If you talk to security people all over the world, you'll notice that things like XSS or SQL injection aren't of much interest anymore, because everyone knows what the problems are and how to prevent them (even if I'm not sure they really know enough about it). Anyway, I was thinking about how we can get data out of something like a database even when it is protected against the attacks just mentioned. I came up with something that I've never seen before, or at least not in the context of a security threat to data. Today it's very important to aggregate and mix data to get new information out of it, but have you ever thought about what happens if you can reconstruct sensitive data out of, let's say, public data?

Let's have a look at an example in which we're a student who has access to the school's intranet, where he can only look at news and at his own grades, as well as the average grades of a group of people such as his classmates, people of the same age, and so on.

The number in brackets is the number of people whose data is included in the average. In this example our name is Peter Miller, and we want to know the grades of our classmate Paul Svenson.

In the following tables you'll see the results of different requests to the school information system.

Now let’s check our whole class (3b):

Now we can calculate the worst possible grades of "Lisa Wilson" (born in 1980 and one of the two females in class 3b) from the information in the table "Average grades of females in class 3b".

With this information we have the grades of two of the three people who were born in 1980 (Lisa's grades being, as already written, the worst possible ones). This means we can now calculate the last person's grades (which will of course also be the worst possible), and that person is Paul Svenson, our final target.
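The two-step inference above, worked through in code, as an added example that is not part of the original post. The roster, the grades, the group definitions and the grade scale (1 best, 6 worst) are all constructed for the example; the post's own tables are not reproduced. The first half shows how a released average plus its group size turns into a sum, and how subtracting what the querying student already knows bounds one more person's grade. The second half is the defender's side: a minimum-group-size rule on the aggregate endpoint, and a check that two released groups do not differ by a set smaller than that minimum, because otherwise subtracting one total from the other isolates that small set even though each group on its own passed the threshold.

```python
"""Reconstructing one person's grade from released group averages, and the
defender-side check that catches it. Every name, grade and group here is
constructed for this example; none of it is the post's data."""

from dataclasses import dataclass
from fractions import Fraction
from typing import Callable

GRADE_MIN, GRADE_MAX = 1, 6  # assumed scale: 1 is the best grade, 6 the worst


@dataclass(frozen=True)
class Student:
    name: str
    cls: str
    born: int
    female: bool
    grade: int


# Constructed roster (not the post's data). Peter is the student running the
# queries; he knows only his own grade.
ROSTER = [
    Student("Peter Miller", "3b", 1980, False, 2),
    Student("Paul Svenson", "3b", 1980, False, 4),
    Student("Lisa Wilson", "3b", 1980, True, 3),
    Student("Anna Berg", "3b", 1981, True, 1),
    Student("Tom Reed", "3b", 1981, False, 5),
]

# The predefined aggregate views the (hypothetical) portal offers.
QUERIES: dict[str, Callable[[Student], bool]] = {
    "class 3b": lambda s: s.cls == "3b",
    "females 3b": lambda s: s.cls == "3b" and s.female,
    "born 1980": lambda s: s.born == 1980,
    "born 1981": lambda s: s.born == 1981,
}


def release_average(students, predicate, k=1):
    """Portal endpoint: (average, count) for the matching students, or None when
    the group is smaller than the minimum group size k."""
    grades = [s.grade for s in students if predicate(s)]
    if len(grades) < k:
        return None
    return Fraction(sum(grades), len(grades)), len(grades)


def bound_unknown(total, known_sum, n_unknown, lo=GRADE_MIN, hi=GRADE_MAX):
    """Interval (best, worst) for ONE of n_unknown people whose grades add up to
    total - known_sum: the other unknowns are pushed to the scale's extremes."""
    rest = total - known_sum
    return (max(lo, rest - (n_unknown - 1) * hi),
            min(hi, rest - (n_unknown - 1) * lo))


def reconstruct(students, attacker="Peter Miller"):
    """The two-step inference from the post, on the constructed roster:
    1. the 'females 3b' average bounds Lisa's grade (2 females, neither known);
    2. the 'born 1980' average, minus the attacker's own grade and Lisa's bounds,
       bounds Paul's grade. Returns {name: (best, worst)}."""
    own = next(s.grade for s in students if s.name == attacker)
    avg_f, n_f = release_average(students, QUERIES["females 3b"])
    lisa = bound_unknown(avg_f * n_f, 0, n_f)
    avg_y, n_y = release_average(students, QUERIES["born 1980"])
    rest = avg_y * n_y - own  # what is left is Paul's grade plus Lisa's
    paul = (max(GRADE_MIN, rest - lisa[1]), min(GRADE_MAX, rest - lisa[0]))
    return {"Lisa Wilson": lisa, "Paul Svenson": paul}


def released_groups(students, queries, k):
    """Which queries the portal answers under a minimum group size k, as
    {query: frozenset of member names}."""
    groups = {q: frozenset(s.name for s in students if pred(s))
              for q, pred in queries.items()}
    return {q: g for q, g in groups.items() if len(g) >= k}


def differencing_violations(groups, k):
    """A minimum group size alone is not enough: if two released groups differ by
    fewer than k people, subtracting one total from the other isolates that
    small set. Returns [(query_a, query_b, isolated names)]."""
    bad = []
    names = list(groups)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for diff in (groups[a] - groups[b], groups[b] - groups[a]):
                if 0 < len(diff) < k:
                    bad.append((a, b, sorted(diff)))
    return bad


if __name__ == "__main__":
    print(reconstruct(ROSTER))  # Paul's grade is pinned to [4, 6]; the truth is 4
    safe = released_groups(ROSTER, QUERIES, k=3)
    print(sorted(safe))  # "class 3b" and "born 1980" survive the threshold ...
    print(differencing_violations(safe, k=3))  # ... but differ by only 2 people
```

Running it shows the point of the post on a five-person roster: with nothing but averages and group sizes, Paul's grade is narrowed to two possible values, and if Peter had known Lisa's grade it would be exact. The minimum-group-size rule removes the two-person groups, yet the pair that remains still leaks a two-person subgroup by subtraction, which is why `differencing_violations` has to be run over every released group, not just each group on its own.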

I hope you understood what I mean, and also why this is really something we should pay more attention to in the future.


Data Aggregation – The hidden Threat