Open Source Intelligence: The Web’s Dirty Little Secret
In recent years, a phenomenon known as Open Source Intelligence (OSINT) has steadily gained ground as a means to collect information on pretty much anyone connected to the Internet. Formally defined by the United States’ Department of Defense (DoD), OSINT is intelligence produced from publicly available information that is collected, leveraged, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement. This is not new: the intelligence community has long depended on publicly available information for a substantial portion of its operations.
What is emergent, and perhaps worrisome for the security- and privacy-conscious, is that with our private information floating around on the Web, new tools enable non-governmental entities, perhaps even criminal ones, to use these same techniques for their own needs. Two such data mining tools are FBStalker and GeoStalker, both of which were released by SpiderLabs at the 2013 HackInTheBox (HITB) conference in Kuala Lumpur, Malaysia. Other tools exist, but the scope of what these two provide is substantial.
FBStalker takes advantage of Facebook’s Graph Search functionality to extract any of the following information about an individual:
- Active times on Facebook
- The type of device being used
- Public status updates
- Geolocation information
- Other details
Disturbingly, the FBStalker tool allows for data mining and extraction without the need to befriend anyone. All that is required is an individual’s username. GeoStalker, on the other hand, data mines Twitter, Instagram, Flickr, and other social media networks to extract geolocation information (often embedded in shared images).
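On the defensive side, the geolocation embedded in shared images is usually the EXIF GPS directory inside a JPEG, and it can be detected and removed before a photo is posted. The following is an added example, not code from SpiderLabs or from the original article; the function names are hypothetical and the sample bytes are a constructed header-only JPEG skeleton.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag pointing at the GPS sub-directory
EXIF_ID = b"Exif\x00\x00"

def segments(jpeg):
    """Yield (marker, payload, raw) for each segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("malformed segment length")
        yield jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length

def has_gps(jpeg):
    """True if an EXIF segment's IFD0 holds a GPS directory pointer."""
    for marker, payload, _ in segments(jpeg):
        tiff = payload[6:]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if marker != 0xE1 or not payload.startswith(EXIF_ID) or order is None or len(tiff) < 10:
            continue
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\x00"))
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12 and struct.unpack(order + "H", entry[:2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG bytes with every EXIF APP1 segment dropped."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, payload, raw in segments(jpeg):
        pos += len(raw)
        if not (marker == 0xE1 and payload.startswith(EXIF_ID)):
            out += raw
    return bytes(out) + jpeg[pos:]

# Constructed sample: header-only JPEG skeleton (not a decodable picture).
_tiff = (b"MM\x00\x2a" + struct.pack(">IH", 8, 1)
         + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack(">IHI", 0, 0, 0))
_app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_ID + _tiff) + 2) + EXIF_ID + _tiff
SAMPLE = b"\xff\xd8" + _app0 + _app1 + b"\xff\xda\x00\x02\x00\xff\xd9"

if __name__ == "__main__":
    print(has_gps(SAMPLE), has_gps(strip_exif(SAMPLE)))
```

EXIF is only one carrier of location data: XMP packets can also hold location fields and are left untouched by this sketch.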
When the output of FBStalker and GeoStalker is consolidated with a forensics application like Maltego, a clear picture of an individual’s day-to-day life can be built up over time. This in turn has the potential to give cyber-criminals an advantage when developing targeted campaigns that use techniques such as social engineering, which rely on knowledge of an individual’s private or social life in order to be effective.
Plenty of other OSINT tools and tutorials about how to use them exist. While it would be impractical to encourage people to go offline to protect their privacy, it helps to raise awareness about the existence and growing use of data mining tools.