the file includes 1 MB, Powerpoint Slides Uploaded on 04/09/2011
SDaPS: FTaTAtRIER
Sensitive Data and Public Systems: Free Tools and Tactical Approaches to Reduce Information Exposure Risk
Shawn Merdinger
Network Security Analyst
University of Florida
4/5/2011
Steve Werby
Information Security Officer
University of Texas at San Antonio
Before we get started
We will be asking you questions
Visit poll4.com
Enter “75089” (without the quotes) and click “Submit”
or
Open SMS client
Text “75089” (without the quotes) to 22333 one time to register
In a perfect world
Deny all by default - locked down, private network
System inventory, app inventory
Vigilant enterprise patch management
Routine vulnerability scanning of all systems
Routine sensitive data discovery
DLP
Comprehensive IPS, WAF and SIM
24/7/365 SOC
The real world
Agenda
Goals
Higher-ed incidents
Tools and strategies
Advice
Menu of tools
Poll results
Discussion
Goals
Goals
Raise awareness of extent of sensitive data leakage
Demonstrate tools for acquisition and analysis
Identify low-hanging fruit
These are tools hackers will use
Zero to low cost
Well-documented, presentations (Defcon)
Lend themselves to automated scripting
But….
Challenges to doing this
No commercial alerting or tools cover all
Have to cobble together yourself
Output requires manual review “eyeballing”
Make actionable and add to ticket process, etc.
Have to make the biz case to dedicate resources and people
Technically savvy scripting with Ruby or Python for automation
Poll – who are you?
Poll: What is your name (use an alias if you p...
Poll – student population
Poll: How many total students does your instit...
Poll – staffing
Poll: How many staff are there in your institu...
Incidents
3/3/2011: 6,030 Missouri State University students’ SSNs+ exposed via Google after lists put on “unsecured server”. [1]
2/22/2011: 13,000 Chapman University and Brandman University students’ SSNs+ accidentally placed in “non-secure folder” [1]
1/24/2011: 1,300 Wentworth Institute of Technology students’ SSNs+ inadvertently put online, but could only be found during a “targeted search” of the school’s website. [1]
Poll – sensitive data exposure
Poll: Has your institution experienced an expo...
Effective Google-Fu
Operators
OR operator
– operator
* operator
Filters
site:
filetype:
intext:, intitle:, inurl:
GoogleGuide Advanced Operators Cheat Sheet
Leveraging Google
Search YOUR.edu for compromises and attacks
Spam – viagra
Malware – LizaMoon SQLi [1a 1b]
Poll – content injection
Poll: Has your institution experienced spam or ...
Leveraging Google
Search YOUR.edu for apps
…that are vulnerable – phpMyAdmin
…that [perhaps] shouldn’t be public
Leveraging Google
Search YOUR.edu for confidential data
Grades – grades.csv, .csv + headings
Social security numbers – ssn
DOBs, passwords, financial transactions
Leveraging Google
Search YOUR.edu for attacker gold
robots.txt [1a 1b 1c] [2]
Error messages
MySQL database connection failures [1a 1b] [2] [3a 3b 3c]
Usernames
Password policies and authentication controls
Google Alerts
Monitor Google results [1]
Control search term, frequency, delivery method
Delivery methods
Email address
Google Reader (RSS) - automate via API or Atom feed
Example
site:edu viagra generic prescription
Compromised page URL removed from presentation
Pharma spam page URL removed from presentation
$ - Free
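The slide above points at the Atom feed as the way to automate Google Alerts. The script below, an added example and not the presenters' code, shows what that automation looks like on the receiving end: it parses an alert feed, unwraps each hit to the real page, keeps only hits under your own domains, de-duplicates against ids already seen, and emits one JSON record per hit for the ticket process. The feed text is a constructed sample; the google.com/url?...&url=<target> redirect wrapping on entry links is an assumption about the feed format, and unwrap() falls back to the raw href when it is absent.

```python
"""Turn a Google Alerts Atom feed into de-duplicated, ticket-ready records.

Added example for the Google Alerts slide ("automate via API or Atom feed");
it is not the presenters' code. The feed text is a constructed sample. The
google.com/url?...&url=<target> redirect wrapping on entry links is an
assumption about the feed format; unwrap() falls back to the raw href.
"""
import html
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set
from urllib.parse import parse_qs, urlparse

ATOM = {"a": "http://www.w3.org/2005/Atom"}

# Constructed sample feed: three hits, one of them outside our domains.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Google Alert - site:example.edu viagra</title>
  <entry>
    <id>tag:google.com,2005:reader/item/0001</id>
    <title type="html">Buy &lt;b&gt;viagra&lt;/b&gt; online - Example University</title>
    <link href="https://www.google.com/url?rct=j&amp;url=http%3A%2F%2Fdept.example.edu%2Fold%2Findex.php%3Fp%3Dcheap&amp;ct=ga"/>
    <published>2011-04-05T12:00:00Z</published>
  </entry>
  <entry>
    <id>tag:google.com,2005:reader/item/0002</id>
    <title type="html">Pharmacy course notes</title>
    <link href="http://pharmacy.example.edu/courses/notes.pdf"/>
    <published>2011-04-05T13:00:00Z</published>
  </entry>
  <entry>
    <id>tag:google.com,2005:reader/item/0003</id>
    <title type="html">Unrelated hit</title>
    <link href="https://www.google.com/url?rct=j&amp;url=http%3A%2F%2Fother.example%2Fpage&amp;ct=ga"/>
    <published>2011-04-05T14:00:00Z</published>
  </entry>
</feed>
"""

def unwrap(href: str) -> str:
    """Return the real target if the link is a google.com/url redirect (assumed format)."""
    u = urlparse(href)
    if u.netloc.endswith("google.com") and u.path == "/url":
        target = parse_qs(u.query).get("url")
        if target:
            return target[0]
    return href

def strip_tags(s: str) -> str:
    """Alert titles arrive as HTML with <b> hit markers; keep the plain text."""
    return html.unescape(re.sub(r"<[^>]+>", "", s)).strip()

def in_scope(host: str, our_domains: Iterable[str]) -> bool:
    """True when host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in our_domains)

def parse_alerts(feed_xml: str, our_domains: Iterable[str],
                 seen_ids: Set[str]) -> List[Dict[str, str]]:
    """Return new in-scope entries; seen_ids is updated so reruns stay quiet."""
    root = ET.fromstring(feed_xml)
    records: List[Dict[str, str]] = []
    for entry in root.findall("a:entry", ATOM):
        eid = entry.findtext("a:id", "", ATOM)
        if eid in seen_ids:
            continue
        link = entry.find("a:link", ATOM)
        target = unwrap(link.get("href", "")) if link is not None else ""
        host = urlparse(target).netloc.lower()
        if not in_scope(host, our_domains):
            continue
        records.append({
            "id": eid,
            "host": host,
            "url": target,
            "title": strip_tags(entry.findtext("a:title", "", ATOM)),
            "published": entry.findtext("a:published", "", ATOM),
        })
        seen_ids.add(eid)
    return records

if __name__ == "__main__":
    seen: Set[str] = set()
    for rec in parse_alerts(SAMPLE_FEED, ["example.edu"], seen):
        print(json.dumps(rec))  # one JSON line per ticket to open
```

In production the seen-id set would be persisted between runs (a small file or table), and the feed would be fetched rather than embedded; the host filter matters because alerts on a broad term return hits from other institutions that are not yours to action.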
Google Alerts
site:ufl.edu OR site:fcla.edu "free hindi ringtones" OR "free sexy ringtones" OR "free alcatel ringtones" OR "kyocera ringtones" OR "free verizon ringtones"
site:ufl.edu OR site:fcla.edu "latin ringtones" OR "free ericsson ringtones" OR "free allatel ringtones" OR "sony ringtones" OR "free tracfone ringtones"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "hydrocodone online" OR "no phentermine prescription" OR "cheap fioricet" OR Cozaar OR biagra OR "Biaxin Interaction"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "adipex online" OR "buy soma" OR "xenical online" OR "buy celexa" OR "buy xenical" OR "diethylpropion online"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "buy cheap discount" OR "buy cheap" OR "discount cheap"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "buy diethylpropion" OR "lipitor online" OR "buy hoodia gordonii" OR "provillus" OR "natural Hair Loss Treatment" OR "valtrex online"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "cheap levitra online" OR "cheap viagra online" OR "buy viagra online" OR "buy herbal phentermine online" OR "Effexor And Menopause"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "free daily porn" OR "free celebrity porn" OR "free asian porn" OR "free black porn"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "free tax preparation" OR "free tax filing" OR "bad credit personal loans"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc "payday loan" OR "emergency payday loan"
site:ufl.edu OR site:fcla.edu -pdf -ppt -doc phentermine OR viagra OR cialis OR vioxx OR oxycontin OR levitra OR ambien OR xanax OR paxil OR "slot-machine" OR "texas-holdem" OR "rolex"
Don’t reinvent the wheel
Google Hacking Database (GHDB)
GHDB
Searchable, categorized collection of useful queries
3,200+ listings
Find interesting targets, data and vulnerabilities
GHDB + Google Alerts
Google Hacking Database (GHDB)
Web app installation files
vBulletin
Error messages
SQL Server errors on .asp pages
System info
phpinfo() [1a 1b 1c 1d]
Poll – Google to find data/systems
Poll: Does your institution use Google, Google...
More Internet search tools
Facebook
Openbook
Twitter
Twitter Search
Twilert
$ - Free
SHODAN
“Computer Search Engine”
Searchable DB of pre-scanned hosts -- this is passive, no active scanning/probing
Crawls Internet and grabs system banners
TCP Ports 80, 21, 22, 23 -- more en route
SSL survey (TCP/443)
Will find many systems that web search engine won’t
$ - Free, paid
SHODAN interface
Effective SHODAN-Fu
Operators
+, -, |
Filters
hostname: [1a 1b]
net: [1a 1b]
os:, port (21, 23, 443, etc.): [1] [2]
before:, after: [1a 1b 1c] [2a 2b]
SHODAN
Purchase credits for exportable XML results
SHODAN requires account and login
for some search filters (e.g. country code)
for export of XML results (up to 1000)
Special for .edu folks
Contact John Matherly
Tell him you are with .edu
Will get more capability added to your account
SHODAN
Popular searches
API – Ruby, Python
Exploit search (Metasploit, OSVDB)
Interesting searches
Default password [1] [2]
Webcams [Running webcamXP] [Some Axis cameras]
Cisco routers [1]
Printers [1] [2]
Example SHODAN searches
.edu Cisco device with no http authentication configured
http://www.shodanhq.com/?q=hostname%3Aedu+%22cisco-ios%22+%22lastmodified%22
LAN-based projectors that can’t be secured with authentication
http://www.shodanhq.com/?q=Microsoft-WinCE%2F6.00+ContentLength%3A+519
.edu Polycom video conference systems
http://www.shodanhq.com/?q=hostname%3Aedu+engint00.austin.polycom.com
Example SHODAN searches
SNOM VoIP phones with no http authentication configured
(make calls / pcap via http)
http://www.shodanhq.com/?q=+snom+embedded
http://voipsa.org/blog/2010/09/07/its-a-feature-remote-tapping-a-snomvoip-phone/
S2 Security Door Access Controller
http://www.shodanhq.com/?q=hostname%3Aedu+GoAhead+Webs+login.asp+no-cache%2Cmust-revalidate
S2 Security: I reported several vulns to US-CERT, presented at Defcon, etc.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2466
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2465
Example SHODAN searches
.edu old versions of Microsoft IIS
.edu IIS/2.0 http://www.shodanhq.com/?q=hostname%3Aedu+IIS%2F2.0
.edu IIS/3.0 http://www.shodanhq.com/?q=hostname%3Aedu+IIS%2F3.0
.edu IIS/4.0 http://www.shodanhq.com/?q=hostname%3Aedu+IIS%2F4.0
But authentication is required!
Passwords often aren’t changed from defaults
Devices with no IT support
Unaware of web interfaces and exposed services
Unaware device is accessible via Internet
Unaware of value to adversary
Password databases
CIRT.net Default Passwords
CyXla’s Password Database
Built into many pen-testing tools
Poll – finding risky public systems
Poll: Does your institution use a tool to find...
Domain names
Unauthorized or unknown use of trademark
Phishing
Malware distribution, credential theft
DomainTools
Extensive array of tools
Domain search, reverse IP search, etc.
Domain search [1a 1b 1c] [2]
Registrant name, phone #, address, email address
Social engineering
Hope they never leave, take vacation, get hit by a bus
Domain typos
$ – free, paid
Local sensitive data discovery
Search for sensitive strings
Social security numbers, credit card numbers
More
Tools
Spider (Cornell University)[1]
SENF (The University of Texas at Austin) [1]
Find_SSNs (Virginia Tech) [1]
$ - Free, free, free
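The three tools listed above all do the same core job: walk a file tree and flag strings that look like SSNs or card numbers. The script below is an added example in that spirit (it is not Spider, SENF or Find_SSNs code) and shows the two things that make such a scanner usable in practice: validators that cut the false positives a bare regex produces (SSA structural rules for SSNs, the Luhn checksum for card numbers), and masked output so the report itself is not a second copy of the sensitive data. The sample text is constructed and contains no real identifiers.

```python
"""Local sensitive-data discovery: flag likely SSNs and payment card numbers.

Added example in the spirit of Spider, SENF and Find_SSNs; it is not those
tools' code. Broad regexes find candidates, validators (SSA structural rules,
Luhn mod-10) drop look-alikes such as phone numbers and order ids, and only
masked values are reported. The sample text is constructed.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List

# Candidate patterns. Deliberately loose; the validators below do the filtering.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CCN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, nor an all-zero group/serial."""
    a = int(area)
    if a in (0, 666) or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits so the report is safe to circulate."""
    return "*" * (len(digits) - 4) + digits[-4:]

@dataclass(frozen=True)
class Hit:
    kind: str      # "SSN" or "CCN"
    line_no: int
    masked: str

def scan_text(text: str) -> List[Hit]:
    """Return validated, masked hits with the line they occur on."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append(Hit("SSN", line_no, mask("".join(m.groups()))))
        for m in CCN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                hits.append(Hit("CCN", line_no, mask(digits)))
    return hits

def scan_paths(paths: Iterable[Path]) -> Dict[str, List[Hit]]:
    """Scan regular files (ignoring undecodable bytes); map path -> hits."""
    report: Dict[str, List[Hit]] = {}
    for p in paths:
        if p.is_file():
            found = scan_text(p.read_text(errors="ignore"))
            if found:
                report[str(p)] = found
    return report

# Constructed sample: the SSN-shaped phone number and the non-Luhn order id
# are there to show the validators rejecting look-alikes.
SAMPLE = """\
Student roster export (constructed sample)
Jane Doe, 123-45-6789, grade A
John Roe, 000-12-3456, grade B
Card on file: 4111 1111 1111 1111
Phone: 352-555-0199 ext 1234
Order id 4111111111111112
"""

if __name__ == "__main__":
    for h in scan_text(SAMPLE):
        print(f"line {h.line_no}: {h.kind} {h.masked}")
    # Real use: scan_paths(Path("/srv/www/htdocs").rglob("*"))
```

Binary formats (Office documents, PDFs) need a text-extraction step before this scan, which is the main thing the purpose-built tools add; the validation and masking logic is the same.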
Poll – domain name monitoring
Poll: Does your institution monitor for the cr...
FOCA
Fingerprinting Organizations
with Collected Archives
Web crawler
Metadata risks
What Is FOCA?
Standalone JAVA tool
Uses Google, Bing, Exalead
Crawls defined web site or TLD - *.ufl.edu
Automatically
Downloads documents
Analyzes documents’ metadata from Word, Excel, PPT, PDF
Can create a nice, detailed report
FOCA Interface
Risks of Metadata
Usernames
Document owner and creator
Spear phishing risks (SANS mention in RSA hack)
Application and OS used
Vulnerable version of PDF creator on M$ XP
Internal infrastructure Disclosure
Network shares and paths, printers
Increases risk of secondary attack / recon
NSA Document: “Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures”
http://www.nsa.gov/ia/_files/app/pdf_risks.pdf
Metadata Leak Defense
Run FOCA against own domain
Follow-up with key departments (e.g. finance)
Scrubbing metadata from docs
User-level tools
Web server plugins (Informatica64 IIS tool)
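What FOCA reads out of a downloaded document is mostly a handful of XML fields in the file's zip container, and those same fields are what a scrubbing step has to blank. The script below is an added example for the metadata-risk and metadata-defense slides above; it is not FOCA or Informatica64 code. It audits docProps/core.xml and docProps/app.xml in a .docx/.xlsx/.pptx container for the fields an adversary harvests (creator, last editor, application and version, company) and writes a copy with those fields emptied. The document it runs on is constructed in memory.

```python
"""Audit and scrub authorship/application metadata in Office Open XML files.

Added example for the FOCA and "Metadata Leak Defense" slides; it is not FOCA
or Informatica64 code. It reads docProps/core.xml and docProps/app.xml from
the .docx/.xlsx/.pptx zip container, reports the fields an attacker harvests
and writes a copy with those fields blanked. The sample document is constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
ET.register_namespace("dcterms", "http://purl.org/dc/terms/")
ET.register_namespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")

# Part name -> {report key: path} for the fields worth flagging.
FIELDS = {
    "docProps/core.xml": {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy"},
    "docProps/app.xml": {"application": "ep:Application", "appVersion": "ep:AppVersion",
                         "company": "ep:Company"},
}

def audit(doc: bytes) -> Dict[str, str]:
    """Return the non-empty sensitive metadata fields found in the container."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        names = set(z.namelist())
        for part, fields in FIELDS.items():
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for key, path in fields.items():
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    found[key] = el.text.strip()
    return found

def scrub(doc: bytes) -> bytes:
    """Rewrite the container with the flagged fields blanked; other parts untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            payload = zin.read(item.filename)
            if item.filename in FIELDS:
                root = ET.fromstring(payload)
                for path in FIELDS[item.filename].values():
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            zout.writestr(item.filename, payload)
    return out.getvalue()

def build_sample_docx() -> bytes:
    """Constructed minimal .docx with leaky metadata; not a real document."""
    core = (
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        '<dc:title>Budget FY11</dc:title><dc:creator>jdoe</dc:creator>'
        '<cp:lastModifiedBy>FIN-ADMIN\\jsmith</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    ).format(**NS)
    app = (
        '<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
        '<AppVersion>12.0000</AppVersion><Company>Example University Finance</Company>'
        '</Properties>'
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", audit(sample))
    print("after: ", audit(scrub(sample)))
```

Run audit() over a crawl of your own web root to get the same picture FOCA gives an outsider; the application/version pair is the field to watch, since it is what turns a document into a targeted client-side exploit list for the departments that published it.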
Getting FOCA
Free, limited function version to try
Full version
More searches, reporting functions, updates
Tip: Tell Chema from Informatica64 you're with .edu - will give a free copy of FOCA if you pay to attend online training
Blog post with links to Chema presos, etc.
https://www.infosecisland.com/blogview/6707Metadata-Analysis-With-FOCA-25.html
Poll – metadata analysis
Poll: Does your institution use a metadata ana...
Advice
Advice – 20,000’ view
Visibility
Scan & inventory
Systems security
Keep OS/apps current
Change default passwords
Disable/change banners & paths
Policy and education
Requirements
Risks, +/- actions
Track and report
Advice – the weeds
[email protected] = no!
Delete [data|users|databases|systems] that’s not needed
robots.txt is not your friend
Disable directory indexing
Ask yourself “does the system/data need to be public?” (consider hybrid approach)
Poll – Google Alerts
Poll: Will you use the Google Alerts at your i...
Poll – GHDB
Poll: Will you use the Google Hacking Database...
Poll - SHODAN
Poll: Will you use SHODAN at your institution?
Poll - DomainTools
Poll: Will you use DomainTools at your institu...
Poll - FOCA
Poll: Will you use FOCA at your institution?
Poll - feedback
Poll: Feedback (comments, questions)?
Menu of tools and resources
ARIN Whois
http://whois.arin.net/ui
CIRT.net Default Passwords
http://cirt.net/passwords
CyXla’s Password Database
http://www.cyxla.com/passwords/index.php
DataLossDB
http://datalossdb.org/
DomainTools
http://www.domaintools.com/
Menu of tools and resources
Educational Security Incidents
http://www.adamdodge.com/esi/
Find_SSNs
http://www.security.vt.edu/resources_and_information/find_ssns.html
FOCA
http://www.informatica64.com/downloadfoca/
Google Hacking Database
http://www.exploit-db.com/google-dorks/
Google Alerts
http://www.google.com/alerts
Menu of tools and resources
GoogleGuide Advanced Operators Cheat Sheet
http://www.googleguide.com/advanced_operators_reference.html
Openbook
http://youropenbook.org/
Poll Everywhere
http://www.polleverywhere.com/
Secunia Advisories
http://secunia.com/advisories/
SENF
http://www.utexas.edu/its/products/senf/
Menu of tools and resources
SHODAN
http://www.shodanhq.com/
Spider
http://www2.cit.cornell.edu/security/tools/
Twilert
http://www.twilert.com/
Twitter Search
https://search.twitter.com/
Questions/Discussion
?
Notes
Some links included in the live presentation were removed from this copy due to their sensitive nature; for the same reason, a few links were changed so the scope of files or devices searched for was broader
The official copy of the presentation, speaker bios and other resources (including raw data from the poll conducted during the live presentation) can be found at http://www.educause.edu/SEC11/Program/SESS15
Contact us
Steve Werby
[email protected]
@stevewerby
Shawn Merdinger
[email protected]