ZOMG OSINT Heaven - Stealing a Card vs a Life

Transcript

1. { ZOMG It’s OSINT Heaven Stealing a Card –vs– a

   Life

2.  Intro  This Talk  Quick Card Overview 

   Stealing a Card vs a Life (or Identity)  OSINT  What OSINT is Not  The Multiplier - OSINTernet  Case Study  Summary/Questions  Demo of Card Guessing Program Overview

3.  Tazz  Not representing any employer  Love, Fight

   & Play Hard  Contact details on last slide Intro

4. This Talk You think they want your card….. ……why not

   your life (identity)?

5.  14 - 16 digits  Industry + Vendor +

   Bank + Account + CheckSum  Permutations = nr  n = 10 options (0-9)  r = unknown numbers  Reduce the Stolen Card possibilities:  Validation = Luhn Algorithm  CVV isn’t required The Card: It’s really this easy…

6. UserID Hobbies Official Data Social Media Photos Job/Family Your Life:

   it’s really this easy…

7. {OPSEC FAIL = OSINT HEAVEN Open Source Intelligence

8.  …Open Source INTernet  …The Dark Web  …Conducted

   with a Magic Button  …Something that requires expensive tools  …Something only the Gov’t does OSINT is NOT…

9. The Multiplier – “OSINTernet”

10. The Multiplier – “OSINTernet”

11. { Case Study From UserID & 1 post - to

    Full Profile

12.  Don’t break the law  STFU about what you

    do – nobody is going to jail for you  Be Safe – Don’t be a Hero  Immediately involve authorities if you’ve found something criminal WARNINGS & DISCLAIMERS

13. UserIDs & Google He! Oh My

14. Men & Their Money – in one forum  Posts

    have M/D/Y & time stamps!  Age  DOB Month & Year (based on DTG stamps)  Single/Dating  Self Employed  Petroleum Landman  Lives in Texas EMPLOYER & GOODIES
15. None

16. DOB = JUL (eom) 19XX AGE = 28 (can u

    math?)

17.  SEARCH BIG  Petroleum Landman  Self employed (keyword

    Independent)  RESULTS:  X within Y mi of Houston TX Linked In

18.  Eliminated anyone obviously older than 28  Eliminated females

     Eliminated lawyers and business owners (as stated in 20XX posts he was planning on opening a business but was not self employed)  Eliminated anyone “employed by”  Narrowed to “assoicated with”  Narrowed by college data  The 1 post w/ User ID identified his alumni  He’s 28-10yrs, means in college ~200X/Y Linked In – Narrow it Down

19. Name + DOB: JUL ?? 19XX Voter Registration Search =

    Name + DOB 31 tries and BINGO!

20. Online Search Source S for snoop? LinkedIn Name Age/Addy/Name Match

    • Phones! • New Addy = College • Hello FAMILY!

21. Puzzle Piece Source Forum User ID / Handle Twitter Post

    Forums UID + Google & Search Sites Age, Employment, Marital Status, Income, City, State, Sports Teams Forums Name, Current Employer Linked In DOB, Address Voter Registration Records Phone, Family, Former Address Online Search Source ! Haven’t Even Touched Facebook! Put It Together

22. SEARCH: Name & In Houston Data Overlap:  Photos 

    Family Members  Liked Sites  Travel Dates / Activities  ETC Facebook Comes Last!

23. From User ID to Full Profile

24.  Facebook is great, but there’s so much more 

    Twitter: @GRC_Ninja  Github: grcninja Summary / Questions UserID Hobbies Official Data Social Media Photos Job/Family