Ah yes, the magic of Google hacking and advanced operators. All the “infosec cool kids” have been having a blast this week using a combination of filetype and site operators to look for classification markings in documents. I figure that with the WikiLeaks brouhaha lately, it might be a good idea to write a “howto” for government organizations to check for web leaks.
Now for the search string:, “enter document marking here” site:agency.gov filetype:rtf | filetype:ppt | filetype:pptx | filetype:csv | filetype:xls | filetype:xlsx | filetype:docx | filetype:doc | filetype:pdf looks for typical document formats on the agency.gov website looking for a specific caveat. You could easily put in a key phrase used for marking sensitive documents in your agency. Obviously there will be results from published organizational policy describing how to mark documents, but there will also be other things that should be looked at.
Typical document markings, all you have to do is pick out key phrases from your agency policy that have the verbatim disclaimer to put on docs:
- “This document contains sensitive security information”
- “Disclosure is prohibited”
- “This document contains confidential information”
- “Not for release”
- “No part of this document may be released”
- “Unauthorized release may result in civil penalty or other action”
- Any one of a thousand other key words listed on Wikipedia
- Use the “site:gov” operator to look for documents government-wide.
- Drop the “site” operator altogether and look for agency information that has been published on the web by third parties.
- Chain the markings together with an “or” for one long search string: “not for release” | “no part of this document may be released” site:gov filetype:rtf | filetype:ppt | filetype:pptx | filetype:csv | filetype:xls | filetype:xlsx | filetype:docx | filetype:doc | filetype:pdf
If you’re not doing this already, I recommend setting up a weekly/daily search looking for documents that have been indexed and follow up on them as an incident.