The role of OSINT in Modern Cybersecurity – Interview with Ricardo Silva
Welcome to another episode of “Osom to Know,” where Maciej Nowak delves into the intricate world of cybersecurity with his guest, Ricardo Silva.
Ricardo is a security consultant from Portugal with over 11 years of experience in both the military and law enforcement sectors. His current focus is on assessing and testing organizational security efforts from an offensive perspective, replicating the tactics, techniques, and procedures utilized by real-world threats. He specializes in physical security and Open Source Intelligence (OSINT) investigations, helping organizations identify and mitigate potential vulnerabilities before they can be exploited.
In this episode, we explore the critical role of reconnaissance in cybersecurity operations, the nuances of Open-Source Intelligence (OSINT), and the often-overlooked vulnerabilities present in workplaces, particularly larger offices and hospitals. Ricardo takes us through the importance of balancing security with functionality, especially in platforms like WordPress, and emphasizes the need for robust security practices, both online and physical. Tune in to gain insights on everything from password policies and data protection to innovative penetration testing methods, including the use of drones. Stay with us as we uncover practical tips and best practices to fortify your cybersecurity posture in an increasingly digital world.
Cybersecurity FAQ
How Important is Reconnaissance in Cybersecurity?
Reconnaissance, or information gathering, is the first step of any military, law enforcement or penetration-testing operation, and of any real attack. Ricardo Silva's point is that the signs of reconnaissance are themselves an incident: someone photographing entrances, badge readers or employees, a stranger lingering in a lobby with a laptop, or unusual probing of a website that has not yet reached the admin panel. Recognizing these signs early gives a business the chance to prepare a response before the actual attack lands.
What is Open-Source Intelligence (OSINT) and Why Is It Crucial?
Open-Source Intelligence (OSINT) is the collection of publicly available information about a target, so that an attacker, or a tester replicating one, works from facts rather than assumptions. Silva stresses that attackers review hundreds or thousands of candidate targets and pick the ones whose passive footprint already gives them enough to succeed: a website that discloses its software version, or personal data leaked in earlier breaches. OSINT is therefore a fundamental part of planning an attack, and reviewing your own footprint is a cheap way to see what an attacker sees.
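As an added example (not code from the podcast, from WordPress or from Ricardo Silva's company), here is the kind of check an OSINT pass makes against a site's HTML before anything is touched. The sample page, the plugin name 'example-forms' and the version numbers are constructed for the example:

```python
"""Added example: spot the version disclosures an OSINT pass picks up from a
WordPress page's HTML. This is not code from the podcast or from WordPress; the
sample page below is constructed, with a made-up plugin name."""
import re
from html.parser import HTMLParser

# Constructed sample page (not a real site). The generator tag and the ?ver=
# query strings on core/plugin assets are the usual WordPress giveaways.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-content/plugins/example-forms/style.css?ver=2.1.0" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body><p>Hello</p></body></html>"""

_VER_PARAM = re.compile(r"[?&]ver=([0-9][0-9A-Za-z.\-]*)")
_CORE_VER = re.compile(r"WordPress\s+(\d+(?:\.\d+)*)")


class _DisclosureParser(HTMLParser):
    """Collects (kind, value) pairs for each version-bearing tag attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator" and a.get("content"):
            self.findings.append(("generator-meta", a["content"]))
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else ""
        m = _VER_PARAM.search(url) if url else None
        if m:
            # The path tells you whether this is a core asset or a plugin/theme asset.
            kind = "core-asset-ver" if "/wp-includes/" in url else "plugin-or-theme-asset-ver"
            self.findings.append((kind, m.group(1)))


def find_version_disclosures(html: str):
    """Return every version disclosure found in the page, in document order."""
    p = _DisclosureParser()
    p.feed(html)
    p.close()
    return p.findings


def wordpress_core_version(html: str):
    """Return the WordPress core version claimed by the generator tag, or None."""
    for kind, value in find_version_disclosures(html):
        if kind == "generator-meta":
            m = _CORE_VER.match(value)
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    for kind, value in find_version_disclosures(SAMPLE_HTML):
        print(f"{kind:28s} {value}")
    print("core version:", wordpress_core_version(SAMPLE_HTML))
```

Run it and it lists three disclosures: the generator meta tag, a plugin asset carrying its own version, and a core asset carrying the jQuery version. Removing the generator tag in WordPress is one line in a theme or must-use plugin, `remove_action('wp_head', 'wp_generator');`, but the `?ver=` query strings and the `readme.html` file in the web root still leak versions unless they are handled too, which is why a check like this should run against the live site rather than trusting the configuration.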
How Does Physical Penetration Testing Work?
Physical penetration testing assesses whether an attacker can get past the physical controls (guards, doors, badge readers) and reach sensitive areas, documents or network ports. Ricardo Silva describes common tactics such as tailgating through a door someone else opened, relying on a confident cover story, and simply sitting in a waiting area with a laptop without ever being challenged. In one technique he describes, testers open the case of an RFID badge reader, implant a small device that captures the credentials of everyone who badges in, and later replay a captured credential from a phone to open the door themselves.
What Should Incident Response Include?
An incident response plan should cover log review, forensic work, staff interviews, CCTV review and a check of physical access control records, and it should be triggered as soon as reconnaissance is spotted, not only after a break-in. Staff must know what counts as suspicious, where to report it and to whom, and someone who understands the reports must actually review them; in small businesses that person is often also wearing five other hats. The host observes that an attacker could exploit this by creating several incidents at once and tying staff up in log reviews, which is another reason the process has to be planned rather than improvised.
How Can Drones Be Used in Penetration Testing?
Silva uses drones for two things in physical penetration tests: gathering intelligence about a building's wireless access points (wardriving from the air), and carrying a Raspberry Pi that runs a rogue access point over an area such as a smoking lounge, so that employees connect to it and hand over credentials even when the tester cannot get inside. He reports that in most cases a security guard who notices the drone does not report it. Employees should treat a "free Wi-Fi" network that suddenly appears under the company's name as a security incident, and guards should be trained to report drone sightings.
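The "free Wi-Fi under the company's name" case above is something employees can be taught to spot, but it can also be checked mechanically. The following is an added example, not the podcast's or Silva's own tooling: it triages a wireless scan against a hypothetical corporate inventory ('AcmeCorp', its SSIDs and the BSSIDs of the access points it owns are all made up) and flags both an evil twin (our SSID on a radio we do not own) and a lookalike SSID:

```python
"""Added example (not from the podcast): triage a Wi-Fi scan for an evil twin
or lookalike of the corporate SSID. The inventory and the scan are constructed;
'AcmeCorp' and every BSSID below are made up."""
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str      # AP MAC address as reported by the scan
    security: str   # "OPEN", "WPA2-PSK", "WPA2-Enterprise", ...


# Hypothetical corporate inventory: the SSIDs you broadcast and the BSSIDs of
# the access points you own. Anything else using your name is not yours.
COMPANY_TOKENS = ("acme",)
KNOWN_SSIDS = {"AcmeCorp", "AcmeCorp-Guest"}
KNOWN_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}


def _norm(s: str) -> str:
    """Lowercase and drop punctuation/spaces so 'Acme Corp WiFi' ~ 'acmecorpwifi'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify(net: Network) -> str:
    """One of: 'known', 'evil-twin', 'lookalike', 'ignore'."""
    n = _norm(net.ssid)
    exact = net.ssid in KNOWN_SSIDS
    resembles = any(t in n for t in COMPANY_TOKENS) or any(
        difflib.SequenceMatcher(None, n, _norm(k)).ratio() >= 0.8 for k in KNOWN_SSIDS
    )
    if net.bssid.lower() in KNOWN_BSSIDS:
        return "known"
    if exact:
        # Our name, not our radio: the classic rogue AP / evil twin.
        return "evil-twin"
    if resembles:
        return "lookalike"
    return "ignore"


def triage(scan):
    """Return [(ssid, bssid, verdict, security)] for every network that needs a look."""
    out = []
    for net in scan:
        verdict = classify(net)
        if verdict != "ignore":
            out.append((net.ssid, net.bssid, verdict, net.security))
    return out


# Constructed scan result, e.g. what a phone or laptop sees from the smoking area.
SAMPLE_SCAN = [
    Network("AcmeCorp", "00:11:22:33:44:55", "WPA2-Enterprise"),
    Network("AcmeCorp", "de:ad:be:ef:00:01", "OPEN"),            # same name, unknown radio
    Network("AcmeCorp Free WiFi", "de:ad:be:ef:00:02", "OPEN"),  # the lookalike staff were told to report
    Network("Cafe-Guest", "aa:bb:cc:dd:ee:ff", "WPA2-PSK"),      # the neighbours: not ours, not our name
]

if __name__ == "__main__":
    for row in triage(SAMPLE_SCAN):
        print(row)
```

The ordering matters: a BSSID you own wins over everything else, an exact SSID match on a radio you do not own is the strongest signal, and a fuzzy match is only a "look at this" verdict, since a neighbouring business with a similar name will trigger it. Pair the verdict with the security column; an open network carrying the corporate name is exactly what a rogue access point on a drone would look like.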
Why is Security Awareness Essential?
Continuous education and awareness are crucial for both technical and physical security teams to address emerging threats effectively. Silva stresses that understanding attacker motives, recognizing suspicious behavior, and knowing how to report incidents accurately are vital components of a comprehensive security strategy.
How Can Strong Password Policies Impact User Behavior?
Balancing strong security policies with user convenience is hard. Silva's example is the password policy that forces frequent resets: users respond by keeping the same base password and incrementing the digit at the end (IAmTheGreatest1234 becomes IAmTheGreatest12345), or by writing a phrase from a book on a post-it stuck to the screen or under the keyboard. The policy looks strong on paper while the real entropy barely changes, which is why Silva now asks developers and users why they work around a control before prescribing a stricter one.
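One way a system can refuse the "IAmTheGreatest1234 becomes IAmTheGreatest12345" workaround is to compare the new password with the previous one at change time, when the user has just typed both. The following is an added example, not code from the podcast or from any specific product; the 12-character minimum, the leet-speak table and the edit-distance threshold of 2 are assumptions chosen for illustration:

```python
"""Added example (not from the podcast): a password-change check that rejects
the 'same password, next number' pattern Ricardo describes, including the
leet-speak variant of it. Thresholds below are assumptions, not a standard."""
import re

# Common substitutions users make to satisfy a "must contain a digit/symbol" rule.
_LEET = str.maketrans("@$01!3", "asolie")


def _stem(pw: str) -> str:
    """Core of the password: lowercase, trailing digits/symbols removed, leet undone."""
    s = pw.strip().lower()
    s = re.sub(r"[^a-z]+$", "", s)     # "iamthegreatest12345" -> "iamthegreatest"
    return s.translate(_LEET)          # "1amth3gr3atest"      -> "lamthegreatest"


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean the two stems are near-identical."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reject_reason(old: str, new: str, min_len: int = 12, max_distance: int = 2):
    """Return why `new` must be refused given the previous password, or None if it passes."""
    if len(new) < min_len:
        return "too short"
    if new == old:
        return "unchanged"
    so, sn = _stem(old), _stem(new)
    if sn and sn == so:
        return "only the numeric/symbol suffix changed"
    if min(len(so), len(sn)) >= 4 and (sn in so or so in sn):
        return "new password contains or is contained in the old one"
    if levenshtein(so, sn) <= max_distance:
        return "too close to the previous password"
    return None


if __name__ == "__main__":
    old = "IAmTheGreatest1234"
    for candidate in ("IAmTheGreatest12345", "1AmTh3Gr3atest!!", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {reject_reason(old, candidate) or 'accepted'}")
```

Stored hashes cannot be compared this way, so the check only works at change time while both values are in hand; that is also the only moment a policy can explain to the user why the increment was refused, instead of silently teaching them to work around it.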
What to Do if There’s a Data Leak?
Once data has leaked you cannot un-leak it; the useful responses are to limit the damage and to prepare for the follow-on attacks that leaked data enables. The episode discusses the impact of an attack on a Portuguese city council and stresses the need for data protection policies and legal awareness. Affected individuals and organizations should secure the data they still hold, assume the leaked details will be used in later phishing or impersonation attempts, and watch for them.
What Are the Legal and Financial Implications of Data Breaches?
Data breaches can lead to serious legal and financial repercussions. Silva mentions cases like British Airways facing fines for GDPR violations following a data breach. These incidents affect both the finances and reputation of the organizations involved, underscoring the importance of robust cybersecurity measures and compliance with data protection laws.
How Can Individuals Protect Their Personal Data?
Individuals should use strong, unique passwords, be sparing with the personal data they hand out, and avoid clicking suspicious links. Silva recommends services like ProtonMail that let you create multiple email addresses or aliases, so that one leaked address does not expose every account. Periodically reviewing what you have published online in the past helps you spot information an attacker could use.
Maciej Nowak [00:00:00]:
Hello, everyone. My name is Maciej Nowak, and welcome to the Osom to Know podcast, where we discuss all things related to building a great website. And as security is only increasing in importance these days, we will talk about it from a different perspective than the usual website security angle. My today's guest is Ricardo Silva, ex-infantryman and a special forces officer fighting drugs and organized crime. Now, why do we talk with Ricardo? Because he's specialized in cybersecurity and physical pen testing, and in this conversation he shares his experience in these areas and gives plenty of ideas on what the blind spots are in the security of your company, digital and physical. I think we'll have to record a sequel to get even more out of Ricardo.
Maciej Nowak [00:00:46]:
If you don't want to miss new episodes and keep learning more about WordPress and security, subscribe to the Osom to Know newsletter at osomstudio.com/newsletter. And this is osomstudio.com/newsletter. If you are just on YouTube, give us a thumbs up. This means the world to us. Without further ado, please enjoy my conversation with Ricardo Silva.
Lector [00:01:17]:
Hey, everyone. It’s good to have you here. We’re glad you decided to tune in for this episode of the Osom to Know podcast.
Maciej Nowak [00:01:24]:
Hi, Ricardo. Long time no see.
Ricardo Silva [00:01:28]:
Hello. I believe it was, like, 3 months ago we saw each other. 4 months, probably.
Maciej Nowak [00:01:34]:
Yes, yes. On or during, during. Yeah. Ricardo, I don't ask this to many guests, but for you I would make an exception. Can you tell us a little bit more about yourself, what you are doing now, what you've been doing until now?
Ricardo Silva [00:01:53]:
Okay. So my name is Ricardo. I'm from Portugal. As you can see by my English, I'm not a native English speaker. I started as an infantryman in the Portuguese army, and then I made my way into a police force, where I used to work at a special weapons and tactics team, a unit that's responsible for fighting against illegal drug smuggling and also organized crime. Okay? And for the last few years, I've noticed that in cybersecurity, in security in general, there was a place for this type of set of skills, to use this type of planning and to get your skills to work towards a safer environment. So I'm starting my own company that focuses on doing that, specifically on offensive cybersecurity and physical security. So that's where I am right now.
Maciej Nowak [00:03:02]:
Alright. And how did you come to, you know, visit WordCamp Porto? It's, like, you know, a WordPress-centric event, a WordPress-only event. And how does an ex, you know, soldier, ex, you know, special
Ricardo Silva [00:03:17]:
law enforcement.
Maciej Nowak [00:03:19]:
Exactly. Oh, yeah. Okay. There's a distinction. And a guy undercover fighting drug warlords is, you know, suddenly at a WordPress conference.
Ricardo Silva [00:03:33]:
Yeah. The thing is, one of the things I noticed while starting to work in cyber is that, as you may know, and I don't know if your listeners know, offensive cybersecurity has several areas, one of them being web application. And when it comes to web application, I've noticed that most small and medium businesses resort to WordPress, and use WordPress to run their websites, to run their ecommerce, and so on. So I figured, if you want to work with web app penetration testing, what's the best place to start? Probably start focusing on small and medium businesses that might require your help. One of the things that I realized is that programmers and developers are not very security aware, and one of the things that I wanted to do was to try to get to them and try to figure out how they think, and when they are building and developing a platform for ecommerce on WordPress, for instance, like you asked, what is on their mind? What are they thinking when they are developing? What is their goal? And how can I get a middle term between security and their own objectives? So that's why I went to WordCamp, to get to talk to developers and talk to them a bit about security, get to know what they know about security. And one of the things that we talked about when I was there is that developers are not very aware of security issues that they might encounter. So that's why I went there.
Maciej Nowak [00:05:41]:
And, you know, remarks after visiting WordCamp Porto: have you, like, you know, confronted your views with any, I don't know, freelance developers, plugin makers, agency owners? Like, any comments on that?
Ricardo Silva [00:05:57]:
Yeah. One of the things that I realized is that after WordCamp, it's easier for me to approach a company that has their website running on WordPress. That's just one of the things that made it easier, because now it seems like it's easier for me to figure out what developers want. So the thing is, you cannot have a level of security that's too high and that kind of seems like an obstacle to what developers want users to be faced with. Okay? So since WordCamp, and since I talked a lot with the developers, one of my takeaways is that security is a compromise between functionality and the effective protection that it's providing. And that's one of the really key points. Now when I'm talking to someone, I don't focus so much on, okay, so you are taking an approach that it's not secure at all. I try to understand why they are doing that.
Ricardo Silva [00:07:23]:
What is their goal? And is that compromising security? Because when you only work in security, you only consider one thing: what is safe. Okay? What is the safest path to achieve a goal? That's one of the things that, as someone working in security, you will think. The developer, no. The developer has a specific goal that he wants to fulfill. So there's, like, a commitment between effectiveness and the security level, or the security defenses that you will employ. So that's one of the takeaways I got from the
Maciej Nowak [00:08:06]:
So, to reiterate, to make sure I understand. So, see the discrepancy between, you know, coming from this security, let's say, space: you, a security expert, you think only about security, what is the most secure way of doing stuff. Yeah. Whereas the developer wants to achieve a goal, and security is not on the radar. So that's the discrepancy. Or is it like, when you are looking at that, is it like you are even maybe obsessed with that security? You know?
Ricardo Silva [00:08:41]:
One of the principles that you employ when dealing with security issues is risk mitigation. Okay? So, in simple terms, you list all of the things that could go wrong, and then you have measures to mitigate those risks. That's the main principle of risk management. So when you are working strictly in security, that's something that you almost only think about: mitigating risks. I'll give you an example, for instance. When you are doing a pen test and you come across a client, doesn't matter if it's an internal network or web penetration testing, and you come across a client that has a very weak password policy, as a security consultant or so on, one of the things you will advise your client is to have a really strong password policy. This is like the main role
Maciej Nowak [00:09:55]:
No brainer.
Ricardo Silva [00:09:55]:
Main guideline. Yeah. The no-brainer. The thing is, we usually advise to have really good and strong password policies. What this leads to is that the users will resort to weak passwords again. They will have, like, for instance, instead of having "I am the greatest 123" with a capital letter, they will do something to keep a weak password. Like, for instance, to give you a good example, "I am the greatest 1234".
Ricardo Silva [00:10:33]:
The next time you reset the password, you will have "I am the greatest 12345". You won't follow procedures. You will follow the same thing. So when you create really strong security policies, you will compromise the effectiveness of probably the website or so on. And when dealing with users, if you create really strong policies, users will try to figure out a way to go around that policy to make it easier for them. So it's like a compromise between effectiveness and being secure.
Maciej Nowak [00:11:16]:
It's like the level of security is getting in the way of being effective. Right? So this is what you were saying at the beginning of the conversation. So the users will compromise the security because, you know, every user is lazy. No? It's just the natural way of, like, humans.
Ricardo Silva [00:11:39]:
Something that you really come across in workplaces that have a really strong password policy is that users usually use, for instance, phrases from a book or so on, and they have them on Post-its on their screen or underneath their keyboard.
Maciej Nowak [00:11:58]:
But it's like a meme. You know? This sounds like a meme. You know? You can only think about
Ricardo Silva [00:12:04]:
It’s a human condition. It’s a human condition.
Maciej Nowak [00:12:06]:
But have you come across such situations?
Ricardo Silva [00:12:09]:
In a in a physical pen test.
Maciej Nowak [00:12:11]:
Yeah. This is something I also wanted to touch base on. You know? Can you explain a little bit more for our listeners what physical pen testing is? Because, you know, most of the time we are developers, and pen testing means, you know, getting into a website. Now, what's physical pen testing?
Ricardo Silva [00:12:27]:
Okay. The thing is, like I was saying before, penetration testing has lots of areas, and one of them is physical pen testing. As cybersecurity has been evolving, it's becoming harder for attackers to do an outside attack on a company. So one of the things that's usually not as secure as the digital, the cyber environment, is the physical world. A physical pen tester is someone who will try to break physical control measures to get inside the place and access some type of information. It can be physical information like documents, it can be goods, items that are sensitive for a company, any type of assets that the company is protecting. One of the things that is more common, and that companies usually like to focus more on, is the physical access to ports in server rooms and so on. Okay? That's usually a type of concern that companies have.
Ricardo Silva [00:13:51]:
But a physical pen test may be as simple as getting through the front door of a company without being detected by the security guards. You can do it covert. You can do it overt. There are several types of operations that you can develop.
Ricardo Silva [00:14:12]:
The main goal here is to get across that barrier that is supposed to protect physical assets and digital assets within the physical world.
Maciej Nowak [00:14:26]:
Let's think about an agency. What we are coming across is, for example, clients wanting us to fill out a questionnaire. And there are many questions regarding physical security of the business. Like, you know, what are the protection measures of the premises, if there's monitoring and stuff like this. This is part of, for example, certification, ISO certification. I have a feeling it's neglected, that you go around an office building with many offices, and I have a feeling this is not very seriously taken. Especially the bigger the office, the more, you know, anonymous people can, you know, wander around; the bigger, the worse. So I'm curious to know what you have come across in your work that is screaming in your face as a security person, that's, for example, easy to get covered.
Ricardo Silva [00:15:25]:
I can give you some examples, some general examples, but that will join some real things. The thing is, for instance, take a hospital. Okay? A private hospital or a public hospital. The thing is, health care providers have lots of sensitive information within. Why is this information critical? Because something like your home address, or even your service providers and so on, are things that you change during your life. Your health data, your date of birth, your medical conditions, those pieces of your information will remain the same throughout your life. Okay? So health care providers are nowadays a target for cybercriminals. Okay.
Ricardo Silva [00:16:24]:
Physical world. One of the things that you will notice, and this is part of an engagement, we call it an engagement when you're doing a pen test. So one of the things that you will notice is that private companies that run security on premises, security guards that are hired to be there, have no idea of what cyber is. The thing is, you can have a guy walking around the premises with a huge antenna on his backpack, or just sitting down in a waiting area with a laptop on his lap filled with stickers that say "I am a hacker", and you won't get reported. You won't get checked, because security personnel don't have any type of idea of what might look suspicious to them. Okay. Another real example, and this is proven.
Ricardo Silva [00:17:28]:
You can have photographs of an individual, of a guy sitting inside. This is for a pen test. You then present them in the report. You have those photos that say, you had the guy sitting in your waiting area, he was with a laptop, and he wasn't approached by anyone from the security team. Another example: one of the techniques that you use in physical penetration testing is the so-called tailgating, where you wait for someone to open the door and then you just go, hold that door for me, and you get in after that person. No one asks you anything. If you have a good cover, if you have a good attitude, if you are confident with the way you are doing things in a simple operation, you will get through those doors, and you will be able to access areas that you aren't supposed to. The same within companies. And you might think, okay.
Ricardo Silva [00:18:25]:
So you are talking about the hospital. A hospital is something that has lots of people coming in and out. Yeah, it's true. But if you are talking about an IT company, and we are talking about medium and larger companies, because if you have, like, a smaller studio or a small company, it's harder to get inside and not be noticed. But when you get to a bigger IT company, you can still go through the front door, talk to the security guard, have a drone. I have a drone right here. One of the things is, this drone has equipment on top that lets me wardrive and get intel about the access points on the building. One of the things that we test is, when we are flying a drone above an area or a lounge area where employees are smoking and so on, if someone is going to report that.
Ricardo Silva [00:19:23]:
And in 90% of the cases, even when a security guard notices that there is a drone over there flying, he won't report that issue. Mhmm. It's important for everyone on the security team, and even CISOs and so on, to know that this is a security incident. They might need to check on this.
Maciej Nowak [00:19:47]:
Yeah. I'm curious about the drone, because this is very interesting. Drones are getting more and more popular. Why would a guard notice this as a security incident, and what would be the consequences of, you know, all that incident?
Ricardo Silva [00:20:02]:
Okay. So in penetration testing and physical penetration testing, we use drones for 2 things. This is like a kind of hybrid area of penetration testing. There's the technical standpoint of it: not only breaking in, but exploiting. What can I use a drone for? I can use the drone with a Raspberry Pi to create a rogue access point and to place that access point at the point of my leverage, if I cannot get into the premises, and get employees to connect to my access point.
Maciej Nowak [00:20:34]:
So you're, like, creating a Wi-Fi hotspot with, I don't know, with a battery pack, let's say, on top of a building, and you can cover the whole area. Right?
Ricardo Silva [00:20:45]:
I can cover the whole area, then I can try to get employees to connect to my access point and then try to get some credentials from that. For instance, something that should be reported is if you are on your break smoking a cigar and then you get a notification with the name of your company saying that free Wi-Fi is now available, because you get that on smartphones. For instance, in the name of your company: free wireless is now available. You should report that to your security personnel, because that's an issue. That might be an attack vector for criminals. Okay? You should report everything that is not usual. Okay? So, for instance, one of the things that, as a penetration tester, we do is with the RFID access cards.
Maciej Nowak [00:21:42]:
Mhmm.
Ricardo Silva [00:21:42]:
The most common ones that we find are from the brand HID. And I believe worldwide they are one of the most used ones. One of the things that you notice is that if you get to one of the access doors of the building, and it has a small reader for you to present your card and get in, it has a small RFID reader. If you start messing around with it and then open it, what we usually do is put a small chip inside that allows us to clone and then replay credentials. So we open it up, install our equipment, close it, and wait for people to get in. And one of the things that we can do after that is to replay that credential and also get our access in.
Maciej Nowak [00:22:38]:
You're skimming cards. Right? Card skimming, in
Ricardo Silva [00:22:42]:
fact. That's the principle. The thing is, you are not only copying the cards. You have the ability to replay them by connecting to a wireless access point on your cell phone. And then from my cell phone, I can replay the credentials and get the access. One of the things that we notice is, even if we take too much time installing the equipment and someone alerts the security guard, after we close the case of the RFID reader and leave the area, one of the things that the security guard will do is to get his card to open the door with his card. We get their credentials. They are not trained to look at their equipment, see if it has any anti-tampering screws and if it has been tampered with.
Ricardo Silva [00:23:39]:
They don't have enough knowledge. And this is common sense. It's a bit of training that you need to do with your security teams. You don't need to have technical knowledge, but just look at the equipment, see if there are any signs of tampering. Look at the screws. And if so, just don't present your card. Test the door. If the door works, close the door and go away.
Ricardo Silva [00:24:07]:
Report that incident. That's usually the incident. The first credential, if you get noticed during the, if you get caught during a pen test, the first credential you will get is the one from the security guard. And that's almost always the case.
Maciej Nowak [00:24:22]:
But then let's say no one reported that, and the security guard will use the card. And, you know, unless you know that the reader was tampered with, it means, what, you have to look around every reader? In fact, if you are on a, on, what? On, let's say.
Ricardo Silva [00:24:42]:
Yeah. The thing is, you should, and this is something that with my company is one of my goals, is to bring this kind of cyber knowledge to the everyday person, to the everyday Joe. Security is something that is transversal to all of the employees in your company, all of your staff. Everyone, even if they are from legal, from accounting, and so on, they should know about security, physical and cybersecurity. Okay? What we expect, and companies that have assets that are critical, what we expect from them is that they have incident response plans for this type of incidents. Okay? You cannot rely on the way that that specific person thinks in order to protect your company. You can get lucky and have a security guard that is willing to go across the perimeter, review all the CCTV footage, see if any of the CCTV cameras has been tampered with or is under denial of service. You cannot leave that to luck.
Ricardo Silva [00:26:05]:
Okay? Every security personnel on the ground has to follow the same guidelines when they notice something that isn't right. There can be a drone. There can be a stranger on premises. There can be something out of place. There could be a box placed somewhere near an Internet port or so on. They have to have guidelines to follow, and that's one of the things that, mhmm, we want to teach and to
Maciej Nowak [00:26:38]:
And what should a person do, in general terms? You know, when an incident, when strange behavior is observed. Like, obviously, that, you know, guy with a laptop, you know, spending too much time in the lobby, or whatever cases. Now it gets reported. And then what? How should the policy work?
Ricardo Silva [00:27:04]:
Well, the first thing, let's go stage by stage. The first thing is knowing how to identify what is suspicious behavior or not. The issue is that if staff members are not trained, they will start reporting things that don't have any meaning.
Maciej Nowak [00:27:26]:
Mhmm.
Ricardo Silva [00:27:27]:
Okay? If you start reporting a lot of things, with time passing by, you will look at those reports with lots of submissions, and you won't pay enough attention to every one of them. So when reporting, the staff member who is reporting needs to know what they are reporting about and what might be the implications of that. They don't need to know everything in technical terms, but they need to know what's the basis of that. If you have a report that says that there is a square cardboard box in the middle of, or near one of your doors, probably the person who is responsible for looking at the report will think, okay, this has no interest. This guy is just reporting.
Maciej Nowak [00:28:33]:
A mess. A mess.
Ricardo Silva [00:28:35]:
Yeah. This is a mess. So the first thing is know what you are reporting, and know where to report and to whom to report it. And have, like, a way to channel all of those reports to the right place. People should report and should not be afraid to report, or to look stupid when reporting something. The main essential thing is, if people know what they are reporting about, they won't look stupid. Okay? So don't be afraid. Even if you are on the lower tier, a security guard, for instance, don't be afraid to report and to get your information to the top layers of your chain of command. The last step for me is to get reports to be reviewed by someone who really knows what they are looking at.
Ricardo Silva [00:29:30]:
Because one of the things, especially in small and medium businesses, is that the guy who is responsible for, the equivalent to a CISO, who is responsible for the security of the information, is also the same guy who is responsible for 5 more roles. Okay? So if you don't have time to focus on the specific task or on the specific issue, that will be the road to failure.
Maciej Nowak [00:30:00]:
Just, okay. You have the report. You read the report. Everyone reported the stuff. Reports got read. What now? Like, you know, it's already in the past. You know? Can you do anything about that?
Ricardo Silva [00:30:14]:
Okay. Okay. Yeah. I see what you mean. One of the things that you can do about that is to review logs. This is why training is very important, and I believe that 10 years from now, you will have a lot more people in cyber that know about this type of operations. The first step of any kind of military, law enforcement or even pen testing operation is reconnaissance. Okay? So if you detect someone suspicious on your premises, or taking photos of your employees, or of your access points, of your equipment, of your entries to your building, you might not have a cyber incident yet.
Ricardo Silva [00:31:01]:
However, you have an incident. You have someone who is gathering intel to perform something. If you're, for instance, in the web app realm, if you are noticing that you are having suspicious activity on your website, even if they are not breaking into your website and accessing your admin panel or so on, you should be cautious. You should be ready to respond to an incident. And that's the first step, because you might still be in time to avoid the incident. Okay? If your report is about something that has already happened, someone has entered your building and had access to one of your Internet ports or so on, you should review all of your logs.
Ricardo Silva [00:31:56]:
You have to do some kind of forensic work. You should follow everything, like reverse engineering an attack. You should review logs. You should interview your staff. Ask them if they saw anything suspicious. Review CCTV cameras. Review physical access control. Review everything.
Ricardo Silva [00:32:20]:
That’s what you should have in your incident response, even if it’s from an early stage: someone is doing reconnaissance on their target, on your company, or you are already under an attack.
Maciej Nowak [00:32:36]:
Ton of work. If you want to slow down the company, you know, create a couple of such incidents, and everyone will be, you know, scrambling, reading logs and not doing business. I’m also curious about OSINT, because when we talked in Portugal, you also mentioned, you know, how OSINT is important to gather information. Also, the war in Ukraine has shown how much stuff you can get from OSINT. But then, also, people, you know, unwillingly might be revealing information that can get them, I don’t know, maybe compromise is a bad word, but, you know, can reveal too much, you know, unwillingly, let’s say. So I’m curious about that.
Ricardo Silva [00:33:22]:
The difference with an offensive cybersecurity professional, a pen tester, and so on, the great difference is that you don’t rely on assumptions. You really test the systems. You don’t wait for them to be broken into to see, okay, what made them fail. One of the most important things that we do is to try to replicate the tactics, techniques, and procedures that criminals follow. Okay? So, one of the things that criminals do, we are talking about high-tier criminals, is not to waste their time on targets that are not worth it. Sometimes what cyber criminals do is to look at hundreds, thousands of targets and choose the ones that they are skilled to attack, that have revealed enough information from the passive standpoint to get enough information in order to successfully perform an attack.
Ricardo Silva [00:34:39]:
So that’s the real importance of OSINT. Like criminals do, offensive cybersecurity professionals, the first thing they do is to get as much intel on the target as they can. And that’s one of the main roles of OSINT: to give you enough information for you to plan your attack and not waste time in choosing attack vectors that might not be successful. For instance, we can talk about WordPress and something that is very present on WordPress websites. For instance, you get a lot of information about a target without even having to interact with that target. For instance, usernames, admin accounts, technologies. Version disclosure is something that we find critical.
Ricardo Silva [00:35:43]:
If I’m able to employ a tool on your website that is a passive tool, so that you won’t get a log that that tool was used, or if I’m able to look at the source code of your website and get the current version of your technologies, okay, that for us is a finding, an information disclosure. I am able to know what you are running, and I’m able to plan an attack. If, for instance, you don’t update one of your technologies in use on your WordPress website because of a compatibility issue or so on, I’ll be able to know that without you having the option to know that I’m looking at it. Okay? So OSINT plays a major role in that. In regards to general users, to the average Joe, one of the things nowadays is that if you don’t give consent when using a third-party app or service, if you don’t give consent to use some of your personal data, you’ll become excluded from the digital world. When you’re using Facebook, when you’re using Instagram, when you are using a simple face swap app on your cell phone, when you are using Sync.me, the application that lets you know who’s calling you, for instance, you are giving away some of your data, and the company that has that data is vulnerable to cyberattacks.
Ricardo Silva [00:37:25]:
Sometimes those companies are attacked and that data is leaked, and that becomes OSINT. Your personal data becomes able to be gathered through OSINT by looking at ransomware websites, by looking at data collection, data brokers. Okay. So OSINT is everywhere. You have lots of information about you, about your company, about everything. For instance, back to what we were talking about before, WordPress. One of the things that developers don’t consider a source of information are the license and the readme files of WordPress. Usually, when we cannot enumerate the version of a WordPress CMS on a website, what we do is look at the license and see what’s the date on the license, because you have, for instance, the initial date of WordPress and the latest update on the license.
Ricardo Silva [00:38:31]:
And developers usually don’t care about that. Almost 90% of the websites I’ve tested have the license available. And if you have an older version of WordPress, this, for instance, has the date from the last year, you’ll be able to know that that WordPress version is not patched. It’s not updated, so you can run an exploit against it. So this is also the ability to get a lot of information without interacting with your targets, from a passive standpoint.
Maciej Nowak [00:39:09]:
Yeah. That’s for WordPress. I’m curious, you know, for example, about, let’s say, personal attacks. Like, you know, you’re like a
Ricardo Silva [00:39:19]:
Okay. So about that. Yesterday, I was talking to a journalist who is interested in starting to give this type of training to journalists in Portugal, from a more passive state, with a more cyber-focused approach. The thing is, nowadays, a couple of years ago, when you were talking about those, people only considered, for instance, social networks. When you’re talking about personal information, getting personal information from open sources, people only remember, like, for instance, social media. Social media nowadays is harder to get information from. You can get a lot of indirect information.
Ricardo Silva [00:40:06]:
You can get places that are visited by the person and so on. What I believe is the most efficient way of getting information on the target, on the person, that criminals will use are data breaches. With lateral movement and access to data breaches, criminals can spearphish you. Spearphishing is one, I don’t know if your listeners know, when a phishing attack is directly targeted at someone, at you; there are some things that will only apply to you. By looking at, buying data from data brokers, looking at data breaches, criminals nowadays with open source intelligence, not even tools but techniques, because there’s a difference between the tool and the technique. A tool is temporary.
Ricardo Silva [00:40:58]:
You can use a tool today, and you won’t be using it tomorrow because it’s not available and so on. The technique is something that you will know, and you just look for the right tool to use it. So in personal terms, if you want, there’s not much that you can do to protect yourself, because it’s not your responsibility. You have, for instance, the town hall in your city. You have to give them your data. They have your address. They have your social identification number. They have all of your data.
Ricardo Silva [00:41:32]:
It’s their responsibility to protect the data. So if they are attacked, if they lose those assets, there’s not much you can do about it besides knowing how to look at an attack, observe an attack, see that that might be an attack, acknowledge that there is an attack, and protect yourself.
Maciej Nowak [00:41:56]:
Mhmm.
Ricardo Silva [00:41:57]:
You check sources. Don’t click on links. Go straight to, for instance, your home banking and so on, not using that link. Those are the only things you can do. In personal terms, let me just tell you that when it comes to persons, one of the things that is really useful, and I get this a lot not only in WordPress websites but in websites in general, is that you should strip the metadata out of everything you upload to your websites. From, for instance, a PDF file: if you upload the PDF file to your website, it will keep the author. It will keep the information about, for instance, the station where it was
Maciej Nowak [00:42:52]:
created.
Ricardo Silva [00:42:54]:
And the same applies with images. If you upload, for instance, photographs to your website and you don’t strip out the metadata, through OSINT tools you can extract all of that metadata, including the geographic location if you are taking a picture with an Android or with an iPhone that allows for metadata to be created. And by default, they do. So just a quick tip: if you go to your photo gallery and you have the location where the different pictures of your gallery were taken, there is metadata on your photo. If you upload that directly to a website, for instance, the website will keep the file with that metadata, and then the attacker can extract that information and geolocate you as a target. So those are some of the things that you can do in OSINT.
Maciej Nowak [00:43:54]:
Mhmm. What I find very interesting is that once someone who keeps your data like that, city council, let’s say, city hall, loses your data, it becomes publicly available for everyone, basically. So it becomes, maybe not public domain, but that public domain where you only have to buy this database on the black market. This is something that a person, like, maybe wouldn’t buy. Yeah. But, you know, it surprised me that this is so easy to get them.
Ricardo Silva [00:44:34]:
I can give you a practical example. So, like, 6 months ago here in Portugal, there was a city council in the north of Portugal that was attacked. It was attacked by a criminal group. And they published, I believe, 75% of that data. They extracted the PII, the personally identifiable information. They extracted some of it, including passports and so on. They were selling it for auction, and they had the rest of that data published. Okay.
Ricardo Silva [00:45:12]:
From that data, we as cyber professionals, and especially offensive cybersecurity, look at that data and see if, for instance, any of your clients is implicated in that data. If you have any of those long-lasting clients that you work with, 24/7 monitoring your cyberspace and so on, you manually look at the data and see what the implications are. For example, one of the things that was lost that has implications for the physical world is the location and codes of all the alarms of the public buildings in that city. Okay? That’s something that is currently not available, because the ransomware dark web website was hit by the FBI, I believe. But someone who has had access to that information knows not only the location, but the codes to every alarm within that city. For instance, other things lost: there was a piece of backup data regarding a city program supporting elderly people.
Ricardo Silva [00:46:38]:
And it has a lot of contact information and a lot of personal data about those who are more likely to be targeted by phishing. Okay? There’s nothing you can do about that. I’ve heard that in the United States this information is not public, that once the ransomware group uploads that onto their website, that information gets copied, gets worked on by data brokers, so that it can be sold in batches of specific data. But once that information is out, there is no turning back, and that’s one of the things. I’ve heard that in the United States there are cases in which the ones who have their data leaked online take some actions against the companies for not properly securing their data, because that’s a responsibility. You are responsible. And you were talking about standards, for instance, SOC 2. SOC 2 especially is specially designed to protect the data, for instance, of your customers.
Ricardo Silva [00:48:03]:
You are responsible for that data. And in the United States, I have read that some people who had their data leaked were presenting actions against those companies, because it was their responsibility. But on the other side, what companies were defending themselves by saying is that there is no direct link between the usage of that data and the leakage. It’s hard to prove, if you get scammed, if you get a phishing email, if you get a phishing call, if you get smishing, that this is because that information was leaked. Okay? So, especially here in Portugal, it’s really, really hard to prove that that company was responsible for that information and that the loss of that information resulted in something that is an issue for you. It’s a problem for you.
Maciej Nowak [00:49:09]:
But I think there was a very big case for British Airways when they got hacked and a lot of customer data was leaked. They got fined for, like, breaking GDPR. So not only do you get a reputation hit, you lose the trust of your customers for some time, until they forget about that. But then you get the financial hit for breaking GDPR. Obviously, you can prove that this is, you know, happening because of that leak, but that is not the fine from GDPR. Is there anything every one of us can do, except having a strong password policy, to be more prepared, or let’s say, be more cyber resilient, if I may say so?
Ricardo Silva [00:49:57]:
Okay. So in my opinion, one of the first things that you, as an individual, need, and here in Portugal the government has a program for that, it’s called something like the cyber-secure citizen, the translation might be similar to this. So one of the things that everyone needs to know in 2024 is how an attack is carried out, how a phishing attack is carried out. They need to understand how attackers think and why, what they might ask. For instance, I’ve always thought, you get a lot of phishing emails and smishing messages. But you never click the link, for instance, because you don’t.
Ricardo Silva [00:50:51]:
It’s one of the rules for your protection. You don’t click random links. Okay? But the thing is, when you click the link, and I’m not telling you to, I’m telling you this as a professional, you get an insight into what the attackers want. If, for instance, you get to a page of an institution where you already have, for instance, an account, and it’s asking you for the same information, something is not right. They have that information. Why are they asking you for that information again? Why are they asking you for your home address? Why are they asking you for things that they should have? So one of the things that people need to know to protect themselves is how attackers think. That’s one of the key points for me.
Ricardo Silva [00:51:41]:
So the other thing that people might, in the everyday, I think your question is regarding the everyday user and probably someone who does not work in cyber and is not related to security. One of the things that everyone should be aware of and should know is that everything you do online leaves a track. Okay? One of the things that we do is lateral movement, for instance. I can give you an example. You might think, if you have an old email from 10 years ago that is leaked, okay, and it has a password leaked with it. You have the email address and the password. One of the things that people should know is that this is still important.
Ricardo Silva [00:52:35]:
Okay? Because, for instance, your backup email address, the one that you reset your password to, might be that old email from 10 years ago. So one of the things that you should do is review everything, not only what you did in the last year, but review everything you did in the last 10 years. Because, like I was telling you, lateral movement is this. I got an email address from you from a lead website, a lead-generating website from marketing or so on. This is one of the OSINT techniques. I then run this email through a data breach website, a collector or so on. I get a password. And if I present this to you in a report, you say, okay, but this is an old password.
Ricardo Silva [00:53:26]:
I don’t use this password anymore. But lateral movement is this. I’ll then change my search query to that password and get the email that you used 10 years ago. That email that you used 10 years ago is still the recovery email for your current Gmail account. Okay? Another thing that people need to know in regards to phishing, which I believe is one of the main issues of worry for the average citizen, is that people tend to not trust email addresses, but to trust a lot in SMS messaging. If you get a text message with the header of your bank or of any of your service providers, actually, the text message gets aggregated with the ones that you received before because it has the same header, you immediately trust that. You do. More than half, or I would guess more than 75% of the users, will trust that.
Ricardo Silva [00:54:44]:
Okay?
Maciej Nowak [00:54:45]:
Seems not true.
Ricardo Silva [00:54:47]:
Yeah. Spoofing is a thing. It’s very easy, without any technical knowledge, by hiring a third party to spoof an SMS header. So that’s one of the pieces of advice. This is a trend that is on the rise: people usually trust immediately in SMS if it has a header that is compatible with something they have. So be alert to that. Be alert to what someone is asking you, what the provider is asking you. Try to give your... there’s a service that is provided by Proton, ProtonMail, that lets you have one email account, but then that email account generates several email addresses that relay all of the emails to your main account.
Ricardo Silva [00:55:46]:
So you will have, for instance, awesome@proton.me, and then you have several email addresses that you can use to fill out forms, to register on websites, and so on. So I would advise, if you work in cyber, if you use several technologies, if you use several third-party apps and so on, I advise you to get an email address and not use your personal email address. Don’t use your main work email address. Try to be a little... if someone wants to hack you, you will get hacked. Just try to have more barriers in order to make it harder for them, so that they switch targets and choose someone else.
Maciej Nowak [00:56:34]:
Yeah. Someone easier. Alright. Thank you. Thank you. This was a very interesting conversation, especially in a world where you leave a trail everywhere and you just get annoyed by the cookie banners and think this is it, this is me stopping being tracked, maybe.
Maciej Nowak [00:56:59]:
Thank you. This was very, very illuminating, let’s say.
Ricardo Silva [00:57:03]:
Thank you very much for the opportunity to be here. And it was a pleasure for me to be able to speak a lot.
Maciej Nowak [00:57:14]:
Yes. A bit
Ricardo Silva [00:57:15]:
more than last time. A bit more than last time. Exactly.
Maciej Nowak [00:57:18]:
Yeah. Thank you. It’s always a pleasure.
Lector [00:57:20]:
If you like what you’ve just heard, don’t forget to subscribe for more episodes. On the other hand, if you’ve got a question we haven’t answered yet, feel free to reach out to us directly. Just go to osomstudio.com/contact. Thanks for listening, and see you in the next episode of the Osom to Know podcast.
The post The role of OSINT in Modern Cybersecurity – Interview with Ricardo Silva appeared first on Osom Studio - WordPress & WooCommerce development agency of choice.