Security Attacks - Information Leakage

  • Venky Karukuri

In today's world, information leakage is considered a security risk at its most basic level. It can be prevented by every software professional, including system administrators, programmers, database creators, and even end users.

When we talk about information leakage as a security risk, we're talking about the attacker getting data that leads to a breach of security or privacy policy, whether the data is itself the goal (such as customer data) or provides information that leads the attacker to his goal.

Accidentally: Even though the data is valuable, it was leaked anyway, perhaps due to a logical error in the code or through innocuous means. 

Intentionally: The design team has a mismatch with the end user about whether data should be protected. Usually, these are privacy issues. 

Mistake: Designers or programmers failed to realize that even if the information was not valuable to them, it could be helpful to an attacker.

Often, an attacker can glean important information about data by measuring information the design team was unaware was being transmitted. Timing channels and storage channels are the two primary types of side channels.

In timing channels, the attacker learns about the secret internal state of the system by measuring the time it takes for operations to complete.
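An added example, not code from the original article: it counts the bytes a comparison examines as a stand-in for elapsed time, showing that an early-exit check does work proportional to how much of a secret a guess gets right, while a fixed-work check does not. `SECRET` and all function names are assumptions made for illustration.

```python
import hmac

SECRET = b"S3cr3tTok3n!"  # constructed sample value, not from the page


def leaky_equal(supplied, secret):
    """Early-exit compare. Returns (equal, bytes_examined)."""
    if len(supplied) != len(secret):
        return False, 0
    examined = 0
    for a, b in zip(supplied, secret):
        examined += 1
        if a != b:  # stops at the first wrong byte: work depends on the secret
            return False, examined
    return True, examined


def fixed_work_equal(supplied, secret):
    """Examines every byte and decides only at the end (illustrates the idea)."""
    if len(supplied) != len(secret):
        return False, 0
    examined, diff = 0, 0
    for a, b in zip(supplied, secret):
        examined += 1
        diff |= a ^ b  # accumulate differences without branching on them
    return diff == 0, examined


def safe_equal(supplied, secret):
    """What to use in practice: the standard library's constant-time compare."""
    return hmac.compare_digest(supplied, secret)


def work_profile(compare, secret=SECRET, prefix_lengths=(0, 4, 8, 12)):
    """Bytes examined for guesses sharing 0, 4, 8 and 12 leading bytes with the secret."""
    profile = []
    for k in prefix_lengths:
        # Correct prefix of length k, padded with NUL bytes (never present in SECRET).
        guess = secret[:k] + b"\x00" * (len(secret) - k)
        profile.append(compare(guess, secret)[1])
    return profile


if __name__ == "__main__":
    print("early exit :", work_profile(leaky_equal))
    print("fixed work :", work_profile(fixed_work_equal))
```

The early-exit profile rises with the length of the correct prefix, which is exactly the internal state a timing channel exposes; the fixed-work profile stays flat.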

A storage channel allows an attacker to look at data and extract information that was probably not intended.

The job of any application is to present information to users so they can use it to perform useful tasks. However, there is such a thing as too much information: detailed version information, for example, can help attackers operate undetected.

The most common mistake is leaking internal network information, such as

  • MAC addresses
  • Machine names
  • IP addresses
  • Application information
  • Path and stack layout.

Redemption Steps:

In the case of straightforward information leakage, your application designers and developers must follow a policy that determines who should have access to what.