INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Tuesday, December 3, 2013

Practical and cheap cyberwar (cyber-warfare): Part II

By Cesar Cerrudo @cesarcer

Disclaimer: I did not perform any illegal attacks on the mentioned websites in order to get the information I present here. No vulnerability was exploited on the websites, and they are not known to be vulnerable.

Given that we live in an age of information leakage where government surveillance and espionage abound, I decided in this second part to focus on a simple technique for information gathering on human targets. If an attacker is targeting a specific country, members of the military and defense contractors would make good human targets. When targeting members of the military, an attacker would probably focus on high ranking officers and for defense contractors, an attacker would focus on key decision makers, C-level executives, etc. Why? Because if an attacker compromises these people, they could gain access to valuable information related to their work, their personal life, and family. Data related to their work could help an attacker strategically by enabling them to build better defenses, steal intellectual property, and craft specific attacks. Data related to a target’s personal life could help attackers for blackmailing or attacking the target’s families.


There is no need to work for the NSA and have a huge budget in order to get juicy information. Everything is just one click away; attackers only need to find ways to easily milk the web. One easy way to gather information about people is to get their email addresses as I have described last year here http://blog.ioactive.com/2012/08/the-leaky-web-owning-your-favorite-ceos.html . Basically you use a website registration form and/or forgotten password functionality to find out if an email address is already registered on a website. With a list of email addresses attackers can easily enumerate the websites/services where people have accounts. Given the ever-increasing number of online accounts one person usually has, this could provide a lot of useful information. For instance, it could make perform phishing attacks and social engineering easier (see http://www.infosecurity-magazine.com/view/35048/hackers-target-mandiant-ceo-via-limo-service/). Also, if one of the sites where the target has an account is vulnerable, that website could be hacked in order to get the target’s account password. Due to password reuse, attackers can compromise all the target accounts most of the time. 


This is intended to be easy and practical, so let’s get hands on. I did this research about a year ago. First, I looked for US Army email addresses. After some Google.com searches, I ended up with some PDF files with a lot of information about military people and defense contractors:



I extracted some emails and made a list. I ended up with:

1784 total email addresses: military (active and retired), civilians, and defense contractors.

I could have gotten more email addresses, but that was enough for testing purposes. I wasn’t planning on doing a real attack.

I had a very simple (about 50 LoC or so) Python tool (thanks to my colleague Ariel Sanchez for quickly building original tool!) that can be fed a list of websites and email addresses. I had already built the website database with 20 or so common and well known websites (I should have used military related ones too for better results, but it still worked well), I loaded the list of email addresses I had found, and then ran the tool. A few minutes later I ended up with a long list of email addresses and the websites where those email addresses were used (meaning where the owners of those email addresses have accounts):

Site
Accounts
     %
Facebook
  308
17.26457
Google
  229
12.83632
Orbitz
  182
10.20179
WashingtonPost
  149
8.352018
Twitter 
  108
6.053812
Plaxo
  93
5.213004
LinkedIn
  65
3.643498
Garmin
  45
2.522422
MySpace
  44
2.466368
Dropbox
  44
2.466368
NYTimes
  36
2.017937
NikePlus
  23
1.289238
Skype
  16
0.896861
Hulu
  13
0.7287
Economist
  11
0.616592
Sony Entertainment Network
  9
0.504484
Ask
  3
0.168161
Gartner
  3
0.168161
Travelers
  2
0.112108
Naymz
  2
0.112108
Posterous
  1
0.056054

Interesting to find accounts on Sony Entertainment Network website, who says the military can’t play Playstation :)

I decided that I should focus on something juicier, not just random .mil email addresses. So, I did a little research about high ranking US Army officers, and as usual, Google and Wikipedia ended up being very useful.

Let’s start with US Army Generals. Since this was done in 2012, some of them could be retired now.


I found some retired ones that now may be working for defense contractors and trusted advisors:


Active US Army Generals seem not to use their .mil email addresses on common websites; however, we can see a pattern that almost all of them use orbitz.com. For retired ones, since we got the personal (not .mil) email addresses, we can see they use them on many websites.

After US Army Generals, I looked at Lieutenant Generals (we could say future Generals):


Maybe because they are younger they seem to use their .mil email address in several common websites including Facebook.com. Even more, they have most of their Facebook information available to public! I was thinking about publishing the related Facebook information, but I will leave it up to you to explore their Facebook profiles.



I also looked for US Army Mayor Generals and found at least 15 of them:

Robert Abrams
Email: robert.abrams@us.army.mil



Found account on site: orbitz.com

Found account on site: washingtonpost.com


Jamos Boozer
Email: james.boozer@us.army.mil



Found account on site: orbitz.com

Found account on site: facebook.com


Vincent Brooks
Email: vincent.brooks@us.army.mil



Found account on site: facebook.com

Found account on site: linkedin.com


James Eggleton
Email: james.eggleton@us.army.mil



Found account on site: plaxox.com


Reuben Jones
Email: reuben.jones@us.army.mil



Found account on site: plaxo.com

Found account on site: washingtonpost.com




David quantock
Email: david-quantock@us.army.mil



Found account on site: twitter.com

Found account on site: orbitz.com

Found account on site: plaxo.com




Dave Halverson
Email: dave.halverson@conus.army.mil



Found account on site: linkedin.com


Jo Bourque
Email: jo.bourque@us.army.mil



Found account on site: washingtonpost.com




Kev Leonard
Email: kev-leonard@us.army.mil



Found account on site: facebook.com


James Rogers
Email: james.rogers@us.army.mil



Found account on site: plaxo.com




William Crosby
Email: william.crosby@us.army.mil



Found account on site: linkedin.com


Anthony Cucolo
Email: anthony.cucolo@us.army.mil



Found account on site: twitter.com

Found account on site: orbitz.com

Found account on site: skype.com

Found account on site: plaxo.com

Found account on site: washingtonpost.com

Found account on site: linkedin.com


Genaro Dellrocco
Email: genaro.dellarocco@msl.army.mil



Found account on site: linkedin.com


Stephen Lanza
Email: stephen.lanza@us.army.mil



Found account on site: skype.com

Found account on site: plaxo.com

Found account on site: nytimes.com


Kurt Stein
Email: kurt-stein@us.army.mil



Found account on site: orbitz.com

Found account on site: skype.com


Later I found about 7 US Army Brigadier General and 120 US Army Colonel email addresses, but I didn’t have time to properly filter the results. These email addresses were associated with many website accounts.

Basically, the 1784 total email addresses included a broad list of ranking officers from the US Army.

Doing a quick analysis of the gathered information we could infer: 
  • Many have Facebook accounts exposing to public the family and friend relations that could be targeted by attackers. 
  • Most of them read and are probably subscribed to The Washington Post (makes sense, no?). This could be an interesting avenue for attacks such as phishing and watering hole attacks. 
  • Many of them use orbitz.com, probably for car rentals. Hacking this site can give attackers a lot of information about how they move, when they travel, etc. 
  • Many of them have accounts on google.com probably meaning they have Android devices (Smartphones, tablets, etc.).This could allow attackers to compromise the devices remotely (by email for instance) with known or 0days exploits since these devices are not usually patched and not very secure.
  • And last but not least, many of them including Generals use garmin.com or nikeplus.com. Those websites are related with GPS devices including running watches. These websites allow you to upload GPS information making them very valuable for attackers for tracking purposes. They could know on what area a person usually runs, travel, etc.


As we can see, it’s very cheap and easy to get information about ranking members of the US Army. People serving in the US Army should take extra precautions. They should not make their email addresses public and should only use them for “business” related issues, not personal activities.

No comments:

Post a Comment