Whitebridge.ai: my thoughts and opinions
Earlier this week I saw a post from Stacey Edmonds (https://www.dhirubhai.net/feed/update/urn:li:activity:7215979047787352066/) about a new AI-powered OSINT tool called whitebridge.ai.
Shortly after I saw her post, I started seeing a bunch of other FUD (Fear, Uncertainty and Doubt) posts from other people on LinkedIn trying to scaremonger using this service, as a lot of average Joes won't understand the concept of online presence mapping. Of course, all the comments I was seeing on these other posts were "OMG!", "We need to do something about this!", "That's scary as hell!", so in this post I wanted to break down how this (and other similar) services work and to dispel the FUD surrounding it.
It's run by a Lithuanian company and is advertised as an online reputation profile service that uses AI.
I saw a lot of posts from people shocked by this service because it can gather all this information about you, but in reality it's just scraping information YOU already put online, that ANYONE can find manually. It's just aggregating this data and pushing it into a nice report.
For all of my pentesting career, OSINT (what we call Open-Source Intelligence gathering) or reconnaissance has been a core component of a pentest that we complete on every engagement. We perform this to fingerprint the organisation and its people to generate our network attack blueprint and to help us as testers breach in, and that's exactly what this tool is: a people-focused OSINT tool (more like HUMINT).
I've been tasked with many engagements over the years where organisations have asked me to profile C-suite staff and find out everything I can about them. After running the tool against myself, it follows the same HUMINT (Human Intelligence gathering) techniques that I use to find out information on individuals, so in the context of my work I can see where it can provide real-time benefits; the same goes for PIs, law enforcement or anyone who may need a brief online identity report for a person.
OK, so I gave it a whirl and found the results to be underwhelming, to be honest, although I did search for myself and, being an infosec guy, I take the necessary precautions online. I'm sure it is much more impressive on more "public" individuals; for example, if I searched for Arnold Schwarzenegger I am certain the report would be huge. But here is what it found on me and how it presents the data.
I searched just for my name, and it found me all the way at the bottom (I'm not that old though! :) ), which is a good start:
It then prompted me to pay to see my report.
$27 USD and about 15-20 minutes later I could access my report. It's important that I spell out which social media and sites I use. I currently only use LinkedIn (duh!), on which I deliberately keep areas of my profile public, and I have 2 Facebook accounts, a Twitter (X) account and my website. I have 1 Facebook account you will never find, and I have my "public", more professional Facebook page (still limited, but it's searchable). I'll add that I never post to Facebook; I just use it to follow groups like my local community group, which pushes out area updates about different things. For X, I only had it connected to my LinkedIn (before LI removed that sync ability) so that LinkedIn updates got pushed to it; besides that I don't use it or ever manually post to it, only to keep track of certain infosec news and people. I have accounts on other social media platforms, but I don't use them; they are only in place to allow my parental control software to keep an eye on my kids' online activities. Interestingly enough, whitebridge didn't find these, and I'll explain why soon.
The first part of the report is the overview. You will see here 5 references; it basically just scraped my LinkedIn profile and some posts to gather this info.
It did manage to pull one of my personal email addresses, which is cool, but it's the one I use on all my public accounts, so I know (and expect) it to be known. It also didn't find my mobile phone number. If we do a quick search for me on RocketReach (which I use all the time for HUMINT), it returned my email and phone number and the same social media hits.
Whitebridge also picked up my X and Facebook accounts. To do this, I suspect it just did a reverse image search, which anyone can do on Google and TinEye (a good way to avoid scams!), and it also went out to these services and matched up my photos, which is a technique I use when people hunting. Note that I use the same photo on all my services (on purpose), so it was bound to pick these up:
Now we move into the Behavior and Interaction Insights section, which is interesting. The report gives information on the best ways to approach me based on analysis of all of my online posts and articles. I actually agree with most of the info, like these:
I'm a super technical person, so I like to know the ins and outs, and these "don'ts" seem pretty spot on:
I can see here where this tool can be very effective for sales people and for pitching services.
Next up is information on my personality. It has pulled this information from my social media bios, posts and content (interestingly, it would have picked up more data if it had crawled my website, but it seems it didn't, as the site is not listed anywhere in the report).
And the preferences are pretty accurate; again, it's pulled most of this data from my LinkedIn profile "Experience" and "Education" sections, in which I have a lot of detail:
Next up is career. It has just pulled the information from my LinkedIn section (remembering that if you don't have much information listed in your LinkedIn experience section, you probably won't have a whole lot come back), and it's taken the data and presented it in some summary boxes:
What was interesting, though, is that it applied estimated salaries (at the bottom) for all positions listed, based on industry data (I assume).
It also listed the education data I have in my public LinkedIn profile. It then found my apparent leisure and hobbies: it aggregated sources where I have articles, podcasts and LinkedIn posts to attempt to determine my hobbies. Here is what it came back with. The first paragraph shows just how inaccurate it can be based on the data: the text in bold is humanly impossible and was used in a joking sense in a bio for an event I spoke at, as I was big into fitness at the time and competing in OCR events everywhere, but the AI flagged this as potentially accurate :)
I'd say one of my passions is definitely sharing information with the community, and research, so some of these are on point.
The Events & Media section is interesting; it actually didn't return much. It just did a Google search for events that reference me and only found a small number. If it had gone to my website and looked at that (it didn't), where I post all my past events, it would have found another 50-odd, but it only searched certain sources and search engines, which is interesting.
And the last section is Data Breaches, definitely useful for individuals to see where they have been exposed in a data breach and to ensure that they are not reusing a breached password on any other service. It found 10 breaches, and it obviously pulls this from haveibeenpwned, as I performed a search manually and got the same result:
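The reuse check this section recommends can be automated against the same source. As an added example (not code from the post or from whitebridge.ai), the script below checks a password against Have I Been Pwned's Pwned Passwords range API using k-anonymity: only the first five characters of the password's SHA-1 hash are sent, so the service never sees the password or its full hash. The endpoint and the "SUFFIX:COUNT" response format are the public HIBP v3 API; the sample range response is constructed so the check runs offline.

```python
# Added example: k-anonymity lookup against HIBP Pwned Passwords.
# Live endpoint is the public HIBP v3 range API; SAMPLE_RANGE below is constructed.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # no API key required


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to HIBP, 35-char suffix kept locally) of the SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the count for suffix, or 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: the server only ever learns the 5-char prefix and returns every matching suffix."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(range_lookup(prefix), suffix)


# Constructed offline sample for prefix 5BAA6; the middle line is the real suffix of "password",
# the counts and the other suffixes are made up for the example.
SAMPLE_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
    "2E8C7A1B2F3D4E5F60718293A4B5C6D7E8F:1",
])

if __name__ == "__main__":
    n = pwned_count("password", lambda prefix: SAMPLE_RANGE)  # swap in fetch_range for a live check
    print(f"'password' seen {n} times in the sample range; any count above 0 means do not reuse it")
```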
Conclusion
As AI adoption continues, this is only the start of many services that will aggregate the data you have online. It's not something to be afraid of; think of it as a tool to build individual awareness of your data and online footprint. If you have a few spare bucks and are interested to see what it finds, give it a try, see what it locates, and it may help you to identify content or social media services where you may have forgotten to turn on those privacy settings. When it comes to restricting and building your own online footprint:
As this platform develops and improves, I can see where it would be a good idea to check your online presence each year, along with your standard credit reference check (to identify identity theft), to determine just how much information is online and whether any of your profiles are not restricted (they should be!).
Where I think the service could be strengthened would be with a reputation lookup. Often content may appear online that would detrimentally affect the reputation of an individual, and they would often have no idea about it. Presenting this, as well as finding personal websites (and crawling them), using other HUMINT sources to find phone numbers and assessing additional data sources, may present a lot more useful information to individuals.
I know what some of you may be thinking... how can these services exist? Are they breaking any laws?
Nearly every country around the world has privacy and data protection legislation and consumer protection legislation in place, which helps to ensure that organisations are protecting the data they hold and share about you, but this doesn't extend to the public domain. If you put it out there, it will get indexed and others can see it; it's the nature of the internet.
If you want a good reference around privacy and data protection legislation, check out these sources:
Whether or not whitebridge and other similar services are satisfying ethical and moral obligations is a different discussion altogether, and whether they are breaching individual terms of service on social media platforms I don't know, but we can expect to see more and more of these aggregator platforms coming online in the near future.
#danweis #ai #whitebridge #humint #osint #reconnaissance #socialmedia #onlinefootprint #onlinepresence #hackproofyourself
Apprentice embedded electronics and software engineer, CESI/CEA
1 week ago: Super detailed, thanks for the pro insight.
International Liaison Partner at Grupa Strategia
3 months ago: Many thanks for this, very useful.
Director at Forward Group
4 months ago: I was looking at this as a form of due diligence on new clients but doesn't look like it offers much at the moment against the rather hefty cost.