OSINT AnglesTo apply the open source intelligence (OSINT) angle to the questionnaire, think of this: everything external to your house is open (assuming you do not live on a large property with the home centered on it). The same goes for your car(s). From the street, it is fair game.
Car StickersThose pesky stickers we see on cars, the ones of stick figure families, are vectors of OSINT gathering about you and your family. Stickers that say things like "My heart is in Iraq/Afghanistan" are also of value to would-be attackers. Stickers announcing your children's basketball team name can release the same information. Here is an example:
- The owner has pets; several of them. This is worth noting when scoping the house for intrusion.
- The owner has several children and has lost a couple. It is something that could be used to build a social engineering pretext for communication and exploitation.
- Dad likes to work out, and Mom is a school teacher. Non-holiday weekdays are a lucrative target. An aspiring thief can also be used to build pretexts for phishing and vishing campaigns.
- John plays soccer and/or other sports. Depending on his age and whether he is on an organized team, he may practice 2-5 days per week after school.
- Neil skateboards. You may find him at the skate park after school.
- Jessica is too young to watch herself. She likely has a babysitter, which could be John, Neil, or someone else.
- Beaker and Ruby do not seem to be large or aggressive breeds.
- We know the kid's name and team. Most teams in 2016 have websites and/or social media, mostly Facebook pages.
- We can use this to infer the child's age range and team schedule. This gives attackers an idea of when to strike since they can reasonably infer the house is empty.
- Depending on the team, this can also provide information about wealth levels based on the travel schedule, team, etc. that can help attackers further profile the targets.
Baby On Board
Security System SignsThe respondents of the questionnaire talked about their opinions of security systems and their signs. The general consensus was split between deterrence and the ability to disarm. Understanding that I can add little to nothing about deterrence, I would like to pose this from the perspective of disarming and deception. From the perspective of the attacker or thief, they are looking at who the security system carrier is. This allows them to research ways to bypass and defeat the system. A simple way to further challenge the burglars via deception is to use a sign that is not that of your carrier. If you use Comcast, get an ADT or Brinks sign for example. While there are overlaps in defeating the systems, it would be a surprise to the thief. Other methods to complicate this are below:
- When selecting a system, choose a variety of networking methods if possible. The burglar may attempt to sever phone and/or cable lines to kill the connection. Having cellular and/or reciprocity with your neighbor (via their wireless network) can provide the resilience that burglars are not expecting (assuming they're not doing homes in parallel).
- Use real and dummy cameras. Have them cover the same area. If the burglar decides to disable one, they are now conflicted as to which one they should shut down (assuming they see both).
- Consider installing a wireless doorbell (with camera) like Ring. This is a doorbell that can be rung, but it's also a motion sensing camera.
- Whether you have dogs or not, consider some signs and/or magnets showing your love for your (insert aggressive breed [i.e. Rottweiler, Doberman Pinscher, Pitbull, etc.] here). Having a large dog is to your benefit per the questionnaire, but just making the attacker wonder if there is such a dog may do the trick, as well.
Social MediaThis is the pinnacle of OSINT gathering platforms. I will discuss some of this a little more in-depth below. What you post and how you post it can help cyber-enabled crooks paint a good picture of you and your routine. Obviously, all users of social networks and social media should have some level of cognizance about operations security (OPSEC). This is the thought that they should not make everything public and that they should scrutinize what they share and with whom they share it with. Social media platforms can give attackers some of the following examples of information:
- Information about (including pictures of) you, your family and your children.
- Information about your schedule, as well as your children's sports and activities schedule.
- IP Address or GPS Latitude and Longitude from where you posted. (See my Kim Kardashian post for more information).
- Enough information to build an effective pretext (character) to get close to you.
Miscellaneous Tools and IdeasAn awesome tool that I have found to collect and interpret OSINT data is the Advanced Recon Framework. A specific tool worth mentioning in this post is Melissa Data Property Viewer. This allows would-be thieves to follow vehicles then get their address and possibly contact the occupants using various pretexts. Note: This appears to only work in the USA.
Advice and ConclusionThere is little you can do to prevent entities from gathering OSINT on you, and even less can be done to prevent the creation of OSINT. The best thing that you can do is to be aware. Be cautious of any unsolicited visitors, emails, phone calls, etc. Think before you speak or respond. Attackers may be building a profile on you and yours to exploit you for their gain. Minimize what you tell people yourself. Be polite yet brief in any unsolicited conversations in-person, online, or otherwise. Do not provide too many details about anything. Understand what you're telling people in your use of sticks and adornments. Most of all, remain vigilant, and if it seems too good to be true, it probably is.