SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
Key Takeaways
The SANS Webcast covers Open-Source Intelligence (OSINT) techniques and tools, including gathering information from social media, review sites, and other online platforms, with a focus on cybersecurity and data analysis.
Full Transcript
Thank You Carol really appreciate it and thanks everybody for attending I'm Michael Hoffman as Carol said and I am the seer there we go I am a certified sans instructor I wrote the SEC 487 ascent course for sans and I enjoy all things ascent in my free time I am looking at social media looking at how we can grab information transform it find interesting pieces and I think you're going to be really in you're gonna really enjoy some of the things that John and I have found today my website right there web Reacher comm has a whole bunch of links to different projects and things that I have done in the past you hi everyone thanks for joining us my name is John Turkish fan constructor I also helped some of the development for the new course and my background is a private investigator and researcher nowadays I am doing threat Intel work so doing a lot of OSINT for a long time and hopefully we can share some useful information with you today cool thanks John so John and I have been looking through social media platforms over the past couple of months while we've been planning this webcast and I don't need to show you all of the things that happen on social media I mean this is a really neat infographic here from the visual capitalist of everything that happens on social media in one internet minute it's amazing whether its number of YouTube videos uploaded or Facebook we push so much data up there to the Internet and you know John and I are aren't here to tell you that social media is bad or you should you know get off of it or if you're doing OSINT that it's going that you're going to you know find everything on social media but there are some neat places that John and I noticed people weren't necessarily looking or at least weren't publishing information on and some of these sites that we're going to talk about and show you today I think are going to be really neat for us to understand what kind of ocean and privacy implications they have now one of the things that I always mentioned in my classes is that there's kind of a relationship between your level of privacy and the amount of oceans we can gather as you increased privacy you decrease boats and opportunities less information is being released to the public and so it's harder to find information but conversely as you have more information that's published about you or that you publish out to the Internet through social media and other platforms opportunities to OSINT increase many many fold and your privacy of course decreases now this information is something that's kind of foundational to OSINT we know that the more information that's pushed out there we can grab it analyze it sometimes that information is is published not just about us not just from us but about us by our loved ones by our co-workers or by those people that are just we're interacting with on a date basis or something so John and I took a look at a bunch of different sites that have reviews and ratings as well as information about food and drink sites as well so some of the sites with food with reviews and ratings what we're looking here is more like the yelps the Trip Advisor's and some other places that have some interesting things that we can do from an ocean perspective yeah we're going to start here with Yelp which probably most of you are familiar with if you're not at the review site where people can put in reviews for restaurants and other businesses and talk about their experience there in this case we sort of randomly picked a user we were looking for someone that had a lot of reviews in this case it was a guy named Brent he's a Yelp elite which is sort of their one of their tutors for people to do a lot of reviews and as you can see here they've truncated his last name so we just have Brent be as far as identifying him but let's take a look at this and see if we can identify a little more information one of the things you could do is just take it name and some of the information from his you know reviews or what he says in his profile one of the other things that you might be able to do is an image search in this case that's what we did Mike if you can do dance that slide every okay so doing a simple google image search if you haven't done this before you have an option to do different kinds of searches in Google News images etc and other search engines also providing the searches such as being in this case we just took that image from the Yelp profile and we did a search with that that right on the first page came up with a set up for him on avvo.com which is a website of lawyers so immediately we have his last name here we have some other details like he's an attorney what kind of attorney where he's located at or at least was at that time as we move forward we'll see that he is no longer in Florida where he had been before so that's a little outdated but doing oceans sometimes you don't always get most of the information you have to work through it and analyze it going through his fo profile we also have a street address college she went to full name as I mentioned practice areas and a lot more details that we could continue to pivot from now that we have an address and a full name pretty simple to move around from that and here we have found his Facebook account again we've got more images here more friends of his more details from him on you know himself so just with a couple of quick clicks we've gone from this semi obfuscated name of a user on Yelp and now we've got Facebook account a lot of detailed information about him and before many of you start dropping off the call going oh this is another one of those reverse image search I can find a person thing just stay with us for a little bit because the reality is is that many times it's that simple it really is you know the users are publishing so much information now as John mentioned Brent is one of these Yelp elites one of these people that loves to geo locate themselves and submit reviews all the places that they're going to and so what John and I did was we we recognized that it was it's really easy to do the reverse lookups you look at their user names or other things across other sites so we've died and dived a little deeper or douve a little deeper and what we decided to do was look at his Yelp elite kind of posts and and look at what he was actually posting that content of it in fact what John did was he went through these posts that Brent in and he pulled out what date the post was made where the location was that they supposedly