Tuesday, 2 August 2011

DfT Browsing Habits and the Impact on Security

FOI and the release
On July 29th the Department for Transport (DfT) released the list of their top 1,000 visited sites. Although there have been articles written about the list, mostly they seem to centralise on the sites themselves and the browsing habits of the civil servants within the department. However, it occurred to us that whilst released under the freedom of information act, the list itself does present a significant risk, not only to the DfT, but to other Government sites to which there is likely to be a strong correlation of browsing habits. Whether the list was edited before release is a subject of debate, but we would expect a degree of filtering to be applied in order to remove sensitive sites (although the four sites on the Government Secure Intranet (GSI) were retained).

The increased risk
There is an increased rate of technical attacks against Government systems, particularly using browser based or client side attacks. Knowing the browsing habits of your intended victims provides a potential attacker with a list of sites to target, and seed with malicious content. This approach would reduce the footprint within the target organisation of an attack. A typical approach first requires the user to navigate to a malicious site; this is ordinarily achieved through enticement or social engineering (embedded links or terms in a targeted email for example). However, by directly compromising sites this additional step and therefore log imprint at the target environment is avoided.

Seeding the target sites for an increased attack conversion rate is one use of the information. The servers themselves, and the logs they maintain, may also contain information which is useful to an attacker. For example, analysis of the logs contained on the published web servers, would likely reveal users who view the same content at work and at home. A work laptop or mobile device in the home environment can in some cases present a softer target for attack. If it's the same user on a different home machine, there is the potential for information gathering to inform more complex attacks against the Government department or to capture information stored outside the DfT network perimeter.

Taking the list to automation
So say an aggressor wanted to automate the analysis of these sites how hard would it be? In short not very, we can use the python PDF miner to extract the contents of the PDF as so:

pdf2txt.py -o output.txt f0007532-table.pdf

Tidy up the output a little to just get the hosts and remove some blank lines:

cat output.txt | awk 'NF {print $2}' | awk '$0!~/^$/ {print $0}' > tidy.txt

Result? A list of host names and IP addresses all tidied and ready for feeding into any automated analysis system. Looking for easy to exploit web application and server configuration vulnerabilities in the target sites. Given the number of sites, the range of material and the potential for vulnerabilities; the likelihood for accurate seeding of malicious content is significant.

Conclusion
Should the DfT have released the information? In our opinion, no. The value of the information in the public domain is relatively insignificant, beyond that of titillation of the reader (someone likes their expensive cars). The value to the attacking population is significant, both in the potential for increased accuracy of direct attacks, and in the availability of user specific data through the correlation of site access across multiple source addresses.

No comments:

Post a Comment