VANCOUVER, British Columbia—Hackers with scrounged-up data ask the same question as dogs whove caught the school bus: What do we do with it now?
Roelof Temmingh has the answer, at least for rogue hackers, in the form of a framework that makes identity theft a much easier proposition. The framework, which is in the early stages of development, is called Evolution. Temmingh, a security expert whos authored well-known security testing applications such as Wikto and CrowBar, demonstrated Evolution during his opening presentation here at the CanSecWest security conference on April 18.
Evolution works by feeding on disparate identifying data such as name, e-mail address, company, word or phrase, and Web site—or the hackers version of that, which would translate to IP address, virtual hosts, Netblocks/AS routes, affiliations (with social sites such as LinkedIn, MySpace, Facebook, and so on), forward and reverse DNS-MX/NS records, Whois records/rWhois and referring registrars, Google, and microformats including, for example, vCards.
The frameworks genius lies in transforming one type of information to another. Evolution can transform a domain into an e-mail address or telephone number, or both (through the Whois domain name lookup service), to related DNS names, to IPs, to a Web site, to e-mail addresses (again, via Whois), to telephone numbers, to geographic locations, to alternative e-mail addresses, to related telephone numbers, to co-hosted sites with the same IP, and so on.
The idea of using transforms to unearth hidden data builds on the logic that if A points to B points to C, and X points to Y points to C, then A points to X, Temmingh said. Transforms call on Java entities including affiliationEntity.java, DNSNameEntity.java, DocumentEntity.java, DomainEntity.java, EmailAddressEntity.java, and so on.
Evolution now contains 26 transforms and "is growing steadily," Temmingh said. An example of a transform that can move one type of information to another: PersonToEmailPhoneSiteGoogleBlog.java.
So what does that mean? The transforms are part of the answer to, "Who can do anything with a fill-in-the-blank?" Who can do anything with an e-mail address or a Social Security number, for example. Given a SSN and an entity with which to transform it, an identity thief or other criminal could do much, Temmingh said.
For example, with domain and e-mail data, a criminal can spoof e-mail to make it look as if it were coming from an internal source within a company. Making it look like an "accidental" cc, the crook could e-mail employees—or, less subtly, a business such as Bloombergs—stating that the CEO has resigned, that the company is insolvent, that the recipient should hasten to sell his or her shares, and so on. Or a criminal could register a site in the name of the holding companys director and mirror a porn site to get it populated. Or spoof e-mail from a techie at a sister company to employees at a target company, mentioning a lamentable "discovery." Or spoof an SMS from a mobile phone to a high-profile investor about corruption in the company.
Next, sit back and watch share price drop. Buy low and sell high: the classic pump-and-dump scheme.
"Its kids stuff, and its easy to spot," Temmingh said. "Timing, however, is everything." If a criminal can do it at the right time, say, during a merger between two companies, the crime is likely to be successful, he said. "The only thing you need is to create doubt in the minds of other people."