I will be continuing the discussion about Open Source Intelligence (OSINT) and how it relates to information that companies unknowingly and willingly provide. In the previous article, I talked about what OSINT generally is, doing OSINT research professionally and for competition, usernames and email addresses. To expand on the definition of OSINT, the CIA describes it this way: “Information does not have to be secret to be valuable. Whether in the blogs we browse, the broadcasts we watch, or the specialized journals we read, there is an endless supply of information that contributes to our understanding of the world.” The definition further cites OSINT as being gathered from “the internet, traditional mass media (e.g. television, radio, newspapers, magazines), specialized journals, conference proceedings, and think tank studies, photos and geospatial information (e.g. maps and commercial imagery products).”
If a company has a web server, it is providing some OSINT. This server has an operating system, a web server application, a scripting language and some code. An attacker can use this information to determine which technologies to assess for vulnerabilities. Attackers do not want to “burn” a Windows IIS (Internet Information Services) vulnerability on an Apache or nginx instance running on Linux or UNIX, or vice versa. Taking the time to enumerate the technology helps the attacker remain stealthy. This is another reason to practice aggressive and holistic vulnerability management. In the case of Equifax, the Apache Struts vulnerability used to gain access in their 2017 data breach was accessible via the public internet. The specific vulnerability could also be enumerated using OSINT techniques on the public internet.
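The stack information described above is often handed out in a server's own response headers. The following is an added example (not code from the original article) of a check a defender can run against a copy of their own HTTP responses: it parses the header block and flags headers that name a product or a product plus version. The header list and the sample responses are constructed for this example.

```python
import re
from typing import Dict, List

# Headers that commonly reveal the software stack. This set is an assumption
# for the example, not an exhaustive catalogue.
DISCLOSING_HEADERS = {
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
}

# Matches a product/version token such as "Apache/2.4.29" or "PHP/7.2.3".
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header section of a raw HTTP response into a lowercase-keyed dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw_response: str) -> List[dict]:
    """Return one finding per header that discloses a product or a product version."""
    findings = []
    for name, value in parse_headers(raw_response).items():
        if name not in DISCLOSING_HEADERS:
            continue
        versions = VERSION_RE.findall(value)
        findings.append({
            "header": name,
            "value": value,
            "products": [f"{product} {version}" for product, version in versions],
            "severity": "version disclosed" if versions else "product disclosed",
        })
    return findings


# Constructed sample: a verbose default configuration.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed sample: version strings removed; the product name is still visible.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for finding in audit_headers(raw):
            print(f"  {finding['header']}: {finding['value']!r} -> {finding['severity']}")
```

Run it against saved responses from your own hosts (for example the output of `curl -sI`), and treat every "version disclosed" finding as something to remove in the server configuration; a bare product name is lower risk but still tells a reader which family of vulnerabilities to look at.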
The source (raw code) of websites can also provide valuable OSINT to attackers. When competing in the Social Engineering Capture the Flag (SECTF) at DEFCON 26, I was looking through my target company’s website and the source code for each page. I managed to stumble onto a page that not only included comments to explain why it was coded as it was (I am not saying commenting code is bad) but it also included a hard-coded popup box that provided the recipes for usernames and passwords on a per-role basis.
Combine this with the robots.txt file, which tells spiders from Google, Bing and other search engines what to index and what not to, and a malicious attacker can enumerate obscure websites, technologies, users and directories that other methods would not typically uncover, and do so without being detected. Yes, fuzzing and web directory enumeration tools like dirb, DirBuster and Nikto would uncover most of these assets, but they also create noise and afford defenders the opportunity to detect such activity.
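The two previous paragraphs describe information that sits in a site's own HTML comments and robots.txt. As an added example (not code from the original article), here is a small self-audit that a site owner can run over their own pages and robots.txt before publishing: it collects HTML comments and Disallow entries and flags the ones that contain terms a reviewer would want to look at. The keyword lists and the sample inputs are constructed assumptions for this example.

```python
from html.parser import HTMLParser
from typing import List

# Path fragments that suggest a Disallow entry is advertising something sensitive.
# Assumed list for the example; tune it to your own environment.
SENSITIVE_PATH_TERMS = (
    "admin", "backup", "old", "test", "dev", "staging", "internal", "private", ".git", ".sql", "config",
)

# Terms that suggest a comment carries something that should not ship.
SENSITIVE_COMMENT_TERMS = (
    "password", "passwd", "credential", "username", "todo", "fixme", "hack", "api key", "apikey", "token",
)


def audit_robots(robots_txt: str) -> List[str]:
    """Return Disallow paths that match a sensitive term (a blanket '/' is ignored)."""
    flagged = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path in ("", "/"):
            continue
        if any(term in path.lower() for term in SENSITIVE_PATH_TERMS):
            flagged.append(path)
    return flagged


class _CommentCollector(HTMLParser):
    """Collect the text of every <!-- --> comment in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())


def audit_html_comments(html: str) -> List[str]:
    """Return HTML comments that contain a sensitive term."""
    collector = _CommentCollector()
    collector.feed(html)
    return [c for c in collector.comments if any(t in c.lower() for t in SENSITIVE_COMMENT_TERMS)]


# Constructed sample robots.txt.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /
Disallow: /admin/
Disallow: /backup-2017/
Disallow: /images/
Disallow: /internal-tools/   # staging copy of the intranet
"""

# Constructed sample page with developer comments left in.
SAMPLE_HTML = """<html><head><!-- Build 42 --></head><body>
<!-- TODO: remove the default login helper before go-live -->
<!-- Temporary: admin username is first.last, password follows the role pattern -->
<p>Welcome</p>
</body></html>"""

if __name__ == "__main__":
    print("robots.txt entries to review:", audit_robots(SAMPLE_ROBOTS))
    print("HTML comments to review:", audit_html_comments(SAMPLE_HTML))
```

The point of the robots.txt check is that a Disallow line is a pointer, not a lock: anything listed there should be protected by authentication or removed, not merely hidden from crawlers. The comment check is the kind of thing that belongs in a pre-deployment pipeline step, where a flagged comment fails the build until someone looks at it.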
More sources of valuable OSINT are resume sites, career sites and job boards. People want to share what they have been working on in an effort to get hired into their next positions. Companies want to streamline the hiring process for prospective employees and only want resumes from qualified candidates, so they tend to post specific software, hardware, technologies and version numbers in job postings to let job seekers know whether they are skilled with that version. Instead of listing MacBook Pro laptops and the use of Oracle ERP version 12.2.4 in a careers page listing, a company could say something to the effect of “Employees are allowed to choose from high-end PCs, Linux laptops, or Apple systems” and “Competency: Experience with Oracle, SAP or other ERP system” with a note to HR to look for the word Oracle in resumes. I was able to enumerate the phone systems used by a target company because an employee had mentioned upgrading from Avaya to Cisco Phones (as well as the version of the Cisco VOIP software used) on his resume.
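The advice above, to publish a competency rather than a product and version, can be checked mechanically before a posting goes live. This is an added example, not code from the original article: it scans posting text for a capitalised product name followed by a dotted version number and reports each hit so HR can reword it. The regular expression and the sample posting are constructed assumptions; the pattern deliberately requires a dotted version (so "5+ years" is not flagged, but a bare "Windows 10" would also be missed).

```python
import re
from typing import List

# One to five capitalised words (the product), an optional "version"/"v",
# then a dotted version number such as 12.2.4 or 11.5.
VERSION_DISCLOSURE_RE = re.compile(
    r"(?P<product>(?:[A-Z][\w.-]*\s+){1,5})"
    r"(?:version\s+|v)?"
    r"(?P<version>\d+(?:\.\d+)+)(?!\w)"
)


def find_version_disclosures(text: str) -> List[dict]:
    """Return each product+version pair found in a job posting, with its matched text."""
    findings = []
    for match in VERSION_DISCLOSURE_RE.finditer(text):
        findings.append({
            "product": match.group("product").strip(),
            "version": match.group("version"),
            "matched": match.group(0).strip(),
        })
    return findings


def suggest_rewrite(finding: dict) -> str:
    """Offer the generic phrasing the article recommends in place of a specific version."""
    return f"Competency: Experience with {finding['product']} or a comparable system"


# Constructed sample posting with the kind of detail the article warns about.
SAMPLE_POSTING = (
    "Required: 5+ years administering Oracle ERP version 12.2.4 and "
    "Cisco Unified Communications Manager 11.5. Employees receive a MacBook Pro."
)

# Constructed sample written the way the article recommends.
GENERIC_POSTING = (
    "Competency: Experience with Oracle, SAP or other ERP system. "
    "Employees are allowed to choose from high-end PCs, Linux laptops, or Apple systems."
)

if __name__ == "__main__":
    for finding in find_version_disclosures(SAMPLE_POSTING):
        print(f"found {finding['matched']!r}; suggest: {suggest_rewrite(finding)}")
    print("generic posting findings:", find_version_disclosures(GENERIC_POSTING))
```

The check is intentionally simple: a product name without a version is not flagged, because the posting the article proposes still names Oracle and SAP. What it catches is the combination of product and exact version, which is what lets a reader look up known issues for that release.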
One source that companies have almost no control over is geospatial data, provided by mapping tools like Google Maps/Street View or Bing Streetside. The only control companies have here is the placement of doors, loading platforms, dumpsters and other things that could give an attacker a leg up. If these can be placed behind a fence or obscured from nearby roads and streets, it will be harder for attackers to case the facility from afar (where the security guards cannot see them). A simple pretext is to pose as the dumpster company and claim that there is an issue with the dumpster and that if the attacker is not able to inspect it, the company’s trash may not get picked up. If the attacker knows the vendor, they can dress up as an employee and use company lingo.
In conclusion, it should be evident that this information cannot be completely eradicated, unlike vulnerabilities in software, which can be patched. One of the main mitigation techniques is to educate all employees and periodically hire an organization to assess the company footprint. The reason I recommend hiring someone is that sometimes employee personal accounts will be scrutinized, and it is best for all parties if a third party parses the information and provides only the most relevant data to the company. From the company’s perspective, this avoids any possible betrayals of trust between the company and its employees.