Information Security: The Dark Side of OSINT

In 2015, an ISIS headquarters building in the Middle East was destroyed by US forces using location information found in a selfie posted on social media. According to USAF General Hawk Carlisle, airmen at Hurlburt Field, Florida, found an image posted online with a person bragging "...about command and control capabilities for ISIS." The photo’s background apparently gave away the location of the building, which was reduced to rubble by an air strike a mere 22 hours later.

In 2007, troops at a US base in Iraq took photographs of newly-arrived AH-64 Apache helicopters and uploaded them to social media sites. Little did they realize that insurgents were able to extract the location data (geotags) from the images and use it to launch an accurate mortar attack that destroyed four helicopters. US forces were subsequently warned that they should disable geo-location on their phones and avoid taking any photographs while in operational locations.
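The geotag leak described above comes from the GPS block that cameras and phones write into a JPEG's Exif metadata. The following is an added example, not code from the original article: a pure-Python pre-publication check that walks the JPEG marker segments, reports whether the Exif IFD0 carries a GPS sub-IFD pointer, and strips every APP1 segment so the image can be shared without location data. The sample image is constructed inline and is not a real photo.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 tag whose value points at the GPS sub-IFD

def jpeg_segments(data):
    """Yield (marker, start, end) for each marker segment up to the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xD9:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:            # SOS: entropy-coded data follows, stop here
            return
        pos += 2 + length

def exif_has_gps(data):
    """True if an APP1 Exif segment's IFD0 carries a GPS sub-IFD pointer."""
    for marker, start, end in jpeg_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        tiff = data[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"          # byte order from TIFF header
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            tag = struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            if tag == GPS_IFD_TAG:
                return True
    return False

def strip_app1(data):
    """Return a copy of the JPEG with every APP1 (Exif/XMP) segment removed."""
    out = bytearray(data)
    for marker, start, end in reversed(list(jpeg_segments(data))):
        if marker == 0xE1:
            del out[start:end]
    return bytes(out)

def build_sample():
    """Constructed minimal JPEG: SOI, APP1 Exif with a GPS pointer, SOS stub, EOI."""
    tiff = b"II*\x00" + struct.pack("<I", 8)            # little-endian, IFD0 at offset 8
    tiff += struct.pack("<H", 1)                          # IFD0 holds one entry
    tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)   # LONG, count 1, GPS IFD at 26
    tiff += struct.pack("<I", 0) + struct.pack("<H", 0)   # no next IFD; empty GPS IFD
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"
```

Stripping APP1 removes the whole Exif block (camera model, timestamps, thumbnails) as well as the GPS IFD, which is the safer default for anything posted from an operational location.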


What can we learn from these examples? And how does this apply to your life and your work? In a previous article, we discussed the power of Open Source Intelligence (OSINT) to help us find out all there is to know about a person, organization or issue of interest, at least as far as publicly-available data is concerned. Yet the above examples show us the other side of the OSINT coin, where critical information is inadvertently handed over to an adversary, with dire consequences.

Now consider the amount and the nature of the personal information that you share online, and how it might disclose more than you had bargained for. To put it differently, if a stranger was to search for you on Google, Facebook, LinkedIn and elsewhere, how much could they learn about you as a person, your family and friends, and your coworkers? Could they discover where you live? Where you work? Where you attended school? Your hobbies, interests and daily routines?

In 2019, a stalker managed to track down and sexually assault a young pop star in Japan after identifying a local train station reflected in the victim’s eyes in a selfie she posted online. According to reports of the incident, the attacker waited at the station until he saw his victim and followed her home.

From the business side of things, consider what information an outsider could glean about your company simply by looking at its online presence. For example, if they wanted to learn about the systems and software used by the company, job ads and employee resumes are a good place to start, as these often include a wealth of "insider" information. Once enough ads and resumes have been gathered and analyzed, a much more detailed picture may emerge.

The phenomenon of small bits of seemingly insignificant or unrelated data revealing a more vivid picture in aggregate is known as the "mosaic effect," and it is one of the key methods of intelligence gathering. The power and danger of this approach is that even anonymized data may become vulnerable to re-identification if enough datasets containing similar or complementary information are released.
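The re-identification risk described above can be made concrete with two datasets that are each harmless on their own. This is an added example, not part of the original article: a constructed "de-identified" health extract and a constructed public roll share the quasi-identifiers zip code, birth year and sex; joining on those columns names the patients whose tuple is unique on both sides, and coarsening the quasi-identifiers (generalization) is shown as the mitigation. All names and records are invented.

```python
from collections import Counter, defaultdict

QID = ("zip", "birth_year", "sex")   # quasi-identifiers shared by both datasets

# Constructed sample: a "de-identified" health extract (no names) and a public
# voter-style roll (names, no diagnoses). Neither alone names a patient.
HEALTH_RELEASE = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1962, "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1980, "sex": "F", "diagnosis": "migraine"},
    {"zip": "02139", "birth_year": 1980, "sex": "F", "diagnosis": "diabetes"},
]
PUBLIC_ROLL = [
    {"name": "A. Example", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "B. Example", "zip": "02138", "birth_year": 1962, "sex": "F"},
    {"name": "C. Example", "zip": "02139", "birth_year": 1980, "sex": "F"},
    {"name": "D. Example", "zip": "02139", "birth_year": 1980, "sex": "F"},
]

def qid_key(row):
    return tuple(row[c] for c in QID)

def k_anonymity(rows):
    """Smallest group of rows sharing one quasi-identifier tuple (k=1: unique)."""
    return min(Counter(qid_key(r) for r in rows).values())

def link(release, public):
    """Join on the quasi-identifiers; return {name: diagnosis} for everyone
    who is the only match on both sides, i.e. uniquely re-identified."""
    by_key, names = defaultdict(list), defaultdict(list)
    for r in release:
        by_key[qid_key(r)].append(r["diagnosis"])
    for p in public:
        names[qid_key(p)].append(p["name"])
    return {names[k][0]: v[0] for k, v in by_key.items()
            if len(v) == 1 and len(names[k]) == 1}

def generalize(rows):
    """Mitigation: coarsen zip to its prefix and birth year to a decade so that
    every quasi-identifier tuple is shared by at least two rows."""
    out = []
    for r in rows:
        g = dict(r, zip=r["zip"][:3] + "**", birth_year=r["birth_year"] // 10 * 10)
        out.append(g)
    return out
```

Records C and D survive the join only because two people share their tuple; the two singletons are exposed, which is exactly the effect each additional released dataset has.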

The Mosaic Effect, turning bits of data into useful intelligence

Another danger of the mosaic effect is that, given enough data points about a person (or an organization), certain undisclosed details may nonetheless be exposed or "predicted" using statistics and algorithms. One such example is the case of retail store chain Target, whose data analysis department used customer demographic data (much of which is available in the public domain) and purchase patterns to create a "pregnancy prediction" algorithm that could tell, with a high degree of accuracy, if a particular customer was pregnant and even predict her due date. In one case, Target discovered that a high-school girl was pregnant even before her family did.


Who's after your data, and why? The answer to the first question depends on who you are and what you do, but it is safe to say that a (partial) list of the usual suspects will include one or more of the following: government agencies, law enforcement organizations, terrorists, hackers, criminals, stalkers, insiders (e.g. disgruntled employees), competitors, marketers and advertisers, and the nosy. As to the why, the motives range from guarding national security to selling you chewing gum and socks, and everything in between, including hacking your personal data and accounts and stealing your identity.

What most people may not realize is that the first step of any cyber attack involves reconnaissance to collect as much information as possible about the target. In some cases, the reconnaissance is active, i.e. the attacker interacts directly with their target to gather information, but in many cases the reconnaissance is passive, seeking to collect information quietly from publicly available sources, i.e. using OSINT techniques and tools. It therefore stands to reason that the more information is made publicly available by a person or an organization, the easier it is for an attacker to gather and use it.

What can be done to minimize the risks? Cyber security is a multifaceted discipline that deals with protecting information at all times and from all directions. Data may be intercepted during transmission, such as when a hacker eavesdrops on a public Wi-Fi network, or while it is sitting dormant on a computer or in the cloud, such as when someone's computer or accounts are hacked.

Data could also fall into the wrong hands as a result of carelessness, such as when sharing sensitive or personal information on social media, or as a result of malice, such as when an employee knowingly leaks company information.

Anonymity (and security) is an inverse function of the number of bits of data you release into the world.

Each of the above examples represents one aspect of cyber threat which, in turn, is addressed by a particular security discipline. On the hardware and software side of the equation, Information Security (INFOSEC) deals with protecting information through secure storage and access procedures, while Communication Security (COMSEC) deals with protecting information in transit by using secure networks and safe modes of communication.

On the behavioral side, Personnel Security (PERSEC) focuses on the human factor and assessing the trustworthiness of people who have access to sensitive information, while Operational Security (OPSEC) focuses on the actions and common sense of the person who holds the data and who is in a position to decide if and what to share, and with whom.

Of all of these methods, the weakest link is often the human behavioral aspect, as can be attested to by the sheer volume of sensitive, potentially damaging information that people and organizations all over the world willingly and constantly release into the public domain. In order to mitigate this weakness and avoid becoming the next unwitting victims of cybercrime, people all over the world must be made aware of the risks and should learn how to defend themselves through a combination of regular security education and the adoption of good defensive habits.