Vulnerabilities / Threats
11/18/2012

Tech Insight: Better Defense Through Open-Source Intelligence

Corporate defenders can use the same publicly available information sources that attackers do, but to better secure their data

The ease with which attackers are compromising users through client-side and social-engineering attacks, plus the onslaught of BYOD initiatives, are clear indicators that perimeter security alone is not enough to protect enterprise data. That's not to say there is no value in beefing up an enterprise's perimeter defenses; there definitely is. But security strategies need to be updated to meet the changing threat landscape and the dissolution of the perimeter.

The nature of today's corporate computing has moved the perimeter to the user's desktops and mobile devices. End users' constant interaction with cloud-based services and social networking sites is making traditional defenses moot. To adapt, security professionals must meet these new challenges head-on by looking at their defensive measures the way an attacker would.

How? By putting on their offensive hat.

The typical attack process includes reconnaissance, scanning, exploitation, maintaining access, and covering tracks. Attackers have two basic choices. They can go for a target of opportunity that is easy and doesn't require much preparation (sometimes something they simply stumble on), or they can mount a targeted attack, which requires research and, often, patience.

Reconnaissance, while commonly overlooked and discounted, is a key phase that provides successful targeted attackers (and penetration testers) with information about the target: the server and application technologies in use, employees, locations, and much more. Often called OSINT, or open-source intelligence, because it draws on publicly available sources, the recon phase covers anything that helps the attacker reach his goal. Security pros can use the same tools and techniques as attackers to identify unintentionally exposed devices on the Internet and users leaking sensitive information via social networking sites, and address those issues before they're used in an actual attack.

Where to start? The simplest starting point is Internet search engines like Google, Bing, and Yahoo. Searches for the company name, key file names, employee numbers, and other unique identifiers can turn up leaked files, data dumped on Pastebin, or plans to attack the company in the coming weeks. Over the years, I've seen searches turn up everything from accidental disclosures of patient and employee personal information on company sites to evidence of compromise, in the form of user credentials and server names, posted to an online bulletin board.

It's important to note that searching is not a one-shot deal, because the content changes over time. The search engine's crawler may not yet have found and indexed the site hosting the content, or the content may not have been posted yet. Either way, this isn't a quick few hours of work that you're done with forever, which is why researchers at Stach & Liu developed a suite of tools called SearchDiggity to help security professionals run better, more targeted searches that can be automated and repeated.

Social networking sites have contributed quite a bit to the change in the perimeter, giving employees the ability to post revealing information and interact with practically anyone around the world, including attackers. The interesting finds include co-workers' names, office locations, pictures taken inside company buildings (such as data centers), and personal details (e.g., birthdays, spouse and children's names). Attackers can then use that information to social-engineer users into giving up passwords over the phone, or to answer the questions required to reset an account password.

Tim Tomes, senior security consultant at Black Hills Information Security, spoke about the recon process in his talk, "Next Generation Reconnaissance," at Hack3rCon 2012. During the talk, he released PushPin, a recon tool that specifically targets information posted on the social networking sites Twitter, YouTube, Flickr, Picasa, Instagram, and Oodle.

The more fascinating aspect of PushPin is that it searches those sites not for a specific search term, but by location. Want to look up information potentially posted by employees at a particular office? Plug in the GPS coordinates of the office, and out come posts to Twitter, pictures on Flickr and Instagram, and videos on YouTube. Tim has made the Python-based tool freely available.
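The core of location-based recon is a geofence: take everything that carries a GPS tag, keep what falls within some radius of the office, and then look at what was said. The following is an added example, not PushPin's code and not from the original article. It works entirely offline on a constructed set of geotagged posts (the office coordinates, user names, and post text are all made up), computes great-circle distance with the haversine formula, and flags in-fence posts that mention terms a defender would want to follow up on. The SENSITIVE_TERMS list is an assumption for the example; a real run would pull the posts from the social sites' APIs.

```python
import math
from dataclasses import dataclass

# Mean Earth radius in metres, used by the haversine great-circle formula.
EARTH_RADIUS_M = 6_371_000.0

# Terms that make a geotagged post worth a second look. Assumed list for
# this example; tune it to the organisation.
SENSITIVE_TERMS = ("data center", "badge", "server room", "password", "vpn")


@dataclass(frozen=True)
class Post:
    source: str   # e.g. "twitter", "flickr", "youtube"
    user: str
    lat: float
    lon: float
    text: str


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def posts_near(posts, lat, lon, radius_m):
    """Return (distance_m, post) pairs within radius_m of (lat, lon), nearest first."""
    hits = []
    for p in posts:
        d = haversine_m(lat, lon, p.lat, p.lon)
        if d <= radius_m:
            hits.append((d, p))
    hits.sort(key=lambda pair: pair[0])
    return hits


def flag_sensitive(hits):
    """Subset of hits whose text mentions one of SENSITIVE_TERMS."""
    return [(d, p) for d, p in hits
            if any(term in p.text.lower() for term in SENSITIVE_TERMS)]


# Constructed sample data: a fictional office location and five made-up posts.
OFFICE_LAT, OFFICE_LON = 33.7490, -84.3880

SAMPLE_POSTS = [
    Post("twitter", "alice", 33.7490, -84.3880, "Late night in the data center again #oncall"),
    Post("flickr", "bob", 33.7500, -84.3880, "New desk setup"),
    Post("instagram", "carol", 33.7490, -84.3780, "Lunch near the office"),
    Post("youtube", "dave", 33.7990, -84.3880, "Weekend hike"),
    Post("twitter", "eve", 40.7128, -74.0060, "Conference in NYC"),
]


if __name__ == "__main__":
    # Everything within 1 km of the office, then the subset worth escalating.
    hits = posts_near(SAMPLE_POSTS, OFFICE_LAT, OFFICE_LON, 1000)
    for d, p in hits:
        print(f"{d:7.0f} m  {p.source:9s} {p.user:6s} {p.text}")
    print("flagged:", [p.user for _, p in flag_sensitive(hits)])
```

With a 1 km radius the sample returns three posts (alice at the office, bob about 111 m north, carol about 925 m east); dave's post 5.5 km away and eve's post in another city are dropped, and only alice's mention of the data center is flagged. Radius matters: a suburban campus can use a tight fence, while a downtown office will pick up every neighbouring business unless you also filter by user.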

Other sources include the DNS and network information published on sites like Robtex, where IP addresses, network ranges, and domain names can be searched. There's also the excellent Shodan computer search engine, which stores service banners collected from Internet-accessible servers all over the world. Security pros can find all sorts of juicy information, like internal network and host names exposed through DNS, or unintentionally exposed services, using what Shodan has already collected and without scanning or otherwise touching the target network themselves.

Besides the Web interfaces to those sites, several tools make these queries faster and scriptable. Dnsrecon is an excellent example for DNS research, and the PushPin tool also queries Shodan by location. There is also the shodan_search module in Metasploit (written by yours truly), and an iOS app developed by Erran Carey.
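Whichever client you use, the defensive work starts once the results come back: discard hosts that aren't yours, and pick out the services and names that shouldn't be visible from the Internet. The following is an added example, not part of the original article and not the Metasploit module's or Shodan's own code. It triages a constructed list of host records (the shape loosely follows Shodan's per-host fields such as ip_str, port, transport and hostnames, but the values are made up and use RFC 5737 documentation addresses) against the organisation's own netblocks, flagging risky ports and hostnames that look like leaked internal names. RISKY_PORTS and INTERNAL_HINTS are assumptions for the example.

```python
import ipaddress
import json

# Ports that should rarely, if ever, face the Internet. Assumed list for
# this example; extend it to match local policy.
RISKY_PORTS = {
    21: "ftp", 23: "telnet", 161: "snmp", 445: "smb",
    1433: "mssql", 3306: "mysql", 3389: "rdp", 5900: "vnc", 6379: "redis",
}

# Labels that suggest an internal name has leaked into public DNS (assumed).
INTERNAL_HINTS = (".local", ".internal", ".corp", ".lan", "intranet")


def load_results(raw_json: str):
    """Parse a JSON list of host records into Python dicts."""
    return json.loads(raw_json)


def in_scope(ip: str, networks) -> bool:
    """True if ip falls inside one of the given ip_network objects."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(results, netblocks):
    """Return findings (ip, port, reasons) for in-scope hosts that look exposed."""
    networks = [ipaddress.ip_network(n) for n in netblocks]
    findings = []
    for rec in results:
        if not in_scope(rec["ip_str"], networks):
            continue  # somebody else's host; not ours to fix
        reasons = []
        port = rec["port"]
        if port in RISKY_PORTS:
            reasons.append(
                f"risky service on {port}/{rec.get('transport', 'tcp')} ({RISKY_PORTS[port]})")
        for name in rec.get("hostnames", []):
            if any(hint in name.lower() for hint in INTERNAL_HINTS):
                reasons.append(f"internal-looking hostname {name}")
        if reasons:
            findings.append({"ip": rec["ip_str"], "port": port, "reasons": reasons})
    # Stable, address-ordered output so repeated runs diff cleanly.
    findings.sort(key=lambda f: (ipaddress.ip_address(f["ip"]), f["port"]))
    return findings


# Constructed sample: four made-up host records in the shape described above.
SAMPLE_JSON = """
[
  {"ip_str": "203.0.113.10", "port": 3389, "transport": "tcp",
   "hostnames": ["ts01.example.com"], "data": "Remote Desktop Protocol"},
  {"ip_str": "203.0.113.22", "port": 443, "transport": "tcp",
   "hostnames": ["vpn.example.com"], "data": "HTTP/1.1 200 OK"},
  {"ip_str": "203.0.113.40", "port": 23, "transport": "tcp",
   "hostnames": ["switch01.corp.example.com"], "data": "User Access Verification\\r\\nPassword:"},
  {"ip_str": "198.51.100.5", "port": 23, "transport": "tcp",
   "hostnames": [], "data": "login:"}
]
"""

# The organisation's own public ranges (assumed for the example).
OUR_NETBLOCKS = ["203.0.113.0/24", "192.0.2.0/24"]


if __name__ == "__main__":
    for f in triage(load_results(SAMPLE_JSON), OUR_NETBLOCKS):
        print(f"{f['ip']}:{f['port']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

On the sample, the RDP host and the telnet-exposed switch with a .corp hostname are reported; the HTTPS VPN concentrator is in scope but raises nothing, and the telnet host at 198.51.100.5 is ignored because it is outside our netblocks. Running this on a schedule against fresh results, and diffing the output, turns a one-time search into the kind of repeated check the search-engine section argued for.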

Just as all of these resources can be used for evil, enterprise security teams should be taking advantage of them to help secure their networks. Information posted to social networking sites can often be removed quickly, and the responsible person identified and counseled on the proper use of such sites. Exposed services found through Shodan can be taken down or blocked with a quick firewall change.

These resources are out there and being used by attackers and penetration testers. Why not do the same and use them before they're used against you?
