Information Security Buzz

Yummy Yummy – Look At That Lovely Dog Food

By Professor John Walker, February 7, 2022 (updated January 4, 2023). 7 Mins Read

On 23 February 2022, I am presenting a webinar to an international audience titled ‘Don’t look back in anger, look forward and predict the unknown’, on a subject which many today would still consider a Dark Art: OSINT (Open-Source Intelligence). In this webinar we will explore both the positives and the negatives of the specific methodologies which may be applied to good or evil purpose, and will delve into how OSINT may be used by aggressors to footprint a target pre-attack, identifying weak points which may be analysed and then subjected to further exploitation. For examples of such activity, one only has to look back over the previous two years of cases involving breaches of Experian, Serco, and other longer-standing events such as those which impacted Equifax, all of which went on to expose client details and impacted millions of individuals world-wide. And then, of course, there are all those adverse events involving the Third-Party Supply Chain which provides digital security services and support into high-profile companies: supply chains which are now proven to be a potential backdoor into the procuring organisation’s infrastructure.

Reflecting on the webinar, and with the proven weakness of the digital Third-Party Supply Chain in mind, I decided to take a closer look at those who provide some form of service or feed out of the Cyber Security Industry, from Cyber Recruiters to Security Awareness providers, from Certification Bodies to Cyber Service Suppliers, and the discoveries from the sample are, to say the least, worrying. For example:

Example 1: The high-profile Cyber Security Recruitment Agency who boast on their website:

“Our extensive network includes technology and risk experts with unrivalled experience protecting businesses against both internal and external threats and vulnerabilities. Whether your business is adopting security controls and measures for the first time, or is looking to mature a pre-existing function, we will partner with you to provide industry-leading authorities, capable of creating a best-in-class security posture”

And yet this very same company are hosting 37 vulnerabilities and exposures ranging from HIGH all the way down to LOW, not to mention a host of other points of exposure and data leakage.

Example 2: Or consider the Security Awareness company who state on their website the following mantra:

“Improving trust in the online environment”

Here we discover that they are hosting no less than 36 vulnerabilities, again ranging from HIGH through to LOW, along with several other malicious associations, an exposure to XSS (Cross Site Scripting) attacks, and matters relating to the privacy of those who visit the site – yip, this is certainly the path to improving trust in the online environment!

Example 3: Then we may cast our digital eye over the deployment of a well-known, long-standing site which offers advice on Cyber Security, whose home page mantra is:

“A Leading source of unbiased, factual and easy-to-understand information on online safety”

In this example we discover they are hosting 30 potentially exploitable exposures and vulnerabilities, again from HIGH through to LOW, along with several other privacy and scripting exposures associated with their TLD.

Example 4: We may then look toward the company who offer companies a badge to demonstrate they are secure, who state on their website:

“A not-for-profit accreditation and certification body that represents and supports the technical information security market”

Here we have a site which is hosting 28 vulnerabilities and exposures ranked from HIGH through to LOW, along with exposures to XSS, and, more worrying on the privacy front, it would seem the website was capturing user keystrokes!

Example 5: This one is a classic in every sense of the discovery: a company offering Cyber Security Services who state on their home page:

“A team of Cybersecurity and Collaboration experts protecting your business and improving communications”

Notwithstanding their boast, they are hosting 12 exposures on their TLD, again in the HIGH through to LOW range, along with associations with malicious IP addresses, other related sub-CVE exposures, and several exposures which could potentially support an XSS attack.

Example 6: The last example I provide is very much focused on the provision of Third-Party support services which integrate and communicate with the internals of the organisation, in this case in the form of systems management and support. Here the mantra is:

“What we can do for your business”

So, looking at the security associations with this deployment, we can see they have suffered several compromises amounting to 64 compromised accounts, 194 data leakages, and 37 password security issues. On top of that, several mechanisms were detected which may be used to invade the privacy of those who visit the site. More worrying still, their TLD was hosting a high number of potentially exploitable insecure postures, ranging from HTTP exposures through to JavaScript implementations which could be subject to exploitation. We also discovered 30 email addresses which had been leaked, raising the potential of a Social Engineering attack to a higher rung on the attack ladder. And again, so as not to spoil the trend, here too we discover 22 security exposures and vulnerabilities ranging over HIGH through to LOW, and a few interesting open ports. Remember that these are the type of organisation who are connecting into ‘your’ hopefully secure corporate environments to provision support – just saying! To close on this find, one area does concern me here, and maybe here again we find a part of the jig-saw in the world of cyber: this company are holders of Certified status under ISO/IEC 27001. Not sure what that tells us, but!

Conclusion

We are all aware of the potential for the Third-Party to introduce or to facilitate a side-channel security exposure into our business, as stated above: “What we can do for your business” – right? It has also been suggested that around 40% of intercompany breaches have been associated with a Third-Party, so a little more due diligence would be a good recommendation. Maybe look at the BSI website for publications on Third-Party Management, or look at ISO/IEC 27001 for some top-level direction.

When it comes to the overall discoveries relating to what we call the Cyber Security Industry, it is worrying that so much insecurity would seem to prevail among those who are, by their own definition, supporting the Cyber Security missions of their Clients and Readers. When we see such a hole in what is considered secure, we may also understand that the cyber-skills crisis is deeper than we first could have possibly imagined; maybe the world of tick-box and boot-camp driven Certifications, and the lack of associated technical skills, have a lot to answer for.

Back to the topic of OSINT: we should be very much aware that OSINT methodologies have been applied for years by Cyber Aggressors, and for that matter State-Sponsored Actors, to discover, acquire, and Footprint their targets as a precursor to an attack, ensuring the outcome has a higher likelihood of success. So why not move over into the driving seat of that aggressor and start to utilise OSINT in a proactive way to discover those corporate unknown-unknowns and known-unknown insecurities before somebody else does – at your cost!

In the meantime, get that can opener out, open a can of favourite dog food, and get chomping!

Professor John Walker

John is the Principal at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham Trent University (NTU), and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle and Far East to Commercial, Industrial, Financial Services Sector and Military Agencies, including the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina, and Sao Paulo.

He served in the Royal Air Force for 22 years, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG and others in the fields of SIGINT, COMINT and Satellite Communications, holding appointments such as System ITSO for a CIA SCIF.

In the commercial sectors of IT/Cyber he has worked for/with Logica, BAE, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons, TSol (Treasury Solicitors), and provided Consultancy to the Saudi Arabian MOD, the TRA (Telecommunications Authority, Dubai) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).
