FEBRUARY 16, 2007 | Researchers from Errata Security plan to release
a free tool at the Black Hat D.C. briefings later this month that
gives enterprises a firsthand look at what data is bleeding out of
their client machines every day, especially in wireless networks.
Data seepage -- not to be confused with data leakage -- is where
seemingly innocuous data gets exposed by your chatty client
applications over public WiFi connections, or even inside the
enterprise network. (See Data That Doesn't Drip... Drip... Drip....)
Robert Graham, Errata Security's CEO and David Maynor, its CTO, will
use this Windows- and Linux-based tool to demonstrate just how much
danger data seepage can pose, during their Black Hat presentation on
March 1. The tool will be available for download via Errata's
Website.
"It's more like a packet sniffer," explains Graham, who wrote the
tool, which he's tentatively calling The Juicer. "It's aimed at
corporations that don't realize how much information they are
broadcasting to the world. This tool shows the surprising amount of
data they are exposing on their laptops."
Graham says he fully expects researchers to also use the tool to find
other potential dangers in data seepage.
Security experts like Errata are raising the red flag on data
seepage, which has mostly been overlooked by most organizations. It
really boils down to just how chatty your client apps are, and where
your mobile clients are working. If your users are working from an
airport or Panera Bread WiFi connection, their machines are
announcing themselves to anyone else on those machines, which makes
your corporate network a target.
"Data seepage is one of the most overlooked vulnerabilities today in
wireless devices," says Richard Rushing, CSO for AirDefense, a
wireless security vendor. "They have no recollection of where they
are -- my wireless device acts the same way at a hotspot that it does
at a corporate office."
Their user-friendly features basically make them vulnerable. "When
you first open your laptop, it will try to connect to every WAP you
went to in the past. This tool will list all you connected to in
past" as well as other potentially revealing information, Graham
says.
That means all those desktop agents -- Oracle, your email client,
etc. -- immediately start asking questions and leaving tracks out in
the open as they reach out for their servers from a WiFi connection
at the airport. The Oracle client, for instance, will try to connect
to its server if you have cached credentials on your laptop.
"I can immediately get your NT domain name, and tell what kind of
system you're communicating with," Rushing says. "This is all good
information a bad guy would want to start breaking into your
corporate network."
But data seepage can also be a problem within the internal wired
network as well, Errata's Graham says, an insider could get more
information about the network than you think they have and use it for
nefarious purposes.
So what can you do to protect yourself from your wireless users on
the go, or from your wired users gone bad? Much of the data seepage
problem is the nature of wireless, but the key is understanding what
data is being broadcasted and made available, and whether it's
potentially sensitive or could lead an attacker to your front door,
AirDefense's Rushing says.
"You can limit the types of services on the WiFi firewall, but when
you go to the conference room back at the office, none of the
applications will work on your laptop," he says.
Simple things like creating a user account that doesn't use your real
name, and forgoing naming your servers after the company, as well as
"turning off" some services are helpful, Graham says. "But no one
thing will solve it," he warns.
And don't expect those more secure Vista laptops you're planning to
purchase to help you out much, either. "Vista has new chatty stuff
that tells you even more about the machine," Graham says. "And Apple
is even more chatty than Windows."
Next, Errata will develop a proof of concept showing how an attacker
could set up a trojan server that could respond to the client's
requests, posing as an Oracle database, Web server, or a wireless
access point, says Graham.
- Kelly Jackson Higgins, Senior Editor, Dark Reading
