Researcher: Tools Will Help Personalize ID Theft by 2010

By Lisa Vaas  |  Posted 2007-04-19 Print this article Print

A well-known security expert demonstrates a framework at the CanSecWest conference that makes it easier for criminals to steal identifying data.

VANCOUVER, British Columbia—Hackers with scrounged-up data ask the same question as dogs whove caught the school bus: What do we do with it now? Roelof Temmingh has the answer, at least for rogue hackers, in the form of a framework that makes identity theft a much easier proposition. The framework, which is in the early stages of development, is called Evolution. Temmingh, a security expert whos authored well-known security testing applications such as Wikto and CrowBar, demonstrated Evolution during his opening presentation here at the CanSecWest security conference on April 18.
Evolution works by feeding on disparate identifying data such as name, e-mail address, company, word or phrase, and Web site—or the hackers version of that, which would translate to IP address, virtual hosts, Netblocks/AS routes, affiliations (with social sites such as LinkedIn, MySpace, Facebook, and so on), forward and reverse DNS-MX/NS records, Whois records/rWhois and referring registrars, Google, and microformats including, for example, vCards.
The frameworks genius lies in transforming one type of information to another. Evolution can transform a domain into an e-mail address or telephone number, or both (through the Whois domain name lookup service), to related DNS names, to IPs, to a Web site, to e-mail addresses (again, via Whois), to telephone numbers, to geographic locations, to alternative e-mail addresses, to related telephone numbers, to co-hosted sites with the same IP, and so on. The idea of using transforms to unearth hidden data builds on the logic that if A points to B points to C, and X points to Y points to C, then A points to X, Temmingh said. Transforms call on Java entities including,,,,, and so on. Evolution now contains 26 transforms and "is growing steadily," Temmingh said. An example of a transform that can move one type of information to another: So what does that mean? The transforms are part of the answer to, "Who can do anything with a fill-in-the-blank?" Who can do anything with an e-mail address or a Social Security number, for example. Given a SSN and an entity with which to transform it, an identity thief or other criminal could do much, Temmingh said. Can identity theft be solved with more regulation? Click here to read more. For example, with domain and e-mail data, a criminal can spoof e-mail to make it look as if it were coming from an internal source within a company. Making it look like an "accidental" cc, the crook could e-mail employees—or, less subtly, a business such as Bloombergs—stating that the CEO has resigned, that the company is insolvent, that the recipient should hasten to sell his or her shares, and so on. Or a criminal could register a site in the name of the holding companys director and mirror a porn site to get it populated. Or spoof e-mail from a techie at a sister company to employees at a target company, mentioning a lamentable "discovery." Or spoof an SMS from a mobile phone to a high-profile investor about corruption in the company. Next, sit back and watch share price drop. Buy low and sell high: the classic pump-and-dump scheme. "Its kids stuff, and its easy to spot," Temmingh said. "Timing, however, is everything." If a criminal can do it at the right time, say, during a merger between two companies, the crime is likely to be successful, he said. "The only thing you need is to create doubt in the minds of other people." Next Page: The scary side of Web 2.0

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel