Microsoft Blue Hat: Researcher Demos No-Hack AttackMicrosoft Blue Hat: Researcher Demos No-Hack Attack
Wealth of available online data on individuals, businesses can be used in targeted attacks
October 21, 2008
A researcher at Microsoft's closed-door Blue Hat summit last week demonstrated how seemingly mundane information available online about an individual or a business can be used against them in a targeted attack.
Roelof Temmingh, founder of Paterva, demonstrated how hackers don't eed traditional hacking tools given all of the information that' freely available about people and organizations on the Internet. With a little reconnaissance and the use of a handy information-collection, correlation, and visualization tool he built called Maltego, Temmingh showed how an attacker wouldn't have to bother with a port scan or other hacking tools to hack a person or a business.
Maltego is not a hacker tool -- it's for gathering, organizing and visualizing information from the Internet. It basically collects that accessible information online about an individual -- his email address, blogs, Facebook friends, hobbies, geographic location, job description -- and presents it in a usable, comprehensive profile of a potential target. "When I started developing this tool... I had the idea that all pieces of information out there were connected in some way or another," Temmingh says. "This tool proves that [they are]."
The problem, of course, is that users want instant access to information, and to be accessible via social networking sites and other online resources. And there's always a way for someone to abuse that interconnected information.
Attackers hack either to get control over a system, or to grab data. "You don't [necessarily] need to break into anything to get the information you need; it may be just a click," he says. "With some applications, the data you can get from them is the vulnerability."
Even PGP-encrypted email messages between two organizations can leak some useful clues. Piecing together the email addresses in the domain and the signed keys by specific email addresses can provide useful information, he says. "If five people at one organization sent mail to five others at a second organization and all mail was PGP-encrypted, this is telling us" something about the relationship between these two organizations, he says.
"If you think about an attack, the exploit itself is maybe 5 percent of the whole equation," Temmingh says. "It doesn't have to end in 'now you can ‘own’ someone.'"
Temmingh also demonstrated at Blue Hat how easy it is for an attacker to manipulate the inherent trust on the Internet -- and the lack of real identity verification. "If you're not on Facebook, I can [pose as you] on Facebook and put up content," he says. "I can invent anyone I want using your name and information gathered, he says.
Bottom line: There's no real enforcement for privacy on the Internet today, he says. "If you want to keep something private, keep it off the Internet. Even if you encrypt it... you could be leaking more information," like with the PGP-encrypted email example, he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
AI in Cybersecurity: Using artificial intelligence to mitigate emerging security risks
Quantifying the Gap Between Perceived Security and Comprehensive MITRE ATT&CK Coverage
2021 Gartner Market Guide for Managed Detection and Response Report