The OSINT and reconnaissance landscape is beginning to face some challenges. Current valuable sources such as open sourced lists are already facing offensive and malicious data poisoning.
Privacy laws are creating barriers in many areas, and court rulings are levying increasing fines for playing fast and loose with user data privacy. Social media companies are starting to realize that they actually need to start making profits, and are restricting their data. Sites are aggressively combating web crawling, and services like TOR and VPN face uncertain futures. The list of potential hurdles to the future of OSINT and recon seems grim.
But fear not. There is still hope - and plenty of it.
This presentation will discuss both the challenges and changes to both offensive and defensive reconnaissance that the presenter believes we will see in the future, and strategies that will help mitigate or enhance these changes.
Institutions of higher education are supposed to be somewhere that students go, earn a degree, and leave, all while their data is safe. Or is it?
In this talk, I discuss the gaping security holes left by FERPA (Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g; 34 CFR Part 99) with regard to student data.
Almost all student data, with the exception of grades and select demographics picked by each institution, are commonly listed as directory information that is available to anyone who asks. Add to this that most institutions of higher education commonly practice automatic “opt-in” for Directory Information and require students to specifically request that their information be withheld. This leads to an OSINT opportunity ripe for abuse.
However, that is not the only issue. Due to a loophole in the way medical records are handled at institutions of higher education, these records can lose almost all protections and become classified as Directory Information. I show examples of how easily this information can be retrieved from several institutions and what sort of information is available from many institutions.
At the conclusion of the talk, I illustrate the various ways this information can be potentially used against a victim or in the construction of a false identity.
This practical talk is about using OSINT techniques and tools to obtain intelligence from source code. By analyzing the source code, we will profile developers in social networks to see what social networks they use, what they are saying, who they follow, what they like and much more data about them.
We will use well-known tools and custom Python scripts to automatize the parsing of source code, analyzing comments for behavior and sentiments, searching for OSINT patterns in code and fingerprinting developers in social networks, among other things. The collected data will be plotted in different visualizations to make the understanding of information easier.
The objective of the talk is to introduce attendees to OSINT tactics they can use to collect and analyze data, use the right tools and automatize tasks with Python scripting. For this example we have targeted developers and their projects.
Come and learn some OSINT tricks you can apply to collect and analyze data!
Everyone has probably heard about orchestration and automation tools in DFIR, but what if we took the same concepts from DFIR and applied them to OSINT? In this talk we will discuss how to use DFIR tools and concepts for reconnaissance, investigations, and OSINT data gathering.
We will work through an automated playbook to gather evidence on things like domains, organizations and people, then discuss using integrations like Intrigue.io, Pipl, DataSploit, and more, all in parallel, and finally wrap up by storing the evidence, contacting, liberating and helping others by responding with the evidence, or simply just having some fun.
Whether you do wide scope pentesting or bounty hunting, domain discovery is the 1st method of expanding your scope.
Join Jason as he walks you through his tool chain for discovery, including subdomain scraping, bruteforce, ASN discovery, permutation scanning, automation, and more!
Once upon a time, I saw this tweet from Kenneth Lipp: https://twitter.com/kennethlipp/status/848566661384990722
In summary, the tweet is about an AT&T program available to law enforcement meant to make burner phones meaningless. Even if someone switches phones, if their pattern of behavior (both in terms of contacts and call locations) stays the same or similar, AT&T can determine that it's the same person simply using a new phone.
This seems like a great teaching opportunity! Attendees at this workshop will build the same analytics as AT&T does, using Python on some "phone metadata" created just for you to play with.
You'll be able to find burner phones in the mess, and hopefully learn some fun network analysis, machine learning, and Python programming skills along the way!
What's more fun than discovering vulnerable and attack-worthy systems on the internet? Come join us for live demos!
Intrigue is a powerful and extensible open source engine for discovering attack surface. It helps security researchers, penetration testers, bug bounty hunters, and defenders to discover assets and their vulnerabilities.
During this session, we'll demo Intrigue and talk through architecture, with focus on recent areas of improvement such as meta-entities and discovery automation strategies.
With 313 million active users and approximately 500 million Tweets sent per day, Twitter has plenty of low-hanging fruit ripe for OSINT picking.
Learn from an experienced information professional how to craft advanced searches to retrieve data from this popular social media platform. Understand the search commands that Twitter uses, tips and techniques for extracting data, examine some of the lesser-known features of Twitter, and get a glimpse of some of the resources that work in conjunction with Twitter to help you better organize all the information you will retrieve.
While you may know how to write scripts and scrape data from Twitter, this session will focus on the GUI which can retrieve much older data. This session is not how to Tweet better, get more likes, or even how to get verified.
This is all about searching for and extracting information from Twitter and its associated sites. You will come away from this session with a better understanding of how to use Twitter as a research tool.
Tinder. The Final Frontier. Pick gorgeous (or not so gorgeous) members of your desired sex with the tip of your finger, at the comfort of your sofa, your bed, and let’s admit it - your toilet seat...
