FREEDOM AND SAFETY

 

Beginning with the Yahoo! breach back in September – where personal information was stolen and presumably published online and/or sold to be used later to attack other online accounts – I was curious to find research that shows the top sources that criminals use to gather business and personal information (both data and metadata) which they can then use for nefarious purposes. As part of this analysis, I wanted to identify both public sites and dark web sites.

Having publically reached out to a variety of folks throughout the industry, I pulled together the material contained in these slides from the following organizations:

  • CSID | Adam Tyler, chief innovation officer
  • RiskIQ | James Pleger, head of research
  • SurfWatch Labs | Adam Meyer, chief security officer

“There has been an explosion in the number of entities offering legitimate lookup services online over the past few years,” says Tyler. “These lookup services range from Social Security number (SSN) search products to address and name verification services – all of which are used by legitimate and illegitimate users to identify and locate individuals both online and off.”

In this slide show, we’ll look at public sources for this valuable information. In a follow-up slide show, we’ll dig into dark web sources.

Source: Your Company Website

Source: Your Company Website</p>
<p>The most likely place an adversary will begin to look is at your own company website.</p>
<p>Adam Meyer, chief security officer of SurfWatch Labs, explains that while there are plenty of sites that criminals can use to can show detailed information about domains, IP addresses and effective attack vectors to try, the best way for someone to find information about a particular target is by getting it directly from the source: you.</p>
<p>'Most corporate or company websites are a treasure trove of information attackers can use to target a specific organization,' says Meyer. 'Names of VIPs, email addresses of various people in the company, photographs, Linkedin profile links....the list goes on. And that's the easy, obvious stuff.'</p>
<p>Meyer reminds us that, if your company is hosting any PDFs, Word documents, Excel spreadsheets, and PowerPoint presentations for people to download, it's important to remove potential metadata from those documents that could potentially contain additional names, email addresses, usernames, or software versions of the program used to create it. All of that information can be leveraged for attacks, such as spearphishing.</p>
<p>'Some pretty simple Google searches (just type site:yourpublicsite.com filetype:pdf into the Google search box) can reveal much more information that you may not have been aware you were leaking,' Meyer adds.</p>
<p>Image Source: SurfWatch Labs

The most likely place an adversary will begin to look is at your own company website.

Adam Meyer, chief security officer of SurfWatch Labs, explains that while there are plenty of sites that criminals can use to can show detailed information about domains, IP addresses and effective attack vectors to try, the best way for someone to find information about a particular target is by getting it directly from the source: you.

“Most corporate or company websites are a treasure trove of information attackers can use to target a specific organization,” says Meyer. “Names of VIPs, email addresses of various people in the company, photographs, Linkedin profile links....the list goes on. And that's the easy, obvious stuff.”

Meyer reminds us that, if your company is hosting any PDFs, Word documents, Excel spreadsheets, and PowerPoint presentations for people to download, it’s important to remove potential metadata from those documents that could potentially contain additional names, email addresses, usernames, or software versions of the program used to create it. All of that information can be leveraged for attacks, such as spearphishing.

“Some pretty simple Google searches (just type site:yourpublicsite.com filetype:pdf into the Google search box) can reveal much more information that you may not have been aware you were leaking,” Meyer adds.

Source: Domain WHOIS

Source: Domain WHOIS</p>
<p>Every single webpage has some publicly-available data about who registered it, and this information is typically available through the WHOIS service.</p>
<p>'The WHOIS service can be used to impersonate and create personas similar to the users being targeted,' says James Pleger, head of research at RiskIQ. 'Finding additional websites based on common ownership gives hackers new sources of information through which they can compromise an individual or corporation. They can even impersonate those domains to fool the customers.'</p>
<p>Pleger suggests that, to mitigate this risk, corporations need to manage all their web assets centrally, including domain providers that provide registrations specially for corporations.</p>
<p>'Have some sort of monitoring program to monitor domains that are not owned by the corporation. For example, rogue assets for a temporary marketing campaign may not go through IT, so nobody knows about it. Those rogue assets could get hijacked to serve malware and steal credentials,' adds Pleger.</p>
<p>Image Source: RiskIQ

Every single webpage has some publicly-available data about who registered it, and this information is typically available through the WHOISservice.