checked in the address the city state zip made this wonderful little spreadsheet for us to do on when we were analyzing it now right off the bat you can look at this spreadsheet and see there's some really interesting things going on here now I don't know if you're that's ever used Yelper I actually have used it but not from a review perspective from an ocean perspective and also from a hey where's a place to eat around here perspective but when you have somebody that's rating hundreds and thousands of restaurants and movie theaters and other things you start to see some interesting stuff for instance here we have lines one through seven we're all entered on 321 2018 now it's absolutely possible that he could have done that but when we started looking in the D column on 321 2018 he went ahead and reviewed a place in Orlando a place in Baltimore another place in a different city in Orlando a place in Bethesda Maryland another place in Florida and a place in Washington DC and then we have Cocoa Beach as well in Florida so so in that one day there were seven or eight different check-ins that he had where he reviewed different places now it is absolutely possible that Brent could have visited these places in the past written notes and from 321 he sat down he's like alright I'm gonna do all my Yelp reviews and he pushed him in but it's also possible that those are fake reviews or that those reviews are for places that he's never ever been or maybe he was asked to write them by the owners or by or maybe he was paid to write them those are kind of the questions that John and I asked ourselves as we started to look through this data and you know when we were looking through this data we figured out that well doing it in a in a non automated fashion while it was it proved valuable I'm putting that all in the Excel spreadsheet it was also time consuming and I know a little bit of Python so I volunteered to write something and what I did was I found that every single place that somebody reviewed on Yelp can't in the their rating or review was there as we see on the right-hand side we've got five stars on 9:30 2018 for the carving room on 300 Massachusetts Avenue Northwest Washington DC so we have a location I have a date I have their rating I also have the address what I found is that you could iterate through all of these different pages of reviews and the URL and that you see at the bottom of the screen there with wreck underscore page start equals 10 we could just iterate through and say well show me the records for that start at page and that start at record 20 record 30 record 40 and really simply you could iterate through all of the reviews that a user had had submitted and well if we're going to do that then we might as well write a tool right of course we should now I went ahead and created this github.com web breacher food and drink repository on github it's out there right now and what it does I've blacked out the whole Center where the user names are just to kind of protect a little bit of the anonymity of the the people we're looking at here but this is what the the actual tool does you run it you pass it a user idea Yelp user ID and it will go through and iterate through all of the locations that they have been then it takes each one of those addresses sends it off to Google via the Google API Google will then translate that into GPS coordinates and say oh you're looking at 300 Massachusetts Avenue in Washington DC that's GPS coordinate latitude comma longitude well once we have a whole bunch of latitudes and longitudes it's trivial to go ahead and take that and plot it on a Google map and then we can analyze it and what I found was really really interesting with this with these Yelp reviews I will caveat this when I first wrote this script I did it in a hacker technique you know hey I don't need to get an API key to Google or anything like that I'm just going to go ahead and scrape the web page and then make calls and it'll be fine well it didn't go fine and Google changed their API for geocoding such that you do have to sign up account and that's that's where you need that Google API key and if you go to the web Reacher Food & Drink github repository you'll see on the readme page that you do need to add the you need to sign up for a Google API key for the geocoding and also for the JavaScript map API as well and once you do that and go through that little hassle what you get is some really cool information about where that person has reviewed each one of these black dots on the map actually represents one of their check-ins one of their reviews we've also got a kind of a heat map thing going on here if you can see in the lower portion of the screen we have Florida and then in the upper right of the screen we see Washington DC there's a red circle around Florida for those of you they can see that indicating it more check-ins were in that area but then the map isn't just static let me go ahead and just run this quick video here that shows you what it's like when you actually zoom in you can see exactly where this person has checked in here we see that some places in Tampa but more places around Kissimmee and Orlando this is where he's checked in more often now we could then tie this to specific check-ins and and find out what he said about this place but really what I'm looking at at this point is the groupings of where he checked in you see the high high level of grouping right there in the middle this might be a place that he frequents maybe he works there maybe he lives in this area or just travels there a bunch and then if we zoom out we can go ahead up to Washington DC area and do the same thing and dive in there and see what places this person has frequented the one thing that I don't like about Yelp is that Yelp represents a one-time check-in so at one point in time somebody said I'm going to review this place and you know that's okay but it doesn't necessarily mean that that person's ever going to go back there so it's not a repeated type of activity but if we are looking for repeated act to I decided to take this exact same technique and then apply it to other applications other websites like rate beer comm rate beer comm has a really neat interface website this information is public and again if you've seen some of my other talks about how people are publishing their drinking activity publicly I still can't understand how people do this but people do so this person chadwick will just take for an example has a profile that's public and the URL to get to his profile is something like red rapier comm slash user slash and then a number 1 1 1 1 1 is not his actual user ID but here we actually see that this is the HTML version of the rapier comm page one of the things I always like doing is try to find out if there's another view of that page and sure enough there's a Ajax version or asynchronous JavaScript and XML version that doesn't have all those pretty icons and pretty fonts in there but it does give us all of the information in a way that's really easy to scrape using a Python script so what we did is the exact same type of thing and we see now the places where this person has checked in on rapier comm the exact same thing happens here we can see that he's got some activity in France we can dive in and we see that this person lives somewhere in the Triangle between Louisville Lexington and that's Cincinnati with most of the places that he's checked into for this for where he's drank beers in the Lexington I mean in the Cincinnati area we can even dive deeper and see which actual place he went to um in case we want to to do that so I was like well this is this is kind of neat um I you know let's let's go ahead and take this and revisit something that I had done before if those do they do you remember the untapped work that I did essentially with the untapped website the last 25 beers that somebody has drink now our public if their person if their profile is public so you can just type in on tap comm slash user slash whatever name and then you pull up their profile as I did here with Dean C in st. Louis Park Minnesota now you could see Dean C is one of those frequent drinkers he or frequent logger of his drinkers drinkers Wow good English Micah so we have on the left hand side 4380 total beers that this user has logged doesn't necessarily mean that he drank them but it does mean that he logged them if we go ahead and change that user URL a little bit and add the slash venues to the end of it what we now see is the aggregation of how many beers this user Dean C has drank or logged at a certain location so for the first one there steel-toe brewing at a certain location he first visited in the in March 15 2013 and most recently visited July 22nd 2017 is that useful from an ocean perspective oh absolutely now again this might not be accurate information there's nothing that says he has to visit a place in order to check in there but he's got 59 check-ins to this steel-toed brewing place and 41 at McCoy's public house and he's got 22 it's early so if we start grabbing that information and then doing that geocoding I of course have the untapped scraper script that's in a different repository on my github that also requires a Google API key but this is what it does it grabs that exact section of the URL the untapped com slash user slash whatever the user name is slash venues and by adding on the sort equals highest check in we can the most frequently checked in place at the top of the list so we get where they're more frequently visiting if you have the Google API key and added according to the readme that's on the site it will do the steel-toed brewing that address and it will geo code it to 44.94 whatever they're using that google api and of course if we have that we can find out where this person drinks more frequently the thing that I've done here is each one of these markers will tell you what the name of the place is and how many drinks they have logged at it so we can zoom in here to Minneapolis and we can see over here we got a red area to the lower left we've got places up here in Prospect Park 15 beers nine beers drank a couple places over here with 10 22 beers so this represents probably oh there's the 59 beers 14 and then finally the 41 beers so if I was to find try to figure out where this person most frequently hung out I would probably say in this Wolf Park area that's where they've logged more of the they're drinking and I have those numbers too because this person has public information on the Internet okay so earlier we had alluded to the idea that there might be people doing reviews for places they hadn't been or not saying that our initial example was doing that but that that is a possibility when you start seeing a bunch of reviews for different cities on the same day for example so we took a look into this and it definitely is a good bit of this going on out there there's a pretty good trade in it actually here on the slide we have fiber which is a site where people can basically offer offer quick jobs for you know for whatever sum of money they want to ask from random people it's a freelance marketplace basically and this guy's offering you know Google reviews and that sort of thing a lot of these actors are located outside the United States and it doesn't really matter they're not really going to visit these sites for example or you know if it's in Europe they don't have to be there right a lot of these reviews also there's two ways that you're looking at fake reviews right either you're a user that is maybe trying to find a good place to eat or maybe you're doing some OSINT and you're trying to track some people down there are some tells that you can find if people are doing these reviews and we'll go into that a little bit but you will find though is that there are a lot of services that will offer this and they'll just create users and they'll kind of earn them and do the reviews and then they'll set up some more there are websites out there that offer this service and sometimes it's pretty blatant like website you can see here on the slide sometimes it's not as obvious it may be presented a search engine optimization will get more hits and reviews on your site and it's not necessarily explained perhaps to the purchaser that they're buying fake reviews a lot of these reviews obviously recur a business that wants positive reviews they're trying to drive business to their establishment on the other hand you may also have reviews that are negative where people are trying to knock out the competition basically by giving bad reviews to other restaurants in their neighborhood or they might be competitive with for example those would probably be more likely to result in issues because the recipients of those fake reviews might bring those up with Yelp or someone else indicating that they might be fake reviews there are some forms out there as an example here on this slide that have a lot of this sort of activity going on people come on and say hey I need good reviews for this or offering to sell reviews or that website or you know it's all over the place it's very open market for this and this is kind of tied in with the search engine optimization where people are trying to try business to their sites and into their restaurants or others forms of business the false reviews are as I said sometimes very blatant about what they are selling you can see here this advertisement doesn't really make any pretenses about what it's doing but you may also find some some search engine social media services type organizations