Time at DEF CON 11 rocks, okay. Information leakage. Actually, I wanted to name it information spewage, because it's funny. As you go through and start looking at information that's available out there, it kind of surprises you. Anyway, call your plumber, because your information is leaking.

What we're gonna talk about today is a background of how the speech was conceived, information about security leakage, what the risks are to organizations, and then many fun little trips, tricks and tips. Technical tips for technology, people and process, and also, for those that actually have to protect from this kind of stuff, some tricks on how to protect against it.

Okay, beginning: the background was The Art of War. I just happened to be reading it lately, and one of the things I say is that if you know the enemy and you know yourself, you need not fear the results of a hundred battles. In other words, you're gonna win. If you know yourself but not your enemy, you're gonna suffer defeats, and you're gonna succumb to any battle if you know neither. A lot of times in information security we tend to know ourselves, maybe, and not know the enemy, or, in many cases during assessments, I found they knew neither.

Here's a chart that I put together that... dealing with all the time. On the left-hand side you see the red. That's pretty much what most of the world is sitting in, as far as from a security standpoint. If you notice, you have the unsuccessful attacks discovered: those are basically people that attack systems and lose, basically; they don't successfully get in, but they're discovered, usually picked up by intrusion detection systems or misconfigured systems, IDSes, whatever. And then we have successful attacks, and they're discovered. What I'm focusing on today is successful attacks that have been undiscovered. It's funny. I've, again,
I've done a lot of assessments, and usually six months after, a year after doing an assessment, we come in again and we find out that sometime in between they've made a change. There's an echo back there. Cool. Huh. Okay, so what we have is a level of protection, but I think there's a lot of successful attacks that really go undiscovered. Basically the NT guy goes, "Well, my machine locked up, I'll just reboot it." Unfortunately, it puts it back to where, or whatever, and a year or two later it's found or discovered. So that's the basis of that, after conversation with some friends.

What is information leakage? Information leakage results, either purposefully or accidentally, in information that's released that can put your staff, intellectual property, systems or networks at risk. So that's a pretty wide category.

Risks of it: if you understand and have the patience of looking this information up, the success of attack dramatically increases. You can find many, many, many vulnerabilities that have been overlooked by the, you know, press now vulnerability assessment type stuff. It also places your organization at a competitive disadvantage if your competitors can look up information that's public about you. Long as you want? Oh, I don't want to talk that long. Okay, good, I can tell stories. Okay, I can put you at a major disadvantage. Also, there's a lot of legal risks of this information being leaked out, and it also can do physical harm to staff or faculty. It's funny, during, from an intellectual property standpoint, this is, it's kind of the... Well, I've used this to track people back that have threatened the life of individuals and also, in one case, threatened to blow up a facility. So they were not aware of all the information out there about themselves.

Type of information leakage: there's technology, people and process. I'm going to very quickly talk about technology. I think everybody else talks about technology here.
I'm going to focus on people and process, which is typically left out in this kind of conversation, but it's as critical.

Okay, from a technology, we really have the passive listening world, which is sniffers and scanning of frequencies, and also the active: war driving, war dialing, scanning of networks. Pretty straightforward. Types of things that we can learn about a network: layer 2, we can find out about the MAC addresses. With the MAC addresses we can kind of figure out what kind of network card they have and make some assumptions about what platform they're using. SSIDs, frequencies used, things like wireless. Active probes, things like nmap, Xprobe, ICMP Cato; passive, which is sniffers, Kismet and radio scanners. Pretty straightforward.

Oh, this is my favorite: layer 4 and above. SNMP systems. I don't know if you guys actually looked at some routers that have SNMP open. It's pretty neat. A lot of people decide to put SNMP up as firewalls and they leave this, this firewall, the SNMP open to the internet. Several assessments that I've done, I scan the network, I find it and I enumerate the SNMP. Well, luckily enough for me, I find out what processes are running, so I know what protocols they're using in-house. It lists all the internal networks, all the default gateway information. It's really wonderful. Tells me what ports are currently connected during the day. It's pretty neat. Systems: if SNMP is open, you're able to enumerate things like hard drives, processes, applications that are running. Makes it real easy to determine what's vulnerable.

