Chapter 1. Intelligence Gathering: Peering Through the Windows to Your Organization

To successfully execute an attack against an organization, the attacker must first perform reconnaissance to gather as much intelligence about the organization as possible. Many traditional methods for gaining intelligence about targets still work today, such as dumpster diving, querying public databases, and querying search engines. However, new methods that rely on gathering information from technologies such as social networking applications are becoming more commonplace. In this chapter, we will discuss the traditional methods as well as how the new generation of attackers is able to abuse new technologies to gather information.

From the attacker’s point of view, it is extremely important to perform reconnaissance as surreptitiously as possible. Since information gathering is one of the first steps the attacker may perform, he must take care not to do anything that may alert the target. The techniques in this chapter will therefore concentrate on methods that allow an attacker to gather information without sending a single network packet toward the target.

Information gathered during reconnaissance always ends up aiding the attacker in some way, even if it isn’t clear early on how the information is useful. Attackers want to obtain as much information about their target as possible, knowing that the data they collect, if not immediately useful, will most likely be useful in later stages of the attack.

Physical Security Engineering

Gathering information through physical means is a traditional tactic that attackers have been using for a while now. Some examples of information that an attacker can obtain from these methods include network diagrams, financial information, floor plans, phone lists, and information regarding conflicts and communications among employees.

In the next section, we will look at the different techniques attackers use to gather intelligence by physical means.

Dumpster Diving

Dumpster diving, also called “trashing,” is a method of information gathering in which an attacker searches through on-site trash cans and dumpsters to gather information about the target organization. This technique is not new, yet attackers are still able to use it to gather substantial amounts of intelligence. Methods have been developed to attempt to prevent attackers from dumpster diving, such as shredding sensitive data and using off-site companies to securely dispose of sensitive documents.

Even though some companies have taken measures to prevent dumpster diving, attackers can still gather information if they are willing to go through a target’s trash. Instead of securely disposing of trash, employees often throw away information that is considered sensitive into the nearest trash can. Humans are creatures of habit and convenience. Why would a person want to walk 25 feet to dispose of something when there is a trash can under her desk?

Figure 1-1 shows a printer cover sheet that exposes the username of the person who requested the print job. Even this username on a piece of paper is an important find for an attacker because it helps the attacker understand how the corporation handles usernames (the first letter of the user’s first name, capitalized, appended to the user’s last name, initial-capped). This knowledge gives the attacker an understanding of how to formulate an individual’s corporate username. The attacker can then use this to conduct further attacks, such as brute force password cracking.

Figure 1-1. Printer banner exposing a username

On-site dumpsters are typically easy for attackers to access and often have no locks to secure their contents. Even if locks do exist, attackers can easily bypass them to expose the dumpsters’ contents.

More and more attackers are learning ways to bypass locks. Information security conferences often conduct lock-picking contests in which contestants are judged based on the speed with which they can pick a lock or the variety of locks they can bypass. Figure 1-2 shows a photo of the electronic timing system used to test contestants’ speed in bypassing a lock at the DEFCON 12 hacker convention. Even locks don’t prevent attackers from going through the contents of a dumpster.

Figure 1-2. Electronic timing system at DEFCON 12’s lock-picking contest (picture provided by Deviant Ollam)

As long as attackers can obtain useful information from trash cans and dumpsters, dumpster diving will continue to be an avenue for information gathering.

Hanging Out at the Corporate Campus

Attackers often go on-site, to the corporate location, to gain more information about their targets. Attackers have determined they can gain intricate knowledge about an organization just by walking around the corporate campus and overhearing work conversations.

Employees are often oblivious to the fact that some people walking around corporate campuses aren’t company employees. Attackers can overhear conversations regarding confidential topics such as IPOs, products in development, and impending layoffs. This information can become useful in social engineering attacks involving phone calls and emails, which we will address in later chapters. For now, here is a sample conversation that is typical of what an attacker may overhear at a corporate campus, involving two employees walking to their cars:

Sam: …but that’s why the Rams won the game.

Bob: Yeah, but it was a close game.

Sam: The seats were unbelievable. I wish you and Sally could’ve come.

Bob: Yeah, me too; too many conference calls last night with the investment bank.

Sam: I forgot about that. How is the IPO work going anyway?

Bob: Pretty good. We have obtained underwriting from Large Investment Bank XYZ Corporation. The share price is currently being set at around 15. The bank thinks that is around 70% of what the stock will go for on the open market.

Sam: Well, that should be a nice little investment for them.

Bob: Yeah. Well, our shares should be worth more after the 180-day waiting period too.

Sam: All right! That’s what I like to hear.

The information that is exposed in this conversation may not seem super-sensitive. But this information may aid an attacker in gaining an employee’s trust, since he knows about the IPO work that is being done. This information may even help someone who is not an attacker. It may help a non-critical employee or some other person who was walking around the corporate campus that day.

Cigarette smokers are easy targets for gathering information about an organization. Typically, smokers have designated areas for their breaks; attackers can hang out in these areas, asking for “a light” and beginning a conversation with an employee about internal projects or intellectual property.

The following is a conversation involving a person who appears to be an employee walking back to the building from lunch. The person stops and lights a cigarette and begins a conversation with a director at the company.

Employee: How’s it going?

Director: Good. (Reading a newspaper)

Employee: Good to hear. (Waits patiently)

*After a few seconds*

Director: You know, every time I read one of these electronics ads, I want to go to the store and buy something. But once I get there I realize why I don’t go there. They have horrible customer service.

Employee: I totally agree. What are you interested in purchasing?

Director: Well, I was thinking about the....

*General small talk regarding television sets*

Employee: Yeah, I would get the LCD television. So, when is the Q4 earnings call? I don’t think I received an email with the date yet.

Director: January 25. But it’s a year-end call. As you know, here at Large Organization we have year-end calls instead of Q4 calls.

Employee: How are we handling ourselves with the way the economy is going right now?

Director: Well, I can’t comment. It would be considered insider information. I wouldn’t want you to suffer from insider trading.

Employee: Yeah, I understand. You can’t be too careful nowadays.

Director: Nothing to be concerned about. (She walks toward the door.)

Employee: I just want to know if I will have a job next year at this time. Ha!

Director: Don’t worry about that. We did better this year than last year, even with the slumping economy. Have a good day.

Employee: Have a good one.

Even though the director stated she couldn’t give out “insider” information, she still did. She stated, “We did better this year than last year.” This is exactly the type of information the attacker is looking for.

In addition to overhearing or engaging in conversations on corporate campuses, attackers will attempt to follow employees into buildings. This is referred to as “piggybacking” and can be quite successful. Once inside a building, the attacker may attempt to check for unlocked doors that may provide additional areas to access or may expose the attacker to more corporate information.

While attempting a physical penetration test for a client, we, the authors of this book, were able to piggyback an employee into a building. Once inside the building, we began to open doors to see which additional areas we might be able to access. We discovered an unlocked room in which employee badges were created. We created badges for ourselves (the computer’s password was the name of the company) and we no longer needed to piggyback employees into the building.

Google Earth

Google Earth is free mapping software provided by Google. An attacker can use Google Earth to view a map of his target’s physical location before arriving on-site, providing him with spatial knowledge of the target environment. The attacker will have an easier time blending in with other employees if he already knows the general path other employees take. Figure 1-3 shows O’Reilly’s corporate campus from Google Earth.

In addition to the spatial knowledge of a target, Google Earth also provides an easy way for attackers to plan entrance and escape routes. Attacks involving conflict, such as those involving the police, can easily be premeditated using Google Earth. The time it will take response teams, such as fire, medical, and law enforcement, to arrive can be calculated using this application.

Figure 1-3. O’Reilly campus as seen from Google Earth

Social Engineering Call Centers

Social engineering is the art of obtaining information from people who don’t want to give it. Journalists, law enforcement officers, and lawyers learn these skills as a trade. They learn techniques to intimidate or sympathize with a person so that the person “reveals her hand.” Attackers use similar techniques to gather sensitive information from unsuspecting victims.

Call centers are a target for social engineering because they offer a great way to directly interact with employees from a given company. The company call center provides an attacker with a large population of targets. If these targets become hostile or become aware of the attacker, the attacker just needs to hang up and try again.

Attackers often seek targets who are new to the organization, are easily intimidated, or don’t like dealing with confrontation. Call centers allow the attacker to leave a small footprint, meaning there is little chance the organization will even know that it is being attacked.

A sample conversation between an attacker posing as a consumer and a call center employee may go something like this:

Employee: Thank you for calling Large Organization. Can I get your account number?

Caller: Yeah, sure. I think it is 55560-5-2219, but I could be wrong. I haven’t called in before.

Employee: That’s all right; give me a few minutes while I look up that account’s information.

Caller: No problem. How is your day going? (Jovial tone)

Employee: I can’t complain. It’s just been a little hectic around here with the merger and all.

Caller: I read about that. It’s with Company X, right?

Employee: Yeah, a lot of us aren’t sure if there will be positions for us once the merger is complete.

Caller: Sorry to hear that.

Employee: I can’t find any information for the account number you gave me. Are you sure that is your account number?

Caller (ruffle of papers): I will have to look around and see if I can find it. I will call back later.

Employee: Okay. Thanks for calling Large Organization. Have a great day.

The information the attacker received could be considered sensitive in nature. The attacker obtained information suggesting that Company X may be laying off employees because of a merger. He also discovered that Company X might be laying off people specifically from the support department that he called. This information could be useful to a competing organization. An attacker could then call recently laid-off people, assuming the role of a hiring manager, to get more information about the target organization.

Search Engine Hacking

Search engines, by definition, are used to find and locate information on the World Wide Web. In addition to using search engines to search for information, attackers have ways of using search engines to identify and locate vulnerabilities and confidential data.

Using search engines to find vulnerabilities offers a way for attackers to probe a network without the target’s knowledge since the entire search request and response come from the search engine and not the target. The attacker doesn’t leave a footprint since he is not sending information to the target. Attackers also use a cached page to view the information, instead of accessing the site directly, which creates another layer of protection for them.

Google Hacking

Numerous books and presentations discuss how to gather “sensitive” information from Google. Attackers can use Google to gather basic information such as contact lists, internal documents, and top-level organizational structures, as well as locate potential vulnerabilities in an organization’s web application.

Attackers can use a specific type of search query, called a dork, to locate security issues or confidential data. Attackers can use dorks to obtain firewall logs and customer data, and to find ways to access an organization’s database.

Security professionals have developed public databases of dorks. Dork databases exist for several different search engines; the most common dork database is the Google Hacking Database.

Note

The Google Hacking Database (GHDB) is a great resource for finding dorks that can aid an attacker. The GHDB is located at http://johnny.ihackstuff.com/ghdb/.

Using a dork is relatively simple. An attacker locates a dork of interest, and then uses Google to search for the dork. The following code is a dork that attempts to identify web applications that are susceptible to an SQL injection vulnerability by searching for a MySQL error message that commonly signifies the existence of an SQL injection flaw:

"Unable to jump to row" "on MySQL result index" "on line"

An attacker can limit the dork to a certain domain by adding the site: directive to the query string. For example, here is a Google query that is limited to the example.com domain:

"Unable to jump to row" "on MySQL result index" "on line" site:example.com

Figure 1-4 illustrates the execution of the SQL injection dork. Notice that more than 900,000 results were returned!

Figure 1-4. Execution of an SQL injection dork
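A defender can run the same dorks against a local copy of the organization’s own site before a search engine indexes it. The following is an added example written for this chapter, not code from the GHDB, SEAT, or any tool named here; it implements the query syntax the chapter’s dorks use (quoted phrases, bare terms, site:, filetype:, intitle:) and matches it against a constructed corpus of pages standing in for a crawl of example.com.

```python
"""Evaluate Google-style dorks against a local page corpus (added example).

Pages are (url, title, body) tuples. Matching follows the observable
behaviour of the operators the chapter uses: a quoted phrase must appear
verbatim (case-insensitively), site: matches a host and its subdomains,
filetype: matches the URL path extension, intitle: matches the title only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Dork:
    phrases: List[str] = field(default_factory=list)   # quoted "..." strings
    terms: List[str] = field(default_factory=list)     # bare words
    intitle: List[str] = field(default_factory=list)
    site: Optional[str] = None
    filetype: Optional[str] = None


def parse_dork(query: str) -> Dork:
    """Split a dork into operators. Quoted phrases are kept as one token."""
    dork = Dork()
    for raw in re.findall(r'"[^"]*"|\S+', query):
        low = raw.lower()
        if raw.startswith('"') and raw.endswith('"'):
            dork.phrases.append(raw[1:-1].lower())
        elif low.startswith("site:"):
            dork.site = low[5:]
        elif low.startswith("filetype:"):
            dork.filetype = low[9:]
        elif low.startswith("intitle:"):
            dork.intitle.append(low[8:])
        else:
            dork.terms.append(low)
    return dork


def _host_matches(url: str, site: str) -> bool:
    """site:example.com covers example.com and every subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == site or host.endswith("." + site)


def matches(dork: Dork, url: str, title: str, body: str) -> bool:
    title_l = title.lower()
    text = title_l + "\n" + body.lower()
    if dork.site and not _host_matches(url, dork.site):
        return False
    if dork.filetype and not urlparse(url).path.lower().endswith("." + dork.filetype):
        return False
    if any(w not in title_l for w in dork.intitle):
        return False
    if any(p not in text for p in dork.phrases):
        return False
    return all(t in text for t in dork.terms)


def run_dork(query: str, pages) -> List[str]:
    """Return the URLs in `pages` that the dork would surface."""
    dork = parse_dork(query)
    return [url for url, title, body in pages if matches(dork, url, title, body)]


# Constructed corpus standing in for a local crawl. The third page reproduces
# the MySQL warning the chapter's SQL injection dork looks for; the fourth is
# the same leak on a host outside the site: restriction.
MYSQL_WARNING = ("Warning: mysql_fetch_array(): Unable to jump to row 0 on MySQL "
                 "result index 3 in /var/www/catalog.php on line 42")
PAGES = [
    ("http://www.example.com/index.html", "Example Corp", "Welcome to Example Corp."),
    ("http://intranet.example.com/reports/q4.ppt", "Q4 Expenses", "Q4 Expenses summary deck"),
    ("http://www.example.com/catalog.php?id=1", "Catalog", MYSQL_WARNING),
    ("http://www.other.org/catalog.php?id=1", "Catalog", MYSQL_WARNING),
]

# The two dorks quoted in this chapter, restricted to the constructed domain.
SQLI_DORK = '"Unable to jump to row" "on MySQL result index" "on line" site:example.com'
PPT_DORK = 'filetype:ppt "Q4 Expenses" site:example.com'

if __name__ == "__main__":
    for q in (SQLI_DORK, PPT_DORK):
        print(q, "->", run_dork(q, PAGES))
```

Any hit on a real crawl is a page to fix or pull before it shows up in the 900,000 results the chapter mentions.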

Automating Google Hacking

An attacker can use the Search Engine Assessment Tool (SEAT), developed by Midnight Research Labs, to automate Google hacking. SEAT uses search engines and search caches to search for vulnerabilities for a particular domain.

SEAT supports multiple search engines, including Google, Yahoo!, and MSN. SEAT also has a variety of built-in dorks. The databases that SEAT uses (shown in Figure 1-5) were compiled from multiple sources, including the GHDB and Nikto.

An attacker can select multiple databases and search engines when using SEAT. Along with SEAT’s multithreading, these features aid the attacker greatly when he’s gathering information via search engine hacking. Figure 1-6 shows SEAT during the execution stage running 15 simultaneous queries.

Note

You can obtain the latest version of SEAT from http://midnightresearch.com/projects/search-engine-assessment-tool/.

Extracting Metadata from Online Documents

Metadata is “data about other data.” A good example of metadata is the data that is often inserted into Microsoft Office documents such as Word. For instance, Microsoft Word inserts data such as usernames and folder paths of the author’s machine. Attackers can extract this metadata from documents that corporations have put online.

Using search engines, attackers can use specific directives to limit their results to specific file types that are known to include metadata. For example, the Google directive filetype:doc will return only Microsoft Word files. The following is a query that returns only PowerPoint presentations that contain the phrase “Q4 Expenses”:

filetype:ppt "Q4 Expenses"
Figure 1-5. SEAT’s different built-in vulnerability databases

Attackers query Google using such queries; then they download the documents that are returned and examine them, pulling out any metadata stored within them.
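The same extraction works in reverse as a pre-publication check. The following is an added example for this chapter, not Metagoofil’s or any other tool’s code; it assumes Office Open XML files (.docx/.pptx/.xlsx, the zip-based successors of the .doc/.ppt/.xls formats above), whose properties live in docProps/core.xml and docProps/app.xml, and it builds a small sample document in memory so it runs offline.

```python
"""Report the author, company and template-path metadata an OOXML document
carries, and flag the fields that should be stripped before it goes online
(added example; namespaces are the published OOXML ones, sample data is made up)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# The fields that leak what the chapter describes: usernames, the organization,
# local folder paths and edit history.
CORE_FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
               "revision": "cp:revision", "created": "dcterms:created"}
APP_FIELDS = {"company": "ep:Company", "template": "ep:Template",
              "application": "ep:Application", "hyperlink_base": "ep:HyperlinkBase"}


def _text(root, path):
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def extract_metadata(data: bytes) -> dict:
    """Return the populated metadata fields of an OOXML document given its bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in CORE_FIELDS.items():
                found[key] = _text(core, path)
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            for key, path in APP_FIELDS.items():
                found[key] = _text(app, path)
    return {k: v for k, v in found.items() if v}


def leaks(meta: dict) -> list:
    """Fields a reviewer should clear: any person or company name, and a
    template value that is a full local or UNC path rather than a bare name."""
    flagged = [k for k in ("creator", "last_modified_by", "company") if meta.get(k)]
    template = meta.get("template", "")
    if "\\" in template or "/" in template:
        flagged.append("template")
    return flagged


def build_sample_docx() -> bytes:
    """Constructed sample: the minimal zip layout with populated property parts."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>jsmith</dc:creator>"
        "<cp:lastModifiedBy>mjones</cp:lastModifiedBy>"
        "<cp:revision>14</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2009-01-15T10:03:00Z</dcterms:created>'
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], NS["dcterms"])
    )
    app = (
        '<Properties xmlns="%s">'
        "<Application>Microsoft Office Word</Application>"
        "<Template>C:\\Users\\jsmith\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm</Template>"
        "<Company>Example Corp</Company>"
        "</Properties>" % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not parsed here
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_metadata(build_sample_docx())
    for key, value in meta.items():
        print(f"{key:17} {value}")
    print("strip before publishing:", leaks(meta))
```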

Metagoofil is an automated tool that queries Google to find documents that are known to contain metadata. Metagoofil will query Google using a specific domain, download the files that are returned, and then attempt to extract the contents. Here is a demonstration of Metagoofil being used against example.com:

$ python metagoofil.py -d example.com -f all -l 3 -o example.html -t DL
*************************************
*MetaGooFil Ver. 1.4a               *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************

[+] Command extract found, proceeding with leeching
[+] Searching in example.com for: pdf
[+] Total results in google: 5300
[+] Limit: 3
        [ 1/3 ] http://www.example.com/english/lic/gl_app1.pdf
        [ 2/3 ] http://www.example.com/english/lic/gl_app2.pdf
        [ 3/3 ] http://www.example.com/english/lic/gl_app3.pdf
[+] Searching in example.com for: doc
[+] Total results in google: 1500
[+] Limit: 3
        [ 1/3 ] http://www.example.com/english/lic/gl_app1.doc
        [ 2/3 ] http://www.example.com/english/lic/gl_app2.doc
        [ 3/3 ] http://www.example.com/english/lic/gl_app3.doc
[+] Searching in example.com for: xls
[+] Total results in google: 20
[+] Limit: 3
        [ 1/3 ] http://www.example.com/english/lic/gl_app1.xls
        [ 2/3 ] http://www.example.com/english/lic/gl_app2.xls
        [ 3/3 ] http://www.example.com/english/lic/gl_app3.xls
[+] Searching in example.com for: ppt
[+] Total results in google: 60
[+] Limit: 3
        [ 1/3 ] http://www.example.com/english/lic/gl_app1.ppt
        [ 2/3 ] http://www.example.com/english/lic/gl_app1.ppt
        [ 3/3 ] http://www.example.com/english/lic/gl_app1.ppt
[+] Searching in example.com for: sdw
[+] Total results in google: 0
[+] Searching in example.com for: mdb
[+] Total results in google: 0
[+] Searching in example.com for: sdc
[+] Total results in google: 0
[+] Searching in example.com for: odp
[+] Total results in google: 0
[+] Searching in example.com for: ods
[+] Total results in google: 0

Usernames found:
================
rmiyazaki
tyamanda
hlee
akarnik
April Jacobs
Rwood
Amatsuda
Dmaha
Dock, Matt

Paths found:
============
C:\WINNT\Profiles\Dmaha\
C:\TEMP\Dmaha\
C:\Program Files\Microsoft Office\Templates|Presentation Designs\example
C:\WINNT\Profiles\Rwood
[+] Process finished
Figure 1-6. SEAT using 15 threads, searching for vulnerabilities using multiple search engines

Note

The publicly available Python script metagoofil.py aids in searching, gathering, and extracting metadata from documents. It is available from http://www.edge-security.com/metagoofil.php.

Searching for Source Code

Developers will often post code on public forums when they discover a bug they cannot solve. Too often, these developers will post code without redacting it in any way. It is unsettling how often these forums display code that clearly belongs to a specific organization.

Information such as the developer’s name, internal comments, code descriptions, and organizational ownership are among the items you can find in source code that is posted on public forums on the Internet.

Using Google, it is trivial to find some of this code in a short period of time. Using search terms such as “here is the code” and “here is the exact code” will return many results. Here is a code snippet that we found using Google (the code has been redacted):

<?php
$error = ""; // Set a variable that will be used for errors
$sendTo = ""; // Set a variable that will be used for emailing
// Form is submitted
if(isset($_POST['upload']) && $_POST['upload'] == 'Upload File')
{
$whereto = $_POST['where']; // Gets post value from select menu
// Gets file value from file upload input
$whatfile = $_FILES['uploadedfile']['name'];
// This is the subject that will appear in the email
$subject = "File uploaded to ". $whereto ." directory";
$from = "FTP UPLOAD <noreply@redacted.com>";
// Checks to see if $whereto is empty, if so echo error
if(empty($whereto))
{
$error = "You need to choose a directory.<br />";
}
// Checks to see if file input field is empty, if so throw an error
if($whatfile == NULL) {
$error .= "You need to choose a file.";
}
//if no errors so far then continue uploading

if(!empty($whereto) && $whatfile != NULL) {
$target_path = "$whereto/"; // The directory the file will be placed
...

This code snippet describes upload functionality that is on a web server. An attacker can use this code to reverse-engineer how to get a file into a different directory, or how to bypass the security mechanisms that are in place.

Leveraging Social Networks

Attackers can use social applications such as MySpace and Facebook to gain inordinate amounts of information about a company’s employees. Information such as an employee’s hometown, her interests, and even incriminating pictures are available on these sites.

Social applications attempt to prevent unauthorized parties from viewing users’ information. However, social applications and their users benefit from that information being publicly available, making it easier for people to find others who share similar interests without knowing them first. Users of social applications are therefore given an incentive to share as much data as they can; the more data they share, the more they benefit from the social network.

Facebook and MySpace

The popularity of social applications such as Facebook and MySpace has grown exponentially around the world. These applications are driving a phenomenal paradigm shift in how people communicate and collaborate.

From an attacker’s point of view, a wealth of information is available from profiles on social networking websites. An attacker can obtain an amazing amount of information without even having an account on some social networking applications, such as MySpace. Alternatively, an attacker can easily create an account to gain the ability to interact with a targeted individual. For example, an attacker may send friend requests to an employee of a specifically targeted company to gain additional knowledge of the company.

Abusing Facebook

Social applications have many inherent weaknesses despite all of the security built into them. For example, after browsing to Facebook.com, an attacker can click the “Forgotten your password?” link and select the option of not having access to his login email address. (This option is legitimately available for Facebook users who do not have access to their original email account and those who have forgotten their Facebook credentials.) Figure 1-7 shows the page the attacker sees in this situation. The attacker can obtain the requested information from the targeted individual’s Facebook profile. If it is not accessible, the attacker can use another social networking site, such as LinkedIn or MySpace.

Figure 1-7. Facebook’s forgotten password functionality; this is only for cases where the user selects that she does not have access to her original email account

Once the attacker has obtained and submitted this information, he is presented with Figure 1-8. The additional “private” information being requested in this example is the target’s college graduation year. Figure 1-9 shows the target’s graduation year, obtained from her LinkedIn profile.

Figure 1-8. Request for target’s college graduation year
Figure 1-9. LinkedIn profile showing the year the target graduated college

Once the additional information has been submitted, Facebook sends the attacker the email shown in Figure 1-10.

The attacker responds to the email, as requested by Facebook. After a few hours, the attacker receives another email describing how to change the password on the account. This example shows how easy it is to use the biographical information posted on social applications to break authentication mechanisms.

Attacks such as this are becoming more frequent and are gaining media coverage. During the 2008 presidential election, the attack on vice presidential hopeful Sarah Palin’s Yahoo! email account received abundant media coverage. Figure 1-11 shows a screenshot of a forum post describing how the attacker found all of the necessary information to defeat Yahoo!’s security reset mechanisms.

Figure 1-10. Facebook’s response
Figure 1-11. Description of how the attacker obtained access to Sarah Palin’s Yahoo! account

Twitter

Twitter is a microblogging application. A microblog consists of small entries that users post from “connected” devices. More and more people are using Twitter to collect their thoughts about different things they encounter and post them to the Internet. Messages on Twitter are often unedited, informal, and off-the-cuff. Because of this, the information has a tendency to be very accurate and genuine.

An attacker can use Twitter’s search interface, http://search.twitter.com, to search Twitter messages given a specific keyword. Depending on the target, it may be beneficial for attackers to seek information about a specific individual or organization.

In February 2009, Pete Hoekstra, a member of the U.S. House of Representatives, used Twitter to update his precise whereabouts while traveling to Iraq. Figure 1-12 shows Hoekstra’s message.

Figure 1-12. Pete Hoekstra’s Twitter message

It is clear from this example how the information individuals put on microblogging channels can aid attackers. In this case, the information Hoekstra twittered could have aided terrorist efforts that may have jeopardized his security. Messages posted on microblogging channels such as Twitter are therefore extremely important and useful to attackers.

Note

For more information on the Pete Hoekstra incident, see “Pete Hoekstra Uses Twitter to Post from Iraq about Secret Trip” at http://www.mediamouse.org/news/2009/02/pete-hoekstra-twitter-iraq.php.

Tracking Employees

Attackers do not necessarily limit their attacks to organizations. Often, the attacks are aimed at specific employees and business units of the target organization. The human factor is still the weakest part of the organization.

First things first: attackers need to gather employee lists and then correlate attack vectors to them. In doing so, attackers have a better chance of successfully entering the target organization.

A critical step for attackers is to gather a target list of employees. This list will often contain employee names, personal and work email addresses, home addresses, work and home phone numbers, and some interesting notes about the employees.

The information contained in such an employee list can have multiple uses. For example, certain information about an employee may suggest that the best attack method is social engineering through intimidation. Another employee’s profile may suggest she is particularly vulnerable to clicking links from emails received from social applications.

Email Harvesting with theHarvester

One of the first steps an attacker needs to take is to gather the corporate email addresses of employees. Attackers do this by using search engines or by crawling the corporate website. In addition, they can search forums, looking for email addresses ending in the target domain.

Obtaining email addresses provides a starting point for an attacker; once he has the email addresses, he can research the employees in more depth.

theHarvester, also known as goog-mail.py, is a tool for enumerating email addresses from a target domain using these methods. You can configure theHarvester to use Google or the MSN search engine, as well as attempt enumeration on PGP servers and LinkedIn.com. The following example demonstrates how to use theHarvester.py to find email addresses belonging to example.com using Google as the search engine:

$ python theHarvester.py -d example.com -b google -l 1000

*************************************
*TheHarvester Ver. 1.4              *
*Coded by laramies                  *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************

Searching for example.com in google :
========================================

Total results:  326000000
Limit:  1000
Searching results: 0
Searching results: 100
Searching results: 200
Searching results: 300
Searching results: 400
Searching results: 500
Searching results: 600
Searching results: 700
Searching results: 800
Searching results: 900

Accounts found:
====================
psurgimath@example.com
csmith@example.com
info@example.com
brios@example.com
jlee@example.com
====================

Total results:  5

Note

theHarvester is available on BackTrack 3 under the /pentest/enumeration/google directory and is named goog-mail.py. It is also available for download at http://www.edge-security.com/theHarvester.php.

Resumés

Using online search engines, attackers can search for resumés containing sensitive information. The amount of “sensitive” information contained in a resumé can be substantial. Job seekers will often include information in their resumés that could be considered sensitive and therefore could be useful to an attacker.

The majority of people building resumés don’t realize attackers can data-mine the information they include, and therefore will often include details about projects they are currently working on. These details can range from benign information or general knowledge to information that is intended for an internal audience only.

Again, an attacker can use Google to search for resumés containing the name of the target organization. For example, this search query will return Microsoft Word resumés that contain the phrase “current projects”:

resume filetype:doc "current projects"

Searches such as this turn up hundreds of results. Searching for current and previous employees of the target organization can reveal information that is important to an attacker. Information from resumés can:

  • Reveal programs, databases, and operating systems that are used internally. Systems include SAP, MySQL, Oracle, Unix, and Windows. This information may include version numbers.

  • Reveal previous and current projects. Attackers can search for other resumés that have similar project names to attempt to locate other team members.

  • Allow attackers to link employees who worked on projects together, aiding an attacker in identifying social networks.

  • Reveal internal details of projects.

  • Reveal home addresses and phone numbers of current employees that can be used in social engineering attacks.

The projects listed in the sample resumé illustrated in Figure 1-13 include competitive products currently in development, information about SAP integration, and a hybrid engine purchased by Boeing in September 2006.

Figure 1-13. Resumé with information that could potentially help an attacker

Job Postings

In addition to resumés, job postings can lead attackers to useful information. Job postings are often found on corporate websites or through job search sites (for example, Monster.com). Some job postings contain information such as hiring managers’ names, corporate email addresses, or additional information that can aid attackers in tracking down employees.

Using information gathered from a simple job posting, along with ideas we presented earlier in the chapter, we will demonstrate how we were able to track down a target employee. Our first step was to search a job posting site looking for hiring managers. After searching Monster.com for a hiring manager from the target organization, we acquired the email address shown in Figure 1-14.

Figure 1-14. Job posting listing the hiring manager’s email address

Once we obtained the email address, we used Google to track down information on the hiring manager, as illustrated in Figure 1-15. The information we obtained identified the hiring manager’s name and work phone number. We found this information on the company’s corporate website.

Figure 1-15. A Google search revealing the hiring manager’s full name and work extension

Now we had a work number and extension. What other information can we dig up?

Using LinkedIn, we searched for the hiring manager along with the name of the organization. We successfully identified the hiring manager’s profile, which gave us more information about her. Figure 1-16 is a screenshot of the hiring manager’s LinkedIn page, which contains a wealth of information that we could use for nefarious purposes.

Figure 1-16. The hiring manager’s LinkedIn profile

Now we have professional information about the target. Can we dig further to identify other personal information? Can we use this information to intimidate or blackmail the hiring manager?

Assume that we browse to some social application sites and use the hiring manager’s name as a search term. We can limit the results based on the geographic location listed in the target’s LinkedIn profile. We can use additional information to limit results, including the target’s age and occupation, and even her social contacts. Figure 1-17 shows the target’s MySpace profile.

Figure 1-17. The hiring manager’s MySpace page

This demonstrates the impact that a few pieces of information can have. Using that information, we were able to obtain additional information about the victim and her organization. Clearly, job postings can help attackers identify key people and give them a starting point for an attack.

Google Calendar

Attackers can use Google Calendar, located at http://calendar.google.com, to find information about companies and their employees. Using a valid Google account, an attacker can search through public calendars. Most individuals are aware that public calendars shouldn’t contain sensitive or confidential information. But people often forget this fact after they have made their calendar public. Information in public calendars can include internal company deadlines, internal projects, and even dial-in information.

Figure 1-18 shows the dial-in number and code required to attend an IBO teleconference. Attackers can use this public information to call in and “overhear” the conference call.

Figure 1-18. Dial-in information obtained from calendar.google.com

Figure 1-19 shows another conference call, but outlines more detail about the call. The description states that three vendors will be making their final pitches to the organization. The description goes on to say that the company is not informing the vendors about the other phone calls to avoid having them “listen in” on their competition’s calls. Why did someone put this in his public calendar for the world to see? It is clear how this may aid an attacker and a competitor.

Figure 1-19. Dial-in information regarding vendor calls

What Information Is Important?

What kind of information is important to an attacker and what isn’t? All information that an attacker can find can be used for some purpose. From the attacker’s perspective, all information is important. Some information can be more critical than other information. Information that could be deemed critical for an attacker to have would include:

  • An employee’s personally identifiable information (PII), such as work and home phone numbers, work and home addresses, criminal history, Social Security numbers, and credit reports

  • Network layouts, including the number of web servers and mail servers, their locations, and the software versions they run

  • Company files, including database files, network diagrams, internal papers and documentation, spreadsheets, and so forth

  • Company information such as mergers and acquisitions, business partners, hosting services, and so forth

  • Organizational information, including organizational charts detailing the corporate structure of who reports to whom

  • Work interactions detailing such information as who gets along at the office, how often direct reports communicate with their managers, how often managers communicate with their subordinates, how they communicate (e.g., via email, phone, BlackBerry), and so forth

The information outlined here can be public or private. Attackers who have done their preliminary research are rewarded greatly. All of the information obtained during reconnaissance can benefit the attacker in some way, including leveraging public information to gain internally sensitive information.

Summary

In the past, system administrators have relied on perimeter-based security controls to alert them to potential attacks on their networks. However, the techniques that attackers can use during reconnaissance will not trigger any such perimeter- or network-based controls.

Due to the popularity of social applications today, it has become difficult for any organization to keep track of or police the information employees may put out there. The information-collection avenues for attackers are not limited to social applications, but include job postings, resumés, and even simple Google searches.

The crafty attackers are using, and will continue to use, the types of techniques presented in this chapter to gain substantial amounts of data about their potential victims. As you saw in this chapter, the techniques that attackers leverage today often include components of social engineering that give the attempts a greater impact and make them extremely hard to detect.
