Mapping The CIA Network

Internet security firm Matta claims it limited its footprinting activities to publicly available tools and search engines to build a detailed map of the CIA's network.

InformationWeek Staff, Contributor

March 6, 2002

Using the CIA as an example, Internet security firm Matta Security Ltd. has published a white paper showing it's possible to gather detailed information on an organization's network by using freely available resources.

Matta says it limited its footprinting activities to publicly available tools and search engines, such as the "whois" domain lookup database and the popular Google Inc. search engine, while building a detailed map of the CIA's network, including subdomain Web servers, mail exchanges, routers, router interfaces, and even the IP address of an internal network. Using Google, Matta also collected information on CIA personnel, such as office locations and phone numbers.

Experts aren't surprised. "Security professionals have long known this information is readily available about their enterprise," says Pete Lindstrom, security analyst with Hurwitz Group. "In these times, it's a shame Matta chose the CIA as their target."

Chris McNab, technical director for Matta, disagrees, saying the CIA was an appropriate target. "The CIA is a security-conscious entity, with adequate technical resources to ensure the security of its networks into the future. The reality is that it is virtually impossible for anyone to compromise the CIA's sensitive network space."

Experts say the information gathered by Matta doesn't reveal any vulnerabilities, just potential targets for attacks. For example, Matta uncovered dozens of phone numbers that it says could be used by a determined attacker to locate devices giving access to internal CIA network space. "War dialing is a common threat to many organizations nowadays," writes Matta.

"So can a phone book," Lindstrom says. "Collecting all of this information and neatly packaging it just makes it easier for crackpots. If you don't think China already has this information, you're nuts."

Gartner security analyst John Pescatore disagrees. "They found a lot of information, a little here and there, and a hacker can call help desks and use what they learned to act like trusted insiders."

"Information security is all about retaining accountability and control over data," McNab says. "Whether we are talking about floor plans, telephone directories, R&D project documents, this is all potentially sensitive information and should be correctly classified and protected."
