My lightning talk from this year’s BSides København on the potential dangers of using unvetted software in OSINT investigations.
How many of us actually vet the software we use? Do we always know who’s behind the software? Can we be sure that there aren’t any back doors implemented? A while back some friends and I had a deeper look at an upcoming OSINT tool. It turns out the software wasn’t from the company and country it claimed to be, and direct links to one of Russia’s largest surveillance companies (and maybe even the FSB) were found. I’ll take you through the process of this investigation and show how traffic analysis, reverse engineering, OSINT and a little HUMINT shed light on this case. The original blog post can be found here.