Conducting Old School OSINT
A man bumps into you in a crowded café and almost immediately his eyes light up. You raise your eyebrows as he says your name, before telling you he used to be your neighbor back when you were a child, living in the house next door to yours. He remembers when your father built the addition on the house and the fact that you won an award for community service in third grade. He even remembers the year you moved, when your parents sold the house shortly after the recession.
You’ve never seen this man in your life, but he seems to know you. He asks you how work is going, and you tell him about your job working security at the bank, thinking nothing of it. After all, you must know him, right? How else could he know so much about you?
In a previous blog post, we discussed the history of open-source intelligence (OSINT) and how this field can be split into two lanes: old school OSINT and new school OSINT. In this context, old school OSINT refers to information and intelligence that can be easily accessed and collected before the digital age, such as public records, newspapers, and broadcasts.
Before the internet, collecting information through open-source intelligence was much trickier. It required tenacity and parsing through hours of extraneous details to find the one name, location, or date one was looking for. It could even require travel, such as searching town records, only held in a town hall on the other side of the country. Things like newspapers, land deeds, and broadcasts were allowed to be accessed by any member of the public, but that did not mean they always could be easily accessed.
Now, however, with the internet, the process has been streamlined. In Massachusetts, for example, an online portal gives researchers a way to request access to a subject’s birth, death, and marriage certificates, with only a few restrictions for subjects born to unwed parents. The use of sites such as netronline.com has also streamlined the process of accessing public records, property data, and environmental records.
In the case of your would-be neighbor, he found your parents’ property records online, combing through data on their mortgage and the deed’s history. He even searched through old newspaper archives stored carefully online by your public library to find the small article about your elementary school award.
All of this, so that he could get you talking about security at your bank. After all, you’d be more willing to open up to an old neighbor.
As discussed in the previous blog post , we reviewed how limiting the number of public records available on you or your organization can be difficult, as often these same records exist for legal and transparency purposes. It is important to remember that just because someone knows where you live or where you work doesn’t mean they’re a legitimate party. Whether it’s through email, phone, or in person, you must verify these individuals as you would anyone else , even if they seem to know everything about you; otherwise they could be phishing.