that are selling driving business to you getting you more clients so they may not necessarily be obvious stating that they are basically going to give you a bunch of fake reviews for your claim and obviously this is you know with your restaurants and hotels and businesses like that but this also extends to you know video views on YouTube and like some Facebook Instagram followers and all of those sorts of things you can ping advertisement here on that same form that we showed earlier and you know you can pretty much buy anything some of these are driven by what you would call account takeovers where people just take over accounts some of them they're essentially creating sock puppets and doing reviews or just following people on Twitter or whatever and some of them are essentially there's something called credit stuffing or credential stuffing where they automated li take login information from different breaches or leaked data and then they will run this against a twitter users and then they can take over a bunch of accounts and essentially run these if their own accounts they just take them over so you'll have that as a resource as well so this sort of some criminal activity going on here and there's quite a bit of it there's a real market for it there are people out there with businesses that don't mind doing some shady things to get their business going so one of the outcomes of this kind of is that you you do need to be careful about what you're getting either when you're doing ocean research does this user really a person are they really doing these reviews or just as a user of some of these review sites you you know have to be a little bit cautious about what is actually a good review it's not a good review there are some sites like fake spot comm where you can essentially take a restaurant or some sort of business from Yelp or product on Amazon and they've got an algorithm that detects okay this is a review by a new user they've only doesn't want to review ever it's a really glowing review it's a chance this is maybe a fake review someone manufactured this review and you can use some of those resources to test testing it out they're not perfect but they can give you an idea of what is happening with that review or that facility or service that has a bunch of review excusing bunch of reviews thanks John so we looked at those things we thought about how both centers many of us are already aware that there's a lot of false data on the Internet some of it is propaganda based where people are trying to sway our opinion some of them are trying to focus our money in certain places we there were some wonderful YouTube videos out there that show how in certain places in the world they will have banks of mobile devices and people get paid to go and submit 5-star ratings on each one of the devices to amp up the the Amazon rating of a certain product so this type of concept of paid for ratings is something that that we kind of know about however if you ask people out there in the world if you asked your mother father sister brother spouse children what do you use when you to know which is a good site or what do you use when when you look for a great product people say ratings I mean how many times have you or a co-worker gone to Yelp and looked for a rating of a restaurant you're like oh well it gets four-and-a-half stars on Yelp it must be good well what if that stuff is false you're making decision based upon erroneous information now the title of the talk is watching you eat drink and sleep and we thought how creepy would it be if we could actually watch people while they sleep and so we didn't do any of that stuff what we did do is look into other types of kind of vacation hotel and other type of travel sites and we found some stuff on Airbnb now before we get into Airbnb specifically we did look at a bunch of other travel sites as I mentioned everything from TripAdvisor to Zagat to other places and and what we found was a variety of I guess security was what I would call it we saw we found things like this this is these ratings on the slide here are from a cruise ship company and it's neat it says you know by air or sea I was a member of join in 2005 to reviews written but you can't get to by air or Seas profile to see their picture or when they made the reviews or what they were made it up so it might be that they've got some great security going on there and and this is a valid person but part of me thinks well if I can't tell that you're a real person how do I know that this site isn't just going ahead and manufacturing these reviews and posting them as members or something like that so my skeptical meter really kind of spikes on these things now shifting back to Airbnb we found some really interesting things there now if you've never used Airbnb where air bed and breakfast it's a place that you can use to find a home a condo an apartment in a different part of the world or in your local city that you can rent from somebody that owns it so if I have a place at the beach and I want people to go ahead and rent it while I'm not there I can put it up as a host I will be a host on Airbnb and guests can say oh I want to stay there and then they can come and pay me money and stay at my place now the neat thing that I found when looking through this was not necessarily that oh we can find this person from their picture we could Jada up there was really easy to find based upon the information that she provided in her profile picture and her profile just her the profile information but what we saw was we have a 2-way type of rating system here where Jada as the guest can rate the host and the host like Charlie in this picture can rate the guest and I was browsing through many of these comments and just looking at you know that kind of the Oh so-and-so it was a terrific guest they were so clean and neat and it got me started thinking you know hey Jada here went on a trip and stayed at Charlie's place in Wilmington North Carolina cool well she raided his place and then Charlie raided her and said hey Jada and Christian were perfect guests blah blah blah but what if Jada's husband is not Christian but Bob now Charlie doesn't know that he just says hey the two people I met I'm gonna put their names in here and what we see is we see this done a lot because these guests want to be personable they want to say that they know and understand who's staying at their place and so the comments from the hosts we're actually pretty interesting to read because that gives us a little bit more insight sometimes they would disclose Oh Jada and her family of four kids were just so adorable little Bobby was and they give us more information even though Jada probably didn't give him permission to do anything like that now of course Christian might