Chapter 5
In This Chapter
Gleaning information about your organization from the Internet
Web resources
Seeking out information you (and others) can benefit from
One of the most important aspects in determining how your organization is at risk is to find out what information is publically available about your business and your systems. Gathering this information is such an important part of your overall methodology that I thought the subject deserves a dedicated chapter. In this chapter, I outline some free and easy ways to see what the world sees about you and your organization. You may be tempted to bypass this exercise in favor of the cooler and sexier technical security flaws, but don’t fall into the trap. Gathering this type of information is critical and often where most security breaches begin.
The amount of information you can gather about an organization’s business and information systems that is widely available on the Internet is staggering. To see for yourself, the techniques outlined in the following sections can be used to gather information about your own organization.
Social media sites are the new means for businesses interacting online. Perusing the following sites can provide untold details on any given business and its people:
www.facebook.com
)www.linkedin.com
)https://twitter.com
)www.youtube.com
)As we’ve all witnessed, employees are often very forthcoming about what they do for work, details about their business, and even what they think about their bosses — especially after throwing back a few when their social filter has gone off track! I’ve also found interesting insight based on what ex-employees say about their former employers at Glassdoor (www.glassdoor.com
).
Performing a web search or simply browsing your organization’s website can turn up the following information:
With Google, you can search the Internet in several ways:
site:www.your_domain.com keyword
site:www.your_domain.com filename
You can even do a generic filetype search across the entire Internet to see what turns up, such as this:
filetype:swf company_name
Use the preceding search to find Flash .swf files, which can be downloaded and decompiled to reveal sensitive information that can be used against your business, as I cover in detail in Chapter 15.
Use the following search to hunt for PDF documents that might contain sensitive information that can be used against your business:
filetype:pdf company_name confidential
Web-crawling utilities, such as HTTrack Website Copier (www.httrack.com
), can mirror your website by downloading every publicly-accessible file from it, similar to how a web vulnerability scanner crawls the website it’s testing. You can then inspect that copy of the website offline, digging into the following:
Comment fields often contain useful information such as names and e-mail addresses of the developers and internal IT personnel, server names, software versions, internal IP addressing schemes, and general comments about how the code works. In case you’re interested, you can prevent some types of web crawling by creating Disallow entries in your web server’s robots.txt file as outlined at www.w3.org/TR/html4/appendix/notes.html
. You can even enable web tarpitting in certain firewalls and intrusion prevention systems (IPSs). However, crawlers (and attackers) that are smart enough can find ways around these controls.
The following websites may provide specific information about an organization and its employees:
www.hoovers.com
and http://finance.yahoo.com
give detailed information about public companies.www.sec.gov/edgar.shtml
shows SEC filings of public companies.www.uspto.gov
offers patent and trademark registrations.www.lexisnexis.com
)www.zabasearch.com
)As part of mapping out your network, you can search public databases and resources to see what other people know about your systems.
The best starting point is to perform a WHOIS lookup by using any one of the tools available on the Internet. In case you’re not familiar, WHOIS is a protocol you can use to query online databases such as DNS registries to learn more about domain names and IP address blocks. You may have used WHOIS to check whether a particular Internet domain name is available.
For security testing, WHOIS provides the following information that can give a hacker a leg up to start a social engineering attack or to scan a network:
You can look up WHOIS information at one of the following places:
www.whois.net
)www.godaddy.com
Two of my favorite WHOIS tool websites are DNSstuff (www.dnsstuff.com
) and MXToolBox (www.mxtoolbox.com
). For example, you can run DNS queries directly from www.mxtoolbox.com
to do the following:
A free site you can use for more basic Internet domain queries is http://dnstools.com
. Another commercial product called NetScanTools Pro (www.netscantools.com
) is excellent at gathering such information. I cover this tool and others in more detail in Chapter 9.
The following list shows various lookup sites for other categories:
www.dotgov.gov/portal/web/dotgov/whois
www.afrinic.net
(Regional Internet Registry for Africa)www.apnic.net/apnic-info/whois_search
(Regional Internet Registry for the Asia Pacific Region)http://whois.arin.net/ui
(Regional Internet Registry for North America, a portion of the Caribbean, and subequatorial Africa)www.lacnic.net/en
(Latin American and Caribbean Internet Addresses Registry)https://apps.db.ripe.net/search/query.html
(Europe, Central Asia, African countries north of the equator, and the Middle East)If you’re not sure where to look for a specific country, www.nro.net/about-the-nro/list-of-country-codes-and-rirs-ordered-by-country-code
has a reference guide.
Check your website’s privacy policy. A good practice is to let your site’s users know what information is collected and how it’s being protected, but nothing more. I’ve seen many privacy policies that divulge a lot of technical details on security and related systems that should not be made public.
18.217.199.122