From Security Weekly Wiki
Revision as of 18:24, 19 April 2007 by Larry (talk | contribs)

Google Calendar for Security Professionals

Google Calendar is a great collaboration tool, both for maintaining a personal, world-accessible calendar and for group collaboration. With group collaboration, you can set your calendar to allow certain individuals to access it, or you can set it to world readable.

With World readable, you can just set free/busy information, or allow "backstage access", effectively making a public calendar.

Public calendar you say? Oh goodie!

So, in order to make Google Calendar useful to us as security professionals (for performing audits, pentests, etc.), we actually need to have a Google account and a Google calendar of our own. Really simple to get: just go to http://www.google.com/calendar and sign up - free and easy. Once signed up, we can begin searching...

When we're signed in, the left-hand toolbar has a search pane - search Other Calendars! This search returns items from public calendars only - you'd be surprised what is out there. Information disclosure for a potential attacker, you bet.

So, what to search for? Here are some of my favorites:

- passcode = how about joining a conference call or two? Get there early, and don't record your name. Put it on mute, hang out and listen.

- passcode security = See the last one. But likely they'll be talking about security goodies.

- passcode [email,network,ip,] = see above. :-)

- [firewall,network,server] upgrade = see when they are scheduled. What do you want to bet there will be outages and configuration issues? Good time to exploit those weaknesses, or social engineer the help desk...

- [pen, penetration] test - when is a good time to sneak in some attacks, blending in with the IDS/IPS issues? You guessed it.

- vacation = more social engineering attempts. Hello helpdesk? My VPN doesn't seem to be working.....

- vacation [company name] = even more detailed information

- LOA = same as vacation.

- conference call = Sometimes they list the dial-in number... sit back and listen to all sorts of info.

- Company name = certainly a good one for your own organization. Don't forget any internal abbreviations!

- Guys, thinking of any more while we're discussing these?

So, thinking about more of these searches, I'm sure that you can think of all sorts of keywords for possible information disclosure for an organization. It is a good idea to audit this and other places of information disclosure....like employee blogs? Ouch.

How do you protect? Policy, block Google Calendar, audit.
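One way to run the "audit" step against your own organization's calendar export, as an added example that is not part of the original show notes: it parses an iCalendar (.ics) file and flags events whose text matches the keyword groups from the list above. The rule labels, function names and sample data are assumptions constructed for this example.

```python
import re
# Keyword groups taken from the search terms listed on this page.
RULES = {
    "conference access": r"\bpass\s?code\b|\bconference call\b|\bdial-?in\b",
    "maintenance window": r"\b(firewall|network|server)\b.*\bupgrade\b",
    "security testing": r"\bpen(etration)?[ -]?test",
    "staff absence": r"\bvacation\b|\bLOA\b",
}
FIELDS = ("SUMMARY", "DESCRIPTION", "LOCATION")
# Constructed sample export; every value in it is made up for this example.
SAMPLE_ICS = r"""BEGIN:VCALENDAR
BEGIN:VEVENT
DTSTART:20070423T140000Z
SUMMARY:Weekly security sync
DESCRIPTION:Conference bridge 555-0100\, pass
 code 000000
END:VEVENT
BEGIN:VEVENT
DTSTART:20070425T020000Z
SUMMARY;LANGUAGE=en:Firewall upgrade\nexpect outage
END:VEVENT
BEGIN:VEVENT
DTSTART:20070426T170000Z
SUMMARY:Team lunch
END:VEVENT
END:VCALENDAR"""

def events(ics_text):
    """Yield one dict of properties per VEVENT; an escaped \\n becomes a space."""
    unfolded = re.sub(r"\n[ \t]", "", ics_text.replace("\r\n", "\n"))  # undo folding
    for block in re.findall(r"^BEGIN:VEVENT$(.*?)^END:VEVENT$", unfolded, re.S | re.M):
        ev = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            key = name.split(";", 1)[0].upper()  # drop parameters like ;LANGUAGE=en
            if sep:  # first value wins, so a nested VALARM cannot overwrite the event
                ev.setdefault(key, re.sub(r"\\(.)", lambda m: " " if m.group(1) in "nN" else m.group(1), value))
        yield ev

def audit(ics_text):
    """Return (start, summary, matched rule labels) for each flagged event."""
    findings = []
    for ev in events(ics_text):
        text = " ".join(ev.get(f, "") for f in FIELDS)
        hits = sorted(k for k, rx in RULES.items() if re.search(rx, text, re.I))
        if hits:
            findings.append((ev.get("DTSTART", "?"), ev.get("SUMMARY", ""), hits))
    return findings
```

Extend `RULES` with your company name and internal abbreviations before running `audit()` over each calendar you export.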

Stories For Discussion

Mods for Karma - [Larry] to allow for Ad-Hoc mode... Airport anyone?

Capture-HPC - [Larry] - A Client Honeypot for finding malicious web servers, from the New Zealand honeynet alliance. It engages the web server (with interaction), and checks for client changes in the VM. Look for some upcoming info on this from the PDC crew.

Quit your whining already! - [Larry] - Waaaah! Evil hackers can spend all this time finding exploits in OSes, etc., and can disclose and exploit them at will. Save us! Instead of complaining, how about code audits, and employing divisions to test your stuff beforehand... Sounds like they want some legislation? When exploits become criminal, only criminals will have exploits...

Oracle to be selective about patches - [Larry] - What? So, you have to request a patch if you are running some odd combination of server version on some hardware... etc. How will I know if I am vulnerable, to request the patch... why wouldn't I request the patch... If you know I'm going to ask... just develop it and don't make me wait another 6 months for it while my shorts are around my ankles.

McAfee VirusScan Overflow - [Larry] This possibly allows for remote code execution as SYSTEM. One slight snag - the target system must have East Asia language files installed and the default Unicode codepage must be set to a language which contains multi-byte characters, such as Chinese, for the exploit to work. Time to hack those Chinese hackers/spammers back? Thoughts on hacking back?

ClamAV buffer overflow - [Larry] Details are light on this one, from what I can tell. But for free AV, you get what you pay for.

Other Stories of Interest