OSINT is what hackers use

Any hacking attempt to break into a system starts with a research phase whose purpose is to identify soft spots and possible methods of attack. This is sometimes referred to as the Network & Business Reconnaissance phase, as for example in the article The Five Phase Approach of Malicious Hackers. The blog ShortInfoSec.net agrees, writing that “the methodology used in OSINT is the information gathering phase of every penetration phase”.

The hacker tries to find out as much as possible about the target using information that can be obtained without committing any crime and without exploiting any software vulnerability. Let’s say the target is a company. The hacker will then try to find the names and positions of people working there; collect documents and files on the internet that originate from the company (their metadata often carries author names and the software that produced them); collect newspaper articles about the company; and collect everything obtainable about the company’s internet domain names, the IP addresses associated with those names, and the servers behind them. He or she would also collect the company’s job ads, which reveal which software systems are in use and give details on internal routines, terminology and organizational structure.

So-called dumpster diving – going through trash bags coming out of the company’s facilities – can provide loads of useful information. Knowing the names, positions and work locations of employees at the company, the hacker can go on to collect biographical information on those people using, for example, LinkedIn, Facebook, Orkut and Pipl. (The importance of thorough reconnaissance, research and preparation before a social engineering penetration test is attested by ShortInfoSec.net.) For an illustrative description of how social media websites such as Facebook can be used as the primary vehicle for a hacker who needs to find a way in through the front door, read Social Media and Identity Theft Risks PT II by Robert Siciliano.

I suppose spelling it out isn’t really necessary, but still: the hacker is using information from open sources to build a target profile, an intelligence report about the company, which is exactly Open Source Intelligence. The ultimate use of this intelligence is to pinpoint a part of the company’s IT infrastructure that has a known, exploitable vulnerability and/or to devise a social engineering* attack in which an employee is tricked into revealing critical information such as a password. At the RSA Security Conference 2010, security researcher Pedro Varangot of Core Security Technologies even demonstrated how the trust that users place in social networks can be leveraged to execute targeted social engineering attacks.
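To make the profiling step concrete, here is an added example in Python; it is not code from the original post or from any of the sources it cites. It takes the kinds of material the three paragraphs above describe (names and positions harvested from a social network, e-mail addresses found in published documents, and a job ad) and assembles them into a target profile. Everything it consumes is constructed: "Example Corp", the domain example.com, the four employees, the scraped text and the job ad are made up so that the script runs offline. Two things it does go beyond what the text spells out, and both are standard reconnaissance practice: it votes on the company's e-mail naming convention from the addresses it has actually seen, then uses the winning convention to guess addresses for employees who have not published one (the targets for the social-engineering step), and it pulls product names and trailing version numbers out of the job ad (the "known vulnerability" step).

```python
"""Target-profile builder over constructed open-source snippets (added example)."""
import re
from collections import Counter

DOMAIN = "example.com"  # assumed target domain (constructed)

# Names and positions as they might be harvested from LinkedIn (constructed).
EMPLOYEES = [
    ("Maria Lindqvist", "CFO"),
    ("Johan Berg", "Press officer"),
    ("Anders Olsson", "IT manager"),
    ("Karin Svensson", "Helpdesk technician"),
]

# Text from public documents and web pages mentioning the company (constructed).
SCRAPED_TEXT = """
For quotes contact maria.lindqvist@example.com or call the switchboard.
Press: j.berg@example.com
PDF author metadata: Anders Olsson <anders.olsson@example.com>
Unrelated: webmaster@partner-site.org
"""

# A job ad, the kind of source that leaks the software in use (constructed).
JOB_AD = """
Helpdesk technician wanted. You will support users on Windows 10,
Microsoft Exchange 2010 and our SAP ERP system. Experience with Cisco ASA
firewalls and Active Directory is a plus.
"""
TECH_KEYWORDS = ["Windows", "Microsoft Exchange", "SAP", "Cisco ASA", "Active Directory"]

# Candidate local-part conventions: label -> formatter(first, last).
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "first":      lambda f, l: f,
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(text, domain):
    """Unique, lowercased addresses in `text` that belong to `domain`."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return sorted(a for a in found if a.endswith("@" + domain))


def split_name(full_name):
    parts = full_name.lower().split()
    return parts[0], parts[-1]


def infer_convention(emails, employees):
    """Vote: each published address that a known name explains under a
    convention is one vote for that convention. Returns (winner, votes)."""
    votes = Counter()
    for addr in emails:
        local = addr.split("@", 1)[0]
        for name, _position in employees:
            first, last = split_name(name)
            for label, fmt in CONVENTIONS.items():
                if fmt(first, last) == local:
                    votes[label] += 1
    winner = votes.most_common(1)[0][0] if votes else None
    return winner, votes


def match_known(full_name, known):
    """Return the published address for this person, under any convention."""
    first, last = split_name(full_name)
    candidates = {fmt(first, last) for fmt in CONVENTIONS.values()}
    return next((a for a in known if a.split("@", 1)[0] in candidates), None)


def extract_technologies(text, keywords):
    """Map each product named in `text` to the version that follows it (or None)."""
    found = {}
    for kw in keywords:
        m = re.search(r"\b" + re.escape(kw) + r"\b(?:\s+(\d[\w.]*))?", text, re.I)
        if m:
            found[kw] = m.group(1)
    return found


def build_profile(domain, employees, scraped_text, job_ad):
    """Combine the collected pieces into the target profile the text describes."""
    known = extract_emails(scraped_text, domain)
    convention, votes = infer_convention(known, employees)
    people = []
    for name, position in employees:
        email, source = match_known(name, known), "published"
        if email is None and convention:
            email = f"{CONVENTIONS[convention](*split_name(name))}@{domain}"
            source = "guessed"
        people.append({"name": name, "position": position, "email": email, "source": source})
    return {"domain": domain, "email_convention": convention,
            "convention_votes": dict(votes), "people": people,
            "software": extract_technologies(job_ad, TECH_KEYWORDS)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_profile(DOMAIN, EMPLOYEES, SCRAPED_TEXT, JOB_AD), indent=2))
```

On the constructed data the vote is two for `first.last` against one for `f.last`, so Karin Svensson, who has published no address, gets `karin.svensson@example.com` marked as guessed, while Johan Berg keeps his published `j.berg@example.com` rather than a wrong guess. The job ad yields Exchange 2010 and Windows 10 with versions, and SAP, Cisco ASA and Active Directory without; the versioned entries are what a hacker would cross-check against public vulnerability databases next. Note that the guessed addresses are hypotheses: in practice they are confirmed with a harmless probe (a bounce, a read receipt) before any phishing is attempted.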


* Social engineering is not OSINT, but spot-on HUMINT. Read more about social engineering on Wikipedia.