Information Leakage
Contents
3) Types of Information Leakage. 4
- a) Electronic Mail 8
- b) Hard Copy. 9
- c) Improper Configuration of Security Systems. 9
- i) Network and System Firewalls. 9
- ii) Intrusion Detection / Prevention Systems. 10
- iv) Improper Programming Techniques. 11
- d) Laptops and Smartphones. 11
- e) Backup Storage. 12
- f) Social Engineering. 12
1) Introduction
Cyber security managers today face numerous threats ranging from social engineering to denial of service attacks. These threats rely on specific vulnerabilities that may exist in an organization’s applications, networks, or policies. When such vulnerability is exploited, an intruder can have access to company resources including but not limited to customer information, financial secrets, private information regarding employees, and future contracts. Due to the fact that most businesses today are working towards a World Wide Web presence, vulnerabilities in their websites and smartphone applications count towards a massive number of attacks. With new website development technologies appearing on horizon in fast pace, proper training and code review are becoming more critical.
In first quarter of 2013, 86% of all websites tested by web application security company WhiteHat Sentinel had at least one serious weakness (Website Security Statistics Report, 2013). WhiteHat researchers claim that Information Leakage was responsible for 55% of those websites vulnerable to cyber-attacks. Cross-Site Scripting (XSS) was second in place and affected 53% of websites. WhiteHat researchers explain that respective organizations took an average of 193 days from first notification to resolve these vulnerabilities.
2) Information Leakage
Information Leakage has been top cyber security vulnerability on WhiteHat Security charts since 2010. Robert Auger at Web Application Security Consortium defines Information Leakage as “an application weakness where an application reveals sensitive data, such as technical details of the web application, environment, or user-specific data.” The Open Web Application Project (OWASP) explains that Information Leakage can reveal system data or debugging information that can help an adversary learn about the system and formulate a plan of attack (The Open Web Application Security Project, 2013). This information could be leaked to system output or a debugging function. A more general definition of Information Leakage is revelation of data by a closed system to otherwise unintended parties. This sensitive data leaked by otherwise secure system can be used by an intruder to attack that system and its users. Information Leakage can also be intentionally performed by an angry employee in form of leaked documents and/or credentials.
Information Leakage itself can give birth to a large number of vulnerabilities. An intruder can use leaked information to prepare for a denial of service attack. Such information can also be used to steal administrative accounts and attack the network from within. It is Information Leakage that has been present since before World Wide Web era. It is a wide spread knowledge that telephone lines could be vulnerable to information leakage if not coated well. Columbia University Researchers claim that many cryptographic and compression systems used today can be vulnerable to Information Leakage by side channel attacks (Demme, Martin, Waksman, & Sethumadhavan, 2012). They continue to explain that there are no all-inclusive methodologies for understanding Information Leakage. According to InfoWatch, more than 500 million dollars were spent by companies in efforts to neutralize consequences of Information Leakage (InfoWatch Research Center, 2012). InfoWatch claims that in year 2012 more than 1.8 billion records were leaked comprising of financial and personally classifiable data. Leaked patient information or financial documents can result in financial and legal penalties. Due to these factors, I chose to write about Information Leakage.
3) Types of Information Leakage
Cyber security managers need to understand information leakage types and classification of information being leaked. Following tables categorize information leakage based on InfoWatch statistics.
| **Type of leakage** | **2011** | **2012** |
| **Intentional** | 42% | 46% |
| **Accidental** | 43% | 38% |
| **Unspecified** | 15% | 16% |
| **Type of data** | **Percentage** |
| **Personal Data** | 89.455 |
| **Commercial secret** | 6.0% |
| **State Secret** | 4.1% |
| **Unspecified** | 0.5% |
While intentional and accidental threats are close in numbers, organizations at risk of intentional leak of information can face severe consequences. There can be variable motivations behind intentional information leakage. According to 2012 Data Breach Investigations Report by Verizon, 96% of data breaches reported were motivated by financial or personal gain. Of all data breaches reported, mere 3% reflected disagreement or protest, 2% were motivated by curiosity, and 1% held personal offense against the target (Verizon RISK Team, 2012). Channels behind information leakage range from World Wide Web exploitation to printed documents.
i) Internal Agents
Information Leakage caused by an internal agent can have large impact on an organization’s reputation. These insiders can include temporary, recently terminated (still maintains some form of access), and disgruntled long-term employees. Insider agents also include executives, independent contractors, interns, and internal infrastructure. Insider agents are usually trusted and privileged. They can be motivated by financial or personal gain; for example achieving a promotion by making existing senior systems administrator look incompetent. Resentful employees can use many mediums to perform information leak. Some of the means used for information leakage by internal agents include instant messaging, email, and fax.
