maandag 11 februari 2013

Sensitive data on personal home folders found thanks to Google!


I can imagine that there are some people who make use of a mailing list. A way to quickly communicate in case certain events happen. These mailing lists are mostly to be used for personal reasons. And as for this personal reason, they get stored on a personal share on the network. Also known as your personal home folder. So far nothing wrong.

But what happens if these personal homefolders are browsable from the internet?
As from that moment, we have generated a data leak.

This is a situation which I bumped into with a Belgian Governmental organization, which I will not mention by name as they are very collaborative to get the problem fixed. The content of info which I read via a cached Google page, was of a similar kind of data leak to that what I found earlier this year with "dghr.mil.be". Names,location,phone, job title, email, etc... Nothing special you would think but still useful information for identity theft and surely a good case for the Belgian Privacy Commission.

But who is to blame?

Looking to the information published on the site, it seems that the purpose of the server is rather to provide a presentation of staff. Staff can publish an introduction about themselves and maybe, if allowed, their academic work.
So the sysadmin could claim that it's the users mistake to have published some internal data.
But if we look to the URL it seems to switch to a commonly used format for personal home folder http://<server>/~<username>
So maybe the user was not aware that his private folder was open to the public.

What can we learn from this? And what did we propose to the organization involved?
  1. Make clear guidelines about which location on the network will be made public.
  2. Disable directory browsing to avoid Google/people to snoop around and harvest information which might store sensitive data.
  3. Regularly perform audits. This can be done automated. Screening of content which only triggers an alarm toward the user. Then this user can decide if their might be a security violation.
Security is as strong as it's weakest link.

Geen opmerkingen:

Een reactie plaatsen