Contractors do the dumbest things sometimes.

12 July 2007

Like putting classified material online where anyone can stumble across it.

It has come to the attention of the news media that documents that really shouldn't be getting out (like blueprints of high-security military installations) are being stashed on publicly accessible web and FTP servers around the net, sometimes on the networks of the subcontractors themselves, where anybody with the time and patience to go digging has a chance at finding them. During research for this article, reporters working for the Associated Press found dozens of sensitive documents that weren't even protected with a basic password. Moreover, sometimes you could anonymously FTP into the same web servers and go poking around behind the scenes to look at the source code for dynamic content and find older things that were once hyperlinked (incidentally, this is how web developers get their work onto the servers in the first place; the standard FTP daemon is often a necessary evil, but there are still countermeasures that can be put into place). Even though the data is no longer online, nobody knows exactly what's still floating around out there, or what's likely to be accidentally posted in the future. I wonder how the security auditing teams that the US government hires to survey their systems missed this stuff.
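One detection-side countermeasure for the anonymous-FTP exposure described above, added here as an example rather than anything from the original post: a small Python audit that reads vsftpd-style log lines, keeps only the sessions that logged in anonymously (keyed on the daemon's pid field, which is an assumption about the log layout), and flags downloads of paths that should never be served without authentication. The log lines and the path rules are constructed for the example.

```python
"""Audit vsftpd-style FTP logs for anonymous sessions that pulled files.

Assumptions: the line layout below mirrors vsftpd's default log file and
one pid identifies one session (verify both against your own daemon's
output); the sample lines and the path rules are constructed.
"""
import re

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<event>[A-Z ]+?): Client "(?P<ip>[^"]+)"(?P<rest>.*)$'
)
PATH_RE = re.compile(r', "(?P<path>[^"]+)", (?P<size>\d+) bytes')

# Paths that must never be reachable by an anonymous login: server-side
# source and include files, backups, and the "old" tree of unlinked files.
NEVER_ANON = (re.compile(r'\.(php|inc|bak|old)$', re.I), re.compile(r'/old/', re.I))

# Constructed log excerpt: one anonymous session (pid 4021) and one
# authenticated developer session (pid 4022) that uploads a page.
SAMPLE_LOG = [
    'Thu Jul 12 10:01:00 2007 [pid 4021] CONNECT: Client "203.0.113.5"',
    'Thu Jul 12 10:01:03 2007 [pid 4021] [ftp] OK LOGIN: Client "203.0.113.5", anon password "mozilla@"',
    'Thu Jul 12 10:01:09 2007 [pid 4021] [ftp] OK DOWNLOAD: Client "203.0.113.5", "/pub/README.txt", 120 bytes, 3.00Kbyte/sec',
    'Thu Jul 12 10:02:11 2007 [pid 4022] [webdev] OK LOGIN: Client "198.51.100.7"',
    'Thu Jul 12 10:02:40 2007 [pid 4022] [webdev] OK UPLOAD: Client "198.51.100.7", "/htdocs/index.php", 2310 bytes, 50.00Kbyte/sec',
    'Thu Jul 12 10:02:55 2007 [pid 4021] [ftp] OK DOWNLOAD: Client "203.0.113.5", "/htdocs/index.php", 2310 bytes, 45.12Kbyte/sec',
    'Thu Jul 12 10:03:20 2007 [pid 4021] [ftp] OK DOWNLOAD: Client "203.0.113.5", "/htdocs/old/site-plan.pdf", 884211 bytes, 900.00Kbyte/sec',
]


def audit_anonymous(lines):
    """Return {pid: {"ip", "downloads", "flagged"}} for anonymous sessions only."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a layout we do not recognise
        pid, event, rest = m["pid"], m["event"], m["rest"]
        if event == "OK LOGIN" and "anon password" in rest:
            sessions[pid] = {"ip": m["ip"], "downloads": [], "flagged": []}
        elif event == "OK DOWNLOAD" and pid in sessions:
            p = PATH_RE.search(rest)
            if p:
                sessions[pid]["downloads"].append(p["path"])
                if any(r.search(p["path"]) for r in NEVER_ANON):
                    sessions[pid]["flagged"].append(p["path"])
    return sessions


if __name__ == "__main__":
    for pid, s in audit_anonymous(SAMPLE_LOG).items():
        print(f"anon session {pid} from {s['ip']}: flagged {s['flagged']}")
```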

More and more, it seems like the book Google Hacking for Penetration Testers (second edition) is required reading if you're going to be doing anything useful on the Net these days, if only so that you know what is possible and can plan to not do dumb things. I'd also recommend that all security auditors and penetration testers read it so that you can add some new tricks to the contents of your sleeves - just because it's not a Cisco router running the telnet daemon with a username and password of 'cisco' doesn't mean that it isn't important.