Black Hat hears of data leak dangers

The biggest threat to your personal and professional security may be the information that your computer is already transmitting to the world around you.

Data leakage might be a hot topic, given the list of high-profile incidents reported by businesses such as TJX Companies -- through which reams of detailed consumer records have been exposed -- but most people are already broadcasting enough information from their laptops to allow hackers to aim targeted attacks at their devices and corporate networks, according to security researchers.

In a presentation at the ongoing Black Hat DC 2007 conference being held in Washington, DC, from Feb. 28 to Mar. 1, experts with Atlanta-based services provider Errata Security outlined a trend they've labeled as "data seepage."

The concept is based on the idea that people using Wi-Fi systems to connect their computers to the Web in public settings such as airport lounges or coffee shops are handing out enough personal clues to give attackers plenty of ammunition to make them the target of their malware or hacks.

Using a software application they have designed dubbed Ferret, Errata chief executive Robert Graham and chief technology officer Dave Maynor demonstrated how easy it is to intercept seemingly innocuous information from people's devices as they connect to the Internet. They can then take that data to create a detailed profile of the individual, their Web usage, and even their employers' IT networks.

During the course of their presentation, the security experts were even able to use Ferret to intercept an e-mail sent to a reporter working in another conference session that included one of her applications' passwords.

Whenever a user connects to the Web via Wi-Fi, or even if their laptop's wireless systems are merely left turned on, someone using such a so-called sniffing tool can garner data about where the user has traveled, what type of operating system or applications they use, and who they may work for, Graham said.

For instance, the expert said that while sitting in airlines' business customer lounges it's not hard to look at details offered up freely by the machines of other travelers using Wi-Fi.

In doing so, Ferret can detect what hotspots the person has been through, giving an idea of their physical location; determine what e-mail servers or IM systems they attempt to access, lending an idea of their software and potentially their employer; and even scoop their IM contacts to determine who they communicate with.

"With seepage, we're talking about the distribution information that you actually mean to broadcast but which hackers can take and exploit for their own needs," Graham said. "All you have to do is turn on your computer and we can tell a lot about you."

For instance, computers made by Apple offer up details of what operating system someone is using when they turn their machines on or access Wi-Fi. If captured by a hacker, this could allow them to target specific malware attacks at the individual based on any known vulnerabilities in their version of the OS.