Kim Kardashian: An OSINT Cautionary Tale
As the name implies, this is based on my analysis of the sequence of events of Kim Kardashian’s robbery in Paris, France. I have no insider information and my analysis hinges on what I have read from various news outlets and my own observation of her social media platforms. While I make every effort to be thorough and hit every aspect, there are times that I inadvertently omit things or skip them due to scope, time, length or applicability. Email any questions you have about this or any other topic to [email protected]
If you have been online in the past couple of days, you have likely seen something about Kim Kardashian being robbed in Paris. The estimated value of the loss is $10 million. The purpose of this post is to talk about how her social media posts allowed the attackers to find her and to identify the ideal time to perpetrate the robbery. This is a cautionary tale, not victim shaming.
Data collected for this blog post was gathered late in the day on October 4. I may have missed some of the context and content of Kim’s social media presence depending on her publicity team’s actions. Therefore, I am purposely omitting anything that would require my use of the Wayback Machine or other archival resources.
This blog operates under the assumption that the robbery was legitimate and not “an inside job.”
Open Source Intelligence is just that, open source. Due to it being open source, there are no myths or magic behind the ability to gather it. You can gather it, as can I, as can nation-states and intelligence agencies, as can the paparazzi, as can criminals. While there are a variety of platforms and methods, I will skim the surface of a couple of tools and resources anecdotally and follow up with a more informative blog later.
I was originally going to break this section down by platform (Twitter, Instagram, and Facebook). In reviewing Kim’s posts, they are all about the same and likely from a platform like Hootsuite.
In reviewing Kim’s
Around October 2, she posted about not wearing makeup to a certain (Balenciaga) show, which shows she planned on attending. She then posted a picture of herself at the Balenciaga show (revealing what she was wearing), then checked in at the Givenchy show and got a facial (albeit in a different outfit; this could be a result of the time zone differences between Atlanta, GA and Paris).
At this point, we have a profile of where she has been, her patterns, and what she has been wearing. While this is not overly revealing for most people, those who are specifically targeted or in the public eye (as a result of being married to Kanye and independently famous) should exercise far more caution. The paparazzi and media have been shown to be relentless in the past (reference: Princess Diana and Dodi Fayed; ironically also in Paris). While it seems unethical to most of us, that is how some people make a living.
The motive for this robbery was not pictures or an interview. Kim has a persona of being in the elite class with the rich and powerful. That indicates that she is likely to have expensive jewelry and expensive possessions. I am not sure about the USA Today valuation of her jewelry probably being around $10 million, but that is not completely absurd. The initial media reports sounded as if the robbery was on the street; now it appears to have occurred in a building, likely a hotel, so having a jewelry box makes more sense.
This shows us that there was some level of Social Engineering and pretexting involved, because the perpetrators were disguised as police officers. When performing OSINT and/or Social Engineering attacks, you must be able to stick to a script, per se, and keep it up as a pretext. Almost all successful SE attacks have a pretext and a story for the attacker to convey to the target, either for emotional connections or other motives, which is especially relevant here.
I spoke to OSINT expert and my friend, Justin Seitz (a podcast guest), about the social media APIs (Application Programming Interfaces). He stated that if the “target” has location tagging enabled, then anyone with an API key could write a script in a programming language and pull the data without anyone’s knowledge, since that is how the API is designed. In Justin’s Python Course on his Automating OSINT training site, there is actually a demonstration of what this data looks like and how to manipulate it. In full disclosure, I am currently enrolled in the course and have not quite completed it, so I cannot speak to the Twitter API work at the end of the course. Justin’s Basic and Master Courses deal with Twitter, Instagram, Flickr, Facebook, and YouTube as well as methods to make searchable data from them.
Using the tool of another friend named Justin, OSINT expert Justin Nordine, I was able to pull up everything about Kim Kardashian using a tool called Social Searcher via Justin’s Advanced Recon Framework website. I accomplished a similar function, less the actual posts about Kim, on Michael Bazzell’s Social Network Search from Nordine’s site.
In terms of geolocation, there are quite a few tools on Advanced Recon Framework to accomplish this. Creepy is a Python-based tool that is downloaded and installed and allows correlation of data and integration into Google Maps. Tweetpaths and GeoChirp both tie into your Twitter account and perform the location analysis for you by username or nearby users, with search capabilities. I searched using Kim’s username and it seems like she does NOT use location services.
In conclusion, it is difficult to ascertain the absolute honest truth about what happened. It seems that it could be dumb luck, an OSINT-based attack, or an inside job. Few people actually know. I did not even begin to scratch the surface in polling data that other people post about celebrities showing their locations, which is a completely different vector. Even those who adamantly avoid social media still exist on it because of the uncontrollable instances of photography in public. Since you are reading this, you should take a look at my advice below to help you stay secure. Keep in mind that these are ONLY suggestions and recommendations. Follow them at your own risk; they should keep you reasonably secure, although there is no absolute method of assurance.
Advice for Preventing OSINT Attacks
To be rather blunt, you can’t. You can minimize what YOU post to the public internet and social media. What you post and who can see it is within your control. Most of all, think before you post. Think about whether someone can download or misuse it without your knowledge or consent. Be careful when posting or replying to public posts. Because of the threat, you should almost always disable location services and enable them only when in use. Scrutinize possible friends. They can do major damage to your reputation. On the other hand, they may not even be who they claim to be, amplifying the damage. Bear in mind that anything posted to Twitter is public (for the most part), hence my position of talking more about it than Facebook.
If you see an imposter account or someone stealing your picture or posts without your consent, report them. I will also reiterate: Think before you post. How can this be used against me? Can this be used to track me? Alternatively, you may ask yourself, “Could this get me fired?” Would I be ashamed if I said this to my grandmother’s face? While I am sorry to get a little preach-y, a misstep could easily lead to someone collecting OSINT about you while you spoon-feed it to them. Finally, you are mostly in control of your destiny in this regard. Taking the time to see what is on the web about you and taking proactive steps to ensure it cannot be used against you is especially relevant to your personal security.