Open source intelligence in cyberspace
The main objective of the intelligence effort is to provide the client with as much information as possible.
Open source intelligence (OSINT) – collecting information from open sources (press and electronic media, government-issued information, academic papers, open databases and so forth). OSINT is distinguished from classified intelligence sources. There is also semi-open source intelligence gathered through diplomatic channels, including ambassadors, military attachés, and others.
OSINT involves data processing, which includes location, selection, and gathering of data from public resources and analyzing it to produce useful military, political, or business intelligence.
OSINT includes a wide range of intelligence and sources of intelligence:
- Mass media – newspapers, magazines, radio and television.
- Internet communities – data created by internet users on forums, video clip storage sites, Wiki-based sites, blogs, etc.
- Public information – government reports and official information, such as budgets, demographics, minutes of cabinet and legislature meetings, press conferences, speeches, shipping and aircraft warnings, reports by environmental agencies, government tenders, etc.
- Observation and reporting – amateur aviation reports, reports by airwaves and satellite monitors, online satellite images, etc.
- Professional and academic sources – professional conferences and public symposiums, unions and associations, scientific literature, etc.
- Open geospatial information – maps, atlases, seaport and airport plans, aeronautical information, maritime navigation and geodesic data.
Creating intelligence from open sources, in contrast to general research, applies intelligence processes to open sources in order to produce reliable and precise intelligence that will support decision-making on specific questions posed by a person or organization.
Open source information is handled the same way as intelligence from other sources (such as secret sources).
In contrast to secret intelligence sources, intelligence produced from open sources has great value with regard to its technological aspects, with an emphasis on cyber defense, since defenders can use open source intelligence to identify and close existing loopholes and vulnerabilities in the systems for which they are responsible.
Links and additional reading material:
Israel Intelligence Heritage & Commemoration Center
Appendix – concrete example of open source intelligence in a real event
Hacking Team leak – 06/07/2015
“Moreover, it is our ESSENTIAL policy that under NO circumstances we confirm or deny allegations: our clients’ privacy and security are of the HIGHEST importance to us”
On Sunday, Hacking Team was hacked.
The attackers published a torrent file containing 400GB of internal documents, source code, and email communications, making it available to the public at large.
In addition, the attackers took to Twitter, defacing the Hacking Team account with a new logo and biography, and publishing messages with images of the compromised data.
- Implemented PC code to avoid AVG anti-virus
- Support call recording from:
o Google Talk
- They appear to have an “Android Exploit Delivery Network”, which seems to include a 4-stage Android exploit
- Flash 0-day (Chrome browser) – https://twitter.com/w3bd3vil/status/618168863708962816
- They have a file named “SELINUX_Exploit”
- “Network injection” – SBT solution
- “Exploit portal” – A way to transform web pages or files to exploits
- Social Engineering Toolkit
o Official website: https://www.trustedsec.com/social-engineer-toolkit/
- Kali Linux (formerly BackTrack): https://www.kali.org/
o Linux distribution with security testing tools.
- Network tools:
o Blog and Podcast.
- Other tools:
o Maltego: https://www.paterva.com/web6/
o Online intelligence tools: http://inteltechniques.com
o Nirsoft Windows apps: http://launcher.nirsoft.net
o Nmap: http://nmap.org/ (Network mapping tool).
o Ettercap: http://ettercap.github.io/ettercap/ (tool for man-in-the-middle attacks).
o Wireshark: https://www.wireshark.org/ (Network protocol analyzer).
- Exif and metadata:
o ExifReader: www.takenet.or.jp/~ryuuji/minisoft/exifread/english/
- Search engines:
- Specialized search engines:
o https://www.shodan.io/: PCs, webcams, IPs, geolocation…
o http://namechk.com/: Check a username in more than 150 services.
o http://knowem.com/: More services than NameCHK.
o https://www.tineye.com/: Similar to Google's image search.
- People searching:
o Metagoofil (https://code.google.com/p/metagoofil/): office document metadata (pdf, doc, xls, ppt, docx, pptx, xlsx).
o Libextractor (http://www.gnu.org/software/libextractor/): Supports more formats than Metagoofil but is less detailed.
o http://www.domaintools.com/: professional monitoring of domains and their registered holders.
o https://www.robtex.com/: reliability analysis and domain visits.
o http://www.my-ip-neighbors.com/: check which domains and services share an IP or server.
o GooScan (http://www.aldeid.com/wiki/Gooscan): automated Google searching.
o SiteDigger (http://www.mcafee.com/es/downloads/free-tools/sitedigger.aspx): from McAfee; like GooScan, but it also searches the Google cache and reveals vulnerabilities.
o OsintStalker (FBStalker & GeoStalker): collects information about a person from social network profiles.
o Cree.py: gets locations, dates, etc. from social network accounts.
o theHarvester: searches for information about people and companies using search engines and social networks.