Google Calendar for Security Professionals
Google calender is a great tool collaboration tool for maintaining a personal, world accessible calendar, but also a calendar for group collaboration. With group collaboration, you can set your calendar to allow certain individuals to access it, or you cah set it to world readable.
With World readable, you can just set free/busy information, or allow "backstage access", effectively making a public calendar.
Public calendar you say? Oh goodie!
So, in order to make Google calendar useful to us as a security professional (for performing audits, pentests, etc), we actually need to have a google accoutn, and a google calendar of our own. Really simple to get, just go to http://www.google.com/calendar and sign up - free and easy. Once signed up, we can begin searching...
When we're signed in, the left hand tool bar has a seach pane - search Other Calendars! This search will obtain some interesting items only on public calendars - you'd be surprised what is out there. Information disclosure for a potential attacker, you bet.
So, what to search for? Here are some of my favorites:
- passcode = how about joining a conference call or two? Get there early, and don;t record your name. put it on mute, hang out and listen.
- passcode security = See the last one. But, likeley they'll be talking about security goodies.
- passcode [email,network,ip,] = see above. :-)
- [firewall,network,server] upgrade = see when they are scheduled. What do you want to bet there will be outages, and configuration issues? good time to exploit those weakneses, or social engineer the help desk...
- [pen, penetration] test - when is a good time to sneak in some attacks, blending in with the IDS IPS issues? you guessed it.
- vacation = more social engineering attempts. Hello helpdesk? My VPN doesn't seem to be working.....
- vacation [company name] = even more detailed information
- LOA = same as vacation.
- conference call = Sometimes they list the dialin number...sit back and listen to all sorts of info.
- Company name = certainly a good one for your own organization. Don't forget any internal abbreviations!
- Guys, thinking of any more while we're discussing these?
So, thinking about more of these searches, I'm sure that you can think of all sorts of keywords for possible information disclosure for an organization. It is a good idea to audit this and other places of information disclosure....like employee blogs? Ouch.
How do you protect? Policy, block google calendar, audit.
Stories For Discussion
Mods for Karma - [Larry] to allow for Ad-Hoc mode... Airport anyone?
Capture-HPC - [Larry] - A Client Honeypot for finding malicious web servers, from the New Zealand honeynet alliance. It engages the web server (with interaction), and checks for client changes in the VM. Look for some upcoming info on this from the PDC crew.
Quit your whining already - [Larry] - Waaaah! Evil hackers cah spend all this time finding exploits in OSees, etc, and can disclose and exploit them at will. Save us! Instead of complaining, how about code audits, and employing divisions to test your stuff before hand...