Monday Sep 04, 2006

Google Hacking: Social Engineering Redux

While looking through some recent postings, I came across this posting by Dumb Little Man. His brief depiction is yet another in a long string of reminders for us all to be more careful about safeguarding our personal information. All too often, people take their (or their company's) privacy for granted and do not concern themselves with who will see the information that they post - that is, until something bad happens. Worse yet is that people often do not understand how the various types of information made available can be used together to create a multiplicative effect - except perhaps in the more publicized identity theft arena.

Each and every day, it is getting easier to find out greater amounts of information on people, places, companies and services. Let's consider extending the thought experiment discussed in the article above. What if an attacker were to use Google Earth to obtain satellite imagery of his target's house? This tool could be used to pinpoint the position of his target relative to other buildings, roads, or other environmental elements (e.g., wooded areas, etc.) The military has long recognized the value of such imaging for planning attacks and now this information is available (certainly at a lower resolution) to anyone, anywhere. Note: I do not want to pick on Google Earth since there are certainly many other ways to get some or all of this information (e.g., purchase paper maps and/or satellite images, personally scout out a location, etc.).

Going further, with your target's name, e-mail address or other personal details, you could use current search engines to discover pictures, movies, personal profiles, business profiles, interests, and even previous postings or affiliations of your target. There is a virtually unlimited number of potential sources depending on the nature of your target and goals. Of course, none of this is new information. Take a quick search for yourself to see what I mean. My point here is that vast amounts of personal information can be gathered today for little to no cost or effort.

Let me give you an example. I know of a family that was looking for pre-schools for their kids. After some research and careful discussion, they narrowed down their selection to a handful of schools. Enter Google. A quick search on one of the schools led the couple to a MySpace page apparently belonging to one of the school's young teachers. Reading through the teacher's public MySpace profile, the couple was horrified to find discussions and endorsements of vampirism, bloodletting and related topics. Remember, this was initially about finding a pre-school for their young children. Needless to say, that single search result caused the entire school to be taken out of consideration. Now, was the person really a teacher at that school? Who knows... but that is not the point. The personal postings of an individual had cost a school a student. One can easily imagine how personal information could be used by school or professional recruiters when examining candidates.

What is interesting to observe is the damage that can be done to individuals or corporations through the malicious posting of false information. Let's say that the person in the above case was not really a teacher but had some kind of grudge against that specific school. Who knows how much business could be lost (even without the school's knowledge) as a result of prospective parents (such as the couple above) coming across that MySpace page. Similarly, think about the damage to one's personal and professional reputation that could ensue as a direct result of malicious (or perhaps accidental) postings. In the old days, rumors could often be contained to a single company or perhaps a small town. Moving out of the town could potentially wipe your slate clean. Today however, such information, correct or not, could literally be in the hands of anyone on the planet. There is no way to avoid it.

Beyond individuals, these same techniques can be leveraged to uncover potential corporate targets. For this posting, I just did a quick search of comp.unix.solaris looking for .rhosts and uncovered this posting:

Even though I realize that use of /etc/hosts.equiv and .rhosts are not
very secure, I've thought I could possibly use them in setting up a
number of Solaris workstations in a lab/setup environment before
rolling them out to the desktops

This posting included both an e-mail address of an employee (presumably) as well as a company name. Comments like these made on mailing lists (from internal e-mail addresses) can often be used to determine key points about a target. From this small message, we can infer that the company runs Solaris and is at least considering rsh/rlogin trust via /etc/hosts.equiv and .rhosts. That matters because rhosts trust authenticates by the client's hostname or IP address rather than by any secret: anyone who can spoof or take over a trusted host gets in without a password, and the "lab only" setup has a habit of surviving the rollout to the desktops. Not overly useful on its own, but it is a start. Spending a little more time, it is not hard to find people asking security questions, talking about audit failures, or divulging information (seemingly harmless) that provides clues about their security configuration, recent problems, or even how frequently they patch their systems.
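The footprinting described above can be automated once you have pulled an archive of postings. The script below is an added example, not code from the original post: it parses a handful of constructed USENET-style messages (the first paraphrases the post quoted above; the domain names and the `FREEMAIL` list are assumptions), drops posts from personal addresses, and aggregates OS, trust-mechanism, service and process indicators per corporate domain. Real archives would be fed in the same shape, one raw message per string.

```python
"""Footprint an organisation from public mailing-list posts.

Added example, not from the original blog post.  The posts in SAMPLE_POSTS
are constructed samples (example-corp.com and gmail.example are assumed
names), and INDICATORS is one analyst's keyword list, not a standard.
"""
import re
from collections import defaultdict

# Constructed sample messages in a minimal header/blank-line/body form.
SAMPLE_POSTS = [
    """From: jdoe@example-corp.com
Newsgroups: comp.unix.solaris
Subject: hosts.equiv in a lab

Even though I realize that use of /etc/hosts.equiv and .rhosts are not
very secure, I've thought I could possibly use them in setting up a
number of Solaris workstations in a lab environment.
""",
    """From: ops@example-corp.com
Newsgroups: comp.unix.solaris
Subject: patch cluster question

We apply the recommended patch cluster quarterly. Is that too infrequent?
Our audit last month flagged telnet still being enabled.
""",
    """From: someone@gmail.example
Newsgroups: comp.unix.solaris
Subject: question

How do I change my shell?
""",
]

# What each hit implies about the poster's environment.
INDICATORS = {
    "os:solaris": re.compile(r"\bsolaris\b", re.I),
    "auth:rhosts-trust": re.compile(r"\.rhosts|hosts\.equiv|\brsh\b|\brlogin\b", re.I),
    "svc:telnet": re.compile(r"\btelnet\b", re.I),
    "process:patching": re.compile(r"\bpatch(?:es|ing)?\b", re.I),
    "process:audit": re.compile(r"\baudit\b", re.I),
}

# Assumption: mail from these domains is personal, so it says nothing
# about an employer's infrastructure and is skipped.
FREEMAIL = {"gmail.example", "hotmail.example"}

# Matches "From: addr@domain" or "From: Name <addr@domain>".
HEADER_RE = re.compile(r"^From:\s*(?:.*<)?([^\s<>]+@([^\s<>]+?))>?\s*$", re.M)


def parse_post(raw):
    """Return (address, domain, body) for one raw message, or None if no From: line."""
    m = HEADER_RE.search(raw)
    if not m:
        return None
    address, domain = m.group(1).lower(), m.group(2).lower()
    _, _, body = raw.partition("\n\n")  # body starts after the first blank line
    return address, domain, body


def footprint(posts):
    """Aggregate indicators per corporate domain.

    Returns {domain: {"addresses": set, "indicators": set, "posts": int}}.
    """
    profile = defaultdict(lambda: {"addresses": set(), "indicators": set(), "posts": 0})
    for raw in posts:
        parsed = parse_post(raw)
        if parsed is None:
            continue
        address, domain, body = parsed
        if domain in FREEMAIL:
            continue
        entry = profile[domain]
        entry["addresses"].add(address)
        entry["posts"] += 1
        for label, pattern in INDICATORS.items():
            if pattern.search(body):
                entry["indicators"].add(label)
    return dict(profile)


if __name__ == "__main__":
    for domain, entry in footprint(SAMPLE_POSTS).items():
        print(f"{domain}: {entry['posts']} post(s) from {sorted(entry['addresses'])}")
        for label in sorted(entry["indicators"]):
            print(f"  - {label}")
```

Run against the samples, the personal address is discarded and example-corp.com comes out with two posters and five indicators: Solaris, rhosts trust, telnet still enabled, a quarterly patch cycle and a recent audit. None of those is a vulnerability by itself; together they tell an attacker where to look first.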

With the free and for-fee sources of information available today, the possibilities are truly staggering. That said, it is certainly not like this is anything new. The Internet is riddled with postings and pages detailing how to leverage these information sources as means toward various ends. Before Google there was the USENET and before that there were bulletin board systems, etc. The big difference today is that the Internet and its services are ubiquitous and greater numbers of people are sharing more personal information than ever (and this information is being captured by greater numbers of searchable repositories) - making access to such information downright trivial. Hell, for those needing a little help, there is even a book on Google Hacking.

So what is the lesson here? Simply put, you need to be careful. Don't take your privacy for granted. The damage once inflicted can be hard if not impossible to undo.

As a security professional, I want to be able to share information with people, post content and help answer questions, and generally help people better protect themselves. To establish a more personal connection with readers, I have shared a picture on my blog and have even published a LinkedIn profile. I have even occasionally posted on some personal topics. So, where do I draw the line?

Honestly - for me it comes down to a risk management decision. There are some topics that I am comfortable sharing and others that I am not. Weighing the risks and benefits, I try to strike a balance in my postings. Above all, I do my best to safeguard my (and my company's) private information. Further, I try to balance my inherent paranoia with some pragmatism so that we can engage in these virtual discussions from time to time. I for one enjoy them and hope you do too.

Take care,



Saturday Feb 11, 2006

Sun Systemic Security

In advance of the RSA Security Conference, I wanted to give everyone a heads-up regarding the updated Sun BluePrint article and presentation just posted on the Sun Systemic Security Program. Some may remember that I have talked about systemically secure architectures previously. This new content is more comprehensive and includes more specifics about the overall program and several architectural design building blocks and patterns.

You can find even more information on Sun Systemic Security at Sun's Security Homepage.

If you are going to be at the RSA conference, be sure to stop by the Sun booth and look me up!

Take care!



Tuesday Aug 02, 2005

Conflicting Security Messages

No wonder people are generally confused about how to protect themselves on the Internet.

Today, I arrived at the USENIX Security Symposium in Baltimore, MD. You will get the irony of this in just a second. The conference, this year, is being held at the Sheraton Inner Harbor Hotel. As with most hotels, they offer both wireless and wired Internet access through a contracted ISP. Next to the network jack in the hotel room is a small sign that provides details about the Internet service including how best to connect to the ISP's network. One of the most prominent sections is titled "Tips for a Successful Connection". The very first tip on their list is:

Disable any VPN, proxy or firewall software that may be running on your computer.

Riiight... As if.

Unfortunately, many people (despite warnings to the contrary) will follow this advice in an effort to make connecting to the service as simple as possible. Who wants to have a problem and then sit idly by for minutes to hours while the problem is identified and resolved, right? Not to mention - how often will technical support just start with the same task anyway: first disable any VPN, proxy, or firewall software...

The problem here is that by disabling your local firewall software (in particular), you may be putting yourself in direct violation of your company's security policy and generally accepted common sense. The end result is that the consumer (yet again) is put at risk, especially if they have not taken other precautions to strengthen the security posture of their system (e.g., hardening, patching, etc.). A hotel network is a shared segment full of strangers' machines, so a host with no firewall is exposed to every other guest, not just to the Internet at large. Further, by extension these types of recommendations can serve to put our own companies (and potentially critical infrastructure) at risk by opening opportunities for such systems to be infected or otherwise compromised while employees and consultants are on the road. Systems compromised in this way invariably end up connecting back to a corporate network where the scope and impact of the breach can be multiplied - all because an ISP told you that it would be easier to connect to their network if you disabled your firewall, etc.

Let's take it a step further. This recommendation could be viewed as conflicting with the President's Strategy to Secure Cyberspace. The strategy document clearly says (for example):

Home users and small businesses can help the Nation secure cyberspace by securing their own connections to it. Installing firewall software and updating it regularly, maintaining current antivirus software, and regularly updating operating systems and major applications with security enhancements are actions that individuals and enterprise operators can take to help secure cyberspace. (from Action/Recommendation 3-3)

The real kicker here is that nowhere on the pretty little information card does it instruct the user to re-enable their protections (either while connected or when done using the service). These recommendations could therefore have a long-lasting effect on the end user, especially where the software is not configured to re-enable itself automatically at next boot, or where the system is simply not rebooted frequently - such as when suspend / hibernate modes are used instead of a shutdown.

So, enough ranting for one day... What are your thoughts?

To what degree should ISPs be held liable if their recommendations are followed by consumers trying to access their network, and those consumers are exploited as a direct result of the ISP's recommendations?


Friday Mar 25, 2005

I'm not dead yet!

It has been a very long time since my last post and for that I apologize. I have a good excuse, honest! I was off for most of January with the birth of my second son. Following that, as you can imagine, when I came back I needed to spend a good deal of time unburying myself from e-mail, v-mail and project deliverables. So, now that I am nearly unburied, I can safely proclaim that I am not dead yet!

I wanted to take a few moments to catch you up on a few things that I have been doing over the last two months or so. I will also preview a few things that will be coming up...
  • Upon my return from leave, I presented at the RSA 2005 Security Conference held in San Francisco, CA. I had the honor of presenting on the topic of "Adaptive Security for Dynamic and Consolidated Environments" with Dave Walker and Peter Charpentier. It was quite a blast!

  • I have continued my work as a member of the Unix Benchmark Team for the Center for Internet Security. Most of the recent work has been on the development and refinement of the Solaris 10 Security Benchmark. I have to say that in large part due to the teamwork displayed by that organization, the Solaris 10 Benchmark has come together very quickly and should be ready to release soon.

  • I have also been working on converting some of my Solaris 10 Security blog articles into Sun BluePrints Cookbooks. The first to be converted was the Automating Solaris 10 File Integrity Checks. It was published this month. It looks like at least one more will be published next month. Don't think that this is just a rehash of the blog however. We did actually go in and add new clarifications, examples, and other content! Also, I would like to acknowledge Darren Moffat and Scott Rotondo for their careful technical review of the article. Thank you very much.

  • I have also been working on new material. Hopefully in either the April or May edition of the Sun BluePrints, you will see a new article titled something like Limiting Service Privileges in the Solaris 10 OS. The paper is done, it is just a matter of getting it through the necessary processes.

  • I have been doing a lot of customer briefings on a variety of topics. Most of my briefings are deep dives into Solaris 10 security features and capabilities. In fact, just last week I presented to over 300 customers in both New York, NY and Somerset, NJ on those topics. It is absolutely incredible the things that you can accomplish with Solaris 10 in the security space.

  • I have also been preparing a talk that I will be giving on April 4th at the EDUCAUSE Security Professional's Conference in Washington, DC. The subject of my talk will be "Systemically Secure Architectures". If anyone reading this will be there, please be sure to stop me in the hall and say 'Hi'!

  • I have also been accepted to present at the New York State Cybersecurity Conference. The subject of my talk will be "Lessons from the Trenches: Solaris Security Best Practices". Hope to see you there!

Those are just a few of the things that I have been working on recently - that I can talk about of course. ;-) I hope to do another posting with yet another Solaris 10 Security tip in the very near future.

Also, before signing off, I have to send some kudos to the Solaris Security Toolkit team. Thanks to their hard work and determination, we can now proudly say that the Toolkit has become an official Sun product that is supported under the Solaris Support contract. Great work everyone!

Take care,


This area of cyberspace is dedicated to the goal of raising cybersecurity awareness. This blog will discuss cybersecurity risks, trends, news and best practices with a focus on improving mission assurance.