Application servers, like web servers: if you guys have gone to Netcraft, Netcraft will tell you what web server somebody's using without literally going to the website. It'll also give you a history of the website and give you uptime. Advantage? Well, it's a good idea. You can find out a version. A vulnerability becomes available.
You can go here, look up what platform they're running and test it, if you choose. Also information with chat, email, Usenet, mailing lists: if you haven't seen it, in the header of all these there's lots of good information that can be used to track back to you. And then applications. Is Tom Marken speaking? I know he spoke at Black Hat. Is he speaking this weekend? I guess not. Thomas Arkin did a presentation at Black Hat on webmail, where he went through webmail and talked about all the information it's giving away when you use webmail and how it's used to track back information. So know you're not anonymous when you're using webmail.

Some special cases: firewalls. I've had several companies tell me, "No, you can never figure out what kind of firewall I'm using, because it's, you know, it's magical." I can't figure out what it is? Well, there's two papers out there... there's a paper out there and there's a tool out there to determine what kind of firewall they're using. I recommend and suggest pulling that up.

And also TEMPEST. We're getting more and more into looking at radio frequencies and determining what radio frequencies different things are running on. This is some links to TEMPEST sites, which will give you ideas of what frequencies are being viewed. As an example: went over to a friend of mine's house. He has a new baby and everything. We had a baby monitor. He just bought a Panasonic telephone. We're sitting there and we laid it down and, okay, we sat and had a beer, and as we're sitting there, the two of them together, we started listening in on phone conversations from the neighbors. Okay, apparently the phone, the baby monitor... the phone was bleeding enough information that through the baby monitor we can listen to all his neighbors.
So he said, "Hey, this is kind of cool." So we went a block down the street and we could catch more. It's kind of cool. Radio emissions are coming out of everything and can be tracked.

Okay, people, the fun part. If we're gonna track a company, typically what we'd want to do is we'd want to go to their website if you want to find out information. The speech earlier today, they talked about how you can use Google as a proxy to do searches against the website, looking for things like email, looking for things like company names, things like passwords, things like that, without directly going into the website, which is with the domain option. A couple very cool things: the web dev or times there, there's a link there called the Wayback Machine. Has anybody seen the Wayback Machine? Isn't that great? It has eight years of website development. There's a lot of dumb things people did eight years ago. There's several sites out there that I found, this is real scary, especially if you're a parent: I found kids' names and sports that they were in on corporate websites. Okay, wives, what activities they're involved in. They don't do that anymore? Well, some of them don't. Also, Google has caches, so you can go in and do searches and find a lot of information from the last time they made a change. So literally you do the search and click.

There's also a lot of technical record information that's leaked. Seriously, if you have the ARIN record and you know what the domain name is, most people leave their phone number, their fax number, all kind of good information there that can be used for an attack. If literally you don't know where the company is, you can go to the ARIN record or the Network Solutions or the whois.net, look it up and find out where the corporate headquarters is, typically. Kind of interesting, and many times that's a phone number to their help desk. Hmm.

Marketing material. I want to show you guys that, that's kind of cool, if I can find it. CyberAlert, here you go.
This is kind of interesting. You can take and put corporate information in on this. You can say, "I'm looking for whatever company," and this guy will monitor 13,000 news sources and email you personal information about that organization when they do press releases and when they're named in any article throughout the country, throughout the world. Pretty scary. Another one is InBox... InBox Robot. And see, I think that's... Here, that's the web dev bar. Yeah, there's the Wayback, by the way. Let's see, who do we look up? Network unavailable. Oh well. Anyway, it's pretty neat, because you can look up lots of information about their internal technical people. At one point they used to put up what their network diagram was. That's the other thing: a lot of corporations leaked information about how great their security was. So literally they'll put up the IP addresses, what technologies they used, what firewalls, what IDSes they used. They were proud of them.

