Alan Expressions
Insightful, delightful and entertaining some of the time.
Topic: Technology   Three+ Things I learned at SANS 2010 - Info Recon - Sunday Edition
10:54PM March 15, 2010
On Sunday I attended SEC550, Information Reconnaissance: Competitive Intelligence & Online Privacy. It is a one-day class taught by Bryce Galbraith. He was clear that it’s early in its development, but it’s already packed full of great information and tools - much more than I will cover here. If you took the time to do a deep-dive on info recon it could easily be a multi-day class.

Here are a few items I took away from the class:
1. The explosion of social networks and personal/corporate information being moved online in the last ten years has taken the hunt for information about people and companies to a completely different place. It’s no longer about finding out where a website is hosted, what OS it runs, where someone lives or what a company is using for their accounting software. You can now gather large amounts of real information about people or organizations, dig deep through legal, public sources, and correlate information people share freely with deep web and other resources to infer a complete picture.

2. Take copious notes when doing information recon. A tidbit of data you didn’t think was worth much could correlate with other data later to finish the puzzle.

3. The Deep Web is now an ocean of information. There are great gateway sites you can use to find different resources. The class had MANY sites and tools; here are a few highlighted: Black Book Online, Pipl, Searchsystems.net, EInvestigator.

4. Google is still the premier search tool for finding tidbits of information about people, companies, etc., but there are many other search tools that may locate other info. A reference for Google Hacking: Google Guide. A list of search engines over on Wikipedia: List of Search Engines.

5. It’s important to keep your ethics/legal brain engaged when doing recon; you can slip into a zone of gray easily, and perhaps threaten the validity of your findings or risk breaking the law.

6. Resumes of ex or current employees on the Internet can provide a wealth of freely available information on corporations.

7. If you are interested in all those data breaches you don’t hear about, there is a maintained database on the web with the highlights: DatalossDB.

8. Social engineering is still in heavy use and cannot be discounted, either by its use as a tool or its threat to your organization.

This course is packed with info; there is so much that it would be a big challenge to cover all the topics. If you are really interested, it’s definitely a course worth attending.

Link to my 3+ Things Learned List series for the Legal class taught by Ben Wright.