USSS/CERT study released in 2005 detailed internal insider threats and provided a scenario:
“An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employer’s computer network. Three weeks following his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the company’s web pages, changing text and inserting pornographic images. He also sent each of the company’s customers an email message advising that the website had been hacked. Each email message also contained that customer’s usernames and passwords for the website” (Michelle Keeney, Kowalski, Moore, Shimeall, & Rogers, 2005).
Another example of intentional information leakage came from Osceola County, Florida. An ER employee at Florida Hospital Celebration Health sold more than 700,000 patient records (Narisi, 2012). While it took the hospital and law enforcement agencies two years to catch the criminal, patient privacy was at stake.
ii) External Agents
Verizon Risk Team’s report claims that 98% of information leakage incidents were caused by external agents. Intentional information leaks performed by external agents include stolen devices, documents, breaches in form of hacking, and social engineering. External agents include former employees, hackers, competitors, criminal organizations, and often government entities (Verizon RISK Team, 2012). While not always applicable, outside agents also include natural events such as earthquakes and tsunamis. Earlier this year thieves stole a laptop containing medical records and personally identifiable information of 10,300 Indiana University Health Arnet Hospital patients (Walker, 2008). Walker reports that the stolen laptop was unencrypted but password protected.
b) Accidental Leaks
Similar to intentional leaks, accidental leaks can also occur due to oversight by internal agents. External agents can use this as an opportunity to attack target systems. According to InfoWatch, accidents accounted for 38% of total data leak last year (InfoWatch Research Center, 2012). Information Leakage can occur due to unnecessary details revealed by system data or debugging information. This leaked information can be found in system output and/or in a logging function. For example, comments left without proper sanitization can provide intruder with important piece of information. WASC provides an excellent example of information leakage through HTML comments:
*
* <!–If the image files fail to load, check/restart 192.168.0.110 –>*
*
*
Improper comment left by a developer in this snippet of code provides an internal IP address (Auger, 2013). This can lead to severe consequences including brute-forcing and denial of service attacks against given server address. Information leakage can also occur due to improper configuration. Using Nmap, a stealthy port scanner, an intruder can identify open ports on target systems (Bennieston, 2013). This will help the intruder create a plan of attack. An example of such port scan is as provided by Bennieston as shown below:
* [chaos]# nmap -sS -A 10.0.0.2*
* Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-07-14 14:26 BST*
* Interesting ports on 10.0.0.2:*
* (The 1671 ports scanned but not shown below are in state: closed)*
* PORT STATE SERVICE VERSION*
* 80/tcp open http Boa HTTPd 0.94.11*
* MAC Address: 00:0F:B5:96:38:5D (Netgear)*
* Device type: general purpose*
* Running: Linux 2.4.X|2.5.X*
* OS details: Linux 2.4.0 – 2.5.20*
* Uptime 14.141 days (since Fri Jun 30 11:03:05 2006)*
* Nmap finished: 1 IP address (1 host up) scanned in 9.636 seconds*
Improper error handling techniques can provide attackers with plethora of critical information. During information gathering stages, hackers can use improper error handling to their benefit by providing unsuitable input e.g. wrong credentials. Following code provided by OWASP provides an example of improper error handling:
try { …
* } catch (Exception e) {*
* e.printStackTrace();*
* }*
Exception stack trace printed by this code snippet can provide the intruder with details about what went wrong. Depending on how the system is configured, the output can be found in system output or log files. Example above could provide the intruders with information about SQL injection vulnerabilities. If this exception was caught in a search box, the search path could provide the attacker with information about the operating system or the applications installed on the system (The Open Web Application Security Project, 2013).
