III. Exploitation on Data Leakage

by JUCC ISTF
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
 
 
Data leakage can be caused by internal and external parties, either intentionally or accidentally. According to INFOWATCH's "Global Data Leakage Report 2009" 51% of data leakages were resulted from intentional attacks and 43% leakages were due to accidental events, which indicates a strong increase of intentional leakages when comparing to 2007's figures (i.e. 29% intentional and 71% accidental). Several intentional exploitations on data leakage are illustrated below: 

1. Code Injection

Poor programming of information systems and applications can leave universities exposed to various code injection attacks, or allow inappropriate information to be retrieved in legitimate database queries.

Structured Query Language (SQL) injection is one of the most common attack techniques for applications or websites that use SQL servers as back-end database. If the applications or websites failed to correctly parse user input and sanitise user input, the content within the database may be stolen or program errors may occur and interrupt the relevant services. 

2. Malware

Malware is designed to secretly access a computer system without owner's informed consent. Sophisticated data-stealing malware may take various forms including Trojan, spyware, key loggers, screen scrappers, adware, and backdoors. Users are usually infected during installation of other application software bundled with malware or from malicious web sites. Examples of data-stealing malware are Bancos (steal sensitive banking information) and LegMir (steal personal information such as account name and passwords). 

3. Phishing

Another data leakage channel is through the use of phishing sites as a lure to steal sensitive data from users. Phishing spam can be sent to staff or students' e-mail address. Once they are fooled to click the links in the malicious e-mails, their browsers can be re-directed to fraudulent websites that mimic reputable organisations, where users may unnoticeably leak their account name and passwords to hackers. If the login credential to a university's web mail system is leaked, the hacker can authenticate himself or herself as university member and gain full access to any sensitive information stored within the e-mail system. It is also possible that the phishing spam received directs users to a site that uploads malware to their computers. 

4. Malicious Insider

Universities' sensitive data are also vulnerable to intentional data leakage performed by their internal users (e.g. employees, students). Motivations are varied, but usually fall into corporate espionage, financial interest, or a grievance with their employers. Sensitive data can be unauthorisedly transferred out through remote access, e-mail, instant messaging or FTP. Even if DLP solutions have been deployed within universities, these malicious insiders, especially IT personnel, can bypass the restrictions through sabotage DLP systems. E.g. altering the DLP configuration to create backdoor; shutdown DLP services; physically cut off the power supply; de-classify sensitive data.

Reference:

http://www.sans.org/reading_room/whitepapers/awareness/data-leakage-threats-mitigation_1931 
http://www.infosec.gov.hk/english/anti/recent.html