Thursday, August 13, 2015

Enemies use crude techniques to build on-line target lists, but corporate and government database (and commercial software) vulnerabilities add to the problem

The media (especially CNN) today discussed a new “target list” of about 1400 people in the US (and probably including the UK and Australia), compiled by a well-known enemy (ISIS) determined to use social media to launch asymmetric and psychological warfare. (CNN has yet to post the news story, as of early Thursday evening; late in the evening it did, here.)  Troy Hunt has an interesting analysis of how these names and other identifiers could have been compiled from multiple sources, many of them government or corporate databases with employee or military personnel information, link here.

Hunt believes that the “hackers” paid very little attention to who the people are or what their jobs are.  Much of the data could come from publicly available sources (and there are numerous websites that sell culled public record information to subscribers).
But several techniques were used, including “pastes” and scrapes exploiting known Adobe vulnerabilities, and Hunt presents them.  There is also a new acronym, HIBP, “Have I Been Pwned”.

Another newspaper, the Epoch Times, in a story by Joshua Philipp, reports that much of the technical expertise for ISIS Internet activity is in the former Soviet bloc, some of it in Russia, link here.  This would seem consistent with what Troy Hunt presents in his article.
