In today’s article we cover how quickly hackers can find exposed data online.
Introduction
Data is an organization’s most valuable asset. It may consist of financial details, consumer information, non-public information (NPI), personally identifiable information (PII), employee records and more. Protecting employee and consumer data should be a top priority for any organization, because data that is exposed online is the starting point for attacks that cause serious damage.
Exposed data is easy for a hacker to find. An attacker who has picked an organization as a target routinely uses open-source intelligence (OSINT) tools to do exactly that, and the result can be a nightmare for the organization.
In August 2019, a massive dump of LinkedIn account data was found exposed online: more than 159 million records on Pastebin in “email:password” format. All of it is for sale, and for 0.012 BTC you can try to log in to anyone’s LinkedIn account. If the owner has not changed that password since, and has reused it on other sites, the same credential gets you into many of the places where they work: iCloud, Gmail or Yahoo with all their photos and mail, Facebook and Instagram are all reachable once you hold this database.
The dark web
One nefarious place a hacker can find an organization’s exposed data is the dark web, a small part of the deep web (content that ordinary search engines do not index). The dark web consists of content hosted on darknets, overlay networks that run over the Internet but require specific software, configuration or authorization to access. The best-known darknet uses onion routing and is reached through the Tor Browser or another Tor client; Tor is an anonymity network, not a VPN.
What makes onion services attractive to hackers is that they are not indexed by Google and cannot be reached from the ordinary internet without Tor. A hacker knows how onion routing works and how to get onto the dark web. Details of more than 267 million Facebook accounts were found for sale on the dark web for as little as €500. The data consisted of names, user IDs and phone numbers. Even though it contained no passwords or other credentials, a hacker can use such details to impersonate a user or steal their identity, and very realistically to run a spam or phishing campaign against them.
The dark web is a safe place to buy and sell this kind of sensitive data because it gives its users a high degree of anonymity, so buyers and sellers rarely get caught.
Zoosk, a dating app, recently suffered a massive data breach. The hacker group ShinyHunters put up for sale what it claims is the stolen account information of millions of online daters who used the popular app. A hacker with a working knowledge of the dark web can buy this dump and gain access to millions of stolen accounts, while the average internet user may not even know what the dark web is.
OSINT
OSINT stands for open-source intelligence. The OSINT Framework is a curated collection of free tools and resources for gathering information, intended to help people find those resources quickly. Some of the listed sites require registration or sell richer data, but you can usually get at least some of the information for free.
OSINT helps hackers search for data about specific individuals or organizations that is exposed on the Internet, and the OSINT Framework lists plenty of tools for the task. It gives a hacker small but very important details about a person or organization: office locations, current job vacancies, the employees who work there, their names and addresses, and sometimes even Social Security numbers.
More data is available online today than ever before. The main difference between a regular internet user and a hacker is that the hacker knows where to look for the most reliable information. Using OSINT techniques, a hacker can obtain the following details about an organization:
- Email address
- Domain name
- IP address
- Telephone number
- Public records
- Business records
And that is only the start of what an attacker can get their hands on.
A hacker collects all possible data using OSINT and, once collection is complete, analyzes it for what is useful. For example, “theHarvester” is an excellent tool for collecting an organization’s IP addresses, email addresses and subdomains from public sources such as Google and other search engines.
Google dorking
Google hacking, also called Google dorking, is a technique that uses Google’s advanced search operators (and other Google services) to find security weaknesses in the configuration and code of websites, along with files that were never meant to be indexed.
In Google dorking, the hacker uses Google’s advanced search operators so that only the type of data they are after is returned, which strips the irrelevant results that would otherwise bury the useful ones. For example, if a hacker wants every PDF document on a particular site that is publicly reachable, they run a query like this:
- site:example.org filetype:pdf
In the above example, the hacker searches for all publicly accessible PDF files on example.org. The organization itself may not know which sensitive files were inadvertently exposed. Say you find a file called configuration.pdf that describes the software the staff use for their day-to-day work. If you are lucky, it also contains the default credentials for that software.
Hackers also use Google dorking to find a website’s login panel, which is often not linked from the main site, and then brute-force it.
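As an added example (not from the original article), the script below evaluates Google-style dork operators against a constructed inventory of URLs, so you can see which of your own indexed pages a query such as site:example.org filetype:pdf would surface. No search engine is contacted; the inventory, the example.org hostnames and the file names are all made up for the demonstration.

```python
"""Evaluate Google-style dork operators (site:, filetype:/ext:, inurl:,
intitle:, bare keywords, '-' negation) against an inventory of URLs.
Offline example: the inventory below is constructed, not crawled."""
import shlex
from urllib.parse import urlparse

# Constructed inventory of (url, title) pairs standing in for what a
# search engine has indexed for example.org (hypothetical hosts/paths).
INVENTORY = [
    ("https://example.org/docs/configuration.pdf", "Configuration guide"),
    ("https://example.org/admin/login.php", "Admin Login"),
    ("https://example.org/about.html", "About us"),
    ("https://cdn.example.org/backup/db.sql", "Index of /backup"),
    ("https://example.net/manual.pdf", "Manual"),
]


def _match_term(op, value, url, title):
    """Does a single dork term match this (url, title) record?"""
    parsed = urlparse(url)
    path = parsed.path.lower()
    if op == "site":
        host = parsed.hostname or ""
        return host == value or host.endswith("." + value)
    if op in ("filetype", "ext"):
        return path.endswith("." + value)
    if op == "inurl":
        return value in url.lower()
    if op == "intitle":
        return value in title.lower()
    if op is None:  # bare keyword: match anywhere in URL or title
        return value in url.lower() or value in title.lower()
    raise ValueError(f"unsupported operator: {op}")


def match_dork(dork, inventory=INVENTORY):
    """Return the URLs in inventory that satisfy every term of the dork.
    Quoted phrases ('intitle:"index of"') and a leading '-' (negate) work."""
    terms = []
    for tok in shlex.split(dork):
        negate = tok.startswith("-")
        tok = tok[1:] if negate else tok
        op, sep, val = tok.partition(":")
        if not sep:
            op, val = None, tok
        terms.append((negate, op, val.lower()))
    hits = []
    for url, title in inventory:
        if all(_match_term(op, val, url, title) != neg for neg, op, val in terms):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for q in ("site:example.org filetype:pdf",
              'site:example.org intitle:"index of"',
              "site:example.org -ext:pdf -ext:sql -inurl:login"):
        print(q, "->", match_dork(q))
```

Run the same dorks against a list exported from your own site map (or from a crawler) to learn what an attacker would find before they do; a hit on inurl:login or intitle:"index of" is the kind of page that should not be indexed at all.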
Shodan
Shodan is the world’s first search engine for Internet-connected devices. Unlike Google and other search engines, which index web pages, Shodan indexes the service banners of whatever is listening on the internet: webcams, traffic signals, smart TVs, industrial controllers and more. Shodan lets you search by IP address or subnet, by the ports open on those IPs, and by known vulnerabilities.
Shodan lets you discover devices affected by a specific weakness. If a server accepts anonymous FTP logins, Shodan records that in the banner and flags it in the search result, so a single query surfaces a large number of such servers and devices. Results can also be filtered by country, operating system and organization.
First, the hacker searches for “FTP anonymous”. From there the results can be filtered. The left sidebar shows summary data:
- Results map
- Top service
- Top organizations
- Top operating systems
- Top products
Then, in the main section, each result shows full details including:
- IP address
- Hostname
- Banner text
Shodan also provides search filters that work much like Google dorks, so a hacker can narrow the results to exactly what they want. Suppose the hacker wants to know how many such devices are in London. They put a query like this into Shodan:
- FTP anonymous city:"London"
This returns every server in London that accepts anonymous FTP. From there the hacker logs in to each FTP server and pulls down whatever it holds, filters for the data that looks sensitive, and frequently finds clear-text credentials stored on those servers.
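As an added example (not from the article), the script below triages a Shodan search result for anonymous FTP and then verifies a hit live. The result document is a constructed sample in the shape the Shodan host-search API returns (a matches list with ip_str, port, org, location and the banner in data); the IPs are documentation ranges, not real hosts, and the organization names are invented. The live check uses only the standard-library ftplib.

```python
"""Triage Shodan results for anonymous FTP, then confirm a hit live.
anonymous_ftp_hits() is offline and runs on the constructed SAMPLE;
check_anonymous_ftp() opens a real connection only when you call it."""
import ftplib
import json
import re

# Constructed sample in the shape of a Shodan /shodan/host/search reply.
# IPs are from RFC 5737 documentation ranges; orgs are made up.
SAMPLE = json.dumps({
    "total": 3,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 21, "org": "Example Hosting",
         "location": {"city": "London", "country_code": "GB"},
         "data": "220 (vsFTPd 3.0.3)\r\n230 Login successful.\r\n"},
        {"ip_str": "198.51.100.7", "port": 21, "org": "Example Telecom",
         "location": {"city": "London", "country_code": "GB"},
         "data": "220 FTP server ready.\r\n530 Login incorrect.\r\n"},
        {"ip_str": "192.0.2.44", "port": 2121, "org": "Example Labs",
         "location": {"city": "Manchester", "country_code": "GB"},
         "data": "220 ProFTPD Server\r\n230 Anonymous access granted, restrictions apply\r\n"},
    ],
})

# FTP reply code 230 means "user logged in"; Shodan's banner includes the
# reply to its own anonymous login attempt, so a 230 line marks a hit.
ANON_OK = re.compile(r"^230[ -]", re.MULTILINE)


def anonymous_ftp_hits(raw, city=None):
    """Return (ip, port, org, city) for each banner showing a successful
    anonymous login, optionally restricted to one city (like city:"London")."""
    hits = []
    for m in json.loads(raw).get("matches", []):
        loc = m.get("location") or {}
        if city and (loc.get("city") or "").lower() != city.lower():
            continue
        if ANON_OK.search(m.get("data", "")):
            hits.append((m["ip_str"], m["port"], m.get("org"), loc.get("city")))
    return hits


def check_anonymous_ftp(host, port=21, timeout=5):
    """Live confirmation: log in as anonymous and list the root directory.
    Returns the listing, or None if the server refuses anonymous login."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()  # defaults to user "anonymous", password "anonymous@"
            return ftp.nlst()
    except ftplib.all_errors:
        return None


if __name__ == "__main__":
    for ip, port, org, city in anonymous_ftp_hits(SAMPLE, city="London"):
        print(f"{ip}:{port} ({org}, {city}) -> {check_anonymous_ftp(ip, port)}")
```

Only run check_anonymous_ftp() against hosts you are authorized to test; for your own estate, the same function doubles as a quick audit that no FTP server still accepts anonymous logins.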
The Wayback Machine
Suppose a company called XYZ has run its website for the last five years and updates it regularly. You know it once posted a job advertisement that named the operating system or software it uses, but that page can no longer be reached.
So how would you get that page back and read the sensitive details? Many regular internet users would assume it is impossible, because it would mean going back in time. But it is possible: you can visit pages the company had in the past that no longer exist in the current version of the site.
The answer is the Wayback Machine. It is not a fancy time machine that sends you back to browse the web of years ago; it crawls sites periodically and stores a snapshot of each page it visits, so many past versions of a page are preserved (though not every change to a site is captured).
A hacker simply visits the Wayback Machine and enters a website address to browse the site’s history. A calendar shows which dates have snapshots, how many were captured on a given day and at what time, and lets you open any of them.
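As an added example (not from the original article), the script below enumerates archived snapshots of a target’s pages through the Wayback Machine’s CDX API and turns them into snapshot URLs, which is how you would pull back a removed job advertisement rather than clicking through the calendar by hand. The network call is isolated in fetch_cdx(); parse_cdx() runs offline on a constructed response in the JSON shape the CDX API returns (first row is the field list). xyz.com and the careers paths are the article’s hypothetical target.

```python
"""List archived snapshots of a target's pages via the Wayback Machine
CDX API and build the URL of each snapshot. parse_cdx() is offline;
fetch_cdx() performs the live request."""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(url_pattern, from_year=None, to_year=None, status="200"):
    """Build a CDX API URL. url_pattern may end in '*' to match every
    path under a prefix, e.g. 'xyz.com/careers*'. Snapshots with the
    same content digest are collapsed so each version appears once."""
    params = {
        "url": url_pattern,
        "output": "json",
        "fl": "timestamp,original,statuscode,mimetype",
        "collapse": "digest",
    }
    if from_year:
        params["from"] = str(from_year)
    if to_year:
        params["to"] = str(to_year)
    if status:
        params["filter"] = f"statuscode:{status}"
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def fetch_cdx(query_url, timeout=20):
    """Live request; returns the response body as text."""
    with urlopen(query_url, timeout=timeout) as resp:
        return resp.read().decode()


def parse_cdx(body):
    """With output=json the API returns a list of rows whose first row
    names the fields. Return one dict per snapshot plus its archive URL."""
    rows = json.loads(body)
    if not rows:
        return []
    header, rows = rows[0], rows[1:]
    snapshots = []
    for row in rows:
        rec = dict(zip(header, row))
        rec["snapshot_url"] = f"https://web.archive.org/web/{rec['timestamp']}/{rec['original']}"
        snapshots.append(rec)
    return snapshots


# Constructed sample response for the hypothetical xyz.com careers pages.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode", "mimetype"],
    ["20170312081500", "http://xyz.com/careers/", "200", "text/html"],
    ["20170312081530", "http://xyz.com/careers/sysadmin.html", "200", "text/html"],
    ["20190101120000", "http://xyz.com/careers/", "200", "text/html"],
])


if __name__ == "__main__":
    query = cdx_query_url("xyz.com/careers*", from_year=2016, to_year=2019)
    print("query:", query)
    for snap in parse_cdx(SAMPLE_CDX):          # swap in parse_cdx(fetch_cdx(query))
        print(snap["timestamp"], snap["snapshot_url"])
```

Defensively, run the same query against your own domain: anything sensitive that was ever published is still retrievable from these snapshots even after you take the page down, and the Wayback Machine has a removal process for site owners.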
Chaining it all together
Now, as a hacker, how would you chain all of this together for a fruitful outcome? Say you want to target a company called XYZ, and all you have to start with is its website, xyz.com. A hacker would first run theHarvester to see what IP addresses, subdomains and email addresses it can pull from public sources for that domain.
After running the tool, you notice that it found one email address on the xyz.com domain. There is a website that tells you whether an email address has appeared in a known breach: Have I Been Pwned. The hacker checks the discovered address there to see whether it has been compromised.
Another route is the OSINT tool Maltego. Maltego automates these lookups using OSINT techniques and helps you discover where the credentials of compromised accounts leaked from. If you are lucky, Maltego shows you the Pastebin dump in which the address was leaked, and that dump usually contains not just the one address but many others from the same organization. In this way the hacker chains every discovered detail together to get the maximum result, and eventually succeeds.
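As an added example (not from the article), the script below checks whether a credential from a dump such as the LinkedIn or Pastebin lists discussed above appears in Have I Been Pwned’s Pwned Passwords corpus, without ever sending the password itself. The breached-account lookup for an email address requires an API key, but the password range endpoint does not: it takes only the first five hex characters of the password’s SHA-1 and returns every suffix in that range (k-anonymity), and the match is made locally. The network call is isolated in fetch_range(); the constructed SAMPLE_RANGE stands in for a real response and its counts are invented.

```python
"""k-anonymity lookup against the Pwned Passwords range API: send a
5-character SHA-1 prefix, receive all suffixes in that range, match
locally. match_range() and split_sha1() are offline; fetch_range() is live."""
import hashlib
from urllib.request import Request, urlopen

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-char prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, timeout=10):
    """Download the range for a prefix (no API key needed). Add-Padding
    asks the service to mix in zero-count entries so response size does
    not leak how many real hashes share the prefix."""
    req = Request(RANGE_API + prefix,
                  headers={"User-Agent": "osint-example", "Add-Padding": "true"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def match_range(suffix, range_body):
    """Each line is 'SUFFIX:COUNT'. Return the breach count for our suffix,
    0 if absent (padding entries carry a count of 0 and so count as absent)."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix.upper():
            return int(count or 0)
    return 0


def pwned_count(password, fetch=fetch_range):
    """How many times the password has been seen in breaches (0 = not seen).
    'fetch' is injectable so the check can run against a stored range."""
    prefix, suffix = split_sha1(password)
    return match_range(suffix, fetch(prefix))


# Constructed range body for prefix 5BAA6 (the SHA-1 of "password" starts
# 5BAA61E4C...). The neighbouring suffixes and all counts are invented.
SAMPLE_RANGE = "\n".join([
    "1E2DE1D7B1C8E4A86D0D7C8E2A8F3C6D6A0:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E6D4F1C8A0B2E9F7D3C5B1A8E6F4D2C0B9:0",
])


if __name__ == "__main__":
    # Offline demonstration; replace the lambda with the default fetch_range for a live check.
    print("password ->", pwned_count("password", fetch=lambda p: SAMPLE_RANGE))
```

The same function is the right building block for a defender: run your users’ candidate passwords through it at password-change time and reject anything with a non-zero count, which is exactly the credential an attacker holding one of these dumps would try first.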
Let’s talk about the S3 bucket
2017 was one of the worst years on record for data breaches and compromises: 5,207 breaches were recorded, around 20% more than in 2015.
Several organizations were affected, Accenture, Dow Jones and Verizon among them. In many of these cases the organization had misconfigured AWS S3 buckets holding highly sensitive data and made them publicly readable. The red flag is that, according to the research, most of these breaches were not pre-planned by the attackers and could have been avoided had the dev, architecture and ops teams not made basic mistakes in how they handled their S3 buckets.
S3 buckets are private by default; breaches happen when a team loosens those default permissions while provisioning the bucket. Buckets can be configured manually or by script, and the misconfiguration can be an oversight by an administrator or a bug in the script at the moment permissions are granted. Another common pattern is a user opening a bucket up for temporary use and forgetting to revert the change. Either way it is an open invitation to a hacker.
Finding publicly exposed buckets is easy for a hacker because a bucket has a predictable, publicly reachable URL derived from its name. By default the URL takes one of these forms:
- https://BUCKET-NAME.s3.amazonaws.com/
- https://s3.amazonaws.com/BUCKET-NAME/
Bucket names also leak in the HTML of a site, in links to images, scripts and downloads served from S3. There are plenty of tools for finding buckets; the commonest approach is brute force, guessing bucket names from the organization’s name and common suffixes.
The well-known Burp Suite can help too, with the AWS Extender extension. Once you have a bucket name, though, it can only be abused if its permissions are misconfigured.
The AWS CLI is useful for the exploitation step, for example to list and download the contents of a bucket that allows public listing.
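As an added example (not from the article), the script below does the two offline halves of a bucket hunt: it generates candidate bucket names for an organization under S3’s naming rules, and it classifies what S3 answers when a name is probed (the XML error for a missing bucket, the AccessDenied error that proves the name is taken, or a public object listing). probe_bucket() issues the live unauthenticated request. The sample responses are constructed in the format S3 uses; the organization name xyz, the bucket names and the object keys are invented.

```python
"""Predict S3 bucket names for an organization and classify the probe
response. candidate_buckets() and classify_s3_body() are offline;
probe_bucket() makes the live HTTP request."""
import re
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import urlopen

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
SUFFIXES = ["", "backup", "backups", "dev", "prod", "staging", "assets",
            "static", "uploads", "logs", "data"]
SEPARATORS = ["", "-", "."]
# S3 bucket names: 3-63 chars, lowercase letters, digits, dots, hyphens,
# start and end alphanumeric (simplified; the full rules also ban '..', and IP-like names).
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def candidate_buckets(org, suffixes=SUFFIXES, seps=SEPARATORS):
    """Permute the organization name with common suffixes, both orders,
    keeping only names that are valid bucket names (deduplicated)."""
    org = org.lower()
    seen, names = set(), []
    for suf in suffixes:
        if not suf:
            variants = [org]
        else:
            variants = [f"{org}{s}{suf}" for s in seps] + [f"{suf}{s}{org}" for s in seps]
        for name in variants:
            if BUCKET_RE.match(name) and name not in seen:
                seen.add(name)
                names.append(name)
    return names


def classify_s3_body(status, body):
    """Map an S3 REST response to (verdict, object_keys):
      <Error><Code>NoSuchBucket</Code>   -> 'absent'
      <Error><Code>AccessDenied</Code>   -> 'exists-private' (name is taken)
      <ListBucketResult> (HTTP 200)      -> 'public-listing' with the keys
    Other error codes (e.g. PermanentRedirect for a bucket in another
    region) are returned as 'error:<Code>'; they also prove the name exists."""
    root = ET.fromstring(body)
    tag = root.tag.split("}")[-1]            # strip namespace if present
    if tag == "Error":
        code = root.findtext("Code")
        if code == "NoSuchBucket":
            return "absent", []
        if code == "AccessDenied":
            return "exists-private", []
        return f"error:{code}", []
    if tag == "ListBucketResult":
        keys = [k.text for k in root.iter(f"{{{S3_NS}}}Key")]
        return "public-listing", keys
    return f"unknown:{status}", []


def probe_bucket(name, timeout=10):
    """Live, unauthenticated GET of the virtual-hosted bucket URL."""
    url = f"https://{name}.s3.amazonaws.com/"
    try:
        with urlopen(url, timeout=timeout) as resp:
            return classify_s3_body(resp.status, resp.read())
    except HTTPError as err:
        return classify_s3_body(err.code, err.read())


# Constructed sample responses in S3's XML format (bucket/key names invented).
SAMPLE_ABSENT = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                 b'<Message>The specified bucket does not exist</Message>'
                 b'<BucketName>xyz-backup</BucketName></Error>')
SAMPLE_DENIED = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code>'
                 b'<Message>Access Denied</Message></Error>')
SAMPLE_PUBLIC = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                 b'<Name>xyz-backups</Name><Contents><Key>db/dump-2019.sql</Key></Contents>'
                 b'<Contents><Key>config/app.env</Key></Contents></ListBucketResult>')


if __name__ == "__main__":
    print(candidate_buckets("xyz")[:8], "...")
    for status, body in ((404, SAMPLE_ABSENT), (403, SAMPLE_DENIED), (200, SAMPLE_PUBLIC)):
        print(status, classify_s3_body(status, body))
```

A 'public-listing' verdict is the situation the breaches above were built on; 'exists-private' still tells the attacker the name is real, which is why the AWS CLI (aws s3 ls s3://BUCKET-NAME) is the next thing they try with any credentials they have collected. Run the name generator against your own organization and probe the results yourself before someone else does.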
Hackers have a long list of tools and resources at their disposal. They use them to enumerate as much as possible about a person or organization by gathering publicly exposed data that the average internet user would never find through ordinary browsing. A hacker knows exactly where to look for sensitive data, using OSINT, Google dorking, Shodan, the Wayback Machine, the dark web and more, and the organization that checks those same places first is the one that gets to fix the exposure before it is exploited.