Disaster-Resource.com

Is Your Own Website Tipping Your Hand to Hackers?

Hackers might not have to burrow through your trash bins, pay off a disgruntled employee or even deploy some elaborate cracking program to gain access to your network. Clues and hints that could give them all the information they need may be just waiting to be discovered right on your organization’s website. At least that’s the claim of a story that recently ran on CNet’s Asian news service, entitled “Careless Web Site Content Can Place Your Company At Risk” (http://asia.cnet.com/itmanager/project/0,39006404,39169712,00.htm).

According to the story, written by Debra Young of TechRepublic, seemingly innocuous fragments of information might hold the keys to bypassing any elaborate wall of IT security an organization has built.

Experts quoted in the story offer a number of suggestions for closing the loopholes that might allow hackers access to your network.

Complete employee names in e-mail addresses can be used by hackers to guess network user names. Use Web forms, experts suggest, rather than giving the general public access to your full staff’s internal e-mail address list.

Avoid URLs that might tip off outsiders as to the architecture of your system. For example, experts in the story describe how older versions of Sun servers generate URLs featuring references to the internal site directory. This can enable hackers to determine how to bypass security for that particular system.

Any browser can call up the source code of any Web page. Often, developers neglect to purge the source code of information that might let a hacker see how your network is organized.

“Don’t throw information up on the Web site without giving it serious scrutiny as to how it can be used,” says the author. “If your in-house IT team doesn’t have the security expertise to protect you, engage a third party that does.”
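
As an added example (not from the CNet story or this site), the short Python audit below can be run over your own pages' source before publishing to flag the three kinds of leak described above: full e-mail addresses, internal directory paths in URLs, and leftover developer comments. The regular expressions, the directory prefixes and the sample HTML are constructed assumptions to adapt to your own site.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Heuristic: absolute filesystem paths (Windows or common Unix roots) that
# reveal server layout. The list of roots is an assumption; extend as needed.
PATH_RE = re.compile(
    r"(?:[A-Za-z]:\\[\w.\\-]+|/(?:usr|var|opt|home|export|etc|srv)/[\w./-]+)")

class LeakAuditor(HTMLParser):
    """Collects findings as (category, line_number, text) tuples."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _scan(self, text):
        line = self.getpos()[0]
        for m in EMAIL_RE.finditer(text):
            self.findings.append(("email", line, m.group()))
        for m in PATH_RE.finditer(text):
            self.findings.append(("internal-path", line, m.group()))

    def handle_comment(self, data):
        # Comments never render, but every visitor's browser receives them.
        if data.strip():
            self.findings.append(("comment", self.getpos()[0], data.strip()))
        self._scan(data)

    def handle_starttag(self, tag, attrs):
        for _name, value in attrs:  # href, src, action, ...
            if value:
                self._scan(value)

    def handle_data(self, data):
        self._scan(data)

def audit(html):
    auditor = LeakAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page: one comment, one staff address, one leaky URL,
# and a Web form, which exposes nothing.
SAMPLE = """<html><body>
<!-- TODO: move uploads off /export/home/web/docs/private -->
<a href="mailto:jane.doe@example.com">Jane Doe</a>
<a href="/export/home/web/docs/about.html">About</a>
<form action="/contact" method="post"></form>
</body></html>"""
```

Calling `audit(SAMPLE)` returns four findings with their line numbers; the contact form on line 5 produces none, which is the behaviour the Web-form advice aims for.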