Have you ever wondered how much information there is about your business on the web? Were you just curious, or were you concerned? It’s great to have information on the web; it suits your marketing needs perfectly and it’s cheap. However, having more information on the web than your users need may compromise your security. Footprinting is the first phase of an attack on a network, and it’s not that technical. It consists of gathering information about the target from publicly available sources; nothing is exploited yet. With this information an attacker can narrow down the targets of an attack and then run vulnerability tests against just those hosts. Think of it as your company’s privacy on the net. How much of your company’s sensitive information are you ready to give up?
In the first part of this Network Security series we will focus on the footprinting that can potentially expose important information about your network. The structure of the series will follow the Certified Ethical Hacker’s program.
Hacking does not consist only of techie tools, writing scripts, and exploitation. For a hacker to be successful, he or she first has to get to know the target infrastructure and network. Google, public records, and social networks are the first places to look for information. It’s amazing how much information is out there. It may sound crazy to you, but a hacker who has targeted your company may easily find sensitive information in your dumpster! This process is called dumpster diving. Make sure you shred all sensitive information, even if it doesn’t seem that important to you: anything containing names (especially of former employees), phone numbers, Social Security numbers, addresses, and the like.
Public registry databases (such as whois) can be used to identify the network address space that your company is using. With this information, an attacker can use scanning tools to sweep the address space for live and vulnerable machines. Most Intrusion Detection Systems (IDSes) and Intrusion Prevention Systems (IPSes) will flag a scan of this kind, but a slow or distributed scan often goes unnoticed, and even a detected scan has already told the attacker which hosts answered. Keeping internal hosts on private (RFC 1918) addresses behind NAT (Network Address Translation) limits what this type of attack can reach: those hosts have no public address to scan, so only the servers you deliberately publish in the demilitarized zone (DMZ) remain exposed, and those are the ones that need the most hardening.
Other places where a hacker can search for information are the different support message boards like Technet forums or Experts-Exchange consultations. In many cases, when searching for a solution to a problem, IT staff from within the company copy sensitive information including IP addresses, operating system details, firewall rules, etc. to these boards. That tells an attacker exactly which software versions to look up exploits for and which addresses to aim them at. If staff must post configuration details, have them replace real addresses and hostnames with placeholders first.
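The two paragraphs above describe the same chain: a whois record yields the company’s public netblock, and addresses leaked in forum posts either fall inside that block (directly reachable targets) or are RFC 1918 addresses behind NAT (only useful after the perimeter is breached). The script below, an added example that is not part of the original article, parses a constructed whois record, computes the scannable host count, and sorts a constructed list of leaked addresses into those categories. The netblock, organization name and leaked addresses are made up for illustration (documentation ranges, not a real registry record).

```python
import ipaddress
import re

# Constructed whois response for a fictional netblock; not real registry data.
WHOIS_TEXT = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-CORP-NET
Organization:   Example Corp (EXMPL)
"""

# Addresses an attacker might harvest from a support-forum post (constructed).
LEAKED_ADDRESSES = ["203.0.113.10", "203.0.113.25", "10.0.5.12",
                    "192.168.1.1", "198.51.100.7"]

# RFC 1918 space checked explicitly: Python's is_private also flags the
# documentation ranges used in this example, which would skew the result.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netblocks(whois_text):
    """Return the IPv4 networks a whois record advertises.

    Reads both the CIDR line (which may list several comma-separated
    networks) and the NetRange line, de-duplicating the result.
    """
    networks = set()
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "cidr":
            for cidr in value.split(","):
                networks.add(ipaddress.ip_network(cidr.strip(), strict=False))
        elif key == "netrange":
            m = re.match(r"(\S+)\s*-\s*(\S+)", value)
            if m:
                start = ipaddress.ip_address(m.group(1))
                end = ipaddress.ip_address(m.group(2))
                networks.update(ipaddress.summarize_address_range(start, end))
    return sorted(networks)


def usable_hosts(networks):
    """Number of host addresses an attacker would have to probe."""
    return sum(1 for n in networks for _ in n.hosts())


def classify_addresses(addresses, networks):
    """Sort harvested addresses by what an external attacker can do with them.

    external: inside the company's public netblock, reachable from the Internet
    private:  RFC 1918 space behind NAT, only useful once inside the perimeter
    other:    public but not the company's (an ISP, a hosting provider, ...)
    """
    result = {"external": [], "private": [], "other": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in RFC1918):
            result["private"].append(addr)
        elif any(ip in net for net in networks):
            result["external"].append(addr)
        else:
            result["other"].append(addr)
    return result


if __name__ == "__main__":
    blocks = parse_netblocks(WHOIS_TEXT)
    print("netblocks:", [str(b) for b in blocks], "hosts to scan:", usable_hosts(blocks))
    for category, addrs in classify_addresses(LEAKED_ADDRESSES, blocks).items():
        print(f"{category:8s} {addrs}")
```

The "private" bucket is the practical effect of the NAT advice: those two addresses were leaked in public, but from the Internet there is nothing to scan at them.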
Anyone can easily look up career opportunities offered by your company. If they see that you’re looking for a pure Windows administrator, they might conclude that most or all of your servers are Windows-based. If you’re looking for an Oracle database administrator, it’s most likely that Oracle is the database you’re using. Based on this information an attacker can run specific vulnerability tests that will potentially find security holes in your network. It is even possible that the person who comes to an interview and asks all kinds of questions about the job is actually a hacker that is gathering internal information about your systems.
Traceroute (tracert on Windows) is a great tool for troubleshooting network connectivity issues. But have you considered the possibility that an attacker may use it for malicious activities? Traceroute can be used by the attacker to identify your Internet Service Provider (ISP) from the router names on the path, to get a feel for your network architecture by comparing the hop counts and round-trip times to particular devices, and most importantly, to spot firewalls in your network: a hop that drops the probes or is configured not to send ICMP "time exceeded" replies shows up as a row of asterisks in the traceroute output, and a run of such rows right before the destination usually marks the filtering device in front of it. On Linux, traceroute -T sends TCP SYN probes (to port 80 by default) and -U sends UDP probes to a fixed port (53 by default); both are more likely to be let through a firewall than the default probes, so they reveal hops the plain run hides.
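To make the asterisk observation concrete, here is an added example (not from the original article) that parses a constructed Linux traceroute run for a fictional target, lists the silent hops, and points out the run of silent hops directly in front of the destination together with the last router that did answer, which is where the network boundary most likely is. Hostnames, addresses and timings are made up.

```python
import re

# Constructed Linux traceroute output for a fictional target; not a real capture.
TRACEROUTE_OUTPUT = """\
traceroute to www.example.com (203.0.113.80), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  0.412 ms  0.398 ms  0.371 ms
 2  10.20.0.1 (10.20.0.1)  9.112 ms  9.087 ms  9.051 ms
 3  isp-core-1.example.net (198.51.100.1)  12.533 ms  12.498 ms  12.470 ms
 4  isp-edge-7.example.net (198.51.100.14)  14.201 ms  14.188 ms  14.150 ms
 5  * * *
 6  * * *
 7  www.example.com (203.0.113.80)  18.904 ms  18.870 ms  18.842 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<ttl>  <rest of line>"
HOST_RE = re.compile(r"^(\S+)\s+\(([\d.]+)\)")      # "name (a.b.c.d)"
RTT_RE = re.compile(r"([\d.]+) ms")


def parse_traceroute(text):
    """Turn traceroute output into a list of hop dicts in TTL order.

    A hop with no "ms" value at all answered none of the probes and is
    recorded with host/ip None and an empty rtts list.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or blank
        ttl, rest = int(m.group(1)), m.group(2)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hm = HOST_RE.match(rest.strip())
        host, ip = (hm.group(1), hm.group(2)) if hm else (None, None)
        hops.append({"ttl": ttl, "host": host, "ip": ip, "rtts": rtts})
    return hops


def silent_hops(hops):
    """TTLs at which every probe went unanswered (the '* * *' rows)."""
    return [h["ttl"] for h in hops if not h["rtts"]]


def firewall_suspects(hops):
    """Find the run of silent hops immediately before a responding destination.

    Returns None if the destination never answered or nothing in front of it
    was silent; otherwise the silent TTLs, the last router that answered
    before them, and the destination name.
    """
    if len(hops) < 2 or not hops[-1]["rtts"]:
        return None
    run = []
    i = len(hops) - 2
    while i >= 0 and not hops[i]["rtts"]:
        run.insert(0, hops[i]["ttl"])
        i -= 1
    if not run:
        return None
    return {
        "silent_run": run,
        "last_responder": hops[i]["host"] if i >= 0 else None,
        "destination": hops[-1]["host"],
    }


if __name__ == "__main__":
    parsed = parse_traceroute(TRACEROUTE_OUTPUT)
    print("hops:", len(parsed), "silent:", silent_hops(parsed))
    print("firewall suspects:", firewall_suspects(parsed))
```

A single silent hop in the middle of an ISP backbone is usually just a router that rate-limits ICMP; it is the silent run that ends exactly at the target that deserves a second look with -T or -U.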
Directory listing is another technique used by malicious users to get to your sensitive information. A lot of sites on the web carry a so-called robots.txt file. Its purpose is to tell search engine crawlers which paths not to index, but that makes it a ready-made list of the places on your site that nobody is supposed to reach from the Internet, and anyone can read it and request those paths by hand. You may have hidden the links from your primary page, but the directories are still reachable by typing the path, and if the web server has directory listing enabled, every file in them is shown.
Usually, hackers won’t use your Internet site directly for most of their attack attempts, because the requests would leave traces in your logs that lead back to them. Instead they mirror the whole site onto their own machine with a crawler and run the different kinds of vulnerability testing against that local copy.
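An added example (not part of the original article) of the robots.txt and directory-listing point above: it collects every Disallow path from a constructed robots.txt, turns them into the URLs an attacker would request next, and checks a constructed Apache-style "Index of" page to see whether a directory is listing its contents. The site name, paths and file names are made up.

```python
import re
from urllib.parse import urljoin

# Constructed robots.txt for a fictional site; not fetched from anywhere.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/
Disallow: /cgi-bin/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml

User-agent: Googlebot
Disallow: /internal-reports/   # quarterly PDFs, keep out of the index
"""

# Constructed Apache-style auto-index page for one of those directories.
LISTING_HTML = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<a href="../">Parent Directory</a>
<a href="db-2019-03.sql.gz">db-2019-03.sql.gz</a>
<a href="config.php.bak">config.php.bak</a>
</body></html>"""


def disallowed_paths(robots_txt):
    """Every Disallow path in the file, whichever user-agent block it sits in.

    Comments are stripped; 'Allow' and 'Sitemap' lines are ignored because
    they do not point at anything the site owner wanted hidden.
    """
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            path = value.strip()
            if path not in paths:
                paths.append(path)
    return paths


def candidate_urls(base_url, robots_txt):
    """Absolute URLs an attacker would request by hand, one per Disallow path."""
    return [urljoin(base_url, p) for p in disallowed_paths(robots_txt)]


def is_directory_listing(html):
    """Heuristic: auto-generated index pages from Apache, nginx and IIS all
    title themselves 'Index of /<path>'."""
    return re.search(r"<title>\s*Index of /", html, re.IGNORECASE) is not None


def listed_files(html):
    """File names exposed by a directory index, minus the parent-directory link."""
    hrefs = re.findall(r'href="([^"]+)"', html)
    return [h for h in hrefs if h not in ("../", "/")]


if __name__ == "__main__":
    for url in candidate_urls("https://www.example.com/", ROBOTS_TXT):
        print("would request:", url)
    if is_directory_listing(LISTING_HTML):
        print("listing exposed:", listed_files(LISTING_HTML))
```

The defensive reading is the same code run against your own site: every path in the first list should either require authentication or return 403, and the second check should never succeed.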
In order to gain access to sensitive information on your network, malicious users first need to make a connection to the device that holds that information. One relatively easy way to do this is by getting onto your wireless network, which can be done with a laptop from the street outside your building. This is actually the way that many of these attacks happen. If you want to make it harder, you can use directional antennas pointed into the building so that the signal is only usable from inside. But even then, attackers can use high-gain directional antennas such as the Cantenna to pick up a weak signal from well outside the building, so do not rely on signal coverage as a control. A good security measure for you to implement is to keep your wireless users away from the internal network: give them Internet access and access to your DMZ, but limit their access to the internal network. If you need to allow internal access to your wireless clients, then you must protect the connection itself: strong encryption (WPA2 or later), and MAC filtering as a minor extra hurdle only, because a MAC address can be read from the air and spoofed in seconds. Keep in mind that all these settings can be altered if the hacker gets into the access point’s administration interface. Make sure you’ve changed the default password that came with the device (it can easily be found on routerpasswords.com and then used) and that you’ve set a strong new one.
Usually, routers (with access lists) and IDSes will protect your network from known types of attacks, and they can also be used to spot new patterns that attackers use. To learn those new patterns without exposing the systems you care about, you may want to add a honeypot to your network. This is a machine (usually virtual) running in your DMZ with fewer than usual security measures applied, holding nothing of value and kept isolated from the rest of the network. Its purpose is to attract malicious users to a place where no harm can be done, so you can study their techniques and then apply better security measures to your really important servers.
Your website may contain short bio information about your employees. A hacker may use this information for a social engineering attack. A security advisor can examine the information that your website contains and instruct affected people on how to identify and avoid such hacking attempts.
When it comes to social engineering, attackers can get very creative. For example, they can call you on the phone, presenting themselves as the technical support guy, and ask you to do something that seems harmless, such as save a new shortcut for your line of business application. They would most likely explain to you why they can’t do this themselves, claiming that a server is down or a network problem has occurred and that you only need to do this on this one occasion because of the failure. They would sound very convincing and you would probably not even doubt they had good intentions to help you do your work.
If they don’t want to put too much effort into your particular company, they can send an e-mail message to you, and maybe other potential victims, with the sender address forged to look like your company’s own sales address. A non-technical person is then much more likely to open it and follow its instructions.
You should be extremely careful with what you post on your website. If you have a change of mind and remove content that you think is sensitive, it’s still possible that a search engine or a web archive captured your site while the content was present and will show it to interested users long after you’ve removed it. The Wayback Machine at archive.org keeps exactly such snapshots; try it with your own website to see what is still there.
Nessus (a general vulnerability scanner) and Nikto (a web server scanner, usually run on Linux) are other tools you may try against your own infrastructure to see how secure it is. They can point you to existing security holes, such as open ports that you may want to close. It is a good idea to run such a tool every now and then, because a port used by an old application may still be open: it is easy to forget to close it when you move to another application, and it happens a lot.
The most powerful tool you can use to test your web security is actually Google. A process called Google hacking uses the search engine’s operators to look for very specific content, for example a .php page whose title contains a given keyword and whose body contains particular words or numbers. Used smartly, this turns up passwords and other sensitive data wherever they are not well protected. You can build the searches yourself with the operators described on Wikipedia (https://en.wikipedia.org/wiki/Google_hacking), or you can use the Google Hacking Database hosted at exploit-db.com, a public collection of pre-written queries for various purposes.
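To show what the operators in such a query actually do, here is an added example that is not part of the original article: a small evaluator that parses a Google-hacking query into operator filters (site:, inurl:, intitle:, intext:, filetype:) and free terms, then applies it to a constructed index of fictional pages standing in for a search engine’s results. The page records, URLs and contents are made up; the operator semantics are the usual ones and the matching is simple substring matching, so it illustrates the filters rather than reproducing Google’s ranking.

```python
import re
from urllib.parse import urlparse

# Constructed page index standing in for search-engine results; not real pages.
PAGES = [
    {"url": "https://www.example.com/docs/setup.php", "title": "Setup Guide",
     "body": "installation steps for the portal"},
    {"url": "https://www.example.com/backup/db.sql", "title": "Index of /backup",
     "body": "INSERT INTO users VALUES ('admin', 'password123')"},
    {"url": "https://intranet.example.com/config.php.bak", "title": "config.php.bak",
     "body": "$db_password = 'hunter2';"},
    {"url": "https://other.example.org/login.php", "title": "Admin Login",
     "body": "password reset"},
]

# operator:"quoted value" | operator:value | "quoted phrase" | bare word
TOKEN_RE = re.compile(r'(\w+):"([^"]*)"|(\w+):(\S+)|"([^"]*)"|(\S+)')


def parse_dork(query):
    """Split a query into [(operator, value), ...] and free-text terms.

    Operators and values are lower-cased; a quoted phrase stays one term.
    """
    filters, terms = [], []
    for m in TOKEN_RE.finditer(query):
        op_q, val_q, op, val, phrase, word = m.groups()
        if op_q:
            filters.append((op_q.lower(), val_q.lower()))
        elif op:
            filters.append((op.lower(), val.lower()))
        elif phrase is not None:
            terms.append(phrase.lower())
        else:
            terms.append(word.lower())
    return filters, terms


def _filter_matches(page, op, value):
    parsed = urlparse(page["url"])
    host, path = parsed.hostname or "", parsed.path.lower()
    if op == "site":          # the domain itself or any subdomain of it
        return host == value or host.endswith("." + value)
    if op == "inurl":
        return value in page["url"].lower()
    if op == "intitle":
        return value in page["title"].lower()
    if op == "intext":
        return value in page["body"].lower()
    if op in ("filetype", "ext"):
        return path.endswith("." + value)
    raise ValueError(f"unsupported operator: {op}")


def search(query, pages=PAGES):
    """URLs of the pages that satisfy every filter and contain every free term."""
    filters, terms = parse_dork(query)
    hits = []
    for page in pages:
        text = (page["title"] + " " + page["body"]).lower()
        if all(_filter_matches(page, op, v) for op, v in filters) and \
                all(t in text for t in terms):
            hits.append(page["url"])
    return hits


if __name__ == "__main__":
    for q in ('site:example.com filetype:sql "password"',
              'intitle:"index of" site:example.com',
              'site:example.com inurl:.bak'):
        print(q, "->", search(q))
```

Run the same kind of query with site: set to your own domain, and every hit is a page you have already handed to anyone who asks.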
We will continue our discussion in the next article of this series. Stay tuned!