Research shows that there are 50 million active users on Tinder, who check their accounts 11 times per day and spend an average of 90 minutes per day on the app. Even celebrities, it seems. [Marie Claire]
In the name of Science, I decided to sacrifice myself and delve into the world of Tinder Dating. At first, I was detecting patterns in photos, in poses, in language and in attitude, all over the world! But suddenly something else showed up on my radar: Bots. And not just one - I was being surrounded. Imagine the heartbreak of matching 7 gorgeous women in a Scandinavian capital, only to discover that not only were they in reality bots, but they actually had an agenda!
In this talk I’ll describe the research, how I came to discover that Bots were not an isolated case, and how I uncovered the pattern behind generating the profiles. I’ll also break down the infrastructure behind the operation, and show who’s behind a campaign that spanned multiple countries and continents.
I’ll give multiple examples, from Tinder as well as from other platforms, of how bots operate under the radar of the site owners and carry out their agenda.
Ever wonder what your app is up to? In this talk we focus on discovery methods for mobile applications. iOS App security is a hot topic these days.
However, due to lack of tutorials and documentation, the bar to entry is still very high.
In this presentation we will try to bring the bar down by exposing internals of CHAOTICMARCH, an automation tool, and techniques for instrumenting and observing Apps’ activities.
I was able to create a proof of concept application that scrubs a recreation of the Ohio Voter Database, which includes first name, last name, date of birth, and home address, and links each entry confidently to its real owner's Facebook page.
By doing this I have created a method by which you can use the Voter Database to seed you with name, address and DOB, and Facebook to hydrate that information with personal information.
My application was able to positively link a voter record to a Facebook account approximately 45% of the time. Extrapolate that out over the 6.5 million records in my database and you get 2.86 million Ohio resident Facebook records.
OSINT can be one's worst enemy or best friend, depending on what angle the person is looking at it from. This introduction level workshop will start out discussing the basis of OSINT then transition into applicable use case scenarios. Once we have a sound foundation in OSINT, we’ll start to work on some collection considerations and techniques.
In terms of tools used in this presentation, the list is somewhat fluid based upon the advancement of other tools, social media platforms, or other variables. Tools intended to be highlighted are: OSINTFramework.com, Inteltechniques.com, Buscador Linux, Recon-ng, Datasploit, APIs (Twitter and possibly Facebook; maybe others), haveibeenpwned, Cree.py, whois, persona generator, and others.
Depending on your position, this talk will either arm you with the right tools to build better OSINT engagements, whether for phishing or other investigations, or educate you on steps you can take to better secure yourself.
Back in 2016, the way the Facebook mobile application implements content through "Instant articles" was very new.
A user can view content from third parties directly in the Facebook platform without needing to open the browser, for instance. This content can also be shared, saved, opened in browser and so on.
In this talk, we will share how these Instant articles, and the way they were shared, led us to the possibility of accessing Facebook accounts, and how through internet searches this became a huge problem! We'll discuss how we identified the issue and how it was tested, reported, fixed and rewarded, and we will also talk about a new attack vector for further research.
Recon is an important phase in Penetration Testing. But wait, not everyone does that because everyone's busy filling forms with values <script>alert(1);</script>.
Effective recon can often give you access to assets/boxes that are less commonly found by regular penetration testers. The internet is one of the best ways to find such hosts/assets. There are a bunch of tools available on the internet which can help researchers to get access to such boxes.
Is reverse-IP really useful? Is dnsdumpster the only site that can give a list of sub-domains? What if I told you there are many different ways which, combined together, can give you effective results? What if I told you I have got access to many dev/test boxes which should not have been public facing?
In this talk, the speaker will demonstrate a few effective techniques with which researchers/pen testers can do better information gathering. The speaker will also share many stories which allowed him to earn some bounties using these recon techniques. These techniques might also be useful to red teams/incident response teams to identify rogue devices in their organisation which are often missed out during normal penetration testing.
These might not be "best practices" but are definitely "good practices" and "nice to know" things while doing Penetration Testing. Plus, the speaker will not just use a presentation but will try to pray to the demo gods for some luck. There will definitely be some direct and key takeaways for most attendees after the talk.
This talk covers skip tracing TTPs and countermeasures in the digital and human domains. The audience will be guided through two real world examples of how a regular citizen can use open source tools, exploits, and social engineering to assist law enforcement and profit.
Some examples include phishing websites tailored to a fugitive’s resume, geolocating a target through video game clients, and using social media meta-data to build pattern-of-life.
As the audience is moved through the process step by step, online and offline countermeasures such as USPS forwarding, false resume writing, and secure communications will also be covered.
In this talk I will give a brief introduction to phonetic algorithms and how they can apply to gathering recon and searching through social media data.
I will then demonstrate applying these techniques to a US Census dataset, and generate a searchable dataset capable of suggesting alternative spellings and pronunciations of names.