OSINT (open source intelligence) is the public information you can find out about a person or organisation, and I’ve been getting into it a lot lately. Mostly familiarising myself with tools and techniques and intel feeds, and joining community forums to pick up tips and generally join in where I can.
I try to practice on local stuff where I can because it’s familiar to me: I made a case file in Maltego for the KKK people who defaced the Islamic Community Centre in Ards, for example. It was good practice for using the tool and establishing connections between the people in all of the various online sources, storing photos, videos, links to earlier incidents, etc.
So, when a random account followed me on Twitter that looked a little bit like a bot, and was kinda nasty in my DMs, it felt a little bit like an opportunity for some investigation…
And look, I need to stop here and make a disclaimer. I was reluctant to write this post in case it made people nervous. I am mostly Lawful Good, and I love people and their humanity and we’re all just struggling to get along, we’re all in this together. I don’t investigate the online lives of everyone that follows me – who the heck would have time, apart from anything else – because that’s rude, and uncomfortable. I would like to get to know people the normal and enjoyable way through actual conversation, thank you.
And I’m certainly not going to be friends with this rude person, so knowing stuff about them doesn’t make me as weirdly uncomfortable, but they are still a human being with a life. So even though I went ahead and did the investigation this time, I’m not going to go into specifics or show photos, because doxxing is not cool. But I think there is still something interesting to be learned from the process – if you’re bored you can bow out anytime!
So, I get this mean DM and I click through to see who the heck this is, and the account has fewer than 20 followers, which is usually a red flag for a bot account. But wait!
Some of the other accounts being followed are recognisable as people and companies local to me. Hmmm. So I look back over the Tweets from the account. There aren’t very many, and the Tweet frequency is in small bursts quite far apart, so I’m thinking this is a secondary account that doesn’t get logged into very often. More interestingly, many of the tweets tag one particular large Belfast company. Some are retweets and show photos of people receiving awards from competitions run by that company. I figure this means the account is run by someone that works there, or has a close family member working there.
The Twitter account name is far too general for a Google Search, but I reverse image search on the profile picture because it’s a fairly clear sort of logo. Loads of things turn up, but one that catches my eye is a GitHub user profile that has the same username as the Twitter account. As I tweet a lot of tech stuff many of my followers have GitHub profiles, so this seems like a really good match.
The GitHub profile READMEs show someone learning Java and working their way to being a software developer and onward into fully fledged projects. The projects are not anything unusual until I hit ‘browse commits’ on one of the oldest ones, and then I notice something interesting. The username on the old commits is something else, and something quite unique. Here we go again…
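The commit-author pivot above is easy to check for on your own repositories before anyone else does. The following is an added example, not code from the original post: it parses the output of `git log --format='%H%x09%an%x09%ae%x09%cn%x09%ce'` (hash, author name, author email, committer name, committer email, tab-separated) and flags every identity that is not on an allow-list of the names and addresses you intend to be public. The sample log lines, the allow-list entries and the `jdev_oldhandle` identity are constructed for the example.

```python
"""Audit a git history for author/committer identities you did not mean to publish.

Added example (not the original post's code). Constructed sample data; the
allow-list and the identities in SAMPLE_LOG are invented for illustration.
"""
import subprocess
from collections import Counter

# The identity you deliberately publish with (assumed for the example).
ALLOWED_IDENTITIES = {("Jane Dev", "jane@example.org")}

# Format string: hash, author name, author email, committer name, committer email.
LOG_FORMAT = "%H%x09%an%x09%ae%x09%cn%x09%ce"

# Constructed stand-in for `git log --all --format=...` output. The second and
# third lines carry an old handle and a machine-local address, the kind of
# identity that ends up in a history long before a repo is made public.
SAMPLE_LOG = "\n".join([
    "a1b2c3\tJane Dev\tjane@example.org\tJane Dev\tjane@example.org",
    "d4e5f6\tjdev_oldhandle\tjdev@laptop.local\tjdev_oldhandle\tjdev@laptop.local",
    "0a9b8c\tjdev_oldhandle\tjdev@laptop.local\tJane Dev\tjane@example.org",
    "f0e1d2\tJane Dev\tjane@example.org\tGitHub\tnoreply@github.com",
])


def parse_log(text):
    """Turn the tab-separated log into a list of (sha, author, committer) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, an, ae, cn, ce = line.split("\t", 4)
        rows.append((sha, (an, ae), (cn, ce)))
    return rows


def find_unexpected_identities(rows, allowed=ALLOWED_IDENTITIES):
    """Count, per (name, email) pair outside the allow-list, how many commits carry it.

    Both author and committer fields are checked: a rebase or cherry-pick can
    rewrite one while leaving the other intact.
    """
    counts = Counter()
    for _sha, author, committer in rows:
        for identity in {author, committer}:
            if identity not in allowed:
                counts[identity] += 1
    return dict(counts)


def audit_repository(path="."):
    """Run git against a real repository and return the unexpected identities."""
    result = subprocess.run(
        ["git", "-C", path, "log", "--all", f"--format={LOG_FORMAT}"],
        capture_output=True, text=True, check=True,
    )
    return find_unexpected_identities(parse_log(result.stdout))


if __name__ == "__main__":
    # Offline demonstration on the constructed log.
    for (name, email), n in sorted(find_unexpected_identities(parse_log(SAMPLE_LOG)).items()):
        print(f"{n:3d} commit(s)  {name} <{email}>")
```

Two caveats that the output does not show: rewriting history to remove an identity (with `git filter-repo` or similar) does nothing for forks and clones that already exist, and GitHub offers a noreply address setting so that future commits do not carry your real email in the first place.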
Armed with another, more unique username, Google turns up much more. Now I can see this person asking for advice about house repairs and tech purchases, and commenting on restaurants and hotel stays. I have found videos and photos of them doing hobby things and on holiday, and an entire hobby group which they regularly post in and attend meetings for. Quite a number of these forums have a user profile which mentions they are from Belfast, or from Northern Ireland. One forum mentions that they used to work in the particular Belfast company which they have been retweeting, so that is confirmed. The user profile picture is often one of this one particular hobby item, or of the person themselves, so the accounts can easily be correlated with each other.
This also gave me an email: dehashed.com identifies it in quite a number of breaches, though of course I would strongly expect the corresponding passwords to be old and defunct.
And I found a post which mentions the college they attended, their real name and grade in a particular subject. There’s a reasonable chance I could now find some of their classmates and teachers if I tried.
I also found a photo from the window of their house, taken during a lovely snowfall, from which you can clearly see the Harland & Wolff cranes. No EXIF data, but I know that a few minutes with Google Maps would probably give me a street.
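The snow photo had no EXIF data, which is the one thing that went right for this person. Checking that before you post is cheap, and it does not need an image library: a JPEG is a sequence of marker segments, and camera metadata lives in an APP1 segment whose payload starts with `Exif\0\0` (GPS coordinates included). The following is an added example, not code from the original post, that walks the segments ahead of the scan data, reports which metadata segments are present, and writes a copy with the APP1 to APP15 and COM segments removed while keeping the JFIF APP0 header and the image data untouched. The sample file bytes are constructed in the script; the Exif payload is a placeholder, not a real TIFF structure.

```python
"""Detect and strip metadata segments (Exif, XMP, comments) from a JPEG.

Added example (not the original post's code). SAMPLE_JPEG is a constructed,
minimal file: real marker layout, placeholder payloads.
"""
import sys

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP0, APP1, APP15, COM = 0xFFE0, 0xFFE1, 0xFFEF, 0xFFFE


def _segment(marker, payload):
    """Encode one marker segment: marker, 2-byte length (includes itself), payload."""
    return marker.to_bytes(2, "big") + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed JPEG: JFIF header, an Exif APP1 with a placeholder body, a free-text
# comment, a quantisation table, then the SOS header, scan bytes and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08<placeholder GPS/TIFF data>")
    + _segment(COM, b"taken from the front window")
    + _segment(0xFFDB, bytes(65))            # DQT placeholder
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"                     # placeholder entropy-coded scan data
    + b"\xff\xd9"
)


def parse_headers(data):
    """Return ([(marker, payload), ...], offset_of_SOS) for the segments before the scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF:          # skip optional 0xFF fill bytes
            pos += 1
        marker = int.from_bytes(data[pos:pos + 2], "big")
        if marker == SOS:
            return segments, pos
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS segment found")


def is_metadata(marker):
    """APP1..APP15 carry Exif/XMP/ICC/IPTC; COM is a free-text comment. APP0 (JFIF) stays."""
    return APP1 <= marker <= APP15 or marker == COM


def metadata_report(data):
    """List (marker, first bytes of payload) for every metadata segment present."""
    segments, _ = parse_headers(data)
    return [(m, bytes(p[:4])) for m, p in segments if is_metadata(m)]


def has_exif(data):
    segments, _ = parse_headers(data)
    return any(m == APP1 and p.startswith(b"Exif\x00\x00") for m, p in segments)


def strip_metadata(data):
    """Rebuild the file without metadata segments; scan data and EOI are copied verbatim."""
    segments, sos = parse_headers(data)
    kept = b"".join(_segment(m, p) for m, p in segments if not is_metadata(m))
    return b"\xff\xd8" + kept + data[sos:]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    for marker, head in metadata_report(data):
        print(f"metadata segment 0x{marker:04X} starting {head!r}")
    cleaned = strip_metadata(data)
    print(f"{len(data)} bytes -> {len(cleaned)} bytes, exif present after: {has_exif(cleaned)}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(cleaned)
```

Run it with an input and output path to write a stripped copy. Note the limits: it handles baseline and progressive JPEGs but not PNG (`tEXt`/`eXIf` chunks) or HEIC, and stripping metadata does nothing about what is visible in the frame, which is the point of the post.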
This is where I stopped. It felt really uncomfortable. I hope it made you feel uncomfortable, too. And I hope it made you think about your OpSec just a little bit.
I don’t know what the answer is. We should be able to share things that are important to us online. We should be able to share photos that make us happy. We should be able to ask for advice, and share our code, and our hobbies with each other. And we should be able to keep in touch with friends and family from afar, especially those that we don’t see often. We are living online now, and we should be able to live. I am not going to be that person who says you should never post anything personal.
- Tweak your privacy settings, so that bad people can’t just look up all your details. (You can search how to do this!)
- When you take photos check nothing too personal is in view, and you have everyone’s consent to give away their location online.
- Don’t say online when your house will be empty or you’ll be alone and vulnerable, because you might be easy to find!
And don’t be rude to people online. Sometimes they can find out where you live.