Many organisations and individuals are unaware of the variety and richness of information and data sources that are publicly available, and therefore of the many risks they could face as a result. Such open source intelligence may expose a company and its directors to litigation risk caused, for instance, by data leakage or unlawful disclosure of personal data. This article discusses the different risks of open source intelligence and points out how publicly available information can be used by criminals to help facilitate crime.
What is open source intelligence?
Open source intelligence (OSINT) refers to the collation of information from publicly available sources, for example the internet, press and media publications, public records or commercial sources which are accessible to the public for a fee. It also refers to data which is available online even when the data owner is unaware that it’s accessible publicly. An example of this is when a website is misconfigured or there is some other technical oversight which causes information to be directly or indirectly available to the public.
The gathering and analysis of OSINT has become highly specialised and is utilised by a broad range of professions including intelligence services, journalists, security professionals and academics.
However, OSINT is also routinely exploited by criminals and this is a risk that is often overlooked.
Bringing the use of OSINT to life
Earlier in 2021, an article published by the Global Investigative Journalism Network entitled “Interrogating China’s ‘Google Maps’ to Investigate the Xinjiang Detention Centers” suggested that sensitive locations, such as suspected internment camps and other industrial buildings, had been removed from the street level view of Baidu Total View, the Chinese equivalent of Google Street View.
The author suggested that sensitive areas had been purposefully obscured in Baidu Total View by a grey tile overlaid on the map image and hence the grey tiles themselves could be used to indicate possible locations of suspected internment camps.
This example demonstrates that OSINT can be a highly effective method of researching an issue or assessing a risk, but that the same freely available information can also be used in ways that the owner of the data did not originally intend.
Even online tools that most of us rely upon every day can be used to gather OSINT. For example, there is an entire subculture around Google’s search functionality, in which complex search terms (Google advanced operators) are structured to identify very precise pieces of information. Known in cyber security circles as “Google hacking” or “Google dorks”, this approach is used routinely to identify information that has been indexed by Google’s web-crawling technology and hence is openly available online, but often probably shouldn’t be. Examples include login details, passwords and indicators of technical vulnerabilities. Whilst Google hacking techniques are used by security practitioners to help identify potential IT control weaknesses, they also provide a treasure chest of information for a fraudster or cyber-criminal.
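One way for a site owner to check their own exposure to this kind of indexing, shown as an added example that is not part of the original article: the script below reads web server access logs and reports sensitive-looking files that were successfully served to a search engine crawler. The "combined" log format, the crawler names, the filename patterns and the sample log lines are all assumptions constructed for illustration.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [12/Mar/2021:09:14:09 +0000] "GET /backup/site.sql HTTP/1.1" 200 884213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.23 - - [12/Mar/2021:09:15:40 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.23 - - [12/Mar/2021:09:16:11 +0000] "GET /docs/passwords.xlsx?dl=1 HTTP/1.1" 200 20480 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.55 - - [12/Mar/2021:09:17:30 +0000] "GET /config.bak HTTP/1.1" 200 912 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Assumed crawler list; user agents can be spoofed, so treat hits as leads to verify.
CRAWLER_RE = re.compile(r"googlebot|bingbot|duckduckbot|yandexbot|baiduspider", re.I)
# Assumed patterns for content that should not be publicly indexable.
SENSITIVE_RE = re.compile(
    r"(\.(sql|bak|old|env|log|pem|key|kdbx)$)|(/\.git/)|(passw(or)?d|credential|secret)",
    re.I)


def crawler_exposures(log_text):
    """Return (path, crawler, status) for sensitive-looking paths served to crawlers."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        _ip, _ts, _method, target, status, agent = m.groups()
        bot = CRAWLER_RE.search(agent)
        path = target.split("?", 1)[0]  # ignore the query string when matching
        # Only 2xx responses matter: the crawler actually received the content.
        if bot and status.startswith("2") and SENSITIVE_RE.search(path):
            findings.append((path, bot.group(0).lower(), int(status)))
    return findings


if __name__ == "__main__":
    for path, crawler, status in crawler_exposures(SAMPLE_LOG):
        print(f"{crawler} was served {path} (HTTP {status}): restrict access and request removal")
```

Each finding is a file to take offline or put behind authentication, followed by a removal request to the search engine, since the indexed copy can outlive the fix.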
Even at a personal level, fraudsters who wish to identify personal data about an individual can look online at social media accounts such as Facebook, LinkedIn, Twitter or Instagram and build up a profile of an individual’s life that could subsequently be used to facilitate fraud or cybercrime. For example, this might include analysis of location tags on photographs on Facebook, Twitter and Instagram, which have in the past been used to map the movements of individuals who post frequently to social media platforms. Social media OSINT also includes other personal details, for example a mother’s maiden name or place of birth, which are routinely used to help authenticate an individual’s identity and are frequently harvested from online OSINT.
Some other examples of online information sources that can be exploited include:
- Jobsites which make jobseeker CVs available
- Genealogical websites which share family tree details
- IT vendors’ support webpages which make manuals containing default passwords available
For hackers who wish to identify vulnerabilities in a company’s IT security configuration or tailor phishing emails to individuals so that they contain genuine user information and hence look realistic, the exploitation of online OSINT is a key weapon in their armoury.
There are many other non-cyber related examples of OSINT being exploited for criminal purposes including:
- The monitoring of Automatic Identification System (AIS) locator signals of maritime traffic by pirates to identify the location of their targets
- Research on targets by terrorists and the identification of sources of equipment/supplies to make explosive devices
- The abuse of publicly available records and databases, for example harvesting company directors’ details, such as date of birth, residential address, signatures, and shareholdings
These and many other examples help illustrate the variety and richness of OSINT but also emphasise how important it is for an individual or a company to consider whether they are exposed to any risks as a result.
At the very least, they should be aware of what relevant OSINT is available and consider how that could expose them to criminal activity or risks that may impact their business objectives. OSINT may also expose a company and its directors to litigation risk caused by data leakage or unlawful disclosure of personal data.
OSINT risk is often overlooked, but as OSINT tools and techniques become more comprehensive and sources become more innovative and diverse, it’s incumbent on companies to recognise that criminals will also be able to harness its power.