Personal information is a lot easier to steal than most people realise. So what are the implications for business security?
What does it take these days to steal someone's identity? Name, address, date of birth, mother's maiden name? Where would a reasonably intelligent, would-be identity thief find all this lucrative information?
The chances are they would probably try the usual gamut of social networking sites, and, more often than not, they'd be quite successful.
But is this missing the point? Yes, your average identity thief has been handed a golden opportunity in Facebook, MySpace and the like, but what about all the other resources that the media tends to overlook – even the everyman search tool, Google, can reveal personal information you didn't even know was out there.
Many businesses worry about whether to block social networking sites, either for productivity or security reasons.
However, if the decision makers bothered to search for the information about their staff and, by extension, their company that is already out in cyberspace, they could be in for a nasty surprise.
Identity thieves looking to target businesses are a bit more intelligent than your average script kiddie looking to make trouble.
New attack vectors are coming up all the time but, to make these work, the hacker needs more information about you – and a quick search shows that a lot of people are only too happy to provide it.
‘Phishing’ attacks are becoming old hat as businesses become wise to scattergun tactics and employ anti-phishing services, but XSS attacks are on the rise and coming to a website near you. For an attack to work, it needs to be sent to a small number of users of one particular application – but where do you find the victims to target? It's back to the world's biggest search engine again. Try searching Google Groups for @yourcompany.com and see what you find.
When we perform this check, we invariably collect a large number of email addresses, usually involving IT-related queries. To take it a step further, you could even look into the ‘deep web’ searches – search engines that search other search engines such as www.pipl.com.
Just to prove how easy it is to obtain information, we wrote a Python script which searches Google and filters the results, showing anything that Google has indexed with your email domain, including websites with contact details, forums, newsgroups and anything else out there.
Using this script, we took a quick look at the email domains of ten companies in the FTSE and within ten minutes we had 1,047 email addresses.
Add this information to what is available through search engines that index registers of births, deaths and marriages and these guys should be worried.
Fortunately for them we use our powers for good, not evil, but that exercise is proof of how easy it is to get your foot in the door when it comes to identity theft.
One false log-in screen next and the hacker is home safe, happily living your life, spending your money and knowing all your secrets.
So, all the tools are in place for stealing identities without going anywhere near social networking sites.
To make the point, the Information Commissioner doesn't have a Facebook or MySpace page, but that didn't stop us ‘stealing’ his identity. From the official ICO website we got his employment and academic history, as well as a brief biography that included his wife's name and the year they were married.
From all this, and a few other searches, we had pretty much everything we needed to clone his identity – including details of where he banks. Too easy!
Not everyone is a public figure of course and few of us have to disclose information by statute, but seemingly innocent information about ourselves can provide the links an attacker needs.
Given what you know now, is it time to profile yourself?
Ken Munro is director of SecureTest, the penetration and security testing division of NCC Group.