Small introduction
Many believe that information technologies drive business: warehouse management, logistics management, forecasting, situational modeling, risk assessment, system dynamics, etc. But for the most part business is governed by information confrontation. Of two companies producing the same product, the winner is not the one that does the job better, but the one that wins the tender. That is, what matters is not how well and efficiently you produce goods, but how well you use the information you receive. If a competent leader has received the correct information and that information has been properly prepared, then elaborate analytics is not needed. He holds all the necessary information in his hands.
In most cases, information leaks are caused by internal threats: inattentive employees or disorganized and careless data storage. And if there is a leak, there are people who specialize in finding it. Specialists in this field have to browse hundreds of resources a day and find the necessary data without resorting to illegal hacking. A good information search specialist needs a week to get all the necessary information about a company. The process of finding such information is called competitive intelligence. Competitive intelligence is the collection and processing of data from various sources for the development of management decisions to increase the competitiveness of a commercial organization, carried out within the framework of the law and in compliance with ethical standards (as opposed to industrial espionage). It is important that this method of obtaining data is absolutely legal. The specialist in this field does not hack any sites and does not obtain this information through any other criminal offense. The very fact that a company made a “blunder” in protecting its confidential information, and someone obtained it, is not illegal.
So, we will consider several methods of obtaining such information:
Technique 1
The telltale sign of confidential information is the very presence of the word "confidential". Its classification marking is a telltale sign too: "For official use only".
If you do not want secret information to be found, do not attract attention to it.
Let's see whether we adequately protect our confidential information. Open the browser. We launch Google and check whether any documents marked for official use have leaked on the website of the Tambov State Institution: 392 results.
The site: command restricts the search to a single site address. To find specific information, write it in quotes: "For official use"
Technique 2
“Confidential, Confidential”
How do you pick out what matters from the heap of files found? The HTTPS protocol. It was invented for exchange between trusted partners, who exchange certificates. That is, https in a document's address becomes a telltale sign of especially important documents.
Documents with the "Confidential" marking become a telltale sign. No company carries out routine checks of the confidentiality of its information. Many companies do not know that they have a leak, simply because they did not check. And even if a company has started to conduct periodic inspections, it does not mean that its partners do not have a leak.
Technique 3
"Secret"
There are other markings: Top Secret, top secret, etc.
None of us thinks about the fact that a search engine indexes not only the text of a document, but also the properties of that document. If it is an office document, it also contains buffers that were used previously.
Rule: check whether you have documents with the "Confidential" marking that Google or Yandex can see.
Technique 4
The next files we need are marked documents in xls format. Why? Excel encourages a person to compile all the available information in one place, confidential and not so confidential. Such files may contain customer lists with their addresses, phone numbers and special notes. In general, a very good gift for competitors.
The leading search engines behave like spies. They crawl into the sections that we consider confidential.
Let's check:
Files appear. If we open their saved copy, we will find a lot of interesting information. That is, xls is a gift of fate for hackers.
Technique 5
Search for documents in DOC format. Why? If a document is ready for prying eyes, it will be in PDF format. If the document is still not finished, it will most likely be saved in DOC format.
We are looking for documents in the DOC format on a given target resource.
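The rule from Technique 3 can be applied to your own published files before a search engine applies it for you. The following is an added example (not from the original article or the seminar): it walks a web root, flags the working formats from Techniques 4 and 5, and searches file text and OOXML document properties for the markings named above. The marking list, function names and sample files are assumptions constructed for the demo.

```python
import re, tempfile, zipfile
from pathlib import Path

# Markings named in the article; extend with your organisation's own labels (assumption).
MARKINGS = re.compile(r"for official use|confidential|top secret|secret", re.I)
DRAFT_EXTS = {".doc", ".docx", ".xls", ".xlsx"}  # working formats, Techniques 4 and 5

def extract_text(path: Path) -> str:
    """Searchable text: every XML part of an OOXML file, otherwise the raw bytes."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            # Includes docProps/core.xml and docProps/app.xml (document properties).
            return " ".join(z.read(n).decode("utf-8", "ignore")
                            for n in z.namelist() if n.endswith(".xml"))
    return path.read_bytes().decode("latin-1")

def audit(webroot: Path):
    """Return [(relative path, reasons)] for published files that look sensitive."""
    findings = []
    for p in sorted(webroot.rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        if p.suffix.lower() in DRAFT_EXTS:
            reasons.append("working format")
        m = MARKINGS.search(extract_text(p))
        if m:
            reasons.append(f"marking: {m.group(0).lower()}")
        if reasons:
            findings.append((p.relative_to(webroot).as_posix(), reasons))
    return findings

def demo():
    """Build a constructed sample web root and audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "files").mkdir()
        (root / "files/clients.xls").write_bytes(b"\xd0\xcf\x11\xe0 name;phone")
        with zipfile.ZipFile(root / "files/plan.docx", "w") as z:
            z.writestr("word/document.xml", "<w:t>Quarterly plan</w:t>")
            z.writestr("docProps/core.xml", "<dc:title>Confidential draft</dc:title>")
        (root / "files/memo.pdf").write_bytes(b"%PDF-1.4 For official use only")
        return audit(root)

if __name__ == "__main__":
    for path, reasons in demo():
        print(path, reasons)
```

The raw-byte search misses text inside compressed PDF streams and UTF-16 text in legacy binary .doc/.xls files, so treat a clean result for those formats as "not checked" rather than "safe".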
Technique 6
Try to find the entire FTP server.
Very often the company leaves it open. Try entering the address:
ftp.xxx.ru
Technique 7
Guess names
Whenever you look through a file, try to remember its address. The number 1711 in the picture shows that we have 1711 files available. By changing these numbers, you can open other files.
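On the defending side, the name guessing described in Technique 7 shows up in web server logs as one client requesting consecutive numeric file names. The following is an added detection example (not from the original article): the log lines are constructed, and the URL layout, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in combined-log style; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /files/1711.doc HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /files/1712.doc HTTP/1.1" 200 4096
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /files/1713.doc HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /files/1714.doc HTTP/1.1" 200 7000
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "GET /files/1711.doc HTTP/1.1" 200 5120
198.51.100.20 - - [10/Mar/2024:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 900
"""

# client, URL prefix, trailing number, optional extension, status code
LINE = re.compile(r'^(\S+) .*?"GET (\S*?)(\d+)(\.\w+)? HTTP[^"]*" (\d{3})')

def find_enumeration(log_text, min_run=3):
    """Return {(client, url_template): [ids]} for clients that requested
    at least min_run consecutive numeric IDs under the same URL template."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            client, prefix, num, ext, _status = m.groups()
            seen[(client, f"{prefix}{{id}}{ext or ''}")].add(int(num))
    hits = {}
    for key, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1   # extend or reset the streak
            best = max(best, run)
        if best >= min_run:
            hits[key] = ordered
    return hits

if __name__ == "__main__":
    for (client, template), ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{client} walked {template}: {ids}")
```

Detection only tells you the walk happened; the fix is to stop serving non-public files under guessable names, or to require authorization for each file.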
Note
Article 29, part 4 of the Constitution of RF: “Everyone has the right to freely seek, receive, transmit, produce and disseminate information.” But even in spite of this, any company about which you obtain data will assume that you obtained it illegally and will try to deal with you by pre-trial methods.
If we hunt for a state secret of a country, then we are breaking the law. Punishment will follow immediately. If what has fallen into our hands is not a state secret and we haven’t used expensive, depreciated methods, then it’s difficult to challenge the wrongness of our actions. Previously, there was even an article stating that if information was obtained using public methods, you can forget about it being a trade secret. It is impossible to bring any claims against those who obtained this information. You can really break the law if you use trojans or pick a password, or if you use the information incorrectly, to someone's detriment. Then you really do break the law and face punishment.
From all this it follows that you always need to be careful, even if you consider your actions lawful.
In the creation of the article, notes from the seminar “Hack in 60 seconds” were used (A. Masalovich).