SDaPS: FTaTAtRIER Sensitive Data and Public Systems: Free Tools and Tactical Approaches to Reduce Information Exposure Risk Shawn Merdinger Network Security.


1 SDaPS: FTaTAtRIER
Sensitive Data and Public Systems: Free Tools and Tactical Approaches to Reduce Information Exposure Risk
Shawn Merdinger, Network Security Analyst, University of Florida
Steve Werby, Information Security Officer, University of Texas at San Antonio
4/5/2011

2 Before we get started
We will be asking you questions
Visit poll4.com
Enter “75089” (without the quotes) and click “Submit”
or
Open SMS client
Text “75089” (without the quotes) to one time to register

3 In a perfect world
Deny all by default - locked down, private network
System inventory, app inventory
Vigilant enterprise patch management
Routine vulnerability scanning of all systems
Routine sensitive data discovery
DLP
Comprehensive IPS, WAF and SIM
24/7/365 SOC

4 The real world

5 Agenda
Goals
Higher-ed incidents
Tools and strategies
Advice
Menu of tools
Poll results
Discussion

6 Goals

7 Goals
Raise awareness of extent of sensitive data leakage
Demonstrate tools for acquisition and analysis
Identify low-hanging fruit
These are tools hackers will use
  Zero to low cost
  Well-documented, presentations (Defcon)
  Lend themselves to automated scripting
But….

8 Challenges to doing this
No commercial alerting or tools cover all
  Have to cobble together yourself
Output requires manual review (“eyeballing”)
  Make actionable and add to ticket process, etc.
Have to make the biz case to dedicate resources and people
Technically savvy scripting with Ruby or Python for automation

9 Poll – who are you? Poll: What is your name (use an alias if you p...

10 Poll – student population
Poll: How many total students does your instit...

11 Poll – staffing Poll: How many staff are there in your institu...

12 Incidents
3/3/2011: 6,030 Missouri State University students’ SSNs+ exposed via Google after lists put on “unsecured server”. [1]
2/22/2011: 13,000 Chapman University and Brandman University students’ SSNs+ accidentally placed in “non-secure folder”. [1]
1/24/2011: 1,300 Wentworth Institute of Technology students’ SSNs+ inadvertently put online, but could only be found during a “targeted search” of the school’s website. [1]

13 Poll – sensitive data exposure
Poll: Has your institution experienced an expo...

14 Effective Google-Fu
Operators
  OR operator
  – operator
  * operator
Filters
  site:
  filetype:
  intext:, intitle:, inurl:
GoogleGuide Advanced Operators Cheat Sheet

15 Leveraging Google
Search YOUR.edu for compromises and attacks
  Spam – viagra
  Malware – LizaMoon SQLi [1a 1b]

16 Poll – content injection
Poll: Has your institution experienced spam or ...

17 Leveraging Google
Search YOUR.edu for apps
  …that are vulnerable – phpMyAdmin
  …that [perhaps] shouldn’t be public

18 Leveraging Google
Search YOUR.edu for confidential data
  Grades – grades.csv, .csv + headings
  Social security numbers – ssn
  DOBs, passwords, financial transactions

19 Leveraging Google

20 Leveraging Google
Search YOUR.edu for attacker gold
  robots.txt [1a 1b 1c] [2]
  Error messages
    MySQL database connection failures [1a 1b] [2] [3a 3b 3c]
  Usernames
  Password policies and authentication controls

21 Google Alerts
Monitor Google results [1]
  Control search term, frequency, delivery method
  Delivery methods: address, Google Reader (RSS) - automate via API or Atom feed
Example
  site:edu viagra generic prescription
  Compromised page URL removed from presentation
  Pharma spam page URL removed from presentation
$ - Free

22 Google Alerts
site:ufl.edu OR site:fcla.edu "free hindi ringtones" OR "free sexy ringtones" OR "free alcatel ringtones" OR "kyocera ringtones" OR "free verizon ringtones"
site:ufl.edu OR site:fcla.edu "latin ringtones" OR "free ericsson ringtones" OR "free allatel ringtones" OR "sony ringtones" OR "free tracfone ringtones"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "hydrocodone online" OR "no phentermine prescription" OR "cheap fioricet" OR Cozaar OR biagra OR "Biaxin Interaction"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "adipex online" OR "buy soma" OR "xenical online" OR "buy celexa" OR "buy xenical" OR "diethylpropion online"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "buy cheap discount" OR "buy cheap" OR "discount cheap"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "buy diethylpropion" OR "lipitor online" OR "buy hoodia gordonii" OR "provillus" OR "natural Hair Loss Treatment" OR "valtrex online"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "cheap levitra online" OR "cheap viagra online" OR "buy viagra online" OR "buy herbal phentermine online" OR "Effexor And Menopause"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "free daily porn" OR "free celebrity porn" OR "free asian porn" OR "free black porn"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "free tax preparation" OR "free tax filing" OR "bad credit personal loans"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "payday loan" OR "emergency payday loan"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc phentermine OR viagra OR cialis OR vioxx OR oxycontin OR levitra OR ambien OR xanax OR paxil OR "slot-machine" OR "texas-holdem" OR "rolex"
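Slides 21 and 22 say the alert results can be pulled as an RSS/Atom feed and automated, and slide 8 notes the output still needs "eyeballing" and a ticket. The script below is an added example of the defender-side consumer for such a feed; it is not code from the presentation or from Google. It parses an Atom feed, drops results already ticketed, keeps only hits whose target is on the institution's own hosts, and buckets each hit by the kind of alert term it matched so the review queue is short and routed. The feed is a constructed sample in the Atom 1.0 shape Google Alerts emits; the domain list and the category keywords are assumptions.

```python
"""Triage Google Alerts results delivered as an Atom feed (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

ATOM = "{http://www.w3.org/2005/Atom}"

# Assumed institution scope (the slides used site:ufl.edu OR site:fcla.edu).
OUR_DOMAINS = ("example.edu",)

# Routing buckets: keyword lists adapted from the slide's alert terms plus an
# assumed sensitive-data bucket. Matching is on the result title only.
CATEGORIES = {
    "pharma-spam": ("viagra", "cialis", "phentermine", "levitra", "xanax", "hydrocodone"),
    "ringtone-spam": ("ringtones",),
    "loan-spam": ("payday loan", "bad credit", "tax filing"),
    "sensitive-data": ("ssn", "social security", "grades.csv", "password"),
}

# Constructed sample feed: two in-scope hits, one already ticketed, one off-scope.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Google Alert - site:example.edu viagra OR ssn</title>
  <entry>
    <id>tag:google.com,2005:reader/item/0001</id>
    <title>Cheap viagra online - Department of History</title>
    <link href="https://www.google.com/url?url=http://history.example.edu/news.php%3Fid%3D7&amp;ct=ga"/>
    <published>2011-03-30T12:00:00Z</published>
  </entry>
  <entry>
    <id>tag:google.com,2005:reader/item/0002</id>
    <title>grades.csv - Registrar file share</title>
    <link href="https://www.google.com/url?url=http://registrar.example.edu/export/grades.csv&amp;ct=ga"/>
    <published>2011-03-30T13:00:00Z</published>
  </entry>
  <entry>
    <id>tag:google.com,2005:reader/item/0003</id>
    <title>free ringtones - Example University</title>
    <link href="http://music.example.edu/old/index.html"/>
    <published>2011-03-29T08:00:00Z</published>
  </entry>
  <entry>
    <id>tag:google.com,2005:reader/item/0004</id>
    <title>Example University warns students about SSN leak</title>
    <link href="https://www.google.com/url?url=http://news.example.com/story/123&amp;ct=ga"/>
    <published>2011-03-30T14:00:00Z</published>
  </entry>
</feed>
"""


def unwrap_redirect(href):
    """Alert links are wrapped in a google.com/url redirect; return the real target."""
    u = urlparse(href)
    if u.netloc.endswith("google.com") and u.path == "/url":
        target = parse_qs(u.query).get("url")
        if target:
            return target[0]
    return href


def in_scope(url, domains):
    """True only for the exact domain or a subdomain of it (no suffix tricks)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(title):
    """Route the hit to a review bucket based on the alert terms in its title."""
    t = title.lower()
    for name, terms in CATEGORIES.items():
        if any(term in t for term in terms):
            return name
    return "uncategorized"


def triage(feed_xml, domains=OUR_DOMAINS, seen_ids=None):
    """Return ticket-ready records for new, in-scope entries; updates seen_ids in place."""
    seen_ids = set() if seen_ids is None else seen_ids
    root = ET.fromstring(feed_xml)
    tickets = []
    for entry in root.iter(ATOM + "entry"):
        entry_id = entry.findtext(ATOM + "id", "")
        if entry_id in seen_ids:
            continue
        seen_ids.add(entry_id)  # remembered even if dropped, so it is reviewed once
        link = entry.find(ATOM + "link")
        url = unwrap_redirect(link.get("href", "")) if link is not None else ""
        if not in_scope(url, domains):
            continue
        title = entry.findtext(ATOM + "title", "")
        tickets.append({
            "id": entry_id,
            "host": urlparse(url).hostname,
            "url": url,
            "title": title,
            "category": classify(title),
            "published": entry.findtext(ATOM + "published", ""),
        })
    return tickets


if __name__ == "__main__":
    for t in triage(SAMPLE_FEED, seen_ids={"tag:google.com,2005:reader/item/0003"}):
        print(f'{t["published"]} [{t["category"]}] {t["host"]} {t["url"]}')
```

In production the seen-id set would be persisted between runs (a file or the ticket system itself) and the feed fetched from the alert's feed URL; the in-scope filter matters because alert terms also match news stories about the institution, which are not exposures.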

23 Don’t reinvent the wheel

24 Google Hacking Database (GHDB)
Searchable, categorized collection of useful queries
3,200+ listings
Find interesting targets, data and vulnerabilities
GHDB + Google Alerts

25 Google Hacking Database (GHDB)
Web app installation files
  vBulletin
Error messages
  SQL Server errors on .asp pages
System info
  phpinfo() [1a 1b 1c 1d]

26 Poll – Google to find data/systems
Poll: Does your institution use Google, Google...

27 More Internet search tools
Facebook
  Openbook
Twitter
  Twitter Search
  Twilert
$ - Free

28 SHODAN “Computer Search Engine”
Searchable DB of pre-scanned hosts -- this is passive, no active scanning/probing
Crawls Internet and grabs system banners
  TCP ports 80, 21, 22, more en route
  SSL survey (TCP/443)
Will find many systems that web search engines won’t
$ - Free, paid

29 SHODAN interface

30 Effective SHODAN-Fu
Operators
  +, -, |
Filters
  hostname: [1a 1b]
  net: [1a 1b]
  os:, port (21, 23, 443, etc.): [1] [2]
  before:, after: [1a 1b 1c] [2a 2b]

31 SHODAN
Purchase credits for exportable XML results
SHODAN requires account and login
  for some search filters (e.g. country code)
  for export of XML results (up to 1000)
Special for .edu folks
  Contact John Matherly
  Tell him you are with .edu
  Will get more capability added to your account

32 SHODAN
Popular searches
API – Ruby, Python
Exploit search (Metasploit, OSVDB)
Interesting searches
  Default password [1] [2]
  Webcams [Running webcamXP] [Some Axis cameras]
  Cisco routers [1]
  Printers [1] [2]

33 Example SHODAN searches
.edu Cisco device with no http authentication configured
  modified%22
LAN-based projectors that can’t be secured with authentication
  Length%3A+519
.edu Polycom video conference systems

34 Example SHODAN searches
SNOM VoIP phones with no http authentication configured (make calls / pcap via http)
  voip-phone/
S2 Security Door Access Controller
  +no-cache%2Cmust-revalidate
S2 Security: I reported several vulns to US-CERT, presented at Defcon, etc.

35 Example SHODAN searches
.edu old versions of Microsoft IIS
  .edu IIS/2.0
  .edu IIS/3.0
  .edu IIS/4.0

36 But authentication is required!
Passwords often aren’t changed from defaults
  Devices with no IT support
  Unaware of web interfaces and exposed services
  Unaware device is accessible via Internet
  Unaware of value to adversary
Password databases
  CIRT.net Default Passwords
  CyXla’s Password Database
  Built into many pen-testing tools

37 Poll – finding risky public systems
Poll: Does your institution use a tool to find...

38 Domain names
Unauthorized or unknown use of trademark
Phishing
  Malware distribution, credential theft

39 DomainTools
Extensive array of tools
  Domain search, reverse IP search, etc.
Domain search [1a 1b 1c] [2]
  Registrant name, phone #, address, address
  Social engineering
  Hope they never leave, take vacation, get hit by a bus
Domain typos
$ – free, paid

40 Local sensitive data discovery
Search for sensitive strings
  Social security numbers, credit card numbers
  More
Tools
  Spider (Cornell University) [1]
  SENF (The University of Texas at Austin) [1]
  Find_SSNs (Virginia Tech) [1]
$ - Free, free, free
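The tools named on slide 40 search local files for SSN and card-number patterns, and the practical difficulty (slide 8 again) is the noise a bare regex produces. The scanner below is an added example, not the Spider, SENF or Find_SSNs code, showing the structural checks that cut that noise: SSN area/group/serial rules, and length plus Luhn plus issuer prefix for card numbers. Findings carry a masked value and a line number only, so the scan report does not become another copy of the data. SAMPLE_TEXT is a constructed file; the SSNs in it are the publicly advertised never-issued examples and the card numbers are the well-known issuer test numbers.

```python
"""Local discovery of SSNs and card numbers with false-positive filtering (added example)."""
import os
import re

# Separated form only (nnn-nn-nnnn or nnn nn nnnn); bare 9-digit runs are
# skipped on purpose because they collide with phone and student ID numbers.
SSN_RE = re.compile(r"\b(\d{3})([- ])(\d{2})\2(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Issuer prefixes for the major brands (Visa, MasterCard, Amex, Discover).
ISSUER_RE = re.compile(r"^(4|5[1-5]|3[47]|6011|65)")

# Constructed sample: lines 3-4 hold real-looking values, lines 5-8 hold
# look-alikes that a bare regex would report and the checks below reject.
SAMPLE_TEXT = """Student roster export (constructed sample)
name,ssn,card
A. Student,219-09-9999,4111-1111-1111-1111
B. Student,078-05-1120,378282246310005
C. Student,000-12-3456,4111 1111 1111 1112
D. Student,666-12-3456,1234567890123
E. Student,123-00-4567,call 352-555-0100
F. Student,987-65-4320,ticket 123-45-0000
"""


def luhn_ok(digits):
    """Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_ssn(area, group, serial):
    """Reject area 000/666/900-999, group 00 and serial 0000 (never issued)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def mask(digits):
    """Keep only the last four digits for the report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text, source="<string>"):
    """Return findings as dicts: type, source, line, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if valid_ssn(area, group, serial):
                findings.append({"type": "ssn", "source": source, "line": lineno,
                                 "masked": mask(area + group + serial)})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and ISSUER_RE.match(digits) and luhn_ok(digits):
                findings.append({"type": "card", "source": source, "line": lineno,
                                 "masked": mask(digits)})
    return findings


def scan_path(root, extensions=(".txt", ".csv", ".log", ".xml", ".html")):
    """Walk a directory tree and scan plain-text files; returns all findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), source=path))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT, source="roster.csv"):
        print(f'{f["source"]}:{f["line"]} {f["type"]} {f["masked"]}')
```

Office documents, PDFs and archives need a text-extraction step in front of scan_text; the discovery tools on the slide ship with one, which is the main reason to use them rather than a bare regex.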

41 Poll – domain name monitoring
Poll: Does your institution monitor for the cr...

42 FOCA
Fingerprinting Organizations with Collected Archives
Web crawler
Metadata risks

43 What Is FOCA?
Standalone Java tool
Uses Google, Bing, Exalead
Crawls defined web site or TLD - *.ufl.edu
Automatically downloads documents
Analyzes documents’ metadata from Word, Excel, PPT, PDF
Can create a nice, detailed report

44 FOCA Interface

45 Risks of Metadata
Usernames
  Document owner and creator
  Spear phishing risks (SANS mention in RSA hack)
Application and OS used
  Vulnerable version of PDF creator on M$ XP
Internal infrastructure disclosure
  Network shares and paths, printers
  Increases risk of secondary attack / recon
NSA Document: “Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures”

46 Metadata Leak Defense
Run FOCA against own domain
  Follow-up with key departments (e.g. finance)
Scrubbing metadata from docs
  User-level tools
  Web server plugins (Informatica64 IIS tool)
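Slides 45 and 46 list the metadata FOCA harvests (usernames, application and version, internal shares and paths) and the defence (scrub it before publishing). The script below is an added example, not FOCA or the Informatica64 tool: for a Word .docx the metadata lives in two zip members, docProps/core.xml (author, last-modified-by) and docProps/app.xml (application, version, company, template path). read_metadata() shows what a crawler sees and scrub() blanks the identifying fields and rewrites the package, which is the shape of a server-side scrubbing step. The sample document is constructed in memory by build_sample_docx(); every name and path in it is made up, and the document body is a skeleton, enough to exercise the metadata parts only.

```python
"""Inspect and scrub identifying metadata in a .docx package (added example)."""
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by the two metadata parts; registered so the rewritten XML
# keeps the prefixes Word wrote instead of ns0/ns1.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")

# Fields matched by local name; each maps to a risk from slide 45.
IDENTIFYING = {
    "creator", "lastModifiedBy",   # usernames -> spear-phishing input
    "Application", "AppVersion",   # software and version -> exploit selection
    "Company", "Manager",          # organisational detail
    "Template", "HyperlinkBase",   # internal shares and paths
}


def build_sample_docx():
    """Constructed .docx skeleton with the metadata a real one carries."""
    core = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"
 xmlns:dcmitype="%(dcmitype)s" xmlns:xsi="%(xsi)s">
  <dc:title>FY2011 budget memo</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>FINANCE\\jdoe</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2011-03-01T09:00:00Z</dcterms:created>
</cp:coreProperties>""" % NS
    app = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="%s">
  <Application>Microsoft Office Word</Application>
  <AppVersion>12.0000</AppVersion>
  <Company>Example University Finance</Company>
  <Template>\\\\fileserver01\\templates\\memo.dotx</Template>
</Properties>""" % NS[""]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", '<?xml version="1.0" encoding="UTF-8"?><document/>')
    return out.getvalue()


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def list_parts(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return zf.namelist()


def read_metadata(docx_bytes):
    """Return {property name: text} for every top-level property in both parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in METADATA_PARTS:
            if part in zf.namelist():
                for el in ET.fromstring(zf.read(part)):
                    found[_local(el.tag)] = (el.text or "").strip()
    return found


def scrub(docx_bytes, fields=IDENTIFYING):
    """Blank the identifying properties and return the rewritten package bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():  # keep member order; Word expects [Content_Types].xml first
            data = src.read(info.filename)
            if info.filename in METADATA_PARTS:
                root = ET.fromstring(data)
                for el in root:
                    if _local(el.tag) in fields:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(info.filename, data)
    return out.getvalue()


SAMPLE_DOCX = build_sample_docx()

if __name__ == "__main__":
    print("before:", read_metadata(SAMPLE_DOCX))
    print("after: ", read_metadata(scrub(SAMPLE_DOCX)))
```

Dates and the title are left in place because they are not what the slide flags; the same two-part layout applies to .xlsx and .pptx, while PDF metadata (the NSA document on slide 45) needs a PDF-aware tool.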

47 Getting FOCA
Free, limited function version to try
Full version
  More searches, reporting functions, updates
Tip: Tell Chema from Informatica64 you're with .edu - will give a free copy of FOCA if you pay to attend online training
Blog post with links to Chema presos, etc.
  Metadata-Analysis-With-FOCA-25.html

48 Poll – metadata analysis
Poll: Does your institution use a metadata ana...

49 Advice

50 Advice – 20,000’ view
Visibility
  Scan & inventory
Systems security
  Keep OS/apps current
  Change default passwords
  Disable/change banners & paths
Policy and education
  Requirements
  Risks, +/- actions
  Track and report

51 Advice – the weeds
usernames@host.edu = no!
Delete [data|users|databases|systems] that’s not needed
robots.txt is not your friend
Disable directory indexing
Ask yourself “does the system/data need to be public?” (consider hybrid approach)

52 Poll – Google Alerts Poll: Will you use the Google Alerts at your i...

53 Poll – GHDB Poll: Will you use the Google Hacking Database...

54 Poll - SHODAN Poll: Will you use SHODAN at your institution?

55 Poll - DomainTools Poll: Will you use DomainTools at your institu...

56 Poll - FOCA Poll: Will you use FOCA at your institution?

57 Poll - feedback Poll: Feedback (comments, questions)?

58 Menu of tools and resources
ARIN Whois
CIRT.net Default Passwords
CyXla’s Password Database
DataLossDB
DomainTools

59 Menu of tools and resources
Educational Security Incidents
Find_SSNs nd_ssns.html
FOCA
Google Hacking Database
Google Alerts

60 Menu of tools and resources
GoogleGuide Advanced Operators Cheat Sheet nce.html
Openbook
Poll Everywhere
Secunia Advisories
SENF

61 Menu of tools and resources
SHODAN
Spider
Twilert
Twitter Search

62 Questions/Discussion
?

63 Notes
Some links included in the live presentation were removed from this copy due to their sensitive nature; for the same reason, a few links were changed so the scope of files or devices searched for was broader.
The official copy of the presentation, speaker bios and other resources (including raw data from the poll conducted during the live presentation) can be found at

64 Contact us
Steve Werby
Shawn Merdinger
steve.werby@utsa.edu

