Wednesday

The dangers of Web 2.0: information gathering tactics 101



Well, we don't even have to talk about Web 2.0 or social networks. A byproduct of the technology age we live in is information. We all have or leave an extensive information waste footprint without even realizing it. This can be (mis)used for identity theft or social engineering. It has only been a few months since I mentioned Maltego. The tool, which has migrated from a web-based application to a downloadable GUI, still leaves Google behind when it comes to personal information gathering.

Since the web-based application has been taken offline, I downloaded the GUI and played around with it. Of course, I used it on my own name and on my company, and I can only say 'WOW'. Just try it; you'll be surprised by the information out there.

What is it?

  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
  • These entities are linked using open source intelligence.
  • Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
  • Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.
  • Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.
  • Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.
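To make the entity-and-transform model described above concrete, here is an added Python example (not Maltego's own code or Paterva's API): entity types are chained through transforms that consult constructed, offline lookup tables, and a breadth-first expansion reports how many degrees of separation each discovered item lies from the seed entity. Every name, address and table below is hypothetical.

```python
from collections import deque

# Constructed, offline stand-ins for the open-source lookups a real
# transform would perform (DNS, WHOIS, search engines). Hypothetical data.
AFFILIATIONS = {"Jane Doe": ["Example Corp"]}
DOMAINS_OF = {"Example Corp": ["example.org"]}
DNS_NAMES = {"example.org": ["www.example.org", "mail.example.org"]}
WHOIS_CONTACT = {"example.org": ["Jane Doe"]}
RESOLVES_TO = {"www.example.org": ["192.0.2.10"], "mail.example.org": ["192.0.2.25"]}
NETBLOCK_OF = {"192.0.2.10": ["192.0.2.0/24"], "192.0.2.25": ["192.0.2.0/24"]}

# A transform maps one entity type to (output type, lookup table).
TRANSFORMS = {
    "person": [("company", AFFILIATIONS)],
    "company": [("domain", DOMAINS_OF)],
    "domain": [("dnsname", DNS_NAMES), ("person", WHOIS_CONTACT)],
    "dnsname": [("ip", RESOLVES_TO)],
    "ip": [("netblock", NETBLOCK_OF)],
}


def expand(seed_type, seed_value, max_degree):
    """Run transforms breadth-first from a seed entity.

    Returns a dict {(type, value): degree} holding every entity found within
    max_degree hops, plus the list of (source, target) links that joined them.
    Entities already at max_degree are recorded but not expanded further.
    """
    start = (seed_type, seed_value)
    degree = {start: 0}
    links = []
    queue = deque([start])
    while queue:
        entity = queue.popleft()
        if degree[entity] >= max_degree:
            continue
        etype, value = entity
        for out_type, table in TRANSFORMS.get(etype, []):
            for found in table.get(value, []):
                target = (out_type, found)
                links.append((entity, target))  # keep loops back to known items
                if target not in degree:
                    degree[target] = degree[entity] + 1
                    queue.append(target)
    return degree, links


if __name__ == "__main__":
    found, _ = expand("person", "Jane Doe", 4)
    for (etype, value), hops in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{hops} degree(s): {etype:8} {value}")
```

Auditing your own footprint this way shows which items (an IP address, a netblock) are only a few hops from a name; the WHOIS transform in the sample also closes a loop back to the seed, which is how a graph exposes connections a single search would not.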

What can Maltego do for me?

  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  • Maltego provides you with a much more powerful search, giving you smarter results.
  • If access to "hidden" information determines your success, Maltego can help you discover it.
Look at the screenshots here.
Download here.
Download your API key here.

Your security policy and awareness program should take this into account. To get an idea of the issue and some suggested countermeasures, read ENISA's paper on "Security Issues and Recommendations for Online Social Networks" (thanks to ISSA BE for mentioning this paper).
Introduction.

This paper aims to provide a useful introduction to security issues in the area of Social Networking, highlight the most important threats and make recommendations for action and best practices to reduce the security risks to users. Examples are given from a number of providers throughout the paper. These should be taken as examples only and there is no intention to single out a specific provider for criticism or praise. The examples provided are not necessarily those most representative or important, nor is the aim of this paper to conduct any kind of market survey, as there might be other providers which are not mentioned here and nonetheless are equally or more representative of the market.

Audience

This paper is aimed at corporate and political decision-makers as well as Social Network application-providers. It also seeks to raise awareness among political and corporate decision-makers of the legal and social implications of new developments in Social Networking technologies. In particular, the findings should have important implications for education and data protection policy.
Some recommendations of the report are:
  • Recommendation SN.1 Encourage awareness-raising and educational campaigns
  • Recommendation SN.2 Review and reinterpret the regulatory framework
  • Recommendation SN.3 Increase transparency of data handling practices
  • Recommendation SN.4 Discourage the banning of SNSs in schools
  • Recommendation SN.5 Promote stronger authentication and access-control where appropriate
  • .....
Download full report here.

Update: Chris Gates also refers to the following two presentations (thanks!!):

Presentations on Maltego:
CansecWest07 Presentation [PPT] (1.8MB)
FIRST 2007 Presentation [PPT] (4.5MB)

2 comments:

CG said...

Good post, I did one on Maltego a while back as well.

http://carnal0wnage.blogspot.com/2007/12/patervas-maltego-for-information.html

Karim Vaes said...

Nice hint, going to try this one (as I've got some web visibility myself).