What is Information Leakage?
Information leakage is a term we are hearing more about these days. But what is it, and what does it look like?
There's a useful briefing document, Information Leakage, available from the Information Security Forum (ISF), that describes what information leakage is, why it matters and ways to reduce the likelihood of it occurring. It describes information leakage as "an incident where the confidentiality of information has been compromised", but I'd also include privacy breaches within that description. An alternative, application-development view of information leakage is published by the Web Application Security Consortium (WASC).
We've all heard about lost laptops and misplaced USB memory sticks, but in what other more subtle ways can information leakage occur? Well, certainly by malicious hacking, but also by more ordinary actions too. This week, I was looking for a location to host a meeting, and some of the possible venues had web site enquiry forms to collect my requirements. One of these form submissions appeared to work okay, but shortly afterwards I received a message from their mail server informing me that it had been unable to deliver an email from me to two of the company's email addresses:
I've written previously about using email in business processes, in Keep The Emails Coming and Application Data Flows by Email. But what else did this fault lead to? Well, it gave away (leaked) two email addresses and an internal document that was attached. In fact, I don't think the attachment contained any information that I hadn't added myself, but it may be that the two email addresses were not intended to be publicly known.
This seemingly small, and hopefully transient, fault has leaked some information. Whilst it is not major in any way—more like a couple of drips than a flood—you can see how information can be divulged in unexpected ways.
In this example, using an external email address in the "from" or "reply-to" fields of an internal business process may be convenient, but in error situations that external sender may be notified, so do this with care. A similar situation could also occur if your own mail server rejects the message as spam, or has an out-of-office auto-responder set up for the recipient email account.
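To make the caveat concrete, here is an added example (not code from the original post or from any venue's system) showing the weak and the hardened way an enquiry form could build its internal notification. The key point is that a bounce goes to the envelope sender (MAIL FROM), not to whoever appears in Reply-To, so the hardened version keeps the visitor reachable through Reply-To while directing delivery failures to an internal mailbox. All addresses and the attachment are constructed sample values.

```python
from email.message import EmailMessage

# Constructed sample values, not taken from the original post.
INTERNAL_DOMAIN = "example-venue.invalid"
BOUNCE_MAILBOX = "bounces@" + INTERNAL_DOMAIN      # absorbs delivery failure reports
NOREPLY = "enquiries-noreply@" + INTERNAL_DOMAIN   # visible From address for staff
INTERNAL_RECIPIENTS = ["sales@" + INTERNAL_DOMAIN, "events@" + INTERNAL_DOMAIN]


def build_enquiry_mail(visitor_addr, body, attachment, hardened):
    """Build the notification an enquiry form sends to internal staff.

    Returns (envelope_sender, message). The envelope sender is what the
    MTA uses as MAIL FROM, and therefore where a delivery failure report
    (DSN, a 'bounce') is sent, usually with the original message attached.
    """
    msg = EmailMessage()
    msg["To"] = ", ".join(INTERNAL_RECIPIENTS)
    msg["Subject"] = "Venue enquiry"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="pdf", filename="requirements.pdf")
    if not hardened:
        # Weak: the visitor's address is both the header From and the
        # envelope sender, so any bounce goes to the visitor carrying the
        # internal recipient list and the attached document.
        msg["From"] = visitor_addr
        return visitor_addr, msg
    # Hardened: bounces are routed to an internal mailbox; the visitor
    # remains reachable for staff replies via Reply-To only.
    msg["From"] = NOREPLY
    msg["Reply-To"] = visitor_addr
    return BOUNCE_MAILBOX, msg


def exposed_by_bounce(envelope_sender, msg, internal_domain):
    """Model a rejecting server's DSN: it returns the original message to
    the envelope sender. Report what an outside address would learn from
    it: the internal recipients and the attachment filenames."""
    if envelope_sender.endswith("@" + internal_domain):
        return set()  # the failure report stays inside the organisation
    exposed = {addr.strip() for addr in msg["To"].split(",")}
    exposed |= {part.get_filename() for part in msg.iter_attachments()}
    return exposed
```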
Posted on: 31 July 2009 at 08:00 hrs