Trade shows. From a people standpoint, if you go to a trade show, there's a lot of information they'll give up. Trade show people leave all kind of information around, sitting on desks and things like that. I've gone to things like Comdex and literally have seen their dial-up and passwords to the corporate network sitting behind the tables, VPN keys, all kind of things. So, you know, people don't protect those.

Bars and smoking lounges and organizational parties. I once went to Comdex a little bit earlier, and I found out there was a party, and considering I like parties, okay, I went to this party. I didn't realize it was a corporate party for this well-known database company. Well, I stood there and the corporate officers got up and told me about what their plans were for Comdex, told me it was closed and "enjoy the party," to me and everybody else. Had a great time. Everybody asked me, "Hey, where are you from?" I said, "I'm from Jacksonville." "Wow, we didn't know we had an office there. That's pretty cool." And they left me alone. It was very cool.
I did that with HP. It was kind of cool, because I did it with HP and they said, "Wait a second, we don't have an office in Jacksonville," and I said, "Wait, can I get one more drink?" I said, okay.

Smoking lounges: if you go to a company's smoking lounge and just ask for a cigarette, it's incredible the kind of information people will tell you about the corporation. Or close by: sandwich shop. People talk during lunch, during dinner. They'll talk about all kind of corporate information and do it publicly. Company names, technology, especially if you know where the techies go. Great place, and obviously bars.

Tech support. The people that are supporting the technologies that we deal with regularly, they have their own little challenge. They have to deal with the vendor, and even worse, they have to deal with the vendor help desk. You guys have never dealt with those, have you? Yeah, okay. Well, what kind of stuff do they ask you for? "Hey, give me your configuration file. Can you give me your password?" Okay, well, in some corporate agreements you have to provide all that information. What I found is that there is a lot of companies that are now outsourcing that, and their expectations of security to the outsourcer are far lower than the original company, and many times they never have the authority to even test these outsourcers. Let me tell you a story. One of the outsourcers that I know about told me this story, that they didn't have enough computers for everybody on their help desk for a week or two.
It's a well-known company that does tech support for some devices; can't go into the details. But literally, when customers would call in, they would run to a single computer and print out that information, the configuration files, and then whenever done, they'd throw it in the trash. Yeah. A lot of companies during outsourcing agreements will forget that security is important and forget about these kind of issues, unfortunately.

Also, another fun place that people leak information is Usenet news and web pages. Oh, those are so much fun. You can find out that the technical support question that a techie will post, full configuration files for their Cisco PIXes with the VPN configurations, okay, in clear text. You don't even have to decrypt it. This is great. Or what kind of DNS server they just configured, or what application languages they're using in-house and what calls they're using, which may be vulnerable. DCOM.

Here's some places that you can go. Tile.net allows you to do searches. Robo fetch is kind of neat. Robo fetch allows you to put a piece of information out there about a company, corporation, individual, whatever, and any time they post to the net it sends you a copy. Any time they post to Usenet. Kind of cool. You can also use the advanced search feature. I wasn't going to show it because I don't have a connection, unfortunately, but in the advanced search feature I could put the domain, put the domain section, and do a search and come up with a list of all the employees that have posted from that corporation and all the details. During some CIs that I've done, competitive intelligence gathering, I have found things like what hobbies people have. One guy was in the leather.
That's a different story. We've found all kind of information just by doing simple searches. We found a school district where we found an individual that was inappropriately interested in... a woman that was inappropriately interested in the football team. See.

Another challenge, what we call the exception to the security rule: management. Does anybody ever have to deal with that? Yeah. "We're above security planning. We're above any of that. Hey, come on over, let me show you the spreadsheets. It's okay that we have all the social security numbers for our employees being passed around at budget time so we can figure out how they're going to get raises." During present day, during a lot of assessments, I go in and I look for this kind of stuff and it's common. It's there. A lot of educational community: I teach, I get the social security numbers for all my students, and now I can do a search and find everybody's social security numbers in this one area. Apparently it's not important to protect that for many organizations.

