5/28/2017

Unintentional Damage - Warning About Possible Information Disclosure

Traffic analytical tools can cause unintentional sensitive information disclosure.  

Most of precisely targeted attacks on IT infrastructures are originated from outside of security perimeters of the victimized organizations. However, the security openings allowing cyber attackers to breach security mechanisms overwhelmingly originated either with unintentional help of insiders or disclosure of sensitive information. 

Information disclosure might be a bigger threat then a not patched system. Organizations say that the biggest risk to their security is the disclosure of the internal information on social media. It is hard to employ technologies to detect such events and it may take a serious security specialist with anti-scouting skills to detect such disclosures. 

Hackers use different techniques for cyber scouting and reconnaissance.  IT organizations should be aware of some of them. 

Sometimes our extranet systems rely on hiding sensitive information rather then securing it. We think that long hashed URLs cannot be guessed. Here is a very practical warning. If a page that has sensitive information and is hidden and it also has javascript reporting any information to third party systems, all your hidden data can be visible to those third parties. 

Example can be Google Analytics. Google Analytics java script picks up information from web pages and send it to Google. Then your analytical data is available to public. 

Here is an example how Google unintentionally discloses its own emails through its own tools.

This image below shows how analytical tools pick up and disclose an email address. 

Similarly analytical tools can disclose hashes, hidden information, email addresses, subjects of emails and other. 

Digital Edge would like to thank Fred Legrand, who was a contributor on this subject, as an advanced marketing data analyst who uses unique techniques to provide his clients with information about online behavior.  

Digital Edge designed comprehensive cyber reconnaissance and anti-scouting methodology. We help clients to make sure that there are no vulnerabilities exist through information disclosure.

Digital Edge provides the following security services:

  • Security Operation Center
  • Vulnerability Scanning
  • Security Assessment
  • Building and supporting security systems based on ISO 27001, SOC 2 or NIST core standards.
Was this article helpful?
Michael Petrov
Founder, Chief Executive Officer

Michael brings 20 years of experience as an information architect, optimization specialist and operations’ advisor. His experience includes extensive high-profile project expertise, such as mainframe and client server integration for Mellon Bank, extranet systems for Sumitomo Bank, architecture and processing workflow for alternative investment division of US Bank.

LET'S TALK: 800-714-5143