Shoddy data-stripping exposes firms to hack attacks

Large firms are vulnerable to targeted hack attacks because they do little to strip data from files on their websites, suggests research.

The data gets added as employees create documents, images and other files as they maintain and update websites.

The research found user names, employee IDs, software versions and unique IDs for internal computers in the files.

Attackers could use the data to craft attacks aimed at senior staff, said security firm Glasswall, which did the survey.

Banks, law firms, defence contractors and government departments were all found to be leaking data.

“This is really low-hanging fruit,” said Lewis Henderson, a vice-president at Glasswall, which carried out the survey for the BBC.

Leaky media

To gather the data, Mr Henderson “scraped” target websites for days to ensure he grabbed copies of all the files published by an organisation. Pictures, PDFs, spreadsheets and other documents made public via the sites were all sampled.

“This was all done from a single IP [internet protocol] address and in broad daylight,” he said.

Mr Henderson said that a significant proportion of the files contained metadata which betrayed key information about the people who created that file, when they did it, and the version of the software and machine which they used. About 99% of one particular document type contained this data.

In some cases, he added, user names were annotated with internal user IDs and, in one case, he found a detailed guide to a remote login procedure for a law firm’s Far Eastern regional office.

The cache of data gathered would be a perfect starting point for any sophisticated attack that sought to target senior staff or their aides, said Mr Henderson.

“We did what a malicious actor would do,” he said, “which is intelligence gathering on a large scale.”
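The file metadata described above (author names, user IDs, software versions, creation times) can be checked for and removed before a document is published. The following is an added example, not part of the original article or Glasswall's research. It assumes the file is an Office Open XML package such as .docx, a format the article does not name; the field list and the sample names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed field list: OOXML properties that name people, software or timestamps.
SENSITIVE = {
    "docProps/core.xml": {"creator", "lastModifiedBy", "created", "modified"},
    "docProps/app.xml": {"Application", "AppVersion", "Company", "Manager"},
}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix ElementTree adds

def audit(data):
    """Return {"part:field": value} for identifying metadata found in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in SENSITIVE.keys() & set(z.namelist()):
            for el in ET.fromstring(z.read(part)):
                if _local(el.tag) in SENSITIVE[part] and (el.text or "").strip():
                    found[f"{part}:{_local(el.tag)}"] = el.text.strip()
    return found

def scrub(data):
    """Return a copy with those fields removed; all other parts are copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zin, zipfile.ZipFile(out, "w") as zout:
        for name in zin.namelist():
            body = zin.read(name)
            if name in SENSITIVE:
                root = ET.fromstring(body)
                root[:] = [e for e in root if _local(e.tag) not in SENSITIVE[name]]
                body = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            zout.writestr(name, body)
    return out.getvalue()

def sample_docx():
    """Constructed sample with made-up names; not a file from the survey."""
    core = ("<cp:coreProperties xmlns:cp='http://schemas.openxmlformats.org/package/2006/metadata/"
            "core-properties' xmlns:dc='http://purl.org/dc/elements/1.1/'><dc:title>Annual report</dc:title>"
            "<dc:creator>jsmith (EMP-0042)</dc:creator><cp:lastModifiedBy>pa.to.ceo</cp:lastModifiedBy></cp:coreProperties>")
    app = ("<Properties xmlns='http://schemas.openxmlformats.org/officeDocument/2006/extended-properties'>"
           "<Application>Microsoft Office Word</Application><AppVersion>14.0000</AppVersion></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document xmlns:w='urn:constructed'/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Running `audit()` over every file in a publishing queue and refusing to publish until it returns an empty result turns the check into a release gate. Images and PDFs carry their own metadata formats and need separate handling.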