4) Exploitation Channels
Both code snippets provided above not only outline oversights by internal agents but also exemplify how external agents can exploit them. Following paragraphs will provide insights on how information leakage vulnerabilities are exploited and steps an organization can take to patch them.
a) Electronic Mail
Employees often use electronic mail (E-Mail) and web mail applications provided with company devices to share information. This sharing of information can be useful when different employees or departments are working on collaborative projects. On the other hand, resentful employees can use these channels to funnel important documents outside the organization. According to InfoWatch, 6.3% of information leaks that occurred last year were funneled through E-mail (InfoWatch Research Center, 2012). Accidental leaks can also happen through email messages sent to unintended recipients.
To prevent Information Leakage through E-mail, all sensitive data can be encrypted. Strict security policies can be implemented to require all external emails be encrypted and sent through secure channels. Data Loss Prevention (DLP) extension provided with major email clients including Microsoft Exchange and Outlook can help decrease amount of leaks. These systems use set of conditions, rules, and actions created by systems administrators to filter email messages (Exchange Online, 2013). Employee training and security awareness campaigns can help minimize the number of offenses.
b) Hard Copy
InfoWatch statistics show hard copy being utilized for 22.3% of all information leaks. While this channel does not directly come under a cyber-security manager’s jurisdiction, it is important to implement policies that minimize its effects. Access control policies that limit unintended access to information can help reduce accidental and intentional leaks. Printed documents that are not needed anymore should be shredded in a proper way.
c) Improper Configuration of Security Systems
As shown in figure 2, improperly configured systems make an organization’s network vulnerable to attacks. Unnecessary open ports on firewalls and weak network encryption are all threats to cyber security. Vulnerability and open port scanners e.g. Nmap and Nessus can be used to detect existing vulnerabilities (Stamp, 2010). Once a network administrator is aware of vulnerabilities in the network, proper steps can be taken to resolve or at least minimize those vulnerabilities. Following paragraphs explain steps that can be taken to patch vulnerabilities found in computer networks.
i) Network and System Firewalls
Firewalls can help keep unwanted traffic out of the network and operating system. Firewalls are especially important to keep security infrastructure related information from leaking outside the network. While most operating systems today come with a firewall installed, it is almost always recommended to have network firewalls in place (Stamp, 2010). Unnecessary firewall ports must be closed and open ports may be audited on regular basis.
ii) Intrusion Detection / Prevention Systems
Intrusion detection and/or prevention systems (IDPS) can help keep intruders outside network. Intrusion detection systems monitor events that occur in a system or a network and analyze these events for possible intrusions (Stamp, 2010). IDPS systems can not only prevent exploitation of existing vulnerabilities, these systems can also help prevent violations of information security policies. For example, uses of peer-to-peer networks will trigger a response by intrusion prevention system and such applications will be blocked. An alert will also be sent to systems or network administrators with the time of the event and often hostname of the offending machine (Stamp, 2010). To prevent brute force attacks against known usernames, IPS can slow down the intruder by locking the account or by denying the traffic coming from offending IP addresses.
iii) Malicious Software
Anti-virus and anti-malware applications can be used to avoid infections by malicious programs downloaded over the internet. Malicious programs (malware) usually come as an innocent looking file, through email or an internet download. Upon execution, the malicious code takes control of the system or resources and operates in its way (Stamp, 2010). When it is down executing malicious code, the application returns to normal mode hence keeping the user in dark about infections. Some types of malware, including spyware, are responsible for information leakage. While working in stealth mode, they can catch logon credentials, important documents, and can reroute traffic to malicious domain name servers (Paul, 2012).
Stealth nature of some malware makes it difficult to find infections in operating systems. Key loggers for example can hide under a word processor while capturing key strokes (Stamp, 2010). This is why researchers suggest use of anti-virus and anti-malware programs as much as possible (Stamp, 2010). Such security software can be included with IDPS systems to help keep malicious software outside the network. E-mail servers should also include security software so that E-mails can be sanitized before being sent to others.
