FINAL WORD
our devices hold over us, but as business leaders, how often do we consider the security implications of our employees' combined datasets?
The browser risk
When testing 1,000 of the most popular websites, according to Alexa – including Facebook, Google Mail, Amazon, Instagram and PayPal – Exabeam found users' personal information saved locally, in the computer's web browser, in the formats listed below.
As it turns out, it’s not just Strava users that
need to worry about staggering privacy and
security issues from location data tracking;
businesses are at risk too. All kinds of
employee information, from location, work
hours, habits, bank usage, applications and
even passwords are there for the taking if
you know where to look.
Recent research from Exabeam shows
criminals can exploit a huge amount of
personally identifiable information stored
in web browsers – including Google Chrome
and Firefox – with relatively basic malware
exploits. When an employee accesses the
Internet, their personal information is used
by website developers and advertisers to
customise browsing experience, track user
locations and maximise the impact of
targeted ads. This information is often stored
in their web browser, presenting a huge risk
for businesses.
A dangerous web dossier
The danger lies in the extensive ‘web
dossier’ that a hacker can build on an
individual, drawn from the detailed artefacts
stored in their web browser. This data can be
reviewed, combined and pieced together to
paint a picture of an employee’s habits and
past activities. It would also be simple for
an attacker to learn your corporate banking
details and in some instances, to recover
bank account numbers used to transfer
funds to other banks. With enough data, this
can also provide a foundation to predict a
person’s future actions.
For example, criminals can determine when
an employee is usually at work and when
they are at home. Accessing the employee’s
browser history will show an attacker their
personal interests. They can combine and
manipulate this, using information such as
hobbies, interests or children’s names to
guess an employee’s work passwords. In
extreme cases, an attacker can use sensitive
personal information to blackmail an
employee, turning an internal asset into a
dangerous insider threat.
Ryan Benson, Senior Threat Researcher
at Exabeam
For an attacker, harvesting enough information from a web browser to build a targeted dossier is simple. Easy-to-operate, readily available malware is all that's needed to access the range of data stored in web browsers, including:
• Visited sites (including URL, page title and timestamp)
• HTTP cookies
• LocalStorage (introduced with HTML5)
• Password manager data
• Autofill data
• Browser cache
This is potentially sensitive corporate
information, including account usernames,
associated email addresses, search terms,
titles of viewed emails and documents,
downloaded files and location data.
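The artefacts above are ordinary files on disk, and reading them takes no exploit at all. The following is an added example for this article (not Exabeam's research code and not OpenWPM): it reads the 'visited sites' artefact from Chrome's History database and Firefox's places.sqlite and turns the timestamps into the hour-of-day profile that, as described earlier, lets an attacker work out when an employee is at work and when at home. Both databases are built in memory with the real table and column names the two browsers use (a reduced subset of moz_places for Firefox); the visits, hostnames and titles are constructed.

```python
"""Read the 'visited sites' artefact from Chrome and Firefox history files.

Added example (not Exabeam's tooling, not OpenWPM). Browser history is a
plain SQLite file, so the timeline part of a 'web dossier' is a few queries.
Table/column names are the real ones (Chrome: History -> urls; Firefox:
places.sqlite -> moz_places, relevant columns only); the data is made up.
"""
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC (the
# WebKit epoch); Firefox stores last_visit_date as microseconds since
# 1970-01-01 UTC. Reading one with the other's epoch is off by 369 years.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _to_micros(delta: timedelta) -> int:
    # Integer arithmetic: dividing timedeltas gives a float, which loses
    # microsecond precision on WebKit-sized values (~1.3e16).
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    return _to_micros(dt - WEBKIT_EPOCH)


def firefox_to_datetime(us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=us)


def datetime_to_firefox(dt: datetime) -> int:
    return _to_micros(dt - UNIX_EPOCH)


# Constructed sample visits: not captured from any real machine.
SAMPLE_VISITS = [
    (datetime(2018, 3, 5, 8, 55, tzinfo=timezone.utc),
     "https://mail.example-corp.com/inbox", "Inbox (3) - Q1 budget review"),
    (datetime(2018, 3, 5, 9, 10, tzinfo=timezone.utc),
     "https://bank.example.com/transfer", "Transfer funds - Example Bank"),
    (datetime(2018, 3, 5, 12, 30, tzinfo=timezone.utc),
     "https://www.strava.com/athletes/1234", "Lunch run | Strava"),
    (datetime(2018, 3, 5, 17, 45, tzinfo=timezone.utc),
     "https://maps.example.com/?q=home", "Home - Maps"),
    (datetime(2018, 3, 6, 9, 2, tzinfo=timezone.utc),
     "https://hr.example-corp.com/payslips", "Payslips - HR portal"),
]


def sample_chrome_db() -> sqlite3.Connection:
    """In-memory stand-in for Chrome's 'History' file (real urls schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "title LONGVARCHAR, visit_count INTEGER DEFAULT 0, "
        "typed_count INTEGER DEFAULT 0, last_visit_time INTEGER, "
        "hidden INTEGER DEFAULT 0)")
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) "
        "VALUES (?, ?, 1, ?)",
        [(url, title, datetime_to_webkit(when)) for when, url, title in SAMPLE_VISITS])
    return conn


def sample_firefox_db() -> sqlite3.Connection:
    """In-memory stand-in for places.sqlite (moz_places, relevant columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "title LONGVARCHAR, visit_count INTEGER DEFAULT -1, last_visit_date INTEGER)")
    conn.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date) "
        "VALUES (?, ?, 1, ?)",
        [(url, title, datetime_to_firefox(when)) for when, url, title in SAMPLE_VISITS])
    return conn


def read_chrome_history(conn):
    """(visited_at, url, title) rows, oldest first. On a live machine the file
    (e.g. ~/.config/google-chrome/Default/History) is locked while Chrome
    runs, so copy it before opening."""
    rows = conn.execute(
        "SELECT url, title, last_visit_time FROM urls "
        "WHERE last_visit_time > 0 ORDER BY last_visit_time")
    return [(webkit_to_datetime(t), url, title) for url, title, t in rows]


def read_firefox_places(conn):
    rows = conn.execute(
        "SELECT url, title, last_visit_date FROM moz_places "
        "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date")
    return [(firefox_to_datetime(t), url, title) for url, title, t in rows]


def hours_of_activity(timeline) -> Counter:
    """Visits per hour of day (UTC): the raw material for inferring when the
    user is at work and when at home."""
    return Counter(visited.hour for visited, _, _ in timeline)


if __name__ == "__main__":
    timeline = read_chrome_history(sample_chrome_db())
    for visited, url, title in timeline:
        print(visited.isoformat(), url, "|", title)
    print("active hours:", dict(sorted(hours_of_activity(timeline).items())))
```

Pointing the two read functions at a copied History or places.sqlite file instead of the in-memory stand-ins gives the same timeline for a real profile; the only part that usually trips people up is the epoch conversion, which is why both directions are kept in integer microseconds.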
By reviewing saved login information,
Exabeam was also able to extract saved
passwords for all of the websites tested.
This is not a weakness of the websites
themselves, but the web browser’s default
password manager.
Exabeam’s research used OpenWPM, a
privacy measurement framework built on
Firefox (with a few modifications), focusing
the analysis on device and user geolocation
identifiers. It also tested user accounts and
actions – creating accounts, logging in and
performing relevant actions – to see what
traces of information could be found in the
local browser files.
Malware that harvests this information is also easy to obtain or to write. Families that do so, including the Cerber, Kriptovor and CryptXXX ransomware, have been around for years. The free NirSoft tool WebBrowserPassView dumps saved passwords from web browsers and, while ostensibly designed to help users recover their own passwords, is easily put to malicious use by attackers.
Many companies face an additional security risk: shared computers and workspaces. If a computer is left unlocked, its browser data can be extracted for analysis in seconds, with the malware introduced either from a USB device or through a malicious link.
Protect your employees
There are a number of steps you can take
to protect employees – and your business
– against the threat posed by web browser
information. Given that the most serious