It has recently been confirmed in Korea that personal information, including an identity photo, resident registration number, address, and phone number of an individual who submitted an application form to a public institution four years ago, had been publicly exposed on the internet for the past four years. It has also been confirmed that it was possible to access and download a copy of the resident registration containing personal information in PDF format. This case has become a more serious issue because the public institution in question was unaware that it had been storing and leaking individuals’ important personal information. 

Among the causes of confidential information leakage, fraud intrusion, external hacking, and security mismanagement can be prevented with OSINT Search Engine and Attack Surface Management. In this article, we will cover how to prevent malicious external attacks, monitor the status of information leakage, and respond promptly with appropriate security measures using OSINT Attack Surface Management.

Exposed personal information was available for download in PDF format for 4 years

Use OSINT to Monitor Information Leakage Status and Identify Relevant Google Search Keywords

Hackers use Google hacking techniques to exploit personal information exposed to the search engine for cyberattacks. The article comparing web-based Google hacking and IP-based Criminal IP noted that specific search conditions could be used with Google search operators (such as filetype, site, inurl, intitle, etc.) to conduct targeted searches and obtain results.

Test pages for Apache in default state searched using Google hacking

As you can see, hackers can easily use Google to search for all types of application forms, documents, and internal sites containing personal information. For those responsible for managing data, using Google hacking techniques can be a solution to find leaked information. However, this manual search can be time-consuming and require a lot of labor resources, especially if the person is not certain about what information has been leaked.

The Criminal IP ASM‘s OSINT feature offers Google search keywords that automatically detect company and public institution data exposed on Google. This feature enables quickly identifying publicly exposed data, including its title, description, and file type. As a result, all information containing personal data, such as application forms, admin pages, and test servers, can be promptly restricted or deleted based on priority.

Information leakage status can be filtered by searching for file types, information types, and keywords on the OSINT page

By automatically searching for information related to a company’s domain and related keywords, it is possible to quickly identify not only personal information leaked by the company itself but also personal information compromised by other sources. For example, it is possible to detect personal information submitted to other organizations and personal information disclosed on pages managed by collaborating companies.

Detect Potential Threats of Information Leaks With Attack Surface Management Solutions

It is equally important to manage potential data leakage incidents proactively as it is to identify current leaks using OSINT tools. The risk page of Criminal IP ASM updates a company’s IT asset information automatically on a daily basis, using registered IP ranges and domains. This enables you to check for security vulnerabilities and potential data leakage threats in your IT assets.

The Criminal IP ASM dashboard screen displays hosting information and risk status at a glance

The items identified as high-risk include open ports and vulnerabilities, as well as data leakageremote access, and VPN (Virtual Private Network) cases. To specifically check for IP addresses using VPNs and remote access, which are commonly exploited as channels for information leakage, you can utilize a filter search to narrow down the results.

The screen below shows the results of a filter search for remote access.

Leaked IP assets data detected by “remote_access” filter search

You can confirm not only that port 22, which is used for SSH remote servers, has been detected, but also that port 22 is open by looking at the specific IP through detailed search on Criminal IP. If port 22 is exposed to the external resource, it can lead to an intrusion into the server and become a critical cause of personal information leakage. Therefore, a quick security response can be taken by closing the port to prevent such attacks.

Open port 22 confirmed through detailed search on Criminal IP CTI search engine

There are many other attack surfaces that lead to personal information leakage, and OSINT Attack Surface Management can automatically detect personal information leakage  threats on a daily basis. Attack surface management is essential as the sensitivity of personal information management is increasing, and there are various ways for personal information to be leaked due to fraud access or mismanagement by companies and public institutions. Security and data administrators can establish a comprehensive management and response plan with minimal resources by staying up-to-date with daily security threats and leakage updates.  

Please refer to our article on Using OSINT Search Engines To Collect Cyber Threat Intelligence for a Best Practice of OSINT.


Data Source: Criminal IP (https://www.criminalip.io/en)

Related Article: