Summary
Highlights
Tomek Turba, with over 20 years in cybersecurity, introduces OSINT (Open Source Intelligence) as the process of gathering and analyzing information from publicly available sources, and OPSEC (Operational Security) as the art of leaving no traces. He explains that OSINT can be used for both offensive and defensive purposes, but it must always be paired with OPSEC to protect one's identity and operations. The presentation covers common misconceptions about OSINT and OPSEC, showcasing how easily personal and professional information can be exposed.
The first major mistake is conducting OSINT operations from one's own IP address, personal accounts, or standard browser without proper isolation. Using incognito mode offers minimal anonymity, only clearing browsing history locally. Sophisticated tools can reveal a user's operating system, browser version, internet service provider, and even detailed administrator information. To mitigate this risk, it's recommended to use separate browsers or virtual machines (e.g., Hunix, Tails Ppendrive-based OS), avoid logging into personal accounts, and understand that VPNs alone do not guarantee full anonymity.
Sock puppeting, the creation of false online identities for OSINT, is prone to errors if not done correctly. Using AI-generated images from sites like 'This Person Does Not Exist' for profile pictures is easily detected by modern social media algorithms. Creating a credible sock puppet requires more than just an image; it needs a consistent persona, a dedicated prepaid number or virtual SIM, a secure email (e.g., Proton Mail), and active engagement over at least four weeks to build a legitimate online history. Without this, accounts risk immediate banning or rejection by social media platforms.
Metadata embedded in files can reveal significant sensitive information, often unintentionally. Examples include CVs containing previous employer names in their file names, or images with geotags revealing precise locations. The case of John McAfee, who was located based on metadata from a photo, illustrates this point. Tools like ExifTool can extract and clean metadata from various file types. Proper metadata management is crucial, including using Word's document inspector for cleaning files and being aware that cropping an image in a document doesn't remove the original, uncropped data.
Intermingling private and professional digital lives is a significant OPSEC flaw. Using a private phone for work-related OSINT can lead to social media algorithms connecting personal and professional contacts. Shared Wi-Fi networks can also cross-profile users. High-profile examples include a minister's private email exposure due to using it for official communications, and a politician leaving a logged-in ministerial iPad on public transport. The solution is strict separation into three spheres: private, professional, and operational, never transferring data or accessing operational accounts from non-operational devices or networks.
VPNs do not guarantee 100% anonymity. While they hide IP addresses and encrypt traffic, browsers can still be fingerprinted through time zones, language settings, fonts, screen resolution, and canvas fingerprinting (unique rendering characteristics). Furthermore, WebRTC leaks can expose real IP addresses. The 'Fourteen Eyes Alliance' means VPN providers in member countries may be mandated to share user logs. True anonymity requires layered approaches like VPNs combined with Tor Browser, activating kill switches, disabling WebRTC in browser settings, and using privacy-enhancing browser extensions.
A brief interlude to announce the 'OSINT Toolkit' training program, offering a significant discount for early registrants. The program includes nine live sessions, covering in-depth OSINT techniques, OPSEC, and advanced topics like anti-forensics and dark web investigations. Special bonuses include an OSINT e-book and a bonus Q&A session with the presenters.
The belief that all communicators are secure is a fallacy. Many popular platforms like WhatsApp and Telegram, despite their encryption claims, can expose metadata or require specific settings (like 'secret chat' in Telegram) to be truly secure. Instances like gadu-gadu public catalogs or WhatsApp's Firebase data leaks demonstrate how easily personal information can be extracted. For sensitive conversations, Signal or Wire are recommended, along with dedicated encrypted solutions and PGP for emails. Extreme OPSEC measures include dedicated 'burner' smartphones purchased anonymously and used in different locations.
Failing to immediately document and preserve evidence during OSINT investigations can invalidate findings. Screenshots without timestamps, URLs, or cryptographic hashes (like SHA-256) are easily dismissible in legal contexts as they lack integrity. Examples include fake news being debunked due to lack of verifiable evidence, or lost government records related to sensitive communications. The solution involves meticulously securing all materials with checksums, timestamps, and using archiving services like Wayback Machine or dedicated tools like Hunchly to create a robust chain of evidence.
A recap of the first 10 mistakes and an announcement of a contest for observant viewers, with prizes for answering specific questions about the presentation content.
Relying on a single source of information is dangerous due to misinformation, deepfakes, and intentional manipulation. Examples include viral images from conflicts being misattributed or being AI-generated. Even government agencies like the Secret Service have 'lost' records due to 'device replacement programs.' The principle of triangulation is key: verify information with at least two out of three independent sources. This also includes passing content through deepfake detection tools, as AI-generated content now dominates a significant portion of the internet.
The operator's own digital footprint and cognitive biases are major OPSEC risks. Personal data leaks from past online activities (e.g., old social media platforms, compromised databases) and 'confirmation bias' (interpreting information to confirm existing beliefs) can compromise OSINT efforts. It's crucial to audit one's own digital presence using tools like 'Have I Been Pwned' or 'What's My Name' to understand and mitigate personal vulnerabilities. The speaker highlights the vast 'iceberg' of one's digital footprint, with only a small portion visible and the majority hidden below the surface.
The top mistake is approaching OSINT without a structured process. This leads to disorganized information, scattered notes across multiple computers, weak password management, and an inability to maintain data relevance. A simple checklist is provided: establish a secure setup (browser, VPN), define the scope of the investigation, meticulously gather and verify sources (triangulation), analyze using appropriate tools, report findings systematically, and finally, clean up all digital traces. Crucially, a 'canary token' mechanism can alert operators if their data is being accessed by unauthorized parties.
The presentation concludes with a review of historical OPSEC failures: John McAfee's geolocation leak (2012), ISIS command post destroyed due to a selfie's metadata (2014), soldiers exposing base outlines via fitness apps like Strava (2018, 2023), and Russian GRU agents identified through passport and vehicle registration data (2018). These high-profile cases underscore the consistent nature of OPSEC vulnerabilities. Polish examples include Facebook admin revelations, ministerial email leaks, ALAB Laboratories data breach, and errors by public figures (politicians, local councilors) using personal or insecure channels, highlighting that no sector is immune to these mistakes.
Tomasz Turba wraps up the presentation by reiterating that OSINT is an excellent entry point into cybersecurity and that OPSEC skills are essential. He emphasizes that 'who sees more, wins' and 'who cannot hide, loses before they even start.' A comprehensive checklist for OSINT actions (before, during, and after) and a list of recommended tools are provided. The session ends with a lively Q&A segment, addressing questions about secure communication, anonymity, and practical OSINT applications. He invites viewers to his next session for further discussion.