When the average person in Information Security thinks about Open Source Intelligence (OSINT), Instagram, LinkedIn, Facebook, Twitter, Pinterest or even MySpace come to mind. The idea is that people will unknowingly tell those collecting the OSINT most of what they want or need to know via their profiles and posts. While I do not dispute this, there are far more vectors to include.
I will discuss some of these additional vectors in subsequent articles. For this one, I want to home in on one in particular. This vector serves a limited purpose for penetration testing and ethical activities. I do not condone illegal and unethical activities (in fact, I condemn them), but I think it is important to acknowledge these vectors and work to mitigate them. What good is threat modeling and assessing our security if we are not introducing the methods that the malicious actors are using?
To frame this scenario, you have just bought a house. Your social media’s privacy is a little loose and you post that you just bought the house on Twitter, Facebook, and Instagram. You or your spouse has several Pinterest boards about ideas for the new house. You go as far as to post the cliché picture with the sold sign to social media.
Right off the bat, even if we are not friends or connected, I can likely see your name and location. Posting that you bought the house makes me conscious of forthcoming public records. That picture with the SOLD sign? I am reverse image searching it to see if it pops up on Trulia, Realtor or Zillow. If the image search works, I have your address. I also have something to use to build rapport when it comes to phishing and vishing, whether I am targeting you as a person (assuming that I am a malicious actor) or as an employee (a social engineer or penetration tester). I will use this to gain your trust, then ask you to tell me something sensitive that I can misuse or ask you to do something that is not in your best interests.
Back to the victim side of the scenario, your nosy aunt asks for a picture of your keys and you oblige. Because your new house is already equipped with newer (and nicer) appliances and goodies than your previous abode, you decide to sell your old stuff on Craigslist and Facebook Marketplace. In doing so, with a touch of social engineering yourself, you mention in the listing that this is a moving sale and explain the situation. A polite gentleman offers to take the stuff off your hands. He has to wait an extra day or two to pick it up, but he is willing to pay what you are asking without haggling or setting off any alarms.
Regarding the keys, the KeyMe app allows attackers to scan keys using a smartphone and either have copies mailed to them or created at a kiosk. The marketplace and yard/garage sale sites open people up to a significant amount of OSINT collection potential. Like the house purchase in general, a sale creates a reason for strangers to talk to you and collect information. Because refrigerators, washers and dryers are not exactly portable in a car or SUV, people typically come to pick them up at the seller’s location. While the appliances may be at the previous residence or in storage, a procrastinating “buyer” with a convincing story can move the pickup to your new house, whose address you will then have to share for them to come and get the items.
At this point, an adversary may have cloned your key, gotten your address, and communicated with you via phish or vish. They may even be on their way to your house to buy your old dryer and an old laptop. Taking this a step further, during the phish or vish, they may have injected malware into your computers. Even if you have a home security system, they may be able to disrupt it if they like. If they bought an old laptop, they may be able to retrieve sensitive documents and information using forensic and disk recovery tools.
Now for the final stages before they attempt to burglarize your new house. They know your address. All they need to do is search for your address on Trulia, Zillow, Realtor or MLS sites. Many times, realtors do not remove listings from these sites. Sometimes the sites gather information like tax costs from public records. The realtor sites also list which schools the home is zoned for, which lets a phish claiming to be from the school scare you into opening it. Aside from the children angle, the real threat is the pictures on the listings. They show entrances and exits, technologies used such as locks and window latches, hiding places and other useful pieces of information for an attacker.
In conclusion, this article is not meant to discourage or scare you with regard to buying or selling a house or even buying or selling items in online marketplaces. My intention is to illustrate a potential worst-case scenario with a seemingly innocent beginning. My best advice to you is to limit the audience that can see what you post on your social media. Additionally, be cognizant of what you are posting, whether people need to know it, and in what detail they should know it. Take proactive precautions to protect yourself and your family. If in doubt, consult your local law enforcement or a local security consultant.