“The WHOIS service can be used to impersonate and create personas similar to the users being targeted,” says James Pleger, head of research at RiskIQ. “Finding additional websites based on common ownership gives hackers new sources of information through which they can compromise an individual or corporation. They can even impersonate those domains to fool the customers.”

Pleger suggests that, to mitigate this risk, corporations need to manage all their web assets centrally, including domain providers that provide registrations specially for corporations.

“Have some sort of monitoring program to monitor domains that are not owned by the corporation. For example, rogue assets for a temporary marketing campaign may not go through IT, so nobody knows about it. Those rogue assets could get hijacked to serve malware and steal credentials,” adds Pleger.

Source: Google or Other Search Engines

Source: Google or Other Search Engines</p>
<p>Google is one of the most obvious sources of the core information you'd expect to search for and find, but most criminals use these tools as a means to find additional information about their target(s) - following the initial website review covered in the previous slide, this source is often their starting point.</p>
<p>'There are products [that] can be found through a simple Google search by typing the following: 'SSN Search,' 'Person Trace,' or 'Email Lookup.' Most, if not all, are registered as legitimate organizations and have legal commercial uses,' says Adam Tyler, chief innovation officer at CSID. 'Many bad guys utilize these services for illegitimate and nefarious purposes.'</p>
<p>Legitimate or not, the information found through these searches can represent the beginning of the end.</p>
<p>'The information found through web-based searches can help hackers assess how valuable a specific target is and whether or not it's worth their time to go after them,' says James Pleger, head of research at RiskIQ. 'Because they can find family history, tax records, criminal records, and potentially even a phone number, this source also gives them insight into how each person might be breached; is the best path through social or through their business partners?'</p>
<p>It goes without saying, the more information exposed on the Internet, the more things the search engines can find and reveal.</p>
<p>'Being cognizant of what types of information you put out is critical,' adds Pleger. 'Saying that you're going on vacation is not a big deal, but when that information is combined with all the other data that can be found through a simple search, the pieces become valuable together.'</p>
<p>Image Source: RiskIQ / CSID

Google is one of the most obvious sources of the core information you’d expect to search for and find, but most criminals use these tools as a means to find additional information about their target(s) – following the initial website review covered in the previous slide, this source is often their starting point.

“There are products [that] can be found through a simple Google search by typing the following: ‘SSN Search,’ ‘Person Trace,’ or ‘Email Lookup.’ Most, if not all, are registered as legitimate organizations and have legal commercial uses,” says Adam Tyler, chief innovation officer at CSID. “Many bad guys utilize these services for illegitimate and nefarious purposes.”

Legitimate or not, the information found through these searches can represent the beginning of the end.

“The information found through web-based searches can help hackers assess how valuable a specific target is and whether or not it’s worth their time to go after them,” says James Pleger, head of research at RiskIQ. “Because they can find family history, tax records, criminal records, and potentially even a phone number, this source also gives them insight into how each person might be breached; is the best path through social or through their business partners?”

It goes without saying, the more information exposed on the Internet, the more things the search engines can find and reveal.

“Being cognizant of what types of information you put out is critical,” adds Pleger. “Saying that you’re going on vacation is not a big deal, but when that information is combined with all the other data that can be found through a simple search, the pieces become valuable together.”