be her husband or Christian might be her brother or whatever and I'm not saying that that Jada is cheating on anybody but the opportunity exists from an ocean perspective to scour the comments on some of these these homes sharing rating sites to find interesting information now while we were looking at Airbnb we found some other things that kind of made us remember something I don't know if you ever seen Josh Huff he's probably listening hey Josh well done there man josh has a website a blog at learn all the things net the URL is right there what Josh did was he looked at Facebook IDs none of those account those unique identifiers that say this person Micah Hoffman has this UID this account number and Facebook does this so that multiple people with the name Micah Hoffman can use the name Micah Hoffman you know it just for its records it uses that user ID or UID in order to figure out what content is tagged to which user what Josh did was he figured out from people's face Savur Suri's when those accounts were created to the month and the year and then he saw that there was a natural progression not linear as you can see in this graph here but there was a progression from oldest which had the lowest numbers for Facebook IDs to the most recent which had the largest numbers and if you look in Michael pizzelles ascent book that Josh links to in his blog Josh created a really neat chart that will tell you if you have a Facebook ID with this number or in this range it was probably created between this month and year so what John and I did while we were looking at this information is we kind of remembered that I did something like this back in 2015 with Strava with Strava I noticed that if I incremented a user ID which was just a number I could pull up somebody else's profile and sure enough if we do that here on Airbnb and we go to airbnb.com slash users slash show slash enter their user ID we might pull up Jada but if we change that number just increment it or decrement it we pull up somebody else's account and so one could wonder hey if we did that enough could we come up with our own chart of approximate dates when certain account user IDs or created and sure enough John and I were able to do that very very simply I will warn you this chart is not entirely accurate this is a ruff-ruff user mapping we took a very small sample and kind of mapped with the year they were they those user accounts were that were created in and we could do that because if you look at the image on the Left where it says hey I'm Logan u.s. joined in October 2017 so if you take that October 2017 along with Logan's actual Airbnb user ID then we can make this chart now this chart is very rough it's not exact at all but it kind of gives you an idea that you could because all of these Airbnb user IDs are pretty public you could grab a whole bunch of the user IDs and then make a very detailed chart to using your open source intelligence so we kind of did a shotgun approach of showing you a whole bunch of different areas whether it's Yelp reviews or whether it's Airbnb we kind of wanted to leave you with some overall impressions that we wanted to well that we wanted to share and and so you know from a perspective of a user and if we are going to use social media first off it really is your personal risk based decision now if you've heard me talk to other places you understand that I use this personal risk based decision all the time to refer to the fact that in your work many of you are doing cybersecurity or you doing cyber threat intelligence or you're doing other types of evaluation of data and then determining risk to a person to an organization or to something else this is business but we use social media when your family when your friends when your colleagues use social media you're also making that same type of risk-based decision of do I post this do I tweet this do i geolocate this do I rate this you're just doing it based upon or you're doing it with your personal information up for grabs so you have to decide what's what's comfortable for you to post what's comfortable for you to share on these sites now one of the other things that I wanted to just bring up briefly is that's some of these websites some of these social media sites you probably know them you can turn on some security flags that prevent people from getting access to your data you can submit those pictures but only people in your circles or only people that are in your friends list will go ahead and get access to it cool if you're limiting who can see it that in those posts and that's terrific but that doesn't mean that the platform itself isn't doing these types of analysis on your behavior and what you're doing so if you're sharing stuff on Facebook to only your friends Facebook may be looking at okay Facebook is looking at that data to determine what you're doing where you're going who you're doing it with and other platforms do similar stuff so one of the things I always try to help people understand is that limiting who has access to your data does not include that platform itself Twitter Instagram we vovk those platforms once you submit your information those system administrators many times those database administrators many times will have access to that data whether you say hey I want them to or not in the news recently we found things like Twitter said that their system administrators have access to read people's direct messages ah if their direct messages Y or other people who reading them it should just be between me and the other person that's reading the message but no they said that yeah their administrators do have access to read those messages and Facebook has done things like in 2013 they had a study that was actually published by two of their employees in a journal like a real peer-reviewed journal and it analyzed the censorship the self-censorship that Facebook users did so when you type a really ranty tweet ranty posting like oh I hate you Aunt Marge I can't believe you did this and but before you send it you delete it who it didn't go out but every single character that a person sends or types to Facebook they record and what they do is they store that then they allowed thirty-one million of those self-censored posts to be reviewed over 17 days with for some of their employees and theirs employees did some in front and did some analysis on that so we understand that these platforms many times are harvesting and analyzing our data obviously if your data is out there in the public sphere it can be scraped harvested downloaded archived analyzed we see this all the time with Twitter with Instagram just there are a huge bunch of other sites like Yelp like TripAdvisor that also provide opportunities for data gathering and analysis so if you're listening to this webcast