Over the past two quarters, we’ve focused upon the technologies and practices that help to establish (and maintain) an effective privacy posture. We’ve recommended ceasing almost all personal activity on social media. But the work of ensuring personal privacy cannot end there. Our adversaries are numerous – and they counter every defensive action that we take with increasingly devastating offensive tools and techniques. While the tools of data capture are proliferating, so are the tools for data analysis. Using open source intelligence (OSINT) tools, it is possible to transform vast piles of data into meaningful and actionable chunks of information. For this reason, our company has extended its security and privacy focus to include the understanding and the use of OSINT techniques.
Start At the Beginning
For countless generations, a partner was someone that you knew. You met them. You could shake their hand. You could see their smiling face. You knew what they could do. And you probably even knew how they did it. In short, you could develop a trust-based relationship that would be founded upon mutual knowledge and relative proximity. It is no coincidence that our spouses are also known as our ‘partners‘ as we can be honest and forthcoming about our goals and desires with them. We can equitably (and even happily) share the burdens that will help us to achieve our shared goals.
But that kind of relationship is no longer the norm in modern business. Most of our partners (and providers) work with us from behind a phone or within a computer screen. We may know their work product. But we have about as much of a relationship with them as we do with those civil servants who work at the DMV.
So how can we know if we should trust an unknown partner?
A good privacy policy is an essential starting point in any relationship. But before we partner with anyone, we should know exactly how they will use any data that we share with them. So our first rule is simple: before sharing anything, we must ensure the existence of (and adherence to) a good privacy policy. No policy? No partnership. Simple, huh?
That sounds all well and good. But do you realize just how much data you share without your knowledge or explicit consent? If you want to really know the truth, read the end user license agreements (EULA’s) from your providers. What you will usually find is a blanket authorization for them to use any and all data that is provided to them. This certainly includes names, physical addresses, email addresses, birth dates, mothers’ maiden names, and a variety of other data points. If you don’t believe me (or you don’t read the EULA documents which you probably click past), then just use a search engine and enter your name in the search window. There will probably be hundreds of records that pertain to you.
But if you really want to open your eyes, just dig a little deeper to find that every government document pertaining to you is a public record. And all public records are publicly indexed. So every time that you pass a toll and use your electronic pass, your location (and velocity) data is collected. And every time that you use a credit card is logged.
Know the difference between a partner and a provider!
A partner is someone that you trust. A provider is someone that provides something to/for you. Too often, we treat providers as if they were partners. If you don’t believe that, then answer this simple question: Is Facebook a partner in your online universe? Or are they just someone who seeks to use you for their click bait (and revenue)?
A partner is also someone that you know. If you don’t know them, they are not a partner. If you don’t implicitly trust them, then why are you sharing so much of your life with them?
Investigate And Evaluate Every Potential Partner!
If you really need a partner to work with and you don’t already trust someone to do the work, then how do you determine whether someone is worth trusting? I would tell you to use the words of former President Ronald Reagan as a guide: trust but verify. And how do you verify a potential partner? You learn about them. You investigate them. You speak with people that know them. In short, you let their past actions be a guide to how they will make future decisions. And for the casual investigation, you should probably start using OSINT techniques to assess your partner candidates.
What are OSINT techniques?
According to the SecurityTrails blog, “Open source intelligence (OSINT) is information collected from public sources such as those available on the Internet, although the term isn’t strictly limited to the internet, but rather means all publicly available sources.” The key is that OSINT is comprised of readily available intelligence data. So sites like SecurityTrails and Michael Bazzell’s IntelTechniques are fantastic sources for tools and techniques that can collect immense volumes of OSINT data and then reduce it into usable information.
So what is the cost of entry?
OSINT techniques can be used with little to no cost. As a security researcher, you need a reasonable laptop (with sufficient memory) in order to use tools like Maltego. And most of the OSINT tools can run either on Kali Linux or on Buscador (see below). And while some sources of data are free, some of the best sources do require an active subscription to access their data. And the software is almost always open source (and hence readily available). So for a few hundred dollars, you can start doing some pretty sophisticated OSINT investigations.
Protection Against OSINT Investigations
OSINT techniques are amazing – when you use them to conduct an investigation. But they can be positively terrifying when you are the subject of such an investigation. So how can you limit your exposure from potential OSINT investigations?
One of the simplest steps that you can take is to use an operating system designed to protect your privacy. As noted previously, we recommend the use of Linux as a foundation. Further, we recommend using Qubes OS for most of your public ‘surfing’ needs. [We also recommend TAILS on a USB key whenever you are using communal computers.]
Using OSINT To Determine Your Personal Risk
While you can minimize your future exposure to investigations, you first need to determine just how long of a shadow your currently cast. The best means of assessing that shadow is to use OSINT tools and techniques to assess yourself. A simple Google search told me a lot about my career. Of course much of his was easily culled from LinkedIn. But it was nice to see that a simple name search highlighted important (and positive) things that I’ve accomplished.
And then I started to use Maltego to find out about myself. I won’t go into too much detail. But the information that I could easily unearth was altogether startling. For example, I easily found out about past property holdings – and past legal entanglements related to a family member. There was nothing too fancy in my recorded past. While that fact alone was a little discouraging, I was able to find all of these things with little or no effort.
I had hoped that discovering this stuff would be like the efforts which my wife took to unearth our ancestral heritage: difficult and time-consuming. But it wasn’t. I’m sure that it would take some serious digging to find anything that is intentionally hidden. But it takes little or no effort to find out some privileged information. And the keys to unlocking these doors are the simple pieces of data that we so easily share.
Clean Up Your Breadcrumbs
Like the little children in the fairy tale, a trail of breadcrumbs can be followed. So if you want to be immune from casual and superficial searches, then you need to take the information that is casually available and start to clean it up. With each catalogued disclosure, you can contact the data source and request that this data be obscured and not disclosed. With enough diligence, it is possible to clean up the info that you’ve casually strewn in your online wake. And if the task seems altogether too daunting, there are companies (and individuals) who will gladly assist you in your efforts to minimize your online footprints.
Bottom Line
As we use the internet, we invariably drop all sorts of breadcrumbs. And these breadcrumbs can be used for many things. On the innocuous end of the scale, vendors can target you with ads that you don’t want to see. But at the other end of the scale is the opportunity to leverage your past in order to redirect your future. It sounds innocuous when stated like that. So let’s call a spade a spade. There is plenty of information that can be used for kidnapping your data and for “influencing” (i.e., extorting) you. But if you use OSINT techniques to your advantage, then you can identify your risks and you can limit your vulnerabilities. And the good news is that it will only cost you a few shekels – while doing nothing could cost you thousands of shekels.