Info leakage 200510
1. The Ramifications of Information Leakage in the Public & Private Sectors
REAL WORLD AGILE THREAT MODELLING
2. Freedom of Insecurity (Information)
FOI is the new Best Friend of Journalists, Data Miners, Cyber Criminals, Organised Crime, and even Terrorists.
Consider the implications of not correctly assessing what is released into the Public Domain outside of its own individual context.
Can FOI be the means by which to endanger lives?
Is this Risk appreciated?
We shall see . . . .
3. Unintentional Disclosure!
The next, and close, Best Friends of the Cyber Crooks are those accidental, unintended, and unintentional Disclosures.
One slip of the Web Server Administrator's Digit could in fact cause Public Publication of Content, NOT on the Internal Intranet, but in the rather more Public Space of the INTERNET. Here it may be assured to get many more visits!
It may be that out of misguidance, some well meaning internal user releases Sensitive Information and Documents into the arena of Public View - the INTERNET. This is driven out of sheer lack of understanding of the Big Picture implications!
Could this Happen? YES
Has it Happened?? YES
4. And What About MetaData
It is a very common find to discover revelations from Metadata which may have been overlooked pre-publication and release of documents.
1) Track Changes – 2 Examples of INSECURITY relating to Human Resources, and Client Pricing Schedules.
2) No Cleansing Policy – Excessive Publication of unintended materials and information Artifacts – 2 Examples relative to Government Sites.
3) En Masse Locating and Download of Materials containing Metadata – 4 Examples from both Government and Commercial Sectors.
5. What About Waste?
Now, one would imagine that those who hold Client, and Business Customer information would take all necessary steps to ensure it is Secure whilst in use, and at end of life.
Note the bag of waste, which is one of many continually dumped on the pavement outside a Building Society in London, W2.
The strips of shredded waste still contain complete visible characters and numerics.
6. Casual Loss
March 2010 – Example of the potential for Casual Loss – This Gentleman took a car for a Test Drive, leaving his Laptop and Papers in the Showroom!
7. Background Leakage
Many organisations deploy I/O USB Blocking Technologies, Web Filtering, and all is presumed to be fully secure. However time, and tenacity, have demonstrated this is not always the case – consider (or maybe Don’t):
a) The Internet
b) Dynamic URLs
c) Home Servers
d) Cloud Based File Sharing (Google, Amazon, SkyDrive and so on . . . .)
e) Cloud Based SharePoint
f) MS Groove
g) Desktop SharePoint
8. Lack of Standards (Bad Practice)
In many organisations, and in particular within the Public Sector, very little exists in the form of Standards for Cleansing or Securing Documents.
Published with masses of Metadata
PDF with NO inherent Security published into the Public Arena
Inappropriate Publications into Public Arena
FOI Releases which do not consider the Bigger Picture of Aggregated Risk.
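The Metadata and No Cleansing Policy points above (Track Changes, author names, excessive Artifacts) can be turned into a pre-publication gate. The following is an added example, not from the original deck: it builds a constructed sample .docx in memory (a pricing figure with a tracked deletion and author metadata) and a checker that lists what must be cleansed before release. File names and values are assumptions for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces Word uses for the document body and core properties
NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
W = "{%s}" % NS["w"]


def build_sample_docx() -> bytes:
    """Constructed sample: minimal .docx with author metadata and a tracked deletion."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>hr.manager</dc:creator>'
            '<cp:lastModifiedBy>j.smith</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"]))
    doc = ('<w:document xmlns:w="%s"><w:body><w:p>'
           '<w:r><w:t>Day rate: 450</w:t></w:r>'
           '<w:del w:author="hr.manager"><w:r><w:delText>Day rate: 600</w:delText></w:r></w:del>'
           '</w:p></w:body></w:document>' % NS["w"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def check_docx(data: bytes) -> list:
    """Return findings that should block publication until the file is cleansed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):   # author / last editor
                el = root.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    findings.append("metadata %s = %s" % (tag, el.text.strip()))
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            for kind in ("ins", "del"):          # tracked insertions / deletions
                for el in root.iter(W + kind):
                    hidden = "".join(t.text or "" for t in el.iter()
                                     if t.tag in (W + "t", W + "delText"))
                    findings.append("tracked %s by %s: %r"
                                    % (kind, el.get(W + "author"), hidden))
    return findings
```

An empty findings list is the publish condition; anything else goes back for cleansing (accept all changes, strip properties, re-check).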
9. DNS can Give Up a Lot
DNS can provide interesting Artifacts when selecting targets.
On average, recent Research identified that around 17% of a 100 Group Sample had security issues.
6% had High Risk Security Exposures (Zone Transfers).
External, and Third Party External, DNS Testing can be, and does get, overlooked.
10. Real Time Target Mapping
For Criminal and Social misuse, and more worryingly use by Terrorists, it is no secret in Underground Communities that the lack of policies, linked to what seems to be the continuous revelation of unintentional publications of artifacts and data (Intel), provides very rich pickings to target Individuals, Organisations, and Groups.
This could be (is) used to facilitate the purposes of Grooming, Exploitation, or in the most Extreme of cases Wet Target Selection.
11. Target Selection in Action
Step 1 – Get to Know the Advanced Features of Google Searches
Step 2 – Have the right toolsets on hand
Step 3 – Originate a map of potential targets
Step 4 – Set off on a Spidering Mission
Step 5 – Identify interesting Artifacts, Mine, and Retrieve
Step 6 – Analysis Phase
Step 7 - EXPLOIT
12. Example of Real Time Mapping - 1
Step 1: Decide the Target type and information/artifacts of interest
Step 2: Identify and Footprint using Advanced Searches (FOI)
Step 3: Run Application / Tool against identified Targets
Step 4: Review Artifacts and Download as required
Step 5: Analysis Phase
Step 6: EXPLOIT
13. Example of Real Time Mapping – 2
(AKA – How to Create a Soft Target)
FOI
MI5 – MI6 Link
Thames Housed
14. Who Cares?
This is a good question – it would appear, based on previous examples, that with end users there are still shortfalls (as would be expected).
In the case of Government – the areas introduced relating to the potential for Mapping of, and Creation of, Soft Targets, Low or No Standards, Inappropriate Public Facing Publications, and Masses of Metadata have been reported on multiple occasions in the last 12 Months – to date:
No Action – and these exposures Still Exist
15. Be Proactive
Consider your own Enterprise – Do any of the previous exposures exist?
Review any releases into the Public Arena before they go – Aggregation
Consider areas of potential for Unintentional Disclosure
Consider Standards and Process – if Gaps are Identified fix them
If reports are received – consider, and act on them as appropriate
Last but not least – consider the Real Time and Life Implications of Potential Impact