Small Business Attack – Web Disclosure
One of the flaws on a legacy server at the Iowa State University Cyber Defense Competition resulted in granting me the ability to scan the entire web directory. Normally, you’d think “What’s the big deal”, right? After all, the whole point of having a web server is to share it with the world.
In the case of the competition, some very private data was stored on the site. Sure, it was protected, but since there was the flaw that let me scan the system, it was easy enough to circumvent security restrictions and download the files I wanted. After all, I knew exactly where to look.
In the industry, we call this a “data leak”. Typically, it’s when private data somehow wanders across a boundary to the public world and someone on the outside finds it. This used to be primarily done via email or disk, but increasingly it occurs through the Web. As we combine web-based technologies into both extranets and intranets, the chance increases that something from the internal intranet world will cross over into the external extranet world.
Of course, it should be simple, right? Just keep the private stuff private… well, sorta. It turns out, not all information falls cleanly into “public” and “private” categories. Increasingly, attackers target private data, but if they can’t get it, they can leverage sorta-private data against sorta-public data. By finding, for example, the names of your board members on a public website, their mother’s maiden names from a genealogy site, and their personal associations from a search engine, an attacker is in the perfect position to start taking over accounts and working towards that more private data… and that’s just with purely public information.