Republished with permission from WatchGuard Technologies, Inc.


How Mugsy Plans a Cyber-Heist

By David M. Piscitello, President, Core Competence

In classic black and white gangster movies, Edward G. Robinson -- playing the part of "Mugsy" or "Mr. Big" -- always "cased the joint" before "knocking off" a bank or jewelry store. Even today, thugs in trench coats and brow-down fedoras, concealed in a doorway across Main Street from the target, or Mugsy and his moll doing a drive-by, persist as stereotypes for criminal information gathering. 

In the information age, Main Street is the Internet, and information gathering is more sophisticated than driving past your building. Modern heist movies often fast-forward to the part where the cyber sleuth dials directly into an acquired targetís critical data center. The actual process of information gathering used by serious attackers is too mundane and slow-moving for movie scripts. But itís worth your while to understand their processes so you can decide whether you are revealing too much about your organization. 

This article addresses one scenario of information gathering, but there are certainly many others. For example, I'm not addressing the "any target, anywhere, I want root" script-kiddy approach. This article describes what a motivated professional criminal (picture Mugsy as a cyber-hoodlum) might do.

Mugsy Drives By Your Web Site
Most Web sites provide contact and location information. Each corporate phone number may identify the base number of the block of numbers within a phone exchange assigned to your company. Serious attackers use war dialing software to scan these blocks for modems, oft-neglected side doors to your network. In addition, contact e-mail addresses sometimes identify domain-specific mail hosts, and may reveal how a company structures its intranet. The e-mail address reveals little more than the Web name, but suggests there might be an, or (Donít laugh, it happens!) Such clues help the attacker map your network, your mail routing, and possibly your organizational infrastructure. 

Attackers may use specific information gleaned from your Web site to refine searches about your organization as they look for "anything about <this info, this company>" anywhere on the Web. Metasearch engines like DogPile and All the Web, All the Time
(TM) expedite such searches by launching a search request across a dozen or more engines. Alternatively, an attacker can download an entire Web site using tools like WebZip Offline Browser, then compile your site into a compressed HTML file. Using index and search features from Microsoftís HTML Help Workshop, he will search for links to directories, other Web servers in your organization, and HTML comments and tags that offer information to help him break into your Web or intranet.

Mugsy Checks the EDGAR Database
Hacking Exposed authors Stu MacLure, George Kurtz and Joel Scambray explain that one of the serious attackerís tricks of the trade is to cull the EDGAR database at the U.S. Security and Exchange Commission (SEC). Motivated attackers may be very patient. They may wait for times when a targeted company is engaged in acquisitions and mergers. During such transition periods the companies involved may have difficulty reconciling multiple security policies, or they may engage in IP renumbering and modifying firewalls, VPNs, internal network structure and Internet access. Thus, the target company is more vulnerable to misconfiguration or policy implementation flaws. Hackers pounce on such opportunities.

Mugsy Moves On to Name Servers and Registrars
Domain Names and IP numbers used in the public Internet are administered by registrars, who maintain the master domain name databases. The databases identify the domain names and IP network numbers assigned to organizations, as well as administrative, technical, and billing contact names and addresses. You can trawl these databases of Internet Registrars using the WHOIS protocol, available for most operating systems. Many registrars (ARIN, RIPE, APNIC) have Web interfaces to the database. Multi-national organizations often have multiple IP network blocks assigned and administered locally; attackers use network and contact information extracted from the WHOIS database to focus war dialing efforts, as well as network scans.

WHOIS database entries also enumerate the public Domain Name Servers. The Domain Name Service is primarily used to find out what host name goes with what IP address (and vice versa), and to provide mail routing information. Serious attackers will attempt zone transfers -- the equivalent of copying your entire public DNS database. As a rule, you should not permit zone transfers from your public DNS server, except to a list of servers you trust. But even individual DNS lookups can provide an attacker with useful information. For example, mail exchange records may reveal the IP address of a firewall where a mail server or proxy is run. 

The DNS can and has been used as a distributed database, and certain DNS record types (HINFO) can be used for equipment and operating system inventory. A serious attacker doesnít actually need this information, but if you've left this information in the public domain, you've saved him the time heíd spend determining your OS type using a program like nmap. And it turns your network into "low hanging fruit" for less sophisticated attackers.

Mugsy Steals the Blueprint
With the information gathered using the methods discussed, the attacker will begin probing your network with ICMP utilities -- traceroute, firewalk, ping nmap. Using the results from these utilities, he will first attempt to determine how traffic is routed to your networks, and then will attempt to create a topology map of your network(s). The processes of network mapping, host and services scanning, enumeration, and discovery are too detailed to continue here. The point is that if you're not proactive, you'll unwittingly help hackers map your network with chilling accuracy.

When the subject of security auditing and penetration testing is raised, youíll invariably hear about zero-knowledge attacks. Companies who engage third parties to audit and test their security may want such parties to begin with no insider assistance, referred to as zero knowledge. Serious attackers donít begin with zero knowledge; they begin with a motive and a target, and they glean plenty of helpful knowledge from public sources.

Spoiling Mugsy's Spying
Countermeasures against information gathering may seem to conflict with your companyís intended use of the Internet. Actually, they donít. Disclosing only the information that helps outsiders make informed business decisions about your company is good management. Frivolous disclosure of details describing how your company operates (including how it operates its networks) is unnecessary and dangerous. For obligatory SEC filings and Internet Registrar databases, include only the information they require. Try to keep your registrar records up to date and valueless as a source of insider information: Security auditors suggest providing toll-free numbers or telephone numbers unique from any blocks your company uses. 

If you advertise internal hosts through DNS, consider running a "split" DNS. A split DNS runs an external server that maintains only the entries necessary to provide proper name resolution and inverse address mappings for publicly accessible hosts, and nothing more. This DNS can be hosted by your ISP, or you can host it yourself, off the Optional interface of your Firebox. For your internal network, host a complete DNS (both external and internal records) behind your firewall, off your Trusted interface.

Iíve only highlighted the process of information gathering here. Books Iíve found to be credible sources for additional information are the aforementioned Hacking Exposed, the forthcoming The Windows 2000 Security Handbook, and Practical Intrusion Detection Handbook. You might also want to lurk on security mailing lists such as PEN-TEST at

After all, that's a nice little network you've got there, palsie. It'd be a shame if anything should happen to it. But if you harden your system as I've described, Mugsy will be more likely to mutter "You dirty rat!" and slink away.

      Copyright© 2000, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.