Cleaning Up After the Leak: Hiding exposed web content
Just this weekend, a user notified us of a company leaking sensitive information on its website. The information was readily available via Google, which is how the reader found it. News outlets also covered a case where the secret firmware key used to sign BIOS firmware from motherboard vendor MSI leaked via an open FTP server, essentially undermining the security of modern UEFI motherboards.
So what do you do when someone notifies you: "Hey, I found this document on your website, and I don't think it should be there"? The first step is to verify the leak ("Identification"). And don't forget to send back a big thank you.
Next, we need to contain the incident. You are probably looking for a quick fix first, something to stop the bleeding. Let's assume you don't have an actual "breach", so your systems are not compromised; someone just didn't use proper care when publishing the documents.
Here are some quick fix options:
- set up a web application firewall rule to block access to the documents if you can identify common properties ("all PDFs", "all Excel spreadsheets in the /accounting directory", "all documents that contain the string 'SECRET' in the header").
- if you don't have a web application firewall, you may be able to do something similar in your web server configuration, although that is often less flexible (see the sketch after this list)
- remove the documents from the web server. You probably don't want to just delete them: either move them out of the document root (at a minimum) or to a different system, tape, CD, or some other offline medium
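As an illustration of the web server route, here is a minimal sketch, assuming nginx and assuming the leaked files are PDFs under /accounting (both the server and the pattern are placeholders for your own situation):

    # Hypothetical containment rule: block all PDFs under /accounting.
    # Returning 404 avoids confirming that the documents ever existed.
    location ~* ^/accounting/.*\.pdf$ {
        return 404;
    }

A comparable web application firewall rule would match on the same URL pattern, or on response content if your WAF supports it.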
This may be part of the identification step, but I suggest you remove access to the content first, and then check your web logs to figure out who accessed the documents. Based on that, decide who needs to be notified of the leak, internally or externally.
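For a first pass over the logs, even a small script will do. A sketch, assuming combined-format access logs and the same hypothetical /accounting PDFs as above:

    # Hypothetical sketch: list requests for the leaked documents from a
    # combined-format web server access log. Paths and patterns are placeholders.
    import re

    LOG = "/var/log/nginx/access.log"
    LEAKED = re.compile(r'GET /accounting/\S*\.pdf')

    with open(LOG, encoding="utf-8", errors="replace") as f:
        for line in f:
            if LEAKED.search(line):
                print(line.rstrip())  # client IP, timestamp, referrer, user agent

Pay particular attention to referrers and user agents: they will tell you whether search engine crawlers already picked up the content.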
Next, plan the real fix ("Eradication"):
- who needs access to the documents?
- do we already have an authentication system we can leverage?
- how critical are the documents? What is an appropriate authentication scheme for them?
Don't rush this part! It can be hard to come up with correct access control rules after the fact, and it will take some time to get this right.
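If you need an interim access control while the real fix is designed, even simple HTTP basic authentication in front of the directory helps. A sketch, again assuming nginx and the hypothetical /accounting directory (serve this over TLS only, and treat it as suitable only for moderately sensitive content):

    # Hypothetical interim control: require a login for /accounting.
    # The htpasswd file location is a placeholder; serve over TLS only.
    location /accounting/ {
        auth_basic           "Restricted documents";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

For anything truly critical, tie access to your existing authentication system instead of maintaining a separate password file.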
Finally, don't forget the cleanup of external copies. Remember: once it is online, it is online forever.
- check search engines for cached copies of the content, and ask them to remove it
- while "robots.txt" is not a security feature, blocking access via robots.txt can speed up search engine removal
- search for other copies of the content online (Google, Bing, Pastebin, Twitter...) and try to remove these copies
It may be very hard, or impossible, to remove all copies.
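For reference, a minimal robots.txt that tells well-behaved crawlers to stay away from the hypothetical directory used above (this hides nothing from an attacker; it only helps with de-indexing):

    # robots.txt - not an access control, just a crawler hint
    User-agent: *
    Disallow: /accounting/

Search engines also offer explicit removal tools (for example, the removals feature in Google Search Console), which are faster than waiting for a recrawl.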
Once the fix is tested, you can make the documents available again ("Recovery"). In some cases, the real solution may be to not offer the documents online at all, at least not in the form in which you had them.
Lastly, don't forget the "Lessons Learned" part. In particular, look for other spots where you made the same mistake, and try to fix the process used to make content live on your website. Leaks like this are hardly ever the fault of an individual; they are usually a failure of the content management process.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute