentemente un amico di Gabriella, omonimo del presidente della Unione Italiana Editoria audiovisivi.”

hbp://www.rigeneriamoci.com/i-‐metada+-‐e-‐lon-‐carlucci/


SIKUREZZA.ORG OSINT -‐ Fes+val ICT -‐ Sikurezza.org

SIKUREZZA.ORG

Why metadata are important

• You will discover the true authors of the documents • Or clues about if the documents have been shared with someone (e.g. the user that has saved the document)

• Verify if the document is from a certain company, person etc..

• Who is working in a company o for a specific company


SIKUREZZA.ORG

Finding Metadata with FOCA

hbps://www.elevenpaths.com/labs-‐tools-‐foca.html


SIKUREZZA.ORG

Foca and Foca Forensics

• Foca: it’s a tool to scan websites and download documents in order to extract metadata in those documents

• Foca Forensics: same as Foca, but it works on already downloaded data

• Download: • hbp://www.informa+ca64.com/foca.aspx

• hbp://www.informa+ca64.com/forensicfoca/


SIKUREZZA.ORG

Foca Forensics

Anonymous has leaked some data and you want to verify if the informa+on contained is true….

You have to download the data and scan it with Foca Forensics


SIKUREZZA.ORG

Shodan -‐ h^p://www.shodanhq.com/

• Shodan is a system able to index services and devices on Internet

• You can easily iden+fy Webcams, Web administra+on systems, vulnerable sorware (e.g. based on the sorware banner)


SIKUREZZA.ORG

Fbstalker -‐ h^ps://github.com/milo2012/osintstalker


SIKUREZZA.ORG

Maltego -‐ h^ps://www.paterva.com

Maltego is an open source intelligence and forensics applica+on. It will offer you +mous mining and gathering of informa+on as well as the representa+on of this informa+on in a easy to understand format.

A Maltego analysis can start from: –  A person name

–  A document

–  An email

–  A phone –  Etc..







SIKUREZZA.ORG

The power of analysis


SIKUREZZA.ORG

Nobody knows…together we know!


hbp://wisdomofcrowds.blogspot.it/2009/12/vox-‐populi-‐sir-‐francis-‐galton.html

SIKUREZZA.ORG

Who is using OSINT ?

“For the past three years, Elaine Rich and 3,000 other average people have been quietly making probability estimates about

everything from Venezuelan gas subsidies to North Korean politics as part of , an experiment put together by three well-known

psychologists and some people inside the intelligence community.”

“According to one report, the predictions made by the Good Judgment Project are often better even than intelligence analysts

with access to classified information, and many of the people involved in the project have been astonished by its success at

making accurate predictions.”

http://www.npr.org/blogs/parallels/2014/04/02/297839429/-so-you-think-youre-smarter-than-a-cia-agent http://www.goodjudgmentproject.com/



hbp://gizmodo.com/5947393/remember-‐youre-‐not-‐only-‐naming-‐your-‐pet-‐youre-‐also-‐securing-‐your-‐digital-‐future

There is a funny comic strip in which the father gives this advice to his son: “You should pay a-en0on while choosing your dog's name because it will be your security ques0on answer for the rest of your life!”

SIKUREZZA.ORG

Reality Check!

http://www.theguardian.com/technology/askjack/2008/sep/19/security.email


SIKUREZZA.ORG

How do you answer your security quesCons?

The scope is to op+mize the abacks making low noise. Info for password cracking: •  Girlfriend/wife name •  Pet name •  Date of Birth •  Sport teams •  Place of birth •  Addresses •  List of schools


SIKUREZZA.ORG

I know where you are…I know your password!

hbp://www.oversecurity.net/2014/02/27/casaleggio-‐bucato-‐la-‐password-‐usata-‐e-‐lindirizzo-‐della-‐sede-‐legale/


SIKUREZZA.ORG

Google Hacking #1 – The unexpected

Knowledge of Google Operators and how Internet or sorware work helps reach any informa+on


SIKUREZZA.ORG

Google Hacking #2 – Passwords from backups


SIKUREZZA.ORG

So you forgot to remove the geo-‐tag ?


SIKUREZZA.ORG

Shodan -‐ how to idenCfy the distribuCon of a vuln •  A recent vulnerability about a backdoor listening on port TCP/32764 in Linksys WAG200G (and also on some other devices) has been published

•  Using Shodan is possible to map the vulnerability

•  hbp://shodanio.wordpress.com/2014/01/23/quick-‐sta+s+cs-‐on-‐the-‐router-‐backdoor-‐on-‐port-‐32764/

•  hbps://github.com/elvanderb/TCP-‐32764


SIKUREZZA.ORG

Recorded Future Inc. -‐ h^ps://recordedfuture.com/

“is a sorware company based in Cambridge, Massachusebs, United States, and Gothenburg, Sweden, specializing in web intelligence and predic+ve analy+cs. Using what they call a "temporal analy+cs engine", Recorded Future provides forecas+ng and analysis tools to help analysts predict future events by scanning sources on the Internet, and extrac+ng, measuring, and visualizing the informa+on to show networks and paberns in the past, present, and future.”

“Both Google (on May 3, 2010) and the CIA have invested in the company, through their investment arms, Google Ventures and In-‐Q-‐Tel, respec+vely.”

http://en.wikipedia.org/wiki/Recorded_Future


SIKUREZZA.ORG

Event Analysis




SIKUREZZA.ORG

Analysis

“Pressure cooker bombs have been more commonly seen in Indian and Southeast Asian abacks than anywhere else. Recent reports out of India also suggest that the weapon has become a “fad” in militant camps along the Afghanistan/Pakistan border. In contrast, discoun+ng thwarted abacks such as the abempted aback on Times Square in 2010, the United States has experienced just one bombing with a pressure cooker, and that was back in 1976. There’s also lible to see in Europe during the last several years.”

http://analysisintelligence.com/terrorism/pressure-cooker-bombings-map/


SIKUREZZA.ORG

Summary


SIKUREZZA.ORG

Summary

• Pay aben+on to the informa+on we leave on Internet every day

• Internet usually contains the informa+on that we need

• Keeping in mind our goal we need to iden+fy the proper methods to extract the informa+on we are looking for


Thank you!


Gabriele Zanoni @infoshaker

Technology

Open Source Intelligence (OSINT)