Nothing to Hide

• Privacy vs “I have nothing to hide” - Kev Quirk
• Why ‘I Have Nothing to Hide’ Is the Wrong Way to Think About Surveillance | WIRED
• You May Have ‘Nothing to Hide’ But You Still Have Something to Fear | News & Commentary | American Civil Liberties Union

Information Asymmetry

Information asymmetry is enables those with more information to manipulate those with less to great effect.

• Insider Trading
• Cons (Confidence Games)
• Advertising

Looks can be Deceiving

Just because it doesn’t look intimidating doesn’t mean that it’s not incredibly dangerous.

Bolton Strid

What appears to be a small stream one could easily jump across hides unfathomable depths of around 65 meters.

• Why Bolton Strid May Be Earth’s Deadliest Body Of Water
• The Most Dangerous River in THE WORLD is HOW DEEP?! The Strid at Bolton Abbey
• I filmed beneath THE STRID and this is what I found…. CHAOS

Everyone is a target

1. Low value info in bulk is valuable
2. Sometimes you are the secondary target
3. Data enrichment and Attack chaining
4. As attacks get easier/automated more people are targeted
5. Data can become more valuable with time

Information is More Valuable in Bulk

• No one is terribly interested in the info of a single person.
• Selling access to large numbers of people is profitable.
• Phone number and address lookup services.

Information is More Valuable Over Time

• Historical DNS records
• Housing info over time
• Employment/credit history
• If a person becomes famous, their old info suddenly becomes much more interesting.

Secondary Targets

Sometimes you aren’t the target, but merely a stepping stone on the way to the true target.

Data Enrichment

Multiple information sources can be combined to enrich data and give a more complete overall picture.

OSINT Sources

Any publicly available data source

• Social media: people frequently over-share
• Public records: housing, taxes, DNS records
• Publicly available corporate info and records
• Data brokers (not OSINT proper)

OSINT Tools

• 12 Resourceful OSINT Tools You Should Know
• What is OSINT? 15 top open source intelligence tools | CSO Online
• OSINT Sources: What Are the Different Types? - Blackdot Solutions Videris
• OSINT Framework

OSINT Collections

• OSINT-Framework: OSINT Framework
• osint_stuff_tool_collection: A collection of several hundred online tools for OSINT
• awesome-osint: A curated list of amazingly awesome OSINT
• FBI-tools: OSINT Tools for gathering information and actions forensics

1. Hidden Metadata

• EXIF data in images
• ID3 tags in audio
• Printer dots on paper
• Checksums and Error Correcting Codes
• Digital watermarks
• Pattern based file naming (digital cameras)

2. Incomplete Redaction

Did you actually remove the info?

• Layered file formats
• Hiding structured data
• Drawing a box over text in a layered file format does not remove the data.
• “Track Changes” in MS Word keeps old information around.
• Other hidden fields and metadata.

3. Re-correlation of “anonymized data”

Data has a unique “shape” and can thus be fit back togeher like the pieces of a puzzle.

Imagery Analysis

Even with just the picture and no additional data, there are ways of matching landmarks in the picture to determine where it was taken.

Matching Landmarks

LinkedIn showed me this photo because they work with someone I know.

They mentioned the name of the mountain in the picture. Even without EXIF data I was able to find out their exact address.

Automated Imagery Analysis

4. Stylometry

The analysis of writing styles to determine authorship e.g. word frequency, adjacency, punctuation, misspellings, etc.

• Stylometry Methods and Practices
• Unveiling the Anonymous Author: Stylometry Techniques
• Basic Stylometry 101

The Water Cooler

• Shoulder surfing and eavesdropping are the oldest and easiest side channels
• Most people are pretty careless when discussing important matters
• Restaurants, break rooms, anywhere people gather can be troves of info

Technological Side Channels

• Extracting audio from visual information
• Great. Now Even Your Headphones Can Spy on You
• tempest-lcd: Play music from your LCD monitor with a radio
• Picking Locks with Audio Technology
• iPhone Apps Can Tell Many Things About You Through the Accelerometer
• PLATYPUS: With Great Power comes Great Leakage

Remote Sensing Technologies

• The next big Wi-Fi standard is for sensing, not communication
• Seeing Through Walls
• Household Radar Can See Through Walls and Knows How You’re Feeling
• Toward Centimeter-Scale Human Activity Sensing with Wi-Fi Signals
• Human Activity Sensing with Wireless Signals: A Survey

Mobile Sensors: Drones and IoT

Even sensors that can only read info from nearby, can now be remotely accessed or moved into proximity via a drone.

With Information Comes Power

• Information allows intentional action.
• The more information available, the more successful the action can be.

Knowing Where to Find You

Knowing Your Weaknesses

AI Impersonation Attacks

How easy is it for some in Russia/China/India to pretend to be you, or pretend to be a client, and send very convincing fake instructions?

Deep Fakes

• How Underground Groups Use Stolen Identities and Deepfakes
• Deepfakes: Uncensored AI art model prompts ethics questions
• The Road to Realistic Full-Body Deepfakes - Metaphysic.ai
• Deepfakes expose vulnerabilities in certain facial recognition technology
• Artificial Intelligence, Deepfakes, and Disinformation: A Primer | RAND

Lyre Bird

• Google’s AI Clones Your Voice After Listening for 5 Seconds!
• Audio samples from “Transfer Learning from Speaker Verification to Multispeaker Text-To-Speech Synthesis”
• lyrebird: Simple and powerful voice changer for Linux, written in GTK 3.
• I Used AI To Clone My Voice And Trick My Mom Into Thinking It Was Me
• Fraudsters Cloned Company Director’s Voice In $35 Million Bank Heist, Police Find