Social media

Social media sites are the new means for businesses interacting online. Perusing the following sites can provide untold details on any given business and its people:

• Facebook (www.facebook.com)
• LinkedIn (www.linkedin.com)
• Twitter (https://twitter.com)
• YouTube (www.youtube.com)

As we’ve all witnessed, employees are often very forthcoming about what they do for work, details about their business, and even what they think about their bosses — especially after throwing back a few when their social filter has gone off track! I’ve also found interesting insight based on what ex-employees say about their former employers at Glassdoor (www.glassdoor.com).

Web search

Performing a web search or simply browsing your organization’s website can turn up the following information:

• Employee names and contact information
• Important company dates
• Incorporation filings
• SEC filings (for public companies)
• Press releases about physical moves, organizational changes, and new products
• Mergers and acquisitions
• Patents and trademarks
• Presentations, articles, webcasts, or webinars

Bing (www.bing.com) and Google (www.google.com) ferret out information — in everything from word processing documents to graphics files — on any publicly accessible computer. And they’re free. Google is my favorite. Entire books have been written about using Google, so expect any criminal hacker to be quite experienced in using this tool, including against you. (See Chapter 15 for more about Google hacking.)

With Google, you can search the Internet in several ways:

• Typing keywords. This kind of search often reveals hundreds and sometimes millions of pages of information — such as files, phone numbers, and addresses — that you never guessed were available.
• Performing advanced web searches. Google’s advanced search options can find sites that link back to your company’s website. This type of search often reveals a lot of information about partners, vendors, clients, and other affiliations.
• Using switches to dig deeper into a website. For example, if you want to find a certain word or file on your website, simply enter a line like one of the following into Google:

  site:www.your_domain.com keyword
site:www.your_domain.com filename

You can even do a generic filetype search across the entire Internet to see what turns up, such as this:

filetype:swf company_name

Use the preceding search to find Flash .swf files, which can be downloaded and decompiled to reveal sensitive information that can be used against your business, as I cover in detail in Chapter 15.

Use the following search to hunt for PDF documents that might contain sensitive information that can be used against your business:

filetype:pdf company_name confidential

Web crawling

Web-crawling utilities, such as HTTrack Website Copier (www.httrack.com), can mirror your website by downloading every publicly-accessible file from it, similar to how a web vulnerability scanner crawls the website it’s testing. You can then inspect that copy of the website offline, digging into the following:

• The website layout and configuration
• Directories and files that might not otherwise be obvious or readily accessible
• The HTML and script source code of web pages
• Comment fields

Comment fields often contain useful information such as names and e-mail addresses of the developers and internal IT personnel, server names, software versions, internal IP addressing schemes, and general comments about how the code works. In case you’re interested, you can prevent some types of web crawling by creating Disallow entries in your web server’s robots.txt file as outlined at www.w3.org/TR/html4/appendix/notes.html. You can even enable web tarpitting in certain firewalls and intrusion prevention systems (IPSs). However, crawlers (and attackers) that are smart enough can find ways around these controls.

Contact information for developers and IT personnel is great for social engineering attacks. I cover social engineering in Chapter 6.

Websites

The following websites may provide specific information about an organization and its employees:

• Government and business websites:
  • www.hoovers.com and http://finance.yahoo.com give detailed information about public companies.
  • www.sec.gov/edgar.shtml shows SEC filings of public companies.
  • www.uspto.gov offers patent and trademark registrations.
  • The website for your state’s Secretary of State or similar organization can offer incorporation and corporate officer information.
• Background checks and other personal information, from websites such as:
  • LexisNexis.com (www.lexisnexis.com)
  • ZabaSearch (www.zabasearch.com)

WHOIS

The best starting point is to perform a WHOIS lookup by using any one of the tools available on the Internet. In case you’re not familiar, WHOIS is a protocol you can use to query online databases such as DNS registries to learn more about domain names and IP address blocks. You may have used WHOIS to check whether a particular Internet domain name is available.

For security testing, WHOIS provides the following information that can give a hacker a leg up to start a social engineering attack or to scan a network:

• Internet domain name registration information, such as contact names, phone numbers, and mailing addresses
• DNS servers responsible for your domain

You can look up WHOIS information at one of the following places:

• WHOIS.net (www.whois.net)
• A domain registrar’s site, such as www.godaddy.com
• Your ISP’s technical support site

Two of my favorite WHOIS tool websites are DNSstuff (www.dnsstuff.com) and MXToolBox (www.mxtoolbox.com). For example, you can run DNS queries directly from www.mxtoolbox.com to do the following:

• Display general domain-registration information
• Show which host handles e-mail for a domain (the Mail Exchanger or MX record)
• Map the location of specific hosts
• Determine whether the host is listed on certain spam blacklists

A free site you can use for more basic Internet domain queries is http://dnstools.com. Another commercial product called NetScanTools Pro (www.netscantools.com) is excellent at gathering such information. I cover this tool and others in more detail in Chapter 9.

The following list shows various lookup sites for other categories:

• U.S. Government: www.dotgov.gov/portal/web/dotgov/whois
• AFRINIC: www.afrinic.net (Regional Internet Registry for Africa)
• APNIC: www.apnic.net/apnic-info/whois_search (Regional Internet Registry for the Asia Pacific Region)
• ARIN: http://whois.arin.net/ui (Regional Internet Registry for North America, a portion of the Caribbean, and subequatorial Africa)
• LACNIC: www.lacnic.net/en (Latin American and Caribbean Internet Addresses Registry)
• RIPE Network Coordination Centre: https://apps.db.ripe.net/search/query.html (Europe, Central Asia, African countries north of the equator, and the Middle East)

If you’re not sure where to look for a specific country, www.nro.net/about-the-nro/list-of-country-codes-and-rirs-ordered-by-country-code has a reference guide.

Privacy policies

Check your website’s privacy policy. A good practice is to let your site’s users know what information is collected and how it’s being protected, but nothing more. I’ve seen many privacy policies that divulge a lot of technical details on security and related systems that should not be made public.

Make sure the people who write your privacy policies (often nontechnical lawyers) don’t divulge details about your information security infrastructure. Be careful to avoid the example of an Internet start-up businessman who once contacted me about a business opportunity. During the conversation, he bragged about his company’s security systems that ensured the privacy of client information (or so he thought). I went to his website to check out his privacy policy. He had posted the brand and model of firewall he was using, along with other technical information about his network and system architecture. This type of information could certainly be used against him by the bad guys. Not a good idea.