NoShut.com
Alan Expressions
Insightful, delightful and entertaining some of the time.
Monday, March 15, 2010
Topic: Technology   Three+ Things I learned at SANS 2010 - Info Recon - Sunday Edition
10:54PM March 15, 2010
On Sunday I attended SEC550, Information Reconnaissance: Competitive Intelligence & Online Privacy. It is a one-day class taught by Bryce Galbraith. He was clear that it’s early in its development, but it’s already packed full of great information and tools - much more than I will cover here. If you took the time to do a deep dive on info recon it could easily be a multi-day class.

Here are a few items I took away from the class:
1. The explosion of social networks and personal/corporate information being moved online in the last ten years has taken the hunt for information about people and companies to a completely different place. It’s no longer just about finding out where a website is hosted, what OS it runs, where someone lives or what a company is using for their accounting software; you can now gather large amounts of real information about people or organizations, dig deep through legal, public sources, and correlate information people share freely with deep web and other resources to infer a complete picture.

2. Take copious notes when doing information recon. A tidbit of data you didn’t think was worth much could correlate with other data later to finish the puzzle.

3. The Deep Web is now an ocean of information. There are great gateway sites you can use to find different resources. The class covered MANY sites and tools; a few that were highlighted: Black Book Online, Pipl, Searchsystems.net, EInvestigator.

4. Google is still the premier search tool for finding tidbits of information about people, companies, etc., but there are many other search tools which may locate other info. A reference for Google hacking: Google Guide. A list of search engines over on Wikipedia: List of Search Engines.

5. It’s important to keep your ethics/legal brain engaged when doing recon; you can slip into a zone of gray easily, and perhaps threaten the validity of your findings or risk breaking the law.

6. Ex or Current Employee Resumes on the Internet can provide a wealth of freely available information on corporations.

7. If you are interested in all those data breaches you don’t hear about, there is a maintained database on the web with the highlights: DatalossDB.

8. Social engineering is still in heavy use and cannot be discounted, either in its use as a tool or in its threat to your organization.
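Items 1 and 2 above (correlating freely shared tidbits, and keeping notes because an unimportant-looking detail may link up later) can be shown concretely. The following is an added example, not code from the original post or from the SANS course: a small recon notebook that records each finding with its source, then links findings that share a normalised identifier (e-mail, handle, phone) so that a later finding is automatically joined to earlier ones. All findings, names and identifiers below are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    source: str   # where it came from; recorded so every claim can be re-checked (and its legality reviewed)
    note: str     # the tidbit itself, however minor it looks at the time
    identifiers: dict = field(default_factory=dict)  # strong pivot keys only, e.g. {"email": ..., "handle": ...}


def _key(kind, value):
    """Normalise so 'Alice@Example.com' and 'alice@example.com' pivot together."""
    return f"{kind}:{value.strip().lower()}"


class ReconNotebook:
    """Append-only findings ledger with union-find linking over shared identifiers."""

    def __init__(self):
        self.findings = []
        self._parent = {}

    def _find(self, k):
        self._parent.setdefault(k, k)
        while self._parent[k] != k:
            self._parent[k] = self._parent[self._parent[k]]  # path compression
            k = self._parent[k]
        return k

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self._parent[ra] = rb

    def record(self, finding):
        """Store the finding and link every identifier it mentions into one entity."""
        self.findings.append(finding)
        keys = [_key(k, v) for k, v in finding.identifiers.items()]
        for k in keys:
            self._find(k)            # make sure a lone identifier still exists as a node
        for k in keys[1:]:
            self._union(keys[0], k)

    def profile(self, kind, value):
        """Every finding transitively linked to the given identifier, in the order recorded."""
        root = self._find(_key(kind, value))
        return [f for f in self.findings
                if any(self._find(_key(k, v)) == root for k, v in f.identifiers.items())]

    def identifiers_for(self, kind, value):
        """All identifiers the notebook has joined to the given one."""
        root = self._find(_key(kind, value))
        return sorted(k for k in self._parent if self._find(k) == root)


def demo():
    """Constructed sample: three unrelated-looking sources that resolve to one person."""
    nb = ReconNotebook()
    nb.record(Finding("resume on a job board (constructed)",
                      "Sysadmin at Example Corp 2006-2009; ran the Oracle Financials servers",
                      {"email": "Alice@Example.com"}))
    nb.record(Finding("forum profile (constructed)",
                      "Asks detailed questions about VPN appliance configuration",
                      {"handle": "al1ce", "email": "alice@example.com"}))
    nb.record(Finding("domain registration record (constructed)",
                      "Registrant contact for a personal blog domain",
                      {"handle": "al1ce", "phone": "+1-555-0100"}))
    nb.record(Finding("unrelated listing (constructed)", "Bob's bakery", {"handle": "bob"}))
    return nb


if __name__ == "__main__":
    nb = demo()
    for f in nb.profile("phone", "+1-555-0100"):
        print(f"[{f.source}] {f.note}")
    print(nb.identifiers_for("phone", "+1-555-0100"))
```

The phone number from the domain record alone tells you little; because the handle on that record was already linked to an e-mail address from the resume, `profile("phone", ...)` returns all three findings. Only strong identifiers go in `identifiers`; a weak attribute such as an employer would join everyone at the company into one profile, so it belongs in `note`. Keeping `source` on every finding is what lets you later defend how each item was obtained (item 5 above).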

This course is packed with info; there is so much that it would be a big challenge to cover all the topics. If you are really interested, it’s definitely a course worth attending.

Link to my 3+ Things Learned List series for the Legal class taught by Ben Wright.
Sunday, March 14, 2010
Topic: Technology   Three+ Things I learned at SANS 2010 - Friday Edition (a bit late :^))
12:15PM March 14, 2010
1. Case law may act as an example, but should not be used as a guarantee of result. Each case is judged separately, often by different courts with a different focus and understanding of the material; prior case law is an influence, not a guarantee of result.

2. By looking at cases between similar nations (e.g. English-speaking, first-world nations with similar government structures) you might be able to derive information about how another nation’s courts might interpret a new situation.

3. Information gathered from questionable sources might be admitted in court - for example, information gathered through activities that may themselves be illegal, such as information gathered by a vigilante.

4. Scienter and Self-Help are important concepts in our legal system - acting with scienter is to act knowing that you are committing a wrongdoing. Wikipedia has a bit on this topic. Self-Help is acting on your own behalf without engaging law enforcement, Wikipedia also has a blurb on this concept.

5. Computer forensics work often requires licenses so it is important to understand the requirements in your state if you are to perform forensics work as a professional.

6. Being aware of international and state law boundaries/compliance is important when gathering evidence and attempting to pursue a situation, especially on the Internet since it crosses so many legal jurisdictions and there might be multiple overlapping law enforcement agencies.

Friday, March 12, 2010
Topic: Technology   Things I learned at SANS 2010 - Thursday Edition
02:43AM March 12, 2010
1. Every reaction to a situation can influence others to think of your organization as “good” or “bad”. Being open, transparent and taking responsibility quickly comes off much better than shutting down, seeming closed and acting slowly. Your organization needs to ensure that at the end of the day people have a positive view of you, even if it means fessing up to major mistakes or wrongdoing.

2. Don’t tamper with pre-existing records, especially logs and the like. Rather than edit a pre-existing record, create a new one referencing the old one and the corrections you have. Done that way, if the records are ever questioned it will not appear that they were tampered with.

3. Many civil actions and investigations (read: no jail time) can become criminal easily (read: jail time) if there is any evidence of fraud, tampering or misrepresentation.

4. Modern auditors have a responsibility not only to validate that things are correct and in order, but also to look for suspicious activity and ask questions which will help them locate fraud.
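Item 2 above describes a record-keeping discipline that can be enforced mechanically. The following is an added example, not code from the original post or from the course: a hash-chained, append-only log in which a mistake is fixed by appending a correction that references the original entry and states the reason, never by editing the entry in place. `verify()` walks the chain and reports the first entry whose contents no longer match its recorded hash or predecessor, so an in-place edit is visible while a correction record is not. The log lines are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64


class AuditLog:
    """Append-only log; each entry commits to its own content and to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON so the same content always hashes the same way.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event, corrects=None, reason=None):
        """Append an event. To fix an earlier entry, pass its seq as `corrects` plus a reason."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "event": event, "prev": prev}
        if corrects is not None:
            if not 0 <= corrects < len(self.entries):
                raise ValueError("correction must reference an existing entry")
            entry["corrects"] = corrects
            entry["reason"] = reason or "unspecified"
        entry["hash"] = self._digest(entry)   # hash covers everything recorded so far in the entry
        self.entries.append(entry)
        return entry["seq"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def current_view(self):
        """Map original seq -> the latest event for it, following correction records."""
        view = {}
        for e in self.entries:
            if "corrects" in e:
                view[e["corrects"]] = e["event"]
            else:
                view[e["seq"]] = e["event"]
        return view

    def history(self, seq):
        """The original entry and every correction that references it, in order."""
        return [e for e in self.entries if e["seq"] == seq or e.get("corrects") == seq]


def demo():
    """Constructed sample: two log events, then a correction of the first."""
    log = AuditLog()
    first = log.append({"ts": "2010-03-11T08:00:00Z", "host": "db-01",
                        "msg": "repeated login failures for admin"})
    log.append({"ts": "2010-03-11T08:05:00Z", "host": "web-01", "msg": "admin password reset"})
    # Later analysis shows the failures came from db-02. Append a correction; do not touch entry 0.
    log.append({"ts": "2010-03-11T08:00:00Z", "host": "db-02",
                "msg": "repeated login failures for admin"},
               corrects=first, reason="host name transposed in collector output")
    return log


if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify())
    print("current view of entry 0:", log.current_view()[0])
    # What the discouraged approach looks like: editing in place breaks the chain at entry 0.
    log.entries[0]["event"]["host"] = "db-02"
    print("after in-place edit:", log.verify())
```

The correction carries the reason and points at the entry it supersedes, so an auditor can see both the original statement and why it changed; `current_view()` gives the corrected picture without hiding the history. For a real deployment the chain head (or periodic hashes) should be stored somewhere the log writer cannot alter, since anyone who can rewrite the whole file can recompute the whole chain.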

Plus over the last few days I’ve added a couple of new books to my to-read list: The Naked Corporation and Geekonomics.

One other thing I should mention is that our class is taught by Ben Wright, who is an awesome instructor. It’s rare that you get an instructor who is as energetic and communicates as well on day four as he does on day one.

Thursday, March 11, 2010
Topic: Technology   Three Things I learned at SANS 2010 - Wednesday Edition
08:46AM March 11, 2010
1. Breaching a contract in America is an economic situation, not an ethical or criminal one. The goal is to make the vendor or customer whole. It can have fallout and damage company reputation, but it is not a “go directly to jail” situation.

2. Force Majeure clauses are not 100% protection. If you have a primary system and it fails with no backup, you may still be liable if the system that failed was critical and it was well within your control to have a backup. In the same situation, if you have a backup system and both the primary and backup fail, that may fall under Force Majeure, since you made a reasonable effort to make sure the system didn’t go offline. In other words, when something falls under Force Majeure you can’t just throw up your hands and wait for it to fix itself.

3. The definitions of Best Effort in the legal and IT realms are two different things: in the legal sense it means more than just “reasonable effort”, whereas in IT it often means “the minimum effort necessary”.

Wednesday, March 10, 2010
Topic: Technology   Three+ Things I learned at SANS 2010 Today - Tuesday Edition
01:10AM March 10, 2010
1. Everything said when you are functioning in a legal context must be accurate. Period. Exaggerations or any false statements, even made thinking they are correct at the time can bite you later. Research and understand what you are talking about before commenting.

2. The Legal team needs to have a solid relationship and good communication practices with the IT group. Courts are relying more and more on the lawyer being able to speak intelligently about the organization’s capabilities to do things like recover documentation and what specific information would be needed to find the right data.

3. Your policies (data retention policies, for example) must be modeled with all applicable laws and industry rules in mind - not just a single one, or only the group of laws/rules/guidelines your specific industry is required to follow. By strictly complying with or fixating on one set of rules you could be breaking others or ignoring common sense. Remember the big picture.

4. Identification and signatures are two different things and should not be confused. A signature is “a symbol adopted with intent”, meaning that even items you might not think of as a signature (such as an email from your account to another person, or your name typed at the bottom of a message) might be considered legally binding depending on circumstance and intent.

5. When talking about Terms and Conditions - make sure everyone knows yours, and repeat them as often as you must in order to keep them known.