as a person that uses social media some suggestions one use a pseudonym don't use Micah Hoffman well I please don't use Micah Hoffman I'll use my coffin but but what I would say is that if your name is Micah Hoffman pick a different name to do your Yelp reviews on up on Yelp reviews through so my Yelp account might be Bob Smith or something like that and as John showed you know consider not showing your face consider not uploading pictures of the front part of your face you can do other things like of your hand or other location or other things but that face is many times coming into play as more and more platforms are doing facial recognition as more and more platforms are analyzing who's appearing in what pictures at what date at what time so consider not showing or posting your face and then one of the other things is try not to provide your real hometown honestly this recommendation doesn't really come into play that much but I did one of these Yelp reviews as John and I were working on the the scripts and stuff in the talk I did one of the Yelp reviews for a person that said her hometown was Fayetteville North Carolina like cool you know on her Yelp profile says Viet view North Carolina and when I ran where she had reviewed she had not reviewed anything in the state of North Carolina all of her reviews were in Denver Colorado and so I thinking well yeah maybe she identifies as a person that was born in that state but realistically with the room with the the geolocation of these reviews of these beers that are drank or whatever it's pretty easy to see through where you might be located and then you know if you do want to use social media you might want to consider creating a fictitious person to you that you can use the platform as if I really want to use the untapped beer-drinking application I could create that Bob Smith account and log all my beers as Bob of course at some point somebody may be able to say wait a second you know this person was in this place and that place in this place huh I'm thinking that that's not Bob I mean if that might be Mike Kaufman so again make your own personal risk based decisions here to decrease or remove your proof in your social media profiles as you see fit so many of you online probably not listening to this just as the user of these sites but are doing ocean research or investigator of some sort so some of the things that we brought forth from our research here is aggregation of the data can be pretty useful if you're collecting information on somebody and you're just finding that they have reviewed a bunch of things on Yelp and then okay here's you know their user name has a picture of them and then just run off and go towards other things you might be missing some stuff there if you can collect all that information and put it together there might be some useful things that you can take out of that and following on that you might want to become familiar with some of the tools for collecting and storing these sorts of things whether that's doing some Python scripting using tools like mica has created that he has a github for getting familiar with you know secret like databases and how you can load information into those so you can really analyze some information would be a useful thing for you perhaps and also you can use some tools like data miner is a chrome plug-in that basically makes scraping some of these sites pretty easy you can create all the fields that you want to collect from a certain kind of a page like a yelp review and select you know this field this field this field this field pull those all out drop them into a CSV file or something that you can then manipulate and analyze so these are some of the things that you might need to look at doing if you're doing it regularly is collecting larger amounts of data then you know you're just going to put into your your report negative client you might collect a huge of volume of information if they're very active online if they have a lot of tweets for example if they you know do a lot of reviews or travel a lot on Airbnb you might find them and you can put this information together and maybe come up with improve use negative information also following up on our discussion of fake reviews what we saw with that initial yelp review from Brent where there were seven or eight reviews and all these different cities now that may have just been he entered the reviews for that date may also be that someone is putting reviews out there to obfuscate where they actually were or to you know spread some false information maybe it's a fake review happening for some monetary purpose but as you're aware it may not be truthful what is out there that you are seeing there could be other explanations it may not be specifically an attempt to fool you it may just be that this is when the person logged on and entered these reviews or whatever but you do need to keep in mind that some of this information out there might not be as exact as we would want when we're conducting an oceans investigation and it's a very important point John what I find is people are really enthusiastic about running tools if you look at the some of the stuff that comes through on the to the Twittersphere there are people that are saying hey look at this - look at that - look at this plug in look at that it's the analysis of that data that you collect that is so so important and that many people either do really well and get some amazing results out of or fall a little bit short and I think that for me that's where a lot of the the training a lot of the experience and a lot of the conversations I've had with a lot of my friends are because as you are exposed to more and more parts of ascent that are truthful that are not truthful that where you've seen things done you become more capable of deciding what alternatives might be actually out there for that data what other reasons are there and with that we've come to the end of our presentation with about ten minutes to spare I do want to do a quick plug this is this is sans and this is open source intelligence so I do want to do a quick for the sec 487 class that John and I are teaching it's six days and we've got a huge number of locations and there are more that are in the works I just couldn't fit them on the slide here including something that's really neat in February of 2019 we have an ocean summit which is one day of a whole bunch of talks just like this one by people that are leading OSINT experts in the in the in the world and they are going to be coming to Alexandria Virginia first a day and talking about ocean topics and with that I'd like to say thank you and open up the floor actually I like to turn this back over to Carol all right thanks for that great presentation we have quite a few questions already