Presented at the Ohio Information Security Summit, October 30, 2009. What does the Internet say about your company? Do you know what is being posted by your employees, customers, or your competition? We all know information or intelligence gathering is one of the most important phases of a penetration test. However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information. This presentation will cover what the risks are to an organization regarding publicly available open source intelligence. How can your enterprise put an open source intelligence gathering program in place without additional resources or money. What free tools are available for gathering intelligence including how to find your company information on social networks and how metadata can expose potential vulnerabilities about your company and applications. Next, we will explore how to get information you may not want posted about your company removed and how sensitive metadata information you may not be aware of can be removed or limited. Finally, we will discuss how to build a Internet posting policy for your company and why this is more important then ever.

1. Enterprise Open Source
Intelligence Gathering
Tom Eston

2. Open source intelligence (OSINT) is a form
of intelligence collection management...

3. Open source intelligence (OSINT) is a form
of intelligence collection management...
...involves finding, selecting, and acquiring information
from publicly available sources and analyzing it
to produce actionable intelligence.
- wikipedia

4. What do the Internets say?

5. 18% had a data
loss event via blog
or message
board...
- Proofpoint, Inc. 2009 Survey

6. 18% had a data
loss event via blog
or message
board...
11% in 2008
- Proofpoint, Inc. 2009 Survey

7. 17%
experienced
data loss
related to social
networks...
- Proofpoint, Inc. 2009 Survey

8. 17%
experienced
data loss
related to social
networks...
12 % in 2008
- Proofpoint, Inc. 2009 Survey

9. “A brand is the
personification of a product,
service, or even entire company.”
- Robert Blanchard, former P&G executive

10. 5 things you will learn
• What is out there on your company?
• Metadata
• Removal of Internet postings, metadata
• Setting up a simple (cheap) monitoring
program
• Building a Internet Posting Policy

11. What gets posted?
• Customer and Employee Complaints
• Exposure of Confidential Information
• Security Vulnerabilities

12. Customer Complaints

13. Employee Complaints

17. FAIL

18. Exposure of Confidential
Information

19. What about
Vulnerabilities?

23. Things you wouldn't
expect...

25. Where does this
information get posted?
...and how to find it!

26. Social Networks

27. 300 Million Users
110 Million Users
40 Million Users
Grew 752% in 2008

28. Finding Information on
Social Networks
• Socnet Search Engines
• Maltego (Twitter/Facebook)
• RSS feeds/Google Hacks
• Google Alerts + Google Reader = WIN
• Manual Searching
• Facebook status updates

29. Socnet Search Engines
• Wink, Spock, Twoogle, Knowem, WhosTalkin
(there are many more, see my blog post)
• Twitter Search
• Social Bookmark Sites
• Delicious, StumbleUpon
• Don’t forget about photos/video!
• Flickr Photo Search
• YouTube and Vimeo Video Search

30. Maltego + Mesh = WIN
*Screen shot from the “Maltego and Twitter!” post on paterva.com

31. Searching Facebook
• Good: Maltego Facebook Transform (violates TOS)
** No longer working! :-(
• Better: Login and use the search! FB doesn’t make status
updates public...yet.
• Best:
site:facebook.com inurl:group (bofa | "bank of america") =
Groups
• inurl:pages = Facebook Pages
• allinurl: people "John Doe" site:facebook.com = Public Profiles
• Yahoo! Pipe for Facebook Groups:
Facebook Discussion Board RSS Feed
• Create Google Alert(s)

32. Searching LinkedIn
• Similar to Facebook
• Google dorks
• site:linkedin.com inurl:pub (bofa | "bank
of america") = Public Profiles
• inurl:updates = Profile Updates
• inurl:companies = Company Profiles

33. Blogs and News
• Blogpulse, Technoratti, IceRocket
• Social Mention
(Search Engine for blogs, comments)
• Google/Yahoo News

34. Document Repositories
• DocStoc
• Scribd
• SlideShare
• PDF Search
Engine

35. Message Boards
• Internet Forums (yes, even 4chan)
• Craigslist
• Full Disclosure Mailing List (vulnerabilities)
• Google Groups/Yahoo Groups

36. All your metadata are
belong to us...

37. What is Metadata?
• Metadata = Data that describes Data
• Catalog, index files, documents and more
• Often overlooked by:
• Document/File Creators
• Your Company

38. Why do we care?
• Can expose potential vulnerable software/
hardware in use! (client side attack)
• OS and version numbers
• Location information (GPS from
smartphones)
• User names, naming schemes, file paths

39. Where do you find it?
• Microsoft Office Documents
• PDF
• JPEG’s (photos)
• Other file types

40. Metadata is everywhere!

41. How do you find it?
• Google
• Document Repositories
• Wget to download photos
(many other tools)
• Your Company Website

42. Tools to analyze
Metadata
• EXIFtool (cmd line or GUI)
• Maltego
• Metagoofil
• Metadata Extraction Tool
• FOCA

43. Real World Example

46. Removing Internet
Postings and Metadata

47. Removing posts from
the Internet
• Hard, but not impossible.
Search Engine Cache FTL
• Submit request to Search Engines to
remove (there are multiple)
• Legal team involvement, especially w/
socnets

48. Metadata Removal
Techniques
• MS Office Documents
• Office 2002/03: CMD Line app “Remove
Hidden Data” (Offrhd.exe)
• Office 2007: Document Inspector
• EXIFtool (photos)
• Can be scripted to auto remove

49. Metadata Removal
Continued...
• PDFs: File -> Document Properties
• EXIFtool
• Many third-party tools! ($)

50. Setting up a monitoring
program

51. What do you want to
monitor?
• Impossible to monitor everything!
• Pick the most popular social networks,
news sites, blogs, forums...
• Monitoring should be defined with your
PR/Marketing groups!

52. Free Tools
• Yahoo! Pipes (mashups)
• RSS Feeds/RSS Reader
Google Reader FTW
• Maltego (community version)
Good for defining relationships, not
automated
• Maltego for specific searching when you
need “more details”

53. Yahoo! Pipes

54. Google Reader RSS

55. What works best?
• Assign someone! (someone in infosec,
social media skill sets)
• Create RSS Feeds from identified sites
• Utilize Yahoo! Pipes, create RSS from pipes
• Monitor w/Google Reader
• Sites you can’t monitor
automatically...determine manual methods.
Build this into your Incident Response Procedures!

56. Building a Internet
Posting Policy

57. Define your Social
Media Strategy
• Partner with Marketing/Public Relations/HR
• What is acceptable for employees to post?
• At work/off work
• Employees have mobile devices, home
computers!

58. Define what gets
monitored?
• Difficult or impossible to monitor
everything
• Determine with your partners what should
be monitored
• Careful with policy conflicts!

59. Cisco Example

60. Intel Example

61. Communicate to your
employees!
How can you enforce a policy if employees don’t know
about it?

62. Where to learn more?
• Great paper on Metadata
(SANS Reading Room):
“Document Metadata, the Silent
Killer” - Larry Pesce
• Maltego Tutorials:
Chris Gates, EthicalHacker.net
• My blog: spylogic.net

63. OSINT 3 Part Series
• All the details from this presentation!
• Part 1 - Social Networks
http://bit.ly/osint1
• Part 2 - Blogs, Message Boards, Metadata
http://bit.ly/osint2
• Part 3 - Monitoring, Social Media Policies
http://bit.ly/osint3