It seems pretty obvious that implementing solid security practices, such as encryption, is a guaranteed way to protect your company secrets. Or is it?
As a data protection and privacy professional, I feel even the best cryptographic algorithms are useless when the secret guarding the secret is commonly available.
Think about this for a moment. How are your secrets being protected?
If you or your company are using encryption, did you implement it correctly?
Seriously. Drop the ego for a moment and think about the potential flaws in your own best practices. Before going live, did you get the software manufacturer or a security consultant involved to point out any potential pitfalls?
For example, where are your keys stored? Wait, let’s back up for a second. Did you implement symmetric or asymmetric cryptography?
If symmetric, how are the Data Encryption Keys (DEKs) protected from unauthorized distribution and copying?
If asymmetric, how is the private (master) key protected from unauthorized access and distribution? How many people have access to the recovery password, and how many pieces has it been split into?
Hopefully you feel confident with your responses, but that’s not all it takes to keep secrets safe. It’s a good start.
Do you know Google’s mission statement?
They’re doing an amazing job of it: “…to organize the world’s information and make it universally accessible and useful.” Through no fault of their own, sometimes they do that job too well.
For instance, I was generating some PGP keys at this website I found called iGolder.
iGolder puts up a page to communicate securely with them, a site member or your friend. How nice of them to provide key generation for the netizen masses!
Out of curiosity, I ran a Google web search for "BEGIN PGP PRIVATE KEY BLOCK", which returned about 29,500 results.
On the first page of results, six of the ten hits exposed a private key block: five were ASCII-armored (.asc) files and one was a rendered web page. I didn’t want to assume that half of all 29,500 results pointed to .asc files, though.
Refining the search to "BEGIN PGP PRIVATE KEY BLOCK filetype:asc" brought that down to 21,300 results.
I thought, “Seriously folks? Have that many entities implemented PGP and left their PRIVATE key block to be readable on their PUBLIC web site?”
In an attempt to rationalize this, I skipped to the last page of results Google would let me reach. There I found that the majority of the .asc files are actually PUBLIC key blocks (an unquoted search matches the individual words, not the exact phrase, so public key blocks match too). That’s better.
Wanting to separate the private key blocks from the public ones, I refined the search further still ("BEGIN PGP PRIVATE KEY BLOCK filetype:asc -public", which drops any result mentioning the word "public") and finished with 122 results.
In percentage terms, slightly more than half of one percent of the .asc key blocks Google has indexed are private keys.
From a data protection standpoint, that’s still 122 too many. Even if it’s a test key.
I’ve worked with organizations where test environments eventually became production, and only some of them told me they had changed the master password afterwards.
Those 122 entities went through the process of implementing PGP as their form of encryption to protect their secrets, but the secret to their secrets is public.
Any of them having a data breach will feel 100% exposed, and ramifications will quickly follow.
My advice is to review your organization’s practices for securing data, even if they are already implemented. Dropping the ego and not resting on your laurels is always a good start.
Look at how and where the master and recovery keys are stored, and make sure the keys to your secrets are protected by another layer of security: for example, a symmetric DEK wrapped by a Key Encryption Key (KEK) that is accessible only through certificate-based authentication, so that copying the encrypted data together with its wrapped DEK still yields nothing without the KEK. Of course, implement what makes sense for your organization.
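The DEK/KEK layering described above, written out as an added example (this is not code from the article): each object gets its own 256-bit DEK, the data is encrypted under the DEK with AES-256-GCM from Go’s standard library, and only the DEK wrapped under the KEK is stored next to the ciphertext. The KEK here is generated in memory purely for the demo; in a real deployment it would be fetched from an HSM or KMS behind the kind of certificate-based authentication mentioned above. The type and function names (Envelope, Encrypt, Decrypt) are my own, and the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored: the data ciphertext plus the DEK wrapped
// (encrypted) under the KEK. The plaintext DEK never touches disk.
type Envelope struct {
	WrappedDEK []byte // AES-256-GCM(KEK, DEK): nonce || ciphertext || tag
	Ciphertext []byte // AES-256-GCM(DEK, data): nonce || ciphertext || tag
}

// gcmSeal encrypts plaintext under key with a fresh random nonce.
// aad is a label that binds the blob to its purpose ("dek" vs "data").
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if the key is wrong or the blob was altered.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt generates a fresh 256-bit DEK for this object, encrypts the data
// with it, then wraps the DEK under the KEK. The KEK is the only long-lived
// secret; it is assumed to live in an HSM/KMS behind strong authentication.
func Encrypt(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Envelope{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte("data"))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte("dek"))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data with the DEK.
// Without the KEK, a copied envelope is useless to whoever took it.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte("data"))
}

func main() {
	// Demo only: a real KEK is fetched from the KMS/HSM, never generated here.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, []byte("constructed sample: quarterly customer export"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
	// A copied envelope plus the wrong KEK (or a rotated KEK without re-wrapping) yields nothing.
	_, err = Decrypt(make([]byte, 32), env)
	fmt.Println("wrong KEK:", err)
}
```

The AAD labels stop a wrapped DEK from being presented where a data blob is expected (or vice versa), and GCM’s authentication tag means a tampered envelope or a wrong KEK fails cleanly instead of decrypting to garbage. Rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting the data.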
The moral of the story is an old one that dates back to medieval times: even Pretty Good Privacy is not enough when it’s implemented pretty damn poorly.
Until next time, keep it safe and secure online.
If you want to search for an exact phrase, just enclose it with quotes:
"BEGIN PGP PRIVATE KEY BLOCK" filetype:asc
Then you don't need to mess with the -public exclusion.
I agree, Adam. I've developed the habit of reducing results with exclusions. Did you compare the results between your search and the one in the blog? I did and only saw a small difference.
If you want to compare results based on keystroke economy, then your method saves 6 keystrokes. 🙂 Thanks for the feedback!
If there is any difference, you are doing it wrong, David. Justifying it with a straw man argument was unnecessary.
This is the correct search based on the parameters you were discussing in your article. The ‘I got 20,000 results’ is just page filling FUD.
How does testing the keys violate your ethics?
I would say you should grab all of the keys and then do a duplicate / hash compare to see how many UNIQUE .asc keys are there. That is accurate security research.
Meant to include this link:
https://encrypted.google.com/search?&q=%22BEGIN+PGP+PRIVATE+KEY+BLOCK%22+filetype%3Aasc&btnG=
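Rather than waiting to see what Google indexes, a practitioner can run the same check over their own document root before the crawler does. The Go program below is an added example, not part of the article or of any comment: it walks a directory, extracts only blocks that carry the exact `-----BEGIN PGP PRIVATE KEY BLOCK-----` armor line (so public key blocks, and pages that merely mention the phrase, are not counted, which is the same distinction the exact-phrase search makes), and hashes each block's armor body so the same key copied to several paths is counted once, as the duplicate/hash-compare suggestion above proposes. The sample key blocks are constructed (the base64 is the string "not a real key"), and the names ScanText, ScanDir and Finding are mine.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

const (
	privHeader = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
	privFooter = "-----END PGP PRIVATE KEY BLOCK-----"
	// Constructed samples: the base64 body is the string "not a real key", not key material.
	samplePublic  = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nbm90IGEgcmVhbCBrZXk=\n=abcd\n-----END PGP PUBLIC KEY BLOCK-----\n"
	samplePrivate = "-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: Example 1.0\n\nbm90IGEgcmVhbCBrZXk=\n=abcd\n-----END PGP PRIVATE KEY BLOCK-----\n"
)

// Finding is one armored private key block, identified by the SHA-256 of its
// armor body (not the OpenPGP fingerprint) so copies of the same key dedupe.
type Finding struct {
	Path string
	Sum  string
}

// ScanText returns the SHA-256 of every complete private key block in text.
// Public key blocks, and prose that merely mentions the phrase, do not match.
func ScanText(text string) []string {
	var sums []string
	rest := text
	for {
		start := strings.Index(rest, privHeader)
		if start < 0 {
			break
		}
		end := strings.Index(rest[start:], privFooter)
		if end < 0 {
			break // truncated block, nothing recoverable
		}
		body := strings.ReplaceAll(rest[start+len(privHeader):start+end], "\r\n", "\n")
		// Armor headers ("Version: ...") end at the first blank line; hash only what
		// follows, with whitespace removed, so different exporters of one key hash alike.
		if i := strings.Index(body, "\n\n"); i >= 0 {
			body = body[i:]
		}
		h := sha256.Sum256([]byte(strings.Join(strings.Fields(body), "")))
		sums = append(sums, hex.EncodeToString(h[:]))
		rest = rest[start+end+len(privFooter):]
	}
	return sums
}

// ScanDir walks root (for example a web server's document root) and returns
// every finding plus the number of distinct keys behind them.
func ScanDir(root string) ([]Finding, int, error) {
	var findings []Finding
	distinct := map[string]bool{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || !d.Type().IsRegular() {
			return walkErr
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		for _, sum := range ScanText(string(data)) {
			findings = append(findings, Finding{Path: path, Sum: sum})
			distinct[sum] = true
		}
		return nil
	})
	return findings, len(distinct), err
}

func main() {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	// Throwaway "web root": a public key (harmless), an exposed private key in
	// a .asc file, and the same private key pasted into an HTML page.
	root, err := os.MkdirTemp("", "webroot")
	must(err)
	defer os.RemoveAll(root)
	must(os.WriteFile(filepath.Join(root, "alice.asc"), []byte(samplePublic), 0o644))
	must(os.WriteFile(filepath.Join(root, "backup.asc"), []byte(samplePrivate), 0o644))
	must(os.WriteFile(filepath.Join(root, "contact.html"), []byte("<pre>"+samplePrivate+"</pre>"), 0o644))
	findings, distinct, err := ScanDir(root)
	must(err)
	for _, f := range findings {
		fmt.Printf("%s  %s\n", f.Sum[:12], f.Path)
	}
	fmt.Printf("%d private key block(s) exposed, %d distinct key(s)\n", len(findings), distinct)
}
```

Point it at the real document root instead of the temporary one and it reports two things the Google count cannot: which files hold the block, and how many distinct keys are actually at risk. It reads files regardless of extension, because the article's own results show private keys rendered inside web pages as well as in .asc files.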
Just performed the same Google search and it's now at 124. I quickly ran through all pages doing a search for "Sophos" and couldn't see any, indicating Google hasn't crawled this page yet (that's what I was looking for, as there were two extra on what you found).
Let's hope they're all test environments that never went live or honey pots of some description, eh?
Let's hope, Jayton. Some of the results I looked through did look like examples or test keys, as you saw for yourself. I did dig through several of the results and did find what looks like usable keys. I'm not going to violate my ethics and test that theory.
I'm simply attempting to spread awareness using a small example of what's out there. I hope this blog helps kick start better practices going forward and corrects any mistakes being made.
This is a very important point you have raised. I see the same issues in the banking world where many users search on Google for their bank account details, e.g. searching their bank account number or other sensitive details. If the user then goes on to click a paid search Adwords sponsored ad, the advertiser can see the users original query in a search query report which Google provides for advertising analysis.
jk73, your comment is provoking me to set up an Adwords campaign to test what you wrote. If I do, you could be reading about my findings here at Naked Security.
I wonder if I can expense the cost of the Adwords campaign in the name of research? 🙂 Hmmmmm……
Some interesting domain names among those who have made this 'faux pas':)
Oziwan, let's keep that as a secret between us. We don't want to embarrass anyone. 🙂
I did a search once for password.txt and actually found the list of passwords for a junior high school in Kansas. I emailed the teacher what I found so she could secure her system and got lambasted for being a "hacker". -sighs-
Bill, you make a very valid point. I've come across that ethical dilemma. Do you report your findings to help those in need? Or do you do nothing to protect yourself from incarceration?
I've found that reporting findings to their ombudsman via their website or calling their main line gives us anonymity while helping. Whether the mistakes are corrected is up to them. At that point, you've done the right thing. If anyone finds that the mistakes continue, be cautiously persistent.
The other dilemma I've run into is offering to correct the flaw. If monetary compensation is requested, that can potentially be construed as a method of generating income with malintent. And you might have to explain your findings to law enforcement. Even if you didn't violate any laws because the regular user doesn't necessarily understand what we do for a living. If the flaw isn't too onerous, I suggest working pro bono.
Are these files being found because they live in one or more specific locations (for example, C:systempgp.key) and Google is 'guessing' at these known locations?
Or is it that these files are linked from a web page somewhere and Google finds them by crawling over each link in a site?
My guess, based on looking at the Google results, would be the latter…
I'm oversimplifying, but Google crawls websites from the root of the site and follows the directory structure. Along the way, any files within the directories are indexed and become searchable. In the simple search I provided in the blog, specifying the filetype as ASC narrowed the results.
To be clear, I'm not the Google crawler expert, but from what I understand, that's a piece of how the Google crawlers work. If anyone knows better, please feel free to speak up.
It is somewhat amazing what people leave out in the open… database dumps seem to be pretty common too: http://blog.irrelevant.com/2011/07/data-breach.ht… At least in that case the company concerned responded quickly and appropriately.
I completely agree with the improper behavior in not protecting your private keys, but one must also remember that the private keys often are protected by a password.