
3 Simple Ways to Recon Yourself

October 26, 2010 by Dinesh Mistry
Dinesh Mistry is currently in his 2nd year as a full time Security Professional. He will be writing a column for and will be focusing on introductory topics, eventually moving towards more advanced technical techniques.


The “Internet” – which started out as a way for universities to exchange information, and for the US military to maintain communication in the event of an attack – has grown into a massive collection of systems which allows businesses to be open 24 hours a day, 7 days a week, and 365 days a year. This is a great thing for businesses, as they can market and sell their products without the restrictions of a brick-and-mortar storefront. We have also seen rapid adoption of computer systems to replace many back-office processes. With this comes the risk of leaking trade secrets, intellectual property and many other things to prying eyes.

Maintaining an Internet presence is a great thing for any organizational entity; in fact it is not just great — it is a necessity. It is equally important that companies protect and secure their data. A great deal of information is leaked on a daily basis, attributable either to poorly-configured systems or to accidental information disclosure. Below are three simple ways a company can help identify its risk posture by using reconnaissance methods similar to those used by hackers.

Search Engines

Search engines are an excellent tool for helping hackers find easy targets, or for stealing a company’s most sensitive intellectual property. Search engines continue to be significant channels aiding hackers to find and penetrate weak systems. Many hackers agree that, for them, reconnaissance is the foundation for effective penetration. Why not use these same discovery techniques to identify the presence, and ultimately enhance the security, of your own brand? Sounds obvious, right? It is amazing what type of information can be found with a few well-crafted search queries pertinent to one’s own company or organization. Remember that, once Google finds your site, it spiders, indexes and caches everything it finds.

The concept of “Google Hacking” is not new; in fact Johnny Long of wrote “Google Hacking” back in 2007.

In order to clearly identify information being leaked, one needs to understand the advanced search operators that Google offers. I am not going to explain each operator, or even the advanced techniques, in this post; my primary aim is to raise awareness about protecting websites and web applications from leaking sensitive data.

Identify network and nodes

Part of reconnaissance is to identify systems on a network which have not been patched or are not at the latest patch level, rendering them vulnerable to exploitation. Before doing this, a hacker will need to identify nodes that are easily reached from the Internet. In order to ensure that an attacker is unable to easily compromise sensitive information, it is essential that a company quickly enumerate its own presence in this space. There are many ways to identify servers, pertinent software revisions and stored content by simply visiting sites such as Netcraft. It is imperative that you document every node on your network and have a process in place to apply software patches on a regular basis. There are a plethora of tools available to automate both the identification and the vulnerability remediation of nodes, and ignorance is never an acceptable excuse in the event of a data breach.
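The reconciliation step the paragraph above calls for, as an added example that is not part of the original article: compare what an external lookup (a Netcraft-style report or a scan of your own address block) can see against the asset register, and flag undocumented nodes, software behind your patch baseline, and hosts whose last patch run is overdue. Every hostname, address, version and date below is constructed for the example; the discovered-host dictionary stands in for whatever your external source actually returns.

```python
"""Reconcile the Internet-visible view of a network against the asset register.

Added example, not from the original article. All hosts, addresses, versions
and dates are constructed; DISCOVERED stands in for an external lookup result.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Node:
    hostname: str
    ip: str
    software: dict        # product -> installed version string
    last_patched: date    # last recorded patch run for this host


# Constructed: what the asset register says you expose to the Internet.
INVENTORY = [
    Node("www.example.test", "198.51.100.10",
         {"apache": "2.2.16", "php": "5.3.3"}, date(2010, 10, 1)),
    Node("mail.example.test", "198.51.100.20",
         {"postfix": "2.7.1"}, date(2010, 6, 15)),
]

# Constructed: what an external lookup reports for the same address block.
DISCOVERED = {
    "198.51.100.10": "www.example.test",
    "198.51.100.20": "mail.example.test",
    "198.51.100.33": "dev.example.test",   # nobody documented this one
}

# Constructed: the versions your patch process currently considers baseline.
BASELINE = {"apache": "2.2.17", "php": "5.3.3", "postfix": "2.7.1"}

# Constructed: the day the audit is run, used for the overdue-patch check.
AUDIT_DATE = date(2010, 10, 26)


def version_key(version):
    """Turn '2.2.16' into (2, 2, 16) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def find_unknown_nodes(inventory, discovered):
    """Addresses reachable from the Internet that appear in no inventory record."""
    known_ips = {node.ip for node in inventory}
    return sorted(ip for ip in discovered if ip not in known_ips)


def find_stale_software(inventory, baseline):
    """(hostname, product, installed, baseline) for each component behind baseline."""
    findings = []
    for node in inventory:
        for product, installed in node.software.items():
            current = baseline.get(product)
            if current and version_key(installed) < version_key(current):
                findings.append((node.hostname, product, installed, current))
    return findings


def find_overdue_patching(inventory, today, max_age_days=90):
    """Hostnames whose last recorded patch run is older than the allowed window."""
    return [node.hostname for node in inventory
            if (today - node.last_patched).days > max_age_days]


if __name__ == "__main__":
    for ip in find_unknown_nodes(INVENTORY, DISCOVERED):
        print(f"UNDOCUMENTED NODE: {ip} ({DISCOVERED[ip]})")
    for host, product, installed, current in find_stale_software(INVENTORY, BASELINE):
        print(f"BEHIND BASELINE: {host} {product} {installed} -> {current}")
    for host in find_overdue_patching(INVENTORY, AUDIT_DATE):
        print(f"PATCHING OVERDUE: {host}")
```

The undocumented-node check is the one that matters most: a host the register does not know about is a host nobody is patching. Run this against each external source you use, because different lookups see different things.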

Social Media

Another mechanism used by malicious hackers to better understand the network topology, security posture, and culture surrounding a corporation’s presence is Social Media (e.g. Facebook, LinkedIn, Twitter, etc.). One would be surprised at the sensitivity of information employees may be leaking for the world to see. I have included an example below:

Joe has been working long hours and weekends rushing to try and get the latest functionality out to the website. He knows that he has sacrificed some security to meet his deadline. He’s angry and disgruntled that he missed out on free tickets and an opportunity to attend his favorite team’s football game. He posts on his Facebook later that night how disappointed he is that he did not get to see his favorite team play. The reason being that the latest project he’s been working on had tight timelines.

He ends his post with “and I didn’t even get to implement all the security fixes and now I’ll just have to go back and implement stored procedures for all my database calls. More long late nights, ugh!”

Joe’s family and friends more than likely have no idea what he is rambling on about. Joe’s Facebook profile may not say that he works for XYZ Corp., so there are no ties back to his company… what’s the big deal? Well, his LinkedIn profile does mention that he works for XYZ, and that he is a PHP developer for their Internet-facing content. This means that anyone who may be targeting Joe’s company can potentially link Joe to XYZ and XYZ to a site which may have vulnerable PHP content (because it was clearly a rush job). Remember, effective hackers don’t look for just the obvious; they look for ways to correlate information which potentially identifies weaknesses. In order to prevent this, one should regularly audit and monitor social media (and similar) sites for discussions regarding his/her corporate brand.
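The fix Joe says he never got to is worth seeing concretely: database calls that splice user input into the SQL text versus calls that bind it as a parameter. The block below is an added example, not code from the original article or from Joe’s (fictional) site; it uses Python’s standard sqlite3 module with a constructed two-row user table to show the rush-job query beside the corrected one.

```python
"""Unparameterized versus parameterized database calls.

Added example, not from the original article. The user table, its rows and
the lookup function are constructed to show the difference between the two
query styles; the same distinction applies to PHP's PDO prepared statements.
"""
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("joe", "joe@xyz.test"), ("admin", "admin@xyz.test")])
    return conn


def lookup_unsafe(conn, username):
    """Rush-job version: the caller's input becomes part of the SQL text,
    so anything the input contains is parsed as SQL, not as a username."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Corrected version: the input travels as a bound parameter and can
    only ever be compared against the column, never executed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                      # a classic malformed username
    print("unsafe:", lookup_unsafe(db, probe))  # every row comes back
    print("safe:  ", lookup_safe(db, probe))    # no such user: empty list
```

Stored procedures achieve the same separation as the bound parameter here: the query structure is fixed before any user-supplied value is attached to it.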

It is imperative that organizations – large and small – review policies and guidelines for information protection. They should understand the scope of information that is actually leaking out of their company. By actively performing reconnaissance against one’s own business or organization, one gains extremely valuable details, essential to avoiding data leakage.

Recon yourself regularly; you’ll be amazed what you will find.


Dinesh Mistry is a security researcher for InfoSec Institute and has been in the Information Technology field for over 16 years. He has been working in Information Security for the past 2 years. He is currently a full-time Security Professional, Ethical Hacker, and overall technology enthusiast. He enjoys working on Search Engine Optimization as time permits. Certifications: Certified Pen Tester (CPT), Certified Ethical Hacker (CEH), GIAC Security Essentials (GSEC).