http://www.nwfusion.com/news/2003/0630schwartau.html

By Winn Schwartau
Network World, 06/30/03

Recently a reporter called the Pentagon's public affairs office and asked for the location and itinerary of certain aircraft carriers and their battle groups. He was told that this information is classified and not available to the media. The reporter then went to Google, entered the name of the aircraft carrier, found its home page and printed out the ship's entire schedule for the next year. He also got all sorts of juicy information about the captain, his military history and tons of tidbits on the senior officers.

You might think that no company in its right mind would openly publish on the Internet key data about its firm, staff, finances or technical issues. But almost every major U.S. company does exactly that. This is what open source intelligence is all about.

Traditionally, intelligence has been the domain of the CIA and foreign national intelligence services. But today, Robert Steele, former CIA case officer and now president of OSS, says his personal unclassified contacts and information sources could do as well as, if not better than, the combined resources of the intelligence community in a comparative intelligence analysis.

Say I want to know secrets about your company. Maybe I'm a competitor; maybe I'm a potential attacker. Either way, I'm going to employ generally non-technical intelligence means from my desktop: Google; Securities and Exchange Commission databases such as Edgar; and the American Registry for Internet Numbers (ARIN), whose WHOIS service shows which organization holds a given block of IP addresses. In a matter of minutes, I can find an amazing array of information, including:

* Names, biographies and contact information (both work and home) for key executives.
* Information about the corporation's infrastructure and Internet connectivity.
* Lists of the corporation's service providers and major IT equipment suppliers.
* Testing and policy guides, personnel procedures, disaster-recovery services and methods of business continuity.
* User IDs of all staff on internal mail and groupware systems.
* Technical problems the company is experiencing (innocently divulged in chat rooms by engineers seeking help from peers).

Does your company want this sort of information available to everyone on the Internet? Probably not. But what can you do about it?

First of all, you have to realize that open source information is valuable to the bad guys and potentially harmful to you. The next step is to perform an honest, in-depth assessment of your exposure to this simple, yet highly effective, means of intelligence gathering. Then you must make some tough policy decisions. What information on your corporate home page, while nice for marketing and image, has the potential to damage your firm if used by the wrong people? Can technical staff use their work e-mail addresses when conducting Internet research, or should they have aliases? How much Internet travel should be done anonymously to hide any trails that could give away valuable information to a competitor or adversary?

I have never been a supporter of security by obscurity. I believe cryptographic source code and algorithms should be made fully public for peer testing and acceptance. But I also believe in controlling the release of information that can be used against me. Hanging clean or dirty laundry on the Internet in the name of self-promotion is a sure way to divulge too much information, unless clear-cut policy and review procedures are in place.

Companies need procedures that control what corporate information is released, how it is released, and how each release relates to everything else the company has already made public. Taken together, those releases may show that the company is unintentionally giving away the keys to its own kingdom.
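The exposure assessment the article calls for begins with the same sifting an adversary does. The script below is an added example, not code from Schwartau's article or from Network World. It runs over constructed sample pages (an invented company, example-corp.com, with invented staff, hosts, addresses and supplier names) standing in for pages an analyst would have pulled from a search engine or a newsgroup archive, and extracts the categories the article lists: named executives and their contact details, staff user IDs, internal hostnames and addresses, and the suppliers that get mentioned. It also shows the pivot that makes leaked user IDs dangerous: once a few name/address pairs reveal the naming convention, every person named in a bio page gets a probable e-mail address whether or not it was ever published.

```python
"""Self-footprinting: what a handful of public pages give away.

Added example, not from Schwartau's article. An analyst doing the desktop
reconnaissance the article describes would fetch pages with a search engine
and then sift them; this script does only the sifting, over constructed
sample pages, so it runs offline. Every company, person, host, address and
vendor below is invented for the example.
"""
import re
from collections import Counter

TARGET_DOMAIN = "example-corp.com"          # invented target mail domain
KNOWN_VENDORS = ["Contoso", "Fabrikam"]     # invented supplier names to look for

# Constructed sample material standing in for search-engine and newsgroup hits.
SAMPLE_PAGES = {
    "www/about.html": (
        "<h2>Leadership</h2>\n"
        "<p>Jane Doe, Chief Executive Officer. Contact: jdoe@example-corp.com, +1 555 0100.</p>\n"
        "<p>Robert Roe, Chief Information Officer. Contact: rroe@example-corp.com.</p>\n"
        "<p>Sam Park, Director of Engineering, joined us from Fabrikam Networks.</p>\n"
        "<p>Our hosting partner is Contoso Colo.</p>\n"
    ),
    "www/press/2003-06.txt": (
        "Example Corp today announced record quarterly results.\n"
        "Media contact: Alice Public, Media Relations, apublic@example-corp.com.\n"
    ),
    "usenet/comp.mail.sendmail": (
        "From: mlee@example-corp.com (Mike Lee)\n"
        "Subject: relay loop between mail1.corp.example-corp.internal and 10.20.30.40\n"
        "Our primary MX mail1.corp.example-corp.internal bounces everything that\n"
        "comes through the Fabrikam firewall at 10.20.30.1. Any ideas?\n"
    ),
}

EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")
# "First Last" followed by ", <Title>" (bio pages) or ")" (Usenet From: headers).
PERSON_RE = re.compile(r"\b([A-Z][a-z]+) ([A-Z][a-z]+)(?=, (?:Chief|Vice|Director|Media)|\))")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b")
PHONE_RE = re.compile(r"\+\d{1,3}[ -]\d{3}[ -]\d{4}")
# Hostnames under the target's domain or under common private suffixes.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:%s|internal|corp|lan|local))\b" % re.escape(TARGET_DOMAIN))

# Candidate user-ID conventions, each tried against every (name, address) pair.
CONVENTIONS = {
    "first initial + last name": lambda f, l: f[0] + l,
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f + l,
    "last + first initial": lambda f, l: l + f[0],
    "first name only": lambda f, l: f,
}


def extract(pages, domain=TARGET_DOMAIN):
    """Pull the raw indicators out of the page texts."""
    found = {"people": set(), "emails": set(), "hosts": set(), "ips": set(), "phones": set()}
    for text in pages.values():
        found["people"].update(PERSON_RE.findall(text))
        found["emails"].update(f"{u}@{d}".lower() for u, d in EMAIL_RE.findall(text) if d.lower() == domain)
        found["hosts"].update(HOST_RE.findall(text.lower()))
        found["ips"].update(IPV4_RE.findall(text))
        found["phones"].update(PHONE_RE.findall(text))
    return found


def infer_convention(people, emails):
    """Score each convention by how many named people it maps to a seen address."""
    local_parts = {e.split("@")[0] for e in emails}
    scores = Counter()
    for first, last in people:
        for name, rule in CONVENTIONS.items():
            if rule(first.lower(), last.lower()) in local_parts:
                scores[name] += 1
    return scores.most_common(1)[0][0] if scores else None


def predict_addresses(people, emails, domain=TARGET_DOMAIN):
    """Pivot: guess addresses for named people who never published one."""
    convention = infer_convention(people, emails)
    if convention is None:
        return {}
    rule = CONVENTIONS[convention]
    guesses = {f"{rule(f.lower(), l.lower())}@{domain}" for f, l in people}
    return {"convention": convention, "new_addresses": sorted(guesses - set(emails))}


def vendor_mentions(pages, vendors=KNOWN_VENDORS):
    """Count which suppliers are named across the public material."""
    counts = Counter()
    for text in pages.values():
        for v in vendors:
            counts[v] += len(re.findall(re.escape(v), text, re.IGNORECASE))
    return {v: n for v, n in counts.items() if n}


def assess(pages=SAMPLE_PAGES):
    """Assemble the exposure report an analyst would hand to the policy owners."""
    found = extract(pages)
    report = {k: sorted(v) for k, v in found.items()}
    report["people"] = sorted(f"{f} {l}" for f, l in found["people"])
    report["user_id_pivot"] = predict_addresses(found["people"], found["emails"])
    report["vendors"] = vendor_mentions(pages)
    return report


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Run against the sample pages, the report lists four published addresses, one internal mail host and two private IP addresses from the engineer's newsgroup post, the two suppliers named, and a fifth address (Sam Park's) that was never published but follows from the observed convention. That last line is the argument behind the aliases question above: one work address in a support forum leaks the pattern for the whole staff directory.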
- ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Jul 01 2003 - 06:27:15 PDT