Presented at the Ohio Information Security Summit, October 30, 2009.
What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable: it can help an organization proactively identify information that may damage your brand and reputation, and help mitigate leakage of confidential information.
This presentation will cover the risks to an organization from publicly available open source intelligence, how your enterprise can put an open source intelligence gathering program in place without additional resources or money, and what free tools are available for gathering intelligence, including how to find your company's information on social networks and how metadata can expose potential vulnerabilities in your company and its applications. Next, we will explore how to get information you may not want posted about your company removed, and how sensitive metadata you may not be aware of can be removed or limited. Finally, we will discuss how to build an Internet posting policy for your company and why this is more important than ever.
3. Open source intelligence (OSINT) is a form of intelligence collection management...
...involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence.
- Wikipedia
9. “A brand is the personification of a product, service, or even entire company.”
- Robert Blanchard, former P&G executive
10. 5 things you will learn
• What is out there on your company?
• Metadata
• Removal of Internet postings, metadata
• Setting up a simple (cheap) monitoring program
• Building an Internet Posting Policy
11. What gets posted?
• Customer and Employee Complaints
• Exposure of Confidential Information
• Security Vulnerabilities
28. Finding Information on Social Networks
• Socnet Search Engines
• Maltego (Twitter/Facebook)
• RSS feeds/Google Hacks
• Google Alerts + Google Reader = WIN
• Manual Searching
• Facebook status updates
29. Socnet Search Engines
• Wink, Spock, Twoogle, Knowem, WhosTalkin (there are many more, see my blog post)
• Twitter Search
• Social Bookmark Sites
  • Delicious, StumbleUpon
• Don’t forget about photos/video!
  • Flickr Photo Search
  • YouTube and Vimeo Video Search
30. Maltego + Mesh = WIN
*Screen shot from the “Maltego and Twitter!” post on paterva.com
31. Searching Facebook
• Good: Maltego Facebook Transform (violates TOS) ** No longer working! :-(
• Better: Login and use the search! FB doesn’t make status updates public...yet.
• Best:
  • site:facebook.com inurl:group (bofa | "bank of america") = Groups
  • inurl:pages = Facebook Pages
  • allinurl: people "John Doe" site:facebook.com = Public Profiles
• Yahoo! Pipe for Facebook Groups: Facebook Discussion Board RSS Feed
• Create Google Alert(s)
32. Searching LinkedIn
• Similar to Facebook
• Google dorks
  • site:linkedin.com inurl:pub (bofa | "bank of america") = Public Profiles
  • inurl:updates = Profile Updates
  • inurl:companies = Company Profiles
33. Blogs and News
• Blogpulse, Technorati, IceRocket
• Social Mention (Search Engine for blogs, comments)
• Google/Yahoo News
37. What is Metadata?
• Metadata = Data that describes Data
• Catalog, index files, documents and more
• Often overlooked by:
  • Document/File Creators
  • Your Company
38. Why do we care?
• Can expose potentially vulnerable software/hardware in use! (client side attack)
• OS and version numbers
• Location information (GPS from smartphones)
• User names, naming schemes, file paths
39. Where do you find it?
• Microsoft Office Documents
• PDF
• JPEGs (photos)
• Other file types
47. Removing posts from the Internet
• Hard, but not impossible. Search Engine Cache FTL
• Submit request to Search Engines to remove (there are multiple)
• Legal team involvement, especially w/ socnets
48. Metadata Removal Techniques
• MS Office Documents
  • Office 2002/03: CMD Line app “Remove Hidden Data” (Offrhd.exe)
  • Office 2007: Document Inspector
• EXIFtool (photos)
  • Can be scripted to auto remove
51. What do you want to monitor?
• Impossible to monitor everything!
• Pick the most popular social networks, news sites, blogs, forums...
• Monitoring should be defined with your PR/Marketing groups!
52. Free Tools
• Yahoo! Pipes (mashups)
• RSS Feeds/RSS Reader
  Google Reader FTW
• Maltego (community version)
  Good for defining relationships, not automated
• Maltego for specific searching when you need “more details”
55. What works best?
• Assign someone! (someone in infosec, social media skill sets)
• Create RSS Feeds from identified sites
• Utilize Yahoo! Pipes, create RSS from pipes
• Monitor w/Google Reader
• Sites you can’t monitor automatically...determine manual methods.
Build this into your Incident Response Procedures!
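As an added example (not from the presentation), this Python monitor reads an RSS 2.0 feed of the kind a search alert or Yahoo! Pipe produces, keeps only the items that mention the brand, and tags them with the three risk categories from the "What gets posted?" slide so they can be routed into the incident response process; the brand name, the patterns and the feed content are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed company name and the terms the monitor watches for; adjust to your own brand
BRAND_TERMS = ("example corp", "examplecorp")
# One pattern list per risk category from the "What gets posted?" slide (all lower-case)
CATEGORIES = {
    "complaint": [r"\b(worst|terrible|scam|rip[- ]?off|never again)\b"],
    "confidential": [r"\b(confidential|internal use only|do not distribute|not for release)\b"],
    "vulnerability": [r"\b(sql injection|xss|default password|unpatched|exploit)\b", r"\bcve-\d{4}-\d+\b"],
}

def classify(text: str) -> list:
    # Return the categories whose patterns match; text is lower-cased to match the patterns
    low = text.lower()
    return [cat for cat, pats in CATEGORIES.items() if any(re.search(p, low) for p in pats)]

def scan_rss(xml_text: str) -> list:
    # Walk every <item> in the feed and raise an alert for brand mentions that hit a category
    alerts = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", "")
        text = f"{title} {item.findtext('description', '')}"
        if not any(term in text.lower() for term in BRAND_TERMS):
            continue  # chatter that does not name the brand is ignored
        cats = classify(text)
        if cats:
            alerts.append({"link": item.findtext("link", ""), "title": title, "categories": cats})
    return alerts

# Constructed sample feed; every post, URL and host name is made up
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>search: example corp</title>
<item><title>Example Corp is the worst</title><link>http://blog.example/1</link>
<description>Ordered in May, still waiting. Never again.</description></item>
<item><title>Q3 roadmap</title><link>http://forum.example/2</link>
<description>Found an ExampleCorp deck marked INTERNAL USE ONLY on a file share.</description></item>
<item><title>Login bug</title><link>http://board.example/3</link>
<description>example corp portal still ships with a default password for admin.</description></item>
<item><title>Nice weather</title><link>http://blog.example/4</link>
<description>Nothing to do with any company.</description></item>
<item><title>Example Corp opens new office</title><link>http://news.example/5</link>
<description>Press release.</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for alert in scan_rss(SAMPLE_FEED):
        print(alert["categories"], alert["title"], alert["link"])
```

The fifth item names the brand but matches no category, so it is a PR matter rather than an infosec alert; that split is the policy decision to make with Marketing/PR before the feed list grows.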
57. Define your Social Media Strategy
• Partner with Marketing/Public Relations/HR
• What is acceptable for employees to post?
  • At work/off work
• Employees have mobile devices, home computers!
58. Define what gets monitored?
• Difficult or impossible to monitor everything
• Determine with your partners what should be monitored
• Careful with policy conflicts!
61. Communicate to your employees!
How can you enforce a policy if employees don’t know about it?
62. Where to learn more?
• Great paper on Metadata (SANS Reading Room): “Document Metadata, the Silent Killer” - Larry Pesce
• Maltego Tutorials: Chris Gates, EthicalHacker.net
• My blog: spylogic.net
63. OSINT 3 Part Series
• All the details from this presentation!
• Part 1 - Social Networks
http://bit.ly/osint1
• Part 2 - Blogs, Message Boards, Metadata
http://bit.ly/osint2
• Part 3 - Monitoring, Social Media Policies
http://bit.ly/osint3
Editor's notes
How many of us as security professionals think of reputational issues in regards to the company brand?