Leaking information while searching for information

Let's assume that you are a security analyst/engineer working for the Wakanda Ministry of Defense. You run a vulnerability scan and need to review the results, and you get a pile of vulnerabilities to analyse.
You start clicking links, running Google searches, and visiting sites without any idea of who operates them. Do you know how much information you are leaking about yourself?

You are working for a government agency and browsing the web from your office network. You visit a website that publishes information about security vulnerabilities and view CVE-2019-123456. What does this tell others about you?
"Wakanda Ministry of Defense has a system vulnerable to CVE-2019-123456"

Who has access to this information?
- The website owner
- The hosting provider, maybe
- Google, because the site uses Google Analytics or ads
- CDNs: the site uses Cloudflare and also loads content (JavaScript etc.) from other CDNs
- Governments that can legally access any of the above (e.g., accessing data with a court order)
- At least 3 foreign governments that hacked into any of the above
- Maybe a few hacker groups that hacked into any of the above
- Providers of widgets that the web site uses (share, like, discuss etc)
- And their dependencies and so on...

For example, let's consider https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-cisco-products-could-allow-for-remote-code-execution_2019-046/, which is quite trustworthy compared to other sites on the internet. It loads content from the following domains:
- www.cisecurity.org : a US based non-profit organization
- cdn.jsdelivr.net : operated by a company based out of Poland
- consent.cookiebot.com : operated by a company based out of Denmark
- www.googletagmanager.com : Google
- www.google-analytics.com : Google
- stats.g.doubleclick.net : Google

So even by visiting a relatively trustworthy website you are exposed to multiple parties. It gets even worse when you visit other sites, such as clickbait pages and pages bloated with ads.
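
To check a page for this kind of exposure before analysts start relying on it, you can list the hosts it pulls resources from. The following is an added example, not code from the original post: it parses a saved copy of a page offline and reports every host other than the page's own that a browser would contact. The function names, the sample URL path and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes a browser fetch a resource on page load.
# Simplification: every <link href> is counted, although some rel values
# (e.g. canonical) do not trigger a request.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceHostParser(HTMLParser):
    """Collects the hosts a browser would contact while rendering a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # Resolve relative and protocol-relative URLs against the page.
                host = urlparse(urljoin(self.page_url, value)).hostname
                if host:
                    self.hosts.add(host)

def third_party_hosts(page_url, html):
    """Return the sorted hosts, other than the page's own, that get a request."""
    parser = ResourceHostParser(page_url)
    parser.feed(html)
    own = urlparse(page_url).hostname
    return sorted(h for h in parser.hosts if h != own)

# Constructed sample markup (not the real page source), using hosts named above.
SAMPLE_URL = "https://www.cisecurity.org/advisory/example/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.jsdelivr.net/npm/lib.js"></script>
<script src="//consent.cookiebot.com/uc.js"></script>
<script src="https://www.googletagmanager.com/gtm.js"></script>
</head><body>
<img src="https://www.google-analytics.com/collect?v=1">
<a href="https://example.org/not-fetched">a plain link is not loaded</a>
</body></html>
"""

if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_URL, SAMPLE_HTML):
        print(host)
```

This only sees what is in the static HTML; scripts can pull in further hosts at run time, so treat the result as a lower bound.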

What's the solution? 

Don't go out blindly searching for information. Bring the data into your private instances/network and process it locally first. Only go out when it is necessary and worth it.

Also keep in mind that there is always a risk; after all, your threat model includes nation-state actors.



