It’s a recurrent trope in spy movies—a skilled secret agent infiltrates an organisation and gathers compromising data on its people and processes; information that can be used as leverage. Far from being limited to works of fiction, such intelligence gathering is more common in everyday life than you think, especially in this digital age.
For example, when companies seek to fill a position, their human resource division runs background checks on potential candidates, tapping information on job portals and even social media pages to make hiring decisions. Intelligence amassed from public and unclassified sources and analysed for a specific purpose—be it national security or corporate profiling—is known as open-source intelligence (OSINT). Depending on how the information is used, it can help or harm individuals and organisations.
Here are three things you need to know about OSINT, with tips on how you can identify and plug information ‘leakages’ about yourself and your organisation.
What are some key OSINT sources?
Traditional media remains one of the most accessible sources of public information. This includes magazines and newspapers as well as radio and television broadcasts. Some governments and corporations may also put out unclassified datasets and reports for public viewing.
Importantly, following the dawn of the Internet, new media such as blog posts, digital newsletters and social media have emerged and quickly developed into an OSINT treasure trove. Not only is new media accessible from anywhere, it is also easily shared, which means that it enters the collective consciousness of the general populace more rapidly.
Why should you use OSINT?
OSINT can be used by companies to inform the hiring process. Law enforcement agencies could also use OSINT to identify and track security threats. In these contexts, OSINT is directed outwards.
However, organisations can also carry out OSINT on themselves to learn more about their online privacy and security landscape. For example, OSINT could help organisations uncover leaked credentials of high-value targets such as C-suite personnel. Employees may also inadvertently reveal their organisation’s IT assets on their LinkedIn profiles, perhaps even providing outsiders with details on the operating systems and servers used as IT infrastructure at their organisation. Similarly, developers may fail to keep application source code confidential.
Having an OSINT protocol in place could help plug these loopholes before they are exploited by hostile groups.
How do I perform OSINT?
Search engines and social media sites are perhaps the most straightforward means of carrying out OSINT. Simply by keying in the name of an individual or organisation, one can learn what the public knows about the said party.
To go deeper, organisations can use advanced search engines like:
Google Hacking Database
The Google Hacking Database (GHD) is a repository of custom Google search terms, also known as ‘Google Dorks’, that surface files containing sensitive information such as usernames, vulnerable servers, and even passwords. Attackers can use this database to identify search strings that may uncover vulnerabilities and sensitive information on affected websites.
For example, the following search string would list the directories within a given site that have directory listing enabled, whose files are therefore publicly accessible:
**site: intitle:"index of"**
Hence, organisations may use GHD to check whether any of their sensitive information is inadvertently exposed via these custom search strings.
Wayback Machine
The Wayback Machine is a digital archive of the World Wide Web that stores snapshots of websites at various points in time. Attackers may use it to gather compromising intelligence about an organisation through earlier versions of its websites.
Defensively, organisations may use the Wayback Machine to ensure that no sensitive data exists in legacy editions of their webpages.
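One way to run that check against your own domain, as an added example that is not part of the original article: it builds a query for the Internet Archive's public CDX index and flags archived URLs that look sensitive. The pattern list, the function names and the example.org sample response are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode, urlsplit

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

# Heuristic patterns (assumptions; tune them for your own estate): file types
# and paths that should not normally have been served to the public.
SENSITIVE = [
    ("backup or dump", re.compile(r"\.(sql|bak|old|dump|tar\.gz)$", re.I)),
    ("config or secrets", re.compile(r"(^|/)(\.env|\.git/|wp-config\.php|web\.config)", re.I)),
    ("key material", re.compile(r"\.(pem|key|pfx|p12)$", re.I)),
]

def cdx_query_url(domain):
    """Build the CDX query that lists every archived URL under `domain`."""
    params = {
        "url": f"{domain}/*",
        "output": "json",
        "fl": "timestamp,original,statuscode,mimetype",
        "collapse": "urlkey",  # one row per distinct URL
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"

def review_snapshots(cdx_json):
    """Return findings for archived URLs that were served with HTTP 200
    and whose path matches one of the SENSITIVE patterns."""
    rows = json.loads(cdx_json)
    if not rows:
        return []
    header, records = rows[0], rows[1:]  # first row holds the field names
    findings = []
    for rec in records:
        row = dict(zip(header, rec))
        if row["statuscode"] != "200":
            continue  # redirects and errors did not expose content
        path = urlsplit(row["original"]).path
        for label, pattern in SENSITIVE:
            if pattern.search(path):
                findings.append({
                    "reason": label,
                    "url": row["original"],
                    "snapshot": f"https://web.archive.org/web/{row['timestamp']}/{row['original']}",
                })
                break
    return findings

# Constructed sample of a CDX JSON response (not real archive data).
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode", "mimetype"],
    ["20150312101500", "http://example.org/", "200", "text/html"],
    ["20160704083000", "http://example.org/backup/site-2016.sql", "200", "text/plain"],
    ["20170119120000", "http://example.org/.env", "404", "text/html"],
    ["20180926141200", "http://example.org/.git/config", "200", "text/plain"],
    ["20190101000000", "http://example.org/about.html", "200", "text/html"],
])

if __name__ == "__main__":
    print(cdx_query_url("example.org"))
    for finding in review_snapshots(SAMPLE_CDX):
        print(finding["reason"], finding["snapshot"])
```

Fetch the URL from `cdx_query_url` for your own domain with any HTTP client and pass the response body to `review_snapshots`. Treat anything it flags as already disclosed: removing the file from the live site does not remove the archived copy, so any credentials or keys it contained should be rotated.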
Sploitus
Sploitus is a search engine for publicly available exploits for vulnerable software. Attackers may use these exploits to launch attacks against organisational assets.
On the other hand, organisations may use Sploitus to find out if exploits for the specific software versions they are using are publicly available. Organisations can then remediate the underlying vulnerabilities to pre-empt a breach.
For example, if an organisation's server is using Drupal 8.6.10 (a Content Management System, or CMS), a search in Sploitus could reveal if a public exploit exists to compromise the CMS.
HaveIBeenPwned
HaveIBeenPwned is a search engine for compromised email addresses. Anyone can use it to check whether their email addresses have been compromised and to identify which breaches the addresses were involved in. If employees learn that their email addresses have been compromised, they can be advised to change their passwords or to enable two-factor authentication.
Hopefully, with the sharing of some of these basic OSINT tools, you can now leverage this knowledge to discover unexpected information you or your organisation might have leaked on the internet. Take action now to prevent vulnerabilities from being exploited.
This article was first published by the Government Technology Agency of Singapore on April 22, 2019. The opinions expressed in this publication are those of the authors. They do not purport to reflect the opinions or views of Bank of Singapore Limited or its affiliates.