In this episode for The Pivot podcast, we welcome our guest Palenath!
Palenath is an OSINT & hacking enthusiast and a speaker at Barbhack, UnlockYourBrain, Stack Overflow, Barbhack as well as Lehack. He coded several OSINT software and published them on GitHub. He also proactively participated in several OSINT CTFs, winning competitions held by Trace Labs, Maltego, and UnlockYourBrain.
In this episode of The Pivot, Palenath walks us through his journey on how he comes to program OSINT tools as well as his own experience of getting support from the OSINT community, recommending websites and communities for beginners. He also shares with us his opinions on operational security (OPSEC) and provides basic hygiene guidelines for researchers to protect their privacy while conducting investigations.
The Pivot: Your New OSINT and Infosec Podcast 🔗︎
Brought to you by Maltego, The Pivot is your OSINT and infosec podcast that dives deep into topics pivoting from information security to the criminal underground. Through The Pivot episodes, we aim to share insightful information for beginners and seasoned investigators alike, shedding light on all things OSINT and infosec from an insider’s perspective.
Each episode features one or two of Maltego’s own Subject Matter Experts as the host and an external expert, researcher, or industry leader invited to share their projects, stories, experiences, and advice.
Where to Listen to The Pivot? 🔗︎
The Pivot podcast is available on Spotify, Apple Podcast, Google Podcast, and the Maltego YouTube channel. Each episode is 45 to 60 minutes long and is released on the 15th of every month. Stay tuned with us for more updates!
Tell us a bit about yourself and your work! 🔗︎
Palenath: I’m Palenath, and I participated in several CTFs, like TraceLab and all the Maltego CTFs, and do stuff on our internet for fun.
Apart from that, I sometimes create OSINT tools open-source to share with the community. I automate some manual tasks to save time for people. For example, Holehe, a tool that allows you to check if an email address has been registered on different websites. The objective of Holehe is just saving time as I always did it manually at the beginning.
The name of my GitHub is Megadose. People can check out the tools I developed there. It’s good and it’s free. I put all the tools on my GitHub because the big advantage of the open source is that the community can contribute to these tools, and you are really more powerful when more people contribute to a project. For me, the knowledge needs to be shared as the knowledge is the power.
Can you give an example of where the OSINT community helped you achieve a greater project? 🔗︎
Palenath: For example, when I started on Holehe, I had just 20 websites. The community gave some ideas to upgrade the tool. For me, it’s definitely more powerful when we are in a community since most people are going to use your tool and help you find some bugs.
That’s the power of the open source, but the problem with the open source is the same that everyone can use your tool. Two or three months ago, someone shared a method to find a Twitter account from an email address. Within two days, the Twitter loophole was fixed. Open source tools have limitations as well as pros and cons like everything else.
Isn’t it a problem that these tools are also available to malicious users who originally don’t have the capacity or ideas to target somebody with OSINT? 🔗︎
Palenath: It’s such an interesting point. However, these guys are going to find methods to do what they want no matter what. They are going to use OSINT methods, but not because of the principle of OSINT, rather the fact that it’s hidden and the target doesn’t know the existence of their activities. If Holehe does not exist, they are going to find some aggressive methods. They don’t care about the target anyways. On the other hand, we can’t control what people do with the tools.
When everything is openly available, good people can use it for free. For example, journalists, as they don’t have a lot of money to spend on commercial tools. That’s the big win over there. They can just use the tools and have no problem with the money.
What is the reason that you are so careful with operational security (OPSEC)? 🔗︎
Palenath: One of the most crucial points and what everyone needs to remember, it’s internet forgot nothing. If someday, I put a picture of my face on the internet, it’s done. It will be around for a long time. It’s impossible to delete the picture once I put it up there, and that’s why I’m really careful with what information I share on the internet.
As I’m still very young, I don’t want to make mistakes that could negatively affect the rest of my life. Moreover, privacy is important for people in OSINT. It will be really strange if you are giving away a lot of information about yourself when conducting an OSINT investigation. I know giving just a name and a face is not a lot for people, but for me it’s a lot, and I might regret sharing the information in the future.
Any OPSEC suggestions for people that are actively doing OSINT research? 🔗︎
Palenath: For me, when you do an OSINT investigation, you need to understand that you are going to make some mistakes, and the objective here is to reduce the impact of these mistakes.
Never use your personal account to conduct your investigations. Use every time a sock puppet, which is a fake account. Never use your real IP because it’s possible that you are going to click on links controlled by the people while researching. Remember to use VPN.
Use fake phone numbers and different email addresses. Please don’t use your personal email address to create a fake account because it’s easy to find you afterwards. That’s the minimum of OPSEC for me: Using sock puppets, fake accounts, VPN, fake phone numbers, and different email addresses.
Use a virtual machine (VM) as the maximal measure. I know it’s really painful to use a virtual machine, but as an alternative, just use another browser that’s not your personal’s to avoid some stupid mistakes, such as, “Oh no, I have been exposing my personals, my face, my personal Facebook account, and I have been liking the posts of the target so they know my existence.”
Do you recommend people to go as far as using another phone or buying another one? Or is it acceptable to activate a Telegram account on their personal phone? 🔗︎
Palenath: That depends on who you are researching about. The most important thing in OPSEC is knowing from whom you want to hide. You are not going to use the same method or threat model to hide from the government as you would to hide from a random guy on the internet.
As mentioned before, use a virtual phone. It will probably be sufficient if you have a SIM card. If you don’t want to have a physical SIM card, you can use online websites to get a phone number. The best is to reduce the number of thirdparty providers. If you use an external service to get your SMS, then all the people would know how you are going to pay. Let’s say you pay with your PayPal account. They are going to know this phone number has been linked to your PayPal account.
If you have a physical SIM card, pay in cash, use it only once on the phone, and then later destroy the phone. If your targets are terrorists, it’s not an overkill to use a one-time phone and destroy it later.
Did you have any particular OPSEC fails that you want to share that are yours, of a colleague, or someone else’s? 🔗︎
Palenath: It’s not mine, but it’s during an investigation and it was really fun. What my target did was paying a lot of attention to which information they put on the internet. Like, they used different usernames and never the same profile picture. The objective of my investigation was to find their real names. I was searching and had literally nothing besides different profiles with different usernames. At some point, I got an email address. I thought to myself that it was just a random email address and I wasn’t going to find any information. However, I used epieos.com, a website that allows you to find information from an email address, just to give it a shot. I put in the email address and followed the link to an account with their real name. Apparently, they linked their personal account to this random email.
That’s why I said when you create a fake social account, don’t use your real email. It made no sense that they literally put their real names, a picture of them while working, and so on. They really spent time and money to stay private and maintained privacy well, but everyone makes mistakes.
There’s More! Listen to Our Full Interview with Palenath! 🔗︎
If you find the snippets of the interview interesting, don’t miss the full interview!
Listen to our full interview with Palenath to learn more about:
- How Palenath kicked off his OSINT journey with various content formats
- How he came to create OSINT tools
- His opinion on tools that are basically AI black box
And much more!