OSint – The journey begins

Happy New Year everyone (right got that out of the way), so this week I was presented with an opportunity to do a piece of OSint work. Now this is the first time I’ve done any “real” work of this nature, in the past I’ve only really used any OSint skills when it came to job interviews. Before attending an interview I do a little checking about the company, the people interviewing me and search for any clues about the company’s infrastructure that I can drop into the conversation during an interview. I’ve found it works quite well especially if I lack a detailed understanding of what a company does, I mean after all I work in Infrastructure so detailed product knowledge isn’t a key requirement for the majority of my roles.

So for this tasking I was not looking at infrastructure but at a person (not in a creepy stalker way either), I was provided with the following information:

  • Full Name
  • City
  • State

I was also given a list of objectives of what information was required and the “rules” of the game. There was only one rule, all the information had to be obtained from “free” sources, as in no paying for information on the numerous websites that offer detailed reports on people. Now I assumed tracking people would be a lot more difficult than hunting down infrastructure, I live in the UK and the few times I’ve looked the amount of personal information available online isn’t great unless you want to pay for it, however my target was in the USA so it was virgin territory for me.

So for the first 30 minutes or so it seemed like I needed more information about my target, but then it slowly started coming together. I’m not going to bore you with the details but in the end I think I spent a couple of hours looking around and ended up with a 6 page written report to submit. Some of the information I retrieved was as follows:

  • Target’s home address, property details and telephone number
  • Target’s current employer, LinkedIn profile, and a list of his connections (not obtained from his LinkedIn profile)
  • Target’s work email address (well 2 addresses actually)
  • Target’s age
  • Target’s high school

Then it got a bit more interesting/fun, using the initial information supplied to me, as well as his age and where he went to High School I was able to map his details to a list of possible relatives. From this I was able to locate his immediate family (including some of their current address details), Facebook profiles, photos, and various other bits of info.

So this is the actual point of this post, OSint is originally a military term which according to Wikipedia is defined as:

OSINT is defined by both the U.S. Director of National Intelligence and the U.S. Department of Defense (DoD), as “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.”

Outside of the military the only people I know of that engage in this type of activity are hackers/security professionals and private investigators (I’m sure there are more than that) and the purpose is different for each one.

However the thing that interested me the most was the amount of “private” data that is available online for free. In a world of terrorism, organised crime, online attacks and fraud can we really be this casual about letting this sort of information be so free and easy to collect?

Let’s expand on my OSint tasking, if I wanted to go further with my investigation what else could I have done?

So I know my target’s home address and work address, using this information I could plot the most likely method and possibly the route that the target would take to work. If it’s a 2 hour drive to work, then maybe a train? Which is quicker or cheaper? What are the current petrol prices in the area?

Does Google Street View give me an idea of the car he might be driving?

Does his house have wireless? Well wigle.net could help with that and then I could park outside his house and try and compromise his wireless network.

If he does have wireless can I obtain any information from places such as shodanhq.com? Is his wireless router vulnerable to attack? How much could an individual do from a computer half way around the world?

If I was intent on gathering as much information as possible then the paid reports available would provide much more information and to anyone willing to pay the $30 it might cost.

OSint is something that I’m going to be spending a lot more time on this year, in a weird (non creepy) way I enjoy the possibilities to see what you can find, which is only limited by your imagination and your patience. Watching the threads of information joining together to form a web of information is intriguing and scary at the same time.

So stay tuned for more..
