Steve Werby | LASCON 2011: You’re bleeding sensitive data… | @stevewerby
You’re bleeding sensitive data
Find it before they do
Raise awareness
Identify low hanging fruit
Show you the tools
Obligatory disclaimer
The opinions shared in this presentation represent my the views and only my views of my employer. That’s right – the views of all 9,310 of my coworkers. I know because I’m omniscient…and omnipotent. Presentation disclaimers are only slightly more useful than disclaimers at the bottom of an email.
Breach example 1
18,931 individuals employed in 2002
File accessible via web from 2008-2011; possibly accessible since 2002
Data exposed: name, SSN, DOB, home phone, home address
Breach example 2
757 patients from 2007-2011
File accessible via web for 2 months; discovered by relative of patient
Data exposed: name, DOB, medical history, diagnoses, treatment plans
Breach example 3
20,000 emergency room patients
File accessible via web for 1 year; posted to StudentOfFortune.com
Data exposed: name, admission dates, diagnosis codes, billing charges
Jeremiah Grossman: “Anything you upload to a public website is not private…it’s public.”
Craig S. Wright: “I would estimate 100 or more breaches occur for each one that becomes publicly known.”
Where data leaks from
robots.txt files that include directories you don’t want attackers to find
Analytics programs that display hostnames and usernames
Source code via broken web servers and unparsed backup files
“Actually, I've been working on a plan…I'll hide under some coats, and hope that somehow everything will work out.”
Finding exposed data requires easily accessible tools and little skill
Steve Werby | LASCON 2011: You’re bleeding sensitive data… | @stevewerby
Requires easily accessible tools
and little skill
Steve Werby | LASCON 2011: You’re bleeding sensitive data… | @stevewerby
Finding data requires
1. Knowing what tools to use
2. Knowing how to use those tools
3. Knowing what to look for
Effective Google-fu
• Operators
  • OR operator (match either term)
  • - operator (exclude a term)
  • * operator (wildcard)
  • ~ operator (include synonyms)
• Filters
  • site:
  • filetype:
  • intext:, intitle:, inurl:
  • link:
Effective Google-fu
• filetype: values worth searching
  • HTML - .htm, .html, .asp, .aspx, .cfm, .php
  • PDF - .pdf
  • Plain text - .txt, .csv
  • Microsoft Office - .doc, .docx, .ppt, .xls, .xlsm, .xlsx
  • Rich text - .rtf
  • OpenOffice - .odc, .odp, .ods
  • Databases - .dbf
  • Email - .eml, .msg
  • Other - .pst, .gz, .zip, .mdb, .xml
Know your data
• ID numbers – SSN, drivers license, account #
• Financial data – payroll, credit card, bank account
• Personal info – address, phone, email, DOB
• Personnel info – evaluations, disciplinary action
• IT data – logs, system monitoring, vulnerable s/w
• Website issues – compromises, error handling
Know your data
• IT data – logs, system monitoring, vulnerable s/w
  Monster, LinkedIn, Twitter
Field names and labels
• first name, f_name, first, namef, name_f
• hw, homework, hw_1, hw 1, homework 1
• assignment, exam, final, midterm, quiz, test
• lab, paper, participation, project
• username, user_name, user name
• student id, studentid, student_id
File names
• grades, grades_final, finalgrades
• <dept><section>, <dept>_<section>
• <dept><section>_<year>
• <dept><section>_<semester><year>
Example search: inurl:moodle.xml filetype:xml
• Proactively check for a subset of sensitive data
  • Real SSNs, account names, customer names
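Added example, not code from the deck: a small Python scanner that applies the "Know your data", "Field names and labels", "File names" and "Proactively check" slides above to files from your own web root (here, constructed in-memory samples). It validates SSN structure, confirms card numbers with Luhn, matches CSV header labels and grade-file names, and masks what it reports. The regexes, label set and sample files are my own assumptions.

```python
import re
from typing import Dict, List

# Column labels from the "Field names and labels" slide plus SSN/DOB from
# "Know your data", normalised to lower case with separators removed.
SENSITIVE_LABELS = {
    "firstname", "fname", "first", "namef", "hw", "homework", "hw1", "homework1",
    "assignment", "exam", "final", "midterm", "quiz", "test", "lab", "paper",
    "participation", "project", "username", "studentid", "ssn", "dob",
}
# Dashed SSNs only (bare 9-digit runs give too many false positives). The
# lookaheads reject area 000/666/9xx, group 00 and serial 0000, never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits optionally separated by spaces or dashes; confirmed with Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Grade-export names from the "File names" slide: grades, grades_final,
# finalgrades, <dept><section>, <dept>_<section>, <dept><section>_<semester><year>
FILENAME_RE = re.compile(
    r"^(?:grades(?:_?final)?|finalgrades"
    r"|[a-z]{2,4}_?\d{3,4}(?:_(?:spring|summer|fall|winter)?\d{4})?)\.",
    re.IGNORECASE,
)

def normalise_label(label: str) -> str:
    """'Student ID' -> 'studentid', 'hw 1' -> 'hw1'."""
    return re.sub(r"[^a-z0-9]", "", label.lower())

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits in number; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_file(name: str, text: str) -> List[Dict[str, str]]:
    """One finding per risky file name, header row, SSN or Luhn-valid card."""
    findings = []
    if FILENAME_RE.match(name):
        findings.append({"file": name, "kind": "filename", "value": name})
    if name.lower().endswith(".csv") and text:  # first line is the header row
        hits = [c for c in text.splitlines()[0].split(",")
                if normalise_label(c) in SENSITIVE_LABELS]
        if hits:
            findings.append({"file": name, "kind": "labels", "value": ",".join(hits)})
    for m in SSN_RE.finditer(text):
        findings.append({"file": name, "kind": "ssn", "value": mask(m.group())})
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append({"file": name, "kind": "card", "value": mask(m.group())})
    return findings

def scan_files(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan (name, content) pairs; in practice these come from your web root."""
    return [f for name, text in files.items() for f in scan_file(name, text)]

# Constructed sample "web root": a grade export, a notes file, a harmless page.
SAMPLE_FILES = {
    "cs101_fall2011.csv": (
        "student id,first name,last name,hw 1,midterm,final\n"
        "219-09-9999,Ann,Example,95,88,91\n"   # well-formed SSN used as an id
        "000-12-3456,Bob,Example,70,75,80\n"   # area 000 is never issued: skipped
    ),
    "refund_notes.txt": (
        "card on file 4111 1111 1111 1111 (Luhn-valid test number)\n"
        "typo copy 4111 1111 1111 1112 (fails Luhn, so not reported)\n"
    ),
    "index.html": "<html><body>Welcome to the department site.</body></html>\n",
}
```

Calling scan_files(SAMPLE_FILES) reports four findings (file name, header labels and one SSN in the grade export, one card number in the notes file) and nothing for index.html.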
Effective SHODAN-fu
• Operators
  • +, -
• Filters
  • hostname:
  • net:
  • os:, port: (21, 23, 80, 443, etc.)
  • before:, after:
You found my device? So what‽
• Devices with no IT support
• Unaware of web interfaces and exposed services
• Unaware device is accessible via Internet
• Unaware of value to adversary
You found my device? So what? You don’t know the password.
• Can it be guessed?
• Was it really changed from the default?
The basics
• Delete data and systems that are no longer needed
• If it’s sensitive, keep it on your private network
• robots.txt is not your friend
• [LHS of] email address != username
• Disable directory browsing
Beyond the basics
• Visibility into what you have
  • Scan for services
  • Maintain system and application inventory
• System security
  • Patch OS and applications
  • Change default passwords
  • Disable/change banners and paths
• The human side
  • Education and policies
Questions?
You're Bleeding Sensitive Data: Find it Before They Do [Presented by Steve Werby at OWASP LASCON 2011]