This whole blog entry reminded me of some work I did on the new SANS 6 day hands on "Securing Oracle Track" that I have been writing for SANS. I covered information leakage in one of the modules, indeed i briefly mentioned the same in the book Oracle security step by step - A survival guide for securing Oracle. I did some research into this issue when writing about it for SANS. Quite frankly it is amazing in Oracle database and server terms and application terms what information some companies will leak to the Internet, either in newsgroups, mailing lists or even on corporate websites.
I have seen all manner of information, such as network configurations, usernames, passwords even, IP Addresses, applications used, third party and in-house, job specifications, even security policies and guidelines (very useful for a hacker to know the password policies!). I have even seen the source code for the authentication recently for a web based application that will interact with an Oracle database posted to a newsgroup where one of the developers wanted to ask a question.
This is a key lesson that companies need to learn. If you post details of IP Addresses, usernames, passwords and applications structure and even source code to the Internet or post your policies and working practices to publicly accessible web sites you should not be surprised if you get attacked.
Companies need to educate employees on these issues, its important.
I think in Duncan's case itís a lot less worrying as itís a public project anyway and he doesn't have live production data that can be lost to worry about. Also the main point is he understands the issue.
There has been 4 Comments posted on this article