This semester, the members of the Penn State World Campus Technology Club put on their detective hats to do some work for a good cause and to build community in their group.
In September, the club’s members scoured the internet, combing through information available to the public online and on social media, looking for leads to help police in Pennsylvania find missing people. It was a Capture the Flag event run through Trace Labs, a national nonprofit organization whose mission is to help reunite missing people with their families while training participants to use open source intelligence, or OSINT.
Student Rae Baker, the president of the Technology Club, participated in a Capture the Flag event earlier in 2019. She thought it would be an activity her club would enjoy.
Here’s how it worked
The club invited anyone with a Penn State email address to join. Most joined online, and two participated from a classroom in the Westgate Building on the Penn State University Park campus.
Participants received a list of the missing persons. The task: Use any publicly available information online that could advance the investigation for police.
“You never know — somebody may have posted where they were at on Twitter,” said Baker, a self-described true-crime junkie. “A lot of the time, the police don’t have the resources to dive into the details.”
Several judges volunteered virtually to verify the information submitted and award points based on the quality of the leads that participants found. An online scoreboard showed everyone’s tallies.
One of the biggest point-getters was a comment under a listing on the AirBnB website. Baker said an AirBnB host posted that the missing person had just stayed at their rental.
During these events, Baker said she has found leads while searching data sources such as court records, YouTube videos, employment information, and social media accounts of the missing people’s relatives.
Peer, career connections
Club members spoke highly of the experience. It gave them an opportunity to network with their peers. Most participants were Penn State World Campus students, and students from University Park also joined.
They had an easy time communicating online. They chatted through Slack channels, judges used a Google Hangout, and the group streamed the event on Facebook Live.
Baker said open-source intelligence has a direct correlation to careers in security. You can do recon using OSINT to conduct a “pen test,” or penetration test, to learn about weaknesses. Then you find the vulnerabilities in their system and exploit them.
“Being able to effectively gather information through passive means can lead to a better overall pen test,” Baker said. “Furthermore, it can help a person better protect themselves against data breaches and other info leaks by knowing the full scope of information that can be gathered on them.”
Maria Popow, a Penn State World Campus student, is majoring in security risk analysis. She easily drew parallels to the kind of work she envisions herself doing in a job in the field.
“You look at how open your company is on the internet to attacks,” she said. “For instance, what emails are online for your company? It’s safe to assume that an attacker would find those because they are available to anyone. Those are the people who receive the most spam, more spearfishing emails. They look for their emails and find old passwords to scare them into opening attachments.”
Adam Snyder made another comparison: “In the corporate world, if you have employees that are posting pics of their new jobs with new employee badges, that’s a lot of info about your company that you’re giving out,” he said. “These are the things that you need to be cognizant of. You wouldn’t want your employees posting pics of themselves with their employee badges.”
The winner was Snyder: He gained most of his points through the submission of tattoo photos that had not been included in a person’s missing person report.
Visit https://www.tracelabs.org for more information.