Determined attackers will go to great pains to exploit you and your applications.
Unless you're locked in a room with some guy from a three-letter government agency, chances are that anything you've heard about a targeted attack on an organization is strictly hypothetical. Details are scarce and what you hear usually involves theories about a phishing scheme, zero-day exploits or crimeware. That's all well and good, but all of that is too far after the fact to really get a grip on the issue.
The real insight comes when the topic turns to the reconnaissance cybercriminals conduct against a target.
It's frightening how deep a cracker will dig and how much time he'll invest to learn about your organization. And it's an equally scary proposition when you learn--often too late--what you've exposed about yourself online, or worse, what innocuous applications running on your machine leak to the world.
Enter a hacker nicknamed rSnake. His real name is Robert Hansen and he's behind ha.ckers.org, a hacker site and self-professed application security lab. Hansen, whose day job is head of a security consultancy, recently posted details of an exercise he ran, he says, as a demonstration of what pains a determined attacker takes to target not only an organization, but perhaps a key individual within that group.
The essay, called "Death by 1000 Cutts," is the tale of a targeted attack on a guy named Matt Cutts, who not only is a sometime visitor and poster to Hansen's site, but is the head of Google's spam team. He's an SEO guru and a not-so-coincidental target. Hansen's distaste for Google and its security practices is no secret--just peruse a few pages of his site to see for yourself.
Hansen set out to prove that a hacker who knows what he's doing can exploit the most inconsequential series of actions and carry them out to a potentially disastrous end. Cutts' greatest sin was merely visiting the hacker site. As Hansen put it: "His browser has touched my website, which is often all an attacker needs, if I know what to look for."
The details are meticulous and they're posted, but for the sake of brevity here, Hansen had Cutts' IP address and browser, and after some reconnaissance via log captures and Google searches, he was able to determine that Cutts was running a vulnerable instance of Google Desktop (in addition to finding out his home phone number, work address, schools he attended and sites he visits--all of which serve a purpose to a hacker, like providing password possibilities, answers to challenge questions and vulnerable Web sites to attack). Armed with this knowledge from Cutts' visit to ha.ckers.org, Hansen could send exploit code back to the victim and initiate a cross-site scripting attack that eventually gave Hansen theoretical access to Cutts' files, email and more via Google Desktop. Hansen says he did not go through with the attack.
This is today's hacker: an organized, patient criminal who relies on your mistakes and ubiquitous holes in applications to sneak off with your organization's most precious assets (see "Who's Had a Taste of Your Intellectual Property?"). Hackers do recon; it's probably their most insidious weapon, and it pays off. Remember, you're a target, and if you have visibility, you're a bigger target.