It’s a recurrent trope in spy movies—a skilled secret agent infiltrates an organisation and gathers compromising data on its people and processes; information that can be used as leverage. Far from being limited to works of fiction, such intelligence gathering is more common in everyday life than you think, especially in this digital age.
For example, when companies seek to fill a position, their human resource division runs background checks on potential candidates, tapping information on job portals and even social media pages to make hiring decisions. Intelligence amassed from public and unclassified sources and analysed for a specific purpose—be it national security or corporate profiling—is known as open-source intelligence (OSINT). Depending on how the information is used, it can help or harm individuals and organisations.
Here are three things you need to know about OSINT, with tips on how you can identify and plug information ‘leakages’ about yourself and your organisation.
What are some key OSINT sources?
Traditional media remains one of the most accessible sources of public information. These include magazines and newspapers as well as radio and television broadcasts. Some governments and corporations may also put out unclassified datasets and reports for public viewing.
Importantly, following the dawn of the Internet, new media such as blog posts, digital newsletters and social media have emerged and quickly developed into an OSINT treasure trove. Not only is new media accessible from anywhere. It is also easily shared, which means that it enters the collective consciousness of the general populace more rapidly.
Why should you use OSINT?
OSINT can be used by companies to inform the hiring process. Law enforcement agencies could also use OSINT to identify and track security threats. In these contexts, OSINT is directed outwards.
However, organisations can also carry out OSINT on themselves to learn more about their online privacy and security landscape. For example, OSINT could help organisations uncover leaked credentials of high-value targets such as C-suite personnel. Employees may also inadvertently reveal their organisation’s IT assets on their LinkedIn profiles, perhaps even providing outsiders with details on the operating systems and servers used as IT infrastructure at their organisation. Similarly, developers may fail to keep application source code confidential.
Having an OSINT protocol in place could help plug these loopholes before they are exploited by hostile groups.
How do I perform OSINT?
Search engines and social media sites are perhaps the most straightforward means of carrying out OSINT. Simply by keying in the name of an individual or organisation, one can learn what the public knows about the said party.
To go deeper, organisations can use advanced search engines like:
Google Hacking Database
The Google Hacking Database (GHD) is a repository of custom Google search terms for files containing sensitive information such as usernames, vulnerable servers, and even passwords, also known as ‘Google Dorks’. Attackers can use this database to identify search strings that may uncover vulnerabilities and sensitive information on affected websites.
For example, the following search string would produce a list of directories within with directory listing enabled, and these files are publicly accessible:
**site: intitle:”index of”**
Hence, organisations may use GHD to check whether any of their sensitive information is inadvertently exposed via these custom search strings.
Wayback Machine
The Wayback Machine is a digital archive of the World Wide Web that stores snapshots of websites at various points in time over the course of history. Attackers may use it to gather compromising intelligence about an organisation through earlier versions of its websites.
Defensively, organisations may use Wayback Machine to ensure that no sensitive data exists in legacy editions of its webpages.
Sploitus
Sploitus is a search engine for publicly-available exploits for vulnerable software. Attackers may use these exploits to launch attacks against organisational assets.
On the other hand, organisations may use Sploitus to find out if exploits for the specific software versions they are using are publicly available. Organisations can then remediate these exploits to pre-empt a breach.
For example, if an organisation server is using Drupal 8.6.10 (a Content Management System, or CMS), a search in Sploitus could reveal if a public exploit exists to compromise the CMS.
HaveIBeenPwned
HaveIBeenPwned is a search engine for compromised email addresses. Anyone can use it to check if their email addresses have been hijacked for malicious purposes and identify which breaches the email addresses were involved in. If an employee learns that his or her email address has been compromised, they can be advised to change their passwords or to enable 2-factor authentication.
Hopefully, with the sharing of some of these basic OSINT tools, you can now leverage this knowledge to discover unexpected information you or your organisation might have leaked on the internet. Take action now to prevent vulnerabilities from being exploited.
This article was first published by the Government Technology Agency of Singapore on April 22, 2019. The opinions expressed in this publication are those of the authors. They do not purport to reflect the opinions or views of Bank of Singapore Limited or its affiliates.
Important information
This product may only be offered: (i) in Hong Kong, to qualified Private Banking Customers and Professional Investors (as defined under the Securities and Futures Ordinance); and (ii) in Singapore, to Accredited Investors (as defined under the Securities and Futures Act) and (iii) in the Dubai International Financial Center to Professional Clients (as defined under the Dubai Financial Services Authority rules) only. No other person should act on the contents of this document.This product may involve derivatives. Do NOT invest in it unless you fully understand and are willing to assume the risks associated with it. If you have any doubt, you should seek independent professional financial, tax and/or legal advice as you deem necessary.
Please carefully read and make sure that you understand all Risk Disclosures, Selling Restrictions, and Disclaimers. This document must be read together with the relevant Prospectus & Offering Documents &/or Key Fact Statement.
Disclaimer
This document is prepared by Bank of Singapore Limited (Co Reg. No.: 197700866R) (the “Bank”), is for information purposes only, and is not, by itself, intended for anyone other than the recipient. It may contain information proprietary to the Bank which may not be reproduced or redistributed in whole or in part without the Bank’s prior consent. It is not an offer or a solicitation to deal in any of the investment products referred to herein or to enter into any legal relations, nor an advice or by itself a recommendation with respect to such investment products. It does not have regard to the specific investment objectives, investment experience, financial situation and the particular needs of any recipient or customer. Customers should exercise caution in relation to any potential investment. Customers should independently evaluate each investment product and consider the suitability of such investment product, taking into account customer’s own specific investment objectives, investment experience, financial situation and/or particular needs. Customers will need to decide on their own as to whether or not the contents of this document are suitable for them. If a customer is in doubt about the contents of this document and/or the suitability of any investment products mentioned in this document for the customer, the customer should obtain independent financial, legal and/or tax advice from its professional advisers as necessary, before proceeding to make any investments.
The Bank, its Affiliates and their respective employees are not in the business of providing, and do not provide, tax, accounting or legal advice to any clients. The material contained herein is prepared for informational purposes and is not intended or written to be used, and cannot be used or relied upon for tax, accounting or legal advice. Any such client is responsible for consulting his/her own independent advisor as to the tax, accounting and legal consequences associated with his/her investments/transactions based on the client’s particular circumstances.
This document and other related documents have not been reviewed by, registered or lodged as a prospectus, information memorandum or profile statement with the Monetary Authority of Singapore nor any regulator in Hong Kong or elsewhere.
This document may not be published, circulated, reproduced or distributed in whole or in part to any other person without the Bank’s prior written consent. This document is not intended for distribution to, publication or use by any person in any jurisdiction outside Singapore, Hong Kong, or such other jurisdiction as the Bank may determine in its absolute discretion, where such distribution, publication or use would be contrary to applicable law or would subject the Bank and its related corporations, connected persons, associated persons and/or affiliates (collectively, “Affiliates”) to any registration, licensing or other requirements within such jurisdiction.
