Sunday, May 22, 2011

Website Security

Today I was searching for my email address on Google to see what information there is out there about me. This is a good practice for keeping track of what you have out on the internet. But I ran across a website that I had bought from before that had a large chunk of its client emails and some staff emails out in the open.

I was horrified that the company (a tech company) was not treating my privacy with the utmost respect and had what I consider a major security hole. Granted, the only information out there was email addresses, but the problem is what I could do with those thousand emails if I were a black hat (evil hacker) and just wanted to see what fun information I could get from them.

There are many different approaches a black hat could take with the information, including many different social engineering attacks. For instance, since the list included internal staff emails, it opened up the possibility of an attacker impersonating one of the coworkers in an attack to infect a worker's computer with a trojan, so that the hacker could get access to the internal network and from there do a lot greater damage.

The black hat could use the other emails to send personalized emails to the customers, trying to get them to log in to a fake site, or use some form of XSS to help him gather usernames and passwords, and from there maybe even more information like addresses and credit card information. Maybe the black hat impersonates the company and its website and offers a free mp3 player coupon for being a loyal customer of the company. All you need to do is update your information and pay for shipping and handling (to get your credit card).

There are 2 lessons that we can learn from this.

1. Check what information is out there on the internet, and always double check the addresses that people send you over email.

2. If you run a website, never let the public see anything more than they have to see. Everything else needs to be protected.
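
One way to act on lesson 2 from the site owner's side, as an added example that is not part of the original post: a Python script that walks a web root and reports files exposing many distinct email addresses. The directory layout, file names, extension list and threshold are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Simple address pattern; good enough for an audit, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Assumed list of text-like file types worth scanning.
TEXT_EXTENSIONS = {".html", ".htm", ".txt", ".csv", ".json", ".xml", ".js", ".log", ".sql", ".bak"}


def audit_web_root(web_root, threshold=5):
    """Return [(relative_path, distinct_address_count)] for every file under
    web_root that exposes at least `threshold` distinct email addresses."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(web_root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    text = handle.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            # Lower-case before de-duplicating so Bob@x and bob@x count once.
            addresses = {match.lower() for match in EMAIL_RE.findall(text)}
            if len(addresses) >= threshold:
                rel = os.path.relpath(path, web_root).replace(os.sep, "/")
                findings.append((rel, len(addresses)))
    return sorted(findings, key=lambda item: -item[1])


def build_sample_site(root):
    """Constructed sample: a contact page with one address and a customer
    export that was left inside the publicly served directory."""
    os.makedirs(os.path.join(root, "exports"))
    with open(os.path.join(root, "contact.html"), "w", encoding="utf-8") as f:
        f.write("<p>Questions? Write to support@shop.example</p>")
    with open(os.path.join(root, "exports", "customers.csv"), "w", encoding="utf-8") as f:
        f.write("email\n" + "\n".join(f"customer{i}@mail.example" for i in range(40)))
        f.write("\nCustomer3@mail.example\n")  # same address, different case


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel_path, count in audit_web_root(site):
            print(f"{count:5d} distinct addresses exposed in {rel_path}")
```

A single contact address on a page is expected; the threshold exists so that only bulk lists, like the customer export in the sample, are reported.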

Hope you check your stuff on Google.
