Thursday, May 26, 2011

Employees Phone Numbers, Contact Names, E-mail Addresses,



Attackers can use phone numbers to look up your physical address via sites like
http://www.phonenumber.com, http://www.411.com, and http://www.yellowpages.com.
They may also use your phone number to help them target their war-dialing ranges, or
to launch social-engineering attacks to gain additional information and/or access.
Contact names and e-mail addresses are particularly useful data. Most organizations
use some derivative of the employee’s name for their username and e-mail address (for
example, John Smith’s username is jsmith, johnsmith, john.smith, john_smith, or smithj,
and his e-mail address is jsmith@example.com or something similar). If we know one of
these items, we can probably figure out the others. Having a username is very useful
later in the methodology when we try to gain access to system resources. All of these
items can be useful in social engineering as well (more on social engineering later).
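A defender-side check built on the naming derivations above, as an added example that is not part of the original text: it flags sources whose failed logins walk through several name-derived usernames that do not exist as accounts. The roster, the log format, and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed roster (assumption): (first, last) -> the account that really exists.
ROSTER = {("john", "smith"): "jsmith", ("maria", "garcia"): "mgarcia"}

# Constructed log lines in a hypothetical "<time> <result> user=<u> src=<ip>" format.
SAMPLE_LOG = """\
2011-05-26T09:00:01 FAIL user=johnsmith src=203.0.113.7
2011-05-26T09:00:03 FAIL user=john.smith src=203.0.113.7
2011-05-26T09:00:05 FAIL user=SmithJ src=203.0.113.7
2011-05-26T09:02:10 FAIL user=jsmith src=198.51.100.4
2011-05-26T09:02:30 OK user=jsmith src=198.51.100.4
2011-05-26T09:05:00 FAIL user=mariagarcia src=192.0.2.10
"""

LINE_RE = re.compile(r"^\S+ (OK|FAIL) user=(\S+) src=(\S+)$", re.M)

def name_variants(first, last):
    """The five username derivations listed in the text for one person."""
    return {first[0] + last, first + last, f"{first}.{last}",
            f"{first}_{last}", last + first[0]}

def find_convention_probing(log_text, roster, threshold=2):
    """Map source -> guessed names for sources that failed logins on at least
    `threshold` distinct name variants that are not the person's real account."""
    guessable = set()
    for (first, last), real in roster.items():
        guessable |= name_variants(first, last) - {real}
    hits = defaultdict(set)
    for result, user, src in LINE_RE.findall(log_text):
        if result == "FAIL" and user.lower() in guessable:
            hits[src].add(user.lower())
    return {s: sorted(u) for s, u in hits.items() if len(u) >= threshold}

if __name__ == "__main__":
    for src, names in find_convention_probing(SAMPLE_LOG, ROSTER).items():
        print(f"{src}: probing naming convention via {names}")
```

A failed login against the real account (a mistyped password) and a single stray variant stay below the threshold, so only the source cycling through variants is reported.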
Other personal details can be readily found on the Internet using any number of sites
like http://www.blackbookonline.info/, which links to several resources, and
http://www.peoplesearch.com, which can give hackers personal details ranging from home
phone numbers and addresses to social security numbers, credit histories, and criminal
records, among other things.
In addition to these personal tidbits, there are numerous publicly available
websites that can be pilfered for information on your current or past employees in order
to learn more about you and your company’s weaknesses and flaws. The
websites you should frequent in your footprinting searches include social networking
sites (Facebook.com, Myspace.com, Reunion.com, Classmates.com), professional networking
sites (Linkedin.com, Plaxo.com), career management sites (Monster.com, Careerbuilder.com),
family ancestry sites (Ancestry.com), and even online photo management sites
(Flickr.com, Photobucket.com), all of which can be used against you and your company.
Once employee, contractor, and vendor names associated with your
company are discovered, hackers can then turn to these websites and look up boundless information
about the people and companies they are associated with. Given enough information,
they can build a matrix of data points to provide deductive reasoning that can reveal
much of the target’s configuration and vulnerabilities. In fact, there are so many websites
that spill information about your company’s assets and their relative security. Suffice it to say, almost anything about your company can be revealed from the data housed in those websites.
Attackers might use any of this information to assist them in their quests—extortion
is still alive and well. An attacker might also be interested in an employee’s home
computer, which probably has some sort of remote access to the target organization. A
keystroke logger on an employee’s home machine or laptop may very well give a hacker
a free ride to the organization’s inner sanctum. Why bang one’s head against the firewalls,
IDS, IPS, etc., when the hacker can simply impersonate a trusted user?

