The talk will present the cornerstones of the process of searching for information by consulting publicly accessible sources. It will illustrate the theory behind this process, which involves identifying the sources, selecting and evaluating their informational content, and finally using the extracted information. The second part of the presentation will show the tools and methodologies for extracting information through the analysis of documents, photos, social networks and other often overlooked sources. Finally, systems able to correlate different pieces of information coming from open sources will be shown, and the related usage scenarios as well as the possible countermeasures will be discussed.
2. SIKUREZZA.ORG
Index
Information that we share
Introduction to OSINT
Tools and examples
The power of analysis
Summary
OSINT - Festival ICT - Sikurezza.org
7. It’s not a tool, it’s not a website, it’s not with fee, it’s not free…
OSINT
Open Source INTelligence is intelligence collected from publicly available sources.
[1] http://en.wikipedia.org/wiki/Open-source_intelligence
8. Why OSINT
In a world that changes rapidly we need to have high quality information in the exact moment that we need it.
9. What’s the value we get from OSINT
«You see? You hesitate. But as a captain, you can't. You have to act. If you don't, you put the entire crew at risk. Now that's the job. It's not a science. You have to be able to make hard decisions based on imperfect information. Asking men to carry out orders that may result in their deaths. And if you're wrong, you suffer the consequences. If you're not prepared to make those decisions, without pause, without reflection, then you've got no business being a submarine captain.»
Lt. Commander Mike Dahlgren, U-571
10. How can we use OSINT?
• What’s the need?
Raw Data
• Mailing List
• Newsgroup
• Chat
• Pastebin
• Blog
Preprocessed Data
• Journals
• Publications
Elaborated Data
• Researches
• Reports
• Analysis
Alerts in real time
Handling and Monitoring of the situation
State of the Art
11. How can we use OSINT?
• What’s the need?
• How to reach the scope?
Raw Data
Preprocessed Data
Elaborated Data
Ways to perform the searches:
• Dedicated search engineers
• Keywords
• Ad-hoc early warning systems
• Feeds from generic sources of information
• “standard” monitoring systems
• Are available “when ready”
• Feeds from specialist sources
Alerts in real time
Handling and Monitoring of the situation
State of the Art
12. Time VS Quality VS Efforts
[Diagram labels: Volume of the data you have to parse; TIME; QUALITY; Level of the effort; Quality = Reliability, Relevancy]
13. The Information Search Process
Discovery
Selection
Formulation
Delivery
14. #HowToFail
• Incomplete identification of the sources
• Not always structured data -> Are you searching in a library or in a bazaar?
• “Not easy to access” data -> methods and/or formats
• Too much info
«It refers to a hypothetical situation wherein an ass that is equally hungry and thirsty is placed precisely midway between a stack of hay and a pail of water. Since the paradox assumes the ass will always go to whichever is closer, it will die of both hunger and thirst since it cannot make any rational decision to choose one over the other..»
http://en.wikipedia.org/wiki/Buridan%27s_ass
16. Analysis of a Web Site
• From the website to the people
– Owners
– Shareholders
– Maintainers
– Etc…
23. Image Analysis
• Where has a photo been taken?
http://imageforensic.org
24. Law and the metadata
“Gabriella Carlucci’s bill to “regulate the Internet” is in reality yet another clumsy “anti-piracy” measure disguised as something else. After all, over these years the Honourable Carlucci has built up a real expertise in the subject (where expertise is a term to be handled with extreme caution). In any case, the Carlucci proposal, freely downloadable from her blog in .doc format, has something strange about it. As Guido Scorza noticed, the computer on which the document was written is registered to a certain Daniele Rossi of Univideo. Evidently a friend of Gabriella’s, a namesake of the president of the Unione Italiana Editoria audiovisivi.”
http://www.rigeneriamoci.com/i-metadati-e-lon-carlucci/
26. Why metadata are important
• You will discover the true authors of the documents
• Or clues about whether the documents have been shared with someone (e.g. the user that has saved the document)
• Verify if the document is from a certain company, person etc.