iv) Improper Programming Techniques
As shown in figures 1 and 3, improper programming techniques can have devastating effects on an organization’s network. To prevent such mistakes, security awareness should become top priority. An organization’s software developers need to be on same page when it comes to programming techniques and error handling (The Open Web Application Security Project, 2013). Detailed error logs should either be limited or disabled. Wait times between occurrences of the exceptions and information logged in error files can help minimize information leakage. Web servers and database management systems might return well known error messages. Proper access controls and error log sanitization techniques can prevent a successful footprinting (exploration) being done by the hacker. OWASP also suggests that a default error handler be written to output status 200 (OK) to prevent information leakage through web servers. Though this is security through obscurity, it may provide an extra layer of protection against information leakage (The Open Web Application Security Project, 2013).
d) Laptops and Smartphones
According to InfoWatch, stolen laptops and smartphones were responsible for 9.6% of information leakage incidents (InfoWatch Research Center, 2012). This does not account for incidents where the device was considered lost, hence no confirmation of information leakage. Storage encryption and geo-location modules can help prevent such information leakage.
e) Backup Storage
Information leakage from backup storage accounted for 13.3% of information leakage last year (InfoWatch Research Center, 2012). Such large number of theft from backup storage suggests that information technology teams are not paying sufficient attention towards securing backups. While it can be easier to steal back up data than operational data, encryption techniques can prevent information leakage. Moreover, physical security of backup storage is vital and should not be overlooked (InfoWatch Research Center, 2012).
f) Social Engineering
During year 2012, social engineering accounted for 20% of data breaches in larger organizations (Verizon RISK Team, 2012). This includes masquerading trusted websites and email senders (phishing) and fake helpdesk phone calls (vishing) (Stamp, 2010). Security awareness campaigns can help keep social engineers from being successful in performing data breaches.
5) Conclusion
Cyber security managers have a large number of tools on their disposal that can help prevent information leakage. Cyber security managers should stay proactive in the organization to keep security technologies and practices up to date. While there are new information security tools coming to market every day, number of malicious software and attacks is also on the rise. Information leakage can sometimes be inevitable. It can however be minimized with use of user training, policy making, and up to date security software.
Works Cited
(2013). Website Security Statistics Report. Santa Carla: WhiteHat Security.
Auger, R. (2013, 10 18). Information Leakage. Retrieved from The Web Application Security Consortium: http://projects.webappsec.org/w/page/13246936/Information Leakage
Bennieston, A. J. (2013, 10 18). NMAP – A Stealth Port Scanner. Retrieved from Nmap Tutorial: http://www.nmap-tutorial.com/
Demme, J., Martin, R., Waksman, A., & Sethumadhavan, S. (2012). Side-channel Vulnerability Factor: A Metric for Measuring Information Leakage. Portland: 39th Annual International Symposium on Computer Architecture (ISCA).
Exchange Online. (2013, 03 21). Data Loss Prevention. Retrieved from Microsoft TechNet Library: http://technet.microsoft.com/en-us/library/jj150527(v=exchg.150).aspx
InfoWatch Research Center. (2012). Global Data Leakages & Insider Threats Report. Moscow: InfoWatch Analytical Labs.
Michelle Keeney, J. P., Kowalski, E., Moore, A., Shimeall, T., & Rogers, S. (2005). Insider Threat Study: Computer Systems Sabotage in Critical Infrastructure Sectors. Washington: U.S Secret Service and CERT Coordination Center.
Narisi, S. (2012, 08 23). Former hospital employee stole and sold protected health information. Retrieved from Healthcare Business & Technology: http://www.healthcarebusinesstech.com/employee-stole-protected-health-information/
Paul, I. (2012, 07 05). DNSChanger Malware Set to Knock Thousands Off Internet on Monday. Retrieved from PCWorld: http://www.pcworld.com/article/258796/dnschanger_malware_set_to_knock_thousands_off_internet_on_monday.html
Stamp, M. (2010). Handbook of Information and Communication Security. Berlin: Springer.
The Open Web Application Security Project. (2013, 10 18). Information Leakage. Retrieved from The Open Web Application Security Project: https://www.owasp.org/index.php/Information_Leakage
Verizon RISK Team. (2012). 2012 Data BREACH Investigations Report. New York City: Verizon Communications.
Walker, D. (2008, 05 13). Indiana University hospital laptop stolen, contains data on 10K patients. Retrieved from SC Managazine: http://www.scmagazine.com/indiana-university-hospital-laptop-stolen-contains-data-on-10k-patients/article/293088/