Information seeping out of your Web browser could provide a gold mine for hackers doing reconnaissance for targeted attacks.
At the ToorCon Seattle (beta) conference, Web application security specialist Robert Hansen (RSnake) demoed Mr-T (Master Recon-Tool), a new utility that combines information disclosure flaws in Internet Explorer and Firefox to collect information on a target's computer system.
For a basic idea of the kinds of information your browser is willingly coughing up, click on this link and you'll see a snapshot of your machine, including the browser version, the add-ons installed and enabled, your ISP hostname, a list of previously visited Web sites and, in some instances, your Gmail address.
Mr. T combines all that into one place so that you can gather a great deal of client based info through a single XSS hole. Then by taking the DOM and dumping it into a form that you submit to a logging server, you can know pretty much everything you want to know about breaking into the machine in question.
Earlier this year at Black Hat DC, Errata Security's Robert Graham released Ferret, a souped-up sniffer that gathers all the benign data that seeps out when you turn on your computer. For example, even before your machine fully boots up, it is already broadcasting the list of Wi-Fi access-points you've got cached on your computer, the previous IP address you used (requested by DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS request) you want connections to.
Combine the data from Ferret with a reconnaissance tool like Mr-T and you can get a basic idea of the data your machine is broadcasting to the world.
Another tool I saw recently that fits into this data profiling realm is Evolution, a data correlation/search utility written by South African hacker Roelof Temmingh. Evolution, which is currently in beta, provides an interface to connect publicly available data.
The idea behind Evolution fits into the Mr-T/Ferret concept because you can basically type in a person's name into the search interface and see how that name connects to domain names, IP addresses, telephone numbers and other things of interest to an attacker.
When I chatted with Temmingh at CanSecWest earlier this year, he was positioning Evolution as a forensics tool for law enforcement and other investigators but, anyone with access to a database of valuable information (think about Ferret's output) can build out a fairly solid profile of a target.
Once you know what's running on your target's machine, the types of sites he visits, the company he keeps (say, MySpace or LinkedIn connections), you can easily prepare an attack.
What's even more scary is there's very little you can do about it.