Monitoraggio delle informazioni (Information monitoring): what others know about us and how it can be used
Antonio Ricci – Solution Engineer
Gabriele Zanoni – EMEA Solutions Architect

Who’s Who – AR
• Data Loss Prevention
• User Authentication
• Encryption
• Cloud Security
• Mail Security
• Web Security

Who’s Who – GZ
• Cloud Security
• Penetration testing
• Incident Response
• Anti-Fraud
• Computer Forensics
• Mobile Security

Index
• Information that we share
• Introduction to OSINT
• Tools and examples
• The power of analysis
• Counter-measures

Information that we share
Social networks expose our private and professional life…
http://www.youtube.com/watch?v=F7pYHN9iC9I
Companies expose their own information…

Introduction to OSINT
OSINT, Open Source INTelligence, is intelligence collected from publicly available sources. It is not a tool, it is not a website, it is neither a paid service nor something free… [1]
[1] http://en.wikipedia.org/wiki/Open-source_intelligence

Why OSINT
In a world that changes rapidly we need high-quality information at the exact moment we need it.

What’s the value we get from OSINT
«You see? You hesitate. But as a captain, you can't. You have to act. If you don't, you put the entire crew at risk. Now that's the job. It's not a science. You have to be able to make hard decisions based on imperfect information. Asking men to carry out orders that may result in their deaths. And if you're wrong, you suffer the consequences. If you're not prepared to make those decisions, without pause, without reflection, then you've got no business being a submarine captain.»
Lt. Commander Mike Dahlgren, U-571

How can we use OSINT?
• What’s the need?
  – Alerts in real time
  – Handling and monitoring of the situation
  – State of the art
• How to reach the scope?
  – Sources, from raw data through preprocessed data to elaborated data: mailing lists, newsgroups, chat, Pastebin, blogs, journals, publications, research, reports, analysis
Ways to perform the searches
• Dedicated search engines
• Keywords
• Ad-hoc early warning systems
• Feeds from generic sources of information
• “Standard” monitoring systems
• Available “when ready”
• Feeds from specialist sources

Time vs Quality vs Effort
[Figure: volume of the data, level of the effort and time plotted against quality; quality = reliability + relevancy]

The Information Search Process
A cycle: Formulation, Discovery, Selection, Delivery

#HowToFail
• Incomplete identification of the sources
• Not always structured data -> are you searching in a library or in a bazaar?
• “Not easy to access” data -> methods and/or formats
• Too much information:
«It refers to a hypothetical situation wherein an ass that is equally hungry and thirsty is placed precisely midway between a stack of hay and a pail of water. Since the paradox assumes the ass will always go to whichever is closer, it will die of both hunger and thirst since it cannot make any rational decision to choose one over the other.»
http://en.wikipedia.org/wiki/Buridan%27s_ass

TOOLS AND EXAMPLES

Analysis of a Web Site
• From the website to the people
  – Owners
  – Shareholders
  – Maintainers
  – Etc…
• Who has registered the website
• What are the web sites on the same IP?
• An example
• Back in time
• Registro Imprese (the Italian companies register)

Finding people on Social Networks
Finding a nick:
• http://namechk.com
• http://www.namechecklist.com
• http://www.namecheckr.com

Creepy - http://ilektrojohn.github.io/creepy/
• A geolocation OSINT tool. Offers geolocation information gathering through social networking platforms.
• Supports:
  – Flickr
  – Instagram
  – Twitter

Image Analysis
• Where was a photo taken?
• http://imageforensic.org

Law and the metadata
“Gabriella Carlucci's bill to “regulate the Internet” is in reality yet another clumsy “anti-piracy” measure disguised as something else.
After all, over the years the Honourable Carlucci has built up real expertise on the subject (where “expertise” is a term to be handled with extreme care). In any case, the Carlucci bill, freely downloadable from her blog in .doc format, has something odd about it. As Guido Scorza noticed, the computer on which the document was written is registered to a certain Daniele Rossi of Univideo. Evidently a friend of Gabriella's, namesake of the president of the Unione Italiana Editoria Audiovisiva.”
http://www.rigeneriamoci.com/i-metadati-e-lon-carlucci/

Why metadata are important
• You will discover the true authors of the documents
• Or clues about whether the documents have been shared with someone (e.g. the user that last saved the document)
• Verify whether the document really comes from a certain company, person, etc.
• Who is working in a company or for a specific company

Finding Metadata with FOCA
https://www.elevenpaths.com/labs-tools-foca.html

Foca and Foca Forensics
• Foca: a tool that crawls websites and downloads documents in order to extract the metadata they contain
• Foca Forensics: same as Foca, but it works on already downloaded data
• Download:
  – http://www.informatica64.com/foca.aspx
  – http://www.informatica64.com/forensicfoca/

Foca Forensics
Anonymous has leaked some data and you want to verify whether the information it contains is true… Download the data and scan it with Foca Forensics.

Shodan - http://www.shodanhq.com/
• Shodan is a system that indexes services and devices exposed on the Internet
• You can easily identify webcams, web administration interfaces, vulnerable software (e.g. based on the software banner)

Fbstalker - https://github.com/milo2012/osintstalker

Maltego - https://www.paterva.com
Maltego is an open source intelligence and forensics application. It offers timely mining and gathering of information as well as the representation of this information in an easy to understand format.
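The Image Analysis slide asks where a photo was taken; the usual answer is the Exif GPS IFD that cameras and phones embed in the JPEG. The following is an added example, not code from the deck or from imageforensic.org: it walks the JPEG marker segments, parses the TIFF structure inside the APP1 segment with the standard library only, converts the degree/minute/second rationals to decimal, and, for the Counter-measures section, strips the APP1/Exif segment before publication. The sample JPEG is constructed in memory (no image data) and its coordinates are invented; the parser assumes a well-formed file whose metadata segments precede the scan data.

```python
import struct

# Exif/TIFF constants
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
APP1, SOS = 0xFFE1, 0xFFDA
EXIF_ID = b"Exif\x00\x00"


def _segments(jpeg):
    """Yield (marker, whole segment) for the length-prefixed segments before the scan.
    Assumes a well-formed file: SOI, marker segments, then SOS (no bare RSTn markers)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == SOS:
            break
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, 4-byte value-or-offset field)} for one IFD."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _rationals(tiff, endian, count, field):
    """RATIONALs never fit the 4-byte field, so the field holds an offset into the TIFF."""
    (off,) = struct.unpack_from(endian + "I", field)
    vals = struct.unpack_from(endian + "II" * count, tiff, off)
    return [vals[i] / vals[i + 1] for i in range(0, 2 * count, 2)]


def _to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None when the file has no GPS IFD."""
    for marker, seg in _segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_ID:
            continue
        tiff = seg[10:]
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
        (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0 = _read_ifd(tiff, endian, ifd0_off)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack_from(endian + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, endian, gps_off)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat_ref = gps[GPS_LAT_REF][2][:1].decode()
        lon_ref = gps[GPS_LON_REF][2][:1].decode()
        lat = _to_decimal(_rationals(tiff, endian, 3, gps[GPS_LAT][2]), lat_ref)
        lon = _to_decimal(_rationals(tiff, endian, 3, gps[GPS_LON][2]), lon_ref)
        return lat, lon
    return None


def strip_exif(jpeg):
    """Counter-measure: drop every APP1/Exif segment before the photo is published."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, seg in _segments(jpeg):
        pos += len(seg)
        if not (marker == APP1 and seg[4:10] == EXIF_ID):
            out += seg
    return bytes(out + jpeg[pos:])  # scan data and EOI follow unchanged


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: a JPEG holding only an Exif GPS IFD, no image data."""
    gps_ifd_off, data_off = 26, 80  # header 8 + IFD0 18 = 26; + GPS IFD 54 = 80

    def ascii_entry(tag, ref):
        return struct.pack(">HHI", tag, TYPE_ASCII, 2) + ref.encode() + b"\x00" * 3

    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd_off)
    tiff += b"\x00" * 4  # no next IFD
    tiff += struct.pack(">H", 4) + ascii_entry(GPS_LAT_REF, lat_ref)
    tiff += struct.pack(">HHII", GPS_LAT, TYPE_RATIONAL, 3, data_off)
    tiff += ascii_entry(GPS_LON_REF, lon_ref)
    tiff += struct.pack(">HHII", GPS_LON, TYPE_RATIONAL, 3, data_off + 24) + b"\x00" * 4
    for num, den in lat_dms + lon_dms:
        tiff += struct.pack(">II", num, den)
    payload = EXIF_ID + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


# Constructed photo tagged 45°28'12.34"N 9°11'20.00"E (roughly central Milan, invented)
SAMPLE_JPEG = build_sample_jpeg([(45, 1), (28, 1), (1234, 100)], "N",
                                [(9, 1), (11, 1), (2000, 100)], "E")
```

Calling exif_gps(SAMPLE_JPEG) gives the decimal position; exif_gps(strip_exif(SAMPLE_JPEG)) gives None, which is the state a photo should be in before it is posted. Real tools (exiftool, or Pillow's getexif) do the same walk; the point of writing it out is that the location sits in a plain, unauthenticated container that any downloader can read.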
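What Foca does once the documents are on disk, as an added example that is neither the deck's code nor Foca's: open OOXML packages (docx/xlsx/pptx are zip files), read docProps/core.xml and docProps/app.xml (creator, last-modified-by, modification time, application, company), roll the names up across a document set, and, for the Counter-measures section, blank those parts before publishing, which is the clean-up a MetaShield-style tool performs. The two sample documents are constructed in memory with invented user names and company.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Namespaces of the two metadata parts of an OOXML package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def build_sample_docx(creator, last_modified_by, company):
    """Constructed input: a zip with only the metadata parts and a stub body."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        "<dcterms:modified>2014-05-12T10:21:59Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    app = (
        f'<Properties xmlns="{NS["ep"]}">'
        "<Application>Microsoft Office Word</Application>"
        f"<Company>{company}</Company></Properties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")  # stub body, not parsed here
    return buf.getvalue()


# Fields Foca reports, as (result key, XML part, element path)
FIELDS = [
    ("creator", "docProps/core.xml", "dc:creator"),
    ("last_modified_by", "docProps/core.xml", "cp:lastModifiedBy"),
    ("modified", "docProps/core.xml", "dcterms:modified"),
    ("application", "docProps/app.xml", "ep:Application"),
    ("company", "docProps/app.xml", "ep:Company"),
]


def extract_metadata(data):
    """Return the author-identifying fields found in one document."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        parsed = {p: ET.fromstring(z.read(p)) for _, p, _ in FIELDS if p in names}
    for key, part, path in FIELDS:
        root = parsed.get(part)
        el = root.find(path, NS) if root is not None else None
        if el is not None and el.text and el.text.strip():
            found[key] = el.text.strip()
    return found


def summarize(documents):
    """Foca-style roll-up over a document set: who edits the files, for which company."""
    users, companies = Counter(), Counter()
    for doc in documents:
        md = extract_metadata(doc)
        for key in ("creator", "last_modified_by"):
            if key in md:
                users[md[key]] += 1
        if "company" in md:
            companies[md["company"]] += 1
    return users, companies


def scrub_metadata(data):
    """Counter-measure (the clean-up MetaShield-style tools do before publishing):
    rewrite the package with empty metadata parts, so it stays valid but names are gone."""
    empty = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{NS["cp"]}"/>',
        "docProps/app.xml": f'<Properties xmlns="{NS["ep"]}"/>',
    }
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, empty.get(name, src.read(name)))
    return out.getvalue()


# Constructed sample set: two files published on the same corporate site
SAMPLE_DOCS = [
    build_sample_docx("m.rossi", "g.bianchi", "Example S.p.A."),
    build_sample_docx("g.bianchi", "g.bianchi", "Example S.p.A."),
]
```

summarize(SAMPLE_DOCS) already tells an outsider who edits documents for the company and which account touches most of them, which is the "who is working in a company" bullet above; scrub_metadata is what the publishing workflow should run first. Legacy binary .doc files (like the one in the Carlucci story) store the same fields in the OLE SummaryInformation stream and need a different parser.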
A Maltego analysis can start from:
– A person name
– A document
– An email
– A phone
– Etc…

The power of analysis
Nobody knows… together we know!

Who is using OSINT?
“For the past three years, Elaine Rich and 3,000 other average people have been quietly making probability estimates about everything from Venezuelan gas subsidies to North Korean politics as part of the Good Judgment Project, an experiment put together by three well-known psychologists and some people inside the intelligence community.”
“According to one report, the predictions made by the Good Judgment Project are often better even than intelligence analysts with access to classified information, and many of the people involved in the project have been astonished by its success at making accurate predictions.”
http://www.npr.org/blogs/parallels/2014/04/02/297839429/-so-you-think-youre-smarter-than-a-cia-agent
http://www.goodjudgmentproject.com/

Reality Check!
http://www.theguardian.com/technology/askjack/2008/sep/19/security.email
How do you answer your security questions?
The goal is to optimize the attack while making as little noise as possible. Info for password cracking:
• Girlfriend/wife name
• Pet name
• Date of birth
• Sport teams
• Place of birth
• Addresses
• List of schools

I know where you are… I know your password!
http://www.oversecurity.net/2014/02/27/casaleggio-bucato-lapassword-usata-e-lindirizzo-della-sede-legale/
(the article's title: Casaleggio breached, the password used was the address of the registered office)

Google Hacking #1 – The unexpected
Knowledge of Google operators, and of how the Internet or a piece of software works, helps reach any information.

Google Hacking #2 – Passwords from backups

So you forgot to remove the geo-tag?

Shodan - how to identify the distribution of a vulnerability
• A vulnerability was recently published: a backdoor listening on port TCP/32764 in the Linksys WAG200G (and also in some other devices)
• Using Shodan it is possible to map where the vulnerable devices are
• http://shodanio.wordpress.com/2014/01/23/quick-statistics-on-the-router-backdoor-on-port-32764/
• https://github.com/elvanderb/TCP-32764

Recorded Future Inc.
- https://recordedfuture.com/
“is a software company based in Cambridge, Massachusetts, United States, and Gothenburg, Sweden, specializing in web intelligence and predictive analytics. Using what they call a "temporal analytics engine", Recorded Future provides forecasting and analysis tools to help analysts predict future events by scanning sources on the Internet, and extracting, measuring, and visualizing the information to show networks and patterns in the past, present, and future.”
“Both Google (on May 3, 2010) and the CIA have invested in the company, through their investment arms, Google Ventures and In-Q-Tel, respectively.”
http://en.wikipedia.org/wiki/Recorded_Future

Event Analysis
“Pressure cooker bombs have been more commonly seen in Indian and Southeast Asian attacks than anywhere else. Recent reports out of India also suggest that the weapon has become a “fad” in militant camps along the Afghanistan/Pakistan border. In contrast, discounting thwarted attacks such as the attempted attack on Times Square in 2010, the United States has experienced just one bombing with a pressure cooker, and that was back in 1976. There’s also little to see in Europe during the last several years.”
http://analysisintelligence.com/terrorism/pressure-cooker-bombings-map/

Counter-measures

A true story: Anonymous and the GPS tag
http://www.cnet.com/uk/news/breasts-lead-to-arrest-of-anonymous-hacker/

Whois
• Are you curious about who is behind a website?
• E.g. whois polimi.it, whois maglangroup.com
Credit: Ing. Francesco Ceccarelli (ENEL) @ AIEA ISACA Milan Chapter, Rome, 9 November 2011

Reputational controls
• IP Reputation:
  – What about the reputation of my IP addresses?
  – What about the reputation of the IP addresses of my competitor?
• Web Reputation:
  – Prevent threats by blocking IPs/URLs
  – Connections to botnets/C&C

MetaShield

Removing Banners
  GET / HTTP/1.0

  HTTP/1.1 200 OK
  Server: nginx/1.1.19
  Date: Mon, 12 May 2014 10:21:59 GMT
  Content-Type: text/javascript; charset=utf-8
  Connection: keep-alive
  X-Powered-By: PHP/5.3.10-1ubuntu3.4
  Content-Length: 294
The Server and X-Powered-By headers disclose exact product versions; this is the kind of banner Shodan indexes, so strip them or reduce them to the product name.

Awareness
• Main topics:
  – Policy/use of the social networks
  – Standard for publishing info on the corporate website
  – Hardening of Internet-exposed systems (avoiding leaks)

Conclusions
• The Internet often contains the information we need
• Depending on our objective we must identify the most appropriate ways to extract it
• PS: be careful about the data we leave on the Internet every day

Thanks!
[email protected]
[email protected]
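The Reality Check and “I know where you are… I know your password!” slides make the point that a handful of public facts yields a small, targeted guess list rather than a noisy brute force. As an added illustration that is not part of the deck, the code below builds that list from a constructed profile (every value is invented; the address item mirrors the Casaleggio case, where the password was the registered office address) and gives the defender's view of the same list: does my password appear in it?

```python
import itertools
from datetime import date

# Constructed profile: the facts the "Info for password cracking" slide lists, as they
# would be collected from public posts (all values invented)
PROFILE = {
    "partner": "Giulia",
    "pet": "Fido",
    "team": "Inter",
    "place_of_birth": "Milano",
    "address": "Via Roma 12",       # cf. the Casaleggio case: password = office address
    "school": "Liceo Volta",
    "birth_date": date(1985, 3, 14),
}

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def _date_tokens(d):
    """Year, two-digit year, ddmm, ddmmyyyy, ddmmyy: the usual date suffixes."""
    yy = f"{d.year:04d}"[2:]
    return {str(d.year), yy, f"{d.day:02d}{d.month:02d}",
            f"{d.day:02d}{d.month:02d}{d.year}", f"{d.day:02d}{d.month:02d}{yy}"}


def _word_tokens(profile):
    words = set()
    for value in profile.values():
        if isinstance(value, str):
            words.update(value.split())            # "Via Roma 12" -> Via, Roma, 12
            words.add(value.replace(" ", ""))      # ViaRoma12
    return {w for w in words if len(w) > 1}


def _mangle(word):
    """Case and leet variants of one token."""
    for form in (word, word.lower(), word.upper(), word.capitalize(),
                 word.lower().translate(LEET)):
        yield form


def candidates(profile, suffixes=("", "!", "1", "123")):
    """De-duplicated password guesses built only from the profile facts."""
    dates = sorted(_date_tokens(profile["birth_date"])) if "birth_date" in profile else []
    words = sorted(_word_tokens(profile))
    seen, out = set(), []

    def add(guess):
        if guess not in seen:
            seen.add(guess)
            out.append(guess)

    for w in words:
        for form in _mangle(w):
            for s in suffixes:
                add(form + s)
            for d in dates:
                add(form + d)
    for a, b in itertools.permutations(words, 2):   # pet + team, partner + place...
        add(a.lower() + b.lower())
    return out


def is_osint_guessable(password, profile):
    """Defender's check: would this password fall to a profile-driven list?"""
    return password in set(candidates(profile))
```

The whole list is a few hundred entries, which is why a login or password-reset form with no lockout gives this attack the "low noise" the slide mentions: it finishes before any threshold-based alert fires. Security questions built from the same facts fall to the same list without any mangling at all.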
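For the Removing Banners slide, an added example that is not the deck's own code: a small parser that flags version-bearing banner headers in a raw HTTP response, run against the response shown on the slide and against a constructed response from the same server after nginx's `server_tokens off;` and PHP's `expose_php = Off` have been applied. The header names beyond Server and X-Powered-By are my additions, chosen because they commonly carry versions too.

```python
import re

# The response shown on the "Removing Banners" slide (copied from the deck)
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.1.19\r\n"
    "Date: Mon, 12 May 2014 10:21:59 GMT\r\n"
    "Content-Type: text/javascript; charset=utf-8\r\n"
    "Connection: keep-alive\r\n"
    "X-Powered-By: PHP/5.3.10-1ubuntu3.4\r\n"
    "Content-Length: 294\r\n"
    "\r\n"
)

# Constructed: the same server after `server_tokens off;` in nginx.conf (version dropped
# from Server) and `expose_php = Off` in php.ini (X-Powered-By no longer sent)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Date: Mon, 12 May 2014 10:21:59 GMT\r\n"
    "Content-Type: text/javascript; charset=utf-8\r\n"
    "Connection: keep-alive\r\n"
    "Content-Length: 294\r\n"
    "\r\n"
)

# Headers that commonly carry product/version banners (the last three are my additions)
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "via")
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/([\w.~+-]+)")


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def version_leaks(raw):
    """Return [(header, product, version)] for every banner that discloses a version."""
    _, headers = parse_headers(raw)
    leaks = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        pairs = PRODUCT_RE.findall(value)
        if pairs:
            leaks.extend((name, product, version) for product, version in pairs)
        elif re.search(r"\d", value):  # bare version, e.g. X-AspNet-Version: 4.0.30319
            leaks.append((name, name, value))
    return leaks


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, version_leaks(raw) or "no version disclosed")
```

Run the check against your own exposed hosts after each deployment; a banner like nginx/1.1.19 plus PHP/5.3.10-1ubuntu3.4 is exactly what the Shodan slide means by identifying vulnerable software from the software banner, and removing the version does not fix the software, it only stops advertising it.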