Within the last 10 years, our communities have become dependent on technology to support both their homes and their business relationships. It could even be asserted that 99.99% of the population in any developed society uses technology in both direct and indirect ways, whether through online banking, ATMs, on-demand TV and media subscriptions, in-car technology, cell phones, or, of course, the communications we conduct from our laptop, desktop, iPad, iPhone or Kindle; the possibilities seem endless. The basic implication is that, like it or not, this cosy relationship with technology adds to our very existence an invisible footprint, one that may be leveraged by law enforcement, commercial interests, the criminal community, terrorists, or anyone else who wishes to interrogate this unknown and subliminal dark footprint for their own purposes. As we go about our daily lives, we leave digital traces behind us: the IP address we use when we log on to our ISP, a discarded hard-copy document, or metadata embedded in a Word or Excel document released into the public arena. In isolation, such objects may not mean a great deal. However, when such isolated snippets of intelligence are aggregated, they can tell the onlooker a lot about the personal and business profile of the subject in view. On this theme, let us consider one of the most overlooked areas of potential exploitation in our electronic society: Open Source Intelligence (OSINT), which the criminal fraternity may leverage with considerable success.
That said, when we look at the opposing side of the Cyber Wall of Conflict in the commercial business arena, a large majority of CIOs and CISOs tend to discount this area as a threat they need not worry about – it is just noise outside their protected infrastructure, posing no direct risk to their organisation – and to some extent they are absolutely correct when one considers only the ‘direct risk’. In fact, to underpin this observation, it was in 2014, when I chaired the info-crime summit in London, that I asked the 80+ attending delegates:
Do you understand the threats posed by OSINT? Do you have defences to protect your organisations against the threat?
It was no surprise, however, that only around 5% of the delegates confirmed they had defences in place and strove to secure their organisations against OSINT exposures and the related opportunities for data leakage. Now, to digress a little: some years ago Clifford Stoll wrote a book titled ‘The Cuckoo’s Egg’, a true story about tracking computer espionage and cyber-crime, and notwithstanding that it is more than 30 years old today, the same risks still exist in our modern society. The only difference is that they are magnified by the number of computers in operational use in 2015. What was really interesting about this book was that a massive security compromise was revealed by an apparently unimportant piece of information: a 75-cent accounting error on a mainframe. Within this much-recommended publication we also see early traces of security ignorance: a Unix shadow password file was obtained by some external party, but as it was encrypted, the owning organisation discounted this as posing any direct, real risk to its secured assets. Hence, no harm was envisaged in allowing some unauthorised, unknown party to retain access to this protected file. The point that was missed was that, whilst the file was encrypted, once it was in the hands of an outsider who could be a potential adversary or attacker, that person or persons had unfettered time and access to attempt to crack it and turn the encrypted content back into readable passwords. It is here that we start to see the link with OSINT, which affords the same leisurely, indirect access to elements that may then be employed to breach, or directly target, a deployment, and we may start to appreciate the levels of exposure that could realistically manifest, born out of a misunderstanding of the ever-present indirect risks.
Take the average office document generated inside the organisation; it may contain multiple snippets of subliminal intelligence. Then consider the population of server assets – all of which have some logical associations with both the visible and the hidden systems – which, by logical circumstance, may tell the outsider much about the internal relationships of the enterprise. Our potential attackers may also take a look at the Domain Name System (DNS) to investigate whether there are any other open holes or misconfigurations he/she may leverage. As an example, about five years ago an OSINT assessment was carried out against 100 commercial web sites, where it was discovered that around 12% of those interrogated permitted DNS zone transfers, giving the prospective attacker a potential view of their internal servers and assets. In fact, the insecure sites located in this assessment ranged from sensitive US agencies to a credit reference agency situated in the East Midlands. This allowed access to server-side scripts, which in turn contained hard-coded user IDs and passwords – a very rich discovery for any miscreant actor hell-bent on causing some form of compromise to an interesting or sensitive asset.
Fig 1 – Target Selection [Physical]
The real point about OSINT is that it is a known point of exploitation for pre-attack footprinting, and is in fact a common technique used by hackers, cyber criminals and, in particular, state-sponsored crime to gather cyber intelligence. As with any military organisation selecting and planning an attack against a target (see Fig 1), this intel can be of paramount importance to the success of the mission. Additionally, not only can such a subliminal, cloaked exercise tell the attackers about the target in their scope, it may also reveal further intelligence of interest, exposing (what were to this point) hidden systems and assets. The surprising part is that, no matter which site or deployment you choose to conduct an OSINT discovery against, when it comes to seeking points of OSINT for the purpose of infiltration or exploitation there is a very high probability that such artifacts will exist, along with points of data leakage bleeding seemingly unimportant information into the hands of the waiting, inquisitive onlooker in the form of one, some, or all of the following:
- Internal Systems and IP addresses
- Machine Names
- Associated and Third Party Systems
- Operating Systems and Application types/versions/patch levels
- User IDs
- Passwords
- Department Information and Telephone Extensions
- Document Stores
- Malicious Site and Malware Activity
- Sensitive Government e-mail Addresses
- And the imposition of unsecured Track Changes left in documents that were never cleared down
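As an added example that is not part of the article, the following Python audits a .docx for two of the exposures listed above: the identifying metadata in its docProps parts and Track Changes that were never cleared down. The sample document it builds is constructed for the demonstration; its user names, company and server names are placeholders.

```python
import io, zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the docProps/*.xml parts and the document body
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}
W = "{%s}" % NS["w"]
# Properties that identify people, machines and internal paths before a document is released
META_FIELDS = {"docProps/core.xml": ("dc:creator", "cp:lastModifiedBy", "cp:revision"),
               "docProps/app.xml": ("ep:Company", "ep:Template")}

def audit_docx(data: bytes) -> dict:
    """Return identifying metadata and any Track Changes still present in a .docx blob."""
    found = {"metadata": {}, "tracked_changes": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, tags in META_FIELDS.items():
            if part in z.namelist():
                root = ET.fromstring(z.read(part))
                for tag in tags:
                    el = root.find(tag, NS)
                    if el is not None and el.text:
                        found["metadata"][tag] = el.text
        if "word/document.xml" in z.namelist():
            body = ET.fromstring(z.read("word/document.xml"))
            # Deleted text lives on in w:del/w:delText and insertions in w:ins/w:t, each with an author
            for kind, text_tag in (("del", "delText"), ("ins", "t")):
                for change in body.iter(W + kind):
                    text = "".join(t.text or "" for t in change.iter(W + text_tag))
                    found["tracked_changes"].append((kind, change.get(W + "author"), text))
    return found

def build_sample_docx() -> bytes:
    """Constructed sample, not a real document: leaky properties plus an unaccepted deletion."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>j.smith</dc:creator>'
            '<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy><cp:revision>14</cp:revision>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"])
    app = ('<Properties xmlns="%s"><Company>Example Corp Ltd</Company>'
           '<Template>\\\\fileserv01\\templates\\board.dotx</Template></Properties>') % NS["ep"]
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Figures attached.</w:t></w:r>'
           '<w:del w:author="j.smith"><w:r><w:delText>copy on fileserv01.corp.local</w:delText></w:r></w:del>'
           '<w:ins w:author="a.jones"><w:r><w:t>See finance.</w:t></w:r></w:ins>'
           '</w:p></w:body></w:document>') % NS["w"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app), ("word/document.xml", doc)):
            z.writestr(name, xml)
    return buf.getvalue()
```

Anything the audit returns for a document about to leave the organisation is exactly the kind of snippet the list above describes: a user name, a domain, an internal server name and an internal host that was meant to be deleted.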
Fig 2 – Exposures
See Fig 2, which is a sanitised example of the exposures that can be discovered. In this case, it includes the logical relationship with a .cn domain offering remote login. Now, of course, how such indirect intelligence snippets are used by the prospective attacker to mount a direct attack is very much down to their own imagination. But given that they have been granted the access to acquire such information, I am confident they will come up with a way to leverage such material in an attempt to formulate a plan to compromise an asset, a third party, or an associated site/service. Or it may be that the route to insecurity on this occasion is the use of the personally oriented artifacts to perform a direct social engineering attack against a selected human target. As I always say, the only limitation is the imagination of the attacker. After reading this, you may not be convinced that this is a real issue for your organisation to worry about – but think again. If you are indirectly providing any such material that could be leveraged to assist a direct compromise of organisational assets, maybe you should at least reconsider, as the exposure of your unknown unknowns may just provide your next attacker with the intelligence he/she needs to perform a successful exploitation against your organisation.