Security Bytes

Sep 29 2008   4:42PM GMT

Penetration testing without the penetration

David Schneier

When the subject of penetration testing and security assessments comes up, it usually conjures thoughts of highly skilled consultants deploying an array of custom tools to gather information on a target network and look for potential weak spots. But there are a number of guys out there doing these assessments who are using less-technical methods and putting the Web’s seemingly boundless stores of information to use instead. Chris Gates is one of those guys, and he gave a fascinating talk on his methods at ToorCon over the weekend, telling the audience that tools like Maltego and Metagoofil can be invaluable in gathering data on a target network.

Maltego, which finds, organizes and displays information on specific networks and reveals the relationships among companies and individual people, can be a tremendous resource, he said. “I can start with mail servers and name servers and get all the domains on those servers and then move onto netblocks,” he said.

Gates also said that programs such as email harvesters can be great sources of information on a company’s employees, as can social networking sites such as LinkedIn, Facebook and MySpace. That’s not a huge revelation, but using information gathered on those sites in conjunction with the other tools Gates talked about can lead to major caches of data on specific employees or companies in general, all of which can then be leveraged to glean more information.

Also, be sure to check out the photos of ToorCon I took this weekend.
