I’m going to assume that anyone reading this post with at least a few weeks of professional information technology work to their credit has at one time asked a question on a forum in pursuit of a technical solution. I have my own favorite forums and communities that I keep on the short list for when I need to ask questions. I’m also fairly active in answering people’s questions when I have the time.
Over the years of participating on forums, it’s fairly common to see people post logs or diagnostic information as they and the forum’s population try to troubleshoot the issue. Most of the time people remove any sensitive information, but once in a while you’ll see someone post the entire config file for a router that includes username and password (unencrypted, of course).
Recently I’ve noticed that, sometimes, the inhabitants of a forum or community will get a little cranky if not enough somewhat-private information is posted. We’re not talking about usernames and passwords, of course. Usually it revolves around domain names and DNS entries. That is, if a person is having issues surrounding DNS, especially public DNS records, a forum member will sometimes complain that the original author hasn’t provided enough information to help solve the problem. What follows is usually a request for the author to provide the public DNS name of the domain that is having problems.
I take immediate issue with wanting to know the public domain information of a post’s author, and have finally put my finger on the controversy. This is why I do not think people should post DNS information in public forum posts:
My Position, Part 1
If you post information on a public website concerning your workplace or a client, you should exclude as much information as possible. Any amount of information concerning a client can be used to bootstrap a potential intruder into your infrastructure. I recommend avoiding the mention of any real names that could trace your post back to a real company. That includes even public DNS entries.
Counter Argument: The above idea is commonly countered by something along the lines of “If attackers can gain entry into your systems simply by knowing a few relatively innocuous bits of information, then you have larger problems.” The rebuttal is that, while that might be a certain shade of true, narrowing down the scope of an attacker’s knowledge is undeniably helpful. If a potential attacker knows that a specific company uses SuperMicro, it’s just a little bit easier to either spearphish or attempt to attack external services using known exploits for that vendor and the stock hardware / software / firmware that often comes with it.
(Side note: That’s why I’m on my guard when working for American non-profits. Each non-profit has to file what is known as a “Form 990” which includes major purchases. I’ve perused a few 990s for organizations that I’ve worked for or supported and learned a lot about equipment purchases and brand preferences. Knowing major vendor relationships can bolster an attacker’s ability to do evil deeds.)
(Second side note: I don’t live this out perfectly because I do enjoy and see good business sense in being open with how an infrastructure is built. When building my own hosted services, I prefer to swing the door open and show build and status information that violates this position. However, in certain scenarios, it should still be carefully considered before information is shared about an infrastructure.)
My Position, Part 2
Furthermore, if you volunteer your time on a forum or in a community of some kind, don’t ask for specific information concerning a poster’s problem that could identify a company. Certainly don’t complain about people not posting those specifics. Don’t ask for real domain names, even if it’s a DNS question concerning public records.
First Counter Argument: “But wait! DNS names are public information!” you might howl. That’s true; however, if a poster reveals the domain name of the company he is working with, then suddenly the relationship between the author and a company has been established. Now that poster’s history on a forum or group of forums (people often use the same nickname on multiple forums) has a greater likelihood of being pertinent to that specific company. Did a person ask a series of questions months ago concerning how to run SMTP services on IIS 7? Oh but they were cautious and didn’t mention any company affiliations! Months later, tracking down a public DNS issue, if at a forum volunteer’s request they post the results of nslookup including full domain information, suddenly their posting history could be correlated to a specific company.
Second Counter Argument: “If they’re asking for help for a public DNS issue, then how can I help the person without being able to perform my own dig and nslookup queries?” Teach a man to fish, don’t hand him a plate of fish and chips.
Oh sure, perhaps they no longer work for the same place that used IIS 7 or maybe they’re a consultant like myself and have multiple clients come and go so relationships would be very hard to correlate. However, the likelihood is that there’s a solid relationship between that author, his posting history and a specific company. Certainly a quick look on LinkedIn or some other social networks could easily reveal if the poster is a consultant or has changed jobs in a certain time period. Nevertheless, all of this shows that a person’s history and relationships can be relatively easy to track down and will help in the event that an intruder starts an information gathering mission as a precursor to an attack.
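One way to share nslookup or dig output without naming the company, as an added example that is not part of the original post: the Python function below swaps the real domain for an RFC 2606 reserved name, maps every IPv4 address to a consistent RFC 5737 documentation address, and lists lines where the company label still appears. The domain `bigclient.test`, the addresses and the nslookup-style sample are all constructed for illustration.

```python
import re

# RFC 2606 reserved domains and RFC 5737 TEST-NET-1 are safe stand-ins.
PLACEHOLDER_DOMAINS = ["example.com", "example.net", "example.org"]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample (not real output): nslookup-style text for a made-up domain.
SAMPLE = """\
Server:  ns1.bigclient.test
Address:  198.51.100.53

Name:    mail.BigClient.test
Address:  198.51.100.25
bigclient.test  MX preference = 10, mail exchanger = mail.bigclient.test
bigclient.test  text = "v=spf1 ip4:198.51.100.25 include:_spf.bigclient-mail.test -all"
"""

def sanitize(text, real_domains):
    """Return (sanitized_text, lines_that_still_need_manual_review)."""
    if len(real_domains) > len(PLACEHOLDER_DOMAINS):
        raise ValueError("more domains than reserved placeholders")
    # Longest first, so a listed subdomain is replaced before its parent.
    ordered = sorted(real_domains, key=len, reverse=True)
    for real, fake in zip(ordered, PLACEHOLDER_DOMAINS):
        text = re.sub(re.escape(real), fake, text, flags=re.IGNORECASE)

    # Give each distinct address one placeholder, reused on every occurrence,
    # so readers can still tell which records point at the same host.
    seen = {}
    def swap_ip(match):
        ip = match.group(0)
        if ip not in seen:
            if len(seen) >= 254:
                raise ValueError("more addresses than 192.0.2.0/24 can hold")
            seen[ip] = f"192.0.2.{len(seen) + 1}"
        return seen[ip]
    text = IPV4_RE.sub(swap_ip, text)

    # The company label can survive outside the domain itself (look-alike
    # domains, hostnames, TXT data); flag those lines instead of guessing.
    labels = [d.split(".")[0].lower() for d in real_domains]
    review = [line for line in text.splitlines()
              if any(label in line.lower() for label in labels)]
    return text, review

if __name__ == "__main__":
    clean, review = sanitize(SAMPLE, ["bigclient.test"])
    print(clean)
    print("Review before posting:", review)
```

In the sample, the SPF record's `include:` target uses a look-alike domain that the substitution does not touch, so that line comes back in the review list for a manual edit.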
My Position, Part 3
Finally, there’s this thing called Google. Or Yahoo, or Bing, or Baidu, or DuckDuckGo, or Wolfram Alpha, or Cuil (har har), or whatever search engine you like to use. They index anything and everything and, unless you’re asking on a private site that disallows indexing, your question will be indexed within mere minutes of being posted. That can be bad for two reasons:
- If someone searches the company / domain name that you’ve posted, your post may come back. If you’re working for a SMB, your post could be on the first page of results. Now, anyone who searches for that company will see a page that says in essence “Something ain’t working right over here!” From a customer perspective, that could mean the difference between a relationship or them looking elsewhere. From the company’s perspective, well, it’s not uncommon for a company executive to have a Google search alert for their company’s name. Don’t be surprised if they see your post as a result. Depending on the company culture and your relationship to the company (internal IT or external consultant) that might not endear you to them.
- If someone searches for a name associated with you, such as a real name, your consultancy’s name if you’re independent, or your forum name, then they will see who you’re working for and what problems and weak spots might exist. The trouble associated with that has largely already been dealt with above.
Counter Argument: “That’s just silly.” No it isn’t. Nya nya nya you’re stupid and ugly. Or… something.
The Overarching Counter Argument to All of This:
“But still, you’ve got larger problems if information like that can lead to a break in!”
I disagree. Everyone has problems. Every grouping of infrastructure can be compromised, broken into and owned given enough time and effort. Every last thing. Every speck of code, every network appliance, everything that has a network presence and anything that plugs into an electrical socket can be compromised and turned against an organization.
The goal is to reduce not only the possible targets of attack, but to reduce the known information about the existing targets. “Security through obscurity” has gotten a bad reputation that isn’t universally deserved.
Don’t leave behind a public trail of problems that you have been working on solving that have a direct connection to a specific company. I realize it’s already easy enough to check someone’s LinkedIn profile for work history and then correlate the person to forum accounts. However, hanging it out directly in a forum post is just more low hanging fruit that is unnecessary.
This isn’t always easy to practice, and certainly public facing services like SaaS, IaaS, and Whatever-aaS do get a customer-relationship benefit from being open and transparent with what they’re building and the products that are being used to build it; however, those scenarios seem to be edge cases. In most cases, privacy is preferred.
I am paranoid.
What Say Ye?
The TL;DR summary of this post would be: “Don’t post info that can reveal who you’re working for. Don’t ask for info that could reveal who a person is working for. Don’t believe the fallacy that because public DNS records are public that it’s okay for an author to include it in their forum post.”
Do you agree? Am I unreasonably paranoid? Support or slay me in the comments below.