A few times a year I read in my newspaper that someone from some organisation has leaked data by throwing a computer away without erasing all data first, losing a non-encrypted USB stick or, more recently, twittering information which should not have been public.
But there is another form of data leakage, and it is not as obvious or as well known as the ones mentioned above.
Suppose you have composed a Word, Excel or PowerPoint document and intend to publish it on a website. After composing, it not only contains data you intended it to contain, but also contains information about who wrote it, and sometimes even more. This data is called META-data; data that describes data. You could think: So what! I don’t care about the fact that anyone on the internet knows that I wrote that document.
But it does not stop there. What about cameras that can save their GPS position in an image? Just by taking a photo of your house, anyone could know exactly where you live!
To illustrate the above, the next two screenshots were taken of META-data from Word, Excel and PowerPoint documents found via Google on www.overheid.nl (a Dutch government website):
This screenshot shows all directory paths that are included as META-data in the documents (where the documents had been saved prior to uploading them to the website).
This screenshot is taken from the same set of documents and shows all printers referred to in the META-data included in the documents.
Besides this, I also found 199 users (usernames, or full names of authors) and 8 e-mail addresses, just by looking at the META-data.
I had all data within 10 minutes.
Although the confidentiality of the data can be argued, it can help an attacker convince people to trust him when social engineering them.
If he asks them to send him a file from a specific server name, in a specific directory on the user's network, they will reason that he is probably authorized to get the document… Because how else would he know the document exists and where it had been saved?
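
A pre-publication check for this kind of leak, as an added example that is not part of the original post: it lists author names, e-mail addresses, file paths and embedded printer settings in a document before it goes on a website. It assumes the newer zip-based Office formats (.docx, .xlsx, .pptx); the function names and the sample values (`J. Example`, `FILESRV01`) are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Identity fields in docProps/core.xml (people) and docProps/app.xml (organisation).
ID_FIELDS = {"creator", "lastModifiedBy", "Company", "Manager"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Drive-letter or UNC paths, e.g. C:\Users\... or \\server\share\...
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\s<>\"|?*]+")

def audit_ooxml(data: bytes) -> dict:
    """Return metadata findings for one .docx/.xlsx/.pptx passed as bytes."""
    # Meant for your own files before upload; parse untrusted XML with defusedxml.
    found = {"identity": set(), "emails": set(), "paths": set(), "printer_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if "printersettings" in name.lower():
                found["printer_parts"].append(name)  # embedded printer configuration
            if not name.lower().endswith((".xml", ".rels")):
                continue
            raw = z.read(name)
            text = raw.decode("utf-8", errors="replace")
            found["emails"].update(EMAIL_RE.findall(text))
            found["paths"].update(PATH_RE.findall(text))
            if name.startswith("docProps/"):
                for el in ET.fromstring(raw).iter():
                    tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
                    if tag in ID_FIELDS and (el.text or "").strip():
                        found["identity"].add(el.text.strip())
    return found

def build_sample() -> bytes:
    """Constructed sample: a minimal .docx-style package with invented metadata."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
            'package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:creator>J. Example</dc:creator>'
            '<cp:lastModifiedBy>jexample@example.org</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
            'relationships"><Relationship Id="rId1" TargetMode="External" '
            r'Target="file:///\\FILESRV01\templates\memo.dotm"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/_rels/settings.xml.rels", rels)
        z.writestr("word/printerSettings/printerSettings1.bin", b"\x00")
    return buf.getvalue()
```

For a real file, pass its bytes to `audit_ooxml` and treat any non-empty result as a reason to strip the document's properties before uploading it.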