in the in the Q&A here so I'm going to jump in and get started first of all what was that site John mentioned with the algorithm to discover fake reviews okay sorry I we probably should have put that on the slide there it's called fake spot calm and there's a couple other sites like it but that's probably one of the better known ones and you can just go to that site and drop a link in for you know a restaurant on Yelp or if like I said a product on Amazon or you know TripAdvisor that's sort of thing and it'll run its algorithm on it and basically tell you 70% of these reviews look sketchy you know you might want to be cautious about taking all these reviews in good faith again fake spot com all right thank you are you finding that some of the social media firms are keeping information in other countries say that I don't know about that I don't know about where they would be storing the information I'm guessing that this is because some countries are more laughs with their privacy laws than others specifically thinking about probably GDP are but I don't I really haven't done any and done any research into where what countries places are storing information I did hear about some people some companies storing things in Ireland but I can't remember that John do you remember anything did you think I Roland has been a place because it's within the EU where where some large social media networks have been storing information but they you know they have very broad networks and data centers all over the world they if they can can have all this information a central location they'll do that but sometimes country laws restrict that so they may just keep that information if possible in one area what you probably do a whole talk on that sort of flowing here but I don't have exact answers for you on that but they do move your data around and they do have spaces specifically they where they will keep Shifa country or regional data hi thank you I'm gonna read this exactly as it's phrased they say is there a way to sort of you you're online click print sort of view you're online what print footprint yes there is sort of that means with just one I so yes keep one eye closed and just look at it sort of food now I think that the question is more is there an easy button method and I'll read into this is there an easy button method where you could visit one site and say hey tell me what I look like across all my social media and and the answer if that is the question is there are some places that will tell you they will do this from what I've seen many of them don't do it well there's some of the credit reporting agencies will say hey for an extra fee will will scour social media will look in the dark web for information about you about your accounts and I haven't really tested a lot of those but I know from my personal experience much of the information that we find when we're doing OSINT investigations is from that manual work yes we'll run tools but there's a lot of false positive checking in so it is intensive my suggestion actually John do you know of professional tools that people could use or anything like that no I think it really is kind of a matter of doing your own OSINT on yourself seeing what you come up with I don't think there's one central location and I do know from personal experience some of these you know like credit monitoring tools that monitor the dark web and stuff I don't put a lot of stock in those I think I got lured for one of those through one of my credit cards one time that was for some data leak from you know five years ago like great okay that's not really useful so I don't think there's a go-to location where you can do that I think you are better off just doing some of students on yourself and seeing what you come up with all right thank you what are some examples of how employers are using Osen to vet potential candidates I think I'm gonna gonna defer that like John said earlier in just a little bit ago that's like oh that's not the topics that we have talked about here and there's a whole bunch of information about that on on the Internet and other places I'd prefer to keep the topics that we talk about here focused on the the webcast for right now I don't know if this falls in the same category but they asked do you find that people with unusual names are easier to hunt than for example approximate John why don't you take this one yeah absolutely I mean if there's a very unusual name that that makes it much simpler to filter out the false positives if you have a Bob Smith or a Harry Jones you're quite possibly going to spend a lot of time filtering out the correct subject from other people with that name even if you have you know one city that you know they're in and can sort it by that you still are going to have a lot of people probably with that name and you're going to have the problem also of is this once you have information that seems valid being a hundred percent certain that that is actually the right person the subject of your search so doing research on people with uncommon names is certainly much simpler alright someone says if the unusual name is a real person correct yeah all right is there a way for a person to check whether a person like you guys is performing Oh sent on them for example your name is being searched several hundred times over two to three to two three days for example from my perspective there are a couple of platforms that will tell you what accounts are looking at your information for instance LinkedIn has the LinkedIn premium that you can get a thirty day trial for and you can see look these people are looking up my profile however if we as Oh sensors are aware of this what we'll do is we'll use a series of different sock puppet accounts or fake accounts or whatever to look at your account over those days so you won't necessarily see the same account hitting your account many different times you'll see up just a bunch of recruiters hitting your account and it looks kind of normal the the challenge with other account other platforms is that many times you don't have access to their data analytics they're what web pages are being hit most when I was doing the lookup of these Yelp reviews I wasn't even logged in as a valid Yelp user so it was just anonymous access and I don't think that many platforms give out that information to their their users all right thank you do you have a link to a good list of tools haha yes it's on the screen right now ww sans org slash SEC 487 we talk about all the tools all the best tools no don't talk about tools tools are just things we use it nobody says hey show me how to get the best list of forks and spoons we talk about how to how to get clay settings we talk about how to use those place settings to serve a meal or to consume a meal we