Google Advanced Operators and Government Website Leakage

Posted August 24th, 2010 by

Ah yes, the magic of Google hacking and advanced operators.  All the “infosec cool kids” have been having a blast this week using a combination of filetype and site operators to look for classification markings in documents. I figure that with the WikiLeaks brouhaha lately, it might be a good idea to write a “howto” for government organizations to check for web leaks.

Now for the search string:, “enter document marking here” site:agency.gov filetype:rtf | filetype:ppt | filetype:pptx | filetype:csv | filetype:xls | filetype:xlsx | filetype:docx | filetype:doc | filetype:pdf looks for typical document formats on the agency.gov website looking for a specific caveat.  You could easily put in a key phrase used for marking sensitive documents in your agency.  Obviously there will be results from published organizational policy describing how to mark documents, but there will also be other things that should be looked at.

Typical document markings, all you have to do is pick out key phrases from your agency policy that have the verbatim disclaimer to put on docs:

  • “This document contains sensitive security information”
  • “Disclosure is prohibited”
  • “This document contains confidential information”
  • “Not for release”
  • “No part of this document may be released”
  • “Unauthorized release may result in civil penalty or other action”
  • Any one of a thousand other key words listed on Wikipedia

Other ideas:

  • Use the “site:gov” operator to look for documents government-wide.
  • Drop the “site” operator altogether and look for agency information that has been published on the web by third parties.
  • Chain the markings together with an “or” for one long search string: “not for release” | “no part of this document may be released” site:gov filetype:rtf | filetype:ppt | filetype:pptx | filetype:csv | filetype:xls | filetype:xlsx | filetype:docx | filetype:doc | filetype:pdf

If you’re not doing this already, I recommend setting up a weekly/daily search looking for documents that have been indexed and follow up on them as an incident.



Similar Posts:

Posted in Hack the Planet, Technical, What Works | 3 Comments »
Tags:

Bolt-On Security

Posted August 19th, 2010 by

Build security in or bolt it on afterwords? Our IKANHAZFIZMA LOLCATS have an opinion on this today.



Similar Posts:

Posted in IKANHAZFIZMA | 1 Comment »
Tags:

Thought-Terminating Cliches and Infosec

Posted August 17th, 2010 by

Reference: Thought-Terminating Cliches.  They’re such a ugly things and all over the security industry and need to die, mostly because these things are so obvious that they need to die so we can introduce new ideas.

Just starting a collection, feel free to add more:

  • Compliant doesn’t mean secure.
  • You can always go above the minimum baseline.
  • You don’t know what you don’t know.
  • Security is a journey, not a destination.
  • We all know that $Foo is dying/dead/failing/stillborn.
  • There is no silver bullet.
  • It’s security, it’s supposed to be hard.


Similar Posts:

Posted in Rants | 7 Comments »
Tags:

Traffic Analysis and Rebuilding C&A

Posted August 17th, 2010 by

For some reason, “Rebuilding C&A” has been a perennial traffic magnet for me for a year or so now.  Seeing how that particular post was written in 2007, I find this an interesting stat.  Maybe I hit all the SEO terms right.  Or maybe the zeitgeist of the Information Assurance community is how to do it right.  Anyway, if you’re in Government and information security, it might be worthwhile to check out this old nugget of wisdom from yesteryear.



Similar Posts:

Posted in FISMA, NIST, The Guerilla CISO | No Comments »
Tags:

Metricon 5 Wrapup

Posted August 13th, 2010 by

Metricon 5 was this week, it was a blast you should have been there.

One of the things the program committee worked on was more of a practitioner focus.  I think the whole event was a good mix between theory and application and the overall blend was really, really good. Talking to the speakers before the event was much awesome as I could give them feedback on their talk proposal and then see how that conversation led to an awe-inspiring presentation.

I brought a couple security manager folks I know along with me and their opinion was that the event was way awesome. If you’re one of my blog readers and didn’t hunt me down and say hi, then whatcha waitin’ for, drop me an email and we’ll chat.

You can go check out the slides and papers at the Security Metrics site.

My slides are below.  I’m not sure if I was maybe a bit too far “out there” (I do that from time to time) but what I’m really looking for is a scorecard so that we can consciously build regulation and compliance frameworks instead of the way we’ve been doing it. This would help tremendously with public policy, industry self-regulation, and anybody who is trying to build their own framework.



Similar Posts:

Posted in Public Policy, Speaking | 1 Comment »
Tags:

Security Metrics

Posted August 12th, 2010 by

A common theme for me this year:  as a security manager, how do you use metrics to tell your boss that you’re doing a good job and yet at the same time you’re doing a bad job and need more money, time, and resources?



Similar Posts:

Posted in IKANHAZFIZMA | 1 Comment »
Tags:

« Previous Entries


Visitor Geolocationing Widget: