Thanks to the “boom” in the information security industry combined with the latest buzzwords, more and larger corporations are looking for the latest “next gen” anti-haxor services and technologies. In doing so they often go out publicly on a tender and/or issue an RFP/RFQ in order to obtain the best possible solution to meet their requirements and budget (usually cost *wins*).
Due to this, and to a lack of maturity in the field, companies issue public RFQs/RFPs that contain classified and confidential/secret information such as network diagrams, architectural designs, software versions, etc. Obtaining this type of information would usually require an attacker to spend an extensive amount of time on enumeration, or to first gain access to the internal network and then spend a significant amount of time learning about that environment. Targeting the procurement process of an organization therefore exposes a largely unexplored attack surface.
This new research and presentation aim to demystify the above and give practical examples of large international organizations that, unfortunately, fail badly at the RFP/RFQ process. This opens a “free and easy” attack vector that attackers can exploit without conducting extensive enumeration and fingerprinting, or anything close to intrusive attacks. As a result, an attacker often has access to an extensive amount of confidential information about the organization, which could be used to launch more targeted attacks. Depending on the type of information gathered, such attacks could be likened to those of an attacker with insider knowledge.
We will also demonstrate, via real-world examples, the dangers of blindly going out to market for specific services and products in the information security industry, with real-life networks being shown on stage.