Lately I've been extremely busy at work, but also in my private life I'm very busy. Since we're able to go back to the office again for a few days a week, and taken up sports again, things are getting pretty busy. I do still love to read and collect all the OSINT news though! And I'll keep making time to write these weekly newsletters. Because the time spent on researching new tips and tools, is well spent since I expand my own knowledge at the same moment! So do keep those tips, tools and tricks coming! This week, I've got the following topics for you:
What happens when one of the hard hitters in the field of OSINT asks a question on Twitter? What if that question is: Give reasons why you should look at the source code of a web page. The result is an interesting Twitter thread, with lots of examples why it can be fruitful. People are discovering analytics codes, hidden metadata, timestamps, JSON data that is parsed and a lot more! Thank you for that question Kirby!
The #OSINT question for this week: give one reason you might look at the source code or inspect panel for a website during an investigation.— kirbstr (@kirbstr) September 7, 2021
Link: Twitter thread
One of the best tools to combat fake news, is the toolbox from the WeVerify project. It sits in your browser, and with a single click it can do a reverse image search, or pop-up a menu with helpful tools. And it just got better, since they added some helpful new things:
The best thing of all is that they even have learning material, and a game within the tool. So if you're new to fact-checking content, have a look at the 'classroom' and the 'demo' to get up to speed! Some tools are only available for journalists and researchers, so do register an account if you're interested in using some more advanced features. Let's just hope that the Firefox add-on will be updated some day too...
Link: Chrome extension
Ritu Gill has created a 'Start.me' page, with helpful sources on Canada. She has split things up into links on national level, but also by province and territory. It's a massive list of links, and even though you'll have to search a bit since it's not split into categories, there's a world of useful links in there if you need it! Thanks for all that hard work and sharing it with the community!
Link: Start.me page
Another very interesting repo of his, is his collection of phishing kits. Phishhunt.io downloads active phishing sites in the wild, and saves them to the GitHub repo. A really helpful collection on here!
Link: Phishing kits
Lots of excellent additions happening in the WhatsMyName project! With submissions from "ef1500", @WebBreacher, and @Zewensec, we are well over 300 sites that are checked!— whatsmyname (@whatsmynameproj) September 17, 2021
Thank you to everyone suggesting sites (https://t.co/acaNyosulm) and submitting them!#OSINT #recon pic.twitter.com/39ZbJkJYd4
Back in October 2015 Micah Hoffman created the tool Whatsmyname, a username enumeration tool. This script is unlike most of the tools though, since it doesn't just query a website and gives a hit when there's no error. It actually looks at the content, after it fires off a query to a website or API. Less false positives, and less time spent on manual labour. And thanks to the community, now even more sites are added! More than 300 websites are included now, but they do need your help! Feel free to fill in the form, or create a pull request to add even more sites.
Link: GitHub repo
Link: WhatsMyName web app
Not everything is visible for a LinkedIn user, since some information is simply not clearly visible when you look at a profile. But good ol' Google recognizes these hidden snippets of information, and you're even able to search for locations where people work, as Henk van Ess demonstrated in a little Twitter thread.
And even though people are able to prevent their profile from being indexed by Google, people will still show up as employee of the company they added. Go over to the site of Irina Shamaeva, where she shared some useful queries for LinkedIn!
Tracy Maleeff wrote a short tutorial on how to create Google Alerts. It's a simple way of digesting information on specific topics, right to your mailbox or even an RSS feed. This service from Google was launched back in 2003 already, and it offers a service where newly indexed URLs within the Google database that matched to 'alerts', after which the creator of the alert is being notified. Extremely useful, and easy to set up. Thanks for this little tutorial!
Ever wondered what a candle, sunglasses and toilet paper might have in common? Twitter user @Coleens_IS asked the question: "What's the most ridiculous IOT device you can find?" and the answers she received are hilarious! And if you're scrolling through the list and are wondering about the 'anus scanner'? Well, it's probably this weird device.
Do go over the thread if you're into IoT, security, or just need a good laugh at the start of your week!
Link: Twitter thread
Have a good week and have a good search!