electricfork

Covert Crawling Web 2.0

Posted Aug 16, 11:38 AM by ben

Back in 2006 I saw Billy Hoffman give a talk on an app he did up to emulate user/browser experience to covertly allow crawling a website. (wired article or mp4 of the talk)

This was neat and I had a few tangent thoughts on the way into work. If this sort of technology was extended to be aware of specific website interfaces we could do some neat things.

Social networking sites, for instance. We could create a mapping of trust relationships based on crawling through the site. MySpace would be pretty easy. You could also find users over a certain age that have an excessive amount of other-aged friends. Hello, Dateline.

Even neater still would be to extend it to linkedin.com. What a pile of recon information that is! Not only can you create groups of individuals (potentially even a pseudo org chart) who work at a target company, but you can also create counts of other organizations linked to that group, creating thresholds that can define specific partners of that target. Lots of Oracle sales reps linked in with the target company's IT department teams? Hrm, must be an Oracle shop.

If you’re patient you can do this over time too. Sudden influx of a security vendor being linked in through IT? Maybe they had an incident? Or maybe they just bought a new whiz-bang product and are currently deploying it. Wonder what that Sales Engineer specializes in that just linked up with half their IT? Oh, it says it in his bio.

Just food for thought.



Comment

  1. A few sites popped up recently that help ‘step one’ – note the trend relying on linkedin?

    http://www.spock.com/

    http://www.wink.com/

    http://www.pipl.com/

    Grant · Aug 17, 06:33 PM · #


Creative Commons License
This work by http://electricfork.com is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.


I lead an information security ops and response team. This site is a collection of interesting notes and brainstorms on the protecting from, detecting of, and responding to badness. You can read more about me or my site here.


I organize a small infosec meetup in baltimore called charmsec. If you are looking for charmsec details you probably want to go here.


:: © 2002-2008