Owned By Low Risk

Whenever we perform an action, be it; buying a new car, choosing on clothing for the day, sitting at a meeting, or purchasing a set of golf clubs online– we are giving away lots more information about ourselves than we may intend to.  There have been numerous studies on how and why particular car choices reflect personality, and how clothing sells a particular personality, and how one sits in a meeting room reveals how he/she feels about others in the room.  If you’ve ever seen the show lie 2 me, you get a picture of what I mean.  So, the trick then is to ensure that those choices only tell others what we mean them to, or even better if we can tell nothing beyond the individual action taken.  This is a lot harder than it seems.

If we examine the process of buying a set of golf clubs online, how much information do you think was disclosed by the server during that transaction?  Even with developers who are security aware, I can imagine learning things like: function and class naming conventions, potentially what design approach was used, how they identify products, and how they track state.  For the other 98% of developers, my guess is that with a bit of prodding and poking I could easily learn more things like: server type, server diagnostics, local source code paths from exceptions, frameworks used, every function a website supports and how to call them, pages I don’t have access to, default files, server names if on a farm, developer names left in comments, lots of other garbage in comments, development language, third-party components, and just tons of other little juicy bits of information about the website in front of me.  Potentially even knowing more at the end of my testing than the people who actually wrote it.

But oddly that information disclosed is usually considered a low risk by industry standards.  After all, nothing mentioned above can be used on its own right to compromise the system.  Which is why I can really appreciate why we’d refer to it as low risk– I just don’t know if I agree.  Information disclosure may not be directly actionable, but it’s the very teeth which I bite you with.

Take for instance naming conventions and framework usage.  On the surface that seems fairly nominal– but with a bit of tinkering I can (and often do) build a custom word list for looking for directories and pages you might also be hosting.  It’s not that hard to figure out that if you have ViewMyItem.aspx, you may likely have EditMyItem.aspx… even if you never directly show me the page.  In fact it’s fairly common practice that if I know your framework version, to research any known vulnerabilities for it to see if you’ve patched your system.  In extremely serious situations, I might even build a whole local testing environment to see if I can’t find flaws in your framework, third-party dependencies, or even the language used to program the site in.  After all, if you had something really worth my time, I might spend my time to get in.  Lets also not forget those helpful developer names and what might happen with careful social engineering exercises.  LinkedIn is a great way to verify employment 🙂

In every case I can think of, that information I gained is exactly what I’d use to create very sophisticated (read: dangerous) attacks that could harvest a great deal of information (read: major breach).  Still think it’s a low risk?

So what does your website really say about you?  Are you showing me your cards and hoping to hell I wont read them?  Do you even know you are holding cards at all?  While the industry might not be swayed by this post, I don’t think it’s smart to ignore the reality that information disclosure is very dangerous.  Be careful what you say (or don’t) and to who you say it to.  They might be listening.

As a final thought, another approach to information management is lying.  Or creative truth-telling as I am fond to call it.  The only thing more dangerous than a man who reveals only what he intends, is a man who reveals exactly what you are looking for.  But that’s a story for later.


Post a comment or leave a trackback: Trackback URL.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: