From: David Perry (MKT-US)
Sent: Monday, August 02, 2010 11:00:58 PM
Subject: ::NEWSBANK:: Open Source Intelligence from DEFCON 18
PS---this is not MY (David Perry's) talk, that's just the title of the piece.
My DefCon 18 Social Engineering Skytalk
Finished up my skytalk on Social Engineering a bit ago and thought I would share some additional thoughts…
The overall theme of the skytalk was how to use open sources of information to both profile and social engineer users/targets/victims and I think it went quite well. Open source intelligence gathering (called OSINT) is defined by Wikipedia as:
Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or classified sources); it is not related to open-source software or public intelligence.
Although there are quite a few “sources” to use for this method:
- Media: newspapers, magazines, radio, television, and computer-based information.
- Web-based communities and user generated content: social-networking sites, video sharing sites, wikis, blogs, and folksonomies.
- Public data: government reports, official data such as budgets, demographics, hearings, legislative debates, press conferences, speeches, marine and aeronautical safety warnings, environmental impact statements and contract awards.
- Observation and reporting: amateur airplane spotters, radio monitors and satellite observers among many others have provided significant information not otherwise available. The availability of worldwide satellite photography, often of high resolution, on the Web (e.g., Google Earth) has expanded open source capabilities into areas formerly available only to major intelligence services.
- Professional and academic: conferences, symposia, professional associations, academic papers, and subject matter experts.
- Most information has geospatial dimensions, but many often overlook the geospatial side of OSINT: not all open source data is unstructured text. Examples of geospatial open source include hard and softcopy maps, atlases, gazetteers, port plans, gravity data, aeronautical data, navigation data, geodetic data, human terrain data (cultural and economic), environmental data, commercial imagery, LIDAR, hyper and multi-spectral data, airborne imagery, geo-names, geo-features, urban terrain, vertical obstruction data, boundary marker data, geospatial mashups, spatial databases, and web services. Most of the geospatial data mentioned above is integrated, analyzed, and syndicated using geospatial software like a Geographic Information System (GIS) not a browser per se.
My focus was on using Web 2.0 technologies, specifically Twitter, Twitter-based or enabled apps and Facebook as a way to gather info and intel on users to specifically target them for various social engineering-based attacks. Not “textbook” OSINT maybe as I have a very different goal but certainly in the vein… The sheer amount of actionable user information that is available on sites like these is mind-boggling if you know how to mine them and connect the dots. Gold mines of personal information on user trends, popular searches, favorite subjects, things users hate, things users love, etc., are all a click or two away for the social engineer or intel gatherer if you know the sites to hit. This is the very type of data a scammer, phisher or attacker would want to take their attack from broad and hopeful to targeted, precise and GUARANTEED.
If I, as an attacker, know my target to the point of likes, dislikes, political leanings, mobile platform most used, operating system most used, what they talk about on Twitter or Facebook, etc., the likelihood of that user clicking something I want them to (or engaging in a variety of actions I may want them to take) is assured. The ability to craft a specific message based on a target's Internet behavior profile is actually quite easy if you mine a few sites correctly.
Some of the sites I showed were:
- TwitScoop – Twitter Trending Info
- PicFrog – Twitter Image Searching
- Twopular – Popular Twitter Trends
- Trendistic – Twitter Trends (also gives tag percentages which are MONEY!!)
- hashtags – Twitter Tag Searches
- TwitterMap – Geo and Tag-based Global Twitter Maps
- OpenBook – Facebook Searches
- TinyURL – URL Shortener (allows customized shortened URLs which is MAGIC for hiding malware and other naughty bits!!)
- Bing – Create Geographic Twitter Mapping
These are most of the ones I showed but believe me there are tons of other related ones. It is not the sites themselves (or really even the data on them individually) but rather what users themselves are putting out there combined with a good intel analyst's (you could insert social engineer or scammer here as well) ability to mine these sites and develop some VERY detailed target/victim profiles.
Be conscious of what you share. Be responsible with what you post. It is NOT the bad guys' fault if they gather info their victims freely and mindlessly share. Take back the Internet.