
ZOMG OSINT Heaven - Stealing a Card vs a Life

Tazz
August 11, 2015


(Presented at BSidesLV 2015)
In the wake of continued "bragging" about obtaining a credit or debit card number via social media, this talk argues that the value of your card is far less than that of your entire persona. The speaker demonstrates how someone could take partially redacted sensitive data a user posted and build a complete profile of that individual using basic OSINT techniques.

Video: http://www.irongeek.com/i.php?page=videos/bsideslasvegas2015/mainlist/mainlist

(See the slides for the ToorCon 2015 San Diego talk for a more in-depth treatment of OSINT and threat intelligence:)
https://speakerdeck.com/grcninja/zomg-osint-heaven-what-no-magic-button



Transcript

1. Overview
   • Intro
   • This Talk
   • Quick Card Overview
   • Stealing a Card vs a Life (or Identity)
   • OSINT
   • What OSINT is Not
   • The Multiplier - OSINTernet
   • Case Study
   • Summary/Questions
   • Demo of Card Guessing Program
2. Intro
   • Tazz
   • Not representing any employer
   • Love, Fight & Play Hard
   • Contact details on last slide
3. The Card: It's really this easy…
   • 14-16 digits
   • Industry + Vendor + Bank + Account + CheckSum
   • Permutations = n^r
     n = 10 options (0-9)
     r = number of unknown digits
   • Reduce the stolen-card possibilities: validation = Luhn algorithm
   • CVV isn't required
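As an added example (not code from the talk, and not the card-guessing demo it mentions), the Python below works through the arithmetic on this slide: with r redacted digits there are n^r = 10^r raw candidates, and the Luhn check alone discards nine in ten of them, leaving 10^(r-1). It also splits a number into the fields the slide names, following ISO/IEC 7812 (first digit = Major Industry Identifier, first six = Issuer Identification Number, last = check digit). The mask character X, the cap on redacted digits, and the 4111 1111 1111 1111 input (a widely published Visa test number, not a real account) are assumptions of this example. The practical point for anyone posting a card photo is that blurring three or four digits is no protection at all.

```python
# Added example (not from the talk): how Luhn validation shrinks the search
# space for a partially redacted card number. Uses the well-known Visa test
# PAN 4111 1111 1111 1111; mask positions and the digit cap are assumptions.
from itertools import product
from typing import Dict, List

MASK = "X"  # placeholder for a redacted digit in the sample input


def normalize(pan: str) -> str:
    """Strip the spaces and dashes people type between digit groups."""
    return "".join(ch for ch in pan if ch not in " -")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check: from the right, double every second digit,
    subtract 9 from any doubled value above 9, sum everything, and require
    the total to be a multiple of 10."""
    digits = normalize(pan)
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_parts(pan: str) -> Dict[str, str]:
    """Split a full PAN into the fields the slide lists. Per ISO/IEC 7812 the
    first digit is the Major Industry Identifier (the slide's 'Industry'),
    the first six digits the Issuer Identification Number ('Vendor + Bank'),
    the remainder the account identifier, and the last digit the Luhn check."""
    digits = normalize(pan)
    return {
        "industry": digits[:1],
        "issuer": digits[:6],
        "account": digits[6:-1],
        "check": digits[-1:],
    }


def raw_candidates(masked: str) -> int:
    """n^r: 10 choices for each of the r redacted digits, before validation."""
    return 10 ** normalize(masked).count(MASK)


def luhn_candidates(masked: str) -> List[str]:
    """Enumerate every fill-in of the masked digits and keep those that pass
    Luhn. Both the plain and the doubled-minus-9 digit maps are bijections on
    0-9, so for any fixed choice of the other unknowns exactly one value of
    the last unknown digit satisfies the check: survivors = 10^(r-1) for r >= 1."""
    digits = normalize(masked)
    holes = [i for i, ch in enumerate(digits) if ch == MASK]
    if len(holes) > 8:  # assumption: keep the brute-force sweep small
        raise ValueError("too many redacted digits for an in-memory sweep")
    survivors = []
    for fill in product("0123456789", repeat=len(holes)):
        trial = list(digits)
        for pos, d in zip(holes, fill):
            trial[pos] = d
        candidate = "".join(trial)
        if luhn_valid(candidate):
            survivors.append(candidate)
    return survivors


if __name__ == "__main__":
    # Constructed sample: a test PAN with three digits redacted, the way a
    # "look at my new card" photo often blurs only part of the number.
    REDACTED = "4111 1111 1XXX 1111"
    found = luhn_candidates(REDACTED)
    print(f"raw candidates: {raw_candidates(REDACTED)}")
    print(f"Luhn-valid candidates: {len(found)}")
    print(f"original still in the set: {'4111111111111111' in found}")
    print(pan_parts("4111 1111 1111 1111"))
```

Run it as a script to see the 1000-to-100 reduction for three masked digits; every further redacted digit multiplies the surviving set by 10, which is why the slide lists Luhn as a reduction step rather than a defence. The issuer prefix being public knowledge is what makes the leading digits cheap to recover even when they are the ones blurred.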
4. OSINT is NOT…
   • …Open Source INTernet
   • …The Dark Web
   • …Conducted with a Magic Button
   • …Something that requires expensive tools
   • …Something only the Gov't does
5. WARNINGS & DISCLAIMERS
   • Don't break the law
   • STFU about what you do; nobody is going to jail for you
   • Be Safe; Don't be a Hero
   • Immediately involve authorities if you've found something criminal
6. EMPLOYER & GOODIES
   • Men & Their Money, in one forum
   • Posts have M/D/Y & time stamps!
   • Age
   • DOB Month & Year (based on DTG stamps)
   • Single/Dating
   • Self Employed
   • Petroleum Landman
   • Lives in Texas
7. LinkedIn
   • SEARCH BIG
   • Petroleum Landman
   • Self employed (keyword: Independent)
   • RESULTS: X within Y mi of Houston TX
8. LinkedIn: Narrow it Down
   • Eliminated anyone obviously older than 28
   • Eliminated females
   • Eliminated lawyers and business owners (as stated in 20XX posts, he was planning on opening a business but was not self employed)
   • Eliminated anyone "employed by"
   • Narrowed to "associated with"
   • Narrowed by college data
   • The 1 post w/ User ID identified his alumni
   • He's 28; 10 yrs back means in college ~200X/Y
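Slides 6 and 8 turn two things the target gave away for free, his stated age and the forum's post timestamps, into a DOB month and year and then into likely college years ("28, 10 yrs back"). As an added example (not from the talk), the Python below does that bracketing: each (post date, stated age) pair bounds the birthday to a one-year window, the windows are intersected, and a contradiction (a borrowed handle, or someone lying about age) shows up as an empty intersection. The post dates and ages are constructed, and the 18-year college entry age and four-year length are assumptions.

```python
# Added example (not from the talk): bracket a date of birth from the ages a
# person states in time-stamped posts, then derive the likely college years
# the slides work back to. Post dates and ages below are constructed.
from datetime import date, timedelta
from typing import List, Optional, Tuple


def shift_years(d: date, years: int) -> date:
    """Move a date by a whole number of years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def dob_window(post_date: date, stated_age: int) -> Tuple[date, date]:
    """Someone who is `stated_age` on `post_date` was born after
    post_date - (age + 1) years and no later than post_date - age years.
    Returns the closed interval [earliest, latest]."""
    latest = shift_years(post_date, -stated_age)
    earliest = shift_years(post_date, -(stated_age + 1)) + timedelta(days=1)
    return earliest, latest


def narrow_dob(posts: List[Tuple[date, int]]) -> Optional[Tuple[date, date]]:
    """Intersect the windows from every (post date, stated age) pair.
    Returns None when the statements cannot all be true of one person."""
    earliest, latest = date.min, date.max
    for post_date, age in posts:
        lo, hi = dob_window(post_date, age)
        earliest, latest = max(earliest, lo), min(latest, hi)
    if earliest > latest:
        return None
    return earliest, latest


def college_years(dob: Tuple[date, date], entry_age: int = 18,
                  length: int = 4) -> Tuple[int, int]:
    """Rough undergraduate span: DOB plus the usual entry age, four years
    long. Entry age and length are assumptions for the example."""
    earliest, latest = dob
    return earliest.year + entry_age, latest.year + entry_age + length


# Constructed forum posts: (timestamp of the post, age the poster claimed).
SAMPLE_POSTS = [
    (date(2014, 3, 10), 27),   # "27 and still renting"
    (date(2014, 11, 20), 28),  # "just turned 28 last month"
]

if __name__ == "__main__":
    window = narrow_dob(SAMPLE_POSTS)
    if window is None:
        print("stated ages contradict each other")
    else:
        lo, hi = window
        print(f"DOB between {lo:%b %Y} and {hi:%b %Y}")
        print("college roughly", college_years(window))
```

Two casual age mentions eight months apart are enough to pin the birth year and cut the month down to a nine-month span, which is the "DOB Month & Year" the slide reports; a third post a year later would narrow it further. The contradiction path matters in practice: it is the cheapest way to notice that two handles you are merging belong to different people.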
9. Age/Addy/Name Match
   • Online search source (S for snoop?) + LinkedIn name
   • Phones!
   • New Addy = College
   • Hello FAMILY!
10. Put It Together

    Puzzle Piece                                                       | Source
    Forum User ID / Handle                                             | Twitter post
    Forums                                                             | Forum UID + Google & search sites
    Age, Employment, Marital Status, Income, City, State, Sports Teams | Forums
    Name, Current Employer                                             | LinkedIn
    DOB, Address                                                       | Voter registration records
    Phone, Family, Former Address                                      | Online search source

    Haven't even touched Facebook!
11. Facebook Comes Last!
    • SEARCH: Name & "In Houston"
    • Data overlap:
      • Photos
      • Family members
      • Liked sites
      • Travel dates / activities
      • Etc.
12. Summary / Questions
    • Facebook is great, but there's so much more
    • Twitter: @GRC_Ninja
    • Github: grcninja
    (Diagram: UserID, Hobbies, Official Data, Social Media, Photos, Job/Family)