Tuesday, February 27, 2007

Preventing Information Leakage

Information Leakage is a fact of life in most web applications. How much time and effort should we spend minimizing it?

I've gone through I don't know how many versions of server/os/middleware hardening guides which all seem to have the standard sections on changing banners, changing default ports, etc. I did a quick search and I wasn't able to find any honeynet/honeypot data on how successful these techniques are in preventing security incidents.

How much do attackers care what your server says it is? If it's running SSH or telnet, aren't they going to just try to exploit it anyway?

Which brings me to web applications.... We spend a lot of time designing web applications so that they don't leak information about whether you failed to log in because of a bad account name or a bad password. We spend a lot of time designing password reset functions so that they don't tell the user whether an account name was valid. We send email reminders to users that don't include their account name so that it isn't easily stolen.

How effective are these measures in preventing exploits? I'm going to guess not very, though I wish I had some hard data on the subject.

If you're worried about account names leaking, then you'd better not let anyone new sign up for an account, or you'd better make 100% sure you use a good captcha to prevent leakage during the signup.

Or, you'd better hope people don't have to link to each other using their account names, or ever make them public in other postings, etc.
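The login, password-reset and sign-up behaviour discussed above, written out as an added example in Python (this is not code from the original post). The in-memory user store, the mailer callback and the account names are constructed for the example. The leaky login handler returns two different error strings, so a caller learns which account names exist; the hardened handlers return one message and do the same hashing work whether or not the account exists, so neither the text nor the response time distinguishes the two cases.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
_USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


# Dummy credential used when the account does not exist, so the hashing work
# (and therefore the response time) is the same for unknown and known names.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


# --- leaky version: the error message says which half of the credential was wrong ---
def login_leaky(username: str, password: str) -> str:
    if username not in _USERS:
        return "unknown account name"      # confirms the name is NOT an account
    salt, stored = _USERS[username]
    if _hash_password(password, salt) != stored:
        return "bad password"              # confirms the name IS an account
    return "ok"


# --- hardened version: one message, same work, constant-time comparison ---
GENERIC_LOGIN_ERROR = "invalid account name or password"


def login(username: str, password: str) -> str:
    salt, stored = _USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)      # always computed, even for unknown names
    # compare_digest does not stop at the first differing byte
    matched = hmac.compare_digest(candidate, stored)
    if matched and username in _USERS:
        return "ok"
    return GENERIC_LOGIN_ERROR


# --- password reset: the visible response never depends on whether the account exists ---
RESET_MESSAGE = "If that account exists, a reset link has been sent to its e-mail address."


def request_password_reset(username: str, send_mail) -> str:
    # send_mail is a hypothetical mailer callback supplied by the caller
    if username in _USERS:
        send_mail(username, secrets.token_urlsafe(32))
    return RESET_MESSAGE


# --- sign-up: same pattern, so a taken name is not confirmed to the requester ---
SIGNUP_MESSAGE = "Check your e-mail to finish creating the account."


def request_signup(username: str, send_mail) -> str:
    if username in _USERS:
        # Tell the existing owner someone tried to register their name; say nothing to the caller.
        send_mail(username, "signup-attempt-notice")
    else:
        send_mail(username, secrets.token_urlsafe(32))   # confirmation token for a new account
    return SIGNUP_MESSAGE
```

The generic login message and the always-sent reset message are what the post describes; the sign-up handler applies the same idea, returning one message whether or not the name is taken. The post's own caveat still applies: once users link to each other by account name, none of this hides the names from anyone who reads the site.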

If your web application gets hacked more by people knowing valid login names, I'm going to guess you didn't do a very good job of securing the application.

That said, when do you want to take some measures to prevent this type of information leakage? When the attacks aren't against your site but against your users. When someone wants to spear-phish your users, leaking account names and account info makes their job a lot easier. They'll probably manage to grab the data anyway if your site is used by anyone at all, but you might want to make their job a little harder.

But remember, it's a trade-off. If you don't leak some information, your users are going to get confused, call you, waste a service rep's time, and cost you a lot more money than some of the breaches ever would have.

As always, it's a tricky balancing act.
