Using OSINT for your personal threat model

Recently, I gave a workshop at the SANS Security Awareness Summit in London, where I showed how anyone can conduct a simple assessment of themselves using some basic OSINT.

In this post, I wanted to go a bit more in depth on that subject. Your adversary might be looking into you now. Do you even know what can be found online about you? And do you know what could pose a potential threat to you, your company, your assets or even your loved ones?

Maybe you read the news last year about how secret military bases can be mapped via an online sports app. Or, did you know about online databases such as haveibeenpwned or Dehashed that tell you if your or your company’s passwords have been compromised in a data breach?

I could point out dozens, if not more, online sources that might hold your confidential data, but instead of doing that, I would like to approach this from a different angle.

I like to call this self-assessment method being OSINT alert. Because in the end, it is all about what you (or someone else) have put online, which in turn can make you vulnerable in various ways.

It might be good to think about the following:

  • What can someone find out about me as a private person?
  • What can someone find out about me as a business person?
  • Are my friends and family aware that I might be a ‘desirable’ high-profile target because of my job, for example?

Example 1:

You post on your social media that you’re on holiday for two weeks.

Threat:

Your home is left without supervision – say hi to the burglar as criminals watch social media for information about their targets.

Posting online that you are on holiday or vacation is almost the same as giving a burglar your home keys.

Now, let’s make example 1 a bit more complex. Let’s say you’re a well-known US celebrity and you post that you will be traveling to a specific country. That specific country’s regime is not that fond of the US and its citizens.

Threat:

Your home is at risk because burglars might have seen your post on social media. But, since you’re a celebrity, you probably have a good alarm system, so the risk, in this case, is acceptable.

However, the country you’re going to travel to is home to radical groups that have seen your social media post and now track your online activity 24/7. You post another message stating that you will visit a certain bar in that country.

The group makes plans to kidnap you for ransom.

Or worse, the group makes plans to assassinate you while you are driving to the bar.

While these threats may seem distant or even unbelievable, in OSINT work we constantly see people post where they are, at what date and time, and with whom. In many areas of the world, mapping someone’s online persona to a physical home address is not hard, and if we can do it, people with bad intentions can do it, too.

Example 2:

Let’s say you are going through a divorce. You are a person who posts a lot about your activities on social media. You and your soon-to-be ex-spouse, whom we will call “Kelly”, have 2 young kids, maybe 6-10 years old. Kelly lives 2 blocks away from your home. You post that you are going to take a long bath while your 2 kids are playing in the back yard.

Kelly sees your post.

Threat:

Kelly can use this message to show, in court, that you may not be taking care of your kids.

Kelly now also has the opportunity to come over and take the kids while you are not watching.

Information posted to social media and other online sites can be used by anyone, including bad actors and also in court.

Example 3:

You work as a fairly high-level person at company x. One of your employees turns 50. You ask another employee to take a picture of the two of you standing in front of your office desk as you hand over a gift certificate for the birthday, and you post it to social media.

Threat:

The computers on the desk are on and the screens show potential phishers what operating systems and applications your company uses, which allows them to send you more targeted attacks.

The computer on the left has a sticky note with the WiFi network name (SSID) and password on it. Attackers can abuse this, either through social engineering or by gaining physical access to your office location.

The computer on the right has Microsoft Outlook (your work email program) open and, once we zoom in on that screen, we can see an email marked “confidential”. We can read the whole email.

Company policy requires you to wear your company badge visibly at all times. Since you were wearing your badge in the photo, bad actors can copy its design and produce a convincing replica to try to get into your company using social engineering techniques.

Conclusions

These are a few examples of situations that can pose serious threats to you, your loved ones, and your company. It doesn’t matter if you’re a celebrity, politician, CEO, or parent – these threats are real, and you might want to reconsider your online activity. Consider the following:

  • Is it necessary to post your sporting habits (running every Monday, for instance) online for everyone to see?
  • Be aware that taking pictures in certain areas of the company may be forbidden.
  • Do you need to make your cell number publicly available at all times?
  • Do you need to show the world your wealth and the valuable things in your home?

Ask yourself: do you make it easier for attackers and bad actors by leaving password hints and other pieces of critical information behind that could be used to crack your password or reset your account? This is almost the same as leaving the key hanging in your front door for anyone to get into your house or office. Looking at people’s social media timelines will give a bad actor enough information to guess the answers to common password-reset security questions, for instance:

  • What is the name of your high school? It’s on your Facebook!
  • What is the name of your pet? It’s on your Facebook and Instagram!
  • What city was your mother born in? It’s on her and your dad’s Vk.com profile!

This all might seem far-fetched to some, but these things happen every day.

My tips are to:

  • Assess yourself from time to time. Think about what indicators are online that can pose a threat.
  • Think before you post.
  • Maybe change some company policies to stay safer and more aware.
  • Maybe opt-out or remove information about yourself. Michael Bazzell has a good free guide on this subject matter here.
  • And above all, think about what the impact might be if and when your data becomes compromised.

If you want to learn more about sources or techniques to assess yourself and become more OSINT alert (or curious), take a look at our other blog posts or our webcast.


Blog written by: Dutch_OsintGuy, Lorando Bodo, and Micah Hoffman.