Another place that information is leaked all the time is during disaster recoveries or DR drills. A lot of times these people are rushed. They're driving boxes of tapes up. They're basically driving from one place to another. They're flying up. A lot of times these people will leave, have clipboards of passwords and all kind of other information that's public, that can be public just by walking up to a car and reading this information. It's incredible. And it's real interesting, because during an early part of a disaster recovery, pretty much, they don't know who's going to be there. So anybody who walks in is considered an employee for a short period of time. That's kind of strange.

Other information that's leaked: posting of resumes.
Oh, this is so much fun. I have found out lots of information about the corporate officers just by looking up resumes that are posted, especially when they're looking at moving, or technical community or staff, what their backgrounds are and things like that. Financial comment boards: if you go to Yahoo, comments about corporations, you can find out a lot about the internal politics that are going on, and even email people: "Oh, geez, this is a shame. Do you know anything about this?" And they'll tell you. And then that F'd Company: they have leaked internal documentation, which is always interesting. And then here are six different websites, the tricks that I use when I'm looking for information about an organization or whatever. All these have emailing lists. I can pick a technology and I can pick an area, and then every day I get to see if there's any job openings in that area and then the technologies that they're using.

Social engineering calls. Just make a phone call. It's funny how bad it is when you make a phone call and say, "Hey, can I talk to the corporate or whatever? Can I talk to HR?" and they'll give you names. They'll give you lots of information. A lot of leakage there from the people standpoint. And also email and delivery. I have a CD that I created. It's a golf magazine CD. It has a trojan on it. You know, it's really interesting that you can take a golf magazine and a CD and take the golf magazine, wrap it in plastic, and how many corporate officers will run it. Okay, they're above security. Oh, golf courses, of course. That's a pun.
Sorry, the course part. Yeah, no. Oh, news sources. A lot of times the local newspapers will have a lot of news items about the people that are within corporations, besides the corporations themselves. So if you do a search for wherever the corporate offices are, there's a good chance you'll find out that they were involved in this community activity or that community activity, and will give up the name and titles of lots of different people that are involved in this.

Yes, phone numbers. Here's four places that, literally just by putting in the phone number or looking at names... Honestly, not all four of them are that good with certain names or certain databases. It changes based on area and whatever, but by literally looking up whoever's name between these four, there's a good chance you're gonna find people. You're gonna find an individual. The personnel rec... the personnel... the www US Search. US Search is kind of cool. You have to pay for it, but before you pay for it, after you type in the information and it gives you the names, it gives you the age of the individual. Hey, how can that be handy? Well, if you go to the genealogy website, you can look up the family tree, and if they've posted that information you can approximate who they are to figure out the mother's maiden name. This is information leakage for individuals that you've got to protect yourself from.

Okay, reverse phone number lookups. Oh, the fun part about it is this particular place now has cell phones. Yes, you can now look up cell phones here. Sir? Yeah, horizon comm. This is a roll-up for everybody's email addresses. For some weird reason this guy keeps track of email addresses. Classmates.com: if you have a general age and where they grew up from their resume, what do you think you can find out about them? All kind of things. People put their hobbies, their names, their animals, the names of their kids. They put all kind of stuff on Classmates.com. It's pretty outrageous. I didn't say that you did. ICQ again.
ICQ: people put all kind of information up about themselves, a lot more than should go. And also, here's my favorite public records place. If this is the only thing you stayed for, this is the most fun place. Where are you? That's the other one. I'm gonna talk about that one in a minute. Ah, there we go. Oh, maybe not. I missed it again, huh? My Linux partition died. Sorry. I have to see... there we go. This guy is very fun. This guy is an index to all the contractors, anybody that's licensed by states. Property records for the majority of states can be found here. Driver's license information for free can be found here. Okay, I just found that they put legal records, and they put my son's name on a legal record here. Okay, not cool. Found out that somebody posted my social security number. I've taken that off now, but you can get a lot of this information. Yeah, I'm not a lawyer and I don't even play one on TV. But anyway, we're gonna talk about that towards the end. But honestly, when I've done competitive intelligence, I've been able to find passport numbers for people in Israel by looking up this information, if they spend any time in the United States. I've been able to get social security numbers, what their signatures look like, marriages, divorces, pretty much any type of legal records, for free. Also, again, if they're somebody like an architect, a contractor, an engineer, they have to give a lot of that information up. There's also a physicians' database, with the physician's code that they're supposed to protect, is on here. And if I had internet access, unfortunately I don't, you can go to the state of Florida and look up information about counties and then drill down from there to individuals within counties and then look at all the court records for that individual for 12 years.

