I'm coming to the realization that I don't really understand what OSINT is or is not. ("Open Source Intelligence", obviously, but beyond that)
The first time I encountered it was in the context of civilians collecting actionable military intel in the Russia-Ukraine conflict by trolling social media. But now I see people talking about it like it's a career, and see what I would have called standard IT security posted under it.
Do people just use it to refer to any sort of civilian information gathering these days? Has IT security just rebranded as OSINT?
I'd say it's collecting intelligence-worthy data from publicly available sources. That is, connecting the dots that everyone could connect, were they able to notice them. It does not involve anything but sifting peacefully through public sources.
This is opposed to acquiring data by other means, like breaking into protected systems, stealing classified materials, planting moles, extortion and blackmailing, etc.
This is a pretty neat idea. I like it. However, the inaccuracy of IP geolocation services causes some Amazon AWS IPv6 addresses to appear to be located outside the US when they are not.
I continue to believe that half (or more) of all security reports/warnings are false positives due to inaccuracies such as this.
I imagine downscaling and reducing the number of colors in steps could gradually increase the false positives. You would have to noticeably change the icon to avoid it.
The "practical example" in the article is the exact opposite of that: it searches for the hash of a known favicon and filters to sites that shouldn't match it but do. It would require a particularly incompetent attacker (or a very contrived case) to not match the favicon of a public website.
We agree here. The point is to detect imposters via favicon. Case 1 is easy, simple, and a legitimate concern. Case 2 is the inverse of case 1. A host is misconfigured or something. Much harder to detect, but no more important. Case 3 should not exist.
Case 3 must exist by the pigeonhole principle given that the hashes are smaller than most favicons. Otoh, if it does show up, you can exclude it by doing a full comparison.
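The two cases argued over above (a stranger serving the exact icon versus a bare hash collision), as an added example that is not code from the article or from anyone in this thread. It assumes the commonly documented Shodan favicon convention (MurmurHash3 over the base64 text of the icon, 76-column wrapped); the icon bytes and hostnames are constructed, and the full-byte comparison is what rules Case 3 out.

```python
import base64
M = 0xFFFFFFFF

def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & M

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (what mmh3.hash() computes); returns a signed 32-bit int."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h, n = seed & M, len(data)
    for i in range(0, n - n % 4, 4):                 # full 4-byte blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = (_rotl32((k * c1) & M, 15) * c2) & M
        h = (_rotl32(h ^ k, 13) * 5 + 0xE6546B64) & M
    tail, k = data[n - n % 4:], 0
    for j in range(len(tail) - 1, -1, -1):           # 1..3 leftover bytes
        k ^= tail[j] << (8 * j)
    if tail:
        h ^= (_rotl32((k * c1) & M, 15) * c2) & M
    h ^= n                                           # finalisation (fmix32)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & M
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & M
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon: bytes) -> int:
    # ASSUMPTION: the commonly documented Shodan convention, mmh3 over the
    # base64 text of the icon wrapped at 76 columns with a trailing newline.
    return murmur3_32(base64.encodebytes(icon))

def triage(known_icon: bytes, index: dict, legit_hosts: set):
    """Case 1: a host outside our own serving our exact icon (impostor).
    Case 3: same hash, different bytes (collision), excluded by full comparison."""
    target = favicon_hash(known_icon)
    impostors, collisions = [], []
    for host, icon in index.items():
        if host in legit_hosts or favicon_hash(icon) != target:
            continue
        (impostors if icon == known_icon else collisions).append(host)
    return sorted(impostors), sorted(collisions)

# Constructed sample icon and scan index: hostnames and bytes are made up.
REAL_ICON = b"\x00\x00\x01\x00" + bytes(range(256))
INDEX = {
    "bank.example": REAL_ICON,                      # our own site
    "bank-login.example.net": REAL_ICON,            # stranger serving our icon
    "unrelated.example": b"GIF89a" + bytes(range(64)),
}
LEGIT = {"bank.example"}
```

`triage(REAL_ICON, INDEX, LEGIT)` returns the impostor list and an empty collision list for this index; a host that matched on hash alone would land in the second list instead of the first.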
We review the web presence of a business as our core product offering for payment processors, etc. as they look to onboard ecomm merchants. This (and techniques like it) make a great way to find scummy actors and have a provable piece of evidence as opposed to a 'yea, this looks off' or 'this doesn't fit the profile of what an established business looks like'. We leverage a lot of subtle signals like this.
OSINT is about exploiting public data for private benefit.
The article was meh; others are expressing similar opinions if you read. It is OK that you find it useful, but I was sincerely expecting something more from the title.
And here's a map of favicons that Shodan has seen across the Internet: https://faviconmap.shodan.io/