Within the last ten years our communities have become dependent on technology to support their homes and their business relationships. It could even be asserted that 99.99%, if not 100%, of the population of any developed society now uses technology in both direct and indirect ways: on-line banking, ATMs, on-demand TV, in-car technology, cell phones, and of course the points of communication we host from our laptops, desktops, iPads, iPhones, Kindles, and so on. In fact, the possibilities would seem to be endless.
The basic fact of the matter is that, like it or not, this cosy techno-relationship we have established adds to our very existence an invisible footprint, an unknown and subliminal dark footprint that may be interrogated and leveraged by law enforcement, commercial interests, the criminal community, terrorists, or whoever else, for whatever purpose they may wish.
The basic fact is that as we go about our daily lives we leave subliminal digital traces behind us: the IP address we use when we log on to our ISP, a discarded hard-copy document, or the metadata embedded in a Word or Excel office document released into the public arena. In isolation such objects may not mean a great deal. However, when these isolated snippets of intelligence are aggregated they can tell the onlooker a lot about the personal and business profile of the subject in view.
On this theme, let us consider one of the most overlooked areas of potential exploitation in our electronic society: Open Source Intelligence [OSINT], which the criminal fraternity can leverage with considerable success. That said, when we look at the opposing side of the cyber wall of conflict in the commercial business arena, a large majority of CIOs and CISOs tend to discount this area as a threat they need not worry about; it is just noise outside their protected infrastructure which poses no direct risk to their organization, and to some extent they are absolutely correct when one considers only the 'direct risk'. To underpin this observation: in 2014, when I chaired the info-crime Summit in London, I asked the 80+ attending delegates whether they understood the threats posed by OSINT, and whether they had defenses in place to protect their organizations against that threat. It was no surprise that only around 5% of the delegates confirmed they did have defenses in place and did strive to secure their organizations against OSINT exposures and the related opportunities for data leakage.
Now, to digress a little: some years ago Clifford Stoll wrote a book titled 'The Cuckoo's Egg', a real-life story about tracking computer espionage and cyber-crime. Notwithstanding that it is over 30 years old today, the same risks still exist in our modern society; the only difference is that they are escalated by the ratio of computers in operational use in 2015/2016. What was really interesting about this book was that a massive security compromise was flagged by a piece of seemingly unimportant information: a 75-cent accounting error on a mainframe. Within this much-recommended publication we also see the first traces of security ignorance, in which a Unix shadow password file was obtained by an external party; because its contents were encrypted, the owning organization discounted this as posing any level of direct, real risk to their secured assets, so no harm was envisaged in allowing some unauthorized, unknown party to have ongoing access to this protected file!
The point that was missed in respect of the shadow password file was this: whilst it was encrypted, once it was in the hands of an external party, who could be a potential adversary or attacker, that person or persons then had unfettered access and time to attempt to crack it and reverse the encrypted content into readable passwords. And it is here that we start to see the conjunction with OSINT, which implies the same level of leisurely, indirect access to elements which may then be employed to breach, or directly target, a deployment; the levels of exposure which could realistically manifest are borne out of the misunderstanding of these ever-present indirect risks.
Take the average office document generated inside the organization, which may contain multiple snippets of subliminal intelligence. Then consider the population of server assets, all of which have some logical associations in place with both visible and hidden systems, and which by logical circumstance may tell the outsider much about the internal relationships of the enterprise. Our potential attackers may also take a look at the Domain Name System [DNS] to investigate whether there are any other open holes or misconfigurations they may leverage. As an example, about 5 years ago an OSINT assessment was carried out of 100 commercial web sites, where it was discovered that around 12% of those interrogated were permitting zone transfers, which in turn gave the prospective attacker a potential view of their internal servers and assets. In fact, the insecure sites located in this assessment ranged from sensitive US agencies through to a credit reference agency, which in their case allowed access to server-side scripts containing hard-coded user IDs and passwords: a very rich discovery for any miscreant actor hell-bent on causing some form of compromise to an interesting or sensitive asset.
The real point about OSINT is that it is a known point of exploitation for pre-attack footprinting, and is in fact a common technique utilized by hackers, cyber criminals and, in particular, state-sponsored crime to gather cyber intelligence, just as any military organization would when selecting and planning an attack against a target. Not only can such a subliminal, cloaked exercise tell the attackers about the target in their scope, but it may also reveal other information of interest, exposing what were to this point hidden systems and assets.
The surprising part, however, is that no matter which site or deployment you choose to conduct an OSINT discovery against, in just about every single instance there is a very high chance that such artifacts will exist, along with points of data leakage bleeding seemingly unimportant information into the hands of the waiting, inquisitive onlooker, in the form of one, some, or all of the following:
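The zone-transfer finding above is straightforward to check on the defending side before an outsider does. The following is an added example (my code, not the author's, and not tied to any real deployment) that audits a BIND named.conf for zones whose allow-transfer is open to any host, resolving a zone that lacks its own statement against the global options{} setting. The configuration excerpt is constructed; the zone names and addresses are placeholders, and the parser handles only the statement shapes shown.

```python
import re

# Constructed named.conf excerpt (not a real deployment); one zone is open to transfer.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { 192.0.2.53; };      // the organisation's own secondary (constructed)
};

zone "example.test" {
    type primary;
    file "db.example.test";
    allow-transfer { any; };             /* the misconfiguration: anyone may pull the zone */
};

zone "corp.example.test" {
    type primary;
    file "db.corp";
    allow-transfer { 192.0.2.53; 198.51.100.7; };
};

zone "inherits.example.test" {
    type primary;
    file "db.inherits";                  # no allow-transfer here: falls back to options{}
};
"""


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text: str):
    """Yield (header, body) for each brace-delimited block at the top level."""
    i = 0
    while True:
        j = text.find("{", i)
        if j < 0:
            return
        header = text[i:j].split(";")[-1].strip()  # statement that owns this block
        depth, k = 0, j
        while k < len(text):  # walk to the matching close brace, nesting included
            if text[k] == "{":
                depth += 1
            elif text[k] == "}":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        yield header, text[j + 1:k]
        i = k + 1


def allow_transfer_entries(body: str):
    """Return the address-match-list entries of allow-transfer, or None if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def classify(entries):
    """open = any host may AXFR; closed = nobody; restricted = an explicit list or ACL."""
    if entries is None:
        return None
    if "any" in entries:
        return "open"
    if entries == ["none"]:
        return "closed"
    return "restricted"


def audit_named_conf(text: str) -> dict:
    """Map each zone to (status, where the effective allow-transfer came from)."""
    text = strip_comments(text)
    global_status, zones = None, {}
    for header, body in top_level_blocks(text):
        if header.startswith("options"):
            global_status = classify(allow_transfer_entries(body))
        m = re.match(r'zone\s+"([^"]+)"', header)
        if m:
            zones[m.group(1)] = body
    result = {}
    for name, body in zones.items():
        own = classify(allow_transfer_entries(body))
        if own is not None:
            result[name] = (own, "zone")
        elif global_status is not None:
            result[name] = (global_status, "options")
        else:
            # Neither the zone nor options{} says anything: the server default applies,
            # which has varied between BIND releases, so report it for manual confirmation.
            result[name] = ("unset", "default")
    return result


def open_zones(result: dict) -> list:
    """Zones any host on the Internet could pull in full."""
    return sorted(name for name, (status, _) in result.items() if status == "open")


if __name__ == "__main__":
    for zone, (status, source) in audit_named_conf(SAMPLE_NAMED_CONF).items():
        print(f"{zone:28} {status:10} (from {source})")
```

Running it lists example.test as open, which is exactly the condition the assessment above found on 12% of the sites it interrogated; a zone reported as unset should be confirmed against the default of the BIND version actually deployed rather than assumed safe.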
- Internal Systems and IP addresses
- Machine Names
- Associated and Third Party Systems
- Operating Systems and Application types/versions/patch levels
- User IDs
- Department Information and Telephone Extensions
- Document Stores
- Sensitive Government e-mail addresses
- Unsecured Track Changes that were never cleared down before release
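The embedded-metadata point made earlier and the Track Changes item in this list can both be caught before a document leaves the organization, because a .docx is only a zip container of XML parts. The following is an added example, not code from the article, that reports the author, the account that last saved the file, the company name, and any unaccepted revisions or comments, and gates the release on the result; the document it inspects is constructed in memory, and every name in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces of the parts inspected below
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def inspect_docx(data: bytes) -> dict:
    """Collect the metadata and revision artefacts a .docx would carry into the public arena."""
    findings = {"tracked_changes": 0, "change_authors": [], "has_comments": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Core properties: original author and the account that last saved the file
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    findings[tag] = el.text.strip()
        # Extended properties: organisation, template and generating application
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            for tag in ("ep:Company", "ep:Application", "ep:Template"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    findings[tag] = el.text.strip()
        # Revision marks (w:ins / w:del) that were never accepted, and who made them
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            authors = set()
            for tag in ("w:ins", "w:del"):
                for rev in root.iterfind(".//" + tag, NS):
                    findings["tracked_changes"] += 1
                    author = rev.get("{%s}author" % NS["w"])
                    if author:
                        authors.add(author)
            findings["change_authors"] = sorted(authors)
        findings["has_comments"] = "word/comments.xml" in names
    return findings


def should_block_release(findings: dict) -> bool:
    """Release gate: any unaccepted revision or comment means the file is not clean."""
    return findings["tracked_changes"] > 0 or findings["has_comments"]


def build_sample_docx(with_revisions: bool = True) -> bytes:
    """Constructed minimal .docx (placeholder names, not a real document)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        "<dc:creator>j.smith</dc:creator>"
        "<cp:lastModifiedBy>FIN-DESK-07\\jsmith</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
        "<Company>Example Corp (constructed)</Company></Properties>"
    )
    # A deleted old price and an inserted new one, each carrying its author, as Word stores them
    revisions = (
        '<w:del w:id="1" w:author="j.smith" w:date="2016-01-05T09:00:00Z">'
        "<w:r><w:delText>12,000</w:delText></w:r></w:del>"
        '<w:ins w:id="2" w:author="a.jones" w:date="2016-01-05T09:01:00Z">'
        "<w:r><w:t>15,000</w:t></w:r></w:ins>"
    ) if with_revisions else "<w:r><w:t>15,000</w:t></w:r>"
    document = (
        f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
        "<w:r><w:t>Offer price: </w:t></w:r>" + revisions +
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not parsed here
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_docx(build_sample_docx())
    for key, value in report.items():
        print(f"{key:18} {value}")
    print("block release:", should_block_release(report))
```

On the constructed file the report exposes a user ID, a machine name embedded in the last-saver field, the company, and the pre-negotiation price together with the two people who edited it, which is the aggregation of small snippets the article warns about; the same check run as a pre-publication gate on real documents would need the placeholder names replaced by whatever your own metadata policy forbids.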
Now, of course, how such indirect intelligence snippets are utilized by the prospective attacker to mount a direct attack is very much down to their own level of imagination. But given they have been granted the access to acquire such information, I am confident they will come up with a way to leverage such materials in an attempt to formulate a plan to accomplish a compromise of an asset, a third party, or an associated site or service. Or it may be that the route to insecurity on this occasion is via the employment of the personally oriented artifacts to perform a direct social engineering attack against a selected human target. As I always say, the only limitation is the imagination of the attacker!
Of course, after reading this you may not be convinced that this is a real issue for your organization to worry about. But think again: if you are indirectly providing any such materials which could be leveraged to assist the direct compromise of organizational assets, maybe you should at least reconsider, as the exposure of your unknown unknowns may just provide your next attacker with the intelligence he or she needs to perform a successful exploitation against your organization.