Source: State/County Public Records

Source: State/County Public Records</p>
<p>Public records are effective for targeting specific individuals as a means to work their way into organizations or to conduct a business email compromise scheme. A prime example of these sources is the county assessor office, which can reveal information about the property, its owners, spouses, relatives, neighbors, and the adjacent properties.</p>
<p>In addition, 'people routinely share useful and important personal information on social media, or via government and other query-able databases,' says Adam Tyler, chief innovation officer at CSID.</p>
<p>'If you're doing a social engineering attack, you have to be believable, and in order to do this you have to be very knowledgeable about the subject so you can appear to be the target you're impersonating,' says James Pleger, head of research at RiskIQ.</p>
<p>'This information can be used to socially engineer a wide range of users into providing more data, or answering additional security questions on individuals they have already acquired a subset of data for,' adds Tyler - or even changing passwords or altering account information.</p>
<p>While not all of the information found on these sites can be controlled by the user, they still have a responsibility to only share what is necessary with these sites.</p>
<p>'Individuals need to be aware of what information is out there, how they share this data, and if the details provided can be utilized to access or compromise any of their physical or digital accounts,' adds Tyler. 'Minimize posting of personal information to public locations and be careful who you connect and share data with on social networks and other sharing platforms. If possible, register ex-directory for government services to minimize your exposure to public database searches.'</p>
<p>Organizations must also recognize the risk these records bring to their business. For example, your company's high-profile executives could be targeted for those types of attacks...and this might be a precursor to an attempt to compromise the company itself.</p>
<p>'Be aware that the data is out there and what it means,' adds Pleger. 'To mitigate the risk, you can set things up in a trust or owned by a different company. Some states have options to remove data from public records for precisely this reason.'</p>
<p>Image Source: RiskIQ

Public records are effective for targeting specific individuals as a means to work their way into organizations or to conduct a business email compromise scheme. A prime example of these sources is the county assessor office, which can reveal information about the property, its owners, spouses, relatives, neighbors, and the adjacent properties.

In addition, “people routinely share useful and important personal information on social media, or via government and other query-able databases,” says Adam Tyler, chief innovation officer at CSID.

“If you’re doing a social engineering attack, you have to be believable, and in order to do this you have to be very knowledgeable about the subject so you can appear to be the target you’re impersonating,” says James Pleger, head of research at RiskIQ.

“This information can be used to socially engineer a wide range of users into providing more data, or answering additional security questions on individuals they have already acquired a subset of data for,” adds Tyler – or even changing passwords or altering account information.

While not all of the information found on these sites can be controlled by the user, they still have a responsibility to only share what is necessary with these sites.

“Individuals need to be aware of what information is out there, how they share this data, and if the details provided can be utilized to access or compromise any of their physical or digital accounts,” adds Tyler. “Minimize posting of personal information to public locations and be careful who you connect and share data with on social networks and other sharing platforms. If possible, register ex-directory for government services to minimize your exposure to public database searches.”

Organizations must also recognize the risk these records bring to their business. For example, your company’s high-profile executives could be targeted for those types of attacks…and this might be a precursor to an attempt to compromise the company itself.

“Be aware that the data is out there and what it means,” adds Pleger. “To mitigate the risk, you can set things up in a trust or owned by a different company. Some states have options to remove data from public records for precisely this reason.”

Source: Social Network Footprint: Linkedin, Twitter, Facebook

Source: Social Network Footprint: Linkedin, Twitter, Facebook</p>
<p>As you can imagine, this source allows hackers and cybercriminals to find information about personal and professional connections which can be used to create impersonation profiles and/or as part of a social engineering attack.</p>
<p>According to CSID, social networks offer malicious users a huge amount of data and insight, with the most common information gathered from these public web sources including: </p>
<p>- Name<br />
- Email<br />
- Physical address<br />
- Social Security number<br />
- Date of birth<br />
- Work/employer information<br />
- Family details<br />
- Like/dislikes</p>
<p>'Cybercriminals compile lists of who their target(s) are related to, who they hang out with, how they interact with their family, friends, and co-workers,' says James Pleger, head of research at RiskIQ. 'Hackers don't want to waste their time impersonating someone their target never has interactions with.'</p>
<p>'Many users still post and provide personal information on their social networks, allowing nefarious actors to identify, extract, and utilize the information where possible,' says Adam Tyler, chief innovation officer at CSID. 'Even seemingly innocuous information, like your high school mascot or pet's name, can put you at risk and may be the final key to unlock your most sensitive accounts.'</p>
<p>'Corporations need to pay attention to their org structure; who is coming and going, especially during mass layoffs,' adds Pleger. 'Cybercriminals can find friends of employees who have left who may be disgruntled and are easy targets because they aren't thinking logically. Combat this risk by outlining clear policies for social media sharing, proactively look at what your employees are sharing, and build risk profiles internally for ongoing social media monitoring.'</p>
<p>Image Source: RiskIQ

