OSINT Part 3

00:00

Hello and welcome to another penetration. Testing, execution. Standard discussion. This is the third and final part of our ascent discussions, so let's go ahead and jump into our disclaimer. The Pee test videos do cover tools that could be used for system hacking.

00:16

Any tools discuss their used during the demonstrations should be researched and understood by the user.

00:23

Please research your laws and regulations in your given area when using such tools and ensure that you're not violating anything that could get you into trouble. So the objectives of today's discussion

00:36

are to discuss really individual ascent, and we're going to be looking at employee information, social networking profiles, Internet presence, mobile footprint and four pay information. Now, depending on the scope and scale of the engagement, some of this data may be off limits.

00:52

You also want to take into consideration any privacy protections in your given area that could be violated by accessing Are using this information for testing purposes?

01:00

So what is individual? Oh sent? Well, it is intelligence about the individual employees or the employee base, which is considered individual. Oh, sent this type of information again, should be carefully researched and understood to ensure no laws were violated in its use.

01:19

So let's jump straight in

01:23

to employee type data sets now.

01:26

This can include court records. So records that are all all public records related to criminal or civil complaints, lawsuits or other legal actions for or against a person or organization of interest. Political donations are individuals personal funds directed to specific political candidate candidates,

01:44

parties or special interest organizations,

01:48

and then professional licenses or registries. Professional licenses, the registries of repositories of information that contain lists of members and other related information of individuals who attained a particular license or some measure of specific affiliation within a community. All of this can be useful

02:07

when pretexting and doing

02:08

social engineering. Now

02:12

I know that in the United States at least court records, especially those that you'd have to pay for criminal records things of that nature are very sensitive and have to be treated and a certain nature. So you need to ensure that if you're collecting any public records

02:30

that you understand the statutes and limitations of the information that you're gathering, you don't want to get into any type of legal trouble or cause any type of legal trouble for your client because of a misuse of a court document.

02:44

Political donations can help you to understand maybe special interests or believes that a person may hold, which could be again beneficial in social engineering and pretexting, professional licenses and registration again common ground on a common understanding of information with a particular party or something that you both have in common

03:02

could be beneficial in social engineering and in those attempts.

03:07

Now we know that social networking profiles are wonderful beds of data. They can include things like metadata. They provide tone of the person, how they act and discuss different things frequency as far as how often they're on and what they're doing, their location awareness

03:28

and their social media presence. Overall,

03:30

I can give you kind of a personal profile of the target Thean vivid Jewel that you're trying to maybe give you get to give you access to a system or you know that you're trying to build trust with

03:43

again. All of this is going to be pertinent to the length of the engagement and the overall goal that the client is trying to achieve. But social network profiles linked in Facebook, Twitter instagram.

03:55

Things of that nature are hotbeds of data that can be used to your benefit. And again, you could really learn a lot about a person

04:04

and figure out some avenues for

04:09

attack. Or at least build a risk profile, maybe of the employee base. Maybe not so much to directly engage in social engineering, but to understand

04:18

what risks the employees have presented to the organization that he based on the type of data that they share on their social networking profiles are the types of information that they're releasing, too

04:30

the public, so that could be beneficial in understanding.

04:34

And overall Internet presence for the individual is also key here, so that can include email addresses, personal handles and nicknames, personal domain names that are registered to them, a sign static I. P. Information and network blocks.

04:51

This is probably getting more into private investigation type

04:56

things and stuff of that nature. But personal domain names registered to the individual could be, you know, a domain name that is similar to your business in that they may be looking to start a business of their own

05:10

handles and nicknames, or beneficial for searching message boards and looking for pseudonyms related to maybe technical staff members in an organization. Sometimes those air associate ID

05:19

with personal email addresses and things of that nature. So

05:25

understanding their Internet presence, um,

05:28

and the synonyms, nicknames and some of the things that they're using their could be very beneficial in collecting additional data about the target organization.

05:36

The mobile footprint.

05:40

Now, depending on the phone number device type, you know, that could be beneficial as faras What that would do that, how, how often they use it and how and how they use it in selling applications. And, um, you know, administration of that device again

05:55

being careful that we're testing against and looking for data related to

06:00

an employer owned device, I would

06:03

here on the side of caution, to collect information associated with a personal device. Again, this could be relevant if you're an investigator of some kind. But for those of us that are doing security testing and that things of that nature, we could end up in a lot of trouble by collecting private device information and collecting personal data.

06:24

And then we've got

06:26

four pay information, which is generally associated with some type of cost. So If you do like a full spectrum background check on a person, typically you have to have permission

06:35

to do that. And so I know that in the United States a person has to give you a written authorization to do so. So, you know, you may be able to get 1/3 party company to do kind of a collection of public records and information about a person. Maybe they've got, ah, way that they build profiles on individuals, but, um,

06:53

in the United States to get criminal background information, you'd have to have permission

06:59

four paid length in is beneficial and giving you some additional, like insights about the person or additional access to views or things of that nature, so that could be beneficial in that process. But those those types of accounts are typically pricey,

07:14

and then LexisNexis is kind of a collection of legal information. So if you're trying to look at laws, regulations or do additional types of research,

07:21

that could be beneficial as well. Now again, want to reiterate the use of private information, the use of personal information? Just you need to understand the limitations of that and ensure that you're not crossing any lines legally on Bennett's within scope

07:36

of the engagement. If any of the information is collected, like phone numbers, et cetera, and there

07:42

in the possession of the employer

07:45

and they are owned by the employer than

07:47

they could likely give you permission to, um, you know, collect information about that that devices use and how it's represented in the grand scheme of things as far as the Internet. But if it's personal devices, personal accounts always tread on the side of caution with what you collect him, how you use that information. So let's do a quick check on learning.

08:07

True or false, the tester should validate the use of personal devices by employees to ensure they do not violate their privacy.

08:18

Now, if you need to think about this for a second, pause the video and take some time to do so. We didn't really get deeply into personal device. Verse is employer owns device,

08:30

but we did mention over and over again that we want to ensure that we validate that the employee is not used in a personal device for business purpose, because

08:41

if we do not validate that it is a personal device, and we do some form of smashing or vision against the personal device, and we put

08:50

a payload on it. We skin personal information.

08:54

You know, we're now violating that person's privacy.

08:56

And so the tester should validate, um, the use of personal devices by employees to ensure that they do not violate their privacy and that we don't violate any applicable laws. So let's step into our summary for this discussion. So we discussed

09:13

individual oh sent a CZ faras information that would collect on employees

09:18

how we could use Social network profiles to understand the tone and ways in which the employees communicate with other parties. What kind of data are they sharing? What is their overall Internet presence, such as handles and nicknames that could be used to tie them back to message boards where we could collect

09:35

information about the organization, such as current issues or troubleshooting that maybe they've been doing

09:39

mobile foot printing is important when we're looking at Mobile device is owned by the organization. If we're looking at personal devices, we would need to be careful that we don't violate any walls. And then we discussed four pay information, such as professional background check. Service's LexisNexis is paid for lengthen

09:56

and other four pay service is that give you access to profiles or