*psst* hey buddy, wanna buy an internal address map?
Posted by: Brent York
on Jun 12, 2009
Welcome back, in this blog post we're going to cover information disclosure vulnerabilities from a couple of different angles. This is the third post in the security blog series that I've been writing. For the previous one, click here.
In this day and age a company lives and dies on the information it holds. If your information isn't safe, then your company isn't safe in many respects. Information disclosure can range from something as benign as giving away a list of services listening on ports on one of your machines, to something less benign such as the internal addressing map for your network, and at worst to the release of your intellectual property or your trade secrets.
Protecting your information from the outside is no more important than protecting it from the inside. Your employees naturally have more access to data than your customers or people who are just hitting your network on allowed ingress points. While it's nice to think you can trust your employees implicitly, it's just good practice to eliminate the potential of something going sour and some of your important confidential information leaking out into the general public or into your competitors' hands. Not to mention the information these employees might have in their heads about the structure of your network or the machines and services running on it.
Useful information can come in many forms. For instance:
- Intellectual property
- Trade secrets
- Software source code
- Configuration files
- Network layout documents
- Employee lists
- Contact lists
- Payroll schedules
- Credit card information
- Accounting information
Some of these things seem fairly benign in and of themselves (employee and contact lists for example). "Seem" being the appropriate word here. For example, I can remember many moons ago that several of us in the organization got a call from someone who was offering jobs. These calls came to our work phones and were from a headhunter. I remember the conversation well, the man was persistent... He wasn't as persistent as I am however, and he didn't get me to take his offer. This sort of thing happens all the time, and the attack vector used is commonly the company directory found on many phone answering systems.
Now I can understand why that example might not make most of you rush out and turn off the auto-attendants on your phone systems. But this is a solid example of risk management, where the company owners weigh the risk of possibly losing their employees to headhunters against the benefit of having a company directory that makes those employees considerably easier for legitimate customers to reach. It's important to note here that a company directory doesn't seem like useful information to you, but to the person exploiting it, it's rather useful information. This is why risk management is hard: people tend to think of the risk based on what they know, instead of looking at it from the angle of "how could someone use this against me?".
So let's look at a completely different and more nefarious scenario, then:
The phone rings... It's rung about 20 times this morning alone, thought Don as he picked up the receiver and swallowed a half-chewed bite of his sandwich, obviously annoyed. He hated being bothered when he was in the middle of doing his work, but what he really hated was being annoyed while he was working through lunch.
"Fantastic Widget co, Don here, what can I do for you?"
"Hey Don, it's the new guy Mike from our satellite office in Halifax... I've been told I have to get up to speed on the code for our new super widget, and I was wondering if maybe you could point me in the right direction regarding how to obtain it?"
"Why didn't you ask one of our guys in Halifax?"
"Well, you know, it's lunchtime and they all went out somewhere, I'm a bit of a loner and I didn't feel like eating out so I thought I'd stay in, nuke something and eat while I hacked away on the code. My boss Steve told me to get in touch with you, I guess he's your boss too huh?"
Finally, someone with initiative, Don thought as he sighed a sigh of relief.
"Yep, my boss too. OK, so have you got Subversion installed?"
"Nope, but I can install it pretty quick, and Steve said you could add me an account. Perhaps you could do that now and give me the credentials over the phone?"
"Sure. Just give me a second or two..."
Don opened up a shell to the UNIX box and added "mike" as a user, then read the username and password to Mike over the phone and gave him the URL for the Subversion tree.
"Thanks dude, hey, if you're ever in town remind me to take you out for a beer."
"Sure thing... if you can stand a loner as company."
"No problem, we'll sit at separate tables," said Mike, and let out a short laugh.
"Later days dude."
"Later days."
Then he hung up.
Meanwhile Jason, having just gotten off the phone with some dunce at Fantastic Widget co, was smiling from ear to ear. "Wow, that was easier than I expected," he said to his cohort Mark, who was accessing the Subversion repository and hauling down the code for Fantastic Widget co's latest and greatest widgets. "This is gonna shave months off our development time, guys."
A nightmare, isn't it? Now imagine for a second it happened to you.
Let me tell you, this sort of thing happens more often than you think. It even happens to some very big names such as Microsoft. In our scenario, a company's entire intellectual property was stolen... Often it's not nearly that severe, but this little scenario, along with a real-life example, drives the point home nicely. This scenario is obviously bad, and by that I mean it's outright horrifying to think about if you're in business and the owner of intellectual property. But what if the information gleaned doesn't appear immediately vital to your business? Then the risk falls into a greyer area, and it's harder to convince someone that the information being disclosed can be used against your company.
For example, a network or port map comes in very handy in a penetration test because it tells me what's behind the machines that I can access. It also tells me what I may be able to reach through certain applications on those machines, and thus which other machines I can touch, and at best which other machines I might get the chance to attack should I manage to compromise the externally reachable ones.
Configuration files are also helpful because they show me where the configuration of the various devices and services I can reach may be security deficient :).
Employee lists, on the other hand, come in seriously useful for things like social engineering attacks. When you start name-dropping, it can calm people's nervousness way down. This in turn allows you to schmooze a little and make buddy-buddy, and you're more likely to have your story bought and to get at least some of whatever you were after.
Now, it's important to note that people don't give out information because they're dunces. They give it out because they're complacent. They give it out because they're not trained to be skeptical. They give it out because we have an innate desire to be helpful to our fellow man, especially if we feel that fellow man to be a kindred spirit. They give it out because there aren't proper policies and procedures in place for handling sensitive data.
Other examples come to mind. Obviously payroll leaks, credit card information, personal employee information, accounting leaks and such can be disastrous to a company as well: if not financially, then at least in morale or in reputation. Generally a loss of morale or reputation equates to a loss of money anyway, because when people aren't confident in your security they're not confident in you, and they won't buy your services.
We as consumers have seen several companies take morale and reputation hits that translated into monetary losses due to credit card leaks. Heck, even governments aren't perfect, and sensitive data gets leaked from time to time. Look how disastrous that is for them (not to mention for the people whose information got leaked).
Remember guys, when the bad guys attack, they're not going to hit one vector or use one technique at a time. We don't either when we do penetration testing for you. That's important to note... if we find something useful while we're penetration testing, we're going to use it to our advantage. This has led to some surprising results I assure you :).
In summation: keep your data private, keep it secure, keep your employees informed, and make sure they're naturally skeptical. Have proper procedures in place so that when something like the above happens, nobody gives away the keys to the car. Get security audits done regularly by third parties, and when they find a data disclosure issue, don't just ignore it. That might just prove to be a very unwise move.
Keep reading, next week it'll be a little more technical :). I promise.