As you can imagine, this source allows hackers and cybercriminals to find information about personal and professional connections which can be used to create impersonation profiles and/or as part of a social engineering attack.

According to CSID, social networks offer malicious users a huge amount of data and insight, with the most common information gathered from these public web sources including:

  • Name
  • Email
  • Physical address
  • Social Security number
  • Date of birth
  • Work/employer information
  • Family details
  • Like/dislikes

“Cybercriminals compile lists of who their target(s) are related to, who they hang out with, how they interact with their family, friends, and co-workers,” says James Pleger, head of research at RiskIQ. “Hackers don’t want to waste their time impersonating someone their target never has interactions with.”

“Many users still post and provide personal information on their social networks, allowing nefarious actors to identify, extract, and utilize the information where possible,” says Adam Tyler, chief innovation officer at CSID. “Even seemingly innocuous information, like your high school mascot or pet’s name, can put you at risk and may be the final key to unlock your most sensitive accounts.”

“Corporations need to pay attention to their org structure; who is coming and going, especially during mass layoffs,” adds Pleger. “Cybercriminals can find friends of employees who have left who may be disgruntled and are easy targets because they aren’t thinking logically. Combat this risk by outlining clear policies for social media sharing, proactively look at what your employees are sharing, and build risk profiles internally for ongoing social media monitoring.”

Source: Genealogy Websites

Source: Genealogy Websites</p>
<p>Many of these websites have cataloged a great deal of family information which can be used to socially engineer their targets.</p>
<p>'These sources are very similar to public records in terms of value to hackers,' says James Pleger, head of research at RiskIQ.</p>
<p>Information on genealogy websites may also be used for mine for potential gold such as maiden names or even passwords, for those individuals who use that data for creating passwords.</p>
<p>Image Source: RiskIQ

Many of these websites have cataloged a great deal of family information which can be used to socially engineer their targets.

“These sources are very similar to public records in terms of value to hackers,” says James Pleger, head of research at RiskIQ.

Information on genealogy websites may also be used for mine for potential gold such as maiden names or even passwords, for those individuals who use that data for creating passwords.

Source: Shodan.io

Source: Shodan.io</p>
<p>According to Adam Meyer, chief security officer of SurfWatch Labs, Shodan was originally launched in 2009 by developer John Matherly and has grown in popularity among researchers, penetration testers...and malicious actors. Shodan is constantly crawling the Internet looking for what is connected and publicly accessible.</p>
<p>'It's the Google for the Internet of Things,' says Meyer.</p>
<p>This simple idea has grown from a basic list of IP addresses and ports to maps showing where devices are located, and now screenshots taken from these devices (which include webcams, unsecured servers and workstations).</p>
<p>'The original focus for Matherly's scans was to highlight the growing problem of internet-connected things (thermostats, refrigerators, etc.), but his research also uncovered industrial control systems, wide-open computer systems, unsecured security cameras, and more,' says Meyer.</p>
<p>SurfWatch notes that the site underscores the inherent risk of putting IoT devices online and that careful thought needs to be applied when using new technologies. Unfortunately, once a device is online, there is little that can be done to hide it from Shodan.</p>
<p>'If it's online, Shodan will find it, says Meyer. 'The lesson to be learned from this site, without a doubt, is secure your systems and protect your data before it goes online.'</p>
<p>Image Source: SurfWatch Labs

According to Adam Meyer, chief security officer of SurfWatch Labs, Shodan was originally launched in 2009 by developer John Matherly and has grown in popularity among researchers, penetration testers...and malicious actors. Shodan is constantly crawling the Internet looking for what is connected and publicly accessible.

