
New York Times Cyber Attack makes “Deep Internet Reconnaissance” Simpler to Understand


In the last few weeks, the Syrian Electronic Army claims to have launched successful cyber-attacks against the New York Times and Twitter. What is interesting about the attacks is that they were “indirect” attacks – attacks against New York Times “information” that is outside their direct control. I find that this is a challenging issue for many people to get their arms around. I know this because I end up trying to explain it fairly often to clients and potential clients. Since we optionally include “Deep Internet Reconnaissance” (DIR), intended to assess this specific risk, on external penetration tests, the conversation generally goes like this:

DIRs can be valuable because, as the Internet has grown, so has the number of third-party data sources available to an intentioned hacker that house (perhaps critical) information about your company. Domain registrars, address registries, web-based services, technical support forums, social media sites, and search engines have all developed into publicly accessible, rich information repositories. These data repositories can be mined for sensitive data via aggregation tools. What makes these kinds of attacks dangerous is that they take place against third-party systems, which makes them undetectable by the target.


By this point most clients are still unsure about what a DIR really does so I usually use examples:

  • We found a spreadsheet indexed by Google that included full contact details for the several hundred individuals that had access to a very sensitive law enforcement application. While it did not include passwords, we were able to use the information to social engineer a password reset to gain access to the highly restricted application.
  • We found a post on a vendor forum detailing a problem with a software development company’s firewall configuration. We used that information to gain unintended access, which led to us gaining a copy of the source code for their flagship product.
  • We found that a malicious individual had registered variations of a client’s name (e.g., 1bm.com, ibm-support) and was using those for identity theft spear-phishing attacks against the client.
  • We found that a bank had registered every variation of their name (e.g., bigbank.com, .net, .us, .biz, etc.), a very good practice, but had failed to direct each of the variations to the main site. A customer going to any variation other than .com received a page advertising banking services (e.g., loans, mortgages, checking accounts) of their major competitors.
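
The last two findings translate into a check an organization can run against its own name. The following Python is an added example, not Pivot Point Security's tooling: the confusable-character map, the function names and the sample registrations (built around the bigbank names above) are assumptions constructed for illustration, and it works on simple `name.tld` strings without doing any network lookups.

```python
import re

# Assumed, non-exhaustive map of digit-for-letter swaps (the page's 1bm.com case).
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s"})

def skeleton(label):
    """Collapse visually confusable characters so 1bm and ibm compare equal."""
    return label.lower().translate(CONFUSABLES)

def classify(domain, brand, owned):
    """Classify one observed registration against the brand label."""
    domain = domain.lower().strip(".")
    label = domain.rpartition(".")[0]          # everything left of the TLD
    if domain in owned:
        return "owned"
    if label == brand:
        return "tld-variant"                   # our name under a TLD we do not hold
    if skeleton(label) == skeleton(brand):
        return "lookalike"                     # e.g. 1bm for ibm
    if any(skeleton(t) == skeleton(brand) for t in re.split(r"[-_.]", label)):
        return "brand-keyword"                 # e.g. ibm-support
    return "unrelated"

def unredirected(owned, main_site):
    """Owned variants whose observed landing host is not the main site."""
    return sorted(d for d, host in owned.items() if d != main_site and host != main_site)

def report(observed, brand, owned, main_site):
    """Group findings by the follow-up action a defender would take."""
    kinds = {d: classify(d, brand, owned) for d in observed}
    pick = lambda *want: sorted(d for d, k in kinds.items() if k in want)
    return {"investigate": pick("lookalike", "brand-keyword"),
            "register_or_monitor": pick("tld-variant"),
            "fix_redirect": unredirected(owned, main_site)}

# Constructed sample data: owned domain -> host it was observed to land on.
OWNED = {"bigbank.com": "bigbank.com", "bigbank.net": "bigbank.com",
         "bigbank.us": "parking.example", "bigbank.biz": "parking.example"}
# Constructed sample of registrations seen in registrar / zone-file monitoring.
OBSERVED = ["bigbank.net", "bigbank.org", "b1gbank.com",
            "bigbank-support.com", "smallcafe.com"]

if __name__ == "__main__":
    for action, domains in report(OBSERVED, "bigbank", OWNED, "bigbank.com").items():
        print(f"{action}: {', '.join(domains) or '-'}")
```

In practice the `OBSERVED` list would come from a registration-monitoring feed and the landing hosts in `OWNED` from periodically fetching each owned variant.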

So at that point “what a DIR does” is usually pretty well understood. Whether it is worth the cost usually isn’t understood, though, and that requires a whole other conversation around probability/impact.

Yesterday, however, when we hit that point in the conversation, our client immediately wanted it done as he made the connection to the New York Times issue.

The post New York Times Cyber Attack makes “Deep Internet Reconnaissance” Simpler to Understand appeared first on Pivot Point Security.

