Friday, October 30, 2009

Information disclosure: It's everywhere

You might have seen stickers like this in the back window of some minivan, and maybe you thought it was funny, cute, or stupid, but did you ever think of it as information disclosure? What's the big deal about showing all of your family's names? Glad you asked :). Let me briefly describe something that happens in Mexico and South America: virtual kidnapping extortion. Criminals call your phone, tell you that they have kidnapped your kid (they have the names you graciously provided) and demand that you pay the ransom immediately, when in reality they don't have your kid at all; they simply use the emotional momentum to take advantage of you. This is only one example of how they conduct these activities, and there are many other ways. I'm not trying to scare you, but to make a point about information disclosure: it can be found in the most innocent places, and if you think this can't happen to you, then you're already very vulnerable.

You've also probably seen this:


I couldn't even tell you how many blogs have been hacked because of that (hint: too many). WordPress makes it too easy to break into those sites when new vulnerabilities appear (as they do every other week).

I have seen systems where some employee ID is used as the login credential; that ID is visible while the computer is locked, and it turns out you can call the help desk, give them that ID and the person's name, and they will happily reset the password for you.

Unfortunately there are no rules that I can give you, or that I have ever seen anywhere, to prevent information disclosure. I'm just trying to raise awareness of the risk that comes with having information that bad people can use for malign purposes, both in your systems and in your own life. The only thing I can tell you is that information disclosure really is everywhere: in your comments, in your configuration files, in disclosing the components your app uses and their versions, that user ID, etc., and even in that innocent sticker.
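As an added example that is not part of the original post, here is a small self-audit in Python for the kinds of disclosure just listed: it inspects an HTTP response captured from your own site for version-carrying headers, a WordPress-style generator meta tag and version strings in HTML comments, and produces a scrubbed copy. The sample response is constructed; the `Server` and `X-Powered-By` headers and the generator tag are standard, and it is an assumption that the screenshot above showed the WordPress generator tag.

```python
import re

# Constructed sample response from a hypothetical site (not a real host):
# a version-leaking Server header, X-Powered-By, a WordPress generator tag
# and a build comment, the kinds of disclosure the post warns about.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.14 (Ubuntu)",
    "X-Powered-By": "PHP/5.2.10",
    "Content-Type": "text/html",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 2.8.4" />
<!-- built by ACME CMS build 1.0.3 -->
</head><body><p>Hello</p></body></html>"""

DISCLOSING_HEADERS = {"server", "x-powered-by"}   # headers that name software
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")   # 2.8.4, 5.2.10, ...
META_RE = re.compile(r"<meta\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def _generator_content(tag_attrs: str):
    """Content of a <meta name="generator"> tag (any attribute order), else None."""
    attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag_attrs)}
    return attrs.get("content", "") if attrs.get("name", "").lower() == "generator" else None


def find_disclosures(headers: dict, body: str) -> list:
    """Return (kind, detail) pairs for software/version leaks in a response."""
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS and VERSION_RE.search(value):
            findings.append(("header", f"{name}: {value}"))
    for m in META_RE.finditer(body):
        content = _generator_content(m.group(1))
        if content is not None:
            findings.append(("meta generator", content))
    for m in COMMENT_RE.finditer(body):
        text = m.group(1).strip()
        if VERSION_RE.search(text):
            findings.append(("html comment", text))
    return findings


def scrub(headers: dict, body: str) -> tuple:
    """Hardened copy: drop version headers, generator tags and version comments."""
    clean = {k: v for k, v in headers.items() if k.lower() not in DISCLOSING_HEADERS}
    body = META_RE.sub(lambda m: "" if _generator_content(m.group(1)) is not None else m.group(0), body)
    body = COMMENT_RE.sub(lambda m: "" if VERSION_RE.search(m.group(1)) else m.group(0), body)
    return clean, body
```

Run `find_disclosures(SAMPLE_HEADERS, SAMPLE_BODY)` to list the four leaks in the sample, and `scrub(...)` to see the response with them removed; on a real WordPress site the generator tag itself is suppressed with `remove_action('wp_head', 'wp_generator')` in the theme's functions.php.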

Security does get in the way of usability, and usability gets in the way of security; just give it a second thought and be careful out there.

There is no such thing as a secure system; all you can do is raise the bar a little bit more, and yes, security by obscurity may be your friend sometimes.

2 comments:

Steven said...

Amen brother!

jr said...

That's funny, I just saw one of those stickers on a car today.

It had the male character with 'Cody' as the name underneath. Next to it was a female character with 'Your name goes here' with an arrow.