The other one is the Search Systems, another free database. This has hundreds of additional databases. One of the things you're probably not aware of: do you, do you guys believe that Google
has an index to everything on the net? No, it doesn't. It's interesting: Google does not index databases. There is, expected from a database size, uh, there's supposedly anywhere between 10 and 100 times more information out there within databases that cannot be reached by Google. What you have to do is you have to go out and find the front door to those places. Well, guess what, I'm going to show you where the front doors are. Okay, here's the hidden gems. See that? Librarians' Index to the Internet. This is what the librarians used to look up information. Uh, the Invisible Web has a lot of great indexes. Here we go. So if you're looking for lawyer information, you can drop down there and find out lots of information about the practice. Industry, industry groups, uh, individuals within industry groups. All that information is public. Let's see. Ooh.

Now, those are all the people information. Any of you guys afraid yet? Yeah, yeah, it's pretty cool. Amen. It's, uh, it's very interesting. Uh, I teach a class in a college, and first thing I do is I have everybody go out and do a vanity search for themselves. They use this list and a few others, and they look up information about themselves. And usually within an hour or two of doing this, I can tell that they're doing their homework, because I get an email. It says, "I don't believe it. You should see what I found about me." It's pretty outrageous.

Processes. It's incredible how easy dumpster diving is. Let me give you this story. Um, we're at another con. We went to the bar because we were thirsty, and while we were there, we went there very early in the morning, we looked at the trash can because it was sitting right there.
We found this long yellow strip, so we picked it up. Well, apparently the process within this hotel is, at the end of day, they run a strip of all the credit cards and all the people's names. Okay, this is common. And what they do is they only keep the white copy, so they throw away the yellow copy. Okay, this is real common. This is the kind of stuff that, from a process standpoint, you have to put in place and say, look, yes, I know that there's little x's on my credit card piece that you're giving me, and yes, I know that there's x's on the credit card piece that you're keeping, in a lot of cases, by the way, they're not, but check. Oh, my favorite, by the way, if anybody sells things: it's the merchant ID. The merchant ID and the phone number of the credit card machine. Well, that's an index into their bank account. I tell people that and they go, "You're nuts, man. You're nuts. Nobody would ever do this." Well, yeah, that's why the Secret Service announces nine million people that have lost their identity in the last 12 months.

Okay, backup tapes, CDs, DVDs, floppy disks. People are throwing these things away without deleting them, destroying them, whatever. They'll throw them in the trash can, they'll take them home. Yeah, that's fun. Then they'll throw them in the trash there. Hard drives: we had a school district that decided that they didn't need those old hard drives for all their corporate machines, so they gave those, they donated them to us, to another organization, as Linux boxes. That was so special. Well, they had... I brought to their attention.
They had credit card information and, uh, information about the kids in the school district. Not good. Hard drives, PDAs. PDAs, for a lot of people that's their whole life. The PDA can be snatched; that's everything. Cell phones: a lot of cell phones have numbers you can't grab hold of. Also the cleaning staff. Um, a lot of assessments that I've done and a lot of people that I've talked to, uh, they never checked their cleaning staff, and things disappear, and they never take the cleaning staff to task and ever confirm that the cleaning staff is bonded. But, uh, this one well-known lawyer that I know kept on finding information moved and file cabinets open at night, when they got in in the morning. So, um, the cleaning staff is definitely a process issue to check.

Okay, another process information. Well, now that we've given all this information away, um, about ourselves and our financial information, everything else, the government likes to post it too. Wasn't that special? Um, if it's a corporation, EDGAR will have the information. Hoover's, Secure Systems or, uh, Search Systems dot net, Info Today. Uh, Dun & Bradstreet gives you a lot of information, even for free. Uh, the aicpa.org gives you lots of information for free.
Here's one of my favorites: American Express. That's their B2B information. They put far too much information on there about corporations, if they take American Express. Um, take a look at that. And also you can do, uh, Google searches on, uh, targets. You want to find out what vendors sell their product or use their service: "link:" and the target domain will give you links to hundreds, thousands or tens of thousands of different places about that organization.

Okay, how to protect yourself. People: limit the information, um, and have it removed. Most public records, they'll have a form and a practice to remove your information, which can take six weeks, um, where literally they'll have your social security number erased from that image online, or they'll have the particular, um, information removed. Unfortunately, once you know it's there, you can then go back and it's still in public records, physically, down at whatever courthouse, and they can still obtain it. So be aware. You want to request that information to be blocked on yourself. Um, educate your staff, especially corporate officers. A lot of corporate officers don't realize they've put a lot of information out there about themselves. It's very easy to find out all the information about all the houses that they've owned and where all the places they currently own, and who signed for them. Um, it's incredible, even to the point of social security number and, um, credit card numbers. Especially, uh, about five years ago, that was the vogue within the real estate business, to put that information at the bottom on the closing papers.

Uh, processes: have someone do a competitive... either you do a competitive intelligence on your organization or yourself. Go out there and do these searches. And no, you can't just press a button. A lot of the stuff isn't automated. Stuff appears and disappears all the time. Um, in the presentation,
I had eight links that disappeared, and they found three more. So the stuff appears and disappears; it's hard to automate that kind of stuff. But go out and spend a couple hours looking up information about yourself. I think you'll be surprised. Go out there and request it to be removed. Um, if there's information on Google, Google has a remove link. They'll remove information from their database. But some, um, search engines, it takes a lot more work. It's not just, uh, fill in the, uh, blank and go.

Process, let's see, process. Basically define what's considered extreme damage to either, uh, your corporation, your individuals. Um, as an example, if I'm shipping, um, fertilizer in rail cars, maybe, maybe I don't want to tell people where that facility is.

Um, technology: consider removing the banners from all your email servers, your web servers, all kind of fun things like that. What you're going to find is, uh, you know, seriously, that's what you're looking for. "Ooh, this has a banner of Microsoft IIS 3. Cool, we're there." Consider removing the banners: POP mail servers, IMAP, all those others. Also consider using crypto in a lot of that.

Um, also generally for organizations: classify the information. This is a difficult process. Most people have a real difficult time doing this, to say, okay, this should be treated, you know, this could be the end of our company or our organization, or put people in jail, so we're going to keep this really secret and we're going to make sure that this information doesn't get leaked. And then this information should stay here, but it could be shared, and this information could be sent out to everybody else. It's not real common for organizations to do that, and because of that a lot of information is leaked.

Also another trick: in databases, consider inserting some misinformation. Hmm, what do you mean? Well, um, Agent Smith. I usually, in databases,
I'll put a bogus Agent Smith in, or bogus information. That way, if that information is ever leaked, I'll know that it came from inside. Spreadsheets, things like that. Okay, also another thing: consider posting on the Usenet some piece of information, misinformation, about a technology or two. Can't hurt. And also perform all your best practices in security. Well, that's all the technology stuff we talk about anyway. And that's about it.

Oh, by the way, one of the interesting parts I didn't mention during the news: a lot of companies during these outsourcing processes, the outsourcers get really excited that they're outsourcing and give away lots of information, like, "Wow, this outsourcer is going to outsource the whole security department for a company." Okay, well, there's a transition period, right? Enough said. Okay, especially when you see layoffs occurring too. Um, there we go.

Any questions? Sir?

I'm providing them back to the DEF CON folks. They'll have it up on their website. Plus, if you want to come up, if you have a USB drive, I'll drop it onto it if you have it here. Or if you want to email me, feel free. I'll email you a copy. No, it's not on the CD. I made modifications to it. I added more cool stuff.

Any other questions? Sir?

Yes, I found, from a public record standpoint, I found 40 references to myself, and I had in... the database company that they outsourced to, interestingly enough, I literally have to fill in a piece of paper and have it certified for every single record that I found that I have to remove or modify. So it's a very arduous process.

Did a question... A lot of them will have a removal of information, uh, for public records. Uh, you just have to look for it or ask the question: how do I have this information removed? It has information that could lead to identity theft. Oh, ask me later. We'll talk to the company. This could be fun. We didn't say that you did. Okay, what company?
Honestly, these databases, um, it's interesting how many, um, companies will belong to associations, and they'll give up lots of corporate officer information in that, which is pretty scary. Golf courses post scores and information about executives. Real handy.

Anybody else? Okay, what he's asking is how are charities for things like this. Um, I have done some searches through charities. I've made phone calls and asked, and yeah, they'll give up some information. Oh, you know what, I didn't, uh, I didn't include one called theyrule.net. It provides information about the board of directors, and then you can search underneath that and find out where they donate. Again, I'm not a lawyer.

Okay, what he asked is, uh, if they say no, what can we do? Um, honestly, public embarrassment is probably the best way for a lot of those corporations to sit up and, uh, become aware. The other thing is there's, uh, legal issues. If it's HIPAA based, it's health care based, um, and they're not doing it, that's something that can be reported. If it's Gramm-Leach-Bliley, financially based, there's places you can go there. There's Privacy Act information. Yeah, the Sarbanes-Oxley Act, where if your identity is stolen the corporate officers might be held accountable for that lack of due diligence on their standpoint. So there's some hammers that you can use against them.

Sir? The regulator... Six... Oh, no problem. Actually, I want to add to that. If you did, you spend time and read the law. I totally forgot about this. It's really cool, because everybody from the administrator that managed this system, through their manager, all the way up to the owners of the company, can be held liable for that action. Okay, and it's not only, um, professionally but also personally. And guess what, best of all, there's no limitation of liability. So if enough records are stolen they could be charged for a billion dollars. By the way, um, Feinstein, I guess that's her name, from California.
She's just proposed this for the nation. It's in Congress right now, floating around. So we may see this every place. She has set a limitation. I'm not sure what it was. I think it's a hundred million dollars or something like that. So you can still hurt, especially if you're an administrator and your systems get cracked. I don't have that kind of cash.

Any other questions? Sir? The question, yes: are they all free? Um, the majority of them are free. There's one or two that are pay. It's interesting that with this there are some links that you may want to check out. There's a link that gives you information, as an example, about licenses. Each state has their own information. Give an example? Please repeat questions. Thank you. So, thank you. Um, as an example, driver's license, the information: in some states you can go in for ten dollars, walk in with no identity check or anything else, and look up people's driver's licenses. Yeah. Exactly. Yeah, I had that on here, but they also give up information like the age of people, which is actually very handy.

Sir? The legal, um, information is specific to data. Let me repeat that. Um, are there similar, are there legal restrictions? Am I repeating that? Thank you. Yeah, he's waving at me in the back. Um, are there restrictions to the use of this information? Um, yes, it depends on where this database comes from. Some databases, there's really no restriction. Some databases, there's minimal restrictions of usage. You know, your mileage may vary on these databases. Just read it.

Any other questions? If I had internet access we could look people up now, which was what I was looking for. This is fun. The questions, thanks.