Google Hacking: Social Engineering Redux
By gbrunett-Oracle on Sep 04, 2006
While looking through some recent postings, I came across this posting by Dumb Little Man. His brief depiction is yet another in a long string of reminders for us all to be more careful about safeguarding our personal information. All too often, people take their (or their company's) privacy for granted and do not concern themselves with who will see the information that they post - that is, until something bad happens. Worse yet is that people often do not understand how the various types of information made available can be used together to create a multiplicative effect - except perhaps in the more publicized identity theft arena.
Each and every day, it is getting easier to find out greater amounts of information on people, places, companies and services. Let's consider extending the thought experiment discussed in the article above. What if an attacker were to use Google Earth to obtain satellite imagery of his target's house? This tool could be used to pinpoint the position of his target relative to other buildings, roads, or other environmental elements (e.g., wooded areas). The military has long recognized the value of such imaging for planning attacks and now this information is available (certainly at a lower resolution) to anyone, anywhere. Note: I do not want to pick on Google Earth since there are certainly many other ways to get some or all of this information (e.g., purchase paper maps and/or satellite images, or personally scout out a location).
Going further, with your target's name, e-mail address or other personal details, you could use current search engines to discover pictures, movies, personal profiles, business profiles, interests, and even previous postings or affiliations of your target. There is a virtually unlimited number of potential sources depending on the nature of your target and goals. Of course, none of this is new information. Take a quick search for yourself to see what I mean. My point here is that vast amounts of personal information can be gathered today for little to no cost or effort.
Let me give you an example. I know of a family that was looking for pre-schools for their kids. After some research and careful discussion, they narrowed down their selection to a handful of schools. Enter Google. A quick search on one of the schools led the couple to a MySpace page apparently belonging to one of the school's young teachers. Reading through the teacher's public MySpace profile, the couple was horrified to find discussions and endorsements of vampirism, bloodletting and related topics. Remember, this was initially about finding a pre-school for their young children. Needless to say, that single search result caused the entire school to be taken out of consideration. Now, was the person really a teacher at that school? Who knows... but that is not the point. The personal postings of an individual had cost a school a student. One can easily imagine how personal information could be used by school or professional recruiters when examining candidates.
What is interesting to observe is the damage that can be done to individuals or corporations through the malicious posting of false information. Let's say that the person in the above case was not really a teacher but had some kind of grudge against that specific school. Who knows how much business could be lost (even without the school's knowledge) as a result of prospective parents (such as the couple above) coming across that MySpace page. Similarly, think about the damage to one's personal and professional reputation that could ensue as a direct result of malicious (or perhaps accidental) postings. In the old days, rumors could often be contained to a single company or perhaps a small town. Moving out of the town could potentially wipe your slate clean. Today however, such information, correct or not, could literally be in the hands of anyone on the planet. There is no way to avoid it.
Beyond individuals, these same techniques can be leveraged to uncover potential corporate targets. For this posting, I just did a quick search of comp.unix.solaris looking for .rhosts and uncovered this posting:
"Even though I realize that use of /etc/hosts.equiv and .rhosts are not very secure, I've thought I could possibly use them in setting up a number of Solaris workstations in a lab/setup environment before rolling them out to the desktops"
This posting included both an e-mail address of an employee (presumably) as well as a company name. Comments like these made on mailing lists (from internal e-mail addresses) can often be used to determine key points about a target. From this small message, we can assume that the company uses Solaris and that they are using rsh with rhosts authentication. Not overly useful, but it is a start. Spending a little more time, it is not hard to find people asking security questions, talking about audit failures, or divulging information (seemingly harmless) that can provide clues about their security configuration, recent problems, or even how frequently they patch their systems, etc.
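As an added example (not part of the original post), here is a pre-posting check that reports what a reader could infer from a message like the one quoted above, and flags it when an identifiable employer is tied to configuration details. The freemail list, the pattern set and both sample messages (corp.example, Example Corp) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; tune them for your own organization.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
CONFIG_TERMS = {
    "rhosts authentication": re.compile(r"(?<![\w/])\.rhosts\b|/etc/hosts\.equiv\b"),
    "rsh/rlogin in use": re.compile(r"\b(rsh|rlogin)\b", re.I),
    "operating system": re.compile(r"\b(Solaris|SunOS)\b", re.I),
    "audit or patch status": re.compile(r"\b(audit failure|unpatched|patch level)\b", re.I),
}

# Constructed sample messages, not real postings.
BODY = ("Even though I realize that use of /etc/hosts.equiv and .rhosts is not\n"
        "very secure, I'd like to use them on Solaris workstations in a lab.\n")
SAMPLE_POST = ('From: "J. Admin" <jadmin@corp.example>\n'
               "Organization: Example Corp\n"
               "Subject: .rhosts in a lab\n\n" + BODY)
SAMPLE_FREEMAIL = "From: someone@gmail.com\nSubject: .rhosts in a lab\n\n" + BODY

def review_post(raw):
    """Return (identity_clues, config_clues) a reader could extract from a post."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    identity, config = [], []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain and domain not in FREEMAIL:
        identity.append("sender domain: " + domain)
    if msg.get("Organization"):
        identity.append("organization header: " + msg["Organization"])
    for label, pattern in CONFIG_TERMS.items():
        if pattern.search(body):
            config.append(label)
    return identity, config

def needs_rewrite(raw):
    """Risky when the post ties an identifiable employer to configuration details."""
    identity, config = review_post(raw)
    return bool(identity) and bool(config)

if __name__ == "__main__":
    for name, post in (("corporate", SAMPLE_POST), ("freemail", SAMPLE_FREEMAIL)):
        print(name, review_post(post), "rewrite:", needs_rewrite(post))
```

The same question sent from a personal address with no organization header still reveals the configuration, but no longer links it to a specific company.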
With the free and for-fee sources of information available today, the possibilities are truly staggering. That said, it is certainly not like this is anything new. The Internet is riddled with postings and pages detailing how to leverage these information sources as means toward various ends. Before Google there was the USENET and before that there were bulletin board systems, etc. The big difference today is that the Internet and its services are ubiquitous and greater numbers of people are sharing more personal information than ever (and this information is being captured by greater numbers of searchable repositories) - making access to such information downright trivial. Hell, for those needing a little help, there is even a book on Google Hacking.
So what is the lesson here? Simply put, you need to be careful. Don't take your privacy for granted. The damage once inflicted can be hard if not impossible to undo.
As a security professional, I want to be able to share information with people, post content and help answer questions, and generally help people better protect themselves. To establish a more personal connection with readers, I have shared a picture on my blog and have even published a LinkedIn profile. I have even occasionally posted on some personal topics. So, where do I draw the line?
Honestly - for me it comes down to a risk management decision. There are some topics that I am comfortable sharing and others that I am not. Weighing the risks and benefits, I try to strike a balance in my postings. Above all, I do my best to safeguard my (and my company's) private information. Further, I try to balance my inherent paranoia with some pragmatism so that we can engage in these virtual discussions from time to time. I for one enjoy them and hope you do too.