talk about the recipes for making the food the the tools are a way to accomplish o --scent if you focus on learning the tools then you're missing the point of Osen which is that analysis of the data that was aggregated you can obviously go to Osen framework calm or tecna's eat calm or any one of these other web frameworks bruno more da now has one and there's a ton of these start me pages just search for them online do some OSINT to find these frameworks and there's a ton of tools in there but but don't want Osen bye-bye it by learning the tools that will gather it sorry for the rants it's it's one of my pet peeves john do you have ideas when where do people find tools i think you you gave some good go to and that was a very good point you know there's more to it than just running some tools there's this one all right thanks someone asks can you can you use this to find fake news John I'm sorry can you repeat that and you use this to find fake news ah well I don't know if you can use travel advisory and Yelp sites to find fake news you certainly could if you wanted to do some research with Twitter in some of these other platforms and find box and and try and find fake news but it's definitely outside the scope of what we're discussing with this webcast it absolutely can be done those are people that track the source stuff and thinks is the oesn't summit free the ocean summit is not free I'm not sure of the actual pricing but it is on if you go to sans org SEC 487 at the bottom of the page you'll see on February 26 in Alexandria you'll see the ocean summit you can click on that and head over to that the ocean summit page and check out what whatever sans has set the cost for you guys how can the contact information as well someone wants to reach out to you directly maybe already presented back hmm I don't think we did present that we've we provided our Twitter feed our Twitter handle that was on the front slide maybe we can go back to that so that done yeah personally question it a minute soon thank you all right while you're while you're pulling that up on the mountain the next question are there any services that can erase your digital footprint for example your social media presence so you could essentially start from zero John I think the best resource that I've found is Michael bezels a privacy workbook that
Original Description
Learn more about OSINT: https://www.sans.org/sec487
Ah vacations, walk-abouts, and holidays. Most people love getting away from work and the stresses of daily life. Coworkers look at sitting in the sun on beaches for a little rest and relaxation. Families head off to historical sites, camp grounds, or to amusement parks for entertainment. And OSINTers, we sit back and watch people "check-in", snap photos of their food, rate their wine, and share details inside hotel rooms. What a glorious time of the year!
Join John TerBush and Micah Hoffman, author of the new SEC487, Open-Source Intelligence Gathering and Analysis class, as they show how people collect and use food-ratings, images from reviews, and other information for OSINT and investigations.
Presenters
Micah Hoffman
Micah Hoffman has been working in the information technology field since 1998 supporting federal government, commercial, and internal customers in their searches to discover and quantify information security weaknesses within their organizations. He leverages years of hands-on, real-world penetration testing and incident response experience to provide unique solutions to his customers. Micah holds GIAC's GAWN, GWAPT, and GPEN certifications as well as the CISSP. Micah is an active member in the NoVAHackers group, has written Recon-ng and Nmap testing tool modules and enjoys tackling issues with the Python scripting language. When not working, teaching, or learning, Micah can be found hiking or backpacking on Appalachian Trail or the many park trails in Maryland. Catch him on Twitter @WebBreacher.
John TerBush
John TerBush works as a senior cyber threat intelligence (CTI) analyst serving multi-national enterprises in a variety of industries including finance, manufacturing, retail and energy. In this role he conducts open-source and dark web investigations, malware and traffic analysis, tracking of threat actors and their tactics, techniques and procedures, and many other tasks in order to pro
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from SANS Institute · SANS Institute · 57 of 60
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
▶
58
59
60
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
SANS Institute UK Cyber Academy
SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
SANS NetWars
SANS Institute
SANS DFIR NetWars
SANS Institute
Hack The Drone - SANS Cyber Academy UK
SANS Institute
SANS VetSuccess Immersion Academy
SANS Institute
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
The 2015 SANS Holiday Hack Challenge
SANS Institute
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
SANS VetSuccess Academy Overview
SANS Institute
SANS ICS Security Summit & Training 2017
SANS Institute
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
WannaCry recap, patches, and analysis
SANS Institute
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
SANS Data Breach Summit & Training 2017
SANS Institute
SANS Secure DevOps Summit & Training 2017
SANS Institute
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
SANS Institute
SANS Institute
ICS515: ICS Active Defense and Incident Response
SANS Institute
SANS Institute
SANS Institute
Introducing the NEW SANS Pen Test Poster
SANS Institute
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
SANS ICS Security Training, Munich, Germany
SANS Institute
SANS Automotive Summit Webcast
SANS Institute
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
SANS Security Operations Summit & Training 2018
SANS Institute
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
A Sneak Peak at the New ICS410
SANS Institute
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
Introduction to Linux
SANS Institute
Introduction to Malware Analysis
SANS Institute
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
SANS Webcast - Zero Trust Architecture
SANS Institute
SANS STX Cyber Range
SANS Institute
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute
More on: Tool Use & Function Calling
View skill →Related Reads
📰
📰
📰
📰
Australian Cyber Security Centre Issues Alert on Mass Exploitation of CMS Vulnerabilities
Dev.to · NetSecOpsIO
Malicious 'jscrambler' NPM Package Versions Deploy Cross-Platform Infostealer in Sophisticated Supply Chain Attack
Dev.to · NetSecOpsIO
This Week in Breaches: What HSIN and Accenture Teach Us About Life After the Break-In
Dev.to · Arashad Dodhiya
If I Had to Start From Zero in 2026, I Would Do This
Medium · AI
🎓
Tutor Explanation
DeepCamp AI