Security experts demonstrated today just how effectively determined attackers can use freely and openly available information on the internet to gather intelligence about a target organisation.
Security firm Matta this week released a white paper on internet-based counter intelligence using the CIA as the target. According to the firm, the results were "surprising".
Without using port scans or direct probes of the CIA network, and employing methodologies entirely within the boundaries of UK and US law, Matta was able to "build a clear network map" of the CIA's infrastructure.
'Whois' and DNS requests identified the CIA's global points of presence and listed the domain names and network blocks used by the organisation, namely the CIA.gov, UCIA.gov and ODCI.gov domains.
Domain name system queries, using techniques such as standard forward DNS lookups, zone transfers and reverse DNS sweeping, identified a number of sub-domains, including web servers, mail exchangers, routers, router interfaces and the internal IP addresses of two servers that were present on both the internet and the internal network.
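The defensive counterpart to the finding above, added here as an example that is not part of the article or of Matta's white paper: audit your own externally served zone data for A/AAAA records that point into internal address space, the exposure the DNS sweep uncovered. The zone text and the example.test domain are constructed, and the parser covers common single-line record forms only.

```python
import ipaddress
# Address space that must never be served from a public zone: RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample zone; example.test is a placeholder, not a real domain.
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA  ns1 hostmaster 2024010101 3600 900 604800 300
www      IN A    198.51.100.10   ; public address, fine
intranet IN A    10.1.2.3        ; internal address leaked to the world
build    300 IN A 192.168.50.7   ; internal, record with explicit TTL
lab      IN AAAA fd12:3456::1    ; unique-local IPv6, internal
"""

def parse_zone(text):
    """Yield (fqdn, rtype, rdata) per record. Handles $ORIGIN, '@', relative
    owner names, optional TTL/class fields and ';' comments (no multi-line records)."""
    origin = "."
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0].startswith("$"):            # $ORIGIN / $TTL directives
            origin = fields[1] if fields[0] == "$ORIGIN" else origin
            continue
        name = fields.pop(0)
        # Qualify the owner name: '@' is the origin, relative names get it appended.
        name = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                        # drop optional TTL and class
        if len(fields) >= 2:
            yield name, fields[0].upper(), " ".join(fields[1:])

def find_leaked_internal_addresses(text):
    """Return [(fqdn, address)] for A/AAAA records inside INTERNAL_NETS."""
    leaks = []
    for name, rtype, rdata in parse_zone(text):
        if rtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue                             # malformed rdata: a syntax checker's job
        if any(addr in net for net in INTERNAL_NETS):
            leaks.append((name, str(addr)))
    return leaks
```

Run it against the zone files you actually serve externally; any hit is a record to move to an internal-only view or delete.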
Matta was able to conclude that the mail and DNS server ran Solaris and that the organisation was using a Cisco 4000 series router.
Web server analysis tools available at Netcraft.com allowed the 'attackers' to work out that CIA.gov and ODCI.gov were running Netscape Enterprise 4.1 on Solaris 8. Netcraft can also identify other web servers on the same network block.
A simple search on Google allowed the 'intruders' to gather details of a number of CIA personnel, office locations and telephone numbers.
"It was the case that many government and military websites used to publicly present sensitive information regarding networks and operations, which was addressed by the National Security Agency and other agencies in a joint effort to remove sensitive content from publicly accessible web servers," claimed the report.
The telephone numbers harvested in this fashion "can be used by a determined attacker to locate devices that may allow for access to internal CIA network space. 'War dialling' is a common threat to many organisations nowadays. As internet-based security is improved, other routes to sensitive information are followed," it said.
Matta explained that responses from bogus emails sent to non-existent users at the organisation could also provide valuable insights into internal network structure.
From these open and freely available sources Matta was able to build a clear network map of the organisation.
"The information is probably not entirely correct, as we are not authorised to perform network scanning and probing to verify the existence and accessibility of specific hosts and networks," explained the white paper. "However, it should certainly be an eye opener to the open source information that can be used to map networks and perform counter intelligence."
Chris McNab, technical director at Matta, said: "The results were interesting as we managed to map a lot of their network space that we shouldn't have been able to through misconfigured DNS and mail servers.
"It should be noted that at no point did we port scan or directly probe CIA internet-based networks, as all of our intelligence was gathered using open sources.
"If Matta had been authorised to launch a determined attack, encompassing network scanning and aggressive probing of the CIA's infrastructure, more information would have been gleaned."
The full white paper is available from Matta.