Social Media as an OSINT tool
It is that time of the year again, the one that is particularly annoying for people who have lots of friends with small children.
It is the ‘back to school’ or ‘stand by the front door’ week. Many parents do this; I have been guilty of it myself. This year it will be even more prominent because, due to Covid, the majority of children ended the summer term without meeting the annual leaving milestone as expected, which was especially hard for those reaching the end of their primary schooling or even completing their first year in reception. This year going back to school is a bigger deal for most than ever before, and this will be accurately reported on social media with various versions of #backtoschool and #firstdayatschool.
So what? you might ask. What is wrong with uploading a photo of my child looking super cute in their new school uniform?
For many people, nothing at all. I don’t aim to scaremonger with this post; many people have a Facebook or Instagram account with locked-down privacy settings, and they only share this sort of picture with their close friends and family.
However, at a time when employees are manipulated via social engineering to give away confidential information or access, as was initially suspected in the recent Twitter hacking breach, people need to be aware of what they are posting on social media and of what could be compromised if they were manipulated.
Sloane Risk Group specialise in identifying and preventing vulnerabilities which enable malicious access to information security. This covers both the physical security of buildings, offices and systems and the access which is obtained through hacking people, by manipulating them to give away vital information, leading to data loss or physical breach.
We have worked with clients in businesses that specialise in software development, pharmaceuticals, and research, all with their own reasons to be targets of malicious attackers. Some of them have experienced campaigns against them, including threats of direct violence towards the family members of their staff.
When we look at an organisation’s staff and their attitude towards security, we frequently find links between accounts such as LinkedIn and various social media platforms which inadvertently give away far more personal information than can be recommended from a security aspect. We find that people often take measures not to show their address but then miss other exploitable personal identifiers. This is especially prevalent in spouses who do not realise the access to information or development that their partners may have.
If a malicious attacker is able to trace your children to a local primary school, it would not take long to identify them being dropped off, then your vehicle and, from there, your home address. This could be to place you under further surveillance, plant audio devices at your address, search through your rubbish, place tracking devices on your vehicle or even to directly threaten you.
Even if you are not in the category of people who could be exploited for criminal or competitor gain, the general security of your children should always be a cause for concern. In many child abduction incidents, the perpetrator has conducted some sort of research around that child first, especially in kidnap-for-ransom cases.
What steps should I take to stay safe?
Before you or your spouse post anything with details such as school jumpers with emblems stating exactly where that school is, consider the following:
• Am I in a position where I could be bribed, blackmailed or tricked into giving away company secrets?
• Could the organisation that I work for be a target for hackers, scammers, criminals or protestors?
• Is the company information so valuable that someone could even threaten me or my family to get it?
• Am I giving away too much information about my family and our routines?
This is extreme but unfortunately not unheard of. If you feel that you should maintain the freedom to post about your family life, consider blacking out emblems or logos on uniforms, think about the wording you use when you make your posts, and check what other information you may be giving away in the picture, such as door numbers or car number plates.
If you would like more information regarding counter-espionage, a company security assessment, security audit, black team/physical penetration test, staff security awareness training or an employee security profiling test, then please contact us.