“It's the Google for the Internet of Things,” says Meyer.

This simple idea has grown from a basic list of IP addresses and ports to maps showing where devices are located, and now screenshots taken from these devices (which include webcams, unsecured servers and workstations).

“The original focus for Matherly's scans was to highlight the growing problem of internet-connected things (thermostats, refrigerators, etc.), but his research also uncovered industrial control systems, wide-open computer systems, unsecured security cameras, and more,” says Meyer.

SurfWatch notes that the site underscores the inherent risk of putting IoT devices online and that careful thought needs to be applied when using new technologies. Unfortunately, once a device is online, there is little that can be done to hide it from Shodan.

“If it's online, Shodan will find it, says Meyer. “The lesson to be learned from this site, without a doubt, is secure your systems and protect your data before it goes online.”

Source: Virustotal.com

Source: www.virustotal.com</p>
<p>Adam Meyer, chief security officer of SurfWatch Labs, notes that, on the surface, the offerings of VirusTotal seem fairly simple. Sure, the site is billed as a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware. But that simple tagline masks its full capabilities.</p>
<p>'The power behind VirusTotal is how it adds and saves the metadata and behaviors of the files it analyzes,' says Meyer. 'You can use the domain search to look at the IP history of the domain and get the current WHOIS for the domain, but VirusTotal will also show you a list of every time it detected something malicious on the site, as well as list all of the samples that attempted to communicate with the searched-for domain.'</p>
<p>Perhaps even more troubling, explains Meyer, is that attackers are also using the service, uploading new versions of their malware to test against the 56 (at last count) antivirus vendors to see if and how their new variant will be detected.</p>
<p>'The timeframe before detection is short so these malicious files must either be used fairly quickly, or the criminals could just be testing a new obfuscating method to hide already known malware from being detected to be used in a future campaign,' adds Meyer.</p>
<p>Image Source: SurfWatch Labs

Adam Meyer, chief security officer of SurfWatch Labs, notes that, on the surface, the offerings of VirusTotal seem fairly simple. Sure, the site is billed as a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware. But that simple tagline masks its full capabilities.

“The power behind VirusTotal is how it adds and saves the metadata and behaviors of the files it analyzes,” says Meyer. “You can use the domain search to look at the IP history of the domain and get the current WHOIS for the domain, but VirusTotal will also show you a list of every time it detected something malicious on the site, as well as list all of the samples that attempted to communicate with the searched-for domain.”

Perhaps even more troubling, explains Meyer, is that attackers are also using the service, uploading new versions of their malware to test against the 56 (at last count) antivirus vendors to see if and how their new variant will be detected.

“The timeframe before detection is short so these malicious files must either be used fairly quickly, or the criminals could just be testing a new obfuscating method to hide already known malware from being detected to be used in a future campaign,” adds Meyer.

http://www.darkreading.com/cloud/8-public-sources-holding-private-inform...

 

 

There are 3 ways of getting knowledge and practical skills on Freedom and Safety:

1) Subscription to materials
2) e-Learning
3) Buying e-books

Read more

Tweets

Some People Have No Visual Imagery. Here is Why https://t.co/6y2cUaCoe1 https://t.co/9qOtnLf7i7
Freedom and Safety (7 hours ago)
1% Wealthiest Americans Own 40% of the Countrys Wealth https://t.co/WWs08PAvY8 https://t.co/D0Sp3HGA5h
Freedom and Safety (9 hours ago)
Universal Declaration of Human Rights https://t.co/xqUzrjxAyz https://t.co/ySWpu5lDOP
Freedom and Safety (20 hours ago)