ITS 4550 - Fraud Prevention and Deterrence

Chapter 5, Footprinting Tools and Techniques

This lesson presents material from chapter 5. Objectives important to this lesson:

  1. Information gathering
  2. Website information
  3. Financial information
  4. Google hacking
  5. Domain information leakage
  6. Employees
  7. Insecure applications
  8. Social networks
  9. Basic countermeasures

Chapter 5

The chapter begins with a list of six objectives that might be pursued in gathering information about a target. The first two objectives, gathering public-facing information and determining basic network information, are more passive than the rest. This places these objectives in the category of footprinting: determining information about a target without much probing of a network.

The text opens its discussion of footprinting with the examination of a target's web site, mentioning that we should look for phone lists, organization charts, and other such documents that provide the names of employees, their positions, their phone numbers, and their email addresses. The text mentions that some organizations have become smarter about what they keep on their public-facing sites, but they may not always have been so careful. An attacker may find that this is the case by looking for the target in the Internet Archive with its search engine, the Wayback Machine, which can show what many sites on the Internet used to look like. The text is careful to say that there is no guarantee that an older version of a web site will hold information that is still valid, but it is worth a try. The suggested counter to this technique is to use a robots.txt file to prevent polite web crawlers from recording information in some or all of a web site. More information about the syntax to use in this file can be found in the Wikipedia article on the subject.
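One way a site owner can check the robots.txt countermeasure described above is to test the file against an inventory of documents that should not be recorded. This is an added example, not material from the textbook; the robots.txt content, the paths, and the crawler names (GenericBot, ExampleArchiveBot) are constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site; paths and bot names are made up.
ROBOTS_TXT = """\
User-agent: *
Disallow: /staff/
Disallow: /docs/orgchart.pdf

User-agent: ExampleArchiveBot
Disallow: /
"""

# Constructed inventory of documents the organization does not want recorded.
SENSITIVE_PATHS = [
    "/staff/phone-list.html",
    "/docs/orgchart.pdf",
    "/hr/directory.xls",
]


def load_policy(robots_txt):
    """Parse robots.txt text offline (no network fetch)."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def still_crawlable(robots_txt, agent, paths):
    """Return the paths a rule-following crawler named `agent` may still fetch.

    Only crawlers that choose to honor robots.txt are modeled here.
    """
    parser = load_policy(robots_txt)
    return [p for p in paths if parser.can_fetch(agent, p)]


def report(robots_txt, agents, paths):
    """Map each crawler name to the sensitive paths its rules leave open."""
    return {a: still_crawlable(robots_txt, a, paths) for a in agents}


if __name__ == "__main__":
    agents = ["GenericBot", "ExampleArchiveBot"]
    for agent, exposed in report(ROBOTS_TXT, agents, SENSITIVE_PATHS).items():
        print(f"{agent}: may still record {', '.join(exposed) or 'nothing'}")
```

In this sample the wildcard rules miss /hr/directory.xls, so a polite general-purpose crawler could still record it, while the crawler that is disallowed from the whole site records nothing.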

The text continues with an idea about harvesting technical information about a target. Job postings for technical positions are likely to list skill and experience requirements that provide insight into the products and equipment that are used by a company, which in turn should suggest possible attack vectors on the target. Location information about interviews can also be useful, if the locations of data centers for the target are not known. The text suggests that job postings be made with less detail about the actual employer or about the actual products being used to prevent this kind of information gathering.

The text moves on to discuss financial data. Financial data is often available from the public web site of a large entity, but is also available from the Securities and Exchange Commission for companies with publicly traded stocks. Why does an attacker want this information? If the attacker is after money, it makes sense to seek targets with lots of it. The text offers four other web sites with financial information on page 111. If you are protecting a site, you should know what kind of prize it appears to be in these databases.

The next topic is Google hacking. The text tells us that Google has access to more than the web page data most of us have seen in search results, and that most of us have not thought about the extent of the other information available. The term "Google hacking" refers to doing searches on Google in ways that are not intended by Google. Note the search commands the text discusses, which let us search for words in document titles (intitle:), for documents of specific types (filetype:), and for links that have specific words or strings in their URLs (inurl:). These concepts may be useful in looking for information about a specific target.

The text spends a few pages on domain and DNS information, which has already been discussed. It also explains the use of traceroute (which is the command on Linux/UNIX) and its Windows version, tracert. A reason for a hacker to use traceroute, besides general information, is to see if it can reveal the name and IP address of a border device on the target's network.

The text discusses looking for information on a target posted by employees on social media sites. Posting information about one's employer is discouraged unless permission has been given to do so, but people who are unhappy with their boss, job, or situation are prone to do so without regard to company policy.

The last section in the chapter is about countermeasures, some of which are mentioned along the way. If information is not meant for the public, don't put it on the Internet. Protect sensitive information with firewalls. Make public information generic, using job titles instead of names and reception desk phone numbers instead of personal extensions.

This week you need to submit Assignment 2 and Part 2 of the ongoing course project.