• Who is working in a company or for a specific company
28. Foca and Foca Forensics
• Foca: it’s a tool to scan websites and download documents in order to extract metadata in those documents
• Foca Forensics: same as Foca, but it works on already downloaded data
• Download:
• http://www.informatica64.com/foca.aspx
• http://www.informatica64.com/forensicfoca/
29. Foca Forensics
Anonymous has leaked some data and you want to verify if the information contained is true…
You have to download the data and scan it with Foca Forensics
30. Shodan - http://www.shodanhq.com/
• Shodan is a system able to index services and devices on the Internet
• You can easily identify Webcams, Web administration systems, vulnerable software (e.g. based on the software banner)
32. Maltego - https://www.paterva.com
Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in an easy to understand format.
A Maltego analysis can start from:
– A person name
– A document
– An email
– A phone
– Etc..
40. Who is using OSINT?
“For the past three years, Elaine Rich and 3,000 other average
people have been quietly making probability estimates about
everything from Venezuelan gas subsidies to North Korean politics
as part of , an experiment put together by three well-known
psychologists and some people inside the intelligence community.”
“According to one report, the predictions made by the Good
Judgment Project are often better even than intelligence analysts
with access to classified information, and many of the people
involved in the project have been astonished by its success at
making accurate predictions.”
http://www.npr.org/blogs/parallels/2014/04/02/297839429/-so-you-think-youre-smarter-than-a-cia-agent
http://www.goodjudgmentproject.com/
41. There is a funny comic strip in which the father gives this advice to his son:
“You should pay attention while choosing your dog's name because it will be your security question answer for the rest of your life!”
http://gizmodo.com/5947393/remember-youre-not-only-naming-your-pet-youre-also-securing-your-digital-future
43. How do you answer your security questions?
The scope is to optimize the attacks making low noise.
Info for password cracking:
• Girlfriend/wife name
• Pet name
• Date of Birth
• Sport teams
• Place of birth
• Addresses
• List of schools
44. I know where you are…I know your password!
http://www.oversecurity.net/2014/02/27/casaleggio-bucato-la-password-usata-e-lindirizzo-della-sede-legale/
45. Google Hacking #1 – The unexpected
Knowledge of Google Operators and of how the Internet or software works helps reach any information
46. Google Hacking #2 – Passwords from backups
47. So you forgot to remove the geo-tag?
48. Shodan - how to identify the distribution of a vuln
• A recent vulnerability about a backdoor listening on port TCP/32764 in Linksys WAG200G (and also on some other devices) has been published
• Using Shodan it is possible to map the vulnerability
• http://shodanio.wordpress.com/2014/01/23/quick-statistics-on-the-router-backdoor-on-port-32764/
• https://github.com/elvanderb/TCP-32764
49. Recorded Future Inc. - https://recordedfuture.com/
“is a software company based in Cambridge, Massachusetts, United States, and Gothenburg, Sweden, specializing in web intelligence and predictive analytics. Using what they call a "temporal analytics engine", Recorded Future provides forecasting and analysis tools to help analysts predict future events by scanning sources on the Internet, and extracting, measuring, and visualizing the information to show networks and patterns in the past, present, and future.”
“Both Google (on May 3, 2010) and the CIA have invested in the company, through their investment arms, Google Ventures and In-Q-Tel, respectively.”
http://en.wikipedia.org/wiki/Recorded_Future
53. Analysis
“Pressure cooker bombs have been more commonly seen in Indian and Southeast Asian attacks than anywhere else. Recent reports out of India also suggest that the weapon has become a “fad” in militant camps along the Afghanistan/Pakistan border. In contrast, discounting thwarted attacks such as the attempted attack on Times Square in 2010, the United States has experienced just one bombing with a pressure cooker, and that was back in 1976. There’s also little to see in Europe during the last several years.”
http://analysisintelligence.com/terrorism/pressure-cooker-bombings-map/
55. Summary
• Pay attention to the information we leave on the Internet every day
• The Internet usually contains the information that we need
• Keeping in mind our goal, we need to identify the proper methods